gem_guard 1.1.2 → 1.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2870725c07a4b4c39c53e01c031663a934db6f9e457ad75f509d2ee6e3e35684
-  data.tar.gz: 6f630c2ef6939a0c5de8c3b8982781a907065b8c1a3901483f1101910387e244
+  metadata.gz: b97a15143a123482699d1aa0bb8c4458c19dd9d61bc4c5044ffb305064a6dc24
+  data.tar.gz: 1aa0c21a8f0b0f6d5ff78af7c75759c1f5f5a777329090eae1a27ca55488893c
 SHA512:
-  metadata.gz: 6b7c598cd6789dfdf5d3b90c82fc9f2ade69c730418f1d2a9f6ba6c22555fad01b7e4bbd438bbb03d6116f429176a407e9b0f13221c47fd2cd0e9e2175563e98
-  data.tar.gz: 822e03ed7fa56e17d170abf92db8677fb27f92ff04d0f52ecdc1793c73db9aab3052e37e6cbcb28b7a217f3a30a7fb062a3860169f908067b2c3672964d9f977
+  metadata.gz: 6a2ac4bc9d7f793a603d694a105b0a235f1663ab4e91ae189729097cf2ea2e2c2159ebb08fd2c5fb8e6d15b99a32754cf4a310fef4416af8f684a46189c8ca24
+  data.tar.gz: 23fc743bebe7451d7e30a7b405aa8498b98be33c529317be4084af278fced5761b2a379496b07ee32b4ba58a5c5258618b838bf6c1fec132209cdf67cfcccbf8

data/CHANGELOG.md

@@ -7,6 +7,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.2.0] - 2025-08-17
+
+### Added
+- Interactive fix flow: `gem_guard fix --interactive` prompts per gem (via `tty-prompt`).
+
+### Changed
+- Dry-run output refined to: `✅ Would update <gem> <from> → <to>` for clarity.
+
+### Dependencies
+- Add runtime dependency: `tty-prompt ~> 0.23`.
+
+## [1.1.2] - 2025-08-11
+
+### Added
+- Auto-Fix Mode: `gem_guard fix` to automatically update vulnerable gems with safe versions
+- SBOM generation: SPDX and CycloneDX outputs via `gem_guard sbom`
+- Typosquat detection with fuzzy matching and RubyGems API integration
+
+### Changed
+- Standardized CLI exit codes (0: clean, 1: vulnerabilities, 2: error)
+- Improved integration test mocking; tests run fast without external calls
+- Dropped Ruby 3.0 from CI matrix; now testing 3.1, 3.2, 3.3
+- SECURITY.md updated to use GitHub Security Advisories for private reports (no direct email)
+
+### Fixed
+- Deduplicated platform-specific gem vulnerabilities in reports
+- Resolved config state leakage across tests via deep copy of defaults
+- CI/CD publishing issues (RubyGems token permissions, bundler as dev dependency)
+- CLI integration test exit code handling and minor lint issues
+
 ## [0.1.0] - 2025-08-08
 
 ### Added

data/README.md

@@ -98,6 +98,8 @@ gem_guard scan --format json --output vulnerabilities.json
 gem_guard scan --fail-on-vulnerabilities --severity-threshold high
 ```
 
+> Exit codes: 0 = success, 1 = vulnerabilities found (only when `--fail-on-vulnerabilities` is set), 2 = error. See [Exit Codes](#exit-codes).
+
 **Example output:**
 ```
 🚨 Security Vulnerabilities Found
@@ -122,6 +124,40 @@ Details:
    🔧 Fix: bundle update thor --to 1.4.0
 ```
 
+### 🛠 Auto-fix Vulnerable Dependencies
+
+Use `fix` to apply recommended upgrades. Start with a dry run to preview changes.
+
+```bash
+# Preview only — shows what would change, does not modify files
+gem_guard fix --dry-run
+
+# Interactively confirm each upgrade (uses tty-prompt)
+gem_guard fix --interactive
+
+# Apply fixes non-interactively
+gem_guard fix
+```
+
+Dry run output example:
+
+```
+🔍 Dry run — no files will be modified.
+========================================
+✅ Would update nokogiri 1.12.0 → 1.14.3
+
+Dry run completed. 1 fixes planned.
+Run without --dry-run to apply these fixes.
+```
+
+Behavior notes:
+
+- **Interactive**: You’ll be asked per gem: `Upgrade nokogiri 1.12.0 → 1.14.3?` Answering “no” skips that gem.
+- **Backups**: A `Gemfile.lock.backup.YYYYMMDD_HHMMSS` is created only if at least one fix is approved/applied.
+- **Requirements**: `Gemfile` and `Gemfile.lock` must exist. Interactive prompts require a TTY-capable environment.
+
+> Exit codes: 0 = success, 2 = error. See [Exit Codes](#exit-codes). Use `--verbose` for diagnostics if a file/permission error occurs.
+
 ### 🎯 Typosquat Detection
 
 **Basic typosquat check:**
@@ -151,6 +187,8 @@ gem_guard typosquat --format json --output typosquats.json
    🔧 Consider: Did you mean 'rails'? Review this dependency carefully.
 ```
 
+> Exit codes: 0 = no high/critical risks, 1 = high/critical typosquat risks detected, 2 = error. See [Exit Codes](#exit-codes). Use `--verbose` for diagnostics on file errors.
+
 ### 📋 SBOM Generation
 
 **Generate SPDX SBOM:**
@@ -185,6 +223,8 @@ gem_guard sbom --project my-app --output sbom.json
 }
 ```
 
+> Exit codes: 0 = success, 2 = error. See [Exit Codes](#exit-codes). Use `--verbose` for diagnostics on file errors.
+
 ## ⚙️ Configuration
 
 GemGuard supports project-level configuration via `.gemguard.yml`:
@@ -313,6 +353,57 @@ jobs:
           path: sbom.json
 ```
 
+## ❗️ Troubleshooting
+
+### InvalidLockfileError: Invalid Gemfile.lock
+
+GemGuard raises `GemGuard::InvalidLockfileError` when the `Gemfile.lock` is malformed (e.g., truncated file, malformed `DEPENDENCIES` entries, or dependencies not present in the `specs` section).
+
+Common fixes:
+
+- Run `bundle install` to regenerate `Gemfile.lock`.
+- If issues persist, delete `Gemfile.lock` and run `bundle install` again to fully regenerate.
+- Ensure the file wasn’t manually edited. `Gemfile.lock` should be managed by Bundler.
+- Verify Bundler version compatibility (see the `BUNDLED WITH` section at the bottom of your lockfile).
+
+If you believe the lockfile is valid but still see this error, please open an issue with your `Gemfile.lock` attached (sanitized if needed).
+
+### FileError: Filesystem or Permission Issues
+
+GemGuard raises `GemGuard::FileError` when it cannot read or write required files (e.g., missing `Gemfile`, missing `Gemfile.lock`, or permission denied when creating backups or writing reports).
+
+Common scenarios and fixes:
+
+- **Gemfile not found** (auto-fix): Ensure a `Gemfile` exists at the project root or pass `--gemfile PATH`.
+
+- **Gemfile.lock not found**:
+  - Run `bundle install` to generate it, or pass `--lockfile PATH` to point to the correct file.
+
+- **Permission denied when creating backup (fix)**:
+  - The `fix` command creates a backup like `Gemfile.lock.backup.YYYYMMDD_HHMMSS` when applying changes.
+  - Ensure the working directory is writable by your user: `chmod u+w .` or run within a writable workspace.
+  - In CI, ensure the job user has write access to the repo checkout directory.
+
+- **Permission denied when writing output files (scan/typosquat/sbom)**:
+  - Specify a writable path using `--output`, e.g.: `gem_guard scan --output tmp/vulns.json`.
+  - Create the directory first: `mkdir -p tmp`.
+
+- **Read-only mounted directories in containers/CI**:
+  - Write outputs to a mounted writable volume, e.g., `/tmp`, and upload artifacts from there.
+
+If you continue to see `FileError`, re-run with verbose shell tracing to confirm permissions:
+
+```bash
+set -x
+gem_guard scan --output tmp/vulns.json
+```
+
+You can also add GemGuard diagnostics:
+
+```bash
+gem_guard scan --verbose --output tmp/vulns.json
+```
+
 ## Development
 
 After checking out the repo, run `bundle install` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bundle exec rake standard` to run the linter.
@@ -355,7 +446,7 @@ We welcome contributions! Here's how you can help:
 
 ### Development Guidelines
 
-- Follow DHH-style Ruby: pragmatic, intention-revealing, minimal abstractions
+- Follow pragmatic, intention-revealing, minimal abstractions
 - Use strict outside-in TDD with RSpec
 - Maintain 100% test coverage
 - Follow StandardRB for code style

data/SECURITY.md

@@ -10,7 +10,11 @@ We actively support the following versions of GemGuard:
 
 ## Reporting a Vulnerability
 
-If you discover a security vulnerability within GemGuard, please send an email to **security@wilburhimself.com**. All security vulnerabilities will be promptly addressed.
+If you discover a security vulnerability within GemGuard, please submit a private report via GitHub Security Advisories:
+
+https://github.com/wilburhimself/gem_guard/security/advisories/new
+
+All security vulnerabilities will be promptly addressed through the advisory workflow.
 
 **Please do not report security vulnerabilities through public GitHub issues.**
 
@@ -78,16 +82,15 @@ We provide security updates through:
 
 - **GitHub Security Advisories** for critical vulnerabilities
 - **RubyGems.org releases** with security patches
-- **Email notifications** to security@wilburhimself.com subscribers
 - **GitHub releases** with detailed changelogs
 
 ## Contact
 
-For security-related inquiries:
+For security-related inquiries and reports, use GitHub Security Advisories to contact maintainers privately:
+
+https://github.com/wilburhimself/gem_guard/security/advisories/new
 
-- **Email**: security@wilburhimself.com
-- **PGP Key**: Available upon request
-- **Response Time**: 48 hours for initial response
+We do not monitor any dedicated security email inbox. Initial response within 48 hours.
 
 ---
 
@@ -97,6 +100,5 @@ For security-related inquiries:
 
 ## Contact
 
-For security-related questions or concerns, contact:
-- Email: security@wilburhimself.com
+For general questions, reach out via GitHub Discussions or issues as appropriate:
 - GitHub: [@wilburhimself](https://github.com/wilburhimself)

data/lib/gem_guard/auto_fixer.rb

@@ -1,5 +1,6 @@
 require "bundler"
 require "fileutils"
+require "tty-prompt"
 
 module GemGuard
   class AutoFixer
@@ -15,11 +16,11 @@ module GemGuard
       create_backup = options.fetch(:backup, true)
 
       unless File.exist?(@gemfile_path)
-        raise "Gemfile not found at #{@gemfile_path}. Auto-fix requires a Gemfile."
+        raise GemGuard::FileError, "Gemfile not found at #{@gemfile_path}. Auto-fix requires a Gemfile."
       end
 
       unless File.exist?(@lockfile_path)
-        raise "Gemfile.lock not found at #{@lockfile_path}. Run 'bundle install' first."
+        raise GemGuard::FileError, "Gemfile.lock not found at #{@lockfile_path}. Run 'bundle install' first."
       end
 
       fixes = plan_fixes(vulnerable_dependencies)
@@ -32,13 +33,12 @@ module GemGuard
         return {status: :dry_run, fixes: fixes, message: "Dry run completed. #{fixes.length} fixes planned."}
       end
 
-      if interactive && !confirm_fixes(fixes)
-        return {status: :cancelled, message: "Fix operation cancelled by user."}
-      end
-
-      create_lockfile_backup if create_backup
+      # Apply fixes with optional per-gem confirmation
+      applied_fixes, cancelled = apply_fixes(fixes, interactive: interactive, backup: create_backup)
 
-      applied_fixes = apply_fixes(fixes)
+      if cancelled
+        return {status: :cancelled, message: "No fixes approved."}
+      end
 
       {
         status: :completed,
@@ -92,20 +92,8 @@ module GemGuard
     end
 
     def confirm_fixes(fixes)
-      puts "\n🔧 Planned Fixes:"
-      puts "=" * 50
-
-      fixes.each do |fix|
-        severity_emoji = severity_emoji(fix[:severity])
-        puts "#{severity_emoji} #{fix[:gem_name]}: #{fix[:current_version]} → #{fix[:target_version]}"
-        puts "   Fixes: #{fix[:vulnerability_id]}"
-      end
-
-      puts "\n⚠️  This will modify your Gemfile.lock and may require bundle install."
-      print "Do you want to proceed? (y/N): "
-
-      response = $stdin.gets.chomp.downcase
-      response == "y" || response == "yes"
+      # Deprecated: kept for compatibility but not used with per-gem prompts
+      true
     end
 
     def severity_emoji(severity)
@@ -125,15 +113,36 @@ module GemGuard
       return if @backup_created
 
       backup_path = "#{@lockfile_path}.backup.#{Time.now.strftime("%Y%m%d_%H%M%S")}"
-      FileUtils.cp(@lockfile_path, backup_path)
+      begin
+        FileUtils.cp(@lockfile_path, backup_path)
+      rescue Errno::EACCES, Errno::EPERM => e
+        raise GemGuard::FileError, "Cannot write backup for #{@lockfile_path}: #{e.message}. Check file permissions."
+      end
       @backup_created = true
       puts "📦 Created backup: #{backup_path}"
     end
 
-    def apply_fixes(fixes)
+    def apply_fixes(fixes, interactive: false, backup: true)
       applied_fixes = []
 
-      fixes.each do |fix|
+      # Determine which fixes to apply
+      selected_fixes = if interactive
+        prompt = TTY::Prompt.new
+        fixes.select do |fix|
+          question = "Upgrade #{fix[:gem_name]} #{fix[:current_version]} → #{fix[:target_version]}?"
+          prompt.yes?(question)
+        end
+      else
+        fixes
+      end
+
+      # If no fixes were approved, signal cancellation
+      return [applied_fixes, true] if selected_fixes.empty?
+
+      # Create backup only if we will actually apply at least one fix
+      create_lockfile_backup if backup
+
+      selected_fixes.each do |fix|
         if apply_single_fix(fix)
           applied_fixes << fix
           puts "✅ Updated #{fix[:gem_name]} to #{fix[:target_version]}"
@@ -148,7 +157,7 @@ module GemGuard
         system("bundle install")
       end
 
-      applied_fixes
+      [applied_fixes, false]
     end
 
     def apply_single_fix(fix)

data/lib/gem_guard/cli.rb

@@ -8,6 +8,9 @@ module GemGuard
     EXIT_VULNERABILITIES_FOUND = 1
     EXIT_ERROR = 2
 
+    # Global options
+    class_option :verbose, type: :boolean, desc: "Print extra diagnostics on errors"
+
     desc "scan", "Scan dependencies for known vulnerabilities"
     option :format, type: :string, desc: "Output format (table, json)"
     option :lockfile, type: :string, desc: "Path to Gemfile.lock"
@@ -27,6 +30,7 @@ module GemGuard
 
       unless File.exist?(lockfile_path)
         puts "Error: #{lockfile_path} not found"
+        verbose_diagnostics([lockfile_path])
         exit EXIT_ERROR
       end
 
@@ -56,6 +60,14 @@ module GemGuard
         else
           exit EXIT_SUCCESS
         end
+      rescue GemGuard::InvalidLockfileError => e
+        puts "Invalid Gemfile.lock: #{e.message}"
+        puts "Tip: Run 'bundle install' to regenerate your lockfile."
+        exit EXIT_ERROR
+      rescue GemGuard::FileError => e
+        puts "File error: #{e.message}"
+        verbose_diagnostics([lockfile_path, output_file].compact)
+        exit EXIT_ERROR
       rescue => e
         puts "Error: #{e.message}"
         exit EXIT_ERROR
@@ -72,7 +84,8 @@ module GemGuard
 
       unless File.exist?(lockfile_path)
         puts "Error: #{lockfile_path} not found"
-        exit 1
+        verbose_diagnostics([lockfile_path])
+        exit EXIT_ERROR
       end
 
       dependencies = Parser.new.parse(lockfile_path)
@@ -85,7 +98,7 @@ module GemGuard
         generator.generate_cyclone_dx(dependencies, options[:project])
       else
         puts "Error: Unsupported format '#{options[:format]}'. Use 'spdx' or 'cyclone-dx'"
-        exit 1
+        exit EXIT_ERROR
       end
 
       output_json = JSON.pretty_generate(sbom_data)
@@ -112,6 +125,7 @@ module GemGuard
 
       unless File.exist?(lockfile_path)
         puts "Error: #{lockfile_path} not found"
+        verbose_diagnostics([lockfile_path])
         exit EXIT_ERROR
       end
 
@@ -134,6 +148,14 @@ module GemGuard
         else
           exit EXIT_SUCCESS
         end
+      rescue GemGuard::InvalidLockfileError => e
+        puts "Invalid Gemfile.lock: #{e.message}"
+        puts "Tip: Run 'bundle install' to regenerate your lockfile."
+        exit EXIT_ERROR
+      rescue GemGuard::FileError => e
+        puts "File error: #{e.message}"
+        verbose_diagnostics([lockfile_path, output_file].compact)
+        exit EXIT_ERROR
       rescue => e
         puts "Error: #{e.message}"
         exit EXIT_ERROR
@@ -208,11 +230,13 @@ module GemGuard
 
       unless File.exist?(lockfile_path)
         puts "Error: #{lockfile_path} not found"
+        verbose_diagnostics([lockfile_path])
         exit EXIT_ERROR
       end
 
       unless File.exist?(gemfile_path)
         puts "Error: #{gemfile_path} not found. Auto-fix requires a Gemfile."
+        verbose_diagnostics([gemfile_path])
         exit EXIT_ERROR
       end
 
@@ -241,11 +265,10 @@ module GemGuard
           puts "ℹ️  #{result[:message]}"
           exit EXIT_SUCCESS
         when :dry_run
-          puts "🔍 Dry Run Results:"
+          puts "🔍 Dry run — no files will be modified."
           puts "=" * 40
           result[:fixes].each do |fix|
-            puts "#{fix[:gem_name]}: #{fix[:current_version]} → #{fix[:target_version]}"
-            puts "  Fixes: #{fix[:vulnerability_id]} (#{fix[:severity]})"
+            puts "✅ Would update #{fix[:gem_name]} #{fix[:current_version]} → #{fix[:target_version]}"
           end
           puts "\n#{result[:message]}"
           puts "Run without --dry-run to apply these fixes."
@@ -265,6 +288,13 @@ module GemGuard
           puts "❌ Unexpected error during fix operation"
           exit EXIT_ERROR
         end
+      rescue GemGuard::InvalidLockfileError => e
+        puts "Invalid Gemfile.lock: #{e.message}"
+        puts "Tip: Run 'bundle install' to regenerate your lockfile."
+        exit EXIT_ERROR
+      rescue GemGuard::FileError => e
+        puts "File error: #{e.message}"
+        exit EXIT_ERROR
       rescue => e
         puts "Error: #{e.message}"
         exit EXIT_ERROR
@@ -384,5 +414,19 @@ module GemGuard
     def number_with_commas(number)
       number.to_s.reverse.gsub(/(\d{3})(?=\d)/, '\\1,').reverse
     end
+
+    def verbose_diagnostics(paths)
+      return unless options[:verbose]
+      puts "\n[Diagnostics]"
+      puts "cwd: #{Dir.pwd}"
+      Array(paths).each do |p|
+        exists = File.exist?(p)
+        readable = exists ? File.readable?(p) : false
+        writable_dir = File.writable?(File.directory?(p) ? p : File.dirname(p))
+        puts "- #{p}: exists=#{exists}, readable=#{readable}, writable_dir=#{writable_dir}"
+      rescue => ex
+        puts "- #{p}: (error checking permissions: #{ex.message})"
+      end
+    end
   end
 end

data/lib/gem_guard/parser.rb

@@ -3,7 +3,18 @@ require "bundler"
 module GemGuard
   class Parser
     def parse(lockfile_path)
-      lockfile = Bundler::LockfileParser.new(File.read(lockfile_path))
+      content = File.read(lockfile_path)
+      begin
+        lockfile = Bundler::LockfileParser.new(content)
+      rescue => e
+        # Wrap any parsing errors from Bundler with a clearer custom error
+        raise GemGuard::InvalidLockfileError, "Invalid Gemfile.lock at #{lockfile_path}: #{e.message}"
+      end
+
+      # Basic structural validation to catch truncated files quickly
+      unless content.include?("\nBUNDLED WITH") || content.end_with?("BUNDLED WITH\n")
+        raise GemGuard::InvalidLockfileError, "Invalid Gemfile.lock at #{lockfile_path}: missing 'BUNDLED WITH' section"
+      end
 
       dependencies = []
 
@@ -16,6 +27,9 @@ module GemGuard
         )
       end
 
+      # Validate DEPENDENCIES section formatting and presence in specs
+      validate_dependencies_section!(content, dependencies.map(&:name), lockfile_path)
+
       # Deduplicate dependencies by name to handle platform-specific gems
       # (e.g., nokogiri-arm64-darwin, nokogiri-x86_64-darwin, etc.)
       dependencies.uniq { |dep| dep.name }
@@ -23,6 +37,46 @@ module GemGuard
 
     private
 
+    def validate_dependencies_section!(content, spec_names, lockfile_path)
+      lines = content.lines
+      start_index = lines.index { |l| l.strip == "DEPENDENCIES" }
+      return unless start_index # If no section, let Bundler rules apply
+
+      # Collect until blank line or next all-caps heading
+      deps = []
+      i = start_index + 1
+      while i < lines.length
+        line = lines[i]
+        break if line.strip.empty?
+        break if line == line.upcase && line.match?(/^[A-Z\s]+$/)
+
+        # Ignore comments on the line
+        stripped = line.split("#", 2).first.to_s.rstrip
+        if stripped.strip.empty?
+          i += 1
+          next
+        end
+
+        # Expect indentation then a gem name optionally with version in parens
+        if !/^\s{2,}[a-z0-9_\-]+(\s*\([^)]*\))?\s*$/i.match?(stripped)
+          raise GemGuard::InvalidLockfileError, "Invalid Gemfile.lock at #{lockfile_path}: malformed DEPENDENCIES entry '#{line.strip}'"
+        end
+
+        name = stripped.strip.split.first
+        # remove optional version tuple e.g., rails, or rails(=7.0.0) case without space
+        name = name.split("(").first
+
+        unless spec_names.include?(name)
+          raise GemGuard::InvalidLockfileError, "Invalid Gemfile.lock at #{lockfile_path}: dependency '#{name}' not found in specs"
+        end
+
+        deps << name
+        i += 1
+      end
+
+      deps
+    end
+
     def extract_source(spec)
       if spec.source.respond_to?(:uri)
         spec.source.uri.to_s

data/lib/gem_guard/version.rb

@@ -1,3 +1,3 @@
 module GemGuard
-  VERSION = "1.1.2"
+  VERSION = "1.2.4"
 end

data/lib/gem_guard.rb

@@ -11,4 +11,8 @@ require_relative "gem_guard/auto_fixer"
 
 module GemGuard
   class Error < StandardError; end
+
+  class InvalidLockfileError < Error; end
+
+  class FileError < Error; end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gem_guard
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.2.4
 platform: ruby
 authors:
 - Wilbur Suero
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-08-10 00:00:00.000000000 Z
+date: 2025-08-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: tty-prompt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.23'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.23'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -72,14 +86,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '1.39'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.39'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-snapshot
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0.22'
 description: A comprehensive tool to detect, report, and remediate dependency-related
   security risks in Ruby projects. Includes CVE scanning, SBOM generation, and CI/CD
   integration.
@@ -96,7 +152,6 @@ files:
 - Rakefile
 - SECURITY.md
 - exe/gem_guard
-- gem_guard.gemspec
 - lib/gem_guard.rb
 - lib/gem_guard/analyzer.rb
 - lib/gem_guard/auto_fixer.rb
@@ -108,12 +163,9 @@ files:
 - lib/gem_guard/typosquat_checker.rb
 - lib/gem_guard/version.rb
 - lib/gem_guard/vulnerability_fetcher.rb
-- plan.md
 - templates/circleci-config.yml
 - templates/github-actions.yml
 - templates/gitlab-ci.yml
-- test_nokogiri.lock
-- test_nokogiri.lock.backup.20250810_002252
 homepage: https://github.com/wilburhimself/gem_guard
 licenses:
 - MIT
@@ -121,6 +173,7 @@ metadata:
   homepage_uri: https://github.com/wilburhimself/gem_guard
   source_code_uri: https://github.com/wilburhimself/gem_guard
   changelog_uri: https://github.com/wilburhimself/gem_guard/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:

data/gem_guard.gemspec

@@ -1,35 +0,0 @@
-require_relative "lib/gem_guard/version"
-
-Gem::Specification.new do |spec|
-  spec.name = "gem_guard"
-  spec.version = GemGuard::VERSION
-  spec.authors = ["Wilbur Suero"]
-  spec.email = ["wilbur@example.com"]
-
-  spec.summary = "Supply chain security and vulnerability management for Ruby gems"
-  spec.description = "A comprehensive tool to detect, report, and remediate dependency-related security risks in Ruby projects. Includes CVE scanning, SBOM generation, and CI/CD integration."
-  spec.homepage = "https://github.com/wilburhimself/gem_guard"
-  spec.license = "MIT"
-  spec.required_ruby_version = ">= 3.0.0"
-
-  spec.metadata["homepage_uri"] = spec.homepage
-  spec.metadata["source_code_uri"] = "https://github.com/wilburhimself/gem_guard"
-  spec.metadata["changelog_uri"] = "https://github.com/wilburhimself/gem_guard/blob/main/CHANGELOG.md"
-
-  spec.files = Dir.chdir(__dir__) do
-    `git ls-files -z`.split("\x0").reject do |f|
-      (File.expand_path(f) == __FILE__) ||
-        f.start_with?(*%w[bin/ test/ spec/ features/ .git .github appveyor Gemfile])
-    end
-  end
-  spec.bindir = "exe"
-  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
-
-  spec.add_dependency "thor", "~> 1.0"
-  spec.add_dependency "json", "~> 2.0"
-
-  spec.add_development_dependency "bundler", ">= 2.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency "standard", "~> 1.3"
-end

data/plan.md

@@ -1,167 +0,0 @@
-# Supply Chain Security & Vulnerability Management Gem – Plan
-
-## 1. Overview
-
-**Working Name:** `gem_guard`  
-**Goal:** Provide Ruby developers with a one-stop tool to detect, report, and remediate dependency-related security risks.  
-**Core Capabilities:**
-- Scan dependency tree (including transient deps)
-- Detect known CVEs from public and private vulnerability databases
-- Suggest safe upgrades and patches
-- Generate SBOM (Software Bill of Materials) in SPDX/CycloneDX format
-- Integrate with CI/CD to prevent unsafe deployments
-
----
-
-## 2. Problems Being Solved
-
-1. **Typosquatting & brand-jacking detection** – accidental installs of malicious gems with similar names.
-2. **Unpatched dependencies** – gems with known vulnerabilities not updated.
-3. **Lack of visibility** – no SBOM or complete dependency inventory.
-4. **CI/CD security gap** – insecure builds proceed unnoticed.
-
----
-
-## 3. Target Users
-
-- Ruby and Rails developers
-- DevOps engineers managing Ruby apps in production
-- Security-conscious teams using Ruby for internal tooling
-
----
-
-## 4. Features & Requirements
-
-### Phase 1 – Core CLI Scanner
-- Command: `gem_guard scan`
-- Parse `Gemfile.lock` and detect:
-  - Direct & transitive dependencies
-  - Gem source URLs
-- Query vulnerability sources:
-  - [OSV.dev](https://osv.dev)
-  - [Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db)
-- Output:
-  - Table of vulnerable gems, CVE IDs, severity, fixed versions
-  - Recommended fix commands (e.g., `bundle update <gem>`)
-
-### Phase 2 – SBOM Generation
-- Command: `gem_guard sbom`
-- Output formats:
-  - SPDX JSON
-  - CycloneDX JSON
-- Include metadata:
-  - Gem name, version, source URL, license, checksum
-
-### Phase 3 – CI/CD Integration
-- Exit with non-zero status if vulnerabilities above a severity threshold are found
-- Optional GitHub Action and GitLab CI template
-- Config file `.gem_guard.yml` to set:
-  - Allowed severity levels
-  - Ignored CVEs
-  - Output format
-
-### Phase 4 – Typosquat Detection
-- Fuzzy matching gem names against known gems in RubyGems API
-- Flag suspicious dependencies
-
-### Phase 5 – Auto-Fix Mode
-- Command: `gem_guard fix`
-- Automatically updates vulnerable gems within safe version constraints
-
----
-
-## 5. Architecture
-
-### Modules
-1. **Parser**
-   - Reads `Gemfile.lock`
-   - Builds dependency graph
-2. **VulnerabilityFetcher**
-   - Fetches advisories from APIs or local DB
-3. **Analyzer**
-   - Matches dependencies with advisories
-   - Assesses severity and suggests fixes
-4. **Reporter**
-   - Formats output (table, JSON, markdown, SBOM)
-5. **CIAdapter**
-   - Reads config
-   - Sets exit codes for pipelines
-6. **TyposquatChecker**
-   - Fuzzy matches gem names
-7. **Updater**
-   - Runs safe updates for vulnerable gems
-
----
-
-## 6. Implementation Stack
-
-- **Language:** Ruby (≥ 3.0)
-- **Key Libraries:**
-  - `bundler` – parsing Gemfile.lock
-  - `json` / `oj` – output formatting
-  - `net/http` or `httpx` – API calls
-  - `thor` – CLI interface
-  - `fuzzy_match` – typosquat detection
-- **Test Framework:** RSpec
-- **Static Analysis:** RuboCop
-
----
-
-## 7. Development Roadmap
-
-### Milestone 1 – MVP Scanner
-- Parse Gemfile.lock
-- Fetch & match CVEs
-- CLI with human-readable output
-- Tests + RuboCop
-
-### Milestone 2 – SBOM Output
-- Generate SPDX and CycloneDX JSON
-- CLI flags for format selection
-
-### Milestone 3 – CI/CD Integration
-- Config file support
-- Exit codes for severity thresholds
-- GitHub Action template
-
-### Milestone 4 – Typosquat Detection
-- Implement fuzzy match against RubyGems API
-- Add to scan output
-
-### Milestone 5 – Auto-Fix Mode
-- Implement safe dependency update logic
-
----
-
-## 8. Distribution & Adoption
-
-- Publish to RubyGems.org
-- Create GitHub repo with:
-  - Badges (Gem Version, Build Status, License)
-  - README with quickstart and examples
-  - Security policy
-- Write blog post on Ruby security gaps
-- Submit to Ruby Weekly
-- Post to dev.to and Hacker News for feedback
-
----
-
-## 9. License
-
-MIT or Apache 2.0 (lean towards MIT for broad adoption)
-
----
-
-## 10. Risks & Mitigation
-
-- **API rate limits** – cache advisories locally
-- **False positives** – allow ignore list in config
-- **Slow scans** – async fetching with caching
-
----
-
-## 11. Success Criteria
-
-- MVP used in CI by at least 10 open source projects within 3 months
-- Detects >95% of known vulnerabilities from Ruby Advisory DB
-- SBOM passes validation in major tools (e.g., CycloneDX CLI)

data/test_nokogiri.lock

@@ -1,13 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    nokogiri (1.18.8)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  nokogiri
-
-BUNDLED WITH
-   2.4.10

data/test_nokogiri.lock.backup.20250810_002252

@@ -1,13 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    nokogiri (1.18.8)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  nokogiri
-
-BUNDLED WITH
-   2.4.10