holepicker 0.2.2 → 0.3.0

data/Changelog.markdown

@@ -1,3 +1,9 @@
+#### Version 0.3.0 (13.04.2013)
+
+* silent option
+* no-color option
+* added vulnerabilities for ftpd, dragonfly, rdoc
+
 #### Version 0.2.2 (29.03.2013)
 
 * fixed Capistrano recipe

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    holepicker (0.2.2)
+    holepicker (0.3.0)
       json (>= 1.7.7)
       rainbow (>= 1.1.4)
 

data/README.markdown

@@ -53,6 +53,24 @@ You might have a lot of random apps deployed in the `/var/www` directory, but on
     holepicker -f /etc/nginx/sites-enabled
 
 
+## Results
+
+This is more or less what you will get if you run HolePicker in a directory with some old Rails projects:
+
+![screenshot](http://f.cl.ly/items/1l3C2c2s0r1k3v033B34/Screen%20Shot%202013-02-16%20at%2001.43.39.png)
+
+
+## Running on app startup
+
+If you want to check your gems when your app is started, add HolePicker to your Gemfile and then call `HolePicker::Scanner#scan` in a file that's loaded at app startup (e.g. in Rails projects you can add an initializer in `config/initializers`):
+
+```rb
+HolePicker::Scanner.new('Gemfile.lock').scan or abort
+```
+
+You may want to pass `:offline` or `:ignored_gems` options or change logger settings too - see [`bin/holepicker` source](https://github.com/jsuder/holepicker/blob/master/bin/holepicker) for more info.
+
+
 ## Integration with capistrano
 
 To automatically check for vulnerabilities before deployment, you can add the HolePicker Capistrano recipe:
@@ -62,12 +80,6 @@ To automatically check for vulnerabilities before deployment, you can add the Ho
 
 This will introduce a `cap holepicker` task which will be executed before the deploy.
 
-## Results
-
-This is more or less what you will get if you run HolePicker in a directory with some old Rails projects:
-
-![screenshot](http://f.cl.ly/items/1l3C2c2s0r1k3v033B34/Screen%20Shot%202013-02-16%20at%2001.43.39.png)
-
 
 ## Full option list
 
@@ -87,16 +99,24 @@ Look for `root`/`DocumentRoot` directives in config files at given locations ins
 
 Ignore the gems passed in the parameter.
 
+`--no-color`
+
+Disable output coloring (by default green is used for good gemfiles and red is used for bad gemfiles and errors).
+
 `-o`, `--offline`
 
 Use an offline copy of the data file - useful if you really need to run the tool, but the network or GitHub is down.
 
+`-s`, `--silent`
+
+Silent mode - disable info-level messages ("Looking for gemfiles...") and only print errors and found vulnerabilities.
+
 
 ## Similar projects
 
 There are a few other projects with a similar purpose, take a look if HolePicker isn't exactly what you need:
 
-* [bundler-audit](https://github.com/postmodern/bundler-audit) - scans the current project when the app is loaded
+* [bundler-audit](https://github.com/postmodern/bundler-audit) - lets you scan the project in current directory
 * [bundler-organization_audit](https://github.com/grosser/bundler-organization_audit) - scans all your projects on GitHub
 * [ruby-advisory-db](https://github.com/rubysec/ruby-advisory-db) - a shared database of vulnerabilities - I'll try to integrate holepicker with it later
 * [gemcanary](https://gemcanary.com/) - some kind of web service, not released yet (as of 23.02)

data/bin/holepicker

@@ -27,17 +27,25 @@ OptionParser.new do |opts|
     options[:ignored_gems] = names
   end
 
+  opts.on("--no-color", "Disable output coloring") do
+    HolePicker.logger.color = false
+  end
+
   opts.on("-o", "--offline", "Use an offline copy of the data.json file") do
     options[:offline] = true
   end
 
+  opts.on("-s", "--silent", "Silent mode - disable info-level logging, only print errors") do
+    HolePicker.logger.level = Logger::ERROR
+  end
+
   opts.on("-h", "--help", "Display this help") do
-    puts opts
+    HolePicker.logger.info(opts)
     exit
   end
 
   opts.on("-v", "--version", "Print gem version") do
-    puts HolePicker::VERSION
+    HolePicker.logger.info(HolePicker::VERSION)
     exit
   end
 
@@ -45,7 +53,8 @@ OptionParser.new do |opts|
 end
 
 if ARGV.empty?
-  abort "Please choose at least one directory to scan for gemfiles."
+  HolePicker.logger.error "Please choose at least one directory to scan for gemfiles."
+  exit 1
 end
 
 success = HolePicker::Scanner.new(ARGV, options).scan

data/lib/holepicker.rb

@@ -1,2 +1,3 @@
+require 'holepicker/logger'
 require 'holepicker/scanner'
 require 'holepicker/version'

data/lib/holepicker/data/data.json

@@ -9,6 +9,20 @@
       "date": "2013-03-18T17:21Z",
       "note": "Warning: there are several issues with Rails 3.2.13, affecting view performance and other things; see http://blog.bugsnag.com/2013/03/20/rails-3-2-13-performance-regressions-major-bugs/ for more info."
     },
+    {
+      "gems": {
+        "ftpd": ["0.2.2"]
+      },
+      "url": "http://seclists.org/bugtraq/2013/Mar/10",
+      "date": "2013-03-03T05:45Z"
+    },
+    {
+      "gems": {
+        "dragonfly": ["0.9.14"]
+      },
+      "url": "https://groups.google.com/d/msg/dragonfly-users/3c3WIU3VQTo/ccasejdDjcAJ",
+      "date": "2013-02-19T08:39Z"
+    },
     {
       "gems": {
         "rails": ["3.2.12", "3.1.11", "2.3.17"]
@@ -31,6 +45,13 @@
       "url": "http://rack.github.com/",
       "date": "2013-02-08T03:14Z"
     },
+    {
+      "gems": {
+        "rdoc": ["4.0.0.rc.2", "3.12.1", "3.9.5"]
+      },
+      "url": "http://rdoc.rubyforge.org/CVE-2013-0256_rdoc.html",
+      "date": "2013-02-07T05:49Z"
+    },
     {
       "gems": {
         "rails": ["3.0.20", "2.3.16"]
@@ -50,7 +71,7 @@
         "httparty": ["0.10.0"],
         "extlib": ["0.9.16"],
         "crack": ["0.3.2"],
-        "nori": ["2.0.2", "1.1.4", "1.0.3"]
+        "nori": ["2.0.3", "1.1.4", "1.0.3"]
       },
       "url": "https://support.cloud.engineyard.com/entries/22915701-January-14-2013-Security-vulnerabilities-httparty-extlib-crack-nori-Update-these-gems-immediately",
       "date": "2013-01-15T13:10Z"

data/lib/holepicker/logger.rb

@@ -0,0 +1,44 @@
+require 'logger'
+require 'rainbow'
+
+module HolePicker
+  class Logger < ::Logger
+    attr_accessor :color
+
+    def initialize(io)
+      super
+      self.level = INFO
+      self.color = true
+    end
+
+    def format_message(level, datetime, progname, message)
+      progname == 'print' ? message.to_s : "#{message}\n"
+    end
+
+    def print(message, level = INFO)
+      add(level, message, 'print')
+    end
+
+    def fail(message)
+      error(color ? message.color(:red) : message)
+    end
+
+    def success(message)
+      info(color ? message.color(:green) : message)
+    end
+  end
+
+  module HasLogger
+    def logger
+      HolePicker.logger
+    end
+
+    def self.included(c)
+      c.extend(self)
+    end
+  end
+
+  def self.logger
+    @logger ||= Logger.new(STDOUT)
+  end
+end

data/lib/holepicker/offline_database.rb

@@ -1,13 +1,16 @@
 require 'holepicker/database'
+require 'holepicker/logger'
 
 module HolePicker
   class OfflineDatabase < Database
+    include HasLogger
+
     OFFLINE_JSON_FILE = File.expand_path('../data/data.json', __FILE__)
 
     def self.load
       load_from_json_file(File.read(OFFLINE_JSON_FILE))
     rescue Exception => e
-      puts "Can't load local data file: #{e}"
+      logger.fail "Can't load local data file: #{e}"
       exit 1
     end
   end

data/lib/holepicker/online_database.rb

@@ -1,26 +1,36 @@
 require 'holepicker/database'
+require 'holepicker/logger'
 require 'holepicker/utils'
 require 'net/http'
 require 'net/https'
 
 module HolePicker
   class OnlineDatabase < Database
-    URL='https://raw.github.com/jsuder/holepicker/master/lib/holepicker/data/data.json'
+    include HasLogger
+
+    URL = 'https://raw.github.com/jsuder/holepicker/master/lib/holepicker/data/data.json'
 
     def self.load
-      puts "Fetching list of vulnerabilities..."
+      logger.info "Fetching list of vulnerabilities..."
 
-      load_from_json_file(http_get(URL)).tap do |db|
-        db.check_compatibility
-        db.report_new_vulnerabilities
-      end
+      load_from_json_file(http_get(URL))
     rescue SystemExit
       raise
     rescue Exception => e
-      puts "Can't download latest data file: #{e}"
+      logger.fail "Can't download latest data file: #{e}"
       exit 1
     end
 
+    def initialize(json)
+      super
+
+      check_compatibility
+      report_new_vulnerabilities
+    end
+
+
+    private
+
     def self.http_get(url)
       uri = URI(url)
       http = Net::HTTP.new(uri.host, uri.port)
@@ -32,7 +42,7 @@ module HolePicker
 
     def check_compatibility
       unless compatible?
-        puts "You need to upgrade holepicker to version #{@min_version} or later."
+        logger.fail "You need to upgrade holepicker to version #{@min_version} or later."
         exit 1
       end
     end
@@ -42,14 +52,14 @@ module HolePicker
       count = new_vulnerabilities.length
 
       if count > 0
-        puts "#{count} new #{Utils.pluralize(count, 'vulnerability')} found in the last " +
+        logger.info "#{count} new #{Utils.pluralize(count, 'vulnerability')} found in the last " +
           "#{Vulnerability::NEW_VULNERABILITY_DAYS} days:"
 
         new_vulnerabilities.each do |v|
-          puts "#{v.day} (#{v.gem_names.join(', ')}): #{v.url}"
+          logger.info "#{v.day} (#{v.gem_names.join(', ')}): #{v.url}"
         end
 
-        puts
+        logger.info
       end
     end
   end

data/lib/holepicker/scanner.rb

@@ -3,14 +3,16 @@
 require 'holepicker/gem'
 require 'holepicker/config_gemfile_finder'
 require 'holepicker/direct_gemfile_finder'
+require 'holepicker/logger'
 require 'holepicker/offline_database'
 require 'holepicker/online_database'
 require 'holepicker/utils'
-require 'rainbow'
 require 'set'
 
 module HolePicker
   class Scanner
+    include HasLogger
+
     GEMFILE_GEM_PATTERN = %r(^ {4}[^ ])
 
     def initialize(paths, options = {})
@@ -31,7 +33,7 @@ module HolePicker
     end
 
     def scan
-      puts "Looking for gemfiles..."
+      logger.info "Looking for gemfiles..."
 
       @found_vulnerabilities = Set.new
       @scanned_gemfiles = 0
@@ -61,8 +63,6 @@ module HolePicker
     end
 
     def scan_gemfile(path)
-      print "#{path}: "
-
       gems = read_gemfile(path)
       gems.delete_if { |g| @ignored.include?(g.name) }
 
@@ -72,12 +72,14 @@ module HolePicker
       count = vulnerable_gems.length
 
       if count == 0
-        puts "✔".color(:green)
+        logger.print "#{path}: "
+        logger.success "✔"
       else
-        puts "#{count} vulnerable #{Utils.pluralize(count, 'gem')} found!".color(:red)
+        logger.print "#{path}: ", Logger::ERROR
+        logger.fail "#{count} vulnerable #{Utils.pluralize(count, 'gem')} found!"
 
         vulnerable_gems.each do |gem, vulnerabilities|
-          puts "- #{gem} [#{vulnerabilities.map(&:tag).join(',')}]"
+          logger.error "- #{gem} [#{vulnerabilities.map(&:tag).join(',')}]"
 
           @found_vulnerabilities.merge(vulnerabilities)
           @matched_gems += 1
@@ -85,7 +87,7 @@ module HolePicker
 
         @matched_gemfiles += 1
 
-        puts
+        logger.error
       end
 
       @scanned_gemfiles += 1
@@ -93,25 +95,24 @@ module HolePicker
 
     def print_report
       if @scanned_gemfiles == 0
-        puts "No gemfiles found - are you sure the paths are correct?".color(:red)
+        logger.warn "No gemfiles found - are you sure the paths are correct?"
       elsif @matched_gemfiles == 0
-        puts "No vulnerabilities found."
+        logger.info "No vulnerabilities found."
       else
         gems = Utils.pluralize(@matched_gems, 'gem')
         gemfiles = Utils.pluralize(@matched_gemfiles, 'gemfile')
 
-        warning = "#{@matched_gems} vulnerable #{gems} found in #{@matched_gemfiles} #{gemfiles}!\n"
-        puts warning.color(:red)
+        logger.fail "#{@matched_gems} vulnerable #{gems} found in #{@matched_gemfiles} #{gemfiles}!\n"
 
         @found_vulnerabilities.sort_by(&:id).each do |v|
-          puts "[#{v.tag}] #{v.day}: #{v.url}"
+          logger.error "[#{v.tag}] #{v.day}: #{v.url}"
         end
 
         if @found_vulnerabilities.any?(&:note)
-          puts
+          logger.error
 
           @found_vulnerabilities.select(&:note).each do |v|
-            puts "[#{v.tag}] #{v.note}"
+            logger.error "[#{v.tag}] #{v.note}"
           end
         end
       end

data/lib/holepicker/version.rb

@@ -1,7 +1,7 @@
 require 'rubygems'
 
 module HolePicker
-  VERSION = "0.2.2"
+  VERSION = "0.3.0"
 
   def self.version
     ::Gem::Version.new(VERSION)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: holepicker
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-29 00:00:00.000000000 Z
+date: 2013-04-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -63,6 +63,7 @@ files:
 - lib/holepicker/direct_gemfile_finder.rb
 - lib/holepicker/file_finder.rb
 - lib/holepicker/gem.rb
+- lib/holepicker/logger.rb
 - lib/holepicker/offline_database.rb
 - lib/holepicker/online_database.rb
 - lib/holepicker/scanner.rb