RubyGems - package-audit - Versions diffs - 0.1.0 - Mend

package-audit 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

checksums.yaml +7 -0
data/exe/package-audit +10 -0
data/lib/package/audit/cli.rb +134 -0
data/lib/package/audit/const.rb +5 -0
data/lib/package/audit/dependency.rb +57 -0
data/lib/package/audit/dependency_printer.rb +128 -0
data/lib/package/audit/enum/environment.rb +15 -0
data/lib/package/audit/enum/risk_explanation.rb +14 -0
data/lib/package/audit/enum/risk_type.rb +12 -0
data/lib/package/audit/enum/vulnerability_type.rb +14 -0
data/lib/package/audit/formatter/base.rb +11 -0
data/lib/package/audit/formatter/risk.rb +28 -0
data/lib/package/audit/formatter/version.rb +33 -0
data/lib/package/audit/formatter/version_date.rb +28 -0
data/lib/package/audit/formatter/vulnerability.rb +37 -0
data/lib/package/audit/risk.rb +27 -0
data/lib/package/audit/risk_calculator.rb +65 -0
data/lib/package/audit/ruby/bundler_specs.rb +28 -0
data/lib/package/audit/ruby/gem_collection.rb +43 -0
data/lib/package/audit/ruby/gem_meta_data.rb +58 -0
data/lib/package/audit/ruby/vulnerability_finder.rb +24 -0
data/lib/package/audit/util/bash_color.rb +35 -0
data/lib/package/audit/util/summary_printer.rb +75 -0
data/lib/package/audit/version.rb +5 -0
data/sig/const.rbs +5 -0
data/sig/package/audit/cli.rbs +31 -0
data/sig/package/audit/dependency.rbs +35 -0
data/sig/package/audit/dependency_printer.rbs +24 -0
data/sig/package/audit/enum/environment.rbs +13 -0
data/sig/package/audit/enum/risk_explanation.rbs +12 -0
data/sig/package/audit/enum/risk_type.rbs +12 -0
data/sig/package/audit/enum/vulnerability_type.rbs +14 -0
data/sig/package/audit/formatter/base.rbs +9 -0
data/sig/package/audit/formatter/risk_printer.rbs +13 -0
data/sig/package/audit/formatter/version_date.rbs +13 -0
data/sig/package/audit/formatter/version_printer.rbs +14 -0
data/sig/package/audit/formatter/vulnerability.rbs +13 -0
data/sig/package/audit/risk.rbs +12 -0
data/sig/package/audit/risk_calculator.rbs +21 -0
data/sig/package/audit/ruby/bundler_specs.rbs +11 -0
data/sig/package/audit/ruby/gem_collection.rbs +15 -0
data/sig/package/audit/ruby/gem_meta_data.rbs +23 -0
data/sig/package/audit/ruby/vulnerability_finder.rbs +9 -0
data/sig/package/audit/util/bash_color.rbs +21 -0
data/sig/package/audit/util/summary_printer.rbs +21 -0
data/sig/package/audit/version.rbs +5 -0
metadata +121 -0

data/lib/package/audit/ruby/gem_collection.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require_relative './bundler_specs'
+require_relative './../enum/risk_type'
+module Package
+  module Audit
+    module Ruby
+      class GemCollection
+        def self.all
+          specs = BundlerSpecs.gemfile
+          dependencies = specs.map { |spec| Dependency.new(spec.name, spec.version) }
+          vulnerable_deps = VulnerabilityFinder.run
+          GemMetaData.new(dependencies + vulnerable_deps).fetch.filter(&:risk?).sort_by(&:name).uniq(&:name)
+        end
+        def self.deprecated
+          specs = BundlerSpecs.gemfile
+          dependencies = specs.map { |spec| Dependency.new(spec.name, spec.version) }
+          GemMetaData.new(dependencies).fetch.filter do |dep|
+            dep.risk.explanation == Enum::RiskExplanation::POTENTIAL_DEPRECATION
+          end.sort_by(&:name).uniq(&:name)
+        end
+        def self.outdated(include_implicit: false)
+          specs = include_implicit ? BundlerSpecs.all : BundlerSpecs.gemfile
+          dependencies = specs.map { |spec| Dependency.new(spec.name, spec.version) }
+          GemMetaData.new(dependencies).fetch.filter do |dep|
+            dep.version < dep.latest_version
+          end.sort_by(&:name).uniq(&:name)
+        end
+        def self.vulnerable
+          dependencies = VulnerabilityFinder.run
+          GemMetaData.new(dependencies).fetch.filter do |dep|
+            dep.risk.explanation == Enum::RiskExplanation::VULNERABILITY
+          end.sort_by(&:name).uniq(&:name)
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/ruby/gem_meta_data.rb ADDED Viewed

@@ -0,0 +1,58 @@
+require_relative '../dependency'
+module Package
+  module Audit
+    module Ruby
+      class GemMetaData
+        def initialize(dependencies)
+          @dependencies = dependencies
+          @gem_hash = {}
+        end
+        def fetch
+          find_rubygems_metadata
+          assign_groups
+          @gem_hash.values
+        end
+        private
+        def find_rubygems_metadata # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+          fetcher = Gem::SpecFetcher.fetcher
+          @dependencies.each do |dep|
+            gem_dependency = Gem::Dependency.new dep.name, ">= #{dep.version}"
+            local_version_date = Time.new(0)
+            latest_version_date = Time.new(0)
+            local_version = Gem::Version.new(dep.version)
+            latest_version = Gem::Version.new('0.0.0')
+            remote_dependencies, = fetcher.spec_for_dependency gem_dependency
+            remote_dependencies.each do |remote_spec, _|
+              latest_version = remote_spec.version if latest_version < remote_spec.version
+              latest_version_date = remote_spec.date if latest_version_date < remote_spec.date
+              local_version_date = remote_spec.date if local_version == remote_spec.version
+            end
+            @gem_hash[dep.name] = dep
+            dep.update latest_version: latest_version.to_s,
+                       version_date: local_version_date.strftime('%Y-%m-%d'),
+                       latest_version_date: latest_version_date.strftime('%Y-%m-%d')
+          end
+        end
+        def assign_groups # rubocop:disable Metrics/AbcSize
+          definition = Bundler.definition
+          groups = definition.groups.uniq.sort
+          groups.each do |group|
+            specs = definition.specs_for([group])
+            specs.each do |spec|
+              @gem_hash[spec.name].update(groups: @gem_hash[spec.name].groups | [group]) if @gem_hash.key? spec.name
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/ruby/vulnerability_finder.rb ADDED Viewed

@@ -0,0 +1,24 @@
+require_relative '../enum/vulnerability_type'
+module Package
+  module Audit
+    module Ruby
+      class VulnerabilityFinder
+        def self.run # rubocop:disable Metrics/AbcSize
+          gem_hash = {}
+          json_str = `bundle exec bundle-audit check --update --quiet --format json`
+          json_results = JSON.parse(json_str, symbolize_names: true)[:results]
+          json_results.each do |result|
+            gem_name = result[:gem][:name]
+            vulnerability = result[:advisory][:criticality] || Enum::VulnerabilityType::UNKNOWN
+            unless gem_hash.key? gem_name
+              gem_hash[gem_name] = Dependency.new result[:gem][:name], result[:gem][:version]
+            end
+            gem_hash[gem_name].update vulnerabilities: gem_hash[gem_name].vulnerabilities + [vulnerability]
+          end
+          gem_hash.values
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/util/bash_color.rb ADDED Viewed

@@ -0,0 +1,35 @@
+module Package
+  module Audit
+    module Util
+      module BashColor
+        def self.green(str)
+          "\e[32m#{str}\e[0m"
+        end
+        def self.yellow(str)
+          "\e[33m#{str}\e[0m"
+        end
+        def self.orange(str)
+          "\e[38;5;208m#{str}\e[0m"
+        end
+        def self.red(str)
+          "\e[31m#{str}\e[0m"
+        end
+        def self.cyan(str)
+          "\e[36m#{str}\e[0m"
+        end
+        def self.magenta(str)
+          "\e[35m#{str}\e[0m"
+        end
+        def self.blue(str)
+          "\e[34m#{str}\e[0m"
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/util/summary_printer.rb ADDED Viewed

@@ -0,0 +1,75 @@
+require_relative '../const'
+require_relative './bash_color'
+module Package
+  module Audit
+    module Util
+      module SummaryPrinter
+        def self.report
+          printf("\n%<info>s\n%<cmd>s\n\n",
+                 info: Util::BashColor.blue('To show how risk is calculated run:'),
+                 cmd: Util::BashColor.magenta(' > bundle exec package-audit risk'))
+        end
+        def self.deprecated
+          puts Util::BashColor.blue("\nAlthough gems listed above have no recent updates, they may not be deprecated.")
+          puts Util::BashColor.blue("Please contact the gem author for more information about its status.\n")
+        end
+        def self.outdated
+          printf("\n%<info>s\n%<cmd>s\n\n",
+                 info: Util::BashColor.blue('To show both Gemfile gems and their dependencies run:'),
+                 cmd: Util::BashColor.magenta(' > bundle exec package-audit outdated --include-implicit'))
+        end
+        def self.vulnerable
+          printf("\n%<info>s\n%<cmd>s\n\n",
+                 info: Util::BashColor.blue('To get more information about the vulnerabilities run:'),
+                 cmd: Util::BashColor.magenta(' > bundle exec bundle-audit check --update'))
+        end
+        def self.total(num)
+          puts Util::BashColor.cyan("\nFound a total of #{num} gems.")
+        end
+        def self.risk # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+          puts Util::BashColor.blue('1. Check if the dependency has a security vulnerability.')
+          puts '   If yes, the following vulnerability -> risk mapping is used:'
+          puts "      - #{Util::BashColor.red('unknown')} vulnerability\t-> #{Util::BashColor.red('high')} risk"
+          puts "      - #{Util::BashColor.red('critical')} vulnerability\t-> #{Util::BashColor.red('high')} risk"
+          puts "      - #{Util::BashColor.red('high')} vulnerability\t-> #{Util::BashColor.red('high')} risk"
+          puts "      - #{Util::BashColor.orange('medium')} vulnerability\t-> #{Util::BashColor.orange('medium')} risk"
+          puts "      - #{Util::BashColor.yellow('low')} vulnerability\t-> #{Util::BashColor.yellow('low')} risk"
+          puts
+          puts Util::BashColor.blue('2. Check the dependency for potential deprecation.')
+          puts "   If no new releases by author for at least #{Const::YEARS_ELAPSED_TO_BE_OUTDATED} years:"
+          puts "      - assign the risk to\t-> #{Util::BashColor.orange('medium')} risk"
+          puts
+          puts Util::BashColor.blue('3. Check if a newer version of the dependency is available.')
+          puts '   If yes, assign risk as follows:'
+          puts "      - #{Util::BashColor.orange('major version')} mismatch\t-> #{Util::BashColor.orange('medium')} risk" # rubocop:disable Layout/LineLength
+          puts "      - #{Util::BashColor.yellow('minor version')} mismatch\t-> #{Util::BashColor.yellow('low')} risk"
+          puts "      - #{Util::BashColor.green('patch version')} mismatch\t-> #{Util::BashColor.yellow('low')} risk"
+          puts "      - #{Util::BashColor.green('build version')} mismatch\t-> #{Util::BashColor.yellow('low')} risk"
+          puts
+          puts Util::BashColor.blue('4. Take the highest risk from the first 3 steps.')
+          puts '   If two risks match in severity, use the following precedence:'
+          puts "      - #{Util::BashColor.red('vulnerability')} > #{Util::BashColor.orange('deprecation')} > #{Util::BashColor.yellow('outdatedness')}" # rubocop:disable Layout/LineLength
+          puts
+          puts Util::BashColor.blue('5. Check whether the dependency is used in production or not.')
+          puts '   If a dependency is limited to a non-production environment:'
+          puts "      - cap risk severity to\t -> #{Util::BashColor.orange('medium')} risk"
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module Package
+  module Audit
+    VERSION = '0.1.0'
+  end
+end

data/sig/const.rbs ADDED Viewed

@@ -0,0 +1,5 @@
+module Const
+  SECONDS_ELAPSED_TO_BE_OUTDATED: Integer
+  YEARS_ELAPSED_TO_BE_OUTDATED: Integer
+  SECONDS_PER_YEAR: Integer
+end

data/sig/package/audit/cli.rbs ADDED Viewed

@@ -0,0 +1,31 @@
+module Package
+  module Audit
+    class CLI
+      def self.exit_on_failure?: -> bool
+      def deprecated: (String) -> void
+      def outdated: (String) -> void
+      def report: (String) -> void
+      def risk: -> void
+      def version: -> void
+      def vulnerable: (String) -> void
+      private
+      def exit_with_error: (String) -> void
+      def exit_with_success: (String) -> void
+      def print_total: (Integer) -> void
+      def print_vulnerability_info: (String) -> void
+      def within_rescue_block: (String) { () -> void } -> void
+    end
+  end
+end

data/sig/package/audit/dependency.rbs ADDED Viewed

@@ -0,0 +1,35 @@
+module Package
+  module Audit
+    class Dependency
+      @groups: Array[Symbol]
+      @risk: Risk
+      @vulnerabilities: Array[String]
+      attr_accessor groups: Array[Symbol]
+      attr_accessor latest_version: String
+      attr_accessor latest_version_date: String
+      attr_reader name: String
+      attr_reader version: String
+      attr_accessor version_date: String
+      attr_accessor vulnerabilities: Array[String]
+      def initialize: (String, String) -> void
+      def group_list: -> String
+      def risk?: -> bool
+      def risk: -> Risk
+      def risk_explanation: -> String?
+      def risk_type: -> String
+      def to_csv: (Array[Symbol]) -> String
+      def update: (**untyped) -> void
+      def vulnerabilities_grouped: -> String
+    end
+  end
+end

data/sig/package/audit/dependency_printer.rbs ADDED Viewed

@@ -0,0 +1,24 @@
+module Package
+  module Audit
+    class DependencyPrinter
+      BASH_FORMATTING_REGEX: Regexp
+      COLUMN_GAP: Integer
+      CSV_HEADERS: Hash[Symbol, String]
+      FIELDS: Array[Symbol]
+      HEADERS: Hash[Symbol, String]
+      @dependencies: Array[Dependency]
+      @options: Hash[Symbol, untyped]
+      def initialize: (Array[Dependency], Hash[Symbol, untyped]) -> void
+      def print: (?Array[Symbol]) -> void
+      private
+      def csv: (Array[Symbol], ?exclude_headers: bool) -> void
+      def pretty: (Array[Symbol]) -> void
+    end
+  end
+end

data/sig/package/audit/enum/environment.rbs ADDED Viewed

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Enum
+      module Environment
+        DEFAULT: Symbol
+        DEV: Symbol
+        PRODUCTION: Symbol
+        STAGING: Symbol
+        TEST: Symbol
+      end
+    end
+  end
+end

data/sig/package/audit/enum/risk_explanation.rbs ADDED Viewed

@@ -0,0 +1,12 @@
+module Package
+  module Audit
+    module Enum
+      module RiskExplanation
+        OUTDATED: String
+        OUTDATED_BY_MAJOR_VERSION: String
+        POTENTIAL_DEPRECATION: String
+        VULNERABILITY: String
+      end
+    end
+  end
+end

data/sig/package/audit/enum/risk_type.rbs ADDED Viewed

@@ -0,0 +1,12 @@
+module Package
+  module Audit
+    module Enum
+      module RiskType
+        HIGH: String
+        LOW: String
+        MEDIUM: String
+        NONE: String
+      end
+    end
+  end
+end

data/sig/package/audit/enum/vulnerability_type.rbs ADDED Viewed

@@ -0,0 +1,14 @@
+module Package
+  module Audit
+    module Enum
+      module VulnerabilityType
+        CRITICAL: String
+        HIGH: String
+        LOW: String
+        MEDIUM: String
+        NONE: String
+        UNKNOWN: String
+      end
+    end
+  end
+end

data/sig/package/audit/formatter/base.rbs ADDED Viewed

@@ -0,0 +1,9 @@
+module Package
+  module Audit
+    module Formatter
+      class Base
+        def format: -> String
+      end
+    end
+  end
+end

data/sig/package/audit/formatter/risk_printer.rbs ADDED Viewed

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Formatter
+      class Risk
+        @risk_type: String
+        def initialize: (String) -> void
+        def format: -> String
+      end
+    end
+  end
+end

data/sig/package/audit/formatter/version_date.rbs ADDED Viewed

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Formatter
+      class VersionDate
+        @date: String
+        def initialize: (String) -> void
+        def format: -> void
+      end
+    end
+  end
+end

data/sig/package/audit/formatter/version_printer.rbs ADDED Viewed

@@ -0,0 +1,14 @@
+module Package
+  module Audit
+    module Formatter
+      class Version
+        @curr: String
+        @target: String
+        def initialize: (String, String) -> void
+        def format: -> String
+      end
+    end
+  end
+end

data/sig/package/audit/formatter/vulnerability.rbs ADDED Viewed

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Formatter
+      class Vulnerability
+        @vulnerabilities: Array[String]
+        def initialize: (Array[String]) -> void
+        def format: -> String
+      end
+    end
+  end
+end

data/sig/package/audit/risk.rbs ADDED Viewed

@@ -0,0 +1,12 @@
+module Package
+  module Audit
+    class Risk
+      attr_reader explanation: String?
+      attr_reader type: String
+      def initialize: (String, ?String?)-> void
+      def <=>: (Risk) -> Integer?
+    end
+  end
+end

data/sig/package/audit/risk_calculator.rbs ADDED Viewed

@@ -0,0 +1,21 @@
+module Package
+  module Audit
+    class RiskCalculator
+      @dependency: Dependency
+      def initialize: (Dependency) -> void
+      def find: -> Risk?
+      private
+      def assess_deprecation_risk: -> Risk
+      def assess_version_risk: -> Risk
+      def assess_vulnerability_risk: -> Risk
+      def production_dependency?: -> bool
+    end
+  end
+end

data/sig/package/audit/ruby/bundler_specs.rbs ADDED Viewed

@@ -0,0 +1,11 @@
+module Package
+  module Audit
+    module Ruby
+      class BundlerSpecs
+        def self.all: -> untyped
+        def self.gemfile: -> untyped
+      end
+    end
+  end
+end

data/sig/package/audit/ruby/gem_collection.rbs ADDED Viewed

@@ -0,0 +1,15 @@
+module Package
+  module Audit
+    module Ruby
+      class GemCollection
+        def self.all: -> Array[Dependency]
+        def self.deprecated: -> Array[Dependency]
+        def self.outdated: (?include_implicit: bool) -> Array[Dependency]
+        def self.vulnerable: -> Array[Dependency]
+      end
+    end
+  end
+end

data/sig/package/audit/ruby/gem_meta_data.rbs ADDED Viewed

@@ -0,0 +1,23 @@
+module Package
+  module Audit
+    module Ruby
+      class GemMetaData
+        @dependencies: Array[Dependency]
+        @gem_hash: Hash[String, Dependency]
+        def initialize: (Array[Dependency]) -> void
+        def fetch: -> Array[Dependency]
+        def find: -> Array[Dependency]
+        private
+        def assign_groups: -> Array[Dependency]
+        def find_rubygems_metadata: -> Array[Dependency]
+      end
+    end
+  end
+end

data/sig/package/audit/ruby/vulnerability_finder.rbs ADDED Viewed

@@ -0,0 +1,9 @@
+module Package
+  module Audit
+    module Ruby
+      class VulnerabilityFinder
+        def self.run: -> Array[Dependency]
+      end
+    end
+  end
+end

data/sig/package/audit/util/bash_color.rbs ADDED Viewed

@@ -0,0 +1,21 @@
+module Package
+  module Audit
+    module Util
+      module BashColor
+        def self.blue: (String?) -> String
+        def self.green: (String?) -> String
+        def self.magenta: (String?) -> String
+        def self.orange: (String?) -> String
+        def self.red: (String?) -> String
+        def self.yellow: (String?) -> String
+        def self.cyan: (String?) -> String
+      end
+    end
+  end
+end

data/sig/package/audit/util/summary_printer.rbs ADDED Viewed

@@ -0,0 +1,21 @@
+module Package
+  module Audit
+    module Util
+      module SummaryPrinter
+        def self.deprecated: -> void
+        def self.outdated: -> void
+        def self.report: -> void
+        def self.risk: -> void
+        def self.total: (Integer) -> void
+        def self.vulnerable: -> void
+        def risk: -> void
+      end
+    end
+  end
+end

data/sig/package/audit/version.rbs ADDED Viewed

@@ -0,0 +1,5 @@
+module Package
+  module Audit
+    VERSION: String
+  end
+end