RubyGems - package-audit - Versions diffs - 0.1.0 - Mend

package-audit 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

checksums.yaml +7 -0
data/exe/package-audit +10 -0
data/lib/package/audit/cli.rb +134 -0
data/lib/package/audit/const.rb +5 -0
data/lib/package/audit/dependency.rb +57 -0
data/lib/package/audit/dependency_printer.rb +128 -0
data/lib/package/audit/enum/environment.rb +15 -0
data/lib/package/audit/enum/risk_explanation.rb +14 -0
data/lib/package/audit/enum/risk_type.rb +12 -0
data/lib/package/audit/enum/vulnerability_type.rb +14 -0
data/lib/package/audit/formatter/base.rb +11 -0
data/lib/package/audit/formatter/risk.rb +28 -0
data/lib/package/audit/formatter/version.rb +33 -0
data/lib/package/audit/formatter/version_date.rb +28 -0
data/lib/package/audit/formatter/vulnerability.rb +37 -0
data/lib/package/audit/risk.rb +27 -0
data/lib/package/audit/risk_calculator.rb +65 -0
data/lib/package/audit/ruby/bundler_specs.rb +28 -0
data/lib/package/audit/ruby/gem_collection.rb +43 -0
data/lib/package/audit/ruby/gem_meta_data.rb +58 -0
data/lib/package/audit/ruby/vulnerability_finder.rb +24 -0
data/lib/package/audit/util/bash_color.rb +35 -0
data/lib/package/audit/util/summary_printer.rb +75 -0
data/lib/package/audit/version.rb +5 -0
data/sig/const.rbs +5 -0
data/sig/package/audit/cli.rbs +31 -0
data/sig/package/audit/dependency.rbs +35 -0
data/sig/package/audit/dependency_printer.rbs +24 -0
data/sig/package/audit/enum/environment.rbs +13 -0
data/sig/package/audit/enum/risk_explanation.rbs +12 -0
data/sig/package/audit/enum/risk_type.rbs +12 -0
data/sig/package/audit/enum/vulnerability_type.rbs +14 -0
data/sig/package/audit/formatter/base.rbs +9 -0
data/sig/package/audit/formatter/risk_printer.rbs +13 -0
data/sig/package/audit/formatter/version_date.rbs +13 -0
data/sig/package/audit/formatter/version_printer.rbs +14 -0
data/sig/package/audit/formatter/vulnerability.rbs +13 -0
data/sig/package/audit/risk.rbs +12 -0
data/sig/package/audit/risk_calculator.rbs +21 -0
data/sig/package/audit/ruby/bundler_specs.rbs +11 -0
data/sig/package/audit/ruby/gem_collection.rbs +15 -0
data/sig/package/audit/ruby/gem_meta_data.rbs +23 -0
data/sig/package/audit/ruby/vulnerability_finder.rbs +9 -0
data/sig/package/audit/util/bash_color.rbs +21 -0
data/sig/package/audit/util/summary_printer.rbs +21 -0
data/sig/package/audit/version.rbs +5 -0
metadata +121 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 40db656091a8559c095240ab373f96c905cc6b78898717c1932dff93428d8b6e
+  data.tar.gz: a3220c0f098a071c3cd429914b40bda20826e3157035e778513410c01bd1a566
+SHA512:
+  metadata.gz: 348811b4789ffb9dd446a15c6a73819adcf196737a3949689a18457f2b368daa7c2830f10063208e7073833c7b512feb1ddb36bf60e8376f2d84a2d40bd7d9e3
+  data.tar.gz: b3a779536d324ea28160defac771a242020168f4668ac8e7540d89e6c5db7f833c0c9caa435b8bb50b2cb807f8e211e2257d33e64aa80c61affd271e1a3fd24e

data/exe/package-audit ADDED Viewed

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+lib_dir = File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+require 'package/audit/cli'
+Package::Audit::CLI.start

data/lib/package/audit/cli.rb ADDED Viewed

@@ -0,0 +1,134 @@
+require_relative './const'
+require_relative './version'
+require_relative './util/summary_printer'
+require_relative './ruby/bundler_specs'
+require_relative './dependency_printer'
+require_relative './ruby/gem_collection'
+require 'json'
+require 'thor'
+module Package
+  module Audit
+    class CLI < Thor
+      default_task :report
+      map '--version' => :version
+      desc 'report', 'Show a report of potentially deprecated, outdated or vulnerable gems'
+      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
+      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
+      def report
+        within_rescue_block do
+          gems = Ruby::GemCollection.all
+          DependencyPrinter.new(gems, options).print
+          if gems.any?
+            Util::SummaryPrinter.total(gems.length) unless options[:csv]
+            Util::SummaryPrinter.report unless options[:csv]
+            exit 1
+          else
+            exit_with_success 'There are no deprecated, outdated or vulnerable gems!'
+          end
+        end
+      end
+      desc 'deprecated', "Show gems with no updates by author for at least #{Const::YEARS_ELAPSED_TO_BE_OUTDATED} years"
+      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
+      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
+      def deprecated
+        within_rescue_block do
+          gems = Ruby::GemCollection.deprecated
+          DependencyPrinter.new(gems, options).print(%i[name version latest_version latest_version_date groups])
+          if gems.any?
+            Util::SummaryPrinter.total(gems.length) unless options[:csv]
+            Util::SummaryPrinter.deprecated unless options[:csv]
+            exit 1
+          else
+            exit_with_success 'No potential deprecated have been found!'
+          end
+        end
+      end
+      desc 'outdated', 'Show gems, and optionally their dependencies, that are out of date'
+      method_option :'include-implicit', type: :boolean, default: false,
+                                         desc: 'Only both gems specified in Gemfile and their dependencies'
+      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
+      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
+      def outdated # rubocop:disable Metrics/AbcSize
+        within_rescue_block do
+          gems = Ruby::GemCollection.outdated(include_implicit: options[:'include-implicit'])
+          DependencyPrinter.new(gems, options).print(%i[name version latest_version latest_version_date groups])
+          if gems.any?
+            Util::SummaryPrinter.total(gems.length) unless options[:csv]
+            Util::SummaryPrinter.outdated unless options[:'include-implicit'] || options[:csv]
+            exit 1
+          else
+            exit_with_success 'All gems are at latest versions!'
+          end
+        end
+      end
+      desc 'vulnerable', 'Show gems and their dependencies that have security vulnerabilities'
+      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
+      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
+      def vulnerable
+        within_rescue_block do
+          gems = Ruby::GemCollection.vulnerable
+          DependencyPrinter.new(gems, options).print(%i[name version latest_version groups vulnerabilities])
+          if gems.any?
+            Util::SummaryPrinter.total(gems.length) unless options[:csv]
+            Util::SummaryPrinter.vulnerable unless options[:csv]
+            exit 1
+          else
+            exit_with_success 'No vulnerabilities found!'
+          end
+        end
+      end
+      desc 'risk', 'Print information on how risk is calculated'
+      def risk
+        Util::SummaryPrinter.risk
+      end
+      desc 'version', 'Print the currently installed version of the package-audit gem'
+      def version
+        puts "package-audit #{VERSION}"
+      end
+      def self.exit_on_failure?
+        true
+      end
+      private
+      def within_rescue_block
+        raise "Gemfile was not found in #{Dir.pwd}/Gemfile" unless File.exist?("#{Dir.pwd}/Gemfile")
+        raise "Gemfile.lock was not found in #{Dir.pwd}/Gemfile.lock" unless File.exist?("#{Dir.pwd}/Gemfile.lock")
+        yield
+      rescue StandardError => e
+        exit_with_error "#{e.class}: #{e.message}"
+      end
+      def exit_with_error(msg)
+        puts Util::BashColor.red msg
+        exit 1
+      end
+      def exit_with_success(msg)
+        puts Util::BashColor.green msg
+        exit 0
+      end
+    end
+  end
+end

data/lib/package/audit/const.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module Const
+  SECONDS_PER_YEAR = 31_556_952 # length of a gregorian year (365.2425 days)
+  YEARS_ELAPSED_TO_BE_OUTDATED = 2
+  SECONDS_ELAPSED_TO_BE_OUTDATED = SECONDS_PER_YEAR * YEARS_ELAPSED_TO_BE_OUTDATED
+end

data/lib/package/audit/dependency.rb ADDED Viewed

@@ -0,0 +1,57 @@
+require_relative './risk'
+require_relative './risk_calculator'
+require_relative './enum/environment'
+require_relative './enum/risk_type'
+require_relative './enum/risk_explanation'
+module Package
+  module Audit
+    class Dependency
+      attr_reader :name, :version
+      attr_accessor :groups, :version_date, :latest_version, :latest_version_date, :vulnerabilities
+      def initialize(name, version)
+        @name = name.to_s
+        @version = version.to_s
+        @groups = []
+        @vulnerabilities = []
+      end
+      def update(**attr)
+        attr.each { |key, value| instance_variable_set("@#{key}", value) }
+      end
+      def risk
+        @risk ||= RiskCalculator.new(self).find || Risk.new(Enum::RiskType::NONE)
+      end
+      def risk?
+        risk.type != Enum::RiskType::NONE
+      end
+      def group_list
+        @groups.join('|')
+      end
+      def vulnerabilities_grouped
+        @vulnerabilities.group_by(&:itself).map { |k, v| "#{k}(#{v.length})" }.join('|')
+      end
+      def risk_type
+        risk.type
+      end
+      def risk_explanation
+        risk.explanation
+      end
+      def to_csv(fields)
+        fields.map { |field| send(field) }.join(',')
+      end
+      def to_s
+        "#{@name} #{@version} - [#{@groups.sort.join(', ')}]"
+      end
+    end
+  end
+end

data/lib/package/audit/dependency_printer.rb ADDED Viewed

@@ -0,0 +1,128 @@
+require_relative './formatter/risk'
+require_relative './formatter/version'
+require_relative './formatter/version_date'
+require_relative './formatter/vulnerability'
+module Package
+  module Audit
+    class DependencyPrinter
+      BASH_FORMATTING_REGEX = /\e\[\d+(?:;\d+)*m/
+      COLUMN_GAP = 2
+      # the names of these fields must match the instance variables in the Dependency class
+      FIELDS = %i[
+        name
+        version
+        latest_version
+        latest_version_date
+        groups
+        vulnerabilities
+        risk_type
+        risk_explanation
+      ]
+      HEADERS = {
+        name: 'Package',
+        version: 'Version',
+        latest_version: 'Latest',
+        latest_version_date: 'Latest Date',
+        groups: 'Groups',
+        vulnerabilities: 'Vulnerabilities',
+        risk_type: 'Risk',
+        risk_explanation: 'Risk Explanation'
+      }
+      def initialize(dependencies, options)
+        @dependencies = dependencies
+        @options = options
+      end
+      def print(fields = FIELDS)
+        if (fields - FIELDS).any?
+          raise ArgumentError, "#{fields - FIELDS} are not valid field names. Available fields names are: #{FIELDS}."
+        end
+        if @options[:csv]
+          csv(fields, exclude_headers: @options[:'exclude-headers'])
+        else
+          pretty(fields)
+        end
+      end
+      private
+      def pretty(fields) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+        return if @dependencies.empty?
+        # find the maximum length of each field across all the dependencies so we know how many
+        # characters of horizontal space to allocate for each field when printing
+        fields.each do |key|
+          instance_variable_set "@max_#{key}", HEADERS[key].length
+          @dependencies.each do |gem|
+            curr_field_length = case key
+                                when :vulnerabilities
+                                  gem.vulnerabilities_grouped.length
+                                when :groups
+                                  gem.group_list.length
+                                else
+                                  gem.send(key)&.gsub(BASH_FORMATTING_REGEX, '')&.length || 0
+                                end
+            max_field_length = instance_variable_get "@max_#{key}"
+            instance_variable_set "@max_#{key}", [curr_field_length, max_field_length].max
+          end
+        end
+        line_length = fields.sum { |key| instance_variable_get "@max_#{key}" } +
+                      (COLUMN_GAP * (fields.length - 1))
+        puts '=' * line_length
+        puts fields.map { |key|
+          HEADERS[key].gsub(BASH_FORMATTING_REGEX, '').ljust(instance_variable_get("@max_#{key}"))
+        }.join(' ' * COLUMN_GAP)
+        puts '=' * line_length
+        @dependencies.each do |dep|
+          puts fields.map { |key|
+            val = dep.send(key) || ''
+            val = case key
+                  when :groups
+                    dep.group_list
+                  when :risk_type
+                    Formatter::Risk.new(dep.risk_type).format
+                  when :version
+                    Formatter::Version.new(dep.version, dep.latest_version).format
+                  when :vulnerabilities
+                    Formatter::Vulnerability.new(dep.vulnerabilities).format
+                  when :latest_version_date
+                    Formatter::VersionDate.new(dep.latest_version_date).format
+                  else
+                    val
+                  end
+            formatting_length = val.length - val.gsub(BASH_FORMATTING_REGEX, '').length
+            val.ljust(instance_variable_get("@max_#{key}") + formatting_length)
+          }.join(' ' * COLUMN_GAP)
+        end
+      end
+      def csv(fields, exclude_headers: false) # rubocop:disable Metrics/MethodLength
+        return if @dependencies.empty?
+        value_fields = fields.map do |field|
+          case field
+          when :groups
+            :group_list
+          when :vulnerabilities
+            :vulnerabilities_grouped
+          else
+            field
+          end
+        end
+        puts fields.join(',') unless exclude_headers
+        @dependencies.map { |gem| puts gem.to_csv(value_fields) }
+      end
+    end
+  end
+end

data/lib/package/audit/enum/environment.rb ADDED Viewed

@@ -0,0 +1,15 @@
+require_relative '../const'
+module Package
+  module Audit
+    module Enum
+      module Environment
+        DEV = :development
+        TEST = :test
+        STAGING = :staging
+        PRODUCTION = :production
+        DEFAULT = :default
+      end
+    end
+  end
+end

data/lib/package/audit/enum/risk_explanation.rb ADDED Viewed

@@ -0,0 +1,14 @@
+require_relative '../const'
+module Package
+  module Audit
+    module Enum
+      module RiskExplanation
+        POTENTIAL_DEPRECATION = "no updates by author in over #{Const::YEARS_ELAPSED_TO_BE_OUTDATED} years"
+        OUTDATED_BY_MAJOR_VERSION = 'behind by a major version'
+        OUTDATED = 'not at latest version'
+        VULNERABILITY = 'security vulnerability'
+      end
+    end
+  end
+end

data/lib/package/audit/enum/risk_type.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module Package
+  module Audit
+    module Enum
+      module RiskType
+        NONE = 'none'
+        LOW = 'low'
+        MEDIUM = 'medium'
+        HIGH = 'high'
+      end
+    end
+  end
+end

data/lib/package/audit/enum/vulnerability_type.rb ADDED Viewed

@@ -0,0 +1,14 @@
+module Package
+  module Audit
+    module Enum
+      module VulnerabilityType
+        NONE = 'none'
+        LOW = 'low'
+        MEDIUM = 'medium'
+        HIGH = 'high'
+        CRITICAL = 'critical'
+        UNKNOWN = 'unknown'
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/base.rb ADDED Viewed

@@ -0,0 +1,11 @@
+module Package
+  module Audit
+    module Formatter
+      class Base
+        def format
+          raise NotImplementedError, 'Subclass must implement abstract method'
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/risk.rb ADDED Viewed

@@ -0,0 +1,28 @@
+require_relative './base'
+require_relative '../util/bash_color'
+module Package
+  module Audit
+    module Formatter
+      class Risk < Formatter::Base
+        def initialize(risk_type)
+          super()
+          @risk_type = risk_type
+        end
+        def format
+          case @risk_type
+          when Enum::RiskType::HIGH
+            Util::BashColor.red(Enum::RiskType::HIGH)
+          when Enum::RiskType::MEDIUM
+            Util::BashColor.orange(Enum::RiskType::MEDIUM)
+          when Enum::RiskType::LOW
+            Util::BashColor.yellow(Enum::RiskType::LOW)
+          else
+            @risk_type.to_s
+          end
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/version.rb ADDED Viewed

@@ -0,0 +1,33 @@
+require_relative './base'
+require_relative '../util/bash_color'
+module Package
+  module Audit
+    module Formatter
+      class Version < Formatter::Base
+        def initialize(curr, target)
+          super()
+          @curr = curr
+          @target = target
+        end
+        def format # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+          curr_tokens = @curr.split('.')
+          target_tokens = @target.split('.')
+          if curr_tokens[0] && curr_tokens[0] < target_tokens[0]
+            Util::BashColor.orange(@curr)
+          elsif curr_tokens[1] && curr_tokens[1] < target_tokens[1]
+            "#{curr_tokens[0]}.#{Util::BashColor.yellow(curr_tokens[1..]&.join('.'))}"
+          elsif curr_tokens[2] && curr_tokens[2] < target_tokens[2]
+            "#{curr_tokens[0..1]&.join('.')}.#{Util::BashColor.green(curr_tokens[2..]&.join('.'))}"
+          elsif curr_tokens[3] && curr_tokens[3] < target_tokens[3]
+            "#{curr_tokens[0..2]&.join('.')}.#{Util::BashColor.green(curr_tokens[3])}"
+          else
+            @curr
+          end
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/version_date.rb ADDED Viewed

@@ -0,0 +1,28 @@
+require_relative '../const'
+require_relative './base'
+require_relative '../util/bash_color'
+require 'time'
+module Package
+  module Audit
+    module Formatter
+      class VersionDate < Formatter::Base
+        def initialize(date)
+          super()
+          @date = date
+        end
+        def format
+          seconds_since_date = (Time.now - Time.parse(@date)).to_i
+          if seconds_since_date >= Const::SECONDS_ELAPSED_TO_BE_OUTDATED
+            Util::BashColor.yellow(@date)
+          else
+            @date
+          end
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/vulnerability.rb ADDED Viewed

@@ -0,0 +1,37 @@
+require_relative './base'
+require_relative '../enum/vulnerability_type'
+require_relative '../util/bash_color'
+module Package
+  module Audit
+    module Formatter
+      class Vulnerability < Formatter::Base
+        def initialize(vulnerabilities)
+          super()
+          @vulnerabilities = vulnerabilities
+        end
+        def format # rubocop:disable Metrics/MethodLength
+          formatted = @vulnerabilities.map do |vulnerability|
+            case vulnerability
+            when Enum::VulnerabilityType::UNKNOWN, Enum::VulnerabilityType::CRITICAL, Enum::VulnerabilityType::HIGH
+              Util::BashColor.red(vulnerability)
+            when Enum::VulnerabilityType::MEDIUM
+              Util::BashColor.orange(vulnerability)
+            when Enum::VulnerabilityType::LOW
+              Util::BashColor.yellow(vulnerability)
+            else
+              vulnerability
+            end
+          end
+          formatted.group_by(&:itself).map { |k, v| "#{k}(#{v.length})" }.join(' ')
+        end
+        private
+        def group; end
+      end
+    end
+  end
+end

data/lib/package/audit/risk.rb ADDED Viewed

@@ -0,0 +1,27 @@
+module Package
+  module Audit
+    class Risk
+      include Comparable
+      attr_reader :type, :explanation
+      def initialize(type, explanation = nil)
+        @type = type
+        @explanation = explanation
+      end
+      def <=>(other) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+        if @type == other.type
+          0
+        elsif (@type == Enum::RiskType::HIGH && [Enum::RiskType::MEDIUM, Enum::RiskType::LOW,
+                                                 Enum::RiskType::NONE].include?(other.type)) ||
+              (@type == Enum::RiskType::MEDIUM && [Enum::RiskType::LOW, Enum::RiskType::NONE].include?(other.type)) ||
+              (@type == Enum::RiskType::LOW && [Enum::RiskType::NONE].include?(other.type))
+          1
+        else
+          -1
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/risk_calculator.rb ADDED Viewed

@@ -0,0 +1,65 @@
+require_relative './const'
+module Package
+  module Audit
+    class RiskCalculator
+      def initialize(dependency)
+        @dependency = dependency
+      end
+      def find
+        vulnerability_risk = assess_vulnerability_risk
+        deprecation_risk = assess_vulnerability_risk
+        version_risk = assess_version_risk
+        risk = [vulnerability_risk, deprecation_risk, version_risk].max
+        risk = [risk, Risk.new(Enum::RiskType::MEDIUM, risk.explanation)].min unless risk.nil? || production_dependency?
+        risk
+      end
+      private
+      def assess_vulnerability_risk # rubocop:disable Metrics/MethodLength
+        if (@dependency.vulnerabilities & [
+          Enum::VulnerabilityType::UNKNOWN,
+          Enum::VulnerabilityType::CRITICAL,
+          Enum::VulnerabilityType::HIGH
+        ]).any?
+          Risk.new(Enum::RiskType::HIGH, Enum::RiskExplanation::VULNERABILITY)
+        elsif @dependency.vulnerabilities.include? Enum::VulnerabilityType::MEDIUM
+          Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::VULNERABILITY)
+        elsif @dependency.vulnerabilities.include? Enum::VulnerabilityType::LOW
+          Risk.new(Enum::RiskType::LOW, Enum::RiskExplanation::VULNERABILITY)
+        else
+          Risk.new(Enum::RiskType::NONE)
+        end
+      end
+      def assess_version_risk
+        if (@dependency.version.split('.').first || '') < (@dependency.latest_version.split('.').first || '')
+          Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::OUTDATED_BY_MAJOR_VERSION)
+        elsif @dependency.version < @dependency.latest_version
+          Risk.new(Enum::RiskType::LOW, Enum::RiskExplanation::OUTDATED)
+        else
+          Risk.new(Enum::RiskType::NONE)
+        end
+      end
+      def assess_deprecation_risk
+        seconds_since_date = (Time.now - Time.parse(@dependency.latest_version_date)).to_i
+        if @dependency.version == @dependency.latest_version &&
+           seconds_since_date >= Const::SECONDS_ELAPSED_TO_BE_OUTDATED
+          Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::POTENTIAL_DEPRECATION)
+        else
+          Risk.new(Enum::RiskType::NONE)
+        end
+      end
+      def production_dependency?
+        @dependency.groups.none? || (@dependency.groups & [Enum::Environment::DEFAULT,
+                                                           Enum::Environment::PRODUCTION]).any?
+      end
+    end
+  end
+end

data/lib/package/audit/ruby/bundler_specs.rb ADDED Viewed

@@ -0,0 +1,28 @@
+require_relative '../dependency'
+require_relative './gem_meta_data'
+require_relative './vulnerability_finder'
+require 'bundler'
+module Package
+  module Audit
+    module Ruby
+      class BundlerSpecs
+        def self.all
+          Bundler.ui.silence { Bundler.definition.resolve }
+        end
+        def self.gemfile
+          current_dependencies = Bundler.ui.silence do
+            Bundler.load.dependencies.to_h { |dep| [dep.name, dep] }
+          end
+          gemfile_specs, = all.partition do |spec|
+            current_dependencies.key? spec.name
+          end
+          gemfile_specs
+        end
+      end
+    end
+  end
+end