package-audit 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 40db656091a8559c095240ab373f96c905cc6b78898717c1932dff93428d8b6e
+  data.tar.gz: a3220c0f098a071c3cd429914b40bda20826e3157035e778513410c01bd1a566
+SHA512:
+  metadata.gz: 348811b4789ffb9dd446a15c6a73819adcf196737a3949689a18457f2b368daa7c2830f10063208e7073833c7b512feb1ddb36bf60e8376f2d84a2d40bd7d9e3
+  data.tar.gz: b3a779536d324ea28160defac771a242020168f4668ac8e7540d89e6c5db7f833c0c9caa435b8bb50b2cb807f8e211e2257d33e64aa80c61affd271e1a3fd24e

data/exe/package-audit

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+
+lib_dir = File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib'))
+$LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+require 'package/audit/cli'
+
+Package::Audit::CLI.start

data/lib/package/audit/cli.rb

@@ -0,0 +1,134 @@
+require_relative './const'
+require_relative './version'
+require_relative './util/summary_printer'
+require_relative './ruby/bundler_specs'
+require_relative './dependency_printer'
+require_relative './ruby/gem_collection'
+
+require 'json'
+require 'thor'
+
+module Package
+  module Audit
+    class CLI < Thor
+      default_task :report
+
+      map '--version' => :version
+
+      desc 'report', 'Show a report of potentially deprecated, outdated or vulnerable gems'
+      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
+      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
+
+      def report
+        within_rescue_block do
+          gems = Ruby::GemCollection.all
+          DependencyPrinter.new(gems, options).print
+
+          if gems.any?
+            Util::SummaryPrinter.total(gems.length) unless options[:csv]
+            Util::SummaryPrinter.report unless options[:csv]
+            exit 1
+          else
+            exit_with_success 'There are no deprecated, outdated or vulnerable gems!'
+          end
+        end
+      end
+
+      desc 'deprecated', "Show gems with no updates by author for at least #{Const::YEARS_ELAPSED_TO_BE_OUTDATED} years"
+      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
+      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
+
+      def deprecated
+        within_rescue_block do
+          gems = Ruby::GemCollection.deprecated
+          DependencyPrinter.new(gems, options).print(%i[name version latest_version latest_version_date groups])
+
+          if gems.any?
+            Util::SummaryPrinter.total(gems.length) unless options[:csv]
+            Util::SummaryPrinter.deprecated unless options[:csv]
+            exit 1
+          else
+            exit_with_success 'No potential deprecated have been found!'
+          end
+        end
+      end
+
+      desc 'outdated', 'Show gems, and optionally their dependencies, that are out of date'
+      method_option :'include-implicit', type: :boolean, default: false,
+                                         desc: 'Only both gems specified in Gemfile and their dependencies'
+      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
+      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
+
+      def outdated # rubocop:disable Metrics/AbcSize
+        within_rescue_block do
+          gems = Ruby::GemCollection.outdated(include_implicit: options[:'include-implicit'])
+          DependencyPrinter.new(gems, options).print(%i[name version latest_version latest_version_date groups])
+
+          if gems.any?
+            Util::SummaryPrinter.total(gems.length) unless options[:csv]
+            Util::SummaryPrinter.outdated unless options[:'include-implicit'] || options[:csv]
+            exit 1
+          else
+            exit_with_success 'All gems are at latest versions!'
+          end
+        end
+      end
+
+      desc 'vulnerable', 'Show gems and their dependencies that have security vulnerabilities'
+      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
+      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
+
+      def vulnerable
+        within_rescue_block do
+          gems = Ruby::GemCollection.vulnerable
+          DependencyPrinter.new(gems, options).print(%i[name version latest_version groups vulnerabilities])
+
+          if gems.any?
+            Util::SummaryPrinter.total(gems.length) unless options[:csv]
+            Util::SummaryPrinter.vulnerable unless options[:csv]
+            exit 1
+          else
+            exit_with_success 'No vulnerabilities found!'
+          end
+        end
+      end
+
+      desc 'risk', 'Print information on how risk is calculated'
+
+      def risk
+        Util::SummaryPrinter.risk
+      end
+
+      desc 'version', 'Print the currently installed version of the package-audit gem'
+
+      def version
+        puts "package-audit #{VERSION}"
+      end
+
+      def self.exit_on_failure?
+        true
+      end
+
+      private
+
+      def within_rescue_block
+        raise "Gemfile was not found in #{Dir.pwd}/Gemfile" unless File.exist?("#{Dir.pwd}/Gemfile")
+        raise "Gemfile.lock was not found in #{Dir.pwd}/Gemfile.lock" unless File.exist?("#{Dir.pwd}/Gemfile.lock")
+
+        yield
+      rescue StandardError => e
+        exit_with_error "#{e.class}: #{e.message}"
+      end
+
+      def exit_with_error(msg)
+        puts Util::BashColor.red msg
+        exit 1
+      end
+
+      def exit_with_success(msg)
+        puts Util::BashColor.green msg
+        exit 0
+      end
+    end
+  end
+end

data/lib/package/audit/const.rb

@@ -0,0 +1,5 @@
+module Const
+  SECONDS_PER_YEAR = 31_556_952 # length of a gregorian year (365.2425 days)
+  YEARS_ELAPSED_TO_BE_OUTDATED = 2
+  SECONDS_ELAPSED_TO_BE_OUTDATED = SECONDS_PER_YEAR * YEARS_ELAPSED_TO_BE_OUTDATED
+end

data/lib/package/audit/dependency.rb

@@ -0,0 +1,57 @@
+require_relative './risk'
+require_relative './risk_calculator'
+require_relative './enum/environment'
+require_relative './enum/risk_type'
+require_relative './enum/risk_explanation'
+
+module Package
+  module Audit
+    class Dependency
+      attr_reader :name, :version
+      attr_accessor :groups, :version_date, :latest_version, :latest_version_date, :vulnerabilities
+
+      def initialize(name, version)
+        @name = name.to_s
+        @version = version.to_s
+        @groups = []
+        @vulnerabilities = []
+      end
+
+      def update(**attr)
+        attr.each { |key, value| instance_variable_set("@#{key}", value) }
+      end
+
+      def risk
+        @risk ||= RiskCalculator.new(self).find || Risk.new(Enum::RiskType::NONE)
+      end
+
+      def risk?
+        risk.type != Enum::RiskType::NONE
+      end
+
+      def group_list
+        @groups.join('|')
+      end
+
+      def vulnerabilities_grouped
+        @vulnerabilities.group_by(&:itself).map { |k, v| "#{k}(#{v.length})" }.join('|')
+      end
+
+      def risk_type
+        risk.type
+      end
+
+      def risk_explanation
+        risk.explanation
+      end
+
+      def to_csv(fields)
+        fields.map { |field| send(field) }.join(',')
+      end
+
+      def to_s
+        "#{@name} #{@version} - [#{@groups.sort.join(', ')}]"
+      end
+    end
+  end
+end

data/lib/package/audit/dependency_printer.rb

@@ -0,0 +1,128 @@
+require_relative './formatter/risk'
+require_relative './formatter/version'
+require_relative './formatter/version_date'
+require_relative './formatter/vulnerability'
+
+module Package
+  module Audit
+    class DependencyPrinter
+      BASH_FORMATTING_REGEX = /\e\[\d+(?:;\d+)*m/
+
+      COLUMN_GAP = 2
+
+      # the names of these fields must match the instance variables in the Dependency class
+      FIELDS = %i[
+        name
+        version
+        latest_version
+        latest_version_date
+        groups
+        vulnerabilities
+        risk_type
+        risk_explanation
+      ]
+
+      HEADERS = {
+        name: 'Package',
+        version: 'Version',
+        latest_version: 'Latest',
+        latest_version_date: 'Latest Date',
+        groups: 'Groups',
+        vulnerabilities: 'Vulnerabilities',
+        risk_type: 'Risk',
+        risk_explanation: 'Risk Explanation'
+      }
+
+      def initialize(dependencies, options)
+        @dependencies = dependencies
+        @options = options
+      end
+
+      def print(fields = FIELDS)
+        if (fields - FIELDS).any?
+          raise ArgumentError, "#{fields - FIELDS} are not valid field names. Available fields names are: #{FIELDS}."
+        end
+
+        if @options[:csv]
+          csv(fields, exclude_headers: @options[:'exclude-headers'])
+        else
+          pretty(fields)
+        end
+      end
+
+      private
+
+      def pretty(fields) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+        return if @dependencies.empty?
+
+        # find the maximum length of each field across all the dependencies so we know how many
+        # characters of horizontal space to allocate for each field when printing
+        fields.each do |key|
+          instance_variable_set "@max_#{key}", HEADERS[key].length
+          @dependencies.each do |gem|
+            curr_field_length = case key
+                                when :vulnerabilities
+                                  gem.vulnerabilities_grouped.length
+                                when :groups
+                                  gem.group_list.length
+                                else
+                                  gem.send(key)&.gsub(BASH_FORMATTING_REGEX, '')&.length || 0
+                                end
+            max_field_length = instance_variable_get "@max_#{key}"
+            instance_variable_set "@max_#{key}", [curr_field_length, max_field_length].max
+          end
+        end
+
+        line_length = fields.sum { |key| instance_variable_get "@max_#{key}" } +
+                      (COLUMN_GAP * (fields.length - 1))
+
+        puts '=' * line_length
+        puts fields.map { |key|
+          HEADERS[key].gsub(BASH_FORMATTING_REGEX, '').ljust(instance_variable_get("@max_#{key}"))
+        }.join(' ' * COLUMN_GAP)
+        puts '=' * line_length
+
+        @dependencies.each do |dep|
+          puts fields.map { |key|
+            val = dep.send(key) || ''
+            val = case key
+                  when :groups
+                    dep.group_list
+                  when :risk_type
+                    Formatter::Risk.new(dep.risk_type).format
+                  when :version
+                    Formatter::Version.new(dep.version, dep.latest_version).format
+                  when :vulnerabilities
+                    Formatter::Vulnerability.new(dep.vulnerabilities).format
+                  when :latest_version_date
+                    Formatter::VersionDate.new(dep.latest_version_date).format
+                  else
+                    val
+                  end
+
+            formatting_length = val.length - val.gsub(BASH_FORMATTING_REGEX, '').length
+            val.ljust(instance_variable_get("@max_#{key}") + formatting_length)
+          }.join(' ' * COLUMN_GAP)
+        end
+      end
+
+      def csv(fields, exclude_headers: false) # rubocop:disable Metrics/MethodLength
+        return if @dependencies.empty?
+
+        value_fields = fields.map do |field|
+          case field
+          when :groups
+            :group_list
+          when :vulnerabilities
+            :vulnerabilities_grouped
+          else
+            field
+          end
+        end
+
+        puts fields.join(',') unless exclude_headers
+        @dependencies.map { |gem| puts gem.to_csv(value_fields) }
+      end
+    end
+  end
+end

data/lib/package/audit/enum/environment.rb

@@ -0,0 +1,15 @@
+require_relative '../const'
+
+module Package
+  module Audit
+    module Enum
+      module Environment
+        DEV = :development
+        TEST = :test
+        STAGING = :staging
+        PRODUCTION = :production
+        DEFAULT = :default
+      end
+    end
+  end
+end

data/lib/package/audit/enum/risk_explanation.rb

@@ -0,0 +1,14 @@
+require_relative '../const'
+
+module Package
+  module Audit
+    module Enum
+      module RiskExplanation
+        POTENTIAL_DEPRECATION = "no updates by author in over #{Const::YEARS_ELAPSED_TO_BE_OUTDATED} years"
+        OUTDATED_BY_MAJOR_VERSION = 'behind by a major version'
+        OUTDATED = 'not at latest version'
+        VULNERABILITY = 'security vulnerability'
+      end
+    end
+  end
+end

data/lib/package/audit/enum/risk_type.rb

@@ -0,0 +1,12 @@
+module Package
+  module Audit
+    module Enum
+      module RiskType
+        NONE = 'none'
+        LOW = 'low'
+        MEDIUM = 'medium'
+        HIGH = 'high'
+      end
+    end
+  end
+end

data/lib/package/audit/enum/vulnerability_type.rb

@@ -0,0 +1,14 @@
+module Package
+  module Audit
+    module Enum
+      module VulnerabilityType
+        NONE = 'none'
+        LOW = 'low'
+        MEDIUM = 'medium'
+        HIGH = 'high'
+        CRITICAL = 'critical'
+        UNKNOWN = 'unknown'
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/base.rb

@@ -0,0 +1,11 @@
+module Package
+  module Audit
+    module Formatter
+      class Base
+        def format
+          raise NotImplementedError, 'Subclass must implement abstract method'
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/risk.rb

@@ -0,0 +1,28 @@
+require_relative './base'
+require_relative '../util/bash_color'
+
+module Package
+  module Audit
+    module Formatter
+      class Risk < Formatter::Base
+        def initialize(risk_type)
+          super()
+          @risk_type = risk_type
+        end
+
+        def format
+          case @risk_type
+          when Enum::RiskType::HIGH
+            Util::BashColor.red(Enum::RiskType::HIGH)
+          when Enum::RiskType::MEDIUM
+            Util::BashColor.orange(Enum::RiskType::MEDIUM)
+          when Enum::RiskType::LOW
+            Util::BashColor.yellow(Enum::RiskType::LOW)
+          else
+            @risk_type.to_s
+          end
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/version.rb

@@ -0,0 +1,33 @@
+require_relative './base'
+require_relative '../util/bash_color'
+
+module Package
+  module Audit
+    module Formatter
+      class Version < Formatter::Base
+        def initialize(curr, target)
+          super()
+          @curr = curr
+          @target = target
+        end
+
+        def format # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+          curr_tokens = @curr.split('.')
+          target_tokens = @target.split('.')
+
+          if curr_tokens[0] && curr_tokens[0] < target_tokens[0]
+            Util::BashColor.orange(@curr)
+          elsif curr_tokens[1] && curr_tokens[1] < target_tokens[1]
+            "#{curr_tokens[0]}.#{Util::BashColor.yellow(curr_tokens[1..]&.join('.'))}"
+          elsif curr_tokens[2] && curr_tokens[2] < target_tokens[2]
+            "#{curr_tokens[0..1]&.join('.')}.#{Util::BashColor.green(curr_tokens[2..]&.join('.'))}"
+          elsif curr_tokens[3] && curr_tokens[3] < target_tokens[3]
+            "#{curr_tokens[0..2]&.join('.')}.#{Util::BashColor.green(curr_tokens[3])}"
+          else
+            @curr
+          end
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/version_date.rb

@@ -0,0 +1,28 @@
+require_relative '../const'
+require_relative './base'
+require_relative '../util/bash_color'
+
+require 'time'
+
+module Package
+  module Audit
+    module Formatter
+      class VersionDate < Formatter::Base
+        def initialize(date)
+          super()
+          @date = date
+        end
+
+        def format
+          seconds_since_date = (Time.now - Time.parse(@date)).to_i
+
+          if seconds_since_date >= Const::SECONDS_ELAPSED_TO_BE_OUTDATED
+            Util::BashColor.yellow(@date)
+          else
+            @date
+          end
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/vulnerability.rb

@@ -0,0 +1,37 @@
+require_relative './base'
+require_relative '../enum/vulnerability_type'
+require_relative '../util/bash_color'
+
+module Package
+  module Audit
+    module Formatter
+      class Vulnerability < Formatter::Base
+        def initialize(vulnerabilities)
+          super()
+          @vulnerabilities = vulnerabilities
+        end
+
+        def format # rubocop:disable Metrics/MethodLength
+          formatted = @vulnerabilities.map do |vulnerability|
+            case vulnerability
+            when Enum::VulnerabilityType::UNKNOWN, Enum::VulnerabilityType::CRITICAL, Enum::VulnerabilityType::HIGH
+              Util::BashColor.red(vulnerability)
+            when Enum::VulnerabilityType::MEDIUM
+              Util::BashColor.orange(vulnerability)
+            when Enum::VulnerabilityType::LOW
+              Util::BashColor.yellow(vulnerability)
+            else
+              vulnerability
+            end
+          end
+
+          formatted.group_by(&:itself).map { |k, v| "#{k}(#{v.length})" }.join(' ')
+        end
+
+        private
+
+        def group; end
+      end
+    end
+  end
+end

data/lib/package/audit/risk.rb

@@ -0,0 +1,27 @@
+module Package
+  module Audit
+    class Risk
+      include Comparable
+
+      attr_reader :type, :explanation
+
+      def initialize(type, explanation = nil)
+        @type = type
+        @explanation = explanation
+      end
+
+      def <=>(other) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+        if @type == other.type
+          0
+        elsif (@type == Enum::RiskType::HIGH && [Enum::RiskType::MEDIUM, Enum::RiskType::LOW,
+                                                 Enum::RiskType::NONE].include?(other.type)) ||
+              (@type == Enum::RiskType::MEDIUM && [Enum::RiskType::LOW, Enum::RiskType::NONE].include?(other.type)) ||
+              (@type == Enum::RiskType::LOW && [Enum::RiskType::NONE].include?(other.type))
+          1
+        else
+          -1
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/risk_calculator.rb

@@ -0,0 +1,65 @@
+require_relative './const'
+
+module Package
+  module Audit
+    class RiskCalculator
+      def initialize(dependency)
+        @dependency = dependency
+      end
+
+      def find
+        vulnerability_risk = assess_vulnerability_risk
+        deprecation_risk = assess_vulnerability_risk
+        version_risk = assess_version_risk
+
+        risk = [vulnerability_risk, deprecation_risk, version_risk].max
+        risk = [risk, Risk.new(Enum::RiskType::MEDIUM, risk.explanation)].min unless risk.nil? || production_dependency?
+        risk
+      end
+
+      private
+
+      def assess_vulnerability_risk # rubocop:disable Metrics/MethodLength
+        if (@dependency.vulnerabilities & [
+          Enum::VulnerabilityType::UNKNOWN,
+          Enum::VulnerabilityType::CRITICAL,
+          Enum::VulnerabilityType::HIGH
+        ]).any?
+          Risk.new(Enum::RiskType::HIGH, Enum::RiskExplanation::VULNERABILITY)
+        elsif @dependency.vulnerabilities.include? Enum::VulnerabilityType::MEDIUM
+          Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::VULNERABILITY)
+        elsif @dependency.vulnerabilities.include? Enum::VulnerabilityType::LOW
+          Risk.new(Enum::RiskType::LOW, Enum::RiskExplanation::VULNERABILITY)
+        else
+          Risk.new(Enum::RiskType::NONE)
+        end
+      end
+
+      def assess_version_risk
+        if (@dependency.version.split('.').first || '') < (@dependency.latest_version.split('.').first || '')
+          Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::OUTDATED_BY_MAJOR_VERSION)
+        elsif @dependency.version < @dependency.latest_version
+          Risk.new(Enum::RiskType::LOW, Enum::RiskExplanation::OUTDATED)
+        else
+          Risk.new(Enum::RiskType::NONE)
+        end
+      end
+
+      def assess_deprecation_risk
+        seconds_since_date = (Time.now - Time.parse(@dependency.latest_version_date)).to_i
+
+        if @dependency.version == @dependency.latest_version &&
+           seconds_since_date >= Const::SECONDS_ELAPSED_TO_BE_OUTDATED
+          Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::POTENTIAL_DEPRECATION)
+        else
+          Risk.new(Enum::RiskType::NONE)
+        end
+      end
+
+      def production_dependency?
+        @dependency.groups.none? || (@dependency.groups & [Enum::Environment::DEFAULT,
+                                                           Enum::Environment::PRODUCTION]).any?
+      end
+    end
+  end
+end

data/lib/package/audit/ruby/bundler_specs.rb

@@ -0,0 +1,28 @@
+require_relative '../dependency'
+require_relative './gem_meta_data'
+require_relative './vulnerability_finder'
+
+require 'bundler'
+
+module Package
+  module Audit
+    module Ruby
+      class BundlerSpecs
+        def self.all
+          Bundler.ui.silence { Bundler.definition.resolve }
+        end
+
+        def self.gemfile
+          current_dependencies = Bundler.ui.silence do
+            Bundler.load.dependencies.to_h { |dep| [dep.name, dep] }
+          end
+
+          gemfile_specs, = all.partition do |spec|
+            current_dependencies.key? spec.name
+          end
+          gemfile_specs
+        end
+      end
+    end
+  end
+end