package-audit 0.1.0 → 0.3.0

data/lib/package/audit/npm/vulnerability_finder.rb

@@ -0,0 +1,44 @@
+require_relative '../const/cmd'
+require_relative '../enum/vulnerability_type'
+
+module Package
+  module Audit
+    module Npm
+      class VulnerabilityFinder
+        AUDIT_ADVISORY_REGEX = /^{"type":"auditAdvisory".*$/
+
+        def initialize(dir, pkgs)
+          @dir = dir
+          @pkg_hash = pkgs.to_h { |pkg| [pkg.name, pkg] }
+          @vuln_hash = {}
+        end
+
+        def run
+          json_string_lines = `#{format(Const::Cmd::YARN_AUDIT_JSON, @dir)}`
+          array = json_string_lines.scan(AUDIT_ADVISORY_REGEX)
+
+          vulnerability_json_array = JSON.parse("[#{array.join(',')}]", symbolize_names: true)
+          vulnerability_json_array.each do |vulnerability_json|
+            update_meta_data(vulnerability_json)
+          end
+          @vuln_hash.values
+        end
+
+        private
+
+        def update_meta_data(json) # rubocop:disable Metrics/AbcSize
+          parent_name = json[:data][:resolution][:path].split('>').first
+          advisory = json[:data][:advisory]
+          name = advisory[:module_name]
+          version = advisory[:findings][0][:version]
+          full_name = "#{name}@#{version}"
+          vulnerability = advisory[:severity] || Enum::VulnerabilityType::UNKNOWN
+
+          @vuln_hash[full_name] = Package.new(name, version) unless @vuln_hash.key? full_name
+          @vuln_hash[full_name].update vulnerabilities: @vuln_hash[full_name].vulnerabilities + [vulnerability]
+          @vuln_hash[full_name].update groups: @pkg_hash[parent_name].groups
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/npm/yarn_lock_parser.rb

@@ -0,0 +1,46 @@
+module Package
+  module Audit
+    module Npm
+      class YarnLockParser
+        def initialize(yarn_lock_path)
+          @yarn_lock_file = File.read(yarn_lock_path)
+          @yarn_lock_path = yarn_lock_path
+        end
+
+        def fetch(default_deps, dev_deps)
+          pkgs = []
+          default_deps.merge(dev_deps).each do |dep_name, expected_version|
+            pkg_block = fetch_package_block(dep_name, expected_version)
+            version = fetch_package_version(dep_name, pkg_block)
+            pks = Package.new(dep_name.to_s, version)
+            pks.update groups: dev_deps.key?(dep_name) ? %i[development] : %i[default development]
+            pkgs << pks
+          end
+          pkgs
+        end
+
+        private
+
+        def fetch_package_block(dep_name, expected_version)
+          regex = /#{Regexp.escape(dep_name)}@#{Regexp.escape(expected_version)}.*?:.*?(\n\n|\z)/m
+          blocks = @yarn_lock_file.match(regex)
+          if blocks.nil? || blocks[0].nil?
+            raise NoMatchingPatternError, "Unable to find \"#{dep_name}\" in #{@yarn_lock_path}"
+          end
+
+          blocks[0] || ''
+        end
+
+        def fetch_package_version(dep_name, pkg_block)
+          version = pkg_block.match(/version"?\s*"(.*?)"/)&.captures&.[](0)
+          if version.nil?
+            raise NoMatchingPatternError,
+                  "Unable to find the version of \"#{dep_name}\" in #{@yarn_lock_path}"
+          end
+
+          version || '0.0.0.0'
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/package.rb

@@ -0,0 +1,91 @@
+require_relative 'risk'
+require_relative 'risk_calculator'
+require_relative 'enum/environment'
+require_relative 'enum/risk_type'
+require_relative 'enum/risk_explanation'
+
+module Package
+  module Audit
+    class Package
+      attr_reader :name, :version
+      attr_accessor :groups, :version_date, :latest_version, :latest_version_date, :vulnerabilities
+
+      def initialize(name, version, **attr)
+        @name = name.to_s
+        @version = version.to_s
+        @groups = []
+        @vulnerabilities = []
+        @risks = []
+        update(**attr)
+      end
+
+      def full_name
+        "#{name}@#{version}"
+      end
+
+      def update(**attr)
+        attr.each { |key, value| instance_variable_set("@#{key}", value) }
+      end
+
+      def risk
+        risks.max || Risk.new(Enum::RiskType::NONE)
+      end
+
+      def risks
+        RiskCalculator.new(self).find
+      end
+
+      def risk?
+        risks.any?
+      end
+
+      def group_list
+        @groups.join('|')
+      end
+
+      def vulnerabilities_grouped
+        @vulnerabilities.group_by(&:itself).map { |k, v| "#{k}(#{v.length})" }.join('|')
+      end
+
+      def risk_type
+        risk.type
+      end
+
+      def risk_explanation
+        risk.explanation
+      end
+
+      def deprecated?
+        risks.each do |risk|
+          return true if risk.explanation == Enum::RiskExplanation::POTENTIAL_DEPRECATION
+        end
+        false
+      end
+
+      def outdated?
+        risks.each do |risk|
+          return true if [
+            Enum::RiskExplanation::OUTDATED,
+            Enum::RiskExplanation::OUTDATED_BY_MAJOR_VERSION
+          ].include?(risk.explanation || '')
+        end
+        false
+      end
+
+      def vulnerable?
+        risks.each do |risk|
+          return true if risk.explanation == Enum::RiskExplanation::VULNERABILITY
+        end
+        false
+      end
+
+      def to_csv(fields)
+        fields.map { |field| send(field) }.join(',')
+      end
+
+      def to_s
+        "#{@name} #{@version} - [#{@groups.sort.join(', ')}]"
+      end
+    end
+  end
+end

data/lib/package/audit/{dependency_printer.rb → printer.rb}

@@ -1,65 +1,49 @@
-require_relative './formatter/risk'
-require_relative './formatter/version'
-require_relative './formatter/version_date'
-require_relative './formatter/vulnerability'
+require_relative 'const/fields'
+require_relative 'formatter/risk'
+require_relative 'formatter/version'
+require_relative 'formatter/version_date'
+require_relative 'formatter/vulnerability'
 
 module Package
   module Audit
-    class DependencyPrinter
+    class Printer
       BASH_FORMATTING_REGEX = /\e\[\d+(?:;\d+)*m/
 
       COLUMN_GAP = 2
 
-      # the names of these fields must match the instance variables in the Dependency class
-      FIELDS = %i[
-        name
-        version
-        latest_version
-        latest_version_date
-        groups
-        vulnerabilities
-        risk_type
-        risk_explanation
-      ]
-
-      HEADERS = {
-        name: 'Package',
-        version: 'Version',
-        latest_version: 'Latest',
-        latest_version_date: 'Latest Date',
-        groups: 'Groups',
-        vulnerabilities: 'Vulnerabilities',
-        risk_type: 'Risk',
-        risk_explanation: 'Risk Explanation'
-      }
-
-      def initialize(dependencies, options)
-        @dependencies = dependencies
+      def initialize(pkgs, options)
+        @pkgs = pkgs
         @options = options
       end
 
-      def print(fields = FIELDS)
-        if (fields - FIELDS).any?
-          raise ArgumentError, "#{fields - FIELDS} are not valid field names. Available fields names are: #{FIELDS}."
-        end
+      def print(fields)
+        check_fields(fields)
+        return if @pkgs.empty?
 
         if @options[:csv]
           csv(fields, exclude_headers: @options[:'exclude-headers'])
         else
           pretty(fields)
         end
+        puts
       end
 
       private
 
-      def pretty(fields) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
-        return if @dependencies.empty?
+      def check_fields(fields)
+        return unless (fields - Const::Fields::ALL).any?
 
-        # find the maximum length of each field across all the dependencies so we know how many
+        raise ArgumentError,
+              "#{fields - Const::Fields::ALL} are not valid field names. " \
+              "Available fields names are: #{Const::Fields::ALL}."
+      end
+
+      def pretty(fields = Const::Fields::REPORT) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+        # find the maximum length of each field across all the packages so we know how many
         # characters of horizontal space to allocate for each field when printing
         fields.each do |key|
-          instance_variable_set "@max_#{key}", HEADERS[key].length
-          @dependencies.each do |gem|
+          instance_variable_set "@max_#{key}", Const::Fields::HEADERS[key].length
+          @pkgs.each do |gem|
             curr_field_length = case key
                                 when :vulnerabilities
                                   gem.vulnerabilities_grouped.length
@@ -78,24 +62,24 @@ module Package
 
         puts '=' * line_length
         puts fields.map { |key|
-          HEADERS[key].gsub(BASH_FORMATTING_REGEX, '').ljust(instance_variable_get("@max_#{key}"))
+          Const::Fields::HEADERS[key].gsub(BASH_FORMATTING_REGEX, '').ljust(instance_variable_get("@max_#{key}"))
         }.join(' ' * COLUMN_GAP)
         puts '=' * line_length
 
-        @dependencies.each do |dep|
+        @pkgs.each do |pkg|
           puts fields.map { |key|
-            val = dep.send(key) || ''
+            val = pkg.send(key) || ''
             val = case key
                   when :groups
-                    dep.group_list
+                    pkg.group_list
                   when :risk_type
-                    Formatter::Risk.new(dep.risk_type).format
+                    Formatter::Risk.new(pkg.risk_type).format
                   when :version
-                    Formatter::Version.new(dep.version, dep.latest_version).format
+                    Formatter::Version.new(pkg.version, pkg.latest_version).format
                   when :vulnerabilities
-                    Formatter::Vulnerability.new(dep.vulnerabilities).format
+                    Formatter::Vulnerability.new(pkg.vulnerabilities).format
                   when :latest_version_date
-                    Formatter::VersionDate.new(dep.latest_version_date).format
+                    Formatter::VersionDate.new(pkg.latest_version_date).format
                   else
                     val
                   end
@@ -106,9 +90,7 @@ module Package
         end
       end
 
-      def csv(fields, exclude_headers: false) # rubocop:disable Metrics/MethodLength
-        return if @dependencies.empty?
-
+      def csv(fields, exclude_headers: false)
         value_fields = fields.map do |field|
           case field
           when :groups
@@ -121,7 +103,7 @@ module Package
         end
 
         puts fields.join(',') unless exclude_headers
-        @dependencies.map { |gem| puts gem.to_csv(value_fields) }
+        @pkgs.map { |gem| puts gem.to_csv(value_fields) }
       end
     end
   end

data/lib/package/audit/risk_calculator.rb

@@ -1,64 +1,79 @@
-require_relative './const'
+require_relative 'const/time'
 
 module Package
   module Audit
     class RiskCalculator
-      def initialize(dependency)
-        @dependency = dependency
+      def initialize(pkg)
+        @pkg = pkg
       end
 
       def find
-        vulnerability_risk = assess_vulnerability_risk
-        deprecation_risk = assess_vulnerability_risk
-        version_risk = assess_version_risk
+        risks = assess_vulnerability_risks + assess_deprecation_risks + assess_version_risks
 
-        risk = [vulnerability_risk, deprecation_risk, version_risk].max
-        risk = [risk, Risk.new(Enum::RiskType::MEDIUM, risk.explanation)].min unless risk.nil? || production_dependency?
-        risk
+        unless production_dependency?
+          risks.each_with_index do |risk, index|
+            risks[index] =
+              [risk, Risk.new(Enum::RiskType::MEDIUM, risk.explanation)].min || Risk.new(Enum::RiskType::NONE)
+          end
+        end
+        risks
       end
 
       private
 
-      def assess_vulnerability_risk # rubocop:disable Metrics/MethodLength
-        if (@dependency.vulnerabilities & [
+      def assess_vulnerability_risks # rubocop:disable Metrics/MethodLength
+        risks = []
+
+        if (@pkg.vulnerabilities & [
           Enum::VulnerabilityType::UNKNOWN,
           Enum::VulnerabilityType::CRITICAL,
           Enum::VulnerabilityType::HIGH
         ]).any?
-          Risk.new(Enum::RiskType::HIGH, Enum::RiskExplanation::VULNERABILITY)
-        elsif @dependency.vulnerabilities.include? Enum::VulnerabilityType::MEDIUM
-          Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::VULNERABILITY)
-        elsif @dependency.vulnerabilities.include? Enum::VulnerabilityType::LOW
-          Risk.new(Enum::RiskType::LOW, Enum::RiskExplanation::VULNERABILITY)
-        else
-          Risk.new(Enum::RiskType::NONE)
+          risks << Risk.new(Enum::RiskType::HIGH, Enum::RiskExplanation::VULNERABILITY)
+        end
+        if (@pkg.vulnerabilities & [
+          Enum::VulnerabilityType::MEDIUM,
+          Enum::VulnerabilityType::MODERATE
+        ]).any?
+          risks << Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::VULNERABILITY)
+        end
+        if @pkg.vulnerabilities.include? Enum::VulnerabilityType::LOW
+          risks << Risk.new(Enum::RiskType::LOW, Enum::RiskExplanation::VULNERABILITY)
         end
+        risks
       end
 
-      def assess_version_risk
-        if (@dependency.version.split('.').first || '') < (@dependency.latest_version.split('.').first || '')
-          Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::OUTDATED_BY_MAJOR_VERSION)
-        elsif @dependency.version < @dependency.latest_version
-          Risk.new(Enum::RiskType::LOW, Enum::RiskExplanation::OUTDATED)
-        else
-          Risk.new(Enum::RiskType::NONE)
+      def assess_version_risks # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+        risks = []
+
+        return risks if @pkg.latest_version.nil?
+
+        version_parts = @pkg.version.split('.').map(&:to_i)
+        latest_version_parts = @pkg.latest_version.split('.').map(&:to_i)
+
+        if (version_parts.first || 0) < (latest_version_parts.first || 0)
+          risks << Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::OUTDATED_BY_MAJOR_VERSION)
+        end
+        if (version_parts.first || 0) == (latest_version_parts.first || 0) &&
+           (version_parts[1..] <=> latest_version_parts[1..]) == -1
+          risks << Risk.new(Enum::RiskType::LOW, Enum::RiskExplanation::OUTDATED)
         end
+        risks
       end
 
-      def assess_deprecation_risk
-        seconds_since_date = (Time.now - Time.parse(@dependency.latest_version_date)).to_i
+      def assess_deprecation_risks
+        risks = []
+        seconds_since_date = (Time.now - Time.parse(@pkg.latest_version_date)).to_i
 
-        if @dependency.version == @dependency.latest_version &&
-           seconds_since_date >= Const::SECONDS_ELAPSED_TO_BE_OUTDATED
-          Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::POTENTIAL_DEPRECATION)
-        else
-          Risk.new(Enum::RiskType::NONE)
+        if seconds_since_date >= Const::Time::SECONDS_ELAPSED_TO_BE_OUTDATED
+          risks << Risk.new(Enum::RiskType::MEDIUM, Enum::RiskExplanation::POTENTIAL_DEPRECATION)
         end
+        risks
       end
 
       def production_dependency?
-        @dependency.groups.none? || (@dependency.groups & [Enum::Environment::DEFAULT,
-                                                           Enum::Environment::PRODUCTION]).any?
+        @pkg.groups.none? || (@pkg.groups & [Enum::Environment::DEFAULT,
+                                             Enum::Environment::PRODUCTION]).any?
       end
     end
   end

data/lib/package/audit/ruby/bundler_specs.rb

@@ -1,6 +1,6 @@
-require_relative '../dependency'
-require_relative './gem_meta_data'
-require_relative './vulnerability_finder'
+require_relative '../package'
+require_relative 'gem_meta_data'
+require_relative 'vulnerability_finder'
 
 require 'bundler'
 
@@ -8,16 +8,23 @@ module Package
   module Audit
     module Ruby
       class BundlerSpecs
-        def self.all
-          Bundler.ui.silence { Bundler.definition.resolve }
+        def self.all(dir)
+          Bundler.with_unbundled_env do
+            ENV['BUNDLE_GEMFILE'] = "#{dir}/Gemfile"
+            Bundler.ui.silence { Bundler.definition.resolve }
+          end
         end
 
-        def self.gemfile
-          current_dependencies = Bundler.ui.silence do
-            Bundler.load.dependencies.to_h { |dep| [dep.name, dep] }
+        def self.gemfile(dir)
+          current_dependencies = Bundler.with_unbundled_env do
+            ENV['BUNDLE_GEMFILE'] = "#{dir}/Gemfile"
+            Bundler.reset!
+            Bundler.ui.silence do
+              Bundler.load.dependencies.to_h { |dep| [dep.name, dep] }
+            end
           end
 
-          gemfile_specs, = all.partition do |spec|
+          gemfile_specs, = all(dir).partition do |spec|
             current_dependencies.key? spec.name
           end
           gemfile_specs

data/lib/package/audit/ruby/gem_collection.rb

@@ -1,41 +1,41 @@
-require_relative './bundler_specs'
-require_relative './../enum/risk_type'
+require_relative 'bundler_specs'
+require_relative '../enum/risk_type'
+require_relative '../duplicate_package_merger'
 
 module Package
   module Audit
     module Ruby
       class GemCollection
-        def self.all
-          specs = BundlerSpecs.gemfile
-          dependencies = specs.map { |spec| Dependency.new(spec.name, spec.version) }
-          vulnerable_deps = VulnerabilityFinder.run
-          GemMetaData.new(dependencies + vulnerable_deps).fetch.filter(&:risk?).sort_by(&:name).uniq(&:name)
+        def initialize(dir)
+          @dir = dir
         end
 
-        def self.deprecated
-          specs = BundlerSpecs.gemfile
-          dependencies = specs.map { |spec| Dependency.new(spec.name, spec.version) }
-
-          GemMetaData.new(dependencies).fetch.filter do |dep|
-            dep.risk.explanation == Enum::RiskExplanation::POTENTIAL_DEPRECATION
-          end.sort_by(&:name).uniq(&:name)
+        def all
+          specs = BundlerSpecs.gemfile(@dir)
+          pkgs = specs.map { |spec| Package.new(spec.name, spec.version) }
+          vulnerable_pkgs = VulnerabilityFinder.new(@dir).run
+          pkgs = GemMetaData.new(pkgs + vulnerable_pkgs).fetch.filter(&:risk?)
+          DuplicatePackageMerger.new(pkgs).run
         end
 
-        def self.outdated(include_implicit: false)
-          specs = include_implicit ? BundlerSpecs.all : BundlerSpecs.gemfile
-          dependencies = specs.map { |spec| Dependency.new(spec.name, spec.version) }
-
-          GemMetaData.new(dependencies).fetch.filter do |dep|
-            dep.version < dep.latest_version
-          end.sort_by(&:name).uniq(&:name)
+        def deprecated
+          specs = BundlerSpecs.gemfile(@dir)
+          pkgs = specs.map { |spec| Package.new(spec.name, spec.version) }
+          pkgs = GemMetaData.new(pkgs).fetch.filter(&:deprecated?)
+          DuplicatePackageMerger.new(pkgs).run
         end
 
-        def self.vulnerable
-          dependencies = VulnerabilityFinder.run
+        def outdated(include_implicit: false)
+          specs = include_implicit ? BundlerSpecs.all(@dir) : BundlerSpecs.gemfile(@dir)
+          pkgs = specs.map { |spec| Package.new(spec.name, spec.version) }
+          pkgs = GemMetaData.new(pkgs).fetch.filter(&:outdated?)
+          DuplicatePackageMerger.new(pkgs).run
+        end
 
-          GemMetaData.new(dependencies).fetch.filter do |dep|
-            dep.risk.explanation == Enum::RiskExplanation::VULNERABILITY
-          end.sort_by(&:name).uniq(&:name)
+        def vulnerable
+          pkgs = VulnerabilityFinder.new(@dir).run
+          pkgs = GemMetaData.new(pkgs).fetch.filter(&:vulnerable?)
+          DuplicatePackageMerger.new(pkgs).run
         end
       end
     end

data/lib/package/audit/ruby/gem_meta_data.rb

@@ -1,11 +1,11 @@
-require_relative '../dependency'
+require_relative '../package'
 
 module Package
   module Audit
     module Ruby
       class GemMetaData
-        def initialize(dependencies)
-          @dependencies = dependencies
+        def initialize(pkgs)
+          @pkgs = pkgs
           @gem_hash = {}
         end
 
@@ -20,23 +20,25 @@ module Package
         def find_rubygems_metadata # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
           fetcher = Gem::SpecFetcher.fetcher
 
-          @dependencies.each do |dep|
-            gem_dependency = Gem::Dependency.new dep.name, ">= #{dep.version}"
+          @pkgs.each do |pkg|
+            gem_dependency = Gem::Dependency.new pkg.name, ">= #{pkg.version}"
             local_version_date = Time.new(0)
             latest_version_date = Time.new(0)
-            local_version = Gem::Version.new(dep.version)
-            latest_version = Gem::Version.new('0.0.0')
+            local_version = Gem::Version.new(pkg.version)
+            latest_version = Gem::Version.new('0.0.0.0')
 
             remote_dependencies, = fetcher.spec_for_dependency gem_dependency
 
+            next unless remote_dependencies.any?
+
             remote_dependencies.each do |remote_spec, _|
               latest_version = remote_spec.version if latest_version < remote_spec.version
               latest_version_date = remote_spec.date if latest_version_date < remote_spec.date
               local_version_date = remote_spec.date if local_version == remote_spec.version
             end
 
-            @gem_hash[dep.name] = dep
-            dep.update latest_version: latest_version.to_s,
+            @gem_hash[pkg.name] = pkg
+            pkg.update latest_version: latest_version.to_s,
                        version_date: local_version_date.strftime('%Y-%m-%d'),
                        latest_version_date: latest_version_date.strftime('%Y-%m-%d')
           end

data/lib/package/audit/ruby/vulnerability_finder.rb

@@ -1,22 +1,33 @@
+require_relative '../const/cmd'
 require_relative '../enum/vulnerability_type'
 
 module Package
   module Audit
     module Ruby
       class VulnerabilityFinder
-        def self.run # rubocop:disable Metrics/AbcSize
-          gem_hash = {}
-          json_str = `bundle exec bundle-audit check --update --quiet --format json`
-          json_results = JSON.parse(json_str, symbolize_names: true)[:results]
-          json_results.each do |result|
-            gem_name = result[:gem][:name]
-            vulnerability = result[:advisory][:criticality] || Enum::VulnerabilityType::UNKNOWN
-            unless gem_hash.key? gem_name
-              gem_hash[gem_name] = Dependency.new result[:gem][:name], result[:gem][:version]
-            end
-            gem_hash[gem_name].update vulnerabilities: gem_hash[gem_name].vulnerabilities + [vulnerability]
+        def initialize(dir)
+          @dir = dir
+          @vuln_hash = {}
+        end
+
+        def run
+          json_result = `#{format(Const::Cmd::BUNDLE_AUDIT_JSON, @dir)}`
+          vulnerability_json_array = JSON.parse(json_result, symbolize_names: true)[:results]
+          vulnerability_json_array.each do |vulnerability_json|
+            update_meta_data(vulnerability_json)
           end
-          gem_hash.values
+          @vuln_hash.values
+        end
+
+        private
+
+        def update_meta_data(json)
+          name = json[:gem][:name]
+          version = json[:gem][:version]
+          full_name = "#{name}@#{version}"
+          vulnerability = json[:advisory][:criticality] || Enum::VulnerabilityType::UNKNOWN
+          @vuln_hash[full_name] = Package.new(name, version) unless @vuln_hash.key? full_name
+          @vuln_hash[full_name].update vulnerabilities: @vuln_hash[full_name].vulnerabilities + [vulnerability]
         end
       end
     end