holepicker 0.3.0 → 0.3.1

data/Changelog.markdown

@@ -1,3 +1,7 @@
+#### Version 0.3.1 (20.05.2013)
+
+* stdin option
+
 #### Version 0.3.0 (13.04.2013)
 
 * silent option
@@ -7,10 +11,12 @@
 #### Version 0.2.2 (29.03.2013)
 
 * fixed Capistrano recipe
+* updated Devise vulnerability info
 
 #### Version 0.2.1 (21.03.2013)
 
 * added possibility to display additional notes about specific vulnerabilities (see data.json)
+* added multi_xml, httparty, extlib, crack and nori vulnerabilities
 
 #### Version 0.2.0 (7.03.2013)
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    holepicker (0.3.0)
+    holepicker (0.3.1)
       json (>= 1.7.7)
       rainbow (>= 1.1.4)
 

data/README.markdown

@@ -6,7 +6,7 @@ HolePicker is a Ruby gem for quickly checking all your `Gemfile.lock` files for
  
 [![Build Status](https://travis-ci.org/jsuder/holepicker.png?branch=master)](https://travis-ci.org/jsuder/holepicker)
  
-[![Code Climate](https://codeclimate.com/github/jsuder/rails-retweeter-bot.png)](https://codeclimate.com/github/jsuder/rails-retweeter-bot)
+[![Code Climate](https://codeclimate.com/github/jsuder/holepicker.png)](https://codeclimate.com/github/jsuder/holepicker)
 
 ## The story
 
@@ -119,7 +119,7 @@ There are a few other projects with a similar purpose, take a look if HolePicker
 * [bundler-audit](https://github.com/postmodern/bundler-audit) - lets you scan the project in current directory
 * [bundler-organization_audit](https://github.com/grosser/bundler-organization_audit) - scans all your projects on GitHub
 * [ruby-advisory-db](https://github.com/rubysec/ruby-advisory-db) - a shared database of vulnerabilities - I'll try to integrate holepicker with it later
-* [gemcanary](https://gemcanary.com/) - some kind of web service, not released yet (as of 23.02)
+* [gemcanary](https://gemcanary.com/) - a web service that notifies you by email when a new vulnerability is found in a gem used by one of your apps
 * [gems-status](https://github.com/jordimassaguerpla/gems-status) - a more general tool for checking everything that might be wrong with your gems (work in progress)
 
 ## Credits & contributing

data/bin/holepicker

@@ -39,6 +39,10 @@ OptionParser.new do |opts|
     HolePicker.logger.level = Logger::ERROR
   end
 
+  opts.on("--stdin", "Read a gemfile directly from STDIN instead of paths given in arguments") do
+    options[:stdin] = true
+  end
+
   opts.on("-h", "--help", "Display this help") do
     HolePicker.logger.info(opts)
     exit
@@ -52,7 +56,7 @@ OptionParser.new do |opts|
   opts.parse!
 end
 
-if ARGV.empty?
+if ARGV.empty? && !options[:stdin]
   HolePicker.logger.error "Please choose at least one directory to scan for gemfiles."
   exit 1
 end

data/lib/holepicker/gemfile_parser.rb

@@ -0,0 +1,17 @@
+require 'holepicker/gem'
+
+module HolePicker
+  class GemfileParser
+    GEM_PATTERN = %r(^ {4}[^ ])
+
+    def initialize(ignored_gems = nil)
+      @ignored_gems = ignored_gems || []
+    end
+
+    def parse_gemfile(data)
+      gem_lines = data.lines.select { |l| l =~ GEM_PATTERN }
+      gems = gem_lines.map { |l| Gem.new(l) }
+      gems.reject { |g| @ignored_gems.include?(g.name) }
+    end
+  end
+end

data/lib/holepicker/logger.rb

@@ -30,11 +30,14 @@ module HolePicker
 
   module HasLogger
     def logger
-      HolePicker.logger
+      @logger ||= HolePicker.logger
     end
 
     def self.included(c)
-      c.extend(self)
+      c.class_eval do
+        attr_writer :logger
+        extend HasLogger
+      end
     end
   end
 

data/lib/holepicker/scan_reporter.rb

@@ -0,0 +1,73 @@
+require 'holepicker/logger'
+require 'holepicker/utils'
+require 'set'
+
+module HolePicker
+  class ScanReporter
+    include HasLogger
+
+    attr_reader :safe_gemfiles, :vulnerable_gems, :vulnerable_gemfiles, :vulnerabilities
+
+    def initialize
+      @safe_gemfiles = []
+      @vulnerable_gemfiles = []
+      @vulnerable_gems = []
+      @vulnerabilities = Set.new
+    end
+
+    def add_vulnerable_gem(gem, vulnerabilities)
+      @vulnerabilities.merge(vulnerabilities)
+      @vulnerable_gems << gem
+    end
+
+    def add_vulnerable_gemfile(path)
+      @vulnerable_gemfiles << path
+    end
+
+    def add_safe_gemfile(path)
+      @safe_gemfiles << path
+    end
+
+    def success?
+      @vulnerable_gems.empty?
+    end
+
+    def print_report
+      if success?
+        if @safe_gemfiles.empty?
+          logger.warn "No gemfiles found - are you sure the paths are correct?"
+        else
+          logger.info "No vulnerabilities found."
+        end
+      else
+        gem_count = @vulnerable_gems.length
+        gemfile_count = @vulnerable_gemfiles.length
+
+        gems = Utils.pluralize(gem_count, 'gem')
+        gemfiles = Utils.pluralize(gemfile_count, 'gemfile')
+
+        logger.fail "#{gem_count} vulnerable #{gems} found in #{gemfile_count} #{gemfiles}!\n"
+
+        report_vulnerabilities
+        print_notes if @vulnerabilities.any?(&:note)
+      end
+    end
+
+
+    private
+
+    def report_vulnerabilities
+      @vulnerabilities.sort_by(&:id).each do |v|
+        logger.error "[#{v.tag}] #{v.day}: #{v.url}"
+      end
+    end
+
+    def print_notes
+      logger.error
+
+      @vulnerabilities.select(&:note).each do |v|
+        logger.error "[#{v.tag}] #{v.note}"
+      end
+    end
+  end
+end

data/lib/holepicker/scanner.rb

@@ -1,22 +1,21 @@
 # encoding: utf-8
 
-require 'holepicker/gem'
 require 'holepicker/config_gemfile_finder'
 require 'holepicker/direct_gemfile_finder'
+require 'holepicker/gemfile_parser'
 require 'holepicker/logger'
 require 'holepicker/offline_database'
 require 'holepicker/online_database'
+require 'holepicker/scan_reporter'
 require 'holepicker/utils'
-require 'set'
 
 module HolePicker
   class Scanner
     include HasLogger
 
-    GEMFILE_GEM_PATTERN = %r(^ {4}[^ ])
-
     def initialize(paths, options = {})
       @paths = paths.is_a?(Array) ? paths : [paths]
+      @stdin = options[:stdin]
 
       @database = options[:offline] ? OfflineDatabase.load : OnlineDatabase.load
 
@@ -29,22 +28,23 @@ module HolePicker
         )
       end
 
-      @ignored = options[:ignored_gems] || []
+      @parser = GemfileParser.new(options[:ignored_gems])
     end
 
     def scan
-      logger.info "Looking for gemfiles..."
+      @reporter = ScanReporter.new
 
-      @found_vulnerabilities = Set.new
-      @scanned_gemfiles = 0
-      @matched_gemfiles = 0
-      @matched_gems = 0
+      if @stdin
+        scan_gemfile(STDIN.read, nil)
+      else
+        logger.info "Looking for gemfiles..."
 
-      @paths.each { |p| scan_path(p) }
+        @paths.each { |p| scan_path(p) }
+      end
 
-      print_report
+      @reporter.print_report
 
-      @matched_gems == 0
+      @reporter.success?
     end
 
 
@@ -54,68 +54,38 @@ module HolePicker
       @database.vulnerabilities.select { |v| v.gem_vulnerable?(gem) }
     end
 
-    def read_gemfile(path)
-      File.readlines(path).select { |l| l =~ GEMFILE_GEM_PATTERN }.map { |l| Gem.new(l) }
-    end
-
     def scan_path(path)
-      @finder.find_gemfiles(path).each { |f| scan_gemfile(f) }
+      @finder.find_gemfiles(path).each { |f| scan_gemfile(File.read(f), f) }
     end
 
-    def scan_gemfile(path)
-      gems = read_gemfile(path)
-      gems.delete_if { |g| @ignored.include?(g.name) }
+    def scan_gemfile(data, path)
+      gems = @parser.parse_gemfile(data)
 
       vulnerable_gems = gems.map { |g| [g, vulnerabilities_for_gem(g)] }
       vulnerable_gems.delete_if { |g, v| v.empty? }
 
       count = vulnerable_gems.length
+      label = path || "Scanning gemfile"
 
       if count == 0
-        logger.print "#{path}: "
+        logger.print "#{label}: "
         logger.success "✔"
+
+        @reporter.add_safe_gemfile(path)
       else
-        logger.print "#{path}: ", Logger::ERROR
+        logger.print "#{label}: ", Logger::ERROR
         logger.fail "#{count} vulnerable #{Utils.pluralize(count, 'gem')} found!"
 
         vulnerable_gems.each do |gem, vulnerabilities|
           logger.error "- #{gem} [#{vulnerabilities.map(&:tag).join(',')}]"
 
-          @found_vulnerabilities.merge(vulnerabilities)
-          @matched_gems += 1
+          @reporter.add_vulnerable_gem(gem, vulnerabilities)
         end
 
-        @matched_gemfiles += 1
+        @reporter.add_vulnerable_gemfile(path)
 
         logger.error
       end
-
-      @scanned_gemfiles += 1
-    end
-
-    def print_report
-      if @scanned_gemfiles == 0
-        logger.warn "No gemfiles found - are you sure the paths are correct?"
-      elsif @matched_gemfiles == 0
-        logger.info "No vulnerabilities found."
-      else
-        gems = Utils.pluralize(@matched_gems, 'gem')
-        gemfiles = Utils.pluralize(@matched_gemfiles, 'gemfile')
-
-        logger.fail "#{@matched_gems} vulnerable #{gems} found in #{@matched_gemfiles} #{gemfiles}!\n"
-
-        @found_vulnerabilities.sort_by(&:id).each do |v|
-          logger.error "[#{v.tag}] #{v.day}: #{v.url}"
-        end
-
-        if @found_vulnerabilities.any?(&:note)
-          logger.error
-
-          @found_vulnerabilities.select(&:note).each do |v|
-            logger.error "[#{v.tag}] #{v.note}"
-          end
-        end
-      end
     end
   end
 end

data/lib/holepicker/version.rb

@@ -1,7 +1,7 @@
 require 'rubygems'
 
 module HolePicker
-  VERSION = "0.3.0"
+  VERSION = "0.3.1"
 
   def self.version
     ::Gem::Version.new(VERSION)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: holepicker
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04-13 00:00:00.000000000 Z
+date: 2013-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -63,9 +63,11 @@ files:
 - lib/holepicker/direct_gemfile_finder.rb
 - lib/holepicker/file_finder.rb
 - lib/holepicker/gem.rb
+- lib/holepicker/gemfile_parser.rb
 - lib/holepicker/logger.rb
 - lib/holepicker/offline_database.rb
 - lib/holepicker/online_database.rb
+- lib/holepicker/scan_reporter.rb
 - lib/holepicker/scanner.rb
 - lib/holepicker/utils.rb
 - lib/holepicker/version.rb