legendary 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d3c324fc5c9231e59d724fa09bdc2aa0acf3ab4c
+  data.tar.gz: fad40b6afeb4395295b740acb733a7c8d61dcd48
+SHA512:
+  metadata.gz: 89451a2ad1542006b6b57b8314d6828a46981d11dcb67b143fecd369143d90e16eb7fcc79ee4b1fc073cd34af05a34de09395dbce00cedece8cd0ce8ea87a796
+  data.tar.gz: 23cd3daa76f1415153d4d5b1c3d4850b7dc604749748768132777915468ada41da640d8744d0e6779f05683be2d8e631abc9eeaa9c0a1e665b6570a9624c4369

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+  - 2.1.3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in legendary.gemspec
+gemspec

data/README.md

@@ -0,0 +1,51 @@
+# Legendary
+
+Ruby Gem Vulnerability Checker.
+
+Started as a fork of [gemsurance](github.com/appfolio/gemsurance).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'legendary'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install legendary
+
+## Usage
+
+    $ bundle exec legendary
+
+RSpec integration (in your spec/spec_helper.rb)
+
+    require 'legendary/rspec'
+
+in a spec file
+
+    ```ruby
+    describe Project::Application do
+      specify { is_expected.to be_secure }
+    end
+    ```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+1. Fork it ( https://github.com/jobready/legendary/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "legendary"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/legendary

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'legendary'
+
+Legendary::Runner.new.run

data/legendary.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'legendary/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "legendary"
+  spec.version       = Legendary::VERSION
+  spec.authors       = ["John D'Agostino"]
+  spec.email         = ["johnd@jobready.com.au"]
+
+  spec.summary       = %q{A Legendary Gem to Detect Security Vulnerabilities}
+  spec.description   = %q{A simple gem that helps detect security vulnerabilities and outdated gems}
+  spec.homepage      = "https://github.com/jobready/legendary"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.1"
+
+  spec.add_dependency "bundler", "~> 1.9"
+  spec.add_dependency "activesupport", "~> 4.2.1"
+  spec.add_dependency "git", "~> 1.2"
+  spec.add_dependency "gems", "~> 0.8"
+
+end

data/lib/legendary/gems.rb

@@ -0,0 +1,29 @@
+module Legendary
+  class Gems
+    include Enumerable
+
+    attr_accessor :bundler
+
+    delegate :dependencies, to: :bundler
+    delegate :specs, to: :bundler
+
+    def initialize
+      @bundler = Bundler.load
+    end
+
+    def each
+      specs.each do |spec|
+        yield Legendary::Info.new(spec,
+                                  dependencies,
+                                  definitions)
+      end
+    end
+
+    def definitions
+      # TODO: locking from gemsurance
+      @definitions ||= Bundler.definition(true).tap do |definition|
+        definition.resolve_remotely!
+      end
+    end
+  end
+end

data/lib/legendary/info.rb

@@ -0,0 +1,56 @@
+module Legendary
+  class Info
+    attr_accessor :name, :spec, :version, :gemfile, :dependencies, :definitions
+
+    delegate :homepage_uri, to: :meta
+    delegate :name, to: :spec
+    delegate :version, to: :spec
+    delegate :git_version, to: :spec
+    delegate :version, to: :latest, prefix: true
+
+    def initialize(spec, dependencies, definitions)
+       @spec = spec
+       @dependencies = dependencies
+       @definitions = definitions
+    end
+
+    def git_outdated?
+      git_version != latest.git_version
+    end
+
+    def gemfile
+      dependencies.any? do |other|
+        other.name == name
+      end
+    end
+
+    def outdated?
+      Gem::Version.new(latest_version) > Gem::Version.new(version)
+    end
+
+    def vulnerable?
+      # FIXME: speeds things up, but in theory a
+      # a gem might not have a release, but have vulnerable
+      return false unless (outdated? || git_outdated?)
+      return vulnerabilities.any?
+    end
+
+    def vulnerabilities
+      @vulnerabilities ||= Vulnerabilities.new(self)
+    end
+
+    def meta
+      @meta ||= ::Gems.info(name)
+    end
+
+    def latest
+      @latest ||= definitions.index[name].sort_by { |b| b.version }.last
+    end
+
+    def prerelease
+      if !version.prerelease? && latest.size > 1
+        latest.delete_if { |b| b.respond_to?(:version) && b.version.prerelease? }
+      end
+    end
+  end
+end

data/lib/legendary/repository.rb

@@ -0,0 +1,28 @@
+module Legendary
+  class Repository
+    DB_REPO = 'https://github.com/rubysec/ruby-advisory-db'
+
+    attr_accessor :path
+
+    def initialize(path)
+      @path = path
+    end
+
+    def repo_exists?
+      File.directory?(File.join(path, '/.git/'))
+    end
+
+    def clone
+      Git.clone(DB_REPO, path)
+    end
+
+    def pull
+      repo = Git.open(path)
+      repo.pull
+    end
+
+    def clone_or_update
+      repo_exists? ? pull : clone
+    end
+  end
+end

data/lib/legendary/rspec.rb

@@ -0,0 +1,13 @@
+require 'rspec/matchers'
+
+
+RSpec::Matchers.define :be_secure do
+  match do
+    gems = Legendary::Gems.new
+    vulnerable_gems = gems.collect do |gem|
+      gem.vulnerable?
+    end
+
+    expect(vulnerable_gems.nil?).to be_truthy
+  end
+end

data/lib/legendary/runner.rb

@@ -0,0 +1,24 @@
+module Legendary
+  class Runner
+    def initialize(path='/tmp/.legendary-repo')
+      Legendary.repository = Repository.new(path)
+    end
+
+    def run
+      Legendary.logger.info("Updating Repository")
+      Legendary.repository.clone_or_update
+
+      Legendary.logger.info("Loading Gems")
+
+      Gems.new.each do |gem|
+        if gem.outdated?
+          puts "#{gem.name} is outdated. #{gem.version} -> #{gem.latest_version} (it is a #{gem.gemfile ? 'in your gemfile' : 'dependency'})"
+        end
+
+        if gem.vulnerable?
+          puts "#{gem.name} is vulnerable."
+        end
+      end
+    end
+  end
+end

data/lib/legendary/version.rb

@@ -0,0 +1,3 @@
+module Legendary
+  VERSION = "0.1.0"
+end

data/lib/legendary/vulnerabilities.rb

@@ -0,0 +1,45 @@
+module Legendary
+  class Vulnerabilities
+    include Enumerable
+
+    def initialize(info)
+      @info = info
+    end
+
+    def path
+      @path ||= File.join(Legendary.repository.path,
+                          @info.name)
+    end
+
+    def exists?
+      File.exists?(path)
+    end
+
+    def each
+      return nil unless exists?
+
+      Legendary.logger.info("#{@info.name} : #{path}")
+
+      Dir.foreach(path) do |yaml_file|
+        info = YAML.load(yaml_file)
+
+        Legendary.logger.info("#{@info.name}: #{info}")
+
+        affected = (vulnerability.patched_versions || []).none?(satisfied_version)
+        patched = (vulnerability.unaffected_versions || []).none?(satisfied_version)
+
+        if affected || patched
+          yield info
+        end
+      end
+    end
+
+    private
+
+    def satisfied_version(version)
+      Gem::Requirement.new(version.split(',')).satisfied_by?(@info.version)
+    end
+  end
+end
+
+

data/lib/legendary.rb

@@ -0,0 +1,27 @@
+require 'bundler'
+require 'git'
+require 'erb'
+require 'gems'
+require 'logger'
+require 'active_support/core_ext/module/delegation'
+
+module Legendary
+  def self.repository
+    @repository ||= Repository.new
+  end
+
+  def self.repository=(repository)
+    @repository = repository
+  end
+
+  def self.logger
+    @logger ||= ::Logger.new(STDOUT)
+  end
+end
+
+require 'legendary/version'
+require 'legendary/vulnerabilities'
+require 'legendary/repository'
+require 'legendary/gems'
+require 'legendary/info'
+require 'legendary/runner'

metadata

@@ -0,0 +1,148 @@
+--- !ruby/object:Gem::Specification
+name: legendary
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- John D'Agostino
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-06-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.1
+- !ruby/object:Gem::Dependency
+  name: git
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: gems
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+description: A simple gem that helps detect security vulnerabilities and outdated
+  gems
+email:
+- johnd@jobready.com.au
+executables:
+- legendary
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/legendary
+- legendary.gemspec
+- lib/legendary.rb
+- lib/legendary/gems.rb
+- lib/legendary/info.rb
+- lib/legendary/repository.rb
+- lib/legendary/rspec.rb
+- lib/legendary/runner.rb
+- lib/legendary/version.rb
+- lib/legendary/vulnerabilities.rb
+homepage: https://github.com/jobready/legendary
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: A Legendary Gem to Detect Security Vulnerabilities
+test_files: []
+has_rdoc: