RubyGems - gemsurance - Versions diffs - 0.7.0 → 0.8.0 - Mend

gemsurance 0.7.0 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/gemsurance/cli.rb +4 -0
data/lib/gemsurance/runner.rb +23 -1
data/lib/gemsurance/templates/output.html.erb +2 -0
data/lib/gemsurance/version.rb +1 -1
metadata +3 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0d3c16ae4516623a0c9bf2aeaf8add57a07596e5
-  data.tar.gz: 6bc516f6387a5c43f835662ac930326a5f3f8ee7
+  metadata.gz: 7b9561a163dcf3504a3893d428cbf75ad8ee3dc5
+  data.tar.gz: bff5ed8f6ed9c921079f872972b3f6d3cacf3704
 SHA512:
-  metadata.gz: f6ebfef168b36077b26d65c65ea85831fb2de7e2580bc48ea4a2640bb75208193c3461e96df7fa02ed2dde045a11a86a222c58d4764bfb9e999264b8330f81c5
-  data.tar.gz: 52f4764a8eaf0f77aca266f00c6f063e4184bcb2428ecbe5d7b579a5dc77d3323fb4530458ad9a9b53ba19a38e7698185e676181080fba6be2a9a062ab04133e
+  metadata.gz: f4ec81aa78ba0a40201bc1cd1e3c11f8a9254b453dd5bf86118a6ef1e3168eb88b3a7420126975a2523bdea7d58255c9fcf9a5543018d51e45ac915d74d44c2d
+  data.tar.gz: d63460b5caa5547153e2b8838dae80b5d788da603f72cf32e0dc8be4db7c383e7e9c210b898a6fef9b15ceef3915f66b485ab3c0c5c354106848808fcc68d866

data/lib/gemsurance/cli.rb CHANGED

@@ -25,6 +25,10 @@ module Gemsurance
             options[:output_file] = file
           end
+          opts.on('--whitelist FILE', 'Read whitelist from file. Defaults to .gemsurance.yml') do |file|
+            options[:whitelist_file] = file
+          end
           opts.on("--format FORMAT", "Output report to given format (html & yml available). Html by default.") do |format|
             options[:formatter] = format
           end

data/lib/gemsurance/runner.rb CHANGED

@@ -6,6 +6,9 @@ module Gemsurance
       @formatter   = options.delete(:formatter) || :html
       @output_file = options.delete(:output_file) || "gemsurance_report.#{@formatter}"
       @options     = options
+      whitelist_file = options.delete(:whitelist_file) || '.gemsurance.yml'
+      @whitelist = File.exist?(whitelist_file) ? YAML.load_file(whitelist_file) : false
     end
     def run
@@ -74,8 +77,15 @@ module Gemsurance
             current_version_is_affected = (vulnerability.unaffected_versions || []).none?(&current_version_satisfies_requirement)
             current_version_isnt_patched = (vulnerability.patched_versions || []).none?(&current_version_satisfies_requirement)
+            current_version_isnt_whitelisted = if (whitelisted_versions = fetch_whitelisted_versions_for(gem_info.name,
+                                                                                                         vulnerability.cve,
+                                                                                                         vulnerability.osvdb))
+              (whitelisted_versions || []).none?(&current_version_satisfies_requirement)
+            else
+              true
+            end
-            if current_version_is_affected && current_version_isnt_patched
+            if current_version_is_affected && current_version_isnt_patched && current_version_isnt_whitelisted
               gem_info.add_vulnerability!(vulnerability)
             end
           end
@@ -94,6 +104,18 @@ module Gemsurance
       puts "Generated report #{@output_file}."
     end
+    def fetch_whitelisted_versions_for(gem, cve = nil, osvdb = nil)
+      if @whitelist && (whitelisted_gem = @whitelist[gem])
+        if cve
+          whitelisted_gem["CVE-#{cve}"]
+        elsif osvdb
+          whitelisted_gem["OSVDB-#{osvdb}"]
+        else
+          # There are is no CVE or OSVDB for this vulnerability
+        end
+      end
+    end
     def resolved_definition
       # Need to temporarily unfrozen Bundler (when the gems have been installed with --deployment option e.g.)
       if Bundler.settings[:frozen]

data/lib/gemsurance/templates/output.html.erb CHANGED

@@ -805,6 +805,8 @@
                     <dl>
                       <dt>CVE</dt>
                       <dd><%= vulnerability.cve %></dd>
+                      <dt>OSVDB</dt>
+                      <dd><%= vulnerability.osvdb %></dd>
                       <dt>URL</dt>
                       <dd><a href="<%= vulnerability.url %>">More Info</a></dd>
                       <dt>Patched Versions</dt>

data/lib/gemsurance/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Gemsurance
-  VERSION = '0.7.0'
+  VERSION = '0.8.0'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gemsurance
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Jon Kessler
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-02 00:00:00.000000000 Z
+date: 2017-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -147,7 +147,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.8.11
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.8
+rubygems_version: 2.5.2
 signing_key:
 specification_version: 4
 summary: Your Gem Insurance Policy