gem_guard 0.1.6 → 0.1.10

data/lib/gem_guard/cli.rb

@@ -1,25 +1,65 @@
 require "thor"
+require "stringio"
 
 module GemGuard
   class CLI < Thor
+    # Exit codes for CI/CD integration
+    EXIT_SUCCESS = 0
+    EXIT_VULNERABILITIES_FOUND = 1
+    EXIT_ERROR = 2
+
     desc "scan", "Scan dependencies for known vulnerabilities"
-    option :format, type: :string, default: "table", desc: "Output format (table, json)"
-    option :lockfile, type: :string, default: "Gemfile.lock", desc: "Path to Gemfile.lock"
+    option :format, type: :string, desc: "Output format (table, json)"
+    option :lockfile, type: :string, desc: "Path to Gemfile.lock"
+    option :config, type: :string, default: ".gemguard.yml", desc: "Path to config file"
+    option :fail_on_vulnerabilities, type: :boolean, desc: "Exit with code 1 if vulnerabilities found"
+    option :severity_threshold, type: :string, desc: "Minimum severity level (low, medium, high, critical)"
+    option :output, type: :string, desc: "Output file path"
     def scan
-      lockfile_path = options[:lockfile]
+      config = Config.new(options[:config])
+
+      # Override config with CLI options
+      lockfile_path = options[:lockfile] || config.lockfile_path
+      format = options[:format] || config.output_format
+      fail_on_vulns = options[:fail_on_vulnerabilities].nil? ? config.fail_on_vulnerabilities? : options[:fail_on_vulnerabilities]
+      severity_threshold = options[:severity_threshold] || config.severity_threshold
+      output_file = options[:output] || config.output_file
 
       unless File.exist?(lockfile_path)
         puts "Error: #{lockfile_path} not found"
-        exit 1
+        exit EXIT_ERROR
       end
 
-      dependencies = Parser.new.parse(lockfile_path)
-      vulnerabilities = VulnerabilityFetcher.new.fetch_for(dependencies)
-      analysis = Analyzer.new.analyze(dependencies, vulnerabilities)
+      begin
+        dependencies = Parser.new.parse(lockfile_path)
+        vulnerabilities = VulnerabilityFetcher.new.fetch_for(dependencies)
+
+        # Filter vulnerabilities based on config
+        filtered_vulnerabilities = filter_vulnerabilities(vulnerabilities, config)
+
+        analysis = Analyzer.new.analyze(dependencies, filtered_vulnerabilities)
 
-      Reporter.new.report(analysis, format: options[:format])
+        # Filter analysis based on severity threshold
+        filtered_analysis = filter_analysis_by_severity(analysis, severity_threshold, config)
 
-      exit 1 if analysis.has_vulnerabilities?
+        if output_file
+          output_content = capture_report_output(filtered_analysis, format)
+          File.write(output_file, output_content)
+          puts "Report written to #{output_file}"
+        else
+          Reporter.new.report(filtered_analysis, format: format)
+        end
+
+        # Exit with appropriate code for CI/CD
+        if filtered_analysis.has_vulnerabilities? && fail_on_vulns
+          exit EXIT_VULNERABILITIES_FOUND
+        else
+          exit EXIT_SUCCESS
+        end
+      rescue => e
+        puts "Error: #{e.message}"
+        exit EXIT_ERROR
+      end
     end
 
     desc "sbom", "Generate Software Bill of Materials (SBOM)"
@@ -58,9 +98,210 @@ module GemGuard
       end
     end
 
+    desc "typosquat", "Check for potential typosquat dependencies"
+    option :lockfile, type: :string, default: "Gemfile.lock", desc: "Path to Gemfile.lock"
+    option :format, type: :string, default: "table", desc: "Output format (table, json)"
+    option :output, type: :string, desc: "Output file path"
+    option :config, type: :string, desc: "Config file path"
+    def typosquat
+      config = Config.new(options[:config] || ".gemguard.yml")
+
+      lockfile_path = options[:lockfile] || config.lockfile_path
+      format = options[:format] || config.output_format
+      output_file = options[:output] || config.output_file
+
+      unless File.exist?(lockfile_path)
+        puts "Error: #{lockfile_path} not found"
+        exit EXIT_ERROR
+      end
+
+      begin
+        dependencies = Parser.new.parse(lockfile_path)
+        checker = TyposquatChecker.new
+        suspicious_gems = checker.check_dependencies(dependencies)
+
+        if output_file
+          output_content = format_typosquat_output(suspicious_gems, format)
+          File.write(output_file, output_content)
+          puts "Typosquat report written to #{output_file}"
+        else
+          display_typosquat_results(suspicious_gems, format)
+        end
+
+        # Exit with appropriate code
+        if suspicious_gems.any? { |sg| sg[:risk_level] == "critical" || sg[:risk_level] == "high" }
+          exit EXIT_VULNERABILITIES_FOUND
+        else
+          exit EXIT_SUCCESS
+        end
+      rescue => e
+        puts "Error: #{e.message}"
+        exit EXIT_ERROR
+      end
+    end
+
+    desc "config", "Manage configuration"
+    option :init, type: :boolean, desc: "Initialize default config file"
+    option :show, type: :boolean, desc: "Show current configuration"
+    option :path, type: :string, default: ".gemguard.yml", desc: "Config file path"
+    def config
+      config_file = Config.new(options[:path])
+
+      if options[:init]
+        if File.exist?(options[:path])
+          puts "Config file #{options[:path]} already exists"
+          exit EXIT_ERROR
+        end
+
+        # Create default config file
+        default_config = {
+          "lockfile" => "Gemfile.lock",
+          "format" => "table",
+          "fail_on_vulnerabilities" => true,
+          "severity_threshold" => "low",
+          "ignore_vulnerabilities" => [],
+          "ignore_gems" => [],
+          "output_file" => nil,
+          "project_name" => config_file.send(:detect_project_name),
+          "sbom" => {
+            "format" => "spdx",
+            "include_dev_dependencies" => false
+          },
+          "scan" => {
+            "sources" => ["osv", "ruby_advisory_db"],
+            "timeout" => 30
+          }
+        }
+
+        File.write(options[:path], YAML.dump(default_config))
+        puts "Created #{options[:path]} with default configuration"
+      elsif options[:show]
+        if config_file.exists?
+          puts File.read(options[:path])
+        else
+          puts "No config file found at #{options[:path]}"
+          puts "Run 'gem_guard config --init' to create one"
+        end
+      else
+        puts "Usage: gem_guard config [--init|--show] [--path PATH]"
+        puts "  --init  Create a new .gemguard.yml config file"
+        puts "  --show  Display current configuration"
+        puts "  --path  Specify config file path (default: .gemguard.yml)"
+      end
+    end
+
     desc "version", "Show gem_guard version"
     def version
       puts GemGuard::VERSION
     end
+
+    private
+
+    def filter_vulnerabilities(vulnerabilities, config)
+      vulnerabilities.reject do |vuln|
+        config.should_ignore_vulnerability?(vuln.id)
+      end
+    end
+
+    def filter_analysis_by_severity(analysis, severity_threshold, config)
+      return analysis unless severity_threshold
+
+      filtered_vulnerable_deps = analysis.vulnerable_dependencies.select do |vuln_dep|
+        config.meets_severity_threshold?(extract_severity_level(vuln_dep.vulnerability.severity))
+      end
+
+      # Create new analysis with filtered vulnerabilities
+      GemGuard::Analysis.new(filtered_vulnerable_deps)
+    end
+
+    def extract_severity_level(severity_string)
+      return "unknown" if severity_string.nil? || severity_string.empty?
+
+      # Extract severity from CVSS string or direct severity
+      case severity_string.downcase
+      when /critical/
+        "critical"
+      when /high/
+        "high"
+      when /medium/
+        "medium"
+      when /low/
+        "low"
+      else
+        "unknown"
+      end
+    end
+
+    def capture_report_output(analysis, format)
+      output = StringIO.new
+      old_stdout = $stdout
+      $stdout = output
+
+      Reporter.new.report(analysis, format: format)
+
+      $stdout = old_stdout
+      output.string
+    end
+
+    def display_typosquat_results(suspicious_gems, format)
+      if suspicious_gems.empty?
+        puts "No potential typosquat dependencies found."
+        return
+      end
+
+      case format.downcase
+      when "json"
+        puts JSON.pretty_generate(suspicious_gems)
+      else
+        display_typosquat_table(suspicious_gems)
+      end
+    end
+
+    def display_typosquat_table(suspicious_gems)
+      puts "\n🚨 Potential Typosquat Dependencies Found:"
+      puts "=" * 80
+
+      suspicious_gems.each do |gem_info|
+        risk_emoji = case gem_info[:risk_level]
+        when "critical" then "🔴"
+        when "high" then "🟠"
+        when "medium" then "🟡"
+        else "🟢"
+        end
+
+        puts "\n#{risk_emoji} #{gem_info[:gem_name]} (#{gem_info[:version]})"
+        puts "   Suspected target: #{gem_info[:suspected_target]}"
+        puts "   Similarity: #{(gem_info[:similarity_score] * 100).round(1)}%"
+        puts "   Risk level: #{gem_info[:risk_level].upcase}"
+        puts "   Target downloads: #{number_with_commas(gem_info[:target_downloads])}"
+      end
+
+      puts "\n" + "=" * 80
+      puts "💡 Review these dependencies carefully. Consider:"
+      puts "   • Verifying the gem's legitimacy on rubygems.org"
+      puts "   • Checking the gem's source code repository"
+      puts "   • Looking for official documentation or endorsements"
+      puts "   • Comparing with the suspected target gem"
+    end
+
+    def format_typosquat_output(suspicious_gems, format)
+      case format.downcase
+      when "json"
+        JSON.pretty_generate(suspicious_gems)
+      else
+        output = StringIO.new
+        old_stdout = $stdout
+        $stdout = output
+
+        display_typosquat_table(suspicious_gems)
+
+        $stdout = old_stdout
+        output.string
+      end
+    end
+
+    def number_with_commas(number)
+      number.to_s.reverse.gsub(/(\d{3})(?=\d)/, '\\1,').reverse
+    end
   end
 end

data/lib/gem_guard/config.rb

@@ -0,0 +1,193 @@
+require "yaml"
+
+module GemGuard
+  class Config
+    DEFAULT_CONFIG = {
+      "lockfile" => "Gemfile.lock",
+      "format" => "table",
+      "fail_on_vulnerabilities" => true,
+      "severity_threshold" => "low",
+      "ignore_vulnerabilities" => [],
+      "ignore_gems" => [],
+      "output_file" => nil,
+      "project_name" => nil,
+      "sbom" => {
+        "format" => "spdx",
+        "include_dev_dependencies" => false
+      },
+      "scan" => {
+        "sources" => ["osv", "ruby_advisory_db"],
+        "timeout" => 30
+      }
+    }.freeze
+
+    SEVERITY_LEVELS = %w[low medium high critical].freeze
+
+    def initialize(config_path = ".gemguard.yml")
+      @config_path = config_path
+      @config = load_config
+    end
+
+    def get(key)
+      keys = key.split(".")
+      value = @config
+
+      keys.each do |k|
+        value = value[k] if value.is_a?(Hash)
+      end
+
+      value
+    end
+
+    def set(key, value)
+      keys = key.split(".")
+      target = @config
+
+      keys[0..-2].each do |k|
+        target[k] ||= {}
+        target = target[k]
+      end
+
+      target[keys.last] = value
+    end
+
+    def save
+      File.write(@config_path, YAML.dump(@config))
+    end
+
+    def exists?
+      File.exist?(@config_path)
+    end
+
+    def lockfile_path
+      get("lockfile")
+    end
+
+    def output_format
+      get("format")
+    end
+
+    def fail_on_vulnerabilities?
+      get("fail_on_vulnerabilities")
+    end
+
+    def severity_threshold
+      get("severity_threshold")
+    end
+
+    def ignored_vulnerabilities
+      get("ignore_vulnerabilities") || []
+    end
+
+    def ignored_gems
+      get("ignore_gems") || []
+    end
+
+    def output_file
+      get("output_file")
+    end
+
+    def project_name
+      get("project_name") || detect_project_name
+    end
+
+    def sbom_format
+      get("sbom.format")
+    end
+
+    def include_dev_dependencies?
+      get("sbom.include_dev_dependencies")
+    end
+
+    def vulnerability_sources
+      get("scan.sources")
+    end
+
+    def scan_timeout
+      get("scan.timeout")
+    end
+
+    def should_ignore_vulnerability?(vulnerability_id)
+      ignored_vulnerabilities.include?(vulnerability_id)
+    end
+
+    def should_ignore_gem?(gem_name)
+      ignored_gems.include?(gem_name)
+    end
+
+    def meets_severity_threshold?(severity)
+      return true if severity.nil? || severity.empty?
+
+      severity_index = SEVERITY_LEVELS.index(severity.downcase)
+      threshold_index = SEVERITY_LEVELS.index(severity_threshold.downcase)
+
+      return true if severity_index.nil? || threshold_index.nil?
+
+      severity_index >= threshold_index
+    end
+
+    private
+
+    def load_config
+      if File.exist?(@config_path)
+        user_config = YAML.load_file(@config_path) || {}
+        deep_merge(deep_dup(DEFAULT_CONFIG), user_config)
+      else
+        deep_dup(DEFAULT_CONFIG)
+      end
+    rescue Psych::SyntaxError => e
+      puts "Warning: Invalid YAML in #{@config_path}: #{e.message}"
+      puts "Using default configuration."
+      deep_dup(DEFAULT_CONFIG)
+    end
+
+    def deep_dup(obj)
+      case obj
+      when Hash
+        obj.each_with_object({}) { |(key, value), hash| hash[key] = deep_dup(value) }
+      when Array
+        obj.map { |item| deep_dup(item) }
+      else
+        begin
+          obj.dup
+        rescue
+          obj
+        end
+      end
+    end
+
+    def deep_merge(hash1, hash2)
+      result = hash1.dup
+
+      hash2.each do |key, value|
+        result[key] = if result[key].is_a?(Hash) && value.is_a?(Hash)
+          deep_merge(result[key], value)
+        else
+          value
+        end
+      end
+
+      result
+    end
+
+    def detect_project_name
+      # Try to detect project name from various sources
+      if File.exist?("Gemfile")
+        gemfile_content = File.read("Gemfile")
+        if gemfile_content =~ /gem\s+['"]([^'"]+)['"]/
+          return $1
+        end
+      end
+
+      if File.exist?("*.gemspec")
+        gemspec_files = Dir.glob("*.gemspec")
+        unless gemspec_files.empty?
+          return File.basename(gemspec_files.first, ".gemspec")
+        end
+      end
+
+      # Fallback to directory name
+      File.basename(Dir.pwd)
+    end
+  end
+end

data/lib/gem_guard/parser.rb

@@ -16,7 +16,9 @@ module GemGuard
         )
       end
 
-      dependencies
+      # Deduplicate dependencies by name to handle platform-specific gems
+      # (e.g., nokogiri-arm64-darwin, nokogiri-x86_64-darwin, etc.)
+      dependencies.uniq { |dep| dep.name }
     end
 
     private

data/lib/gem_guard/typosquat_checker.rb

@@ -0,0 +1,157 @@
+require "net/http"
+require "json"
+require "uri"
+
+module GemGuard
+  class TyposquatChecker
+    POPULAR_GEMS_CACHE_TTL = 3600 # 1 hour
+    SIMILARITY_THRESHOLD = 0.8
+    MIN_POPULAR_GEM_DOWNLOADS = 1_000_000
+
+    def initialize
+      @popular_gems_cache = nil
+      @cache_timestamp = nil
+    end
+
+    def check_dependencies(dependencies)
+      suspicious_gems = []
+      popular_gems = fetch_popular_gems
+
+      dependencies.each do |dependency|
+        suspicious_match = find_suspicious_match(dependency.name, popular_gems)
+        if suspicious_match
+          suspicious_gems << {
+            gem_name: dependency.name,
+            version: dependency.version,
+            suspected_target: suspicious_match[:name],
+            similarity_score: suspicious_match[:similarity],
+            target_downloads: suspicious_match[:downloads],
+            risk_level: calculate_risk_level(suspicious_match[:similarity])
+          }
+        end
+      end
+
+      suspicious_gems
+    end
+
+    private
+
+    def fetch_popular_gems
+      return @popular_gems_cache if cache_valid?
+
+      begin
+        # Use fallback popular gems list for now since RubyGems API structure is complex
+        # In a production environment, you might want to use a different data source
+        # or scrape the RubyGems.org popular page
+        @popular_gems_cache = fallback_popular_gems
+        @cache_timestamp = Time.now
+        @popular_gems_cache
+      rescue
+        # Silently fall back to hardcoded list - no need to warn user
+        fallback_popular_gems
+      end
+    end
+
+    def cache_valid?
+      @popular_gems_cache && @cache_timestamp &&
+        (Time.now - @cache_timestamp) < POPULAR_GEMS_CACHE_TTL
+    end
+
+    def find_suspicious_match(gem_name, popular_gems)
+      return nil if popular_gems.any? { |pg| pg[:name] == gem_name }
+
+      best_match = nil
+      highest_similarity = 0
+
+      popular_gems.each do |popular_gem|
+        similarity = calculate_similarity(gem_name, popular_gem[:name])
+
+        if similarity >= SIMILARITY_THRESHOLD && similarity > highest_similarity
+          highest_similarity = similarity
+          best_match = {
+            name: popular_gem[:name],
+            similarity: similarity,
+            downloads: popular_gem[:downloads]
+          }
+        end
+      end
+
+      best_match
+    end
+
+    def calculate_similarity(str1, str2)
+      return 0.0 if str1.nil? || str2.nil? || str1.empty? || str2.empty?
+      return 1.0 if str1 == str2
+
+      # Use Levenshtein distance for similarity calculation
+      levenshtein_similarity(str1.downcase, str2.downcase)
+    end
+
+    def levenshtein_similarity(str1, str2)
+      distance = levenshtein_distance(str1, str2)
+      max_length = [str1.length, str2.length].max
+      return 1.0 if max_length == 0
+
+      1.0 - (distance.to_f / max_length)
+    end
+
+    def levenshtein_distance(str1, str2)
+      matrix = Array.new(str1.length + 1) { Array.new(str2.length + 1) }
+
+      (0..str1.length).each { |i| matrix[i][0] = i }
+      (0..str2.length).each { |j| matrix[0][j] = j }
+
+      (1..str1.length).each do |i|
+        (1..str2.length).each do |j|
+          cost = (str1[i - 1] == str2[j - 1]) ? 0 : 1
+          matrix[i][j] = [
+            matrix[i - 1][j] + 1,     # deletion
+            matrix[i][j - 1] + 1,     # insertion
+            matrix[i - 1][j - 1] + cost # substitution
+          ].min
+        end
+      end
+
+      matrix[str1.length][str2.length]
+    end
+
+    def calculate_risk_level(similarity)
+      case similarity
+      when 0.95..1.0
+        "critical"
+      when 0.9..0.95
+        "high"
+      when 0.85..0.9
+        "medium"
+      else
+        "low"
+      end
+    end
+
+    def fallback_popular_gems
+      # Hardcoded list of very popular Ruby gems as fallback
+      [
+        {name: "rails", downloads: 100_000_000},
+        {name: "bundler", downloads: 90_000_000},
+        {name: "rake", downloads: 80_000_000},
+        {name: "json", downloads: 70_000_000},
+        {name: "minitest", downloads: 60_000_000},
+        {name: "thread_safe", downloads: 50_000_000},
+        {name: "tzinfo", downloads: 45_000_000},
+        {name: "concurrent-ruby", downloads: 40_000_000},
+        {name: "i18n", downloads: 35_000_000},
+        {name: "activesupport", downloads: 30_000_000},
+        {name: "activerecord", downloads: 25_000_000},
+        {name: "actionpack", downloads: 20_000_000},
+        {name: "actionview", downloads: 18_000_000},
+        {name: "activemodel", downloads: 15_000_000},
+        {name: "rspec", downloads: 12_000_000},
+        {name: "puma", downloads: 10_000_000},
+        {name: "nokogiri", downloads: 8_000_000},
+        {name: "thor", downloads: 7_000_000},
+        {name: "sass", downloads: 6_000_000},
+        {name: "devise", downloads: 5_000_000}
+      ]
+    end
+  end
+end

data/lib/gem_guard/version.rb

@@ -1,3 +1,3 @@
 module GemGuard
-  VERSION = "0.1.6"
+  VERSION = "0.1.10"
 end

data/lib/gem_guard/vulnerability_fetcher.rb

@@ -15,7 +15,31 @@ module GemGuard
         vulnerabilities.concat(fetch_ruby_advisory_vulnerabilities(dependency))
       end
 
-      vulnerabilities.uniq { |vuln| vuln.id }
+      # Deduplicate vulnerabilities by ID and gem name, merging affected/fixed versions
+      deduplicated = {}
+      vulnerabilities.each do |vuln|
+        key = [vuln.id, vuln.gem_name]
+        if deduplicated[key]
+          # Merge affected and fixed versions from duplicate entries
+          existing = deduplicated[key]
+          merged_affected = (existing.affected_versions + vuln.affected_versions).uniq
+          merged_fixed = (existing.fixed_versions + vuln.fixed_versions).uniq
+
+          deduplicated[key] = Vulnerability.new(
+            id: existing.id,
+            gem_name: existing.gem_name,
+            affected_versions: merged_affected,
+            fixed_versions: merged_fixed,
+            severity: existing.severity,
+            summary: existing.summary,
+            details: existing.details
+          )
+        else
+          deduplicated[key] = vuln
+        end
+      end
+
+      deduplicated.values
     end
 
     private

data/lib/gem_guard.rb

@@ -4,6 +4,8 @@ require_relative "gem_guard/vulnerability_fetcher"
 require_relative "gem_guard/analyzer"
 require_relative "gem_guard/reporter"
 require_relative "gem_guard/sbom_generator"
+require_relative "gem_guard/typosquat_checker"
+require_relative "gem_guard/config"
 require_relative "gem_guard/cli"
 
 module GemGuard