hakiri 0.3.2 → 0.4.0

data/Gemfile.lock

@@ -1,8 +1,9 @@
 PATH
   remote: .
   specs:
-    hakiri (0.3.1)
+    hakiri (0.3.2)
       active_support
+      bundler
       commander
       i18n
       json_pure

data/README.md

@@ -1,6 +1,6 @@
 # Secure Rails with Hakiri
 
-Hakiri is a command line interface (CLI) for the Hakiri platform. It allows Ruby on Rails developers to automate version scraping of servers, databases and other technologies used in their stacks. For each technology Hakiri shows CVE vulnerabilities. Here is a snippet of how it works:
+Hakiri is a command line interface (CLI) for the Hakiri platform. It allows Ruby on Rails developers to automate version scraping of Ruby gems, servers, databases and other technologies used in their stacks. For each technology Hakiri shows CVE vulnerabilities. Here is a snippet of how it works:
 
 ~~~
 $ hakiri system:scan
@@ -82,14 +82,32 @@ $ hakiri system:scan -m ../my_stack.json
 
 You can learn more about configuring the manifest in [Hakiri docs](https://www.hakiriup.com/docs/manifest-file).
 
+## Test Your Gemfile
+
+Hakiri supports vulnerability detection for a collection of gems listed in [the docs](https://www.hakiriup.com/docs/supported-gems). To scan a `Gemfile.lock` for vulnerabilities in the current directory do the following:
+
+~~~
+$ hakiri gemfile:scan
+~~~
+
+To scan a specific `Gemfile.lock` add the `-m` parameter at the end:
+
+~~~
+$ hakiri gemfile:scan -m ../Gemfile.lock
+~~~
+
+This will scan your `Gemfile.lock` and check with the server whether it has any vulnerable gems. It only checks gems that are [supported by Hakiri]((https://www.hakiriup.com/docs/manifest-file)).
+
+You can also [sync your gems]((https://www.hakiriup.com/docs/syncing-with-the-cloud)) with the cloud and get notified when new vulnerabilities come out.
+
 ## Advanced Usage
 
 We just went through the most basic Hakiri use case. Here are links to docs describing how to do more:
 
 - [Learn about](https://www.hakiriup.com/docs/manifest-file) advanced manifest file options.
 - [Setup your](https://www.hakiriup.com/docs/authentication-token) authentication token.
-- [Sync your stack technologies](https://www.hakiriup.com/docs/stack-syncing) with the cloud and get notified when new vulnerabilities come out.
-- [Check out technologies](https://www.hakiriup.com/docs/technologies-version-formats) the lsit of supported technologies and version formats.
+- [Sync your technologies and gems](https://www.hakiriup.com/docs/syncing-with-the-cloud) with the cloud and get notified when new vulnerabilities come out.
+- [Check out technologies](https://www.hakiriup.com/docs/technologies-version-formats) the list of supported technologies and version formats.
 
 ## Contribute
 

data/bin/hakiri

@@ -35,7 +35,7 @@ end
 
 command 'system:sync' do |c|
   c.syntax = 'hakiri system:sync [options]'
-  c.summary = 'Sync your system\'s software versions with the server.'
+  c.summary = 'Sync your system\'s software versions with the cloud.'
   c.description = 'This command grabs your custom stack JSON file, and syncs it with your project on www.hakiriup.com.'
   c.option '--manifest STRING', String, 'Path to your manifest JSON file stack'
   c.option '--project INTEGER', Integer, 'Your project ID.'
@@ -58,4 +58,34 @@ command 'system:steps' do |c|
     cli = Hakiri::System.new(args, options)
     cli.steps
   end
+end
+
+command 'gemfile:scan' do |c|
+  c.syntax = 'hakiri gemfile:scan [options]'
+  c.summary = 'Check if Gemfile.lock has any vulnerabilities.'
+  c.description = 'This command grabs your Gemfile.lock file and shows vulnerabilities in it.'
+  c.option '--gemfile STRING', String, 'Path to your Gemfile.lock'
+
+  c.action do |args, options|
+    options.default :gemfile => './Gemfile.lock'
+
+    cli = Hakiri::Gemfile.new(args, options)
+    cli.scan
+  end
+end
+
+command 'gemfile:sync' do |c|
+  c.syntax = 'hakiri gemfile:sync [options]'
+  c.summary = 'Sync your system\'s Gemfile.lock gem versions with the cloud.'
+  c.description = 'This command grabs your Gemfile.lock file, and syncs it with your project on www.hakiriup.com.'
+  c.option '--gemfile STRING', String, 'Path to your Gemfile.lock'
+  c.option '--project INTEGER', Integer, 'Your project ID.'
+  c.option '--force', 'Force syncing without asking for it first.'
+
+  c.action do |args, options|
+    options.default :gemfile => './Gemfile.lock'
+    options.default :project => nil
+    cli = Hakiri::Gemfile.new(args, options)
+    cli.sync
+  end
 end

data/hakiri.gemspec

@@ -14,6 +14,7 @@ Gem::Specification.new do |s|
   s.homepage      = 'https://www.hakiriup.com'
   s.license       = 'MIT'
 
+  s.add_dependency 'bundler'
   s.add_dependency 'rake'
   s.add_dependency 'commander'
   s.add_dependency 'terminal-table'

data/lib/hakiri.rb

@@ -5,10 +5,13 @@ end
 require 'terminal-table'
 require 'open-uri'
 require 'json'
+require 'bundler'
+require 'bundler/lockfile_parser'
 
 require 'hakiri/cli/cli'
 require 'hakiri/cli/system'
 require 'hakiri/cli/manifest'
+require 'hakiri/cli/gemfile'
 
 require 'hakiri/stack'
 require 'hakiri/version'

data/lib/hakiri/cli/gemfile.rb

@@ -0,0 +1,140 @@
+class Hakiri::Gemfile < Hakiri::Cli
+  #
+  # Walks the user through Gemfile scanning process.
+  #
+  def scan
+    if File.exist? @options.gemfile
+      @stack.build_from_gemfile(@options.gemfile)
+
+      if @stack.technologies.empty?
+        say '       No gems were found in your Gemfile.lock...'
+      else
+        @stack.technologies.each do |technology_slug, payload|
+          say "       Found #{payload[:name]} #{payload[:version]}"
+        end
+
+        # GETTING VULNERABILITIES
+        say '-----> Searching for vulnerabilities...'
+        params = ({ :technologies => @stack.technologies }.to_param)
+        response = @http_client.get_issues(params)
+
+        if response[:errors]
+          response[:errors].each do |error|
+            say "!      Server Error: #{error}"
+          end
+        else
+          authenticated = response[:meta][:authenticated]
+
+          if response[:technologies].empty?
+            say '       No vulnerabilities found. Keep it up!'
+          else
+            response[:technologies].each do |technology|
+              unless technology[:issues_count] == 0
+                say "!      Found #{technology[:issues_count].to_i} #{'vulnerability'.pluralize if technology[:issues_count].to_i != 1} in #{technology[:name]} #{technology[:version]}"
+              end
+            end
+
+            if agree 'Show all of them? (yes or no) '
+              puts ' '
+              response[:technologies].each do |technology|
+                technology[:issues].each do |issue|
+                  say issue[:name]
+                  say issue[:description]
+                  puts ' '
+                end
+              end
+            end
+
+            unless authenticated
+              say '****** Signup on www.hakiriup.com to get notified when new vulnerabilities come out.'
+            end
+          end
+        end
+      end
+    else
+      say '!      You have to either have a Gemfile.lock in the current directory or setup a parameter `-p` with a path to it.'
+    end
+  end
+
+  #
+  # Walks the user through Gemfile syncing process.
+  #
+  def sync
+    if @http_client.auth_token
+      @stack.build_from_gemfile(@options.gemfile)
+
+      # GETTING VERSIONS
+
+      if @stack.technologies.empty?
+        say '       No gems were found in your Gemfile.lock...'
+      else
+        @stack.technologies.each do |technology_name, payload|
+          say "       Found #{payload[:name]} #{payload[:version]}"
+        end
+
+        # CHECK VERSIONS ON THE SERVER
+        params = { :project_id => @options.project, :technologies => @stack.technologies }
+        say '-----> Checking software versions on www.hakiriup.com...'
+        response = @http_client.check_versions_diff(params)
+
+        if response[:errors]
+          response[:errors].each do |error|
+            say "!      Server Error: #{error}"
+          end
+        else
+          if response[:diffs].any?
+            @stack.technologies = {}
+            response[:diffs].each do |diff|
+              if diff[:success]
+                @stack.technologies[diff[:technology][:slug]] = { :version => diff[:system_version] }
+
+                if diff[:hakiri_version]
+                  if diff[:system_version_newer]
+                    say "       System version of #{diff[:technology][:name]} is newer (#{diff[:system_version]} > #{diff[:hakiri_version]})"
+                  else
+                    say "       System version of #{diff[:technology][:name]} is older (#{diff[:system_version]} < #{diff[:hakiri_version]})"
+                  end
+                else
+                  say "       New gem detected: #{diff[:technology][:name]} #{diff[:system_version]}"
+                end
+              else
+                say "!      Error in #{diff[:technology][:name]}: #{diff[:errors][:value][0]}"
+              end
+            end
+
+            # UPDATE VERSIONS ON THE SERVER
+            unless @options.force
+              update = agree "Do you want to update \"#{response[:project][:name]}\" with system versions? (yes or no) "
+            end
+
+            if update or @options.force
+              say '-----> Syncing versions with www.hakiriup.com...'
+              params = ({ :project_id => @options.project, :technologies => @stack.technologies }.to_param)
+              response = @http_client.sync_project_versions(response[:project][:id], params)
+
+              if response[:errors]
+                response[:errors].each do |error|
+                  say "!      Server Error: #{error}"
+                end
+              else
+                if response[:updated].any?
+                  response[:updated].each do |update|
+                    if update[:success]
+                      say "       #{update[:technology][:name]} was updated to #{update[:new_version]}"
+                    else
+                      say "!      Error syncing #{update[:technology][:name]}: #{update[:errors][:value][0]}"
+                    end
+                  end
+                end
+              end
+            end
+          else
+            say '       No differences were found. Everything is up to date.'
+          end
+        end
+      end
+    else
+      say '!      You have to setup HAKIRI_AUTH_TOKEN environmental variable with your Hakiri authentication token.'
+    end
+  end
+end

data/lib/hakiri/cli/system.rb

@@ -64,10 +64,10 @@ class Hakiri::System < Hakiri::Cli
   # Walks the user through the version syncing process.
   #
   def sync
-    @stack.build_from_json_file(@options.manifest)
-    @stack.fetch_versions
-
     if @http_client.auth_token
+      @stack.build_from_json_file(@options.manifest)
+      @stack.fetch_versions
+
       # GETTING VERSIONS
       say '-----> Scanning system for software versions...'
 
@@ -79,7 +79,7 @@ class Hakiri::System < Hakiri::Cli
         end
 
         # CHECK VERSIONS ON THE SERVER
-        params = ({ :project_id => @options.project, :technologies => @stack.technologies }.to_param)
+        params = { :project_id => @options.project, :technologies => @stack.technologies }
         say '-----> Checking software versions on www.hakiriup.com...'
         response = @http_client.check_versions_diff(params)
 

data/lib/hakiri/http_client.rb

@@ -24,7 +24,7 @@ class Hakiri::HttpClient
     # { |response, request, result, &block|
     #  JSON.parse(.to_str, symbolize_names: true)
     # "!      Server Error: #{response.code}"
-    RestClient.get "#{@api_url}/issues.json?auth_token=#{@auth_token}&#{params}" do |response, request, result, &block|
+    RestClient.post "#{@api_url}/issues.json?auth_token=#{@auth_token}", params do |response, request, result, &block|
       case response.code
         when 200
           JSON.parse(response.to_str, :symbolize_names => true)
@@ -44,7 +44,7 @@ class Hakiri::HttpClient
   #   Returns a hash of differences between technologies.
   #
   def check_versions_diff(params)
-    RestClient.get "#{@api_url}/versions/diffs.json?auth_token=#{@auth_token}&#{params}" do |response, request, result, &block|
+    RestClient.post "#{@api_url}/versions/diffs.json?auth_token=#{@auth_token}", params do |response, request, result, &block|
       case response.code
         when 200
           JSON.parse(response.to_str, :symbolize_names => true)

data/lib/hakiri/stack.rb

@@ -22,6 +22,40 @@ class Hakiri::Stack
     @technologies = JSON.parse(IO.read(json_file))
   end
 
+  #
+  # Parses a supplied Gemfile.lock and sets stack technologies.
+  #
+  # @param [String] gemfile
+  #   Gemfile.lock file.
+  #
+  def build_from_gemfile(gemfile)
+    begin
+      lockfile = Bundler::LockfileParser.new(IO.read(gemfile))
+
+      lockfile.sources.map do |source|
+        case source
+          when Bundler::Source::Git
+            case source.uri
+              when /^git:/, /^http:/
+                say "!      Insecure Source: #{source.uri}"
+            end
+          when Bundler::Source::Rubygems
+            source.remotes.each do |uri|
+              if uri.scheme == 'http'
+                say "!      Insecure Source: #{uri.to_s}"
+              end
+            end
+        end
+      end
+
+      lockfile.specs.each do |gem|
+        @technologies[gem.name] = { name: gem.name, version: gem.version.to_s, type: 'gem' }
+      end
+    rescue Exception => e
+      say "!      Couldn\'t parse your Gemfile.lock: #{e}"
+    end
+  end
+
   #
   # This method analyzes user input from the Hakiri gem and sets up
   # default commands to retrieve versions.

data/lib/hakiri/version.rb

@@ -1,3 +1,3 @@
 module Hakiri
-  VERSION = '0.3.2'
+  VERSION = '0.4.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hakiri
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.4.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,8 +9,24 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-01 00:00:00.000000000 Z
+date: 2013-07-04 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -141,6 +157,7 @@ files:
 - hakiri.gemspec
 - lib/hakiri.rb
 - lib/hakiri/cli/cli.rb
+- lib/hakiri/cli/gemfile.rb
 - lib/hakiri/cli/manifest.json
 - lib/hakiri/cli/manifest.rb
 - lib/hakiri/cli/system.rb