git-pkgs 0.6.2 → 0.7.0

data/lib/git/pkgs/commands/vulns/praise.rb

@@ -0,0 +1,238 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Commands
+      module Vulns
+        class Praise
+          include Base
+
+        def initialize(args)
+          @args = args.dup
+          @options = parse_options
+        end
+
+        def parse_options
+          options = {}
+
+          parser = OptionParser.new do |opts|
+            opts.banner = "Usage: git pkgs vulns praise [options]"
+            opts.separator ""
+            opts.separator "Show who fixed vulnerabilities (opposite of blame)."
+            opts.separator ""
+            opts.separator "Options:"
+
+            opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v|
+              options[:ecosystem] = v
+            end
+
+            opts.on("-s", "--severity=LEVEL", "Minimum severity (critical, high, medium, low)") do |v|
+              options[:severity] = v
+            end
+
+            opts.on("-b", "--branch=NAME", "Branch to analyze") do |v|
+              options[:branch] = v
+            end
+
+            opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v|
+              options[:format] = v
+            end
+
+            opts.on("--summary", "Show author leaderboard") do
+              options[:summary] = true
+            end
+
+            opts.on("-h", "--help", "Show this help") do
+              puts opts
+              exit
+            end
+          end
+
+          parser.parse!(@args)
+          options
+        end
+
+        def run
+          repo = Repository.new
+
+          unless Database.exists?(repo.git_dir)
+            error "No database found. Run 'git pkgs init' first. Praise requires commit history."
+          end
+
+          Database.connect(repo.git_dir)
+
+          branch_name = @options[:branch] || repo.default_branch
+          branch = Models::Branch.first(name: branch_name)
+
+          unless branch&.last_analyzed_sha
+            error "No analysis found for branch '#{branch_name}'. Run 'git pkgs init' first."
+          end
+
+          # Get all unique packages from dependency changes
+          packages = Models::DependencyChange
+            .select(:ecosystem, :name)
+            .select_group(:ecosystem, :name)
+            .all
+
+          praise_results = []
+
+          packages.each do |pkg|
+            next unless Ecosystems.supported?(pkg.ecosystem)
+
+            osv_ecosystem = Ecosystems.to_osv(pkg.ecosystem)
+            next unless osv_ecosystem
+
+            vuln_pkgs = Models::VulnerabilityPackage
+              .for_package(osv_ecosystem, pkg.name)
+              .eager(:vulnerability)
+              .all
+
+            vuln_pkgs.each do |vp|
+              next if vp.vulnerability&.withdrawn?
+
+              fix_info = find_fixing_commit_info(pkg.ecosystem, pkg.name, vp)
+              next unless fix_info
+
+              severity = vp.vulnerability&.severity
+
+              if @options[:severity]
+                min_level = SEVERITY_ORDER[@options[:severity].downcase] || 4
+                next unless (SEVERITY_ORDER[severity&.downcase] || 4) <= min_level
+              end
+
+              praise_results << {
+                id: vp.vulnerability_id,
+                severity: severity,
+                package_name: pkg.name,
+                from_version: fix_info[:from_version],
+                to_version: fix_info[:to_version],
+                summary: vp.vulnerability&.summary,
+                fixing_commit: fix_info[:commit_info],
+                days_exposed: fix_info[:days_exposed],
+                days_after_disclosure: fix_info[:days_after_disclosure]
+              }
+            end
+          end
+
+          if praise_results.empty?
+            puts "No fixed vulnerabilities found"
+            return
+          end
+
+          praise_results.sort_by! do |v|
+            [SEVERITY_ORDER[v[:severity]&.downcase] || 4, v[:package_name]]
+          end
+
+          if @options[:format] == "json"
+            require "json"
+            if @options[:summary]
+              puts JSON.pretty_generate(compute_author_summary(praise_results))
+            else
+              puts JSON.pretty_generate(praise_results)
+            end
+          elsif @options[:summary]
+            output_author_summary(praise_results)
+          else
+            output_praise_text(praise_results)
+          end
+        end
+
+        def compute_author_summary(results)
+          by_author = results.group_by { |r| r[:fixing_commit][:author] }
+
+          summaries = by_author.map do |author, fixes|
+            times = fixes.map { |f| f[:days_after_disclosure] }.compact
+            avg_time = times.empty? ? nil : (times.sum.to_f / times.size).round(1)
+
+            by_sev = {}
+            %w[critical high medium low].each do |sev|
+              count = fixes.count { |f| f[:severity]&.downcase == sev }
+              by_sev[sev] = count if count > 0
+            end
+
+            {
+              author: author,
+              total_fixes: fixes.size,
+              avg_days_to_fix: avg_time,
+              by_severity: by_sev
+            }
+          end
+
+          summaries.sort_by { |s| -s[:total_fixes] }
+        end
+
+        def output_author_summary(results)
+          summaries = compute_author_summary(results)
+
+          max_author = summaries.map { |s| s[:author].length }.max || 20
+          max_fixes = summaries.map { |s| s[:total_fixes].to_s.length }.max || 3
+
+          puts "Author".ljust(max_author) + "  Fixes  Avg Days  Critical  High  Medium  Low"
+          puts "-" * (max_author + 50)
+
+          summaries.each do |s|
+            author = s[:author].ljust(max_author)
+            fixes = s[:total_fixes].to_s.rjust(max_fixes)
+            avg = s[:avg_days_to_fix] ? "#{s[:avg_days_to_fix]}d".rjust(8) : "N/A".rjust(8)
+            crit = (s[:by_severity]["critical"] || 0).to_s.rjust(8)
+            high = (s[:by_severity]["high"] || 0).to_s.rjust(4)
+            med = (s[:by_severity]["medium"] || 0).to_s.rjust(6)
+            low = (s[:by_severity]["low"] || 0).to_s.rjust(4)
+
+            puts "#{author}  #{fixes}  #{avg}  #{crit}  #{high}  #{med}  #{low}"
+          end
+        end
+
+        def find_fixing_commit_info(ecosystem, package_name, vuln_pkg)
+          window = find_vulnerability_window(ecosystem, package_name, vuln_pkg)
+          return nil unless window && window[:fixing]
+
+          introducing_change = window[:introducing]
+          fixing_change = window[:fixing]
+
+          introduced_at = introducing_change.commit.committed_at
+          fixed_at = fixing_change.commit.committed_at
+          published_at = vuln_pkg.vulnerability&.published_at
+
+          days_exposed = ((fixed_at - introduced_at) / 86400).round
+          days_after_disclosure = if published_at && fixed_at > published_at
+                                    ((fixed_at - published_at) / 86400).round
+                                  end
+
+          {
+            commit_info: format_commit_info(fixing_change.commit),
+            from_version: introducing_change.requirement,
+            to_version: fixing_change.change_type == "removed" ? "(removed)" : fixing_change.requirement,
+            days_exposed: days_exposed,
+            days_after_disclosure: days_after_disclosure
+          }
+        end
+
+        def output_praise_text(results)
+          max_severity = results.map { |v| (v[:severity] || "").length }.max || 8
+          max_id = results.map { |v| v[:id].length }.max || 15
+          max_pkg = results.map { |v| v[:package_name].length }.max || 20
+
+          results.each do |result|
+            severity = (result[:severity] || "unknown").upcase.ljust(max_severity)
+            id = result[:id].ljust(max_id)
+            pkg = result[:package_name].ljust(max_pkg)
+
+            fix = result[:fixing_commit]
+            commit_info = "#{fix[:sha]}  #{fix[:date]}  #{fix[:author]}  \"#{fix[:message]}\""
+
+            days_info = if result[:days_after_disclosure]
+                          "(#{result[:days_after_disclosure]}d after disclosure)"
+                        else
+                          "(#{result[:days_exposed]}d total)"
+                        end
+
+            line = "#{severity}  #{id}  #{pkg}  #{commit_info}  #{days_info}"
+            puts Color.green(line)
+          end
+        end
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/commands/vulns/scan.rb

@@ -0,0 +1,231 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Commands
+      module Vulns
+        class Scan
+          include Base
+
+        def initialize(args)
+          @args = args.dup
+          @options = parse_options
+        end
+
+        def parse_options
+          options = {}
+
+          parser = OptionParser.new do |opts|
+            opts.banner = "Usage: git pkgs vulns [ref] [options]"
+            opts.separator ""
+            opts.separator "Scan dependencies for known vulnerabilities."
+            opts.separator ""
+            opts.separator "Arguments:"
+            opts.separator "  ref                    Git ref to scan (default: HEAD)"
+            opts.separator ""
+            opts.separator "Subcommands:"
+            opts.separator "  sync                   Sync vulnerability data from OSV"
+            opts.separator "  blame                  Show who introduced each vulnerability"
+            opts.separator "  praise                 Show who fixed vulnerabilities"
+            opts.separator "  exposure               Calculate exposure windows and remediation metrics"
+            opts.separator "  diff                   Compare vulnerability state between commits"
+            opts.separator "  log                    Show commits that introduced or fixed vulns"
+            opts.separator "  history                Show vulnerability timeline for a package or CVE"
+            opts.separator "  show                   Show details about a specific CVE"
+            opts.separator ""
+            opts.separator "Options:"
+
+            opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v|
+              options[:ecosystem] = v
+            end
+
+            opts.on("-s", "--severity=LEVEL", "Minimum severity (critical, high, medium, low)") do |v|
+              options[:severity] = v
+            end
+
+            opts.on("-r", "--ref=REF", "Git ref to scan (default: HEAD)") do |v|
+              options[:ref] = v
+            end
+
+            opts.on("-b", "--branch=NAME", "Branch context for finding snapshots") do |v|
+              options[:branch] = v
+            end
+
+            opts.on("-f", "--format=FORMAT", "Output format (text, json, sarif)") do |v|
+              options[:format] = v
+            end
+
+            opts.on("--no-pager", "Do not pipe output into a pager") do
+              options[:no_pager] = true
+            end
+
+            opts.on("--stateless", "Parse manifests directly without database") do
+              options[:stateless] = true
+            end
+
+            opts.on("-h", "--help", "Show this help") do
+              puts opts
+              exit
+            end
+          end
+
+          parser.parse!(@args)
+          options[:ref] ||= @args.shift unless @args.empty?
+          options
+        end
+
+        def run
+          repo = Repository.new
+          use_stateless = @options[:stateless] || !Database.exists?(repo.git_dir)
+
+          if use_stateless
+            # Use in-memory database for vuln caching in stateless mode
+            Database.connect_memory
+            deps = get_dependencies_stateless(repo)
+          else
+            Database.connect(repo.git_dir)
+            deps = get_dependencies_with_database(repo)
+          end
+
+          if deps.empty?
+            empty_result "No dependencies found"
+            return
+          end
+
+          supported_deps = deps.select { |d| Ecosystems.supported?(d[:ecosystem]) }
+
+          if supported_deps.empty?
+            empty_result "No dependencies from supported ecosystems (#{Ecosystems.supported_ecosystems.join(", ")})"
+            return
+          end
+
+          vulns = scan_for_vulnerabilities(supported_deps)
+
+          if @options[:severity]
+            min_level = SEVERITY_ORDER[@options[:severity].downcase] || 4
+            vulns = vulns.select { |v| (SEVERITY_ORDER[v[:severity]&.downcase] || 4) <= min_level }
+          end
+
+          if vulns.empty?
+            puts "No known vulnerabilities found"
+            return
+          end
+
+          vulns.sort_by! { |v| [SEVERITY_ORDER[v[:severity]&.downcase] || 4, v[:package_name]] }
+
+          case @options[:format]
+          when "json"
+            require "json"
+            puts JSON.pretty_generate(vulns)
+          when "sarif"
+            output_sarif(vulns, deps)
+          else
+            output_text(vulns)
+          end
+        end
+
+        def output_sarif(vulns, deps)
+          require "sarif"
+
+          rules = vulns.map do |vuln|
+            Sarif::ReportingDescriptor.new(
+              id: vuln[:id],
+              name: vuln[:id],
+              short_description: Sarif::MultiformatMessageString.new(text: vuln[:summary] || vuln[:id]),
+              help_uri: "https://osv.dev/vulnerability/#{vuln[:id]}",
+              properties: {
+                security_severity: severity_score(vuln[:cvss_score], vuln[:severity])
+              }.compact
+            )
+          end.uniq(&:id)
+
+          results = vulns.map do |vuln|
+            locations = deps
+              .select { |d| d[:name].downcase == vuln[:package_name].downcase && d[:ecosystem] == vuln[:ecosystem] }
+              .map do |dep|
+                Sarif::Location.new(
+                  physical_location: Sarif::PhysicalLocation.new(
+                    artifact_location: Sarif::ArtifactLocation.new(uri: dep[:manifest_path])
+                  ),
+                  message: Sarif::Message.new(text: "#{dep[:name]} #{dep[:requirement]}")
+                )
+              end
+
+            Sarif::Result.new(
+              rule_id: vuln[:id],
+              level: severity_to_sarif_level(vuln[:severity]),
+              message: Sarif::Message.new(
+                text: "#{vuln[:package_name]} #{vuln[:package_version]} has a known vulnerability: #{vuln[:summary] || vuln[:id]}"
+              ),
+              locations: locations.empty? ? nil : locations
+            )
+          end
+
+          log = Sarif::Log.new(
+            version: "2.1.0",
+            runs: [
+              Sarif::Run.new(
+                tool: Sarif::Tool.new(
+                  driver: Sarif::ToolComponent.new(
+                    name: "git-pkgs",
+                    version: Git::Pkgs::VERSION,
+                    information_uri: "https://github.com/andrew/git-pkgs",
+                    rules: rules
+                  )
+                ),
+                results: results
+              )
+            ]
+          )
+
+          puts log.to_json
+        end
+
+        def severity_to_sarif_level(severity)
+          case severity&.downcase
+          when "critical", "high" then "error"
+          when "medium" then "warning"
+          when "low" then "note"
+          else "warning"
+          end
+        end
+
+        def severity_score(cvss_score, severity)
+          return cvss_score.to_s if cvss_score
+
+          case severity&.downcase
+          when "critical" then "9.0"
+          when "high" then "7.0"
+          when "medium" then "4.0"
+          when "low" then "1.0"
+          end
+        end
+
+        def output_text(vulns)
+          max_severity = vulns.map { |v| (v[:severity] || "").length }.max || 8
+          max_id = vulns.map { |v| v[:id].length }.max || 15
+          max_pkg = vulns.map { |v| v[:package_name].length }.max || 20
+
+          vulns.each do |vuln|
+            severity = (vuln[:severity] || "unknown").upcase.ljust(max_severity)
+            id = vuln[:id].ljust(max_id)
+            pkg = "#{vuln[:package_name]} #{vuln[:package_version]}".ljust(max_pkg + 10)
+            fixed = vuln[:fixed_versions] ? "(fixed in #{vuln[:fixed_versions]})" : ""
+
+            line = "#{severity}  #{id}  #{pkg}  #{fixed}"
+
+            colored_line = case vuln[:severity]&.downcase
+                           when "critical", "high" then Color.red(line)
+                           when "medium" then Color.yellow(line)
+                           when "low" then Color.cyan(line)
+                           else line
+                           end
+
+            puts colored_line
+          end
+        end
+        end
+      end
+    end
+  end
+end

data/lib/git/pkgs/commands/vulns/show.rb

@@ -0,0 +1,216 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Commands
+      module Vulns
+        class Show
+          include Base
+
+        def initialize(args)
+          @args = args.dup
+          @options = parse_options
+        end
+
+        def parse_options
+          options = {}
+
+          parser = OptionParser.new do |opts|
+            opts.banner = "Usage: git pkgs vulns show <cve> [options]"
+            opts.separator ""
+            opts.separator "Show details about a specific CVE."
+            opts.separator ""
+            opts.separator "Arguments:"
+            opts.separator "  cve                    CVE or GHSA ID (e.g., CVE-2024-1234)"
+            opts.separator ""
+            opts.separator "Options:"
+
+            opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v|
+              options[:format] = v
+            end
+
+            opts.on("-r", "--ref=REF", "Git ref for exposure analysis (default: HEAD)") do |v|
+              options[:ref] = v
+            end
+
+            opts.on("-b", "--branch=NAME", "Branch context for finding snapshots") do |v|
+              options[:branch] = v
+            end
+
+            opts.on("-h", "--help", "Show this help") do
+              puts opts
+              exit
+            end
+          end
+
+          parser.parse!(@args)
+          options[:target] = @args.shift
+          options
+        end
+
+        def run
+          repo = Repository.new
+
+          cve_id = @options[:target]
+          error "Usage: git pkgs vulns show <cve>" unless cve_id
+          cve_id = cve_id.upcase
+
+          has_db = Database.exists?(repo.git_dir)
+          Database.connect(repo.git_dir) if has_db
+
+          ensure_vulns_synced if has_db
+
+          vuln = Models::Vulnerability.first(id: cve_id)
+          unless vuln
+            error "Vulnerability #{cve_id} not found. Try 'git pkgs vulns sync' first."
+          end
+
+          vuln_pkgs = Models::VulnerabilityPackage.where(vulnerability_id: cve_id).eager(:vulnerability).all
+
+          if @options[:format] == "json"
+            require "json"
+            output = build_show_json(vuln, vuln_pkgs, repo, has_db)
+            puts JSON.pretty_generate(output)
+          else
+            output_show_text(vuln, vuln_pkgs, repo, has_db)
+          end
+        end
+
+        def build_show_json(vuln, vuln_pkgs, repo, has_db)
+          output = {
+            id: vuln.id,
+            severity: vuln.severity,
+            summary: vuln.summary,
+            details: vuln.details,
+            published_at: vuln.published_at&.strftime("%Y-%m-%d"),
+            affected_packages: vuln_pkgs.map do |vp|
+              {
+                ecosystem: vp.ecosystem,
+                package: vp.package_name,
+                affected_versions: vp.affected_versions,
+                fixed_versions: vp.fixed_versions
+              }
+            end
+          }
+
+          if has_db
+            output[:your_exposure] = find_exposure_for_vuln(vuln, vuln_pkgs, repo)
+          end
+
+          output
+        end
+
+        def output_show_text(vuln, vuln_pkgs, repo, has_db)
+          header = "#{vuln.id} (#{vuln.severity || "unknown"} severity)"
+          colored_header = case vuln.severity&.downcase
+                           when "critical", "high" then Color.red(header)
+                           when "medium" then Color.yellow(header)
+                           when "low" then Color.cyan(header)
+                           else header
+                           end
+          puts colored_header
+          puts vuln.summary if vuln.summary
+          puts ""
+
+          puts "Affected packages:"
+          vuln_pkgs.each do |vp|
+            fixed_info = vp.fixed_versions.to_s.empty? ? "" : " (fixed in #{vp.fixed_versions})"
+            puts "  #{vp.ecosystem}/#{vp.package_name}: #{vp.affected_versions}#{fixed_info}"
+          end
+
+          puts ""
+          puts "Published: #{vuln.published_at&.strftime("%Y-%m-%d") || "unknown"}"
+
+          if vuln.references && !vuln.references.empty?
+            puts ""
+            puts "References:"
+            refs = begin
+              JSON.parse(vuln.references)
+            rescue JSON::ParserError => e
+              $stderr.puts "Warning: Could not parse references for #{vuln.id}: #{e.message}" unless Git::Pkgs.quiet
+              []
+            end
+            refs.each do |ref|
+              puts "  #{ref["url"]}" if ref["url"]
+            end
+          end
+
+          return unless has_db
+
+          exposures = find_exposure_for_vuln(vuln, vuln_pkgs, repo)
+          return if exposures.empty?
+
+          puts ""
+          puts "Your exposure:"
+          exposures.each do |exposure|
+            pkg_line = "  #{exposure[:package]} #{exposure[:version]} in #{exposure[:manifest_path]}"
+            puts Color.send(:red, pkg_line)
+
+            if exposure[:introduced_by]
+              intro = exposure[:introduced_by]
+              puts "    Added: #{intro[:sha]} #{intro[:date]} #{intro[:author]} \"#{intro[:message]}\""
+            end
+
+            if exposure[:fixed_by]
+              fix = exposure[:fixed_by]
+              puts Color.send(:green, "    Fixed: #{fix[:sha]} #{fix[:date]} #{fix[:author]} \"#{fix[:message]}\"")
+            elsif exposure[:status] == "ongoing"
+              puts Color.send(:yellow, "    Status: Still vulnerable")
+            end
+          end
+        end
+
+        def find_exposure_for_vuln(vuln, vuln_pkgs, repo)
+          exposures = []
+          ref = @options[:ref] || "HEAD"
+
+          begin
+            commit_sha = repo.rev_parse(ref)
+            target_commit = Models::Commit.first(sha: commit_sha)
+          rescue Rugged::ReferenceError
+            return exposures
+          end
+
+          return exposures unless target_commit
+
+          deps = compute_dependencies_at_commit(target_commit, repo)
+
+          vuln_pkgs.each do |vp|
+            ecosystem = Ecosystems.from_osv(vp.ecosystem) || vp.ecosystem.downcase
+
+            matching_deps = deps.select do |dep|
+              dep[:ecosystem] == ecosystem &&
+                dep[:name].downcase == vp.package_name.downcase &&
+                vp.affects_version?(dep[:requirement])
+            end
+
+            matching_deps.each do |dep|
+              exposure = {
+                package: dep[:name],
+                version: dep[:requirement],
+                ecosystem: dep[:ecosystem],
+                manifest_path: dep[:manifest_path]
+              }
+
+              intro_change = find_introducing_change(dep[:ecosystem], dep[:name], vp, target_commit)
+              exposure[:introduced_by] = format_commit_info(intro_change&.commit) if intro_change
+
+              fix_change = find_fixing_change(dep[:ecosystem], dep[:name], vp, target_commit, intro_change&.commit&.committed_at)
+              if fix_change
+                exposure[:fixed_by] = format_commit_info(fix_change.commit)
+                exposure[:status] = "fixed"
+              else
+                exposure[:status] = "ongoing"
+              end
+
+              exposures << exposure
+            end
+          end
+
+          exposures
+        end
+        end
+      end
+    end
+  end
+end