RubyGems - gemsurance - Versions diffs - 0.7.0 → 0.8.0 - Mend

gemsurance 0.7.0 → 0.8.0

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/gemsurance/cli.rb +4 -0
data/lib/gemsurance/runner.rb +23 -1
data/lib/gemsurance/templates/output.html.erb +2 -0
data/lib/gemsurance/version.rb +1 -1
metadata +3 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0d3c16ae4516623a0c9bf2aeaf8add57a07596e5
-  data.tar.gz: 6bc516f6387a5c43f835662ac930326a5f3f8ee7
+  metadata.gz: 7b9561a163dcf3504a3893d428cbf75ad8ee3dc5
+  data.tar.gz: bff5ed8f6ed9c921079f872972b3f6d3cacf3704
 SHA512:
-  metadata.gz: f6ebfef168b36077b26d65c65ea85831fb2de7e2580bc48ea4a2640bb75208193c3461e96df7fa02ed2dde045a11a86a222c58d4764bfb9e999264b8330f81c5
-  data.tar.gz: 52f4764a8eaf0f77aca266f00c6f063e4184bcb2428ecbe5d7b579a5dc77d3323fb4530458ad9a9b53ba19a38e7698185e676181080fba6be2a9a062ab04133e
+  metadata.gz: f4ec81aa78ba0a40201bc1cd1e3c11f8a9254b453dd5bf86118a6ef1e3168eb88b3a7420126975a2523bdea7d58255c9fcf9a5543018d51e45ac915d74d44c2d
+  data.tar.gz: d63460b5caa5547153e2b8838dae80b5d788da603f72cf32e0dc8be4db7c383e7e9c210b898a6fef9b15ceef3915f66b485ab3c0c5c354106848808fcc68d866

data/lib/gemsurance/cli.rb CHANGED

@@ -25,6 +25,10 @@ module Gemsurance
             options[:output_file] = file
           end
+          opts.on('--whitelist FILE', 'Read whitelist from file. Defaults to .gemsurance.yml') do |file|
+            options[:whitelist_file] = file
+          end
           opts.on("--format FORMAT", "Output report to given format (html & yml available). Html by default.") do |format|
             options[:formatter] = format
           end

data/lib/gemsurance/runner.rb CHANGED

@@ -6,6 +6,9 @@ module Gemsurance
       @formatter   = options.delete(:formatter) || :html
       @output_file = options.delete(:output_file) || "gemsurance_report.#{@formatter}"
       @options     = options
+      whitelist_file = options.delete(:whitelist_file) || '.gemsurance.yml'
+      @whitelist = File.exist?(whitelist_file) ? YAML.load_file(whitelist_file) : false
     end
     def run
@@ -74,8 +77,15 @@ module Gemsurance
             current_version_is_affected = (vulnerability.unaffected_versions || []).none?(&current_version_satisfies_requirement)
             current_version_isnt_patched = (vulnerability.patched_versions || []).none?(&current_version_satisfies_requirement)
+            current_version_isnt_whitelisted = if (whitelisted_versions = fetch_whitelisted_versions_for(gem_info.name,
+                                                                                                         vulnerability.cve,
+                                                                                                         vulnerability.osvdb))
+              (whitelisted_versions || []).none?(&current_version_satisfies_requirement)
+            else
+              true
+            end
-            if current_version_is_affected && current_version_isnt_patched
+            if current_version_is_affected && current_version_isnt_patched && current_version_isnt_whitelisted
               gem_info.add_vulnerability!(vulnerability)
             end
           end
@@ -94,6 +104,18 @@ module Gemsurance
       puts "Generated report #{@output_file}."
     end
+    def fetch_whitelisted_versions_for(gem, cve = nil, osvdb = nil)
+      if @whitelist && (whitelisted_gem = @whitelist[gem])
+        if cve
+          whitelisted_gem["CVE-#{cve}"]
+        elsif osvdb
+          whitelisted_gem["OSVDB-#{osvdb}"]
+        else
+          # There are is no CVE or OSVDB for this vulnerability
+        end
+      end
+    end
     def resolved_definition
       # Need to temporarily unfrozen Bundler (when the gems have been installed with --deployment option e.g.)
       if Bundler.settings[:frozen]

data/lib/gemsurance/templates/output.html.erb CHANGED

@@ -805,6 +805,8 @@
                     <dl>
                       <dt>CVE</dt>
                       <dd><%= vulnerability.cve %></dd>
+                      <dt>OSVDB</dt>
+                      <dd><%= vulnerability.osvdb %></dd>
                       <dt>URL</dt>
                       <dd><a href="<%= vulnerability.url %>">More Info</a></dd>
                       <dt>Patched Versions</dt>

data/lib/gemsurance/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Gemsurance
-  VERSION = '0.7.0'
+  VERSION = '0.8.0'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gemsurance
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Jon Kessler
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-12-02 00:00:00.000000000 Z
+date: 2017-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -147,7 +147,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.8.11
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.8
+rubygems_version: 2.5.2
 signing_key:
 specification_version: 4
 summary: Your Gem Insurance Policy