RubyGems - polariscope - Versions diffs - 0.2.0 → 0.3.0 - Mend

polariscope 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/lib/polariscope/scanner/codebase_health_score.rb +1 -1
data/lib/polariscope/scanner/gemfile_health_score.rb +4 -0
data/lib/polariscope/scanner/ruby_scanner.rb +45 -0
data/lib/polariscope/version.rb +1 -1
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bedcc2db6f82679631ccdd4d7d3b007beaa22421639347301ab37e43796cab9a
-  data.tar.gz: fb9904ba457696f0409c7b6162ad99843c8abae2d23d26dfc10391bc306bdd53
+  metadata.gz: 1c891a85ae5f5fed5a3cba46ddb78c81657baedfac15bcf31de9002fdae9c6df
+  data.tar.gz: 3864c4ecf3833289fb1cb1af30df8316a646f62714962f034e60ab42d0ab11f9
 SHA512:
-  metadata.gz: 7c986b31f221691c6de5ffc81d354b07bbd96a2003b5537a8f59d2e74fd1733f39f348be129c6ec9d65b5491131aabda10ee14b8e6a27a55f73dfc7882210c09
-  data.tar.gz: 68377f2df1b43e99b9cd2ff88a2b9cfac558246dac6144ea77d011112bcf48b4e44f979a663499e2fdc21e751d1ac333a556dd99630d8073af4f9be6d5142dba
+  metadata.gz: c008254c44678d2a936e027e33bba206ac12f48f7350d5aa63f5105e8897713fc851664d46afa02f665f11d53ad4459094b6795e3ba4caefaf58b3918d74fd47
+  data.tar.gz: 8e123d4cc077831e1fc252d846655b0994e3f78836affdc11af73ad9df9ae87bedf3c5ead5012be77f6b010d38585172d7e31800f23f86241f68b74cae3c97d2

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,9 @@
 ## [Unreleased]
+## [0.3.0] - 2024-10-17
+- Count Ruby advisories towards health score
 ## [0.2.0] - 2024-08-23
 - Check if audit database is missing or stale (older than 7 weeks) & update if true

data/lib/polariscope/scanner/codebase_health_score.rb CHANGED Viewed

@@ -34,7 +34,7 @@ module Polariscope
       def gemfile_file
         @gemfile_file ||= begin
           file = Tempfile.new('Gemfile')
-          file.write(gemfile_content.gsub("gemspec\n", ''))
+          file.write(gemfile_content.gsub("gemspec\n", '').gsub(/^ruby.*$\R/, ''))
           file.close
           file
         end

data/lib/polariscope/scanner/gemfile_health_score.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require 'bundler/audit/database'
 require 'set'
 require_relative 'gem_versions'
 require_relative 'gem_health_score'
+require_relative 'ruby_scanner'
 module Polariscope
   module Scanner
@@ -30,6 +31,7 @@ module Polariscope
         update_audit_database: false, bundler_audit_config_path: ''
       )
         @lockfile_parser = Bundler::LockfileParser.new(gemfile_lock_content)
+        @ruby_scanner = RubyScanner.new(@lockfile_parser)
         @gemfile_path = gemfile_path
         @dependencies = installed_dependencies
         @gem_priorities = gem_priorities
@@ -54,6 +56,7 @@ module Polariscope
       attr_reader :dependencies
       attr_reader :lockfile_parser
+      attr_reader :ruby_scanner
       attr_reader :advisory_penalty_map
       attr_reader :fallback_advisory_penalty
       attr_reader :bundler_audit_config_path
@@ -127,6 +130,7 @@ module Polariscope
         lockfile_parser.specs
                        .flat_map { |gem| database.check_gem(gem).to_a }
+                       .concat(ruby_scanner.vulnerable_advisories)
                        .reject { |advisory| ignored_advisories.intersect?(advisory.identifiers.to_set) }
       end

data/lib/polariscope/scanner/ruby_scanner.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+require 'bundler'
+require 'bundler/audit/database'
+module Polariscope
+  module Scanner
+    class RubyScanner
+      def initialize(lockfile_parser)
+        @lockfile_parser = lockfile_parser
+      end
+      def version
+        lockfile_ruby_version&.gem_version
+      end
+      def vulnerable_advisories
+        version ? advisories.select { |a| a.vulnerable?(version) } : []
+      end
+      private
+      attr_reader :lockfile_parser
+      attr_reader :bundler_audit_database
+      def advisories
+        cve_paths.map { |path| Bundler::Audit::Advisory.load(path) }
+      end
+      # see https://github.com/rubysec/ruby-advisory-db?tab=readme-ov-file#directory-structure
+      # and https://github.com/rubysec/bundler-audit/blob/da0eff072a9521dc2995483a8978d5a7dd4e328a/lib/bundler/audit/database.rb#L364
+      def cve_paths
+        Dir.glob(File.join(Bundler::Audit::Database.path, 'rubies', engine, '*.yml'))
+      end
+      def engine
+        lockfile_ruby_version.engine
+      end
+      def lockfile_ruby_version
+        @lockfile_ruby_version ||= Bundler::RubyVersion.from_string(@lockfile_parser.ruby_version)
+      end
+    end
+  end
+end

data/lib/polariscope/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Polariscope
-  VERSION = '0.2.0'
+  VERSION = '0.3.0'
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: polariscope
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Rails team
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-08-23 00:00:00.000000000 Z
+date: 2024-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -60,6 +60,7 @@ files:
 - lib/polariscope/scanner/gem_health_score.rb
 - lib/polariscope/scanner/gem_versions.rb
 - lib/polariscope/scanner/gemfile_health_score.rb
+- lib/polariscope/scanner/ruby_scanner.rb
 - lib/polariscope/version.rb
 - polariscope.gemspec
 homepage: https://github.com/infinum/polariscope