pronto-bundler_audit 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2873f35b21834bcf629f9dc4f6d3f03dd951d53c57f7fb243bd2a3bbf07cc86d
-  data.tar.gz: 4fee93d0072331bae4923cef0e0ce8b25cd16eafc6c87e85bb00cfdc21f37c2d
+  metadata.gz: 4f5e3d57ee3196408dfa094d7f049418ab9cde1547b8d895b4850b89e4b3eddf
+  data.tar.gz: 2faf2c8e0b126fa1158ace92f13c4e5db196ebccb909b8cdececf63a7ad8f427
 SHA512:
-  metadata.gz: 301d7d5be5569acf52a7111f810ad23eb1e44518be8cfd55ae6bce85145fba559afc78f3cfe59717a1f272db6abb29cb52fc862c9b9ebcc7227ac1d579efb75c
-  data.tar.gz: e250e59a4754b6b313d32d3c9a45b98b4d825af5b50b897ef902749f4cfd882094599ad12a0d0f2b494b484eed98fa87f1f9f18eec262ccda66047e0aa3302dd
+  metadata.gz: 547da0556ee2b901ab926f3e886f36d0098e3f142eb570cfa2e4fb50f656f49afdecfa696158e1ec9ca4df1c3a204aee5b204c7a0f012bbcf90490ee2279983b
+  data.tar.gz: 1d2e0812b77939c079c5f68fbbbccdf3e45522be2971705a462bc6eabe22e11c68312ea4dda66b416eb1171147ee88edf297ad5871e730ac65b7ddea80335be1

data/.gitignore

@@ -1,5 +1,6 @@
 /*.gem
 /.bundle/
+/.DS_Store
 /.yardoc
 /_yardoc/
 /coverage/

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+### 0.2.0 - 2019-04-30
+- Fix conditional for running Bundle Audit scans -- was always running even if there was nothing to run on in a given Pronto::Patches set
+
 ### 0.1.1 - 2019-04-29
 - Add line number to Pronto::Message; fixes GitHub API usage error when attempting to add errors to PR comments
 - Add gem version requirements to gemspec

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    pronto-bundler_audit (0.1.1)
+    pronto-bundler_audit (0.2.0)
       bundler-audit (~> 0)
       pronto (~> 0)
 
@@ -18,6 +18,7 @@ GEM
       thor (~> 0.18)
     byebug (11.0.1)
     coderay (1.1.2)
+    docile (1.3.1)
     faraday (0.15.4)
       multipart-post (>= 1.2, < 3)
     gitlab (4.11.0)
@@ -27,6 +28,8 @@ GEM
       mime-types (~> 3.0)
       multi_xml (>= 0.5.2)
     jaro_winkler (1.5.2)
+    json (2.2.0)
+    metaclass (0.0.4)
     method_source (0.9.2)
     mime-types (3.2.2)
       mime-types-data (~> 3.2015)
@@ -37,6 +40,8 @@ GEM
       builder
       minitest (>= 5.0)
       ruby-progressbar
+    mocha (1.8.0)
+      metaclass (~> 0.0.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
     octokit (4.14.0)
@@ -72,6 +77,11 @@ GEM
     sawyer (0.8.1)
       addressable (>= 2.3.5, < 2.6)
       faraday (~> 0.8, < 1.0)
+    simplecov (0.16.1)
+      docile (~> 1.1)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
@@ -85,11 +95,13 @@ DEPENDENCIES
   byebug (~> 11)
   minitest (~> 5)
   minitest-reporters (~> 1)
+  mocha (~> 1)
   pronto-bundler_audit!
   pry (~> 0)
   pry-byebug (~> 3)
   rake (~> 12)
-  rubocop (~> 0)
+  rubocop (>= 0.67.2, < 1)
+  simplecov (~> 0.16)
 
 BUNDLED WITH
    2.0.1

data/README.md

@@ -1,13 +1,18 @@
+[![Gem Version](https://badge.fury.io/rb/pronto-bundler_audit.svg)](https://badge.fury.io/rb/pronto-bundler_audit)
+[![Build Status](https://travis-ci.org/pdobb/pronto-bundler_audit.svg?branch=master)](https://travis-ci.org/pdobb/pronto-bundler_audit)
+[![Maintainability](https://api.codeclimate.com/v1/badges/7ac01a6a6eace46487d9/maintainability)](https://codeclimate.com/github/pdobb/pronto-bundler_audit/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/7ac01a6a6eace46487d9/test_coverage)](https://codeclimate.com/github/pdobb/pronto-bundler_audit/test_coverage)
+
 # Pronto::BundlerAudit
 
 Pronto runner for [bundler-audit](https://github.com/rubysec/bundler-audit), patch-level verification for bundler. [What is Pronto?](https://github.com/prontolabs/pronto)
 
 ## Installation
 
-Add this line to your application's Gemfile:
+Add this line to the `development` group of your application's Gemfile:
 
 ```ruby
-gem 'pronto-bundler_audit'
+gem 'pronto-bundler_audit', require: false
 ```
 
 And then execute:
@@ -18,9 +23,38 @@ Or install it yourself as:
 
     $ gem install pronto-bundler_audit
 
+## Compatibility
+
+Tested MRI Ruby Versions:
+* 2.3
+* 2.4
+* 2.5
+* 2.6
+* edge
+
 ## Usage
 
-This runner will run automatically when [running Pronto](https://github.com/prontolabs/pronto#usage).
+Once installed as a gem, this runner activate automatically when [running Pronto](https://github.com/prontolabs/pronto#usage) -- no configuration is required.
+
+### Examples
+
+#### Local Pronto Run
+
+```bash
+$ time pronto run -c=development --runner bundler_audit
+Running Pronto::BundlerAudit
+Gemfile.lock: E: Gem: bootstrap-sass v3.4.0 | Medium Advisory: XSS vulnerability in bootstrap-sass -- CVE-2019-8331 (https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/) | Solution: Upgrade to >= 3.4.1.
+
+real  0m1.417s
+user  0m0.773s
+sys 0m0.252s
+```
+
+#### Github Pull Request - Checks
+![Github Check](images/github-check.png)
+
+#### Github Pull Request - Comments
+![Github Comment](images/github-comment.png)
 
 ## Development
 
@@ -28,6 +62,11 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+## TODO
+
+* Add more tests
+* Add configuration for compact vs expanded advisories reporting
+
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/pdobb/pronto-bundler_audit.

data/lib/pronto/bundler_audit/patch_handler.rb

@@ -0,0 +1,165 @@
+module Pronto
+  class BundlerAudit < Runner
+    # Pronto::BundlerAudit::PatchHandler runs Bundle Audit on the given patch
+    # and returns an Array of Pronto::Message objects if any advisories are
+    # found.
+    class PatchHandler
+      def initialize(patch, runner:)
+        @patch = patch
+        @runner = runner
+      end
+
+      # @return (see: #run_scan)
+      def call
+        update_ruby_advisory_db
+        run_scan
+      end
+
+      private
+
+      def update_ruby_advisory_db
+        Bundler::Audit::Database.update!(quiet: true)
+      end
+
+      # @return [Array>] if no advisories were found
+      # @return [Array<Pronto::Message>] if advisories were found
+      def run_scan
+        scanner = Bundler::Audit::Scanner.new
+
+        scanner.scan.inject([]) do |acc, scan_result|
+          acc << process_scan_result(scan_result)
+        end
+      end
+
+      def process_scan_result(scan_result)
+        case scan_result
+        when Bundler::Audit::Scanner::InsecureSource
+          report_insecure_source_scan_result
+        when Bundler::Audit::Scanner::UnpatchedGem
+          report_unpatched_gem_scan_result(scan_result)
+        else
+          raise ArgumentError, "unexpected type: #{scan_result.class}"
+        end
+      end
+
+      def report_insecure_source_scan_result(scan_result)
+        build_warning_message(
+          "Insecure Source URI found: #{scan_result.source}")
+      end
+
+      def report_unpatched_gem_scan_result(scan_result)
+        advisory =
+          AdvisoryFormatter.new(
+            gem: scan_result.gem, advisory: scan_result.advisory)
+        message = advisory.to_compact_s
+        line = find_relevant_line(advisory)
+
+        build_error_message(message, line: line)
+      end
+
+      # @return [Pronto::Git::Line]
+      def find_relevant_line(advisory)
+        first_added_line_for_affected_gem_name(advisory.gem_name)
+      end
+
+      # @return [Pronto::Git::Line]
+      def first_added_line_for_affected_gem_name(gem_name)
+        @patch.added_lines.detect { |line| line.content.include?(gem_name) }
+      end
+
+      def build_warning_message(message)
+        build_message(message, level: :warning)
+      end
+
+      def build_error_message(message, line:)
+        build_message(message, level: :error, line: line)
+      end
+
+      def build_message(message, level:, line:)
+        Message.new(
+          GEMFILE_LOCK_FILENAME, line, level, message, nil, @runner.class)
+      end
+
+      # Pronto::BundlerAudit::PatchHandler::AdvisoryFormatter is a message
+      # formatter for the given gem object and Bundler::Audit::Advisory#advisory
+      # object.
+      class AdvisoryFormatter
+        # param gem [Bundler::LazySpecification]
+        # param advisory [Bundler::Audit::Advisory]
+        def initialize(gem:, advisory:)
+          @gem = gem
+          @advisory = advisory
+        end
+
+        def to_s
+          [
+            "Name: #{gem_name}",
+            "Version: #{gem_version}",
+            "Advisory: #{advisory_description}",
+            "Criticality: #{advisory_criticality}",
+            "URL: #{advisory_url}",
+            "Title: #{advisory_title}",
+            "Solution: #{advisory_solution}"
+          ].join("\n")
+        end
+
+        def to_compact_s
+          [
+            "Gem: #{gem_name} v#{gem_version}",
+            "#{advisory_criticality} Advisory: #{advisory_title} -- "\
+              "#{advisory_description} (#{advisory_url})",
+            "Solution: #{advisory_solution}"
+          ].join(" | ")
+        end
+
+        def gem_name
+          @gem.name
+        end
+
+        private
+
+        def gem_version
+          @gem.version
+        end
+
+        def advisory_description
+          if @advisory.cve
+            "CVE-#{@advisory.cve}"
+          elsif @advisory.osvdb
+            @advisory.osvdb
+          end
+        end
+
+        def advisory_criticality
+          str = @advisory.criticality.to_s.capitalize
+          str = "Unknown" if str.empty?
+          str
+        end
+
+        def advisory_url
+          @advisory.url
+        end
+
+        def advisory_title
+          @advisory.title
+        end
+
+        def advisory_solution
+          if any_patched_versions?
+            "Upgrade to #{patched_versions}."
+          else
+            "Remove or disable this gem until a patch is available!"
+          end
+        end
+
+        def patched_versions
+          @advisory.patched_versions.join(', ')
+        end
+
+        def any_patched_versions?
+          !@advisory.patched_versions.empty?
+        end
+      end
+    end
+  end
+end

data/lib/pronto/bundler_audit/version.rb

@@ -1,5 +1,6 @@
 module Pronto
-  module BundlerAudit
-    VERSION = "0.1.1"
+  # Pronto::BundlerAuditVersion
+  module BundlerAuditVersion
+    VERSION = "0.2.0"
   end
 end

data/lib/pronto/bundler_audit.rb

@@ -1,6 +1,8 @@
 require "pronto"
 require "bundler/audit/database"
 require "bundler/audit/scanner"
+require "pronto/bundler_audit/version"
+require "pronto/bundler_audit/patch_handler"
 
 module Pronto
   # Pronto::BundlerAudit is a Pronto::Runner that:
@@ -8,22 +10,24 @@ module Pronto
   #    Gemfile.lock)
   # 2. Updates the Ruby Advisory Database
   # 3. Runs bundle-audit to scan the Gemfile.lock
-  # 4. Returns an Array of Pronto::Message objects if any issues are found
+  # 4. Returns an Array of Pronto::Message objects if any advisories are found
   class BundlerAudit < Runner
     GEMFILE_LOCK_FILENAME = "Gemfile.lock".freeze
 
     def run
       patch = find_relevant_patch
 
-      patch_handler = PatchHandler.new(patch, runner: self)
-      patch_handler.call
+      if patch
+        patch_handler = PatchHandler.new(patch, runner: self)
+        patch_handler.call
+      end
     end
 
     private
 
     def find_relevant_patch
-      @patches.reverse_each { |patch|
-        break patch if patch.additions > 0 && relevant_patch_path?(patch)
+      @patches.reverse.detect { |patch|
+        patch.additions > 0 && relevant_patch_path?(patch)
       }
     end
 
@@ -31,164 +35,5 @@ module Pronto
       patch_path = patch.new_file_full_path.to_s
       patch_path.end_with?(GEMFILE_LOCK_FILENAME)
     end
-
-    # Pronto::BundlerAudit::PatchHandler run Bundle Audit on the given patch
-    # and returns an Array of Pronto::Message objects, if any issues are found.
-    class PatchHandler
-      def initialize(patch, runner:)
-        @patch = patch
-        @runner = runner
-      end
-
-      # @return (see: #run_scan)
-      def call
-        update_ruby_advisory_db
-        run_scan
-      end
-
-      private
-
-      def update_ruby_advisory_db
-        Bundler::Audit::Database.update!(quiet: true)
-      end
-
-      # @return [Array>] if no issues were found
-      # @return [Array<Pronto::Message>] if issues were found
-      def run_scan
-        scanner = Bundler::Audit::Scanner.new
-
-        scanner.scan.inject([]) do |acc, scan_result|
-          acc << process_scan_result(scan_result)
-        end
-      end
-
-      def process_scan_result(scan_result)
-        case scan_result
-        when Bundler::Audit::Scanner::InsecureSource
-          report_insecure_source_scan_result
-        when Bundler::Audit::Scanner::UnpatchedGem
-          report_unpatched_gem_scan_result(scan_result)
-        end
-      end
-
-      def report_insecure_source_scan_result(scan_result)
-        build_warning_message(
-          "Insecure Source URI found: #{scan_result.source}")
-      end
-
-      def report_unpatched_gem_scan_result(scan_result)
-        advisory =
-          AdvisoryFormatter.new(
-            gem: scan_result.gem, advisory: scan_result.advisory)
-        message = advisory.to_compact_s
-        line = find_relevant_line(advisory)
-
-        build_error_message(message, line: line)
-      end
-
-      # @return [Pronto::Git::Line]
-      def find_relevant_line(advisory)
-        first_added_line_for_affected_gem_name(advisory.gem_name)
-      end
-
-      # @return [Pronto::Git::Line]
-      def first_added_line_for_affected_gem_name(gem_name)
-        @patch.added_lines.detect { |line| line.content.include?(gem_name) }
-      end
-
-      def build_warning_message(message)
-        build_message(message, level: :warning)
-      end
-
-      def build_error_message(message, line:)
-        build_message(message, level: :error, line: line)
-      end
-
-      def build_message(message, level:, line:)
-        Message.new(
-          GEMFILE_LOCK_FILENAME, line, level, message, nil, @runner.class)
-      end
-
-      # Pronto::BundlerAudit::PatchHandler::AdvisoryFormatter is a message
-      # formatter for the given gem object and Bundler::Audit::Advisory#advisory
-      # object.
-      class AdvisoryFormatter
-        # param gem [Bundler::LazySpecification]
-        # param advisory [Bundler::Audit::Advisory]
-        def initialize(gem:, advisory:)
-          @gem = gem
-          @advisory = advisory
-        end
-
-        def to_s
-          [
-            "Name: #{gem_name}",
-            "Version: #{gem_version}",
-            "Advisory: #{advisory_description}",
-            "Criticality: #{advisory_criticality}",
-            "URL: #{advisory_url}",
-            "Title: #{advisory_title}",
-            "Solution: #{advisory_solution}"
-          ].join("\n")
-        end
-
-        def to_compact_s
-          [
-            "Gem: #{gem_name} v#{gem_version}",
-            "#{advisory_criticality} Advisory: #{advisory_title} -- "\
-              "#{advisory_description} (#{advisory_url})",
-            "Solution: #{advisory_solution}"
-          ].join(" | ")
-        end
-
-        def gem_name
-          @gem.name
-        end
-
-        private
-
-        def gem_version
-          @gem.version
-        end
-
-        def advisory_description
-          if @advisory.cve
-            "CVE-#{@advisory.cve}"
-          elsif @advisory.osvdb
-            @advisory.osvdb
-          end
-        end
-
-        def advisory_criticality
-          str = @advisory.criticality.to_s.capitalize
-          str = "Unknown" if str.empty?
-          str
-        end
-
-        def advisory_url
-          @advisory.url
-        end
-
-        def advisory_title
-          @advisory.title
-        end
-
-        def advisory_solution
-          if any_patched_versions?
-            "Upgrade to #{patched_versions}."
-          else
-            "Remove or disable this gem until a patch is available!"
-          end
-        end
-
-        def patched_versions
-          @advisory.patched_versions.join(', ')
-        end
-
-        def any_patched_versions?
-          !@advisory.patched_versions.empty?
-        end
-      end
-    end
   end
 end

data/pronto-bundler_audit.gemspec

@@ -1,11 +1,10 @@
-
 lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require "pronto/bundler_audit/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "pronto-bundler_audit"
-  spec.version       = Pronto::BundlerAudit::VERSION
+  spec.version       = Pronto::BundlerAuditVersion::VERSION
   spec.authors       = ["Paul Dobbins"]
   spec.email         = ["paul.dobbins@icloud.com"]
 
@@ -42,9 +41,10 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "byebug", "~> 11"
   spec.add_development_dependency "minitest", "~> 5"
   spec.add_development_dependency "minitest-reporters", "~> 1"
+  spec.add_development_dependency "mocha", "~> 1"
   spec.add_development_dependency "pry", "~> 0"
   spec.add_development_dependency "pry-byebug", "~> 3"
   spec.add_development_dependency "rake", "~> 12"
-  spec.add_development_dependency "rubocop", "~> 0"
-  # spec.add_development_dependency "simplecov", "~> 0.16"
+  spec.add_development_dependency "rubocop", ">= 0.67.2", "< 1"
+  spec.add_development_dependency "simplecov", "~> 0.16"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pronto-bundler_audit
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Paul Dobbins
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-04-29 00:00:00.000000000 Z
+date: 2019-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pronto
@@ -94,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1'
+- !ruby/object:Gem::Dependency
+  name: mocha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -138,18 +152,38 @@ dependencies:
         version: '12'
 - !ruby/object:Gem::Dependency
   name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.67.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.67.2
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.16'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.16'
 description: 
 email:
 - paul.dobbins@icloud.com
@@ -167,7 +201,10 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- images/github-check.png
+- images/github-comment.png
 - lib/pronto/bundler_audit.rb
+- lib/pronto/bundler_audit/patch_handler.rb
 - lib/pronto/bundler_audit/version.rb
 - pronto-bundler_audit.gemspec
 homepage: http://github.com/pdobb/pronto-bundler_audit