gem_guard 0.1.0 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a7210ff3d709b761cf8aa01e0c5d770f61b2801d9a9603e2608451f782aa23fb
-  data.tar.gz: c59ee85d130fca43c719d3bcff7a136364e65ec37255af0b2721e6736dc2931e
+  metadata.gz: '073099f4fd844fee5ffd2b5466fbee6df36a8c5b9d640039efb0cbdb4db89b97'
+  data.tar.gz: 21ba615adb70721d4f9ede82e3a43361a92e72e683c53530504913250ccd7309
 SHA512:
-  metadata.gz: ff65c5924a28cc7193569c7b50ac84234aa897d139d2d177eb3f8538a77ba627492458e40205bfb40c5845e16ecefa84a902912933f131735b1ff74d3171500e
-  data.tar.gz: 58228702c7dc55e0594f515aab361cc63afbf6840fc25657f82cdeda252078e90ab5322a1dd5b56b1861f5352c1d7d527ba5fd01b464ac52ba1b92c3e4ca8033
+  metadata.gz: d1bc314331a645c4b2d9791f41d852620fc7a977fc7eaf90ea927743f297057f4af93c40da2788422c8c468b11fbb1ad4d80d59f16cb4a0c9c063f37ebed809c
+  data.tar.gz: 1dc4f927542ae0983fb73a0d285c66f61c93960f1128bde659a313bbda24a7e6625d41acfdc48fcadeb8600f78bdb2f6de2b052e072a553aa78a937ad841b7dc

data/README.md

@@ -1,8 +1,10 @@
 # GemGuard
 
 [![Gem Version](https://badge.fury.io/rb/gem_guard.svg)](https://badge.fury.io/rb/gem_guard)
-[![Build Status](https://github.com/wilbursuero/gem_guard/workflows/CI/badge.svg)](https://github.com/wilbursuero/gem_guard/actions)
+[![CI](https://github.com/wilburhimself/gem_guard/workflows/CI/badge.svg)](https://github.com/wilburhimself/gem_guard/actions/workflows/ci.yml)
+[![Release](https://github.com/wilburhimself/gem_guard/workflows/Release/badge.svg)](https://github.com/wilburhimself/gem_guard/actions/workflows/release.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Security](https://img.shields.io/badge/Security-Policy-blue.svg)](SECURITY.md)
 
 Supply chain security and vulnerability management for Ruby gems. GemGuard provides developers with a comprehensive tool to detect, report, and remediate dependency-related security risks.
 
@@ -79,13 +81,34 @@ Details:
 
 ## Development
 
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+After checking out the repo, run `bundle install` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bundle exec rake standard` to run the linter.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+### Running Tests
+
+```bash
+bundle exec rspec          # Run all tests
+bundle exec rake standard  # Run linter
+bundle exec rake           # Run both tests and linter
+```
+
+### Releasing
+
+Releases are automated via GitHub Actions. To create a new release:
+
+1. Update the version number in `lib/gem_guard/version.rb`
+2. Commit and push to the `main` branch
+3. GitHub Actions will automatically:
+   - Run tests across multiple Ruby versions
+   - Create a git tag
+   - Generate release notes
+   - Create a GitHub release
+   - Publish to RubyGems.org
+
+The release workflow is triggered only when `lib/gem_guard/version.rb` changes.
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/wilbursuero/gem_guard.
+Bug reports and pull requests are welcome on GitHub at https://github.com/wilburhimself/gem_guard.
 
 ## License
 

data/SECURITY.md

@@ -0,0 +1,58 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support the following versions of GemGuard:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.1.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability within GemGuard, please send an email to **security@wilburhimself.com**. All security vulnerabilities will be promptly addressed.
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+### What to include in your report
+
+- A description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact of the vulnerability
+- Any suggested fixes (if you have them)
+
+### Response Timeline
+
+- **Initial Response**: Within 48 hours
+- **Status Update**: Within 7 days
+- **Resolution**: We aim to resolve critical vulnerabilities within 30 days
+
+### Disclosure Policy
+
+- We follow responsible disclosure practices
+- We will acknowledge your contribution in our security advisories (unless you prefer to remain anonymous)
+- We may offer recognition in our contributors list for significant security reports
+
+## Security Features
+
+GemGuard itself implements several security best practices:
+
+- **Input Validation**: All user inputs are validated and sanitized
+- **API Security**: Secure communication with vulnerability databases
+- **Dependency Management**: Regular updates to dependencies
+- **Code Quality**: Comprehensive testing and static analysis
+
+## Security Considerations for Users
+
+When using GemGuard:
+
+- Keep GemGuard updated to the latest version
+- Review vulnerability reports carefully before applying fixes
+- Use GemGuard in your CI/CD pipeline to catch vulnerabilities early
+- Consider the source and severity of reported vulnerabilities
+
+## Contact
+
+For security-related questions or concerns, contact:
+- Email: security@wilburhimself.com
+- GitHub: [@wilburhimself](https://github.com/wilburhimself)

data/gem_guard.gemspec

@@ -8,13 +8,13 @@ Gem::Specification.new do |spec|
 
   spec.summary = "Supply chain security and vulnerability management for Ruby gems"
   spec.description = "A comprehensive tool to detect, report, and remediate dependency-related security risks in Ruby projects. Includes CVE scanning, SBOM generation, and CI/CD integration."
-  spec.homepage = "https://github.com/wilbursuero/gem_guard"
+  spec.homepage = "https://github.com/wilburhimself/gem_guard"
   spec.license = "MIT"
   spec.required_ruby_version = ">= 3.0.0"
 
   spec.metadata["homepage_uri"] = spec.homepage
-  spec.metadata["source_code_uri"] = "https://github.com/wilbursuero/gem_guard"
-  spec.metadata["changelog_uri"] = "https://github.com/wilbursuero/gem_guard/blob/main/CHANGELOG.md"
+  spec.metadata["source_code_uri"] = "https://github.com/wilburhimself/gem_guard"
+  spec.metadata["changelog_uri"] = "https://github.com/wilburhimself/gem_guard/blob/main/CHANGELOG.md"
 
   spec.files = Dir.chdir(__dir__) do
     `git ls-files -z`.split("\x0").reject do |f|
@@ -26,10 +26,10 @@ Gem::Specification.new do |spec|
   spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "bundler", ">= 2.0"
   spec.add_dependency "thor", "~> 1.0"
   spec.add_dependency "json", "~> 2.0"
 
+  spec.add_development_dependency "bundler", ">= 2.0"
   spec.add_development_dependency "rspec", "~> 3.0"
   spec.add_development_dependency "standard", "~> 1.3"
 end

data/lib/gem_guard/cli.rb

@@ -22,6 +22,42 @@ module GemGuard
       exit 1 if analysis.has_vulnerabilities?
     end
 
+    desc "sbom", "Generate Software Bill of Materials (SBOM)"
+    option :format, type: :string, default: "spdx", desc: "SBOM format (spdx, cyclone-dx)"
+    option :lockfile, type: :string, default: "Gemfile.lock", desc: "Path to Gemfile.lock"
+    option :output, type: :string, desc: "Output file path (default: stdout)"
+    option :project, type: :string, default: "ruby-project", desc: "Project name for SBOM"
+    def sbom
+      lockfile_path = options[:lockfile]
+
+      unless File.exist?(lockfile_path)
+        puts "Error: #{lockfile_path} not found"
+        exit 1
+      end
+
+      dependencies = Parser.new.parse(lockfile_path)
+      generator = SbomGenerator.new
+
+      sbom_data = case options[:format].downcase
+      when "spdx"
+        generator.generate_spdx(dependencies, options[:project])
+      when "cyclone-dx", "cyclonedx"
+        generator.generate_cyclone_dx(dependencies, options[:project])
+      else
+        puts "Error: Unsupported format '#{options[:format]}'. Use 'spdx' or 'cyclone-dx'"
+        exit 1
+      end
+
+      output_json = JSON.pretty_generate(sbom_data)
+
+      if options[:output]
+        File.write(options[:output], output_json)
+        puts "SBOM written to #{options[:output]}"
+      else
+        puts output_json
+      end
+    end
+
     desc "version", "Show gem_guard version"
     def version
       puts GemGuard::VERSION

data/lib/gem_guard/sbom_generator.rb

@@ -0,0 +1,152 @@
+require "json"
+require "digest"
+require "time"
+
+module GemGuard
+  class SbomGenerator
+    SPDX_VERSION = "SPDX-2.3"
+    CYCLONE_DX_VERSION = "1.5"
+
+    def initialize
+      @document_id = "SPDXRef-DOCUMENT"
+      @creation_time = Time.now.utc.iso8601
+    end
+
+    def generate_spdx(dependencies, project_name = "ruby-project")
+      {
+        "spdxVersion" => SPDX_VERSION,
+        "dataLicense" => "CC0-1.0",
+        "SPDXID" => @document_id,
+        "name" => "#{project_name}-sbom",
+        "documentNamespace" => "https://gem-guard.dev/#{project_name}/#{@creation_time}",
+        "creationInfo" => {
+          "created" => @creation_time,
+          "creators" => ["Tool: gem_guard-#{GemGuard::VERSION}"],
+          "licenseListVersion" => "3.21"
+        },
+        "packages" => build_spdx_packages(dependencies, project_name),
+        "relationships" => build_spdx_relationships(dependencies)
+      }
+    end
+
+    def generate_cyclone_dx(dependencies, project_name = "ruby-project")
+      {
+        "bomFormat" => "CycloneDX",
+        "specVersion" => CYCLONE_DX_VERSION,
+        "serialNumber" => "urn:uuid:#{generate_uuid}",
+        "version" => 1,
+        "metadata" => {
+          "timestamp" => @creation_time,
+          "tools" => [
+            {
+              "vendor" => "GemGuard",
+              "name" => "gem_guard",
+              "version" => GemGuard::VERSION
+            }
+          ],
+          "component" => {
+            "type" => "application",
+            "name" => project_name,
+            "version" => "1.0.0"
+          }
+        },
+        "components" => build_cyclone_dx_components(dependencies)
+      }
+    end
+
+    private
+
+    def build_spdx_packages(dependencies, project_name)
+      packages = []
+
+      # Add root package
+      packages << {
+        "SPDXID" => "SPDXRef-Package-#{sanitize_name(project_name)}",
+        "name" => project_name,
+        "downloadLocation" => "NOASSERTION",
+        "filesAnalyzed" => false,
+        "copyrightText" => "NOASSERTION"
+      }
+
+      # Add dependency packages
+      dependencies.each_with_index do |dep, index|
+        packages << {
+          "SPDXID" => "SPDXRef-Package-#{sanitize_name(dep.name)}",
+          "name" => dep.name,
+          "versionInfo" => dep.version,
+          "downloadLocation" => gem_download_url(dep.name, dep.version),
+          "filesAnalyzed" => false,
+          "homepage" => gem_homepage_url(dep.name),
+          "copyrightText" => "NOASSERTION",
+          "externalRefs" => [
+            {
+              "referenceCategory" => "PACKAGE-MANAGER",
+              "referenceType" => "purl",
+              "referenceLocator" => "pkg:gem/#{dep.name}@#{dep.version}"
+            }
+          ]
+        }
+      end
+
+      packages
+    end
+
+    def build_spdx_relationships(dependencies)
+      relationships = []
+
+      dependencies.each do |dep|
+        relationships << {
+          "spdxElementId" => @document_id,
+          "relationshipType" => "DESCRIBES",
+          "relatedSpdxElement" => "SPDXRef-Package-#{sanitize_name(dep.name)}"
+        }
+      end
+
+      relationships
+    end
+
+    def build_cyclone_dx_components(dependencies)
+      dependencies.map do |dep|
+        {
+          "type" => "library",
+          "bom-ref" => "pkg:gem/#{dep.name}@#{dep.version}",
+          "name" => dep.name,
+          "version" => dep.version,
+          "purl" => "pkg:gem/#{dep.name}@#{dep.version}",
+          "externalReferences" => [
+            {
+              "type" => "distribution",
+              "url" => gem_download_url(dep.name, dep.version)
+            },
+            {
+              "type" => "website",
+              "url" => gem_homepage_url(dep.name)
+            }
+          ]
+        }
+      end
+    end
+
+    def sanitize_name(name)
+      name.gsub(/[^a-zA-Z0-9\-_]/, "-")
+    end
+
+    def gem_download_url(name, version)
+      "https://rubygems.org/downloads/#{name}-#{version}.gem"
+    end
+
+    def gem_homepage_url(name)
+      "https://rubygems.org/gems/#{name}"
+    end
+
+    def generate_uuid
+      # Simple UUID v4 generation
+      bytes = Array.new(16) { rand(256) }
+      bytes[6] = (bytes[6] & 0x0f) | 0x40  # Version 4
+      bytes[8] = (bytes[8] & 0x3f) | 0x80  # Variant bits
+
+      format = "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x"
+      format % bytes
+    end
+  end
+end

data/lib/gem_guard/version.rb

@@ -1,3 +1,3 @@
 module GemGuard
-  VERSION = "0.1.0"
+  VERSION = "0.1.6"
 end

data/lib/gem_guard.rb

@@ -1,9 +1,10 @@
 require_relative "gem_guard/version"
-require_relative "gem_guard/cli"
 require_relative "gem_guard/parser"
 require_relative "gem_guard/vulnerability_fetcher"
 require_relative "gem_guard/analyzer"
 require_relative "gem_guard/reporter"
+require_relative "gem_guard/sbom_generator"
+require_relative "gem_guard/cli"
 
 module GemGuard
   class Error < StandardError; end

metadata

@@ -1,54 +1,55 @@
 --- !ruby/object:Gem::Specification
 name: gem_guard
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.6
 platform: ruby
 authors:
 - Wilbur Suero
+autorequire:
 bindir: exe
 cert_chain: []
 date: 2025-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: thor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: thor
+  name: json
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: json
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
@@ -93,23 +94,27 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- SECURITY.md
 - exe/gem_guard
+- gem_guard-0.1.0.gem
 - gem_guard.gemspec
 - lib/gem_guard.rb
 - lib/gem_guard/analyzer.rb
 - lib/gem_guard/cli.rb
 - lib/gem_guard/parser.rb
 - lib/gem_guard/reporter.rb
+- lib/gem_guard/sbom_generator.rb
 - lib/gem_guard/version.rb
 - lib/gem_guard/vulnerability_fetcher.rb
 - plan.md
-homepage: https://github.com/wilbursuero/gem_guard
+homepage: https://github.com/wilburhimself/gem_guard
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://github.com/wilbursuero/gem_guard
-  source_code_uri: https://github.com/wilbursuero/gem_guard
-  changelog_uri: https://github.com/wilbursuero/gem_guard/blob/main/CHANGELOG.md
+  homepage_uri: https://github.com/wilburhimself/gem_guard
+  source_code_uri: https://github.com/wilburhimself/gem_guard
+  changelog_uri: https://github.com/wilburhimself/gem_guard/blob/main/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -124,7 +129,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: Supply chain security and vulnerability management for Ruby gems
 test_files: []