package-audit 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 55535a9ef08ce99d8cdacbfe15e0ec11e770f4803e4ef212d9ff4565111c89a6
-  data.tar.gz: 3f1efc9489c0ac9139f94bb7ed66d8ccee255e9c61f79440c899c0dcc4cd5885
+  metadata.gz: d30d08ba36373c75427371f922cb0a5819a021868bf82001428e0541571df9f8
+  data.tar.gz: ac4dce54e3905dd56de9b137a62101de7267262c1f6b0310e4697c8f016a36b8
 SHA512:
-  metadata.gz: 9c7ee67ccfadae05b1ec3a7e53d77ed8d977ae43bd54bbc0b95dee86e33ddceb87592089abc7a1410dba71c00802cc6172c3849d23e789878a9e8e14a1de2d96
-  data.tar.gz: 4ff43ca9c9e7bc410b545cde33b77798bfe71d40ebf92874235a695fb1862b2fa826849ce62f67cab831dfa22b987506248754e0a03b3827612e17b12df3f9be
+  metadata.gz: 00be4151f4f124614d117a739a558f9f2816f0f72095f222ddadf5101a6d089b40bdc5369c4a68c9b096b1547932561394f1fee5ca58712e13a4909c4a8c9558
+  data.tar.gz: f224c2c2fe2ff39586d20989ef6999d7b2a52acd2276dcdd9895441105ccaebc5991523676b88545a5afa96d4ffcac10291ab76dfab735b65d42aabc4598d7e4

data/lib/package/audit/cli.rb

@@ -1,11 +1,8 @@
-require_relative './const/time'
-require_relative './version'
-require_relative './util/summary_printer'
-require_relative './ruby/bundler_specs'
-require_relative './printer'
-require_relative './ruby/gem_collection'
-require_relative './npm/node_collection'
-require_relative './command_service'
+require_relative 'const/file'
+require_relative 'const/time'
+require_relative 'enum/option'
+require_relative 'services/command_parser'
+require_relative 'version'
 
 require 'json'
 require 'thor'
@@ -15,57 +12,52 @@ module Package
     class CLI < Thor
       default_task :report
 
+      class_option Enum::Option::CONFIG,
+                   aliases: '-c', banner: 'FILE',
+                   desc: "Path to a custom configuration file, default: #{Const::File::CONFIG})"
+      class_option Enum::Option::TECHNOLOGY,
+                   aliases: '-t', repeatable: true,
+                   desc: 'Technology to be audited (repeat this flag for each technology)'
+      class_option Enum::Option::INCLUDE_IGNORED,
+                   type: :boolean, default: false,
+                   desc: 'Include packages ignored by a configuration file'
+      class_option Enum::Option::CSV,
+                   type: :boolean, default: false,
+                   desc: 'Output reports using comma separated values (CSV)'
+      class_option Enum::Option::CSV_EXCLUDE_HEADERS,
+                   type: :boolean, default: false,
+                   desc: "Hide headers when using the --#{Enum::Option::CSV} option"
+
+      map '-v' => :version
       map '--version' => :version
 
-      desc 'report', 'Show a report of potentially deprecated, outdated or vulnerable packages'
-      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
-      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
-
-      def report
-        within_rescue_block do
-          exit CommandService.new(Dir.pwd, options).all
-        end
+      desc 'report [DIR]', 'Show a report of potentially deprecated, outdated or vulnerable packages'
+      def report(dir = Dir.pwd)
+        within_rescue_block { exit CommandParser.new(dir, options, Enum::Report::ALL).run }
       end
 
-      desc 'deprecated',
+      desc 'deprecated [DIR]',
            "Show packages with no updates by author for at least #{Const::Time::YEARS_ELAPSED_TO_BE_OUTDATED} years"
-      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
-      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
-
-      def deprecated
-        within_rescue_block do
-          exit CommandService.new(Dir.pwd, options).deprecated
-        end
+      def deprecated(dir = Dir.pwd)
+        within_rescue_block { exit CommandParser.new(dir, options, Enum::Report::DEPRECATED).run }
       end
 
-      desc 'outdated', 'Show packages that are out of date'
-      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
-      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
-
-      def outdated
-        within_rescue_block do
-          exit CommandService.new(Dir.pwd, options).outdated
-        end
+      desc 'outdated [DIR]', 'Show packages that are out of date'
+      def outdated(dir = Dir.pwd)
+        within_rescue_block { exit CommandParser.new(dir, options, Enum::Report::OUTDATED).run }
       end
 
-      desc 'vulnerable', 'Show packages and their dependencies that have security vulnerabilities'
-      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
-      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
-
-      def vulnerable
-        within_rescue_block do
-          exit CommandService.new(Dir.pwd, options).vulnerable
-        end
+      desc 'vulnerable [DIR]', 'Show packages and their dependencies that have security vulnerabilities'
+      def vulnerable(dir = Dir.pwd)
+        within_rescue_block { exit CommandParser.new(dir, options, Enum::Report::VULNERABLE).run }
       end
 
       desc 'risk', 'Print information on how risk is calculated'
-
       def risk
         Util::SummaryPrinter.risk
       end
 
       desc 'version', 'Print the currently installed version of the package-audit gem'
-
       def version
         puts "package-audit #{VERSION}"
       end
@@ -74,6 +66,14 @@ module Package
         true
       end
 
+      def method_missing(command, *args)
+        invoke :report, [command], args
+      end
+
+      def respond_to_missing?
+        true
+      end
+
       private
 
       def within_rescue_block

data/lib/package/audit/const/cmd.rb

@@ -2,14 +2,14 @@ module Package
   module Audit
     module Const
       module Cmd
-        BUNDLE_AUDIT = 'bundle exec bundle-audit check --update'
-        BUNDLE_AUDIT_JSON = 'bundle exec bundle-audit check --update --quiet --format json'
+        BUNDLE_AUDIT = 'bundle-audit check --update'
+        BUNDLE_AUDIT_JSON = 'bundle-audit check --update --quiet --format json %s'
 
         NPM_AUDIT = 'npm audit'
         NPM_AUDIT_JSON = 'npm audit --json'
 
         YARN_AUDIT = 'yarn audit'
-        YARN_AUDIT_JSON = 'yarn audit --json'
+        YARN_AUDIT_JSON = 'yarn audit --json --cwd %s'
       end
     end
   end

data/lib/package/audit/const/fields.rb

@@ -2,7 +2,7 @@ module Package
   module Audit
     module Const
       module Fields
-        ALL = %i[
+        AVAILABLE = %i[
           name
           version
           version_date
@@ -14,15 +14,15 @@ module Package
           risk_explanation
         ]
 
-        REPORT = %i[name version latest_version latest_version_date groups vulnerabilities risk_type risk_explanation]
-        VULNERABLE = %i[name version latest_version groups vulnerabilities]
+        ALL = %i[name version latest_version latest_version_date groups vulnerabilities risk_type risk_explanation]
+        DEPRECATED = %i[name version latest_version latest_version_date groups]
         OUTDATED = %i[name version latest_version latest_version_date groups]
+        VULNERABLE = %i[name version latest_version groups vulnerabilities]
 
         # the names of these fields must match the instance variables in the Dependency class
         HEADERS = {
           name: 'Package',
           version: 'Version',
-          version_date: 'Date',
           latest_version: 'Latest',
           latest_version_date: 'Latest Date',
           groups: 'Groups',

data/lib/package/audit/const/file.rb

@@ -2,6 +2,7 @@ module Package
   module Audit
     module Const
       module File
+        CONFIG = '.package-audit.yml'
         GEMFILE = 'Gemfile'
         GEMFILE_LOCK = 'Gemfile.lock'
         PACKAGE_JSON = 'package.json'

data/lib/package/audit/const/yaml.rb

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Const
+      module YAML
+        DEPRECATED = 'deprecated'
+        OUTDATED = 'outdated'
+        VULNERABLE = 'vulnerable'
+        TECHNOLOGY = 'technology'
+        VERSION = 'version'
+      end
+    end
+  end
+end

data/lib/package/audit/enum/option.rb

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Enum
+      module Option
+        CONFIG = 'config'
+        CSV = 'csv'
+        CSV_EXCLUDE_HEADERS = 'exclude-headers'
+        INCLUDE_IGNORED = 'include-ignored'
+        TECHNOLOGY = 'technology'
+      end
+    end
+  end
+end

data/lib/package/audit/enum/report.rb

@@ -0,0 +1,12 @@
+module Package
+  module Audit
+    module Enum
+      module Report
+        ALL = :all
+        DEPRECATED = :deprecated
+        OUTDATED = :outdated
+        VULNERABLE = :vulnerable
+      end
+    end
+  end
+end

data/lib/package/audit/enum/technology.rb

@@ -0,0 +1,14 @@
+module Package
+  module Audit
+    module Enum
+      module Technology
+        NODE = 'node'
+        RUBY = 'ruby'
+
+        def self.all
+          constants.map { |key| Enum::Technology.const_get(key) }.sort
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/risk.rb

@@ -1,5 +1,5 @@
-require_relative './base'
 require_relative '../util/bash_color'
+require_relative 'base'
 
 module Package
   module Audit

data/lib/package/audit/formatter/version.rb

@@ -1,5 +1,5 @@
-require_relative './base'
 require_relative '../util/bash_color'
+require_relative 'base'
 
 module Package
   module Audit

data/lib/package/audit/formatter/version_date.rb

@@ -1,6 +1,6 @@
-require_relative './base'
 require_relative '../const/time'
 require_relative '../util/bash_color'
+require_relative 'base'
 
 require 'time'
 

data/lib/package/audit/formatter/vulnerability.rb

@@ -1,6 +1,6 @@
-require_relative './base'
 require_relative '../enum/vulnerability_type'
 require_relative '../util/bash_color'
+require_relative 'base'
 
 module Package
   module Audit

data/lib/package/audit/{package.rb → models/package.rb}

@@ -1,18 +1,19 @@
-require_relative './risk'
-require_relative './risk_calculator'
-require_relative './enum/environment'
-require_relative './enum/risk_type'
-require_relative './enum/risk_explanation'
+require_relative '../enum/environment'
+require_relative '../enum/risk_explanation'
+require_relative '../enum/risk_type'
+require_relative '../services/risk_calculator'
+require_relative 'risk'
 
 module Package
   module Audit
     class Package
-      attr_reader :name, :version
+      attr_reader :name, :version, :technology
       attr_accessor :groups, :version_date, :latest_version, :latest_version_date, :vulnerabilities
 
-      def initialize(name, version, **attr)
+      def initialize(name, version, technology, **attr)
         @name = name.to_s
         @version = version.to_s
+        @technology = technology.to_s
         @groups = []
         @vulnerabilities = []
         @risks = []

data/lib/package/audit/npm/node_collection.rb

@@ -1,23 +1,34 @@
-require_relative './yarn_lock_parser'
-require_relative './npm_meta_data'
-require_relative './vulnerability_finder'
-require_relative '../duplicate_package_merger'
+require_relative '../const/file'
+require_relative '../services/duplicate_package_merger'
+require_relative 'npm_meta_data'
+require_relative 'vulnerability_finder'
+require_relative 'yarn_lock_parser'
 
 module Package
   module Audit
     module Npm
       class NodeCollection
-        PACKAGE_JSON = 'package.json'
-        PACKAGE_LOCK = 'package-lock.json'
-        YARN_LOCK = 'yarn.lock'
-
-        def initialize(dir)
+        def initialize(dir, report)
           @dir = dir
+          @report = report
+        end
+
+        def fetch
+          case @report
+          when Enum::Report::DEPRECATED
+            deprecated
+          when Enum::Report::OUTDATED
+            outdated
+          when Enum::Report::VULNERABLE
+            vulnerable
+          else
+            all
+          end
         end
 
         def all
           implicit_pkgs = fetch_from_lock_file
-          vulnerable_pkgs = VulnerabilityFinder.new(implicit_pkgs).run
+          vulnerable_pkgs = VulnerabilityFinder.new(@dir, implicit_pkgs).run
           pkgs = NpmMetaData.new(vulnerable_pkgs + implicit_pkgs).fetch.filter(&:risk?)
           DuplicatePackageMerger.new(pkgs).run
         end
@@ -36,7 +47,7 @@ module Package
 
         def vulnerable
           implicit_pkgs = fetch_from_lock_file
-          vulnerable_pkgs = VulnerabilityFinder.new(implicit_pkgs).run
+          vulnerable_pkgs = VulnerabilityFinder.new(@dir, implicit_pkgs).run
           pkgs = NpmMetaData.new(vulnerable_pkgs).fetch
           DuplicatePackageMerger.new(pkgs).run
         end
@@ -44,7 +55,7 @@ module Package
         private
 
         def fetch_from_package_json
-          package_json = JSON.parse(File.read("#{@dir}/#{PACKAGE_JSON}"), symbolize_names: true)
+          package_json = JSON.parse(File.read("#{@dir}/#{Const::File::PACKAGE_JSON}"), symbolize_names: true)
           default_deps = package_json[:dependencies] || {}
           dev_deps = package_json[:devDependencies] || {}
           [default_deps, dev_deps]
@@ -52,8 +63,8 @@ module Package
 
         def fetch_from_lock_file
           default_deps, dev_deps = fetch_from_package_json
-          if File.exist?("#{@dir}/#{YARN_LOCK}")
-            YarnLockParser.new("#{@dir}/#{YARN_LOCK}").fetch(default_deps || {}, dev_deps || {})
+          if File.exist?("#{@dir}/#{Const::File::YARN_LOCK}")
+            YarnLockParser.new("#{@dir}/#{Const::File::YARN_LOCK}").fetch(default_deps || {}, dev_deps || {})
           else
             []
           end

data/lib/package/audit/npm/vulnerability_finder.rb

@@ -7,13 +7,14 @@ module Package
       class VulnerabilityFinder
         AUDIT_ADVISORY_REGEX = /^{"type":"auditAdvisory".*$/
 
-        def initialize(pkgs)
+        def initialize(dir, pkgs)
+          @dir = dir
           @pkg_hash = pkgs.to_h { |pkg| [pkg.name, pkg] }
           @vuln_hash = {}
         end
 
         def run
-          json_string_lines = `#{Const::Cmd::YARN_AUDIT_JSON}`
+          json_string_lines = `#{format(Const::Cmd::YARN_AUDIT_JSON, @dir)}`
           array = json_string_lines.scan(AUDIT_ADVISORY_REGEX)
 
           vulnerability_json_array = JSON.parse("[#{array.join(',')}]", symbolize_names: true)
@@ -33,7 +34,7 @@ module Package
           full_name = "#{name}@#{version}"
           vulnerability = advisory[:severity] || Enum::VulnerabilityType::UNKNOWN
 
-          @vuln_hash[full_name] = Package.new(name, version) unless @vuln_hash.key? full_name
+          @vuln_hash[full_name] = Package.new(name, version, 'node') unless @vuln_hash.key? full_name
           @vuln_hash[full_name].update vulnerabilities: @vuln_hash[full_name].vulnerabilities + [vulnerability]
           @vuln_hash[full_name].update groups: @pkg_hash[parent_name].groups
         end

data/lib/package/audit/npm/yarn_lock_parser.rb

@@ -3,7 +3,8 @@ module Package
     module Npm
       class YarnLockParser
         def initialize(yarn_lock_path)
-          @yarn_lock_path = File.read(yarn_lock_path)
+          @yarn_lock_file = File.read(yarn_lock_path)
+          @yarn_lock_path = yarn_lock_path
         end
 
         def fetch(default_deps, dev_deps)
@@ -11,7 +12,7 @@ module Package
           default_deps.merge(dev_deps).each do |dep_name, expected_version|
             pkg_block = fetch_package_block(dep_name, expected_version)
             version = fetch_package_version(dep_name, pkg_block)
-            pks = Package.new(dep_name.to_s, version)
+            pks = Package.new(dep_name.to_s, version, 'node')
             pks.update groups: dev_deps.key?(dep_name) ? %i[development] : %i[default development]
             pkgs << pks
           end
@@ -22,17 +23,20 @@ module Package
 
         def fetch_package_block(dep_name, expected_version)
           regex = /#{Regexp.escape(dep_name)}@#{Regexp.escape(expected_version)}.*?:.*?(\n\n|\z)/m
-          blocks = @yarn_lock_path.match(regex)
+          blocks = @yarn_lock_file.match(regex)
           if blocks.nil? || blocks[0].nil?
-            raise NoMatchingPatternError, "Unable to find #{dep_name} in #{@yarn_lock_path}"
+            raise NoMatchingPatternError, "Unable to find \"#{dep_name}\" in #{@yarn_lock_path}"
           end
 
           blocks[0] || ''
         end
 
         def fetch_package_version(dep_name, pkg_block)
-          version = pkg_block.match(/version "(.*?)"/)&.[](1)
-          raise NoMatchingPatternError, "Unable to find #{dep_name} version in #{@yarn_lock_path}" if version.nil?
+          version = pkg_block.match(/version"?\s*"(.*?)"/)&.captures&.[](0)
+          if version.nil?
+            raise NoMatchingPatternError,
+                  "Unable to find the version of \"#{dep_name}\" in #{@yarn_lock_path}"
+          end
 
           version || '0.0.0.0'
         end

data/lib/package/audit/ruby/bundler_specs.rb

@@ -1,6 +1,6 @@
-require_relative '../package'
-require_relative './gem_meta_data'
-require_relative './vulnerability_finder'
+require_relative '../models/package'
+require_relative 'gem_meta_data'
+require_relative 'vulnerability_finder'
 
 require 'bundler'
 
@@ -8,16 +8,23 @@ module Package
   module Audit
     module Ruby
       class BundlerSpecs
-        def self.all
-          Bundler.ui.silence { Bundler.definition.resolve }
+        def self.all(dir)
+          Bundler.with_unbundled_env do
+            ENV['BUNDLE_GEMFILE'] = "#{dir}/Gemfile"
+            Bundler.ui.silence { Bundler.definition.resolve }
+          end
         end
 
-        def self.gemfile
-          current_dependencies = Bundler.ui.silence do
-            Bundler.load.dependencies.to_h { |dep| [dep.name, dep] }
+        def self.gemfile(dir)
+          current_dependencies = Bundler.with_unbundled_env do
+            ENV['BUNDLE_GEMFILE'] = "#{dir}/Gemfile"
+            Bundler.reset!
+            Bundler.ui.silence do
+              Bundler.load.dependencies.to_h { |dep| [dep.name, dep] }
+            end
           end
 
-          gemfile_specs, = all.partition do |spec|
+          gemfile_specs, = all(dir).partition do |spec|
             current_dependencies.key? spec.name
           end
           gemfile_specs

data/lib/package/audit/ruby/gem_collection.rb

@@ -1,35 +1,56 @@
-require_relative './bundler_specs'
-require_relative './../enum/risk_type'
-require_relative '../duplicate_package_merger'
+require_relative '../enum/report'
+require_relative '../enum/risk_type'
+require_relative '../services/duplicate_package_merger'
+require_relative 'bundler_specs'
 
 module Package
   module Audit
     module Ruby
       class GemCollection
-        def self.all
-          specs = BundlerSpecs.gemfile
-          pkgs = specs.map { |spec| Package.new(spec.name, spec.version) }
-          vulnerable_pkgs = VulnerabilityFinder.new.run
+        def initialize(dir, report)
+          @dir = dir
+          @report = report
+        end
+
+        def fetch
+          case @report
+          when Enum::Report::DEPRECATED
+            deprecated
+          when Enum::Report::OUTDATED
+            outdated
+          when Enum::Report::VULNERABLE
+            vulnerable
+          else
+            all
+          end
+        end
+
+        private
+
+        def all
+          specs = BundlerSpecs.gemfile(@dir)
+          pkgs = specs.map { |spec| Package.new(spec.name, spec.version, Enum::Technology::RUBY) }
+          vulnerable_pkgs = VulnerabilityFinder.new(@dir).run
           pkgs = GemMetaData.new(pkgs + vulnerable_pkgs).fetch.filter(&:risk?)
           DuplicatePackageMerger.new(pkgs).run
         end
 
-        def self.deprecated
-          specs = BundlerSpecs.gemfile
-          pkgs = specs.map { |spec| Package.new(spec.name, spec.version) }
+        def deprecated
+          specs = BundlerSpecs.gemfile(@dir)
+          pkgs = specs.map { |spec| Package.new(spec.name, spec.version, Enum::Technology::RUBY) }
           pkgs = GemMetaData.new(pkgs).fetch.filter(&:deprecated?)
           DuplicatePackageMerger.new(pkgs).run
         end
 
-        def self.outdated(include_implicit: false)
-          specs = include_implicit ? BundlerSpecs.all : BundlerSpecs.gemfile
-          pkgs = specs.map { |spec| Package.new(spec.name, spec.version) }
+        def outdated(include_implicit: false)
+          specs = include_implicit ? BundlerSpecs.all(@dir) : BundlerSpecs.gemfile(@dir)
+          pkgs = specs.map { |spec| Package.new(spec.name, spec.version, Enum::Technology::RUBY) }
           pkgs = GemMetaData.new(pkgs).fetch.filter(&:outdated?)
           DuplicatePackageMerger.new(pkgs).run
         end
 
-        def self.vulnerable
-          pkgs = VulnerabilityFinder.new.run
+        def vulnerable
+          pkgs = VulnerabilityFinder.new(@dir).run
           pkgs = GemMetaData.new(pkgs).fetch.filter(&:vulnerable?)
           DuplicatePackageMerger.new(pkgs).run
         end

data/lib/package/audit/ruby/gem_meta_data.rb

@@ -1,4 +1,4 @@
-require_relative '../package'
+require_relative '../models/package'
 
 module Package
   module Audit

data/lib/package/audit/ruby/vulnerability_finder.rb

@@ -5,12 +5,13 @@ module Package
   module Audit
     module Ruby
       class VulnerabilityFinder
-        def initialize
+        def initialize(dir)
+          @dir = dir
           @vuln_hash = {}
         end
 
         def run
-          json_result = `#{Const::Cmd::BUNDLE_AUDIT_JSON}`
+          json_result = `#{format(Const::Cmd::BUNDLE_AUDIT_JSON, @dir)}`
           vulnerability_json_array = JSON.parse(json_result, symbolize_names: true)[:results]
           vulnerability_json_array.each do |vulnerability_json|
             update_meta_data(vulnerability_json)
@@ -25,7 +26,7 @@ module Package
           version = json[:gem][:version]
           full_name = "#{name}@#{version}"
           vulnerability = json[:advisory][:criticality] || Enum::VulnerabilityType::UNKNOWN
-          @vuln_hash[full_name] = Package.new(name, version) unless @vuln_hash.key? full_name
+          @vuln_hash[full_name] = Package.new(name, version, 'ruby') unless @vuln_hash.key? full_name
           @vuln_hash[full_name].update vulnerabilities: @vuln_hash[full_name].vulnerabilities + [vulnerability]
         end
       end