package-audit 0.5.0 → 0.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/package/audit/cli.rb +3 -3
- data/lib/package/audit/enum/{environment.rb → group.rb} +2 -2
- data/lib/package/audit/enum/option.rb +1 -1
- data/lib/package/audit/models/package.rb +1 -1
- data/lib/package/audit/npm/yarn_lock_parser.rb +3 -3
- data/lib/package/audit/services/command_parser.rb +2 -13
- data/lib/package/audit/services/package_finder.rb +10 -7
- data/lib/package/audit/services/risk_calculator.rb +2 -2
- data/lib/package/audit/util/summary_printer.rb +1 -1
- data/lib/package/audit/version.rb +1 -1
- data/sig/package/audit/enum/{environment.rbs → group.rbs} +1 -1
- data/sig/package/audit/enum/option.rbs +1 -1
- data/sig/package/audit/services/command_parser.rbs +1 -3
- data/sig/package/audit/services/package_finder.rbs +2 -2
- metadata +5 -5
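--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3987dbcffb0bef510d5897ad47ec79aa5ba65572c62d1a78003496a44264ca7e
+data.tar.gz: f2608608cee05dde5a409e9dc6a4c885b208ee7d52cc7d6e745e0d3ccf37d7b7
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: baa304f965258c639f7e4bee858da18ddd74bfb83926a66d95ce43367ac5bfcf363e4847dd56c98ed649cda9d7143cbb44bb2015d1c7dc263b73f8942538011e
+data.tar.gz: a5adfb16e863dacea34dc1d1ca8e4962e76ab984f766d86073f2a5bcfceea9923d2c048ae11487e8a0644d9420025a6dba61f57dede9b6faaf74cd82954f5f52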
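--- a/data/lib/package/audit/cli.rb
+++ b/data/lib/package/audit/cli.rb
@@ -15,9 +15,9 @@ module Package
 class_option Enum::Option::CONFIG,
 aliases: '-c', banner: 'FILE',
 desc: "Path to a custom configuration file, default: #{Const::File::CONFIG})"
-class_option Enum::Option::
-aliases: '-
-desc: '
+class_option Enum::Option::GROUP,
+aliases: '-g', repeatable: true,
+desc: 'Group to be audited (repeat this flag for each group)'
 class_option Enum::Option::TECHNOLOGY,
 aliases: '-t', repeatable: true,
 desc: 'Technology to be audited (repeat this flag for each technology)'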
@@ -1,7 +1,7 @@
|
|
1
1
|
module Package
|
2
2
|
module Audit
|
3
3
|
module Enum
|
4
|
-
module
|
4
|
+
module Group
|
5
5
|
DEV = 'development'
|
6
6
|
TEST = 'test'
|
7
7
|
STAGING = 'staging'
|
@@ -9,7 +9,7 @@ module Package
|
|
9
9
|
DEFAULT = 'default'
|
10
10
|
|
11
11
|
def self.all
|
12
|
-
constants.map { |key| Enum::
|
12
|
+
constants.map { |key| Enum::Group.const_get(key) }.sort
|
13
13
|
end
|
14
14
|
end
|
15
15
|
end
|
@@ -1,4 +1,4 @@
|
|
1
|
-
require_relative '../enum/
|
1
|
+
require_relative '../enum/group'
|
2
2
|
|
3
3
|
module Package
|
4
4
|
module Audit
|
@@ -16,9 +16,9 @@ module Package
|
|
16
16
|
version = fetch_package_version(dep_name, pkg_block)
|
17
17
|
pks = Package.new(dep_name.to_s, version, 'node')
|
18
18
|
pks.update groups: if dev_deps.key?(dep_name)
|
19
|
-
[Enum::
|
19
|
+
[Enum::Group::DEV]
|
20
20
|
else
|
21
|
-
[Enum::
|
21
|
+
[Enum::Group::DEFAULT, Enum::Group::DEV]
|
22
22
|
end
|
23
23
|
pkgs << pks
|
24
24
|
end
|
@@ -19,7 +19,7 @@ module Package
|
|
19
19
|
@options = options
|
20
20
|
@report = report
|
21
21
|
@config = parse_config_file
|
22
|
-
@
|
22
|
+
@groups = @options[Enum::Option::GROUP]
|
23
23
|
@technologies = parse_technologies
|
24
24
|
@spinner = Util::Spinner.new('Evaluating packages and their dependencies...')
|
25
25
|
end
|
@@ -32,7 +32,7 @@ module Package
|
|
32
32
|
@spinner.start
|
33
33
|
threads = @technologies.map.with_index do |technology, technology_index|
|
34
34
|
Thread.new do
|
35
|
-
all_pkgs, ignored_pkgs = PackageFinder.new(@config, @dir, @report, @
|
35
|
+
all_pkgs, ignored_pkgs = PackageFinder.new(@config, @dir, @report, @groups).run(technology)
|
36
36
|
ignored_pkgs = [] if @options[Enum::Option::INCLUDE_IGNORED]
|
37
37
|
cumulative_pkgs += all_pkgs || []
|
38
38
|
sleep 0.1 while technology_index != thread_index # print each technology in order
|
@@ -101,17 +101,6 @@ module Package
|
|
101
101
|
end
|
102
102
|
end
|
103
103
|
|
104
|
-
def parse_environments
|
105
|
-
unsupported_technologies = (@options[Enum::Option::ENVIRONMENT] || []) - Enum::Environment.all
|
106
|
-
|
107
|
-
if unsupported_technologies.any?
|
108
|
-
raise ArgumentError, "#{unsupported_technologies} is not valid list of environments, " \
|
109
|
-
"use one of #{Enum::Environment.all}"
|
110
|
-
end
|
111
|
-
|
112
|
-
(@options[Enum::Option::ENVIRONMENT] || Enum::Environment.all) | [Enum::Environment::DEFAULT]
|
113
|
-
end
|
114
|
-
|
115
104
|
def parse_technologies
|
116
105
|
technology_validator = Technology::Validator.new(@dir)
|
117
106
|
@options[Enum::Option::TECHNOLOGY]&.each { |technology| technology_validator.validate! technology }
|
@@ -11,17 +11,17 @@ require 'yaml'
|
|
11
11
|
module Package
|
12
12
|
module Audit
|
13
13
|
class PackageFinder
|
14
|
-
def initialize(config, dir, report,
|
14
|
+
def initialize(config, dir, report, groups)
|
15
15
|
@config = config
|
16
16
|
@dir = dir
|
17
17
|
@report = report
|
18
|
-
@
|
18
|
+
@groups = groups
|
19
19
|
end
|
20
20
|
|
21
21
|
def run(technology)
|
22
22
|
all_pkgs = find_by_technology(technology)
|
23
|
-
|
24
|
-
active_pkgs = all_pkgs -
|
23
|
+
ignored_by_group_pkgs = filter_pkgs_based_on_group(all_pkgs)
|
24
|
+
active_pkgs = all_pkgs - ignored_by_group_pkgs
|
25
25
|
ignored_by_config_pkgs = filter_pkgs_based_on_config(active_pkgs)
|
26
26
|
[active_pkgs, ignored_by_config_pkgs]
|
27
27
|
end
|
@@ -57,12 +57,15 @@ module Package
|
|
57
57
|
ignored_pkgs
|
58
58
|
end
|
59
59
|
|
60
|
-
def
|
60
|
+
def filter_pkgs_based_on_group(pkgs)
|
61
61
|
ignored_pkgs = []
|
62
62
|
|
63
|
-
|
64
|
-
|
63
|
+
unless @groups.nil?
|
64
|
+
pkgs.each do |pkg|
|
65
|
+
ignored_pkgs << pkg unless (pkg.groups & (@groups | [Enum::Group::DEFAULT])).any?
|
66
|
+
end
|
65
67
|
end
|
68
|
+
|
66
69
|
ignored_pkgs
|
67
70
|
end
|
68
71
|
end
|
@@ -76,8 +76,8 @@ module Package
|
|
76
76
|
end
|
77
77
|
|
78
78
|
def production_dependency?
|
79
|
-
@pkg.groups.none? || (@pkg.groups & [Enum::
|
80
|
-
Enum::
|
79
|
+
@pkg.groups.none? || (@pkg.groups & [Enum::Group::DEFAULT,
|
80
|
+
Enum::Group::PRODUCTION]).any?
|
81
81
|
end
|
82
82
|
end
|
83
83
|
end
|
@@ -84,7 +84,7 @@ module Package
|
|
84
84
|
puts
|
85
85
|
|
86
86
|
puts Util::BashColor.blue('5. Check whether the package is used in production or not.')
|
87
|
-
puts ' If a package is limited to a non-production
|
87
|
+
puts ' If a package is limited to a non-production group:'
|
88
88
|
puts " - cap risk severity to\t -> #{Util::BashColor.yellow('low')} risk"
|
89
89
|
end
|
90
90
|
end
|
@@ -3,7 +3,7 @@ module Package
|
|
3
3
|
class CommandParser
|
4
4
|
@config: Hash[String, untyped]?
|
5
5
|
@dir: String
|
6
|
-
@
|
6
|
+
@groups: Array[String]
|
7
7
|
@spinner: Util::Spinner
|
8
8
|
@options: Hash[String, untyped]
|
9
9
|
@report: Symbol
|
@@ -19,8 +19,6 @@ module Package
|
|
19
19
|
|
20
20
|
def parse_config_file: -> Hash[String, untyped]?
|
21
21
|
|
22
|
-
def parse_environments: -> Array[String]
|
23
|
-
|
24
22
|
def parse_technologies: -> Array[String]
|
25
23
|
|
26
24
|
def print_disclaimer: (String) -> void
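Review bot: `@groups: Array[String]` is declared non-nil, but the value is taken directly from `@options[Enum::Option::GROUP]`, which is absent when `-g` is not passed, and `PackageFinder#filter_pkgs_based_on_group` explicitly guards on `@groups.nil?`; the signature should be `@groups: Array[String]?`. The same applies to the `@groups` ivar and the fourth parameter of `initialize` in the PackageFinder signature file below, `def initialize: (Hash[String, untyped]?, String, Symbol, Array[String]?) -> void`, otherwise the type checker accepts call sites that never handle the nil branch. The `class CommandParser` declaration continues outside the hunk.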
|
@@ -4,7 +4,7 @@ module Package
|
|
4
4
|
@config: Hash[String, untyped]?
|
5
5
|
@dir: String
|
6
6
|
@report: Symbol
|
7
|
-
@
|
7
|
+
@groups: Array[String]
|
8
8
|
|
9
9
|
def initialize: (Hash[String, untyped]?, String, Symbol, Array[String]) -> void
|
10
10
|
|
@@ -14,7 +14,7 @@ module Package
|
|
14
14
|
|
15
15
|
def filter_pkgs_based_on_config: (Array[Package]) -> Array[Package]
|
16
16
|
|
17
|
-
def
|
17
|
+
def filter_pkgs_based_on_group: (Array[Package]) -> Array[Package]
|
18
18
|
|
19
19
|
def find_by_technology: (String) -> Array[Package]
|
20
20
|
|
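--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: package-audit
 version: !ruby/object:Gem::Version
-version: 0.5.
+version: 0.5.1
 platform: ruby
 authors:
 - Tactica Communications Inc.
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-11-
+date: 2023-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler-audit
@@ -54,7 +54,7 @@ files:
 - lib/package/audit/const/file.rb
 - lib/package/audit/const/time.rb
 - lib/package/audit/const/yaml.rb
-- lib/package/audit/enum/
+- lib/package/audit/enum/group.rb
 - lib/package/audit/enum/option.rb
 - lib/package/audit/enum/report.rb
 - lib/package/audit/enum/risk_explanation.rb
@@ -94,7 +94,7 @@ files:
 - sig/package/audit/const/file.rbs
 - sig/package/audit/const/time.rbs
 - sig/package/audit/const/yaml.rbs
-- sig/package/audit/enum/
+- sig/package/audit/enum/group.rbs
 - sig/package/audit/enum/option.rbs
 - sig/package/audit/enum/report.rbs
 - sig/package/audit/enum/risk_explanation.rbs
@@ -150,7 +150,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.4.
+rubygems_version: 3.4.21
 signing_key:
 specification_version: 4
 summary: A helper tool to find outdated, deprecated and vulnerable dependencies.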