package-audit 0.1.0 → 0.3.0

data/lib/package/audit/util/summary_printer.rb

@@ -1,5 +1,5 @@
-require_relative '../const'
-require_relative './bash_color'
+require_relative '../const/time'
+require_relative 'bash_color'
 
 module Package
   module Audit
@@ -8,48 +8,55 @@ module Package
         def self.report
           printf("\n%<info>s\n%<cmd>s\n\n",
                  info: Util::BashColor.blue('To show how risk is calculated run:'),
-                 cmd: Util::BashColor.magenta(' > bundle exec package-audit risk'))
+                 cmd: Util::BashColor.magenta(' > package-audit risk'))
         end
 
         def self.deprecated
-          puts Util::BashColor.blue("\nAlthough gems listed above have no recent updates, they may not be deprecated.")
-          puts Util::BashColor.blue("Please contact the gem author for more information about its status.\n")
+          puts Util::BashColor.blue('Although the packages above have no recent updates, they may not be deprecated.')
+          puts Util::BashColor.blue("Please contact the package author for more information about its status.\n")
         end
 
-        def self.outdated
-          printf("\n%<info>s\n%<cmd>s\n\n",
-                 info: Util::BashColor.blue('To show both Gemfile gems and their dependencies run:'),
-                 cmd: Util::BashColor.magenta(' > bundle exec package-audit outdated --include-implicit'))
+        def self.vulnerable(package_type, cmd)
+          printf("%<info>s\n%<cmd>s\n\n",
+                 info: Util::BashColor.blue("To get more information about the #{package_type} vulnerabilities run:"),
+                 cmd: Util::BashColor.magenta(" > #{cmd}"))
         end
 
-        def self.vulnerable
-          printf("\n%<info>s\n%<cmd>s\n\n",
-                 info: Util::BashColor.blue('To get more information about the vulnerabilities run:'),
-                 cmd: Util::BashColor.magenta(' > bundle exec bundle-audit check --update'))
+        def self.total(package_type, pkgs)
+          puts Util::BashColor.cyan("Found a total of #{pkgs.length} #{package_type}s.\n")
         end
 
-        def self.total(num)
-          puts Util::BashColor.cyan("\nFound a total of #{num} gems.")
+        def self.statistics(package_type, pkgs)
+          outdated = pkgs.count(&:outdated?)
+          deprecated = pkgs.count(&:deprecated?)
+          vulnerable = pkgs.count(&:vulnerable?)
+
+          vulnerabilities = pkgs.sum { |pkg| pkg.vulnerabilities.length }
+
+          puts Util::BashColor.cyan("Found a total of #{pkgs.length} #{package_type}s.\n" \
+                                    "#{vulnerable} vulnerable (#{vulnerabilities} vulnerabilities), " \
+                                    "#{outdated} outdated, #{deprecated} deprecated.\n")
         end
 
         def self.risk # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
-          puts Util::BashColor.blue('1. Check if the dependency has a security vulnerability.')
+          puts Util::BashColor.blue('1. Check if the package has a security vulnerability.')
           puts '   If yes, the following vulnerability -> risk mapping is used:'
           puts "      - #{Util::BashColor.red('unknown')} vulnerability\t-> #{Util::BashColor.red('high')} risk"
           puts "      - #{Util::BashColor.red('critical')} vulnerability\t-> #{Util::BashColor.red('high')} risk"
           puts "      - #{Util::BashColor.red('high')} vulnerability\t-> #{Util::BashColor.red('high')} risk"
           puts "      - #{Util::BashColor.orange('medium')} vulnerability\t-> #{Util::BashColor.orange('medium')} risk"
+          puts "      - #{Util::BashColor.orange('moderate')} vulnerability\t-> #{Util::BashColor.orange('medium')} risk" # rubocop:disable Layout/LineLength
           puts "      - #{Util::BashColor.yellow('low')} vulnerability\t-> #{Util::BashColor.yellow('low')} risk"
 
           puts
 
-          puts Util::BashColor.blue('2. Check the dependency for potential deprecation.')
-          puts "   If no new releases by author for at least #{Const::YEARS_ELAPSED_TO_BE_OUTDATED} years:"
+          puts Util::BashColor.blue('2. Check the package for potential deprecation.')
+          puts "   If no new releases by author for at least #{Const::Time::YEARS_ELAPSED_TO_BE_OUTDATED} years:"
           puts "      - assign the risk to\t-> #{Util::BashColor.orange('medium')} risk"
 
           puts
 
-          puts Util::BashColor.blue('3. Check if a newer version of the dependency is available.')
+          puts Util::BashColor.blue('3. Check if a newer version of the package is available.')
 
           puts '   If yes, assign risk as follows:'
           puts "      - #{Util::BashColor.orange('major version')} mismatch\t-> #{Util::BashColor.orange('medium')} risk" # rubocop:disable Layout/LineLength
@@ -65,8 +72,8 @@ module Package
 
           puts
 
-          puts Util::BashColor.blue('5. Check whether the dependency is used in production or not.')
-          puts '   If a dependency is limited to a non-production environment:'
+          puts Util::BashColor.blue('5. Check whether the package is used in production or not.')
+          puts '   If a package is limited to a non-production environment:'
           puts "      - cap risk severity to\t -> #{Util::BashColor.orange('medium')} risk"
         end
       end

data/lib/package/audit/version.rb

@@ -1,5 +1,5 @@
 module Package
   module Audit
-    VERSION = '0.1.0'
+    VERSION = '0.3.0'
   end
 end

data/sig/package/audit/command_service.rbs

@@ -0,0 +1,29 @@
+module Package
+  module Audit
+    class CommandService
+      NODE_MODULE: String
+      RUBY_GEM: String
+
+      @dir: String
+      @options: Hash[Symbol, untyped]
+
+      def initialize: (String, Hash[Symbol, untyped]) -> void
+
+      def all: -> bool
+
+      def deprecated: -> bool
+
+      def outdated: -> bool
+
+      def vulnerable: -> bool
+
+      private
+
+      def node?: -> bool?
+
+      def print_success_message: (String) -> void
+
+      def ruby?: -> bool?
+    end
+  end
+end

data/sig/package/audit/const/cmd.rbs

@@ -0,0 +1,14 @@
+module Package
+  module Audit
+    module Const
+      module Cmd
+        BUNDLE_AUDIT: String
+        BUNDLE_AUDIT_JSON: String
+        NPM_AUDIT: String
+        NPM_AUDIT_JSON: String
+        YARN_AUDIT: String
+        YARN_AUDIT_JSON: String
+      end
+    end
+  end
+end

data/sig/package/audit/const/fields.rbs

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Const
+      module Fields
+        ALL: Array[Symbol]
+        HEADERS: Hash[Symbol, String]
+        OUTDATED: Array[Symbol]
+        REPORT: Array[Symbol]
+        VULNERABLE: Array[Symbol]
+      end
+    end
+  end
+end

data/sig/package/audit/const/file.rbs

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Const
+      module File
+        GEMFILE: String
+        GEMFILE_LOCK: String
+        PACKAGE_JSON: String
+        PACKAGE_LOCK_JSON: String
+        YARN_LOCK: String
+      end
+    end
+  end
+end

data/sig/package/audit/const/time.rbs

@@ -0,0 +1,11 @@
+module Package
+  module Audit
+    module Const
+      module Time
+        SECONDS_ELAPSED_TO_BE_OUTDATED: Integer
+        SECONDS_PER_YEAR: Integer
+        YEARS_ELAPSED_TO_BE_OUTDATED: Integer
+      end
+    end
+  end
+end

data/sig/package/audit/duplicate_package_merger.rbs

@@ -0,0 +1,11 @@
+module Package
+  module Audit
+    class DuplicatePackageMerger
+      @pkgs: Array[Package]
+
+      def initialize: (Array[Package]) -> void
+
+      def run: -> Array[Package]
+    end
+  end
+end

data/sig/package/audit/enum/vulnerability_type.rbs

@@ -6,6 +6,7 @@ module Package
         HIGH: String
         LOW: String
         MEDIUM: String
+        MODERATE: String
         NONE: String
         UNKNOWN: String
       end

data/sig/package/audit/npm/node_collection.rbs

@@ -0,0 +1,29 @@
+module Package
+  module Audit
+    module Npm
+      class NodeCollection
+        PACKAGE_JSON: String
+        PACKAGE_LOCK: String
+        YARN_LOCK: String
+
+        @dir: String
+
+        def initialize: (String) -> void
+
+        def all: -> Array[Package]
+
+        def deprecated: -> Array[Package]
+
+        def outdated: -> Array[Package]
+
+        def vulnerable: -> Array[Package]
+
+        private
+
+        def fetch_from_lock_file: -> Array[Package]
+
+        def fetch_from_package_json: -> Array[Hash[Symbol, untyped]]
+      end
+    end
+  end
+end

data/sig/package/audit/npm/npm_meta_data.rbs

@@ -0,0 +1,19 @@
+module Package
+  module Audit
+    module Npm
+      class NpmMetaData
+        REGISTRY_URL: String
+
+        @packages: Array[Package]
+
+        def initialize: (Array[Package]) -> void
+
+        def fetch: -> Array[Package]
+
+        private
+
+        def update_meta_data: (Package, Hash[Symbol, untyped]) -> void
+      end
+    end
+  end
+end

data/sig/package/audit/npm/vulnerability_finder.rbs

@@ -0,0 +1,21 @@
+module Package
+  module Audit
+    module Npm
+      class VulnerabilityFinder
+        AUDIT_ADVISORY_REGEX: Regexp
+
+        @dir: String
+        @pkg_hash: Hash[String, Package]
+        @vuln_hash: Hash[String?, Package]
+
+        def initialize: (String, Array[Package]) -> void
+
+        def run: -> Array[Package]
+
+        private
+
+        def update_meta_data: (Hash[Symbol, untyped])-> void
+      end
+    end
+  end
+end

data/sig/package/audit/npm/yarn_lock_parser.rbs

@@ -0,0 +1,20 @@
+module Package
+  module Audit
+    module Npm
+      class YarnLockParser
+        @yarn_lock_file: String
+        @yarn_lock_path: String
+
+        def initialize: (String) -> void
+
+        def fetch: (Hash[Symbol, untyped], Hash[Symbol, untyped]) -> Array[Package]
+
+        private
+
+        def fetch_package_block: (Symbol, String) -> String
+
+        def fetch_package_version: (Symbol, String) -> String
+      end
+    end
+  end
+end

data/sig/package/audit/{dependency.rbs → package.rbs}

@@ -1,8 +1,8 @@
 module Package
   module Audit
-    class Dependency
+    class Package
       @groups: Array[Symbol]
-      @risk: Risk
+      @risks: Array[Risk]
       @vulnerabilities: Array[String]
 
       attr_accessor groups: Array[Symbol]
@@ -13,14 +13,22 @@ module Package
       attr_accessor version_date: String
       attr_accessor vulnerabilities: Array[String]
 
-      def initialize: (String, String) -> void
+      def initialize: (String, String, **untyped) -> void
+
+      def deprecated?: -> bool
+
+      def full_name: -> String
 
       def group_list: -> String
 
-      def risk?: -> bool
+      def outdated?: -> bool
 
       def risk: -> Risk
 
+      def risk?: -> bool
+
+      def risks: -> Array[Risk]
+
       def risk_explanation: -> String?
 
       def risk_type: -> String
@@ -30,6 +38,8 @@ module Package
       def update: (**untyped) -> void
 
       def vulnerabilities_grouped: -> String
+
+      def vulnerable?: -> bool
     end
   end
 end

data/sig/package/audit/printer.rbs

@@ -0,0 +1,24 @@
+module Package
+  module Audit
+    class Printer
+      BASH_FORMATTING_REGEX: Regexp
+      COLUMN_GAP: Integer
+      CSV_HEADERS: Hash[Symbol, String]
+
+      @pkgs: Array[Package]
+      @options: Hash[Symbol, untyped]
+
+      def initialize: (Array[Package], Hash[Symbol, untyped]) -> void
+
+      def print: (Array[Symbol]) -> void
+
+      private
+
+      def check_fields: (Array[Symbol]) -> void
+
+      def csv: (Array[Symbol], ?exclude_headers: bool) -> void
+
+      def pretty: (?Array[Symbol]) -> void
+    end
+  end
+end

data/sig/package/audit/risk_calculator.rbs

@@ -1,19 +1,19 @@
 module Package
   module Audit
     class RiskCalculator
-      @dependency: Dependency
+      @pkg: Package
 
-      def initialize: (Dependency) -> void
+      def initialize: (Package) -> void
 
-      def find: -> Risk?
+      def find: -> Array[Risk]
 
       private
 
-      def assess_deprecation_risk: -> Risk
+      def assess_deprecation_risks: -> Array[Risk]
 
-      def assess_version_risk: -> Risk
+      def assess_version_risks: -> Array[Risk]
 
-      def assess_vulnerability_risk: -> Risk
+      def assess_vulnerability_risks: -> Array[Risk]
 
       def production_dependency?: -> bool
     end

data/sig/package/audit/ruby/bundler_specs.rbs

@@ -2,9 +2,9 @@ module Package
   module Audit
     module Ruby
       class BundlerSpecs
-        def self.all: -> untyped
+        def self.all: (String) -> untyped
 
-        def self.gemfile: -> untyped
+        def self.gemfile: (String) -> untyped
       end
     end
   end

data/sig/package/audit/ruby/gem_collection.rbs

@@ -2,13 +2,17 @@ module Package
   module Audit
     module Ruby
       class GemCollection
-        def self.all: -> Array[Dependency]
+        @dir: String
 
-        def self.deprecated: -> Array[Dependency]
+        def initialize: (String) -> void
 
-        def self.outdated: (?include_implicit: bool) -> Array[Dependency]
+        def all: -> Array[Package]
 
-        def self.vulnerable: -> Array[Dependency]
+        def deprecated: -> Array[Package]
+
+        def outdated: (?include_implicit: bool) -> Array[Package]
+
+        def vulnerable: -> Array[Package]
       end
     end
   end

data/sig/package/audit/ruby/gem_meta_data.rbs

@@ -2,21 +2,20 @@ module Package
   module Audit
     module Ruby
       class GemMetaData
-        @dependencies: Array[Dependency]
+        @gem_hash: Hash[String, Package]
+        @pkgs: Array[Package]
 
-        @gem_hash: Hash[String, Dependency]
+        def initialize: (Array[Package]) -> void
 
-        def initialize: (Array[Dependency]) -> void
+        def fetch: -> Array[Package]
 
-        def fetch: -> Array[Dependency]
-
-        def find: -> Array[Dependency]
+        def find: -> Array[Package]
 
         private
 
-        def assign_groups: -> Array[Dependency]
+        def assign_groups: -> Array[Package]
 
-        def find_rubygems_metadata: -> Array[Dependency]
+        def find_rubygems_metadata: -> Array[Package]
       end
     end
   end

data/sig/package/audit/ruby/vulnerability_finder.rbs

@@ -2,7 +2,16 @@ module Package
   module Audit
     module Ruby
       class VulnerabilityFinder
-        def self.run: -> Array[Dependency]
+        @dir: String
+        @vuln_hash: Hash[String?, Package]
+
+        def initialize: (String) -> void
+
+        def run: -> Array[Package]
+
+        private
+
+        def update_meta_data: (Hash[Symbol, untyped]) -> void
       end
     end
   end

data/sig/package/audit/util/summary_printer.rbs

@@ -4,17 +4,15 @@ module Package
       module SummaryPrinter
         def self.deprecated: -> void
 
-        def self.outdated: -> void
-
         def self.report: -> void
 
         def self.risk: -> void
 
-        def self.total: (Integer) -> void
+        def self.statistics: (String, Array[Package]) -> void
 
-        def self.vulnerable: -> void
+        def self.total: (String, Array[Package]) -> void
 
-        def risk: -> void
+        def self.vulnerable: (String, String) -> void
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: package-audit
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Vadim Kononov
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-04-25 00:00:00.000000000 Z
+date: 2023-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -49,9 +49,12 @@ extra_rdoc_files: []
 files:
 - exe/package-audit
 - lib/package/audit/cli.rb
-- lib/package/audit/const.rb
-- lib/package/audit/dependency.rb
-- lib/package/audit/dependency_printer.rb
+- lib/package/audit/command_service.rb
+- lib/package/audit/const/cmd.rb
+- lib/package/audit/const/fields.rb
+- lib/package/audit/const/file.rb
+- lib/package/audit/const/time.rb
+- lib/package/audit/duplicate_package_merger.rb
 - lib/package/audit/enum/environment.rb
 - lib/package/audit/enum/risk_explanation.rb
 - lib/package/audit/enum/risk_type.rb
@@ -61,6 +64,12 @@ files:
 - lib/package/audit/formatter/version.rb
 - lib/package/audit/formatter/version_date.rb
 - lib/package/audit/formatter/vulnerability.rb
+- lib/package/audit/npm/node_collection.rb
+- lib/package/audit/npm/npm_meta_data.rb
+- lib/package/audit/npm/vulnerability_finder.rb
+- lib/package/audit/npm/yarn_lock_parser.rb
+- lib/package/audit/package.rb
+- lib/package/audit/printer.rb
 - lib/package/audit/risk.rb
 - lib/package/audit/risk_calculator.rb
 - lib/package/audit/ruby/bundler_specs.rb
@@ -70,10 +79,13 @@ files:
 - lib/package/audit/util/bash_color.rb
 - lib/package/audit/util/summary_printer.rb
 - lib/package/audit/version.rb
-- sig/const.rbs
 - sig/package/audit/cli.rbs
-- sig/package/audit/dependency.rbs
-- sig/package/audit/dependency_printer.rbs
+- sig/package/audit/command_service.rbs
+- sig/package/audit/const/cmd.rbs
+- sig/package/audit/const/fields.rbs
+- sig/package/audit/const/file.rbs
+- sig/package/audit/const/time.rbs
+- sig/package/audit/duplicate_package_merger.rbs
 - sig/package/audit/enum/environment.rbs
 - sig/package/audit/enum/risk_explanation.rbs
 - sig/package/audit/enum/risk_type.rbs
@@ -83,6 +95,12 @@ files:
 - sig/package/audit/formatter/version_date.rbs
 - sig/package/audit/formatter/version_printer.rbs
 - sig/package/audit/formatter/vulnerability.rbs
+- sig/package/audit/npm/node_collection.rbs
+- sig/package/audit/npm/npm_meta_data.rbs
+- sig/package/audit/npm/vulnerability_finder.rbs
+- sig/package/audit/npm/yarn_lock_parser.rbs
+- sig/package/audit/package.rbs
+- sig/package/audit/printer.rbs
 - sig/package/audit/risk.rbs
 - sig/package/audit/risk_calculator.rbs
 - sig/package/audit/ruby/bundler_specs.rbs
@@ -114,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.4.12
 signing_key:
 specification_version: 4
 summary: A helper tool to find outdated, deprecated and vulnerable dependencies.

data/lib/package/audit/const.rb

@@ -1,5 +0,0 @@
-module Const
-  SECONDS_PER_YEAR = 31_556_952 # length of a gregorian year (365.2425 days)
-  YEARS_ELAPSED_TO_BE_OUTDATED = 2
-  SECONDS_ELAPSED_TO_BE_OUTDATED = SECONDS_PER_YEAR * YEARS_ELAPSED_TO_BE_OUTDATED
-end

data/lib/package/audit/dependency.rb

@@ -1,57 +0,0 @@
-require_relative './risk'
-require_relative './risk_calculator'
-require_relative './enum/environment'
-require_relative './enum/risk_type'
-require_relative './enum/risk_explanation'
-
-module Package
-  module Audit
-    class Dependency
-      attr_reader :name, :version
-      attr_accessor :groups, :version_date, :latest_version, :latest_version_date, :vulnerabilities
-
-      def initialize(name, version)
-        @name = name.to_s
-        @version = version.to_s
-        @groups = []
-        @vulnerabilities = []
-      end
-
-      def update(**attr)
-        attr.each { |key, value| instance_variable_set("@#{key}", value) }
-      end
-
-      def risk
-        @risk ||= RiskCalculator.new(self).find || Risk.new(Enum::RiskType::NONE)
-      end
-
-      def risk?
-        risk.type != Enum::RiskType::NONE
-      end
-
-      def group_list
-        @groups.join('|')
-      end
-
-      def vulnerabilities_grouped
-        @vulnerabilities.group_by(&:itself).map { |k, v| "#{k}(#{v.length})" }.join('|')
-      end
-
-      def risk_type
-        risk.type
-      end
-
-      def risk_explanation
-        risk.explanation
-      end
-
-      def to_csv(fields)
-        fields.map { |field| send(field) }.join(',')
-      end
-
-      def to_s
-        "#{@name} #{@version} - [#{@groups.sort.join(', ')}]"
-      end
-    end
-  end
-end

data/sig/const.rbs

@@ -1,5 +0,0 @@
-module Const
-  SECONDS_ELAPSED_TO_BE_OUTDATED: Integer
-  YEARS_ELAPSED_TO_BE_OUTDATED: Integer
-  SECONDS_PER_YEAR: Integer
-end