gem_guard 0.1.7 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 747dee6cd137e68fae4e5086d37a40bc5fabb67672f67d06a901627ac47c00cd
-  data.tar.gz: 75c793fc063db05b04635f2c12fa7abf7169f815f57bd6c64f8da0da2d3ea03a
+  metadata.gz: 2870725c07a4b4c39c53e01c031663a934db6f9e457ad75f509d2ee6e3e35684
+  data.tar.gz: 6f630c2ef6939a0c5de8c3b8982781a907065b8c1a3901483f1101910387e244
 SHA512:
-  metadata.gz: cb271a7619b956d0b6271d3fc20c9cee8d75709951b7e8984c051de4e261ba3fdba76ea450fbd2871ece6ec0acc89bb68263e514bb1af9e53dc66e4bdc277d88
-  data.tar.gz: 5ebc3d1e492ea6d273ed740b67b61db1ea729e19eebfc1107b4511112d31641c1347ed2af90c7dd7939350d151826b18432d91279cedcf5873ff8b1a2809fd6a
+  metadata.gz: 6b7c598cd6789dfdf5d3b90c82fc9f2ade69c730418f1d2a9f6ba6c22555fad01b7e4bbd438bbb03d6116f429176a407e9b0f13221c47fd2cd0e9e2175563e98
+  data.tar.gz: 822e03ed7fa56e17d170abf92db8677fb27f92ff04d0f52ecdc1793c73db9aab3052e37e6cbcb28b7a217f3a30a7fb062a3860169f908067b2c3672964d9f977

data/README.md

@@ -6,15 +6,41 @@
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Security](https://img.shields.io/badge/Security-Policy-blue.svg)](SECURITY.md)
 
-Supply chain security and vulnerability management for Ruby gems. GemGuard provides developers with a comprehensive tool to detect, report, and remediate dependency-related security risks.
-
-## Features
-
-- 🔍 **Vulnerability Scanning**: Detect known CVEs in your dependencies
-- 📊 **Multiple Output Formats**: Human-readable tables and JSON output
-- 🌐 **Multiple Data Sources**: OSV.dev and Ruby Advisory Database
-- 🔧 **Fix Recommendations**: Suggested commands to remediate vulnerabilities
-- 🚀 **CI/CD Ready**: Exit codes for pipeline integration
+**The comprehensive Ruby dependency security scanner and SBOM generator.**
+
+GemGuard is your one-stop solution for Ruby supply chain security. Detect vulnerabilities, identify typosquats, generate SBOMs, and secure your dependencies with enterprise-grade tooling designed for modern DevOps workflows.
+
+## ✨ Features
+
+### 🔍 **Vulnerability Scanning**
+- Detect known CVEs from OSV.dev and Ruby Advisory Database
+- Smart deduplication handles platform-specific gems
+- Severity-based filtering and thresholds
+- Actionable fix recommendations with exact commands
+
+### 🎯 **Typosquat Detection**
+- Fuzzy matching against popular Ruby gems
+- Configurable similarity thresholds
+- Risk level classification (Critical/High/Medium/Low)
+- Hardcoded fallback for reliable detection
+
+### 📋 **SBOM Generation**
+- Industry-standard SPDX 2.3 format
+- CycloneDX 1.5 support
+- Complete dependency metadata
+- License and checksum information
+
+### 🚀 **CI/CD Integration**
+- Configurable exit codes for pipeline control
+- JSON output for automated processing
+- Config file support (`.gemguard.yml`)
+- Multiple output formats and file export
+
+### 🎨 **Developer Experience**
+- Beautiful, colorful terminal output
+- Progress indicators and clear error messages
+- Comprehensive help and documentation
+- Zero-config operation with sensible defaults
 
 ## Installation
 
@@ -32,30 +58,47 @@ Or install it yourself as:
 
     $ gem install gem_guard
 
-## Usage
+## 🚀 Quick Start
+
+```bash
+# Install GemGuard
+gem install gem_guard
+
+# Scan for vulnerabilities
+gem_guard scan
+
+# Check for typosquats
+gem_guard typosquat
 
-### Basic Vulnerability Scan
+# Generate SBOM
+gem_guard sbom
+```
+
+## 📖 Usage
 
-Scan your project's dependencies for known vulnerabilities:
+### 🔍 Vulnerability Scanning
 
+**Basic scan:**
 ```bash
 gem_guard scan
 ```
 
-### Specify Custom Lockfile
-
+**Custom lockfile:**
 ```bash
 gem_guard scan --lockfile path/to/Gemfile.lock
 ```
 
-### JSON Output
-
+**JSON output for automation:**
 ```bash
-gem_guard scan --format json
+gem_guard scan --format json --output vulnerabilities.json
 ```
 
-### Example Output
+**CI/CD integration with exit codes:**
+```bash
+gem_guard scan --fail-on-vulnerabilities --severity-threshold high
+```
 
+**Example output:**
 ```
 🚨 Security Vulnerabilities Found
 ==================================================
@@ -66,17 +109,208 @@ Summary:
 
 Details:
 
-📦 actionpack (6.1.0)
-   🔍 Vulnerability: CVE-2021-22885
-   ⚠️  Severity: HIGH
-   📝 Summary: Possible Information Disclosure / Unintended Method Execution in Action Pack
-   🔧 Fix: bundle update actionpack --to 6.1.3.1
+📦 nokogiri (1.18.8)
+   🔍 Vulnerability: GHSA-353f-x4gh-cqq8
+   ⚠️  Severity: UNKNOWN
+   📝 Summary: Nokogiri patches vendored libxml2 to resolve multiple CVEs
+   🔧 Fix: bundle update nokogiri --to 1.18.9
+
+📦 thor (1.3.2)
+   🔍 Vulnerability: GHSA-mqcp-p2hv-vw6x
+   ⚠️  Severity: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
+   📝 Summary: Thor can construct an unsafe shell command from library input.
+   🔧 Fix: bundle update thor --to 1.4.0
+```
+
+### 🎯 Typosquat Detection
+
+**Basic typosquat check:**
+```bash
+gem_guard typosquat
+```
+
+**Custom similarity threshold:**
+```bash
+gem_guard typosquat --threshold 0.9
+```
+
+**JSON output:**
+```bash
+gem_guard typosquat --format json --output typosquats.json
+```
+
+**Example output:**
+```
+🎯 Potential Typosquat Dependencies Found
+==========================================
+
+📦 railz (7.0.0)
+   🚨 Risk Level: CRITICAL
+   📊 Similarity: 80.0% to 'rails'
+   ⚠️  This gem name is suspiciously similar to the popular gem 'rails'
+   🔧 Consider: Did you mean 'rails'? Review this dependency carefully.
+```
+
+### 📋 SBOM Generation
 
-📦 nokogiri (1.10.0)
-   🔍 Vulnerability: CVE-2020-26247
-   ⚠️  Severity: MEDIUM
-   📝 Summary: XML External Entity vulnerability in Nokogiri
-   🔧 Fix: bundle update nokogiri --to 1.11.0
+**Generate SPDX SBOM:**
+```bash
+gem_guard sbom
+```
+
+**Generate CycloneDX SBOM:**
+```bash
+gem_guard sbom --format cyclone-dx
+```
+
+**Custom project name and output:**
+```bash
+gem_guard sbom --project my-app --output sbom.json
+```
+
+**Example SPDX output:**
+```json
+{
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "my-app-sbom",
+  "documentNamespace": "https://gem-guard.dev/my-app/2025-01-09T23:55:00Z",
+  "creationInfo": {
+    "created": "2025-01-09T23:55:00Z",
+    "creators": ["Tool: gem_guard-1.0.0"]
+  },
+  "packages": [...],
+  "relationships": [...]
+}
+```
+
+## ⚙️ Configuration
+
+GemGuard supports project-level configuration via `.gemguard.yml`:
+
+```yaml
+# .gemguard.yml
+lockfile_path: "Gemfile.lock"
+output_format: "table"  # table, json
+fail_on_vulnerabilities: true
+severity_threshold: "medium"  # low, medium, high, critical
+output_file: null
+ignore_vulnerabilities:
+  - "CVE-2021-12345"  # Ignore specific CVEs
+  - "GHSA-xxxx-xxxx-xxxx"
+typosquat:
+  similarity_threshold: 0.8
+  enabled: true
+sbom:
+  format: "spdx"  # spdx, cyclone-dx
+  project_name: "my-project"
+```
+
+### Configuration Options
+
+| Option | Description | Default |
+|--------|-------------|---------|
+| `lockfile_path` | Path to Gemfile.lock | `"Gemfile.lock"` |
+| `output_format` | Output format (table/json) | `"table"` |
+| `fail_on_vulnerabilities` | Exit with code 1 if vulnerabilities found | `true` |
+| `severity_threshold` | Minimum severity to report | `"low"` |
+| `output_file` | Write output to file | `null` |
+| `ignore_vulnerabilities` | List of CVE/GHSA IDs to ignore | `[]` |
+| `typosquat.similarity_threshold` | Typosquat detection sensitivity | `0.8` |
+| `typosquat.enabled` | Enable typosquat detection | `true` |
+| `sbom.format` | SBOM format (spdx/cyclone-dx) | `"spdx"` |
+| `sbom.project_name` | Project name in SBOM | `"ruby-project"` |
+
+## 🔄 CI/CD Integration
+
+### Exit Codes
+
+GemGuard uses standard exit codes for CI/CD integration:
+
+- **0**: Success (no vulnerabilities or typosquats found)
+- **1**: Vulnerabilities/typosquats found
+- **2**: Error (invalid arguments, missing files, etc.)
+
+### GitHub Actions
+
+```yaml
+name: Security Scan
+on: [push, pull_request]
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'
+          bundler-cache: true
+      
+      - name: Install GemGuard
+        run: gem install gem_guard
+      
+      - name: Vulnerability Scan
+        run: gem_guard scan --format json --output vulnerabilities.json
+      
+      - name: Typosquat Check
+        run: gem_guard typosquat --format json --output typosquats.json
+      
+      - name: Generate SBOM
+        run: gem_guard sbom --output sbom.json
+      
+      - name: Upload Security Reports
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: security-reports
+          path: |
+            vulnerabilities.json
+            typosquats.json
+            sbom.json
+```
+
+### GitLab CI
+
+```yaml
+security_scan:
+  stage: test
+  image: ruby:3.2
+  before_script:
+    - bundle install
+    - gem install gem_guard
+  script:
+    - gem_guard scan --format json --output vulnerabilities.json
+    - gem_guard typosquat --format json --output typosquats.json
+    - gem_guard sbom --output sbom.json
+  artifacts:
+    reports:
+      # GitLab can parse these for security dashboard
+      dependency_scanning: vulnerabilities.json
+    paths:
+      - "*.json"
+    when: always
+  allow_failure: false
+```
+
+### CircleCI
+
+```yaml
+version: 2.1
+jobs:
+  security:
+    docker:
+      - image: cimg/ruby:3.2
+    steps:
+      - checkout
+      - run: bundle install
+      - run: gem install gem_guard
+      - run: gem_guard scan --fail-on-vulnerabilities
+      - run: gem_guard typosquat
+      - run: gem_guard sbom --output sbom.json
+      - store_artifacts:
+          path: sbom.json
 ```
 
 ## Development
@@ -106,14 +340,63 @@ Releases are automated via GitHub Actions. To create a new release:
 
 The release workflow is triggered only when `lib/gem_guard/version.rb` changes.
 
-## Contributing
+## 🤝 Contributing
+
+We welcome contributions! Here's how you can help:
+
+1. **Fork the repository**
+2. **Create a feature branch** (`git checkout -b feature/amazing-feature`)
+3. **Write tests** for your changes (we use strict TDD)
+4. **Run the test suite** (`bundle exec rspec`)
+5. **Run the linter** (`bundle exec rake standard`)
+6. **Commit your changes** (`git commit -am 'Add amazing feature'`)
+7. **Push to the branch** (`git push origin feature/amazing-feature`)
+8. **Open a Pull Request**
+
+### Development Guidelines
+
+- Follow DHH-style Ruby: pragmatic, intention-revealing, minimal abstractions
+- Use strict outside-in TDD with RSpec
+- Maintain 100% test coverage
+- Follow StandardRB for code style
+- Write clear, descriptive commit messages
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/wilburhimself/gem_guard.
+## 📊 Roadmap
 
-## License
+- [ ] **Enhanced Vulnerability Sources**: Additional security databases
+- [ ] **Auto-Fix Suggestions**: Automated dependency updates
+- [ ] **Web Dashboard**: Browser-based security monitoring
+- [ ] **IDE Integrations**: VS Code, RubyMine plugins
+- [ ] **Slack/Teams Notifications**: Real-time security alerts
+- [ ] **Custom Rules Engine**: User-defined security policies
+
+## 🏆 Why GemGuard?
+
+| Feature | GemGuard | bundler-audit | Other Tools |
+|---------|----------|---------------|-------------|
+| **Vulnerability Scanning** | ✅ OSV.dev + Ruby Advisory | ✅ Ruby Advisory Only | ❌ Limited Sources |
+| **Typosquat Detection** | ✅ Fuzzy Matching | ❌ | ❌ |
+| **SBOM Generation** | ✅ SPDX + CycloneDX | ❌ | ❌ |
+| **CI/CD Integration** | ✅ Full Support | ⚠️ Basic | ⚠️ Limited |
+| **JSON Output** | ✅ | ✅ | ⚠️ Varies |
+| **Configuration Files** | ✅ | ❌ | ⚠️ Limited |
+| **Platform Deduplication** | ✅ | ❌ | ❌ |
+| **Active Development** | ✅ | ⚠️ Maintenance | ⚠️ Varies |
+
+## 📄 License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
 
-## Security
+## 🔒 Security
+
+If you discover a security vulnerability within GemGuard, please see our [Security Policy](SECURITY.md) for responsible disclosure guidelines.
+
+## 🙏 Acknowledgments
+
+- [OSV.dev](https://osv.dev/) for comprehensive vulnerability data
+- [Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db) for Ruby-specific advisories
+- The Ruby community for continuous feedback and contributions
+
+---
 
-If you discover a security vulnerability within GemGuard, please send an email to security@example.com. All security vulnerabilities will be promptly addressed.
+**Made with ❤️ for the Ruby community**

data/SECURITY.md

@@ -46,8 +46,52 @@ GemGuard itself implements several security best practices:
 
 When using GemGuard:
 
-- Keep GemGuard updated to the latest version
-- Review vulnerability reports carefully before applying fixes
+- **Keep GemGuard updated** to the latest version for security patches
+- **Review vulnerability reports** carefully before applying fixes
+- **Validate SBOM outputs** before sharing with external parties
+- **Use secure channels** when transmitting security reports
+- **Configure ignore lists** carefully to avoid missing critical vulnerabilities
+- **Monitor CI/CD pipelines** for security scan failures
+
+## Threat Model
+
+GemGuard protects against:
+
+- **Known Vulnerabilities**: CVEs in your dependency chain
+- **Typosquat Attacks**: Malicious gems with similar names to popular packages
+- **Supply Chain Attacks**: Compromised or malicious dependencies
+- **Outdated Dependencies**: Gems with known security issues
+
+## Data Handling
+
+GemGuard:
+
+- **Does not collect** personal or sensitive data
+- **Queries public APIs** (OSV.dev) for vulnerability information
+- **Processes locally** your Gemfile.lock and dependency information
+- **Does not transmit** your code or proprietary information
+- **Caches vulnerability data** temporarily for performance
+
+## Security Updates
+
+We provide security updates through:
+
+- **GitHub Security Advisories** for critical vulnerabilities
+- **RubyGems.org releases** with security patches
+- **Email notifications** to security@wilburhimself.com subscribers
+- **GitHub releases** with detailed changelogs
+
+## Contact
+
+For security-related inquiries:
+
+- **Email**: security@wilburhimself.com
+- **PGP Key**: Available upon request
+- **Response Time**: 48 hours for initial response
+
+---
+
+*Last updated: January 2025*
 - Use GemGuard in your CI/CD pipeline to catch vulnerabilities early
 - Consider the source and severity of reported vulnerabilities
 

data/lib/gem_guard/analyzer.rb

@@ -8,7 +8,10 @@ module GemGuard
 
         next if matching_vulns.empty?
 
-        matching_vulns.each do |vulnerability|
+        # Deduplicate vulnerabilities by ID to avoid duplicate entries for the same vulnerability
+        unique_vulns = matching_vulns.uniq { |vuln| vuln.id }
+
+        unique_vulns.each do |vulnerability|
           if version_affected?(dependency.version, vulnerability)
             vulnerable_dependencies << VulnerableDependency.new(
               dependency: dependency,

data/lib/gem_guard/auto_fixer.rb

@@ -0,0 +1,162 @@
+require "bundler"
+require "fileutils"
+
+module GemGuard
+  class AutoFixer
+    def initialize(lockfile_path = "Gemfile.lock", gemfile_path = "Gemfile")
+      @lockfile_path = lockfile_path
+      @gemfile_path = gemfile_path
+      @backup_created = false
+    end
+
+    def fix_vulnerabilities(vulnerable_dependencies, options = {})
+      dry_run = options.fetch(:dry_run, false)
+      interactive = options.fetch(:interactive, false)
+      create_backup = options.fetch(:backup, true)
+
+      unless File.exist?(@gemfile_path)
+        raise "Gemfile not found at #{@gemfile_path}. Auto-fix requires a Gemfile."
+      end
+
+      unless File.exist?(@lockfile_path)
+        raise "Gemfile.lock not found at #{@lockfile_path}. Run 'bundle install' first."
+      end
+
+      fixes = plan_fixes(vulnerable_dependencies)
+
+      if fixes.empty?
+        return {status: :no_fixes_needed, message: "No automatic fixes available."}
+      end
+
+      if dry_run
+        return {status: :dry_run, fixes: fixes, message: "Dry run completed. #{fixes.length} fixes planned."}
+      end
+
+      if interactive && !confirm_fixes(fixes)
+        return {status: :cancelled, message: "Fix operation cancelled by user."}
+      end
+
+      create_lockfile_backup if create_backup
+
+      applied_fixes = apply_fixes(fixes)
+
+      {
+        status: :completed,
+        fixes: applied_fixes,
+        message: "Applied #{applied_fixes.length} fixes successfully."
+      }
+    end
+
+    private
+
+    def plan_fixes(vulnerable_dependencies)
+      fixes = []
+
+      vulnerable_dependencies.each do |vuln_dep|
+        dependency = vuln_dep.dependency
+        vulnerability = vuln_dep.vulnerability
+
+        # Extract the recommended version from the fix suggestion
+        recommended_version = extract_version_from_fix(vuln_dep.recommended_fix)
+
+        next unless recommended_version
+
+        # Check if the recommended version is available and safe
+        if version_available_and_safe?(dependency.name, recommended_version)
+          fixes << {
+            gem_name: dependency.name,
+            current_version: dependency.version,
+            target_version: recommended_version,
+            vulnerability_id: vulnerability.id,
+            severity: vulnerability.severity
+          }
+        end
+      end
+
+      fixes
+    end
+
+    def extract_version_from_fix(fix_command)
+      # Extract version from commands like "bundle update nokogiri --to 1.18.9"
+      match = fix_command.match(/--to\s+([^\s]+)/)
+      match ? match[1] : nil
+    end
+
+    def version_available_and_safe?(gem_name, version)
+      # Check if the version exists on RubyGems
+      # This is a simplified check - in production, you might want more robust validation
+      return false if version.nil? || version.empty?
+
+      # Basic semantic version validation
+      version.match?(/^\d+\.\d+(\.\d+)?/)
+    end
+
+    def confirm_fixes(fixes)
+      puts "\n🔧 Planned Fixes:"
+      puts "=" * 50
+
+      fixes.each do |fix|
+        severity_emoji = severity_emoji(fix[:severity])
+        puts "#{severity_emoji} #{fix[:gem_name]}: #{fix[:current_version]} → #{fix[:target_version]}"
+        puts "   Fixes: #{fix[:vulnerability_id]}"
+      end
+
+      puts "\n⚠️  This will modify your Gemfile.lock and may require bundle install."
+      print "Do you want to proceed? (y/N): "
+
+      response = $stdin.gets.chomp.downcase
+      response == "y" || response == "yes"
+    end
+
+    def severity_emoji(severity)
+      case severity.to_s.downcase
+      when /critical/
+        "🔴"
+      when /high/
+        "🟠"
+      when /medium/
+        "🟡"
+      else
+        "🟢"
+      end
+    end
+
+    def create_lockfile_backup
+      return if @backup_created
+
+      backup_path = "#{@lockfile_path}.backup.#{Time.now.strftime("%Y%m%d_%H%M%S")}"
+      FileUtils.cp(@lockfile_path, backup_path)
+      @backup_created = true
+      puts "📦 Created backup: #{backup_path}"
+    end
+
+    def apply_fixes(fixes)
+      applied_fixes = []
+
+      fixes.each do |fix|
+        if apply_single_fix(fix)
+          applied_fixes << fix
+          puts "✅ Updated #{fix[:gem_name]} to #{fix[:target_version]}"
+        else
+          puts "❌ Failed to update #{fix[:gem_name]}"
+        end
+      end
+
+      # Run bundle install to update the lockfile
+      if applied_fixes.any?
+        puts "\n🔄 Running bundle install to update lockfile..."
+        system("bundle install")
+      end
+
+      applied_fixes
+    end
+
+    def apply_single_fix(fix)
+      # Use bundler to update the specific gem
+      command = "bundle update #{fix[:gem_name]} --conservative"
+
+      # Execute the bundle update command
+      system(command, out: File::NULL, err: File::NULL)
+    end
+  end
+end

data/lib/gem_guard/cli.rb

@@ -98,8 +98,50 @@ module GemGuard
       end
     end
 
+    desc "typosquat", "Check for potential typosquat dependencies"
+    option :lockfile, type: :string, default: "Gemfile.lock", desc: "Path to Gemfile.lock"
+    option :format, type: :string, default: "table", desc: "Output format (table, json)"
+    option :output, type: :string, desc: "Output file path"
+    option :config, type: :string, desc: "Config file path"
+    def typosquat
+      config = Config.new(options[:config] || ".gemguard.yml")
+
+      lockfile_path = options[:lockfile] || config.lockfile_path
+      format = options[:format] || config.output_format
+      output_file = options[:output] || config.output_file
+
+      unless File.exist?(lockfile_path)
+        puts "Error: #{lockfile_path} not found"
+        exit EXIT_ERROR
+      end
+
+      begin
+        dependencies = Parser.new.parse(lockfile_path)
+        checker = TyposquatChecker.new
+        suspicious_gems = checker.check_dependencies(dependencies)
+
+        if output_file
+          output_content = format_typosquat_output(suspicious_gems, format)
+          File.write(output_file, output_content)
+          puts "Typosquat report written to #{output_file}"
+        else
+          display_typosquat_results(suspicious_gems, format)
+        end
+
+        # Exit with appropriate code
+        if suspicious_gems.any? { |sg| sg[:risk_level] == "critical" || sg[:risk_level] == "high" }
+          exit EXIT_VULNERABILITIES_FOUND
+        else
+          exit EXIT_SUCCESS
+        end
+      rescue => e
+        puts "Error: #{e.message}"
+        exit EXIT_ERROR
+      end
+    end
+
     desc "config", "Manage configuration"
-    option :init, type: :boolean, desc: "Initialize a new .gemguard.yml config file"
+    option :init, type: :boolean, desc: "Initialize default config file"
     option :show, type: :boolean, desc: "Show current configuration"
     option :path, type: :string, default: ".gemguard.yml", desc: "Config file path"
     def config
@@ -148,6 +190,87 @@ module GemGuard
       end
     end
 
+    desc "fix", "Automatically fix vulnerable dependencies"
+    option :lockfile, type: :string, desc: "Path to Gemfile.lock"
+    option :gemfile, type: :string, desc: "Path to Gemfile"
+    option :dry_run, type: :boolean, desc: "Show planned fixes without applying them"
+    option :interactive, type: :boolean, desc: "Ask for confirmation before applying fixes"
+    option :no_backup, type: :boolean, desc: "Skip creating backup of Gemfile.lock"
+    option :config, type: :string, desc: "Config file path"
+    def fix
+      config = Config.new(options[:config] || ".gemguard.yml")
+
+      lockfile_path = options[:lockfile] || config.lockfile_path
+      gemfile_path = options[:gemfile] || "Gemfile"
+      dry_run = options[:dry_run] || false
+      interactive = options[:interactive] || false
+      create_backup = !options[:no_backup]
+
+      unless File.exist?(lockfile_path)
+        puts "Error: #{lockfile_path} not found"
+        exit EXIT_ERROR
+      end
+
+      unless File.exist?(gemfile_path)
+        puts "Error: #{gemfile_path} not found. Auto-fix requires a Gemfile."
+        exit EXIT_ERROR
+      end
+
+      begin
+        # First, scan for vulnerabilities
+        dependencies = Parser.new.parse(lockfile_path)
+        vulnerabilities = VulnerabilityFetcher.new.fetch_for(dependencies)
+        analysis = Analyzer.new.analyze(dependencies, vulnerabilities)
+
+        if analysis.vulnerable_dependencies.empty?
+          puts "✅ No vulnerabilities found. Nothing to fix!"
+          exit EXIT_SUCCESS
+        end
+
+        # Apply fixes
+        auto_fixer = AutoFixer.new(lockfile_path, gemfile_path)
+        result = auto_fixer.fix_vulnerabilities(
+          analysis.vulnerable_dependencies,
+          dry_run: dry_run,
+          interactive: interactive,
+          backup: create_backup
+        )
+
+        case result[:status]
+        when :no_fixes_needed
+          puts "ℹ️  #{result[:message]}"
+          exit EXIT_SUCCESS
+        when :dry_run
+          puts "🔍 Dry Run Results:"
+          puts "=" * 40
+          result[:fixes].each do |fix|
+            puts "#{fix[:gem_name]}: #{fix[:current_version]} → #{fix[:target_version]}"
+            puts "  Fixes: #{fix[:vulnerability_id]} (#{fix[:severity]})"
+          end
+          puts "\n#{result[:message]}"
+          puts "Run without --dry-run to apply these fixes."
+          exit EXIT_SUCCESS
+        when :cancelled
+          puts "❌ #{result[:message]}"
+          exit EXIT_SUCCESS
+        when :completed
+          puts "🎉 #{result[:message]}"
+          puts "\n📋 Applied Fixes:"
+          result[:fixes].each do |fix|
+            puts "✅ #{fix[:gem_name]}: #{fix[:current_version]} → #{fix[:target_version]}"
+          end
+          puts "\n💡 Run 'gem_guard scan' to verify fixes."
+          exit EXIT_SUCCESS
+        else
+          puts "❌ Unexpected error during fix operation"
+          exit EXIT_ERROR
+        end
+      rescue => e
+        puts "Error: #{e.message}"
+        exit EXIT_ERROR
+      end
+    end
+
     desc "version", "Show gem_guard version"
     def version
       puts GemGuard::VERSION
@@ -165,9 +288,7 @@ module GemGuard
       return analysis unless severity_threshold
 
       filtered_vulnerable_deps = analysis.vulnerable_dependencies.select do |vuln_dep|
-        vuln_dep.vulnerabilities.any? do |vuln|
-          config.meets_severity_threshold?(extract_severity_level(vuln.severity))
-        end
+        config.meets_severity_threshold?(extract_severity_level(vuln_dep.vulnerability.severity))
       end
 
       # Create new analysis with filtered vulnerabilities
@@ -193,12 +314,75 @@ module GemGuard
     end
 
     def capture_report_output(analysis, format)
+      output = StringIO.new
       old_stdout = $stdout
-      $stdout = StringIO.new
+      $stdout = output
+
       Reporter.new.report(analysis, format: format)
-      $stdout.string
-    ensure
+
       $stdout = old_stdout
+      output.string
+    end
+
+    def display_typosquat_results(suspicious_gems, format)
+      if suspicious_gems.empty?
+        puts "No potential typosquat dependencies found."
+        return
+      end
+
+      case format.downcase
+      when "json"
+        puts JSON.pretty_generate(suspicious_gems)
+      else
+        display_typosquat_table(suspicious_gems)
+      end
+    end
+
+    def display_typosquat_table(suspicious_gems)
+      puts "\n🚨 Potential Typosquat Dependencies Found:"
+      puts "=" * 80
+
+      suspicious_gems.each do |gem_info|
+        risk_emoji = case gem_info[:risk_level]
+        when "critical" then "🔴"
+        when "high" then "🟠"
+        when "medium" then "🟡"
+        else "🟢"
+        end
+
+        puts "\n#{risk_emoji} #{gem_info[:gem_name]} (#{gem_info[:version]})"
+        puts "   Suspected target: #{gem_info[:suspected_target]}"
+        puts "   Similarity: #{(gem_info[:similarity_score] * 100).round(1)}%"
+        puts "   Risk level: #{gem_info[:risk_level].upcase}"
+        puts "   Target downloads: #{number_with_commas(gem_info[:target_downloads])}"
+      end
+
+      puts "\n" + "=" * 80
+      puts "💡 Review these dependencies carefully. Consider:"
+      puts "   • Verifying the gem's legitimacy on rubygems.org"
+      puts "   • Checking the gem's source code repository"
+      puts "   • Looking for official documentation or endorsements"
+      puts "   • Comparing with the suspected target gem"
+    end
+
+    def format_typosquat_output(suspicious_gems, format)
+      case format.downcase
+      when "json"
+        JSON.pretty_generate(suspicious_gems)
+      else
+        output = StringIO.new
+        old_stdout = $stdout
+        $stdout = output
+
+        display_typosquat_table(suspicious_gems)
+
+        $stdout = old_stdout
+        output.string
+      end
+    end
+
+    def number_with_commas(number)
+      number.to_s.reverse.gsub(/(\d{3})(?=\d)/, '\\1,').reverse
     end
   end
 end

data/lib/gem_guard/parser.rb

@@ -16,7 +16,9 @@ module GemGuard
         )
       end
 
-      dependencies
+      # Deduplicate dependencies by name to handle platform-specific gems
+      # (e.g., nokogiri-arm64-darwin, nokogiri-x86_64-darwin, etc.)
+      dependencies.uniq { |dep| dep.name }
     end
 
     private

data/lib/gem_guard/typosquat_checker.rb

@@ -0,0 +1,157 @@
+require "net/http"
+require "json"
+require "uri"
+
+module GemGuard
+  class TyposquatChecker
+    POPULAR_GEMS_CACHE_TTL = 3600 # 1 hour
+    SIMILARITY_THRESHOLD = 0.8
+    MIN_POPULAR_GEM_DOWNLOADS = 1_000_000
+
+    def initialize
+      @popular_gems_cache = nil
+      @cache_timestamp = nil
+    end
+
+    def check_dependencies(dependencies)
+      suspicious_gems = []
+      popular_gems = fetch_popular_gems
+
+      dependencies.each do |dependency|
+        suspicious_match = find_suspicious_match(dependency.name, popular_gems)
+        if suspicious_match
+          suspicious_gems << {
+            gem_name: dependency.name,
+            version: dependency.version,
+            suspected_target: suspicious_match[:name],
+            similarity_score: suspicious_match[:similarity],
+            target_downloads: suspicious_match[:downloads],
+            risk_level: calculate_risk_level(suspicious_match[:similarity])
+          }
+        end
+      end
+
+      suspicious_gems
+    end
+
+    private
+
+    def fetch_popular_gems
+      return @popular_gems_cache if cache_valid?
+
+      begin
+        # Use fallback popular gems list for now since RubyGems API structure is complex
+        # In a production environment, you might want to use a different data source
+        # or scrape the RubyGems.org popular page
+        @popular_gems_cache = fallback_popular_gems
+        @cache_timestamp = Time.now
+        @popular_gems_cache
+      rescue
+        # Silently fall back to hardcoded list - no need to warn user
+        fallback_popular_gems
+      end
+    end
+
+    def cache_valid?
+      @popular_gems_cache && @cache_timestamp &&
+        (Time.now - @cache_timestamp) < POPULAR_GEMS_CACHE_TTL
+    end
+
+    def find_suspicious_match(gem_name, popular_gems)
+      return nil if popular_gems.any? { |pg| pg[:name] == gem_name }
+
+      best_match = nil
+      highest_similarity = 0
+
+      popular_gems.each do |popular_gem|
+        similarity = calculate_similarity(gem_name, popular_gem[:name])
+
+        if similarity >= SIMILARITY_THRESHOLD && similarity > highest_similarity
+          highest_similarity = similarity
+          best_match = {
+            name: popular_gem[:name],
+            similarity: similarity,
+            downloads: popular_gem[:downloads]
+          }
+        end
+      end
+
+      best_match
+    end
+
+    def calculate_similarity(str1, str2)
+      return 0.0 if str1.nil? || str2.nil? || str1.empty? || str2.empty?
+      return 1.0 if str1 == str2
+
+      # Use Levenshtein distance for similarity calculation
+      levenshtein_similarity(str1.downcase, str2.downcase)
+    end
+
+    def levenshtein_similarity(str1, str2)
+      distance = levenshtein_distance(str1, str2)
+      max_length = [str1.length, str2.length].max
+      return 1.0 if max_length == 0
+
+      1.0 - (distance.to_f / max_length)
+    end
+
+    def levenshtein_distance(str1, str2)
+      matrix = Array.new(str1.length + 1) { Array.new(str2.length + 1) }
+
+      (0..str1.length).each { |i| matrix[i][0] = i }
+      (0..str2.length).each { |j| matrix[0][j] = j }
+
+      (1..str1.length).each do |i|
+        (1..str2.length).each do |j|
+          cost = (str1[i - 1] == str2[j - 1]) ? 0 : 1
+          matrix[i][j] = [
+            matrix[i - 1][j] + 1,     # deletion
+            matrix[i][j - 1] + 1,     # insertion
+            matrix[i - 1][j - 1] + cost # substitution
+          ].min
+        end
+      end
+
+      matrix[str1.length][str2.length]
+    end
+
+    def calculate_risk_level(similarity)
+      case similarity
+      when 0.95..1.0
+        "critical"
+      when 0.9..0.95
+        "high"
+      when 0.85..0.9
+        "medium"
+      else
+        "low"
+      end
+    end
+
+    def fallback_popular_gems
+      # Hardcoded list of very popular Ruby gems as fallback
+      [
+        {name: "rails", downloads: 100_000_000},
+        {name: "bundler", downloads: 90_000_000},
+        {name: "rake", downloads: 80_000_000},
+        {name: "json", downloads: 70_000_000},
+        {name: "minitest", downloads: 60_000_000},
+        {name: "thread_safe", downloads: 50_000_000},
+        {name: "tzinfo", downloads: 45_000_000},
+        {name: "concurrent-ruby", downloads: 40_000_000},
+        {name: "i18n", downloads: 35_000_000},
+        {name: "activesupport", downloads: 30_000_000},
+        {name: "activerecord", downloads: 25_000_000},
+        {name: "actionpack", downloads: 20_000_000},
+        {name: "actionview", downloads: 18_000_000},
+        {name: "activemodel", downloads: 15_000_000},
+        {name: "rspec", downloads: 12_000_000},
+        {name: "puma", downloads: 10_000_000},
+        {name: "nokogiri", downloads: 8_000_000},
+        {name: "thor", downloads: 7_000_000},
+        {name: "sass", downloads: 6_000_000},
+        {name: "devise", downloads: 5_000_000}
+      ]
+    end
+  end
+end

data/lib/gem_guard/version.rb

@@ -1,3 +1,3 @@
 module GemGuard
-  VERSION = "0.1.7"
+  VERSION = "1.1.2"
 end

data/lib/gem_guard/vulnerability_fetcher.rb

@@ -15,7 +15,31 @@ module GemGuard
         vulnerabilities.concat(fetch_ruby_advisory_vulnerabilities(dependency))
       end
 
-      vulnerabilities.uniq { |vuln| vuln.id }
+      # Deduplicate vulnerabilities by ID and gem name, merging affected/fixed versions
+      deduplicated = {}
+      vulnerabilities.each do |vuln|
+        key = [vuln.id, vuln.gem_name]
+        if deduplicated[key]
+          # Merge affected and fixed versions from duplicate entries
+          existing = deduplicated[key]
+          merged_affected = (existing.affected_versions + vuln.affected_versions).uniq
+          merged_fixed = (existing.fixed_versions + vuln.fixed_versions).uniq
+
+          deduplicated[key] = Vulnerability.new(
+            id: existing.id,
+            gem_name: existing.gem_name,
+            affected_versions: merged_affected,
+            fixed_versions: merged_fixed,
+            severity: existing.severity,
+            summary: existing.summary,
+            details: existing.details
+          )
+        else
+          deduplicated[key] = vuln
+        end
+      end
+
+      deduplicated.values
     end
 
     private

data/lib/gem_guard.rb

@@ -3,9 +3,11 @@ require_relative "gem_guard/parser"
 require_relative "gem_guard/vulnerability_fetcher"
 require_relative "gem_guard/analyzer"
 require_relative "gem_guard/reporter"
-require_relative "gem_guard/sbom_generator"
-require_relative "gem_guard/config"
 require_relative "gem_guard/cli"
+require_relative "gem_guard/config"
+require_relative "gem_guard/sbom_generator"
+require_relative "gem_guard/typosquat_checker"
+require_relative "gem_guard/auto_fixer"
 
 module GemGuard
   class Error < StandardError; end

data/test_nokogiri.lock

@@ -0,0 +1,13 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    nokogiri (1.18.8)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  nokogiri
+
+BUNDLED WITH
+   2.4.10

data/test_nokogiri.lock.backup.20250810_002252

@@ -0,0 +1,13 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    nokogiri (1.18.8)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  nokogiri
+
+BUNDLED WITH
+   2.4.10

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gem_guard
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 1.1.2
 platform: ruby
 authors:
 - Wilbur Suero
@@ -96,21 +96,24 @@ files:
 - Rakefile
 - SECURITY.md
 - exe/gem_guard
-- gem_guard-0.1.0.gem
 - gem_guard.gemspec
 - lib/gem_guard.rb
 - lib/gem_guard/analyzer.rb
+- lib/gem_guard/auto_fixer.rb
 - lib/gem_guard/cli.rb
 - lib/gem_guard/config.rb
 - lib/gem_guard/parser.rb
 - lib/gem_guard/reporter.rb
 - lib/gem_guard/sbom_generator.rb
+- lib/gem_guard/typosquat_checker.rb
 - lib/gem_guard/version.rb
 - lib/gem_guard/vulnerability_fetcher.rb
 - plan.md
 - templates/circleci-config.yml
 - templates/github-actions.yml
 - templates/gitlab-ci.yml
+- test_nokogiri.lock
+- test_nokogiri.lock.backup.20250810_002252
 homepage: https://github.com/wilburhimself/gem_guard
 licenses:
 - MIT