package-audit 0.3.0 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b01c3c377fec4245b836119f812bbacc6ceac724ed3c64da348f0b97481fd2a1
-  data.tar.gz: ceec2dc5e451fbe9ece1b915e35f790ed2ef60efb18fb3130ccc876e1eb7237c
+  metadata.gz: 637173ee31a102187a23134942d6df2245d6b7785708747c85029d5fdf2045c0
+  data.tar.gz: d30d4aad7dd1ff9a39348db8125fe991e9877a537eec6962883885f788e79438
 SHA512:
-  metadata.gz: '0438ecb657dcaf116dc0048b89a9de474785d88e868f68f306521e917045651b525f49c8a6b802fda8401e8ff795f02b79c0be627fd337dc5eff4dcd48eaf128'
-  data.tar.gz: 38f68c6e7251196f2a526d4affcbb1487760615dd6947a3bd11b20f6ed0f791bac762a1327741b7c31e72ffa6a6b44471fdcfa98c0e0135d5d77b1751729ce80
+  metadata.gz: 187e2559f65548b13eded61cbcc0679e4ddbf99e46484f7ce3a8ae1ddf71d8c095c224dab43aaf3366cc918105a8df4310a2991b69b1a64a23735bd20308f727
+  data.tar.gz: 1b452b5db99d6434d475b04adfa91ac4c49dd934211d160a4a9a4d49dafade42e59b7ac2a2162ba344169bc70f74632ffcd466dcfdef5dc99a7379dace932940

data/lib/package/audit/cli.rb

@@ -1,11 +1,8 @@
+require_relative 'const/file'
 require_relative 'const/time'
+require_relative 'enum/option'
+require_relative 'services/command_parser'
 require_relative 'version'
-require_relative 'util/summary_printer'
-require_relative 'ruby/bundler_specs'
-require_relative 'printer'
-require_relative 'ruby/gem_collection'
-require_relative 'npm/node_collection'
-require_relative 'command_service'
 
 require 'json'
 require 'thor'
@@ -15,57 +12,52 @@ module Package
     class CLI < Thor
       default_task :report
 
+      class_option Enum::Option::CONFIG,
+                   aliases: '-c', banner: 'FILE',
+                   desc: "Path to a custom configuration file, default: #{Const::File::CONFIG})"
+      class_option Enum::Option::TECHNOLOGY,
+                   aliases: '-t', repeatable: true,
+                   desc: 'Technology to be audited (repeat this flag for each technology)'
+      class_option Enum::Option::INCLUDE_IGNORED,
+                   type: :boolean, default: false,
+                   desc: 'Include packages ignored by a configuration file'
+      class_option Enum::Option::CSV,
+                   type: :boolean, default: false,
+                   desc: 'Output reports using comma separated values (CSV)'
+      class_option Enum::Option::CSV_EXCLUDE_HEADERS,
+                   type: :boolean, default: false,
+                   desc: "Hide headers when using the --#{Enum::Option::CSV} option"
+
+      map '-v' => :version
       map '--version' => :version
 
       desc 'report [DIR]', 'Show a report of potentially deprecated, outdated or vulnerable packages'
-      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
-      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
-
       def report(dir = Dir.pwd)
-        # within_rescue_block do
-        exit CommandService.new(dir, options).all
-        # end
+        within_rescue_block { exit CommandParser.new(dir, options, Enum::Report::ALL).run }
       end
 
       desc 'deprecated [DIR]',
            "Show packages with no updates by author for at least #{Const::Time::YEARS_ELAPSED_TO_BE_OUTDATED} years"
-      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
-      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
-
       def deprecated(dir = Dir.pwd)
-        within_rescue_block do
-          exit CommandService.new(dir, options).deprecated
-        end
+        within_rescue_block { exit CommandParser.new(dir, options, Enum::Report::DEPRECATED).run }
       end
 
       desc 'outdated [DIR]', 'Show packages that are out of date'
-      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
-      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
-
       def outdated(dir = Dir.pwd)
-        within_rescue_block do
-          exit CommandService.new(dir, options).outdated
-        end
+        within_rescue_block { exit CommandParser.new(dir, options, Enum::Report::OUTDATED).run }
       end
 
       desc 'vulnerable [DIR]', 'Show packages and their dependencies that have security vulnerabilities'
-      method_option :csv, type: :boolean, default: false, desc: 'Output using comma separated values (CSV)'
-      method_option :'exclude-headers', type: :boolean, default: false, desc: 'Hide headers if when using CSV'
-
       def vulnerable(dir = Dir.pwd)
-        within_rescue_block do
-          exit CommandService.new(dir, options).vulnerable
-        end
+        within_rescue_block { exit CommandParser.new(dir, options, Enum::Report::VULNERABLE).run }
       end
 
       desc 'risk', 'Print information on how risk is calculated'
-
       def risk
         Util::SummaryPrinter.risk
       end
 
       desc 'version', 'Print the currently installed version of the package-audit gem'
-
       def version
         puts "package-audit #{VERSION}"
       end
@@ -74,6 +66,14 @@ module Package
         true
       end
 
+      def method_missing(command, *args)
+        invoke :report, [command], args
+      end
+
+      def respond_to_missing?
+        true
+      end
+
       private
 
       def within_rescue_block

data/lib/package/audit/const/fields.rb

@@ -2,7 +2,7 @@ module Package
   module Audit
     module Const
       module Fields
-        ALL = %i[
+        AVAILABLE = %i[
           name
           version
           version_date
@@ -14,15 +14,15 @@ module Package
           risk_explanation
         ]
 
-        REPORT = %i[name version latest_version latest_version_date groups vulnerabilities risk_type risk_explanation]
-        VULNERABLE = %i[name version latest_version groups vulnerabilities]
+        ALL = %i[name version latest_version latest_version_date groups vulnerabilities risk_type risk_explanation]
+        DEPRECATED = %i[name version latest_version latest_version_date groups]
         OUTDATED = %i[name version latest_version latest_version_date groups]
+        VULNERABLE = %i[name version latest_version groups vulnerabilities]
 
         # the names of these fields must match the instance variables in the Dependency class
         HEADERS = {
           name: 'Package',
           version: 'Version',
-          version_date: 'Date',
           latest_version: 'Latest',
           latest_version_date: 'Latest Date',
           groups: 'Groups',

data/lib/package/audit/const/file.rb

@@ -2,6 +2,7 @@ module Package
   module Audit
     module Const
       module File
+        CONFIG = '.package-audit.yml'
         GEMFILE = 'Gemfile'
         GEMFILE_LOCK = 'Gemfile.lock'
         PACKAGE_JSON = 'package.json'

data/lib/package/audit/const/yaml.rb

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Const
+      module YAML
+        DEPRECATED = 'deprecated'
+        OUTDATED = 'outdated'
+        VULNERABLE = 'vulnerable'
+        TECHNOLOGY = 'technology'
+        VERSION = 'version'
+      end
+    end
+  end
+end

data/lib/package/audit/enum/option.rb

@@ -0,0 +1,13 @@
+module Package
+  module Audit
+    module Enum
+      module Option
+        CONFIG = 'config'
+        CSV = 'csv'
+        CSV_EXCLUDE_HEADERS = 'exclude-headers'
+        INCLUDE_IGNORED = 'include-ignored'
+        TECHNOLOGY = 'technology'
+      end
+    end
+  end
+end

data/lib/package/audit/enum/report.rb

@@ -0,0 +1,12 @@
+module Package
+  module Audit
+    module Enum
+      module Report
+        ALL = :all
+        DEPRECATED = :deprecated
+        OUTDATED = :outdated
+        VULNERABLE = :vulnerable
+      end
+    end
+  end
+end

data/lib/package/audit/enum/technology.rb

@@ -0,0 +1,14 @@
+module Package
+  module Audit
+    module Enum
+      module Technology
+        NODE = 'node'
+        RUBY = 'ruby'
+
+        def self.all
+          constants.map { |key| Enum::Technology.const_get(key) }.sort
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/formatter/risk.rb

@@ -1,5 +1,5 @@
-require_relative 'base'
 require_relative '../util/bash_color'
+require_relative 'base'
 
 module Package
   module Audit

data/lib/package/audit/formatter/version.rb

@@ -1,5 +1,5 @@
-require_relative 'base'
 require_relative '../util/bash_color'
+require_relative 'base'
 
 module Package
   module Audit

data/lib/package/audit/formatter/version_date.rb

@@ -1,6 +1,6 @@
-require_relative 'base'
 require_relative '../const/time'
 require_relative '../util/bash_color'
+require_relative 'base'
 
 require 'time'
 

data/lib/package/audit/formatter/vulnerability.rb

@@ -1,6 +1,6 @@
-require_relative 'base'
 require_relative '../enum/vulnerability_type'
 require_relative '../util/bash_color'
+require_relative 'base'
 
 module Package
   module Audit

data/lib/package/audit/{package.rb → models/package.rb}

@@ -1,18 +1,19 @@
+require_relative '../enum/environment'
+require_relative '../enum/risk_explanation'
+require_relative '../enum/risk_type'
+require_relative '../services/risk_calculator'
 require_relative 'risk'
-require_relative 'risk_calculator'
-require_relative 'enum/environment'
-require_relative 'enum/risk_type'
-require_relative 'enum/risk_explanation'
 
 module Package
   module Audit
     class Package
-      attr_reader :name, :version
+      attr_reader :name, :version, :technology
       attr_accessor :groups, :version_date, :latest_version, :latest_version_date, :vulnerabilities
 
-      def initialize(name, version, **attr)
+      def initialize(name, version, technology, **attr)
         @name = name.to_s
         @version = version.to_s
+        @technology = technology.to_s
         @groups = []
         @vulnerabilities = []
         @risks = []

data/lib/package/audit/npm/node_collection.rb

@@ -1,18 +1,29 @@
-require_relative 'yarn_lock_parser'
+require_relative '../const/file'
+require_relative '../services/duplicate_package_merger'
 require_relative 'npm_meta_data'
 require_relative 'vulnerability_finder'
-require_relative '../duplicate_package_merger'
+require_relative 'yarn_lock_parser'
 
 module Package
   module Audit
     module Npm
       class NodeCollection
-        PACKAGE_JSON = 'package.json'
-        PACKAGE_LOCK = 'package-lock.json'
-        YARN_LOCK = 'yarn.lock'
-
-        def initialize(dir)
+        def initialize(dir, report)
           @dir = dir
+          @report = report
+        end
+
+        def fetch
+          case @report
+          when Enum::Report::DEPRECATED
+            deprecated
+          when Enum::Report::OUTDATED
+            outdated
+          when Enum::Report::VULNERABLE
+            vulnerable
+          else
+            all
+          end
         end
 
         def all
@@ -44,7 +55,7 @@ module Package
         private
 
         def fetch_from_package_json
-          package_json = JSON.parse(File.read("#{@dir}/#{PACKAGE_JSON}"), symbolize_names: true)
+          package_json = JSON.parse(File.read("#{@dir}/#{Const::File::PACKAGE_JSON}"), symbolize_names: true)
           default_deps = package_json[:dependencies] || {}
           dev_deps = package_json[:devDependencies] || {}
           [default_deps, dev_deps]
@@ -52,8 +63,8 @@ module Package
 
         def fetch_from_lock_file
           default_deps, dev_deps = fetch_from_package_json
-          if File.exist?("#{@dir}/#{YARN_LOCK}")
-            YarnLockParser.new("#{@dir}/#{YARN_LOCK}").fetch(default_deps || {}, dev_deps || {})
+          if File.exist?("#{@dir}/#{Const::File::YARN_LOCK}")
+            YarnLockParser.new("#{@dir}/#{Const::File::YARN_LOCK}").fetch(default_deps || {}, dev_deps || {})
           else
             []
           end

data/lib/package/audit/npm/vulnerability_finder.rb

@@ -34,7 +34,7 @@ module Package
           full_name = "#{name}@#{version}"
           vulnerability = advisory[:severity] || Enum::VulnerabilityType::UNKNOWN
 
-          @vuln_hash[full_name] = Package.new(name, version) unless @vuln_hash.key? full_name
+          @vuln_hash[full_name] = Package.new(name, version, 'node') unless @vuln_hash.key? full_name
           @vuln_hash[full_name].update vulnerabilities: @vuln_hash[full_name].vulnerabilities + [vulnerability]
           @vuln_hash[full_name].update groups: @pkg_hash[parent_name].groups
         end

data/lib/package/audit/npm/yarn_lock_parser.rb

@@ -12,7 +12,7 @@ module Package
           default_deps.merge(dev_deps).each do |dep_name, expected_version|
             pkg_block = fetch_package_block(dep_name, expected_version)
             version = fetch_package_version(dep_name, pkg_block)
-            pks = Package.new(dep_name.to_s, version)
+            pks = Package.new(dep_name.to_s, version, 'node')
             pks.update groups: dev_deps.key?(dep_name) ? %i[development] : %i[default development]
             pkgs << pks
           end
@@ -22,7 +22,7 @@ module Package
         private
 
         def fetch_package_block(dep_name, expected_version)
-          regex = /#{Regexp.escape(dep_name)}@#{Regexp.escape(expected_version)}.*?:.*?(\n\n|\z)/m
+          regex = regex_pattern_for_package(dep_name, expected_version)
           blocks = @yarn_lock_file.match(regex)
           if blocks.nil? || blocks[0].nil?
             raise NoMatchingPatternError, "Unable to find \"#{dep_name}\" in #{@yarn_lock_path}"
@@ -40,6 +40,17 @@ module Package
 
           version || '0.0.0.0'
         end
+
+        def regex_pattern_for_package(dep_name, version)
+          # assume the package name is prefixed by a space, a quote or be the first thing on the line
+          # there can be multiple comma-separated versions on the same line with or without quotes
+          # Here are some examples of strings that would be matched:
+          # - aria-query@^5.0.0:
+          # - lodash@^4.17.15, lodash@^4.17.20:
+          # - "@adobe/css-tools@^4.0.1":
+          # - "@babel/runtime@^7.23.1", "@babel/runtime@^7.9.2":
+          /(?:^|[ "])#{Regexp.escape(dep_name)}@#{Regexp.escape(version)}.*?:.*?(\n\n|\z)/m
+        end
       end
     end
   end

data/lib/package/audit/ruby/bundler_specs.rb

@@ -1,4 +1,4 @@
-require_relative '../package'
+require_relative '../models/package'
 require_relative 'gem_meta_data'
 require_relative 'vulnerability_finder'
 

data/lib/package/audit/ruby/gem_collection.rb

@@ -1,18 +1,35 @@
-require_relative 'bundler_specs'
+require_relative '../enum/report'
 require_relative '../enum/risk_type'
-require_relative '../duplicate_package_merger'
+require_relative '../services/duplicate_package_merger'
+require_relative 'bundler_specs'
 
 module Package
   module Audit
     module Ruby
       class GemCollection
-        def initialize(dir)
+        def initialize(dir, report)
           @dir = dir
+          @report = report
         end
 
+        def fetch
+          case @report
+          when Enum::Report::DEPRECATED
+            deprecated
+          when Enum::Report::OUTDATED
+            outdated
+          when Enum::Report::VULNERABLE
+            vulnerable
+          else
+            all
+          end
+        end
+
+        private
+
         def all
           specs = BundlerSpecs.gemfile(@dir)
-          pkgs = specs.map { |spec| Package.new(spec.name, spec.version) }
+          pkgs = specs.map { |spec| Package.new(spec.name, spec.version, Enum::Technology::RUBY) }
           vulnerable_pkgs = VulnerabilityFinder.new(@dir).run
           pkgs = GemMetaData.new(pkgs + vulnerable_pkgs).fetch.filter(&:risk?)
           DuplicatePackageMerger.new(pkgs).run
@@ -20,14 +37,14 @@ module Package
 
         def deprecated
           specs = BundlerSpecs.gemfile(@dir)
-          pkgs = specs.map { |spec| Package.new(spec.name, spec.version) }
+          pkgs = specs.map { |spec| Package.new(spec.name, spec.version, Enum::Technology::RUBY) }
           pkgs = GemMetaData.new(pkgs).fetch.filter(&:deprecated?)
           DuplicatePackageMerger.new(pkgs).run
         end
 
         def outdated(include_implicit: false)
           specs = include_implicit ? BundlerSpecs.all(@dir) : BundlerSpecs.gemfile(@dir)
-          pkgs = specs.map { |spec| Package.new(spec.name, spec.version) }
+          pkgs = specs.map { |spec| Package.new(spec.name, spec.version, Enum::Technology::RUBY) }
           pkgs = GemMetaData.new(pkgs).fetch.filter(&:outdated?)
           DuplicatePackageMerger.new(pkgs).run
         end

data/lib/package/audit/ruby/gem_meta_data.rb

@@ -1,4 +1,4 @@
-require_relative '../package'
+require_relative '../models/package'
 
 module Package
   module Audit

data/lib/package/audit/ruby/vulnerability_finder.rb

@@ -26,7 +26,7 @@ module Package
           version = json[:gem][:version]
           full_name = "#{name}@#{version}"
           vulnerability = json[:advisory][:criticality] || Enum::VulnerabilityType::UNKNOWN
-          @vuln_hash[full_name] = Package.new(name, version) unless @vuln_hash.key? full_name
+          @vuln_hash[full_name] = Package.new(name, version, 'ruby') unless @vuln_hash.key? full_name
           @vuln_hash[full_name].update vulnerabilities: @vuln_hash[full_name].vulnerabilities + [vulnerability]
         end
       end

data/lib/package/audit/services/command_parser.rb

@@ -0,0 +1,103 @@
+require_relative '../const/cmd'
+require_relative '../const/file'
+require_relative '../enum/option'
+require_relative '../enum/report'
+require_relative '../technology/detector'
+require_relative '../technology/validator'
+require_relative '../util/summary_printer'
+require_relative 'package_finder'
+require_relative 'package_printer'
+
+require 'yaml'
+
+module Package
+  module Audit
+    class CommandParser
+      def initialize(dir, options, report)
+        @dir = dir
+        @options = options
+        @report = report
+        @config = parse_config_file
+        @technologies = parse_technologies
+      end
+
+      def run
+        cumulative_pkgs = []
+
+        @technologies.each do |technology|
+          all_pkgs, ignored_pkgs = PackageFinder.new(@config, @dir, @report).run(technology)
+          ignored_pkgs = [] if @options[Enum::Option::INCLUDE_IGNORED]
+          cumulative_pkgs << all_pkgs
+          print_results(technology, (all_pkgs || []) - (ignored_pkgs || []), ignored_pkgs || [])
+        end
+
+        cumulative_pkgs.any?
+      end
+
+      private
+
+      def print_results(technology, pkgs, ignored_pkgs)
+        PackagePrinter.new(@options, pkgs).print(report_fields)
+        print_summary(technology, pkgs, ignored_pkgs) unless @options[Enum::Option::CSV]
+        print_disclaimer(technology) unless @options[Enum::Option::CSV] || pkgs.empty?
+      end
+
+      def print_summary(technology, pkgs, ignored_pkgs)
+        if @report == Enum::Report::ALL
+          Util::SummaryPrinter.statistics(technology, @report, pkgs, ignored_pkgs)
+        else
+          Util::SummaryPrinter.total(technology, @report, pkgs, ignored_pkgs)
+        end
+      end
+
+      def print_disclaimer(technology)
+        case @report
+        when Enum::Report::DEPRECATED
+          Util::SummaryPrinter.deprecated
+        when Enum::Report::ALL, Enum::Report::VULNERABLE
+          Util::SummaryPrinter.vulnerable(technology, learn_more_command(technology))
+        end
+      end
+
+      def learn_more_command(technology)
+        case technology
+        when Enum::Technology::RUBY
+          Const::Cmd::BUNDLE_AUDIT
+        when Enum::Technology::NODE
+          Const::Cmd::YARN_AUDIT
+        else
+          raise ArgumentError, "Unexpected technology \"#{technology}\" found in #{__method__}"
+        end
+      end
+
+      def report_fields
+        case @report
+        when Enum::Report::DEPRECATED
+          Const::Fields::DEPRECATED
+        when Enum::Report::OUTDATED
+          Const::Fields::OUTDATED
+        when Enum::Report::VULNERABLE
+          Const::Fields::VULNERABLE
+        else
+          Const::Fields::ALL
+        end
+      end
+
+      def parse_config_file
+        if @options[Enum::Option::CONFIG].nil?
+          YAML.load_file("#{@dir}/#{Const::File::CONFIG}") if File.exist? "#{@dir}/#{Const::File::CONFIG}"
+        elsif File.exist? @options[Enum::Option::CONFIG]
+          YAML.load_file(@options[Enum::Option::CONFIG])
+        else
+          raise ArgumentError, "Configuration file not found: #{@options[Enum::Option::CONFIG]}"
+        end
+      end
+
+      def parse_technologies
+        technology_validator = Technology::Validator.new(@dir)
+        @options[Enum::Option::TECHNOLOGY]&.each { |technology| technology_validator.validate! technology }
+        @options[Enum::Option::TECHNOLOGY] || Technology::Detector.new(@dir).detect
+      end
+    end
+  end
+end

data/lib/package/audit/services/package_filter.rb

@@ -0,0 +1,39 @@
+require_relative '../const/cmd'
+require_relative '../const/file'
+require_relative '../const/yaml'
+require_relative '../enum/technology'
+require_relative '../ruby/gem_collection'
+
+require 'yaml'
+
+module Package
+  module Audit
+    class PackageFilter
+      def initialize(config)
+        @config = config
+      end
+
+      def ignored?(pkg)
+        pkg_yaml = pkg_yaml_from_config(pkg)
+        pkg_version_in_config?(pkg, pkg_yaml) && ignore_package?(pkg, pkg_yaml)
+      end
+
+      private
+
+      def pkg_yaml_from_config(pkg)
+        yaml_fragment = @config&.dig(Const::YAML::TECHNOLOGY, pkg.technology, pkg.name)&.to_yaml
+        yaml_fragment.nil? ? nil : YAML.safe_load(yaml_fragment)
+      end
+
+      def pkg_version_in_config?(pkg, yaml)
+        yaml&.dig(Const::YAML::VERSION) == pkg.version
+      end
+
+      def ignore_package?(pkg, yaml)
+        (!pkg.deprecated? || yaml&.dig(Const::YAML::DEPRECATED) == false) &&
+          (!pkg.outdated? || yaml&.dig(Const::YAML::OUTDATED) == false) &&
+          (!pkg.vulnerable? || yaml&.dig(Const::YAML::VULNERABLE) == false)
+      end
+    end
+  end
+end

data/lib/package/audit/services/package_finder.rb

@@ -0,0 +1,58 @@
+require_relative '../const/cmd'
+require_relative '../const/file'
+require_relative '../const/yaml'
+require_relative '../enum/technology'
+require_relative '../npm/node_collection'
+require_relative '../ruby/gem_collection'
+require_relative 'package_filter'
+
+require 'yaml'
+
+module Package
+  module Audit
+    class PackageFinder
+      def initialize(config, dir, report)
+        @config = config
+        @dir = dir
+        @report = report
+      end
+
+      def run(technology)
+        all_pkgs = find_by_technology(technology)
+        ignored_pkgs = filter_pkgs_based_on_config(all_pkgs)
+        [all_pkgs, ignored_pkgs]
+      end
+
+      private
+
+      def find_by_technology(technology)
+        case technology
+        when Enum::Technology::RUBY
+          find_ruby
+        when Enum::Technology::NODE
+          find_node
+        else
+          []
+        end
+      end
+
+      def find_node
+        Npm::NodeCollection.new(@dir, @report).fetch
+      end
+
+      def find_ruby
+        Ruby::GemCollection.new(@dir, @report).fetch
+      end
+
+      def filter_pkgs_based_on_config(pkgs)
+        package_filter = PackageFilter.new(@config)
+        ignored_pkgs = []
+
+        pkgs.each do |pkg|
+          ignored_pkgs << pkg if package_filter.ignored?(pkg)
+        end
+        ignored_pkgs
+      end
+    end
+  end
+end