gem_guard 0.1.6 → 0.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '073099f4fd844fee5ffd2b5466fbee6df36a8c5b9d640039efb0cbdb4db89b97'
-  data.tar.gz: 21ba615adb70721d4f9ede82e3a43361a92e72e683c53530504913250ccd7309
+  metadata.gz: 747dee6cd137e68fae4e5086d37a40bc5fabb67672f67d06a901627ac47c00cd
+  data.tar.gz: 75c793fc063db05b04635f2c12fa7abf7169f815f57bd6c64f8da0da2d3ea03a
 SHA512:
-  metadata.gz: d1bc314331a645c4b2d9791f41d852620fc7a977fc7eaf90ea927743f297057f4af93c40da2788422c8c468b11fbb1ad4d80d59f16cb4a0c9c063f37ebed809c
-  data.tar.gz: 1dc4f927542ae0983fb73a0d285c66f61c93960f1128bde659a313bbda24a7e6625d41acfdc48fcadeb8600f78bdb2f6de2b052e072a553aa78a937ad841b7dc
+  metadata.gz: cb271a7619b956d0b6271d3fc20c9cee8d75709951b7e8984c051de4e261ba3fdba76ea450fbd2871ece6ec0acc89bb68263e514bb1af9e53dc66e4bdc277d88
+  data.tar.gz: 5ebc3d1e492ea6d273ed740b67b61db1ea729e19eebfc1107b4511112d31641c1347ed2af90c7dd7939350d151826b18432d91279cedcf5873ff8b1a2809fd6a

data/lib/gem_guard/cli.rb

@@ -1,25 +1,65 @@
 require "thor"
+require "stringio"
 
 module GemGuard
   class CLI < Thor
+    # Exit codes for CI/CD integration
+    EXIT_SUCCESS = 0
+    EXIT_VULNERABILITIES_FOUND = 1
+    EXIT_ERROR = 2
+
     desc "scan", "Scan dependencies for known vulnerabilities"
-    option :format, type: :string, default: "table", desc: "Output format (table, json)"
-    option :lockfile, type: :string, default: "Gemfile.lock", desc: "Path to Gemfile.lock"
+    option :format, type: :string, desc: "Output format (table, json)"
+    option :lockfile, type: :string, desc: "Path to Gemfile.lock"
+    option :config, type: :string, default: ".gemguard.yml", desc: "Path to config file"
+    option :fail_on_vulnerabilities, type: :boolean, desc: "Exit with code 1 if vulnerabilities found"
+    option :severity_threshold, type: :string, desc: "Minimum severity level (low, medium, high, critical)"
+    option :output, type: :string, desc: "Output file path"
     def scan
-      lockfile_path = options[:lockfile]
+      config = Config.new(options[:config])
+
+      # Override config with CLI options
+      lockfile_path = options[:lockfile] || config.lockfile_path
+      format = options[:format] || config.output_format
+      fail_on_vulns = options[:fail_on_vulnerabilities].nil? ? config.fail_on_vulnerabilities? : options[:fail_on_vulnerabilities]
+      severity_threshold = options[:severity_threshold] || config.severity_threshold
+      output_file = options[:output] || config.output_file
 
       unless File.exist?(lockfile_path)
         puts "Error: #{lockfile_path} not found"
-        exit 1
+        exit EXIT_ERROR
       end
 
-      dependencies = Parser.new.parse(lockfile_path)
-      vulnerabilities = VulnerabilityFetcher.new.fetch_for(dependencies)
-      analysis = Analyzer.new.analyze(dependencies, vulnerabilities)
+      begin
+        dependencies = Parser.new.parse(lockfile_path)
+        vulnerabilities = VulnerabilityFetcher.new.fetch_for(dependencies)
+
+        # Filter vulnerabilities based on config
+        filtered_vulnerabilities = filter_vulnerabilities(vulnerabilities, config)
+
+        analysis = Analyzer.new.analyze(dependencies, filtered_vulnerabilities)
+
+        # Filter analysis based on severity threshold
+        filtered_analysis = filter_analysis_by_severity(analysis, severity_threshold, config)
 
-      Reporter.new.report(analysis, format: options[:format])
+        if output_file
+          output_content = capture_report_output(filtered_analysis, format)
+          File.write(output_file, output_content)
+          puts "Report written to #{output_file}"
+        else
+          Reporter.new.report(filtered_analysis, format: format)
+        end
 
-      exit 1 if analysis.has_vulnerabilities?
+        # Exit with appropriate code for CI/CD
+        if filtered_analysis.has_vulnerabilities? && fail_on_vulns
+          exit EXIT_VULNERABILITIES_FOUND
+        else
+          exit EXIT_SUCCESS
+        end
+      rescue => e
+        puts "Error: #{e.message}"
+        exit EXIT_ERROR
+      end
     end
 
     desc "sbom", "Generate Software Bill of Materials (SBOM)"
@@ -58,9 +98,107 @@ module GemGuard
       end
     end
 
+    desc "config", "Manage configuration"
+    option :init, type: :boolean, desc: "Initialize a new .gemguard.yml config file"
+    option :show, type: :boolean, desc: "Show current configuration"
+    option :path, type: :string, default: ".gemguard.yml", desc: "Config file path"
+    def config
+      config_file = Config.new(options[:path])
+
+      if options[:init]
+        if File.exist?(options[:path])
+          puts "Config file #{options[:path]} already exists"
+          exit EXIT_ERROR
+        end
+
+        # Create default config file
+        default_config = {
+          "lockfile" => "Gemfile.lock",
+          "format" => "table",
+          "fail_on_vulnerabilities" => true,
+          "severity_threshold" => "low",
+          "ignore_vulnerabilities" => [],
+          "ignore_gems" => [],
+          "output_file" => nil,
+          "project_name" => config_file.send(:detect_project_name),
+          "sbom" => {
+            "format" => "spdx",
+            "include_dev_dependencies" => false
+          },
+          "scan" => {
+            "sources" => ["osv", "ruby_advisory_db"],
+            "timeout" => 30
+          }
+        }
+
+        File.write(options[:path], YAML.dump(default_config))
+        puts "Created #{options[:path]} with default configuration"
+      elsif options[:show]
+        if config_file.exists?
+          puts File.read(options[:path])
+        else
+          puts "No config file found at #{options[:path]}"
+          puts "Run 'gem_guard config --init' to create one"
+        end
+      else
+        puts "Usage: gem_guard config [--init|--show] [--path PATH]"
+        puts "  --init  Create a new .gemguard.yml config file"
+        puts "  --show  Display current configuration"
+        puts "  --path  Specify config file path (default: .gemguard.yml)"
+      end
+    end
+
     desc "version", "Show gem_guard version"
     def version
       puts GemGuard::VERSION
     end
+
+    private
+
+    def filter_vulnerabilities(vulnerabilities, config)
+      vulnerabilities.reject do |vuln|
+        config.should_ignore_vulnerability?(vuln.id)
+      end
+    end
+
+    def filter_analysis_by_severity(analysis, severity_threshold, config)
+      return analysis unless severity_threshold
+
+      filtered_vulnerable_deps = analysis.vulnerable_dependencies.select do |vuln_dep|
+        vuln_dep.vulnerabilities.any? do |vuln|
+          config.meets_severity_threshold?(extract_severity_level(vuln.severity))
+        end
+      end
+
+      # Create new analysis with filtered vulnerabilities
+      GemGuard::Analysis.new(filtered_vulnerable_deps)
+    end
+
+    def extract_severity_level(severity_string)
+      return "unknown" if severity_string.nil? || severity_string.empty?
+
+      # Extract severity from CVSS string or direct severity
+      case severity_string.downcase
+      when /critical/
+        "critical"
+      when /high/
+        "high"
+      when /medium/
+        "medium"
+      when /low/
+        "low"
+      else
+        "unknown"
+      end
+    end
+
+    def capture_report_output(analysis, format)
+      old_stdout = $stdout
+      $stdout = StringIO.new
+      Reporter.new.report(analysis, format: format)
+      $stdout.string
+    ensure
+      $stdout = old_stdout
+    end
   end
 end

data/lib/gem_guard/config.rb

@@ -0,0 +1,193 @@
+require "yaml"
+
+module GemGuard
+  class Config
+    DEFAULT_CONFIG = {
+      "lockfile" => "Gemfile.lock",
+      "format" => "table",
+      "fail_on_vulnerabilities" => true,
+      "severity_threshold" => "low",
+      "ignore_vulnerabilities" => [],
+      "ignore_gems" => [],
+      "output_file" => nil,
+      "project_name" => nil,
+      "sbom" => {
+        "format" => "spdx",
+        "include_dev_dependencies" => false
+      },
+      "scan" => {
+        "sources" => ["osv", "ruby_advisory_db"],
+        "timeout" => 30
+      }
+    }.freeze
+
+    SEVERITY_LEVELS = %w[low medium high critical].freeze
+
+    def initialize(config_path = ".gemguard.yml")
+      @config_path = config_path
+      @config = load_config
+    end
+
+    def get(key)
+      keys = key.split(".")
+      value = @config
+
+      keys.each do |k|
+        value = value[k] if value.is_a?(Hash)
+      end
+
+      value
+    end
+
+    def set(key, value)
+      keys = key.split(".")
+      target = @config
+
+      keys[0..-2].each do |k|
+        target[k] ||= {}
+        target = target[k]
+      end
+
+      target[keys.last] = value
+    end
+
+    def save
+      File.write(@config_path, YAML.dump(@config))
+    end
+
+    def exists?
+      File.exist?(@config_path)
+    end
+
+    def lockfile_path
+      get("lockfile")
+    end
+
+    def output_format
+      get("format")
+    end
+
+    def fail_on_vulnerabilities?
+      get("fail_on_vulnerabilities")
+    end
+
+    def severity_threshold
+      get("severity_threshold")
+    end
+
+    def ignored_vulnerabilities
+      get("ignore_vulnerabilities") || []
+    end
+
+    def ignored_gems
+      get("ignore_gems") || []
+    end
+
+    def output_file
+      get("output_file")
+    end
+
+    def project_name
+      get("project_name") || detect_project_name
+    end
+
+    def sbom_format
+      get("sbom.format")
+    end
+
+    def include_dev_dependencies?
+      get("sbom.include_dev_dependencies")
+    end
+
+    def vulnerability_sources
+      get("scan.sources")
+    end
+
+    def scan_timeout
+      get("scan.timeout")
+    end
+
+    def should_ignore_vulnerability?(vulnerability_id)
+      ignored_vulnerabilities.include?(vulnerability_id)
+    end
+
+    def should_ignore_gem?(gem_name)
+      ignored_gems.include?(gem_name)
+    end
+
+    def meets_severity_threshold?(severity)
+      return true if severity.nil? || severity.empty?
+
+      severity_index = SEVERITY_LEVELS.index(severity.downcase)
+      threshold_index = SEVERITY_LEVELS.index(severity_threshold.downcase)
+
+      return true if severity_index.nil? || threshold_index.nil?
+
+      severity_index >= threshold_index
+    end
+
+    private
+
+    def load_config
+      if File.exist?(@config_path)
+        user_config = YAML.load_file(@config_path) || {}
+        deep_merge(deep_dup(DEFAULT_CONFIG), user_config)
+      else
+        deep_dup(DEFAULT_CONFIG)
+      end
+    rescue Psych::SyntaxError => e
+      puts "Warning: Invalid YAML in #{@config_path}: #{e.message}"
+      puts "Using default configuration."
+      deep_dup(DEFAULT_CONFIG)
+    end
+
+    def deep_dup(obj)
+      case obj
+      when Hash
+        obj.each_with_object({}) { |(key, value), hash| hash[key] = deep_dup(value) }
+      when Array
+        obj.map { |item| deep_dup(item) }
+      else
+        begin
+          obj.dup
+        rescue
+          obj
+        end
+      end
+    end
+
+    def deep_merge(hash1, hash2)
+      result = hash1.dup
+
+      hash2.each do |key, value|
+        result[key] = if result[key].is_a?(Hash) && value.is_a?(Hash)
+          deep_merge(result[key], value)
+        else
+          value
+        end
+      end
+
+      result
+    end
+
+    def detect_project_name
+      # Try to detect project name from various sources
+      if File.exist?("Gemfile")
+        gemfile_content = File.read("Gemfile")
+        if gemfile_content =~ /gem\s+['"]([^'"]+)['"]/
+          return $1
+        end
+      end
+
+      if File.exist?("*.gemspec")
+        gemspec_files = Dir.glob("*.gemspec")
+        unless gemspec_files.empty?
+          return File.basename(gemspec_files.first, ".gemspec")
+        end
+      end
+
+      # Fallback to directory name
+      File.basename(Dir.pwd)
+    end
+  end
+end

data/lib/gem_guard/version.rb

@@ -1,3 +1,3 @@
 module GemGuard
-  VERSION = "0.1.6"
+  VERSION = "0.1.7"
 end

data/lib/gem_guard.rb

@@ -4,6 +4,7 @@ require_relative "gem_guard/vulnerability_fetcher"
 require_relative "gem_guard/analyzer"
 require_relative "gem_guard/reporter"
 require_relative "gem_guard/sbom_generator"
+require_relative "gem_guard/config"
 require_relative "gem_guard/cli"
 
 module GemGuard

data/templates/circleci-config.yml

@@ -0,0 +1,107 @@
+# CircleCI configuration for GemGuard security scanning
+# Copy this content to .circleci/config.yml in your repository
+
+version: 2.1
+
+orbs:
+  ruby: circleci/ruby@2.1.0
+
+jobs:
+  security-scan:
+    docker:
+      - image: cimg/ruby:3.3
+    parameters:
+      ruby-version:
+        type: string
+        default: "3.3"
+    steps:
+      - checkout
+      
+      - ruby/install-deps:
+          bundler-version: "2.4.0"
+          
+      - run:
+          name: Install GemGuard
+          command: gem install gem_guard
+          
+      - run:
+          name: Run vulnerability scan
+          command: |
+            echo "Running GemGuard security scan..."
+            gem_guard scan --format json --output security-report.json
+            gem_guard scan --format table
+            
+      - run:
+          name: Generate SBOM
+          command: |
+            echo "Generating Software Bill of Materials..."
+            gem_guard sbom --format spdx --output sbom-spdx.json
+            gem_guard sbom --format cyclone-dx --output sbom-cyclone.json
+            
+      - store_artifacts:
+          path: security-report.json
+          destination: security-reports/
+          
+      - store_artifacts:
+          path: sbom-spdx.json
+          destination: sbom/
+          
+      - store_artifacts:
+          path: sbom-cyclone.json
+          destination: sbom/
+          
+      - run:
+          name: Check for vulnerabilities
+          command: |
+            if [ -f security-report.json ]; then
+              VULN_COUNT=$(ruby -rjson -e "puts JSON.parse(File.read('security-report.json'))['vulnerabilities']&.length || 0")
+              echo "Found $VULN_COUNT vulnerabilities"
+              
+              if [ "$VULN_COUNT" -gt 0 ]; then
+                echo "⚠️ Vulnerabilities detected! Check the artifacts for details."
+                exit 1
+              else
+                echo "✅ No vulnerabilities found!"
+              fi
+            fi
+
+  security-scan-matrix:
+    docker:
+      - image: cimg/ruby:<< parameters.ruby-version >>
+    parameters:
+      ruby-version:
+        type: string
+    steps:
+      - checkout
+      - ruby/install-deps
+      - run:
+          name: Install GemGuard
+          command: gem install gem_guard
+      - run:
+          name: Security scan for Ruby << parameters.ruby-version >>
+          command: |
+            gem_guard scan --format json --output security-report-<< parameters.ruby-version >>.json
+            gem_guard scan
+      - store_artifacts:
+          path: security-report-<< parameters.ruby-version >>.json
+
+workflows:
+  security-checks:
+    jobs:
+      - security-scan:
+          name: security-scan-main
+          
+  security-matrix:
+    jobs:
+      - security-scan-matrix:
+          matrix:
+            parameters:
+              ruby-version: ["3.1", "3.2", "3.3"]
+          name: security-scan-ruby-<< matrix.ruby-version >>
+    triggers:
+      - schedule:
+          cron: "0 2 * * *"  # Daily at 2 AM UTC
+          filters:
+            branches:
+              only:
+                - main

data/templates/github-actions.yml

@@ -0,0 +1,85 @@
+# GitHub Actions workflow for GemGuard security scanning
+# Copy this file to .github/workflows/gemguard.yml in your repository
+
+name: Security Scan with GemGuard
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # Run daily at 2 AM UTC
+    - cron: '0 2 * * *'
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    
+    strategy:
+      matrix:
+        ruby-version: ['3.1', '3.2', '3.3']
+    
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    
+    - name: Install GemGuard
+      run: gem install gem_guard
+    
+    - name: Run GemGuard vulnerability scan
+      run: |
+        gem_guard scan --format json --output security-report.json
+        gem_guard scan --format table
+    
+    - name: Generate SBOM
+      run: |
+        gem_guard sbom --format spdx --output sbom-spdx.json
+        gem_guard sbom --format cyclone-dx --output sbom-cyclone.json
+    
+    - name: Upload security artifacts
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: security-reports-ruby-${{ matrix.ruby-version }}
+        path: |
+          security-report.json
+          sbom-spdx.json
+          sbom-cyclone.json
+        retention-days: 30
+    
+    - name: Comment PR with security report
+      if: github.event_name == 'pull_request'
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const fs = require('fs');
+          try {
+            const report = fs.readFileSync('security-report.json', 'utf8');
+            const data = JSON.parse(report);
+            
+            if (data.vulnerabilities && data.vulnerabilities.length > 0) {
+              const comment = `## 🚨 Security Vulnerabilities Found
+              
+              GemGuard detected ${data.vulnerabilities.length} vulnerabilities in this PR.
+              
+              Please review the security report artifact for details.
+              
+              **High/Critical vulnerabilities:** ${data.high_severity_count || 0}
+              `;
+              
+              github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: comment
+              });
+            }
+          } catch (error) {
+            console.log('No security report found or error reading report');
+          }

data/templates/gitlab-ci.yml

@@ -0,0 +1,112 @@
+# GitLab CI configuration for GemGuard security scanning
+# Copy this content to your .gitlab-ci.yml file
+
+stages:
+  - security
+  - report
+
+variables:
+  BUNDLE_PATH: vendor/bundle
+  BUNDLE_JOBS: 4
+  BUNDLE_RETRY: 3
+
+.ruby_template: &ruby_template
+  image: ruby:3.3
+  before_script:
+    - gem install bundler
+    - bundle install --path $BUNDLE_PATH
+    - gem install gem_guard
+  cache:
+    key: gems-$CI_COMMIT_REF_SLUG
+    paths:
+      - vendor/bundle/
+
+security_scan:
+  <<: *ruby_template
+  stage: security
+  script:
+    - echo "Running GemGuard security scan..."
+    - gem_guard scan --format json --output security-report.json
+    - gem_guard scan --format table
+    - echo "Generating SBOM..."
+    - gem_guard sbom --format spdx --output sbom-spdx.json
+    - gem_guard sbom --format cyclone-dx --output sbom-cyclone.json
+  artifacts:
+    reports:
+      # GitLab security report format (if you want to convert)
+      dependency_scanning: security-report.json
+    paths:
+      - security-report.json
+      - sbom-spdx.json
+      - sbom-cyclone.json
+    expire_in: 30 days
+    when: always
+  allow_failure: false
+  only:
+    - main
+    - develop
+    - merge_requests
+
+security_scan_ruby_3_1:
+  <<: *ruby_template
+  image: ruby:3.1
+  stage: security
+  script:
+    - gem_guard scan --format json --output security-report-ruby31.json
+    - gem_guard scan
+  artifacts:
+    paths:
+      - security-report-ruby31.json
+    expire_in: 7 days
+  only:
+    - schedules
+
+security_scan_ruby_3_2:
+  <<: *ruby_template
+  image: ruby:3.2
+  stage: security
+  script:
+    - gem_guard scan --format json --output security-report-ruby32.json
+    - gem_guard scan
+  artifacts:
+    paths:
+      - security-report-ruby32.json
+    expire_in: 7 days
+  only:
+    - schedules
+
+# Optional: Create a summary report
+security_report:
+  stage: report
+  image: alpine:latest
+  before_script:
+    - apk add --no-cache jq
+  script:
+    - |
+      echo "## Security Scan Summary" > security-summary.md
+      echo "" >> security-summary.md
+      if [ -f security-report.json ]; then
+        VULN_COUNT=$(jq '.vulnerabilities | length' security-report.json)
+        HIGH_COUNT=$(jq '.high_severity_count // 0' security-report.json)
+        echo "- **Total vulnerabilities found:** $VULN_COUNT" >> security-summary.md
+        echo "- **High/Critical severity:** $HIGH_COUNT" >> security-summary.md
+        echo "" >> security-summary.md
+        
+        if [ "$VULN_COUNT" -gt 0 ]; then
+          echo "⚠️ **Action required:** Please review and address the identified vulnerabilities." >> security-summary.md
+        else
+          echo "✅ **No vulnerabilities found!**" >> security-summary.md
+        fi
+      else
+        echo "❌ **Error:** Security report not found." >> security-summary.md
+      fi
+      cat security-summary.md
+  artifacts:
+    paths:
+      - security-summary.md
+    expire_in: 30 days
+  dependencies:
+    - security_scan
+  only:
+    - main
+    - develop

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gem_guard
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.1.7
 platform: ruby
 authors:
 - Wilbur Suero
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-08-09 00:00:00.000000000 Z
+date: 2025-08-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -101,12 +101,16 @@ files:
 - lib/gem_guard.rb
 - lib/gem_guard/analyzer.rb
 - lib/gem_guard/cli.rb
+- lib/gem_guard/config.rb
 - lib/gem_guard/parser.rb
 - lib/gem_guard/reporter.rb
 - lib/gem_guard/sbom_generator.rb
 - lib/gem_guard/version.rb
 - lib/gem_guard/vulnerability_fetcher.rb
 - plan.md
+- templates/circleci-config.yml
+- templates/github-actions.yml
+- templates/gitlab-ci.yml
 homepage: https://github.com/wilburhimself/gem_guard
 licenses:
 - MIT