package-audit 0.5.0 → 0.5.1
- checksums.yaml +4 -4
- data/lib/package/audit/cli.rb +3 -3
- data/lib/package/audit/enum/{environment.rb → group.rb} +2 -2
- data/lib/package/audit/enum/option.rb +1 -1
- data/lib/package/audit/models/package.rb +1 -1
- data/lib/package/audit/npm/yarn_lock_parser.rb +3 -3
- data/lib/package/audit/services/command_parser.rb +2 -13
- data/lib/package/audit/services/package_finder.rb +10 -7
- data/lib/package/audit/services/risk_calculator.rb +2 -2
- data/lib/package/audit/util/summary_printer.rb +1 -1
- data/lib/package/audit/version.rb +1 -1
- data/sig/package/audit/enum/{environment.rbs → group.rbs} +1 -1
- data/sig/package/audit/enum/option.rbs +1 -1
- data/sig/package/audit/services/command_parser.rbs +1 -3
- data/sig/package/audit/services/package_finder.rbs +2 -2
- metadata +5 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3987dbcffb0bef510d5897ad47ec79aa5ba65572c62d1a78003496a44264ca7e
|
4
|
+
data.tar.gz: f2608608cee05dde5a409e9dc6a4c885b208ee7d52cc7d6e745e0d3ccf37d7b7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: baa304f965258c639f7e4bee858da18ddd74bfb83926a66d95ce43367ac5bfcf363e4847dd56c98ed649cda9d7143cbb44bb2015d1c7dc263b73f8942538011e
|
7
|
+
data.tar.gz: a5adfb16e863dacea34dc1d1ca8e4962e76ab984f766d86073f2a5bcfceea9923d2c048ae11487e8a0644d9420025a6dba61f57dede9b6faaf74cd82954f5f52
|
data/lib/package/audit/cli.rb
CHANGED
@@ -15,9 +15,9 @@ module Package
|
|
15
15
|
class_option Enum::Option::CONFIG,
|
16
16
|
aliases: '-c', banner: 'FILE',
|
17
17
|
desc: "Path to a custom configuration file, default: #{Const::File::CONFIG})"
|
18
|
-
class_option Enum::Option::
|
19
|
-
aliases: '-
|
20
|
-
desc: '
|
18
|
+
class_option Enum::Option::GROUP,
|
19
|
+
aliases: '-g', repeatable: true,
|
20
|
+
desc: 'Group to be audited (repeat this flag for each group)'
|
21
21
|
class_option Enum::Option::TECHNOLOGY,
|
22
22
|
aliases: '-t', repeatable: true,
|
23
23
|
desc: 'Technology to be audited (repeat this flag for each technology)'
|
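Review bot: The new `class_option Enum::Option::GROUP` block replaces the previous class_option rather than adding to it (the removed lines are truncated in this render, so the old flag name is not visible here), and this ships in a patch bump from 0.5.0 to 0.5.1. Depending on whether the CLI calls `check_unknown_options!`, an existing invocation that still passes the old flag will either be rejected by Thor or, worse, silently ignored, in which case the audit would run across all groups instead of the intended subset. Consider keeping the old option name as a deprecated alias that maps onto GROUP for one release, or at minimum noting the rename in the changelog and the `desc` text, e.g. `desc: 'Group to be audited (repeat this flag for each group; replaces the former environment option)'`.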
@@ -1,7 +1,7 @@
|
|
1
1
|
module Package
|
2
2
|
module Audit
|
3
3
|
module Enum
|
4
|
-
module
|
4
|
+
module Group
|
5
5
|
DEV = 'development'
|
6
6
|
TEST = 'test'
|
7
7
|
STAGING = 'staging'
|
@@ -9,7 +9,7 @@ module Package
|
|
9
9
|
DEFAULT = 'default'
|
10
10
|
|
11
11
|
def self.all
|
12
|
-
constants.map { |key| Enum::
|
12
|
+
constants.map { |key| Enum::Group.const_get(key) }.sort
|
13
13
|
end
|
14
14
|
end
|
15
15
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
require_relative '../enum/
|
1
|
+
require_relative '../enum/group'
|
2
2
|
|
3
3
|
module Package
|
4
4
|
module Audit
|
@@ -16,9 +16,9 @@ module Package
|
|
16
16
|
version = fetch_package_version(dep_name, pkg_block)
|
17
17
|
pks = Package.new(dep_name.to_s, version, 'node')
|
18
18
|
pks.update groups: if dev_deps.key?(dep_name)
|
19
|
-
[Enum::
|
19
|
+
[Enum::Group::DEV]
|
20
20
|
else
|
21
|
-
[Enum::
|
21
|
+
[Enum::Group::DEFAULT, Enum::Group::DEV]
|
22
22
|
end
|
23
23
|
pkgs << pks
|
24
24
|
end
|
@@ -19,7 +19,7 @@ module Package
|
|
19
19
|
@options = options
|
20
20
|
@report = report
|
21
21
|
@config = parse_config_file
|
22
|
-
@
|
22
|
+
@groups = @options[Enum::Option::GROUP]
|
23
23
|
@technologies = parse_technologies
|
24
24
|
@spinner = Util::Spinner.new('Evaluating packages and their dependencies...')
|
25
25
|
end
|
@@ -32,7 +32,7 @@ module Package
|
|
32
32
|
@spinner.start
|
33
33
|
threads = @technologies.map.with_index do |technology, technology_index|
|
34
34
|
Thread.new do
|
35
|
-
all_pkgs, ignored_pkgs = PackageFinder.new(@config, @dir, @report, @
|
35
|
+
all_pkgs, ignored_pkgs = PackageFinder.new(@config, @dir, @report, @groups).run(technology)
|
36
36
|
ignored_pkgs = [] if @options[Enum::Option::INCLUDE_IGNORED]
|
37
37
|
cumulative_pkgs += all_pkgs || []
|
38
38
|
sleep 0.1 while technology_index != thread_index # print each technology in order
|
@@ -101,17 +101,6 @@ module Package
|
|
101
101
|
end
|
102
102
|
end
|
103
103
|
|
104
|
-
def parse_environments
|
105
|
-
unsupported_technologies = (@options[Enum::Option::ENVIRONMENT] || []) - Enum::Environment.all
|
106
|
-
|
107
|
-
if unsupported_technologies.any?
|
108
|
-
raise ArgumentError, "#{unsupported_technologies} is not valid list of environments, " \
|
109
|
-
"use one of #{Enum::Environment.all}"
|
110
|
-
end
|
111
|
-
|
112
|
-
(@options[Enum::Option::ENVIRONMENT] || Enum::Environment.all) | [Enum::Environment::DEFAULT]
|
113
|
-
end
|
114
|
-
|
115
104
|
def parse_technologies
|
116
105
|
technology_validator = Technology::Validator.new(@dir)
|
117
106
|
@options[Enum::Option::TECHNOLOGY]&.each { |technology| technology_validator.validate! technology }
|
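Review bot: Input validation is lost in this section: the deleted `parse_environments` checked the option values against `Enum::Environment.all` and raised `ArgumentError` on anything unknown, but the replacement in `initialize` (`@groups = @options[Enum::Option::GROUP]`, first hunk of this file) assigns the raw option with no check, while `parse_technologies` directly below still validates its input. A mistyped value such as `-g prod` is now accepted, and given the `(pkg.groups & (@groups | [DEFAULT])).any?` filter in PackageFinder it would quietly exclude every non-default package instead of failing, which is an easy way to get a clean-looking audit of the wrong scope. I would restore the check as a `parse_groups` helper mirroring the removed method, assuming `Enum::Group` is loaded here the way `Enum::Environment` was; `parse_technologies` continues past the end of this hunk.
```ruby
@groups = parse_groups
# … unchanged: rest of initialize …

def parse_groups
  groups = @options[Enum::Option::GROUP]
  return nil if groups.nil?

  unsupported_groups = groups - Enum::Group.all
  if unsupported_groups.any?
    raise ArgumentError, "#{unsupported_groups} is not valid list of groups, " \
                         "use one of #{Enum::Group.all}"
  end

  groups
end
```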
@@ -11,17 +11,17 @@ require 'yaml'
|
|
11
11
|
module Package
|
12
12
|
module Audit
|
13
13
|
class PackageFinder
|
14
|
-
def initialize(config, dir, report,
|
14
|
+
def initialize(config, dir, report, groups)
|
15
15
|
@config = config
|
16
16
|
@dir = dir
|
17
17
|
@report = report
|
18
|
-
@
|
18
|
+
@groups = groups
|
19
19
|
end
|
20
20
|
|
21
21
|
def run(technology)
|
22
22
|
all_pkgs = find_by_technology(technology)
|
23
|
-
|
24
|
-
active_pkgs = all_pkgs -
|
23
|
+
ignored_by_group_pkgs = filter_pkgs_based_on_group(all_pkgs)
|
24
|
+
active_pkgs = all_pkgs - ignored_by_group_pkgs
|
25
25
|
ignored_by_config_pkgs = filter_pkgs_based_on_config(active_pkgs)
|
26
26
|
[active_pkgs, ignored_by_config_pkgs]
|
27
27
|
end
|
@@ -57,12 +57,15 @@ module Package
|
|
57
57
|
ignored_pkgs
|
58
58
|
end
|
59
59
|
|
60
|
-
def
|
60
|
+
def filter_pkgs_based_on_group(pkgs)
|
61
61
|
ignored_pkgs = []
|
62
62
|
|
63
|
-
|
64
|
-
|
63
|
+
unless @groups.nil?
|
64
|
+
pkgs.each do |pkg|
|
65
|
+
ignored_pkgs << pkg unless (pkg.groups & (@groups | [Enum::Group::DEFAULT])).any?
|
66
|
+
end
|
65
67
|
end
|
68
|
+
|
66
69
|
ignored_pkgs
|
67
70
|
end
|
68
71
|
end
|
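Review bot: In `filter_pkgs_based_on_group`, a package whose `groups` list is empty never satisfies `(pkg.groups & (@groups | [Enum::Group::DEFAULT])).any?`, so it is dropped whenever any `-g` value is given; yet `production_dependency?` in risk_calculator.rb (same commit) treats `groups.none?` as production, so if ungrouped packages occur (that `none?` check suggests they do) `-g production` would silently exclude exactly the packages the risk calculator considers production. The two call sites should agree on how an ungrouped package is classified; if the risk calculator's reading is the intended one, the loop body becomes `ignored_pkgs << pkg unless pkg.groups.none? || (pkg.groups & selected_groups).any?`. Independently, the union `@groups | [Enum::Group::DEFAULT]` is recomputed for every package and can be hoisted above the loop as `selected_groups = @groups | [Enum::Group::DEFAULT]`. A one-line comment on the method stating that the default group is always audited regardless of `-g` would also help, since that is the non-obvious part of the predicate.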
@@ -76,8 +76,8 @@ module Package
|
|
76
76
|
end
|
77
77
|
|
78
78
|
def production_dependency?
|
79
|
-
@pkg.groups.none? || (@pkg.groups & [Enum::
|
80
|
-
Enum::
|
79
|
+
@pkg.groups.none? || (@pkg.groups & [Enum::Group::DEFAULT,
|
80
|
+
Enum::Group::PRODUCTION]).any?
|
81
81
|
end
|
82
82
|
end
|
83
83
|
end
|
@@ -84,7 +84,7 @@ module Package
|
|
84
84
|
puts
|
85
85
|
|
86
86
|
puts Util::BashColor.blue('5. Check whether the package is used in production or not.')
|
87
|
-
puts ' If a package is limited to a non-production
|
87
|
+
puts ' If a package is limited to a non-production group:'
|
88
88
|
puts " - cap risk severity to\t -> #{Util::BashColor.yellow('low')} risk"
|
89
89
|
end
|
90
90
|
end
|
@@ -3,7 +3,7 @@ module Package
|
|
3
3
|
class CommandParser
|
4
4
|
@config: Hash[String, untyped]?
|
5
5
|
@dir: String
|
6
|
-
@
|
6
|
+
@groups: Array[String]
|
7
7
|
@spinner: Util::Spinner
|
8
8
|
@options: Hash[String, untyped]
|
9
9
|
@report: Symbol
|
@@ -19,8 +19,6 @@ module Package
|
|
19
19
|
|
20
20
|
def parse_config_file: -> Hash[String, untyped]?
|
21
21
|
|
22
|
-
def parse_environments: -> Array[String]
|
23
|
-
|
24
22
|
def parse_technologies: -> Array[String]
|
25
23
|
|
26
24
|
def print_disclaimer: (String) -> void
|
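Review bot: The signature `@groups: Array[String]` declares the ivar as never nil, but it is assigned straight from `@options[Enum::Option::GROUP]` in CommandParser#initialize and PackageFinder#filter_pkgs_based_on_group guards on `@groups.nil?`, so the runtime type is `Array[String]?`. The same mismatch is in package_finder.rbs in this commit: `@groups: Array[String]` and the fourth parameter of `def initialize: (Hash[String, untyped]?, String, Symbol, Array[String]) -> void` should both be `Array[String]?`, otherwise a type check will not flag a caller that forgets the nil case.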
@@ -4,7 +4,7 @@ module Package
|
|
4
4
|
@config: Hash[String, untyped]?
|
5
5
|
@dir: String
|
6
6
|
@report: Symbol
|
7
|
-
@
|
7
|
+
@groups: Array[String]
|
8
8
|
|
9
9
|
def initialize: (Hash[String, untyped]?, String, Symbol, Array[String]) -> void
|
10
10
|
|
@@ -14,7 +14,7 @@ module Package
|
|
14
14
|
|
15
15
|
def filter_pkgs_based_on_config: (Array[Package]) -> Array[Package]
|
16
16
|
|
17
|
-
def
|
17
|
+
def filter_pkgs_based_on_group: (Array[Package]) -> Array[Package]
|
18
18
|
|
19
19
|
def find_by_technology: (String) -> Array[Package]
|
20
20
|
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: package-audit
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.5.
|
4
|
+
version: 0.5.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tactica Communications Inc.
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-11-
|
11
|
+
date: 2023-11-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler-audit
|
@@ -54,7 +54,7 @@ files:
|
|
54
54
|
- lib/package/audit/const/file.rb
|
55
55
|
- lib/package/audit/const/time.rb
|
56
56
|
- lib/package/audit/const/yaml.rb
|
57
|
-
- lib/package/audit/enum/
|
57
|
+
- lib/package/audit/enum/group.rb
|
58
58
|
- lib/package/audit/enum/option.rb
|
59
59
|
- lib/package/audit/enum/report.rb
|
60
60
|
- lib/package/audit/enum/risk_explanation.rb
|
@@ -94,7 +94,7 @@ files:
|
|
94
94
|
- sig/package/audit/const/file.rbs
|
95
95
|
- sig/package/audit/const/time.rbs
|
96
96
|
- sig/package/audit/const/yaml.rbs
|
97
|
-
- sig/package/audit/enum/
|
97
|
+
- sig/package/audit/enum/group.rbs
|
98
98
|
- sig/package/audit/enum/option.rbs
|
99
99
|
- sig/package/audit/enum/report.rbs
|
100
100
|
- sig/package/audit/enum/risk_explanation.rbs
|
@@ -150,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
150
150
|
- !ruby/object:Gem::Version
|
151
151
|
version: '0'
|
152
152
|
requirements: []
|
153
|
-
rubygems_version: 3.4.
|
153
|
+
rubygems_version: 3.4.21
|
154
154
|
signing_key:
|
155
155
|
specification_version: 4
|
156
156
|
summary: A helper tool to find outdated, deprecated and vulnerable dependencies.
|