polariscope 0.2.0 → 0.3.0

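--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: bedcc2db6f82679631ccdd4d7d3b007beaa22421639347301ab37e43796cab9a
-data.tar.gz: fb9904ba457696f0409c7b6162ad99843c8abae2d23d26dfc10391bc306bdd53
+metadata.gz: 1c891a85ae5f5fed5a3cba46ddb78c81657baedfac15bcf31de9002fdae9c6df
+data.tar.gz: 3864c4ecf3833289fb1cb1af30df8316a646f62714962f034e60ab42d0ab11f9
 SHA512:
-metadata.gz: 7c986b31f221691c6de5ffc81d354b07bbd96a2003b5537a8f59d2e74fd1733f39f348be129c6ec9d65b5491131aabda10ee14b8e6a27a55f73dfc7882210c09
-data.tar.gz: 68377f2df1b43e99b9cd2ff88a2b9cfac558246dac6144ea77d011112bcf48b4e44f979a663499e2fdc21e751d1ac333a556dd99630d8073af4f9be6d5142dba
+metadata.gz: c008254c44678d2a936e027e33bba206ac12f48f7350d5aa63f5105e8897713fc851664d46afa02f665f11d53ad4459094b6795e3ba4caefaf58b3918d74fd47
+data.tar.gz: 8e123d4cc077831e1fc252d846655b0994e3f78836affdc11af73ad9df9ae87bedf3c5ead5012be77f6b010d38585172d7e31800f23f86241f68b74cae3c97d2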
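--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## [Unreleased]
 
+## [0.3.0] - 2024-10-17
+
+- Count Ruby advisories towards health score
+
 ## [0.2.0] - 2024-08-23
 
 - Check if audit database is missing or stale (older than 7 weeks) & update if true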
@@ -34,7 +34,7 @@ module Polariscope
34
34
  def gemfile_file
35
35
  @gemfile_file ||= begin
36
36
  file = Tempfile.new('Gemfile')
37
- file.write(gemfile_content.gsub("gemspec\n", ''))
37
+ file.write(gemfile_content.gsub("gemspec\n", '').gsub(/^ruby.*$\R/, ''))
38
38
  file.close
39
39
  file
40
40
  end
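Review bot: The pattern added on line 37, `/^ruby.*$\R/`, is wider than the `ruby` directive it appears to target: it also deletes any Gemfile line that merely starts with `ruby` (a local such as `ruby_version = …`), and because `\R` is mandatory it leaves a `ruby` directive untouched when it is the last line of a Gemfile without a trailing newline. `gsub(/^ruby\b.*$\R?/, '')` narrows the match to the directive and handles the missing-newline case. The reason for stripping the directive is not stated anywhere in the hunk; presumably it is so Bundler does not reject the temp Gemfile on a Ruby version mismatch, and a one-line comment saying so next to the `gsub` chain would save the next reader the guess. `gemfile_file` is shown in full, but its enclosing class and this section's file header are outside the hunk.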
@@ -6,6 +6,7 @@ require 'bundler/audit/database'
6
6
  require 'set'
7
7
  require_relative 'gem_versions'
8
8
  require_relative 'gem_health_score'
9
+ require_relative 'ruby_scanner'
9
10
 
10
11
  module Polariscope
11
12
  module Scanner
@@ -30,6 +31,7 @@ module Polariscope
30
31
  update_audit_database: false, bundler_audit_config_path: ''
31
32
  )
32
33
  @lockfile_parser = Bundler::LockfileParser.new(gemfile_lock_content)
34
+ @ruby_scanner = RubyScanner.new(@lockfile_parser)
33
35
  @gemfile_path = gemfile_path
34
36
  @dependencies = installed_dependencies
35
37
  @gem_priorities = gem_priorities
@@ -54,6 +56,7 @@ module Polariscope
54
56
 
55
57
  attr_reader :dependencies
56
58
  attr_reader :lockfile_parser
59
+ attr_reader :ruby_scanner
57
60
  attr_reader :advisory_penalty_map
58
61
  attr_reader :fallback_advisory_penalty
59
62
  attr_reader :bundler_audit_config_path
@@ -127,6 +130,7 @@ module Polariscope
127
130
 
128
131
  lockfile_parser.specs
129
132
  .flat_map { |gem| database.check_gem(gem).to_a }
133
+ .concat(ruby_scanner.vulnerable_advisories)
130
134
  .reject { |advisory| ignored_advisories.intersect?(advisory.identifiers.to_set) }
131
135
  end
132
136
 
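Review bot: The `RubyScanner` built on line 34 receives only the lockfile parser, so the Ruby advisories appended on line 133 are read from wherever `RubyScanner` resolves the advisory database on its own, while the gem advisories on line 132 come from `database.check_gem`; if `database` is ever constructed from a non-default path, or is refreshed by the `update_audit_database:` option visible at line 31, the two halves of the result can come from different database states. Passing the path explicitly, e.g. `RubyScanner.new(@lockfile_parser, database_path: database.path)`, keeps both checks on the same data; this requires `RubyScanner#initialize` to accept the path, which it does not in this commit. The method containing lines 131–135 starts outside the hunk, so where `database` is defined and whether it is memoized cannot be confirmed here.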
@@ -0,0 +1,45 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'bundler'
4
+ require 'bundler/audit/database'
5
+
6
+ module Polariscope
7
+ module Scanner
8
+ class RubyScanner
9
+ def initialize(lockfile_parser)
10
+ @lockfile_parser = lockfile_parser
11
+ end
12
+
13
+ def version
14
+ lockfile_ruby_version&.gem_version
15
+ end
16
+
17
+ def vulnerable_advisories
18
+ version ? advisories.select { |a| a.vulnerable?(version) } : []
19
+ end
20
+
21
+ private
22
+
23
+ attr_reader :lockfile_parser
24
+ attr_reader :bundler_audit_database
25
+
26
+ def advisories
27
+ cve_paths.map { |path| Bundler::Audit::Advisory.load(path) }
28
+ end
29
+
30
+ # see https://github.com/rubysec/ruby-advisory-db?tab=readme-ov-file#directory-structure
31
+ # and https://github.com/rubysec/bundler-audit/blob/da0eff072a9521dc2995483a8978d5a7dd4e328a/lib/bundler/audit/database.rb#L364
32
+ def cve_paths
33
+ Dir.glob(File.join(Bundler::Audit::Database.path, 'rubies', engine, '*.yml'))
34
+ end
35
+
36
+ def engine
37
+ lockfile_ruby_version.engine
38
+ end
39
+
40
+ def lockfile_ruby_version
41
+ @lockfile_ruby_version ||= Bundler::RubyVersion.from_string(@lockfile_parser.ruby_version)
42
+ end
43
+ end
44
+ end
45
+ end
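Review bot: `attr_reader :bundler_audit_database` on line 24 is never assigned anywhere in this file, so it reads as a leftover and always returns `nil`; either remove it or turn it into the injection point, since `cve_paths` on line 33 hard-codes `Bundler::Audit::Database.path` and therefore cannot be pointed at the database instance the caller already holds. The rewrite below makes the path a keyword argument defaulting to the current behaviour. Separately, `version` returns `gem_version`, the Ruby language version, while `cve_paths` selects the directory by `engine`; for a non-MRI engine such as jruby the advisories under `rubies/<engine>/` are presumably versioned by the engine's own release number, in which case `Bundler::RubyVersion#engine_gem_version` would be the value to compare — confirm against the advisory-db layout linked on line 30. The class also has no doc comment; a two-line header stating that it loads the Ruby-interpreter advisories for the engine and version recorded in the lockfile, and returns `[]` when the lockfile carries no `RUBY VERSION` section, would document the `&.` on line 14.

```ruby
def initialize(lockfile_parser, database_path: Bundler::Audit::Database.path)
  @lockfile_parser = lockfile_parser
  @database_path = database_path
end

# … unchanged: version, vulnerable_advisories, private, attr_reader :lockfile_parser, advisories …

attr_reader :database_path

def cve_paths
  Dir.glob(File.join(database_path, 'rubies', engine, '*.yml'))
end
```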
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Polariscope
4
- VERSION = '0.2.0'
4
+ VERSION = '0.3.0'
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: polariscope
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.0
4
+ version: 0.3.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rails team
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2024-08-23 00:00:00.000000000 Z
11
+ date: 2024-10-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -60,6 +60,7 @@ files:
60
60
  - lib/polariscope/scanner/gem_health_score.rb
61
61
  - lib/polariscope/scanner/gem_versions.rb
62
62
  - lib/polariscope/scanner/gemfile_health_score.rb
63
+ - lib/polariscope/scanner/ruby_scanner.rb
63
64
  - lib/polariscope/version.rb
64
65
  - polariscope.gemspec
65
66
  homepage: https://github.com/infinum/polariscope