RubyGems - gem_guard - Versions diffs - 0.1.0 → 0.1.6 - Mend

gem_guard 0.1.0 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/README.md +27 -4
data/SECURITY.md +58 -0
data/gem_guard-0.1.0.gem +0 -0
data/gem_guard.gemspec +4 -4
data/lib/gem_guard/cli.rb +36 -0
data/lib/gem_guard/sbom_generator.rb +152 -0
data/lib/gem_guard/version.rb +1 -1
data/lib/gem_guard.rb +2 -1
metadata +24 -18

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a7210ff3d709b761cf8aa01e0c5d770f61b2801d9a9603e2608451f782aa23fb
-  data.tar.gz: c59ee85d130fca43c719d3bcff7a136364e65ec37255af0b2721e6736dc2931e
+  metadata.gz: '073099f4fd844fee5ffd2b5466fbee6df36a8c5b9d640039efb0cbdb4db89b97'
+  data.tar.gz: 21ba615adb70721d4f9ede82e3a43361a92e72e683c53530504913250ccd7309
 SHA512:
-  metadata.gz: ff65c5924a28cc7193569c7b50ac84234aa897d139d2d177eb3f8538a77ba627492458e40205bfb40c5845e16ecefa84a902912933f131735b1ff74d3171500e
-  data.tar.gz: 58228702c7dc55e0594f515aab361cc63afbf6840fc25657f82cdeda252078e90ab5322a1dd5b56b1861f5352c1d7d527ba5fd01b464ac52ba1b92c3e4ca8033
+  metadata.gz: d1bc314331a645c4b2d9791f41d852620fc7a977fc7eaf90ea927743f297057f4af93c40da2788422c8c468b11fbb1ad4d80d59f16cb4a0c9c063f37ebed809c
+  data.tar.gz: 1dc4f927542ae0983fb73a0d285c66f61c93960f1128bde659a313bbda24a7e6625d41acfdc48fcadeb8600f78bdb2f6de2b052e072a553aa78a937ad841b7dc

data/README.md CHANGED Viewed

@@ -1,8 +1,10 @@
 # GemGuard
 [![Gem Version](https://badge.fury.io/rb/gem_guard.svg)](https://badge.fury.io/rb/gem_guard)
-[![Build Status](https://github.com/wilbursuero/gem_guard/workflows/CI/badge.svg)](https://github.com/wilbursuero/gem_guard/actions)
+[![CI](https://github.com/wilburhimself/gem_guard/workflows/CI/badge.svg)](https://github.com/wilburhimself/gem_guard/actions/workflows/ci.yml)
+[![Release](https://github.com/wilburhimself/gem_guard/workflows/Release/badge.svg)](https://github.com/wilburhimself/gem_guard/actions/workflows/release.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Security](https://img.shields.io/badge/Security-Policy-blue.svg)](SECURITY.md)
 Supply chain security and vulnerability management for Ruby gems. GemGuard provides developers with a comprehensive tool to detect, report, and remediate dependency-related security risks.
@@ -79,13 +81,34 @@ Details:
 ## Development
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `bundle install` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bundle exec rake standard` to run the linter.
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+### Running Tests
+```bash
+bundle exec rspec          # Run all tests
+bundle exec rake standard  # Run linter
+bundle exec rake           # Run both tests and linter
+```
+### Releasing
+Releases are automated via GitHub Actions. To create a new release:
+1. Update the version number in `lib/gem_guard/version.rb`
+2. Commit and push to the `main` branch
+3. GitHub Actions will automatically:
+   - Run tests across multiple Ruby versions
+   - Create a git tag
+   - Generate release notes
+   - Create a GitHub release
+   - Publish to RubyGems.org
+The release workflow is triggered only when `lib/gem_guard/version.rb` changes.
 ## Contributing
-Bug reports and pull requests are welcome on GitHub at https://github.com/wilbursuero/gem_guard.
+Bug reports and pull requests are welcome on GitHub at https://github.com/wilburhimself/gem_guard.
 ## License

data/SECURITY.md ADDED Viewed

@@ -0,0 +1,58 @@
+# Security Policy
+## Supported Versions
+We actively support the following versions of GemGuard:
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.1.x   | :white_check_mark: |
+## Reporting a Vulnerability
+If you discover a security vulnerability within GemGuard, please send an email to **security@wilburhimself.com**. All security vulnerabilities will be promptly addressed.
+**Please do not report security vulnerabilities through public GitHub issues.**
+### What to include in your report
+- A description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact of the vulnerability
+- Any suggested fixes (if you have them)
+### Response Timeline
+- **Initial Response**: Within 48 hours
+- **Status Update**: Within 7 days
+- **Resolution**: We aim to resolve critical vulnerabilities within 30 days
+### Disclosure Policy
+- We follow responsible disclosure practices
+- We will acknowledge your contribution in our security advisories (unless you prefer to remain anonymous)
+- We may offer recognition in our contributors list for significant security reports
+## Security Features
+GemGuard itself implements several security best practices:
+- **Input Validation**: All user inputs are validated and sanitized
+- **API Security**: Secure communication with vulnerability databases
+- **Dependency Management**: Regular updates to dependencies
+- **Code Quality**: Comprehensive testing and static analysis
+## Security Considerations for Users
+When using GemGuard:
+- Keep GemGuard updated to the latest version
+- Review vulnerability reports carefully before applying fixes
+- Use GemGuard in your CI/CD pipeline to catch vulnerabilities early
+- Consider the source and severity of reported vulnerabilities
+## Contact
+For security-related questions or concerns, contact:
+- Email: security@wilburhimself.com
+- GitHub: [@wilburhimself](https://github.com/wilburhimself)

data/gem_guard-0.1.0.gem ADDED Viewed

Binary file

data/gem_guard.gemspec CHANGED Viewed

@@ -8,13 +8,13 @@ Gem::Specification.new do |spec|
   spec.summary = "Supply chain security and vulnerability management for Ruby gems"
   spec.description = "A comprehensive tool to detect, report, and remediate dependency-related security risks in Ruby projects. Includes CVE scanning, SBOM generation, and CI/CD integration."
-  spec.homepage = "https://github.com/wilbursuero/gem_guard"
+  spec.homepage = "https://github.com/wilburhimself/gem_guard"
   spec.license = "MIT"
   spec.required_ruby_version = ">= 3.0.0"
   spec.metadata["homepage_uri"] = spec.homepage
-  spec.metadata["source_code_uri"] = "https://github.com/wilbursuero/gem_guard"
-  spec.metadata["changelog_uri"] = "https://github.com/wilbursuero/gem_guard/blob/main/CHANGELOG.md"
+  spec.metadata["source_code_uri"] = "https://github.com/wilburhimself/gem_guard"
+  spec.metadata["changelog_uri"] = "https://github.com/wilburhimself/gem_guard/blob/main/CHANGELOG.md"
   spec.files = Dir.chdir(__dir__) do
     `git ls-files -z`.split("\x0").reject do |f|
@@ -26,10 +26,10 @@ Gem::Specification.new do |spec|
   spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_dependency "bundler", ">= 2.0"
   spec.add_dependency "thor", "~> 1.0"
   spec.add_dependency "json", "~> 2.0"
+  spec.add_development_dependency "bundler", ">= 2.0"
   spec.add_development_dependency "rspec", "~> 3.0"
   spec.add_development_dependency "standard", "~> 1.3"
 end

data/lib/gem_guard/cli.rb CHANGED Viewed

@@ -22,6 +22,42 @@ module GemGuard
       exit 1 if analysis.has_vulnerabilities?
     end
+    desc "sbom", "Generate Software Bill of Materials (SBOM)"
+    option :format, type: :string, default: "spdx", desc: "SBOM format (spdx, cyclone-dx)"
+    option :lockfile, type: :string, default: "Gemfile.lock", desc: "Path to Gemfile.lock"
+    option :output, type: :string, desc: "Output file path (default: stdout)"
+    option :project, type: :string, default: "ruby-project", desc: "Project name for SBOM"
+    def sbom
+      lockfile_path = options[:lockfile]
+      unless File.exist?(lockfile_path)
+        puts "Error: #{lockfile_path} not found"
+        exit 1
+      end
+      dependencies = Parser.new.parse(lockfile_path)
+      generator = SbomGenerator.new
+      sbom_data = case options[:format].downcase
+      when "spdx"
+        generator.generate_spdx(dependencies, options[:project])
+      when "cyclone-dx", "cyclonedx"
+        generator.generate_cyclone_dx(dependencies, options[:project])
+      else
+        puts "Error: Unsupported format '#{options[:format]}'. Use 'spdx' or 'cyclone-dx'"
+        exit 1
+      end
+      output_json = JSON.pretty_generate(sbom_data)
+      if options[:output]
+        File.write(options[:output], output_json)
+        puts "SBOM written to #{options[:output]}"
+      else
+        puts output_json
+      end
+    end
     desc "version", "Show gem_guard version"
     def version
       puts GemGuard::VERSION

data/lib/gem_guard/sbom_generator.rb ADDED Viewed

@@ -0,0 +1,152 @@
+require "json"
+require "digest"
+require "time"
+module GemGuard
+  class SbomGenerator
+    SPDX_VERSION = "SPDX-2.3"
+    CYCLONE_DX_VERSION = "1.5"
+    def initialize
+      @document_id = "SPDXRef-DOCUMENT"
+      @creation_time = Time.now.utc.iso8601
+    end
+    def generate_spdx(dependencies, project_name = "ruby-project")
+      {
+        "spdxVersion" => SPDX_VERSION,
+        "dataLicense" => "CC0-1.0",
+        "SPDXID" => @document_id,
+        "name" => "#{project_name}-sbom",
+        "documentNamespace" => "https://gem-guard.dev/#{project_name}/#{@creation_time}",
+        "creationInfo" => {
+          "created" => @creation_time,
+          "creators" => ["Tool: gem_guard-#{GemGuard::VERSION}"],
+          "licenseListVersion" => "3.21"
+        },
+        "packages" => build_spdx_packages(dependencies, project_name),
+        "relationships" => build_spdx_relationships(dependencies)
+      }
+    end
+    def generate_cyclone_dx(dependencies, project_name = "ruby-project")
+      {
+        "bomFormat" => "CycloneDX",
+        "specVersion" => CYCLONE_DX_VERSION,
+        "serialNumber" => "urn:uuid:#{generate_uuid}",
+        "version" => 1,
+        "metadata" => {
+          "timestamp" => @creation_time,
+          "tools" => [
+            {
+              "vendor" => "GemGuard",
+              "name" => "gem_guard",
+              "version" => GemGuard::VERSION
+            }
+          ],
+          "component" => {
+            "type" => "application",
+            "name" => project_name,
+            "version" => "1.0.0"
+          }
+        },
+        "components" => build_cyclone_dx_components(dependencies)
+      }
+    end
+    private
+    def build_spdx_packages(dependencies, project_name)
+      packages = []
+      # Add root package
+      packages << {
+        "SPDXID" => "SPDXRef-Package-#{sanitize_name(project_name)}",
+        "name" => project_name,
+        "downloadLocation" => "NOASSERTION",
+        "filesAnalyzed" => false,
+        "copyrightText" => "NOASSERTION"
+      }
+      # Add dependency packages
+      dependencies.each_with_index do |dep, index|
+        packages << {
+          "SPDXID" => "SPDXRef-Package-#{sanitize_name(dep.name)}",
+          "name" => dep.name,
+          "versionInfo" => dep.version,
+          "downloadLocation" => gem_download_url(dep.name, dep.version),
+          "filesAnalyzed" => false,
+          "homepage" => gem_homepage_url(dep.name),
+          "copyrightText" => "NOASSERTION",
+          "externalRefs" => [
+            {
+              "referenceCategory" => "PACKAGE-MANAGER",
+              "referenceType" => "purl",
+              "referenceLocator" => "pkg:gem/#{dep.name}@#{dep.version}"
+            }
+          ]
+        }
+      end
+      packages
+    end
+    def build_spdx_relationships(dependencies)
+      relationships = []
+      dependencies.each do |dep|
+        relationships << {
+          "spdxElementId" => @document_id,
+          "relationshipType" => "DESCRIBES",
+          "relatedSpdxElement" => "SPDXRef-Package-#{sanitize_name(dep.name)}"
+        }
+      end
+      relationships
+    end
+    def build_cyclone_dx_components(dependencies)
+      dependencies.map do |dep|
+        {
+          "type" => "library",
+          "bom-ref" => "pkg:gem/#{dep.name}@#{dep.version}",
+          "name" => dep.name,
+          "version" => dep.version,
+          "purl" => "pkg:gem/#{dep.name}@#{dep.version}",
+          "externalReferences" => [
+            {
+              "type" => "distribution",
+              "url" => gem_download_url(dep.name, dep.version)
+            },
+            {
+              "type" => "website",
+              "url" => gem_homepage_url(dep.name)
+            }
+          ]
+        }
+      end
+    end
+    def sanitize_name(name)
+      name.gsub(/[^a-zA-Z0-9\-_]/, "-")
+    end
+    def gem_download_url(name, version)
+      "https://rubygems.org/downloads/#{name}-#{version}.gem"
+    end
+    def gem_homepage_url(name)
+      "https://rubygems.org/gems/#{name}"
+    end
+    def generate_uuid
+      # Simple UUID v4 generation
+      bytes = Array.new(16) { rand(256) }
+      bytes[6] = (bytes[6] & 0x0f) | 0x40  # Version 4
+      bytes[8] = (bytes[8] & 0x3f) | 0x80  # Variant bits
+      format = "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x"
+      format % bytes
+    end
+  end
+end

data/lib/gem_guard/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module GemGuard
-  VERSION = "0.1.0"
+  VERSION = "0.1.6"
 end

data/lib/gem_guard.rb CHANGED Viewed

@@ -1,9 +1,10 @@
 require_relative "gem_guard/version"
-require_relative "gem_guard/cli"
 require_relative "gem_guard/parser"
 require_relative "gem_guard/vulnerability_fetcher"
 require_relative "gem_guard/analyzer"
 require_relative "gem_guard/reporter"
+require_relative "gem_guard/sbom_generator"
+require_relative "gem_guard/cli"
 module GemGuard
   class Error < StandardError; end

metadata CHANGED Viewed

@@ -1,54 +1,55 @@
 --- !ruby/object:Gem::Specification
 name: gem_guard
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.6
 platform: ruby
 authors:
 - Wilbur Suero
+autorequire:
 bindir: exe
 cert_chain: []
 date: 2025-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: thor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: thor
+  name: json
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: json
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
@@ -93,23 +94,27 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- SECURITY.md
 - exe/gem_guard
+- gem_guard-0.1.0.gem
 - gem_guard.gemspec
 - lib/gem_guard.rb
 - lib/gem_guard/analyzer.rb
 - lib/gem_guard/cli.rb
 - lib/gem_guard/parser.rb
 - lib/gem_guard/reporter.rb
+- lib/gem_guard/sbom_generator.rb
 - lib/gem_guard/version.rb
 - lib/gem_guard/vulnerability_fetcher.rb
 - plan.md
-homepage: https://github.com/wilbursuero/gem_guard
+homepage: https://github.com/wilburhimself/gem_guard
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://github.com/wilbursuero/gem_guard
-  source_code_uri: https://github.com/wilbursuero/gem_guard
-  changelog_uri: https://github.com/wilbursuero/gem_guard/blob/main/CHANGELOG.md
+  homepage_uri: https://github.com/wilburhimself/gem_guard
+  source_code_uri: https://github.com/wilburhimself/gem_guard
+  changelog_uri: https://github.com/wilburhimself/gem_guard/blob/main/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -124,7 +129,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: Supply chain security and vulnerability management for Ruby gems
 test_files: []