gem_checks 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 63d6aced5b4e03fb47dee58279f283b68dc66b6e
+  data.tar.gz: 8576824fd844c3f74dced5c3b4e0d0790278eda7
+SHA512:
+  metadata.gz: 6161980f198a53d83f19e959559e928bab9113f26414102203b629693e12a73d66312314682da45fc467b05494bd1ed705431e71e3f4d3e4f57c0a34e894ff92
+  data.tar.gz: 62683b7e6aeb99cc777ab0c2eec73494b20ccbbfe722ab491288a7d2733a757aea6ddd702092c5c3f651bf0591163680a16ce20c5b37ac54dde6200ccaa9a7b9

data/bin/gem_checks

@@ -0,0 +1,37 @@
+#!/usr/bin/env ruby
+
+$:.unshift File.expand_path('../../lib', __FILE__)
+require 'gem_checks'
+require 'optparse'
+
+ARGV.push('-h') if ARGV.empty?
+
+options = {}
+OptionParser.new do |opts|
+  opts.banner = 'Usage: gem_checks /path/to/Gemfile.lock [options]'
+
+  opts.on('-h', '--help', 'Prints this help') do
+    puts opts
+    exit
+  end
+  opts.on('-v', '--verbose', 'Prints verbose logging') do |v|
+    options[:verbose] = v
+  end
+end.parse!
+
+# Get file path from the ARGs list
+file_path = ARGV.first
+lockfile = File.new(file_path)
+
+# Setup the client logger
+client = GemnasiumClient.new
+if options[:verbose]
+  logger = Logger.new(STDOUT)
+  client.set_logger(logger)
+end
+vulnerable_version_check = VulnerableVersionCheck.new(gemnasium_client: client)
+
+# Evaluate the lockfile
+GemChecks.new(lockfile: lockfile,
+              vulnerable_version_check: vulnerable_version_check)
+         .display_vulnerable_gems

data/lib/gem_checks/dependency_parser.rb

@@ -0,0 +1,17 @@
+class DependencyParser
+  def parse(lockfile)
+    lockfile.map { |line| parse_line(line) }.compact
+  end
+
+  private
+
+  def parse_line(line)
+    (match = line.match(GEM_PARSER)) ? parse_gem(match) : nil
+  end
+
+  def parse_gem(gem_str)
+    { gem_name: gem_str[:gem_name], version: gem_str[:version] }
+  end
+
+  GEM_PARSER = /(?<gem_name>([a-zA-Z\-_0-9.])+)\s?\((?<version>(\d+\.?)+)\)/
+end

data/lib/gem_checks/gem_collection.rb

@@ -0,0 +1,37 @@
+require 'delegate'
+class GemCollection < SimpleDelegator
+  def initialize(collection)
+    @collection = collection
+    super(collection)
+  end
+
+  def display_vulnerable
+    collection.each do |gem|
+      puts format_gem_message(gem)
+    end
+  end
+
+  def self.wrap(collection)
+    collection.empty? ? EmptyGemCollection.new : new(collection)
+  end
+
+  private
+
+  attr_reader :collection
+
+  def format_gem_message(gem)
+    "#{gem[:gem_name]}, version: #{gem[:version]}"
+  end
+
+  class EmptyGemCollection
+    MESSAGE = "\nYou have no vulnerable gems in your project"
+
+    def empty?
+      true
+    end
+
+    def display_vulnerable
+      puts MESSAGE
+    end
+  end
+end

data/lib/gem_checks/gemnasium_client.rb

@@ -0,0 +1,52 @@
+require 'gem_checks/simple_logger'
+require 'logger'
+require 'nokogiri'
+require 'open-uri'
+
+class GemnasiumClient
+  def initialize(logger: SimpleLogger.new)
+    @logger = set_log_level(logger)
+  end
+
+  def vulnerable?(gem_name:, version:)
+    uri = client_url(gem_name, version)
+    log_analysis(gem_name, version)
+    query_gemnasium(uri)
+  end
+
+  def set_logger(logger)
+    @logger = set_log_level(logger)
+  end
+
+  private
+
+  def log_analysis(gem_name, version)
+    @logger.info("Analysing: #{gem_name}, version: #{version}")
+  end
+
+  def set_log_level(logger)
+    level = ENV.fetch('LOG_LEVEL') { Logger::INFO }.to_i
+    logger.tap do |logger|
+      logger.level = level
+    end
+  end
+
+  def gem_vulnerable?(doc)
+    doc.css('div.accordion.advisory.affected').count >= 1
+  end
+
+  def query_gemnasium(uri)
+    begin
+      open(uri) do |gemnasium_raw|
+        doc = Nokogiri::HTML(gemnasium_raw)
+        gem_vulnerable?(doc)
+      end
+    rescue OpenURI::HTTPError
+      false
+    end
+  end
+
+  def client_url(gem_name, version)
+    "https://gemnasium.com/gems/#{gem_name}/versions/#{version}"
+  end
+end

data/lib/gem_checks/simple_logger.rb

@@ -0,0 +1,47 @@
+class SimpleLogger
+  LOG_LEVELS = [:debug, :info, :warn, :error, :fatal, :unknown]
+
+  def initialize(default_level: :debug)
+    @level = LOG_LEVELS.index(default_level)
+  end
+
+  def debug(*)
+    log_if_level_valid(:debug)
+  end
+
+  def info(*)
+    log_if_level_valid(:info)
+  end
+
+  def warn(*)
+    log_if_level_valid(:warn)
+  end
+
+  def error(*)
+    log_level_if_valid(:error)
+  end
+
+  def fatal(*)
+    log_level_if_valid(:fatal)
+  end
+
+  def unknown(*)
+    log_level_if_valid(:unknown)
+  end
+
+  def level=(level)
+    @level = level
+  end
+
+  private
+
+  def log_if_level_valid(level_sym)
+    if @level <= LOG_LEVELS.index(level_sym)
+      log
+    end
+  end
+
+  def log(*)
+    print '.'
+  end
+end

data/lib/gem_checks/version.rb

@@ -0,0 +1,3 @@
+class Version
+  VERSION = '0.0.1'
+end

data/lib/gem_checks/vulnerable_version_check.rb

@@ -0,0 +1,17 @@
+require 'gem_checks/gemnasium_client'
+
+class VulnerableVersionCheck
+  def initialize(gemnasium_client: GemnasiumClient.new)
+    @gemnasium_client = gemnasium_client
+  end
+
+  def call(deps)
+    deps.select { |gem| vulnerable?(gem) }
+  end
+
+  private
+
+  def vulnerable?(gem)
+    @gemnasium_client.vulnerable?(gem)
+  end
+end

data/lib/gem_checks.rb

@@ -0,0 +1,33 @@
+require 'gem_checks/dependency_parser'
+require 'gem_checks/vulnerable_version_check'
+require 'gem_checks/gem_collection'
+
+class GemChecks
+  def initialize(dependency_parser: DependencyParser.new,
+                 vulnerable_version_check: VulnerableVersionCheck.new,
+                 lockfile:)
+    @dependency_parser = dependency_parser
+    @vulnerable_version_check = vulnerable_version_check
+    @lockfile = lockfile
+  end
+
+  def display_vulnerable_gems
+    GemCollection.wrap(evaluate).display_vulnerable
+  end
+
+  private
+
+  def evaluate
+    dependencies = parse_dependencies
+    list_vulnerable(dependencies)
+  end
+
+  def parse_dependencies
+    @dependency_parser.parse(@lockfile)
+  end
+
+  def list_vulnerable(deps)
+    @vulnerable_version_check.call(deps)
+  end
+
+end

data/spec/dependency_parser_spec.rb

@@ -0,0 +1,11 @@
+require 'spec_helper'
+require 'gem_checks/dependency_parser'
+
+RSpec.describe DependencyParser do
+  describe '#parse' do
+    it 'parses the file into a list' do
+      lockfile = open_safe_file
+      expect(subject.parse(lockfile)).to eq(safe_parsed_results)
+    end
+  end
+end

data/spec/gem_checks_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+require 'gem_checks'
+
+RSpec.describe GemChecks do
+  class MockVulnerableVersionCheck
+    def call(deps)
+      return [] unless deps.include?(vulnerable_gem)
+      [vulnerable_gem]
+    end
+  end
+
+  describe '#display_vulnerable_gems' do
+    context 'with no vulnerabilities in the lockfile' do
+
+      it 'displays the empty collection message' do
+        lockfile = open_safe_file
+         subject = GemChecks.new(vulnerable_version_check: MockVulnerableVersionCheck.new,
+                                 lockfile: lockfile)
+        expect{ subject.display_vulnerable_gems }.to output(empty_collection_message).to_stdout
+      end
+    end
+
+    context 'with one vulnerability in the lockfile' do
+
+      it 'displays the vulnerable gem' do
+        lockfile = open_unsafe_one_vuln_file
+         subject = GemChecks.new(vulnerable_version_check: MockVulnerableVersionCheck.new,
+                                 lockfile: lockfile)
+        expect{ subject.display_vulnerable_gems }.to output(format_gem_message(vulnerable_gem)).to_stdout
+      end
+    end
+  end
+end

data/spec/gem_collection_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+require 'gem_checks/gem_collection'
+
+RSpec.describe GemCollection do
+  describe '.wrap' do
+    it 'delegates to the underlying collection' do
+      expect(GemCollection.wrap([])).to be_empty
+    end
+  end
+
+  describe '#display_vulnerable' do
+    context 'when the collection is empty' do
+      it 'displays a message that no gems are vulnerable' do
+        assert_wrapped_collection_message(collection: [],
+                                          message: empty_collection_message)
+      end
+    end
+
+    context 'when the collection is not empty' do
+      it 'displays the vulnerable gems' do
+        assert_wrapped_collection_message(collection: [vulnerable_gem],
+                                          message: format_gem_message(vulnerable_gem))
+      end
+    end
+  end
+
+  private
+
+  def assert_wrapped_collection_message(collection:, message:)
+    collection = GemCollection.wrap(collection)
+    expect{ collection.display_vulnerable }.to output(message).to_stdout
+  end
+end

data/spec/gemnasium_client_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+require 'gem_checks/gemnasium_client'
+
+RSpec.describe GemnasiumClient do
+  describe '#vulnerable?', speed: 'slow' do
+    context 'when the gem is not vulnerable' do
+      it 'returns false' do
+        gem = safe_parsed_results.last
+        expect(subject.vulnerable?(gem)).to be_falsey
+      end
+    end
+
+    context 'when the gem is vulnerable' do
+      it 'returns true' do
+        gem = vulnerable_parsed_results.last
+        expect(subject.vulnerable?(gem)).to be_truthy
+      end
+    end
+  end
+end

data/spec/simple_logger_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+require 'gem_checks/simple_logger'
+
+RSpec.describe SimpleLogger do
+  describe '#info' do
+    context 'when the log level is set to info' do
+      it 'prints a "."' do
+        logger = SimpleLogger.new
+        expect { logger.info }.to output('.').to_stdout
+      end
+    end
+
+    context 'when the log level is set to warn' do
+      it 'does not output anything' do
+        logger = SimpleLogger.new(default_level: :warn)
+        expect { logger.info }.not_to output('.').to_stdout
+      end
+    end
+  end
+end

data/spec/vulnerable_version_check_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+require 'gem_checks/vulnerable_version_check'
+
+RSpec.describe VulnerableVersionCheck do
+  class MockGemnasiumClient
+    def vulnerable?(gem)
+      gem == vulnerable_gem
+    end
+  end
+
+  describe '#call' do
+    context 'when there are no vulnerable gems' do
+      it 'returns an empty collection' do
+        subject = VulnerableVersionCheck.new(gemnasium_client: MockGemnasiumClient.new)
+        expect(subject.call(safe_parsed_results)).to be_empty
+      end
+    end
+
+    context 'when there are vulnerable gems' do
+      it 'returns a collection of vulnerable gems' do
+        subject = VulnerableVersionCheck.new(gemnasium_client: MockGemnasiumClient.new)
+        expect(subject.call(vulnerable_parsed_results)).to include(vulnerable_gem)
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,124 @@
+--- !ruby/object:Gem::Specification
+name: gem_checks
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Jacob Chae
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-04-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 11.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 11.1.0
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.6.7
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.7.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.6.7
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.7.2
+description: Validate your Gemfile.lock against Gemnasium.
+email: jacob.chae@mobiledefense.com
+executables:
+- gem_checks
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/gem_checks
+- lib/gem_checks.rb
+- lib/gem_checks/dependency_parser.rb
+- lib/gem_checks/gem_collection.rb
+- lib/gem_checks/gemnasium_client.rb
+- lib/gem_checks/simple_logger.rb
+- lib/gem_checks/version.rb
+- lib/gem_checks/vulnerable_version_check.rb
+- spec/dependency_parser_spec.rb
+- spec/gem_checks_spec.rb
+- spec/gem_collection_spec.rb
+- spec/gemnasium_client_spec.rb
+- spec/simple_logger_spec.rb
+- spec/vulnerable_version_check_spec.rb
+homepage: https://github.com/mobiledefense/gem_checks
+licenses:
+- Apache
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Validate your Gemfile.lock against Gemnasium.
+test_files:
+- spec/dependency_parser_spec.rb
+- spec/gem_checks_spec.rb
+- spec/gem_collection_spec.rb
+- spec/gemnasium_client_spec.rb
+- spec/simple_logger_spec.rb
+- spec/vulnerable_version_check_spec.rb