pronto-bundler_audit 0.3.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2a6328fffd859750def2c69f570ea970ecc44aa1b31362dfa03b5933cde49201
-  data.tar.gz: c6c226e11867996c7d19d53089a31e20b87acaebe3593713f11d310f7e1b602b
+  metadata.gz: 8112a836fbdf9cfbedc584f8a6f6546da622fea402df4be5e6a21b883504377e
+  data.tar.gz: 1e2c2c4e8144bc9c1dbc8d2c84887a0419d95570e357b92054ff73400517c095
 SHA512:
-  metadata.gz: df67a7343d90292e9b15fdfeb6c75eab64b76b27a98ee1feffb3ac9b2c1ef3f0e20822048a595018904d19655c8c82142635644409e01faaee3fa313fccc5826
-  data.tar.gz: 167db3c4bfbd04bec6b25d519f0fd060809de610f899d8e3cc166601baac28ffcc512129ab02496305899df4b7f192fc77a274352f4cc2fcdfcb8f6c846e5edb
+  metadata.gz: c92d25f870b348a78b3f52f16d4fd839b14c4f96a10ad59f803a27a4891160c6249ed397a7d28ce52068bf01be4c609f85a8e106710c97ab9fd10aa096455c4d
+  data.tar.gz: 9e12deff351a41433d0386567c46e3240a06ca71ccc7eb588ff15b95916be62221678705255619b906f1c7272c4e54f832cad10a1d7e9eb44903ded29fe885c1

data/.rubocop.yml

@@ -129,6 +129,9 @@ Style/FormatString:
 Style/Lambda:
   EnforcedStyle: literal
 
+Style/LambdaCall:
+  Enabled: false # Allow ServiceObject.(*). Only use on classes, not instances.
+
 Style/NumericPredicate:
   Enabled: false # Trying to be welcoming to earlier versions of Ruby.
   # AutoCorrect: true

data/.travis.yml

@@ -4,14 +4,13 @@ env:
 sudo: false
 language: ruby
 rvm:
-  - 2.3
   - 2.4
   - 2.5
   - 2.6
   - ruby-head
 notifications:
   email: false
-before_install: gem install bundler -v 2.0.1
+before_install: gem install bundler -v 2.0.2 --no-document
 cache: bundler
 before_script:
   - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter

data/CHANGELOG.md

@@ -1,3 +1,33 @@
+### 0.7.0 - 2021-04-29
+- [#11](https://github.com/pdobb/pronto-bundler_audit/pull/11)
+  - Attempted Fix for `NoMethodError: undefined method 'line' for #<Pronto::BundlerAudit::Results::ProntoMessagesAdapter::DeepLine...>`
+- [#10](https://github.com/pdobb/pronto-bundler_audit/pull/10) Pronto 0.11.0 compatibility
+  - Fix Pronto -> GitHub call :publish_pull_request_comments instead of :create_pull_request_review
+
+#### NOTE:
+This version requires pronto 0.11+ and bundler-audit 0.8+. Use v0.6.0 if you cannot update pronto and bundler-audit at this time.
+
+### 0.6.1 - 2021-04-08
+- Unreleased... see 0.7.0 instead.
+
+### 0.6.0 - 2019-11-30
+- [#7](https://github.com/pdobb/pronto-bundler_audit/pull/7) Add configurability via .pronto-bundler_audit.yml file
+  - For now, the only configuration available is ignoring advisories in the bundler_audit scan. See the [README](https://github.com/pdobb/pronto-bundler_audit#configuration).
+
+### 0.5.1 - 2019-10-24
+- Fix Pronto -> GitHub reporting errors
+  - If Gemfile.lock is not in the PR then Pronto would fail when attempting to create a comment on the Gemfile.lock file withing the PR.
+    - Note: This issue isn't fully fixed yet, but at least doesn't fail flat out.
+      - To fully fix: would like to still add a PR-level comment with CVE issue(s) instead of requiring the user to dig into their CI output to see the CVE issue(s).
+
+### 0.5.0 - 2019-07-31
+- Fix Pronto -> GitHub reporting errors
+  - Thanks to Inestor for the [bug report](https://github.com/pdobb/pronto-bundler_audit/issues/2).
+  - Credit for the approach taken here goes to to os6sense and [his hard work](https://github.com/pdobb/pronto-bundler_audit/pull/4/files)
+
+### 0.4.0 - 2019-05-08
+- Remove patch-level processing... just always scan Gemfile.lock when this runner is invoked.
+
 ### 0.3.0 - 2019-05-03
 - Internal rewrite into smaller objects with full test coverage
 - Switch to using the verbose advisory formatter by default
@@ -13,6 +43,5 @@
 - Add line number to Pronto::Message; fixes GitHub API usage error when attempting to add errors to PR comments
 - Add gem version requirements to gemspec
 
-
 ### 0.1.0 - 2019-04-28
 - Initial release!

data/Gemfile.lock

@@ -1,89 +1,100 @@
 PATH
   remote: .
   specs:
-    pronto-bundler_audit (0.3.0)
-      bundler-audit (~> 0)
-      pronto (~> 0)
+    pronto-bundler_audit (0.7.0)
+      bundler-audit (~> 0.8)
+      pronto (~> 0.11)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
     ansi (1.5.0)
     ast (2.4.0)
     builder (3.2.3)
-    bundler-audit (0.6.1)
+    bundler-audit (0.8.0)
       bundler (>= 1.2.0, < 3)
-      thor (~> 0.18)
+      thor (~> 1.0)
     byebug (11.0.1)
     coderay (1.1.2)
-    docile (1.3.1)
-    faraday (0.15.4)
+    docile (1.3.2)
+    faraday (1.4.1)
+      faraday-excon (~> 1.1)
+      faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.1)
       multipart-post (>= 1.2, < 3)
-    gitlab (4.11.0)
-      httparty (~> 0.14, >= 0.14.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-excon (1.1.0)
+    faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.1.0)
+    gitlab (4.17.0)
+      httparty (~> 0.18)
       terminal-table (~> 1.5, >= 1.5.1)
-    httparty (0.17.0)
+    httparty (0.18.1)
       mime-types (~> 3.0)
       multi_xml (>= 0.5.2)
-    jaro_winkler (1.5.2)
-    json (2.2.0)
+    jaro_winkler (1.5.3)
+    json (2.3.1)
     method_source (0.9.2)
-    mime-types (3.2.2)
+    mime-types (3.3.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2019.0331)
+    mime-types-data (3.2021.0225)
     minitest (5.11.3)
     minitest-reporters (1.3.6)
       ansi
       builder
       minitest (>= 5.0)
       ruby-progressbar
-    much-stub (0.1.0)
+    much-stub (0.1.1)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
-    octokit (4.14.0)
+    multipart-post (2.1.1)
+    octokit (4.21.0)
+      faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
     parallel (1.17.0)
     parser (2.6.3.0)
       ast (~> 2.4.0)
-    pronto (0.10.0)
-      gitlab (~> 4.0, >= 4.0.0)
+    pronto (0.11.0)
+      gitlab (~> 4.4, >= 4.4.0)
       httparty (>= 0.13.7)
       octokit (~> 4.7, >= 4.7.0)
       rainbow (>= 2.2, < 4.0)
-      rugged (~> 0.24, >= 0.23.0)
-      thor (~> 0.20.0)
+      rexml (~> 3.2)
+      rugged (>= 0.23.0, < 1.1.0)
+      thor (>= 0.20.3, < 2.0)
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
     pry-byebug (3.7.0)
       byebug (~> 11.0)
       pry (~> 0.10)
-    public_suffix (3.0.3)
+    public_suffix (4.0.6)
     rainbow (3.0.0)
-    rake (12.3.2)
-    rubocop (0.68.1)
+    rake (12.3.3)
+    rexml (3.2.5)
+    rubocop (0.73.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
-      parser (>= 2.5, != 2.5.1.1)
+      parser (>= 2.6)
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.6)
-    ruby-progressbar (1.10.0)
-    rugged (0.28.1)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    ruby-progressbar (1.10.1)
+    ruby2_keywords (0.0.4)
+    rugged (1.0.1)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
-    simplecov (0.16.1)
+    simplecov (0.17.0)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
-    thor (0.20.3)
-    unicode-display_width (1.5.0)
+    thor (1.1.0)
+    unicode-display_width (1.6.0)
 
 PLATFORMS
   ruby
@@ -102,4 +113,4 @@ DEPENDENCIES
   simplecov (~> 0.16)
 
 BUNDLED WITH
-   2.0.1
+   2.2.16

data/README.md

@@ -1,3 +1,8 @@
+# Maintainer needed
+
+Unfortunately, I (@pdobb) am no longer working on any projects and, therefore, don't have a good way to test fixes. There are probably numerous fixes needed right now as pronto 0.11.0 has been recently released and since there is no proper API for using pronto's internals, each update to pronto will likely mean breaking changes in gems such as this one. But, probably... especially this one. This gem attempts to do something that pronto isn't made for: examine code from a file that isn't necessarily contained within the diff that pronto is analyzing. Most of pronto-bundler_audit is attempting to solve this problem by overriding the pronto API  with custom adapter objects standing in for Pronto-native object.
+
+
 [![Gem Version](https://badge.fury.io/rb/pronto-bundler_audit.svg)](https://badge.fury.io/rb/pronto-bundler_audit)
 [![Build Status](https://travis-ci.org/pdobb/pronto-bundler_audit.svg?branch=master)](https://travis-ci.org/pdobb/pronto-bundler_audit)
 [![Maintainability](https://api.codeclimate.com/v1/badges/7ac01a6a6eace46487d9/maintainability)](https://codeclimate.com/github/pdobb/pronto-bundler_audit/maintainability)
@@ -26,35 +31,83 @@ Or install it yourself as:
 ## Compatibility
 
 Tested MRI Ruby Versions:
-* 2.3
 * 2.4
 * 2.5
 * 2.6
 * edge
 
+NOTE: pronto-bundler_audit v0.7.0 requires pronto v0.11+ and bundler-audit v0.8+. Use pronto-bundler_audit v0.6.0 if you cannot update pronto and bundler-audit at this time.
+
 ## Usage
 
-Once installed as a gem, this runner activate automatically when [running Pronto](https://github.com/prontolabs/pronto#usage) -- no configuration is required.
+Once installed as a gem, this runner activates automatically when [running Pronto](https://github.com/prontolabs/pronto#usage) -- no configuration is required.
 
-### Examples
+Note: Unlike most Pronto runners, pronto-bundler_audit will always scan Gemfile.lock whenever Pronto is run. That is, this runner does not only run against patches/diffs made on Gemfile.lock. The point is to find issues/advisories on every Pronto run, not just when Gemfile.lock has been updated. Because, otherwise, this gem  wouldn't really help us find vulnerabilities in a project's gems in a timely fashion.
 
-#### Local Pronto Run
+## Configuration
+
+Configuration of the pronto-bundler_audit gem is available by creating a YAML file on the project root, called `.pronto-bundler_audit.yml`.
+
+Available configuration options include:
+
+```yaml
+Advisories:
+  # Send the following advisory names to bundler_audit's `ignored` option.
+  Ignore:
+    - CVE-YYYY-####1
+    - CVE-YYYY-####2
+```
+
+The above acts the same as running `bundle-audit check --ignore CVE-YYYY-####1 CVE-YYYY-####2`.
+
+
+## Examples
+
+### Local Pronto Run
+
+#### Compact Mode
 
 ```bash
-$ time pronto run -c=development --runner bundler_audit
+$ pronto run -c=master --runner bundler_audit
 Running Pronto::BundlerAudit
 Gemfile.lock: E: Gem: bootstrap-sass v3.4.0 | Medium Advisory: XSS vulnerability in bootstrap-sass -- CVE-2019-8331 (https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/) | Solution: Upgrade to >= 3.4.1.
+```
+
+#### Verbose Mode
 
-real  0m1.417s
-user  0m0.773s
-sys 0m0.252s
+```bash
+$ pronto run -c=master --runner bundler_audit
+Running Pronto::BundlerAudit
+Gemfile.lock: E: Name: bootstrap-sass
+Version: 3.4.0
+Advisory: CVE-2019-8331
+Criticality: Medium
+URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
+Title: XSS vulnerability in bootstrap-sass
+Solution: Upgrade to >= 3.4.1.
 ```
 
+#### Continuous Integration Output
+
+![CI Output](images/ci-output.png)
+
+
 #### Github Pull Request - Checks
+
 ![Github Check](images/github-check.png)
 
 #### Github Pull Request - Comments
-![Github Comment](images/github-comment.png)
+
+#### Verbose Mode
+
+![Github Comment - Verbose](images/github-comment-verbose.png)
+
+#### Compact Mode
+
+Note: Not yet available by configuration.
+
+![Github Comment - Compact](images/github-comment-compact.png)
+
 
 ## Development
 
@@ -62,6 +115,11 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+### Testing
+
+GitHub integration testing isn't easy. I have created a test app for myself at: https://github.com/pdobb/pronto-bundler_audit_test_app.
+
+
 ## TODO
 
 * Add configuration for compact vs expanded advisories reporting

data/lib/formatter/github_pull_request_review_formatter.rb

@@ -0,0 +1,36 @@
+module Pronto
+  module Formatter
+    # Pronto::Formatter::GithubPullRequestReviewFormatter comes from the
+    # Pronto gem itself.
+    #
+    # # Note: Ignore `method redefined` warnings on these methods.
+    #
+    # The methods below are feature overrides to:
+    #   1. prevent the {#line_number} class from failing if none of the patches
+    #      contain the `message.line.new_lineno` value found. Which can happen
+    #      in the context of this pronto-bundler audit gem since we aren't
+    #      necessarily altering the Gemfile.lock file within a PR at the time of
+    #      finding an issue in the Gemfile.lock file.
+    #   2. FIXME: Prevent a POST error due to an unknown file path in the
+    #      traditional Pull Request Review comment style.
+    class GithubPullRequestReviewFormatter
+      def submit_comments(client, comments)
+        client.publish_pull_request_comments(comments)
+      rescue Octokit::UnprocessableEntity, HTTParty::Error => e
+        # If Gemfile.lock doesn't exist in the PR, then attempt a non-review
+        # style comment instead (which doesn't attempt to reference a file
+        # path and line number).
+        begin
+          comments.each { |comment| client.create_pull_comment(comment) }
+        rescue Octokit::UnprocessableEntity, HTTParty::Error => e
+          $stderr.puts "Failed to post: #{e.message}"
+        end
+      end
+
+      def line_number(message, patches)
+        line = patches.find_line(message.full_path, message.line.new_lineno)
+        line&.position || message.line.new_lineno
+      end
+    end
+  end
+end

data/lib/pronto/bundler_audit.rb

@@ -1,43 +1,54 @@
 # frozen_string_literal: true
 
 require "pronto"
+
+# Pronto gem overrides (use sparingly):
+require "formatter/github_pull_request_review_formatter"
+
 require "bundler/audit/database"
 require "bundler/audit/scanner"
 
 module Pronto
-  # Pronto::BundlerAudit is a Pronto::Runner that:
-  # 1. Finds the most relevant patch (the last patch that contains a change to
-  #    Gemfile.lock)
-  # 2. Updates the Ruby Advisory Database
-  # 3. Runs bundle-audit to scan the Gemfile.lock
-  # 4. Returns an Array of Pronto::Message objects if any advisories are found
-  class BundlerAudit < Runner
+  # Pronto::BundlerAudit is a ::Pronto::Runner that:
+  # 1. Updates the Ruby Advisory Database,
+  # 2. Runs bundle-audit to scan the Gemfile.lock, and then
+  # 3. Returns an Array of ::Pronto::Message objects if any issues or advisories
+  #    are found.
+  class BundlerAudit < ::Pronto::Runner
     GEMFILE_LOCK_FILENAME = "Gemfile.lock"
 
-    # @return [Array] per Pronto expectation
+    def self.configuration
+      @configuration ||= Pronto::BundlerAudit::Configuration.new
+    end
+
+    # @return [Array<Pronto::Message>] one for each issue found
     def run
-      if (patch = find_relevant_patch)
-        auditor = Auditor.new(patch)
-        auditor.call
-      else
-        []
-      end
+      results = Auditor.call
+
+      Pronto::BundlerAudit::Results::ProntoMessagesAdapter.call(
+        results,
+        runner: self)
     end
 
-    private
+    # @return [Pathname] the absolute path to the current git repo / code.
+    def path
+      Pathname.new(File.expand_path("."))
+    end
 
-    def find_relevant_patch
-      @patches.to_a.reverse.detect { |patch|
-        patch.additions > 0 && relevant_patch_path?(patch)
-      }
+    def filename
+      GEMFILE_LOCK_FILENAME
     end
 
-    def relevant_patch_path?(patch)
-      patch_path = patch.new_file_full_path.to_s
-      patch_path.end_with?(GEMFILE_LOCK_FILENAME)
+    # Don't really need a commit SHA for Pronto's GitHubFormatter to work. Just
+    # need to return nil here, and in
+    # {Pronto::BundlerAudit::Results::ProntoMessagesAdapter::DeepLine#commit_sha}.
+    def commit_sha
+      nil
     end
   end
 end
 
+require "pronto/bundler_audit/configuration"
 require "pronto/bundler_audit/version"
 require "pronto/bundler_audit/auditor"
+require "pronto/bundler_audit/results/pronto_messages_adapter"

data/lib/pronto/bundler_audit/auditor.rb

@@ -5,14 +5,14 @@ require "pronto/bundler_audit/scanner"
 module Pronto
   class BundlerAudit
     # Pronto::BundlerAudit::Auditor:
-    # 1. updates the local ruby security database, and then
-    # 2. runs {Pronto::BundlerAudit::Scanner#call} on the given `patch`.
+    # 1. Updates the local ruby security database, and then
+    # 2. Runs {::Pronto::BundlerAudit::Scanner#call}.
     class Auditor
-      def initialize(patch)
-        @patch = patch
+      def self.call(*args)
+        new(*args).call
       end
 
-      # @return (see: #run_scan)
+      # @return (see: #run_scanner)
       def call
         update_ruby_advisory_db
         run_scanner
@@ -21,14 +21,14 @@ module Pronto
       private
 
       def update_ruby_advisory_db
-        Bundler::Audit::Database.update!(quiet: true)
+        ::Bundler::Audit::Database.update!(quiet: true)
       end
 
-      # @return [Array>] if no advisories were found
-      # @return [Array<Pronto::Message>] if advisories were found
+      # @return [Array<>] if no issues were found
+      # @return [Array<Pronto::BundlerAudit::Results::BaseResult>] if unpatched
+      #   gem sources or if advisories were found
       def run_scanner
-        scanner = Scanner.new(@patch)
-        scanner.call
+        Pronto::BundlerAudit::Scanner.call
       end
     end
   end

data/lib/pronto/bundler_audit/configuration.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Pronto
+  class BundlerAudit
+    # Pronto::BundlerAudit::Configuration loads configuration for the
+    # pronto-bundler_audit gem from the `.pronto-bundler_audit.yml` file and
+    # provides service methods for reading configuration settings.
+    class Configuration
+      def initialize(path: ".pronto-bundler_audit.yml")
+        @config_file_path = path
+      end
+
+      # @return [Array<Sring>] the Advisory Names for bundler_audit to ignore
+      def ignored_advisories
+        configuration.dig("Advisories", "Ignore")
+      end
+
+      private
+
+      def configuration
+        @configuration ||=
+          if File.exist?(@config_file_path)
+            YAML.load(configuration_file.read)
+          else
+            {}
+          end
+      end
+
+      def configuration_file
+        File.open(@config_file_path)
+      end
+    end
+  end
+end

data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Pronto
+  class BundlerAudit
+    module GemfileLock
+      # Pronto::BundlerAudit::GemfileLock::Scanner scans the given `path` for
+      # the given `gem_name` and returns an Integer representing the line number
+      # of the gem in the Gemfile.lock file.
+      class Scanner
+        def initialize(gem_name:, path: GEMFILE_LOCK_FILENAME)
+          unless File.exist?(path)
+            raise ArgumentError, "Gemfile.lock path not found"
+          end
+
+          @gem_name = gem_name
+          @path = path
+        end
+
+        def self.call(*args)
+          new(*args).call
+        end
+
+        def call
+          determine_relevant_line_number
+        end
+
+        private
+
+        # @return [Integer] the line number; or 0 if not found
+        def determine_relevant_line_number
+          line_number = 0
+
+          File.foreach(@path).with_index do |line, index|
+            next unless line.include?(@gem_name)
+
+            line_number = index.next
+            break
+          end
+
+          line_number
+        end
+      end
+    end
+  end
+end

data/lib/pronto/bundler_audit/results/base_result.rb

@@ -5,6 +5,10 @@ module Pronto
     module Results
       # Pronto::BundlerAudit::Results::BaseResult is an abstract base class for
       # the various Bundler::Audit::Scanner::* issue types.
+      #
+      # Note: These result objects act as a stand-in for ::Pronto::Message
+      # objects, which are later translated into actual ::Pronto::Message
+      # objects via {Pronto::BundlerAudit::MessagesAdapter}.
       class BaseResult
         def initialize(scan_result)
           @scan_result = scan_result
@@ -12,26 +16,17 @@ module Pronto
           @advisory = scan_result.advisory
         end
 
-        def call
-          report_result
-        end
-
-        private
-
-        def report_result
+        # @return [Symbol]
+        def level
           raise NotImplementedError
         end
 
-        def build_message(message, level:, line:)
-          Message.new(
-            GEMFILE_LOCK_FILENAME,
-            line,
-            level,
-            message,
-            nil,
-            Pronto::BundlerAudit)
+        # @return [Integer, NilClass]
+        def line
+          raise NotImplementedError
         end
 
+        # @return [String]
         def message
           raise NotImplementedError
         end

data/lib/pronto/bundler_audit/results/insecure_source.rb

@@ -5,18 +5,21 @@ require_relative "base_result"
 module Pronto
   class BundlerAudit
     module Results
-      # Pronto::BundlerAudit::Results::InsecureSource builds a Pronto::Message
-      # for Bundler::Audit::Scanner::InsecureSource issues.
+      # Pronto::BundlerAudit::Results::InsecureSource is a stand-in for the
+      # ::Pronto::Message object for ::Bundler::Audit::Scanner::InsecureSource
+      # issues.
       class InsecureSource < BaseResult
-        private
+        # @return [Symbol]
+        def level
+          :warning
+        end
 
-        def report_result
-          build_message(
-            message,
-            line: nil,
-            level: :warning)
+        # @return [NilClass]
+        def line
+          nil
         end
 
+        # @return [String]
         def message
           "Insecure Source URI found: #{@scan_result.source}"
         end

data/lib/pronto/bundler_audit/results/pronto_messages_adapter.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+module Pronto
+  class BundlerAudit
+    module Results
+      # Pronto::BundlerAudit::Results::ProntoMessagesAdapter is an adapter layer
+      # for converting {Pronto::BundlerAudit::BaseResult} objects into
+      # ::Pronto::Message objects for use by the Pronto gem when sending issue
+      # details to GitHub, etc.
+      class ProntoMessagesAdapter
+        def initialize(results, runner:)
+          @results = Array(results)
+          @runner = runner
+        end
+
+        def self.call(*args)
+          new(*args).call
+        end
+
+        def call
+          @results.map { |result|
+            ::Pronto::Message.new(
+              @runner.filename,
+              DeepLine.new(line_number: result.line, path: @runner.path),
+              result.level,
+              result.message,
+              @runner.commit_sha,
+              Pronto::BundlerAudit) # This gem's {Pronto::BundlerAudit} class.
+          }
+        end
+
+        # Pronto::BundlerAudit::Results::ProntoMessagesAdapter::DeepLine is a
+        # stand-in for ::Pronto::Git::Line object.
+        class DeepLine
+          attr_reader :line_number,
+                      :path
+
+          def initialize(line_number:, path:)
+            @line_number = line_number
+            @path = path
+          end
+
+          # Since we're not passing a commit SHA into ::Pronto::Message.new,
+          # Pronto will try calling #commit_sha on the (this) Line object.
+          def commit_sha
+            nil
+          end
+
+          def line
+            self
+          end
+
+          alias_method :new_lineno, :line_number
+          alias_method :repo, :itself
+          alias_method :patch, :itself
+        end
+      end
+    end
+  end
+end

data/lib/pronto/bundler_audit/results/unpatched_gem.rb

@@ -1,46 +1,44 @@
 # frozen_string_literal: true
 
 require_relative "base_result"
-require "pronto/bundler_audit/advisory_formatters/verbose"
 require "pronto/bundler_audit/advisory_formatters/compact"
+require "pronto/bundler_audit/advisory_formatters/verbose"
+require "pronto/bundler_audit/gemfile_lock/scanner"
 
 module Pronto
   class BundlerAudit
     module Results
-      # Pronto::BundlerAudit::Results::UnpatchedGem builds a Pronto::Message for
-      # Bundler::Audit::Scanner::UnpatchedGem issues.
+      # Pronto::BundlerAudit::Results::UnpatchedGem is a stand-in for the
+      # ::Pronto::Message object for ::Bundler::Audit::Scanner::UnpatchedGem
+      # issues.
       class UnpatchedGem < BaseResult
-        def initialize(scan_result, patch:)
-          super(scan_result)
-          @patch = patch
+        # @return [Symbol]
+        def level
+          :error
         end
 
-        private
-
-        def report_result
-          build_message(
-            message,
-            level: :error,
-            line: find_relevant_line)
+        # @return [Integer]
+        def line
+          find_relevant_line_number
         end
 
-        # @return [Pronto::Git::Line]
-        def find_relevant_line
-          first_added_line_for_affected_gem_name(@gem.name)
+        # @return [String]
+        def message
+          advisory_formatter.to_s
         end
 
-        # @return [Pronto::Git::Line]
-        def first_added_line_for_affected_gem_name(gem_name)
-          @patch.added_lines.detect { |line| line.content.include?(gem_name) }
-        end
+        private
 
-        def message
-          advisory_formatter.to_s
+        # @return [Integer]
+        def find_relevant_line_number
+          Pronto::BundlerAudit::GemfileLock::Scanner.call(gem_name: @gem.name)
         end
 
         def advisory_formatter
           # TODO: Switch type based on configuration options, once available.
-          AdvisoryFormatters::Verbose.new(gem: @gem, advisory: @advisory)
+          Pronto::BundlerAudit::AdvisoryFormatters::Verbose.new(
+            gem: @gem,
+            advisory: @advisory)
         end
       end
     end

data/lib/pronto/bundler_audit/scanner.rb

@@ -2,41 +2,65 @@
 
 require_relative "results/insecure_source"
 require_relative "results/unpatched_gem"
+require "yaml"
 
 module Pronto
   class BundlerAudit
-    # Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan on
-    # the given patch and then calls a {Pronto::BundlerAudit::BaseResult} based
-    # for each scan result.
+    # Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan and
+    # then instantiates and calls an appropriate
+    # {Pronto::BundlerAudit::BaseResult} object for the given scan result type.
     class Scanner
-      def initialize(patch)
-        @patch = patch
+      def self.call(*args)
+        new(*args).call
       end
 
-      # @return [Array>] if no advisories were found
-      # @return [Array<Pronto::Message>] if advisories were found)
+      # @return [Array<>] if no issues were found
+      # @return [Array<Pronto::BundlerAudit::Results::BaseResult>] if unpatched
+      #   gem sources or if advisories were found
       def call
         run_scan
       end
 
       private
 
+      # @return [Array<>] if no issues were found
+      # @return [Array<Pronto::BundlerAudit::Results::BaseResult>]
       def run_scan
         run_scanner.map do |scan_result|
-          match_result(scan_result).call
+          match_result(scan_result)
         end
       end
 
-      def run_scanner
-        Bundler::Audit::Scanner.new.scan
+      # Invoke the 3rd-party bundler-audit Gem.
+      #
+      # @param ignore_advisories [Array<String>] the advisories to be ignored
+      #   by the bundler_audit scan
+      #
+      # @return [Array] if insecure sources are found or if gems with an
+      #   advisory are found, the Array will contain
+      #   ::Bundler::Audit::Scanner::InsecureSource
+      #   or ::Bundler::Audit::Scanner::UnpatchedGem objects, respectively.
+      #     - Bundler::Audit::Scanner::InsecureSource = Struct.new(:source)
+      #     - Bundler::Audit::Scanner::UnpatchedGem = Struct.new(:gem, :advisory)
+      def run_scanner(
+            ignored_advisories:
+              Pronto::BundlerAudit.configuration.ignored_advisories)
+        ::Bundler::Audit::Scanner.new.scan(ignore: ignored_advisories)
       end
 
+      # Convert the passed in `scan_result` class/value into a local Results::*
+      # class/value.
+      #
+      # @param scan_result [::Bundler::Audit::Scanner::*] from the bundler-audit
+      #   Gem
+      #
+      # @return [Pronto::BundlerAudit::Results::BaseResult]
       def match_result(scan_result)
         case scan_result
-        when Bundler::Audit::Scanner::InsecureSource
-          Results::InsecureSource.new(scan_result, patch: @patch)
-        when Bundler::Audit::Scanner::UnpatchedGem
-          Results::UnpatchedGem.new(scan_result, patch: @patch)
+        when ::Bundler::Audit::Results::InsecureSource
+          Pronto::BundlerAudit::Results::InsecureSource.new(scan_result)
+        when ::Bundler::Audit::Results::UnpatchedGem
+          Pronto::BundlerAudit::Results::UnpatchedGem.new(scan_result)
         else
           raise ArgumentError, "Unexpected type: #{scan_result.class}"
         end

data/lib/pronto/bundler_audit/version.rb

@@ -3,6 +3,6 @@
 module Pronto
   # Pronto::BundlerAuditVersion
   module BundlerAuditVersion
-    VERSION = "0.3.0"
+    VERSION = "0.7.0"
   end
 end

data/pronto-bundler_audit.gemspec

@@ -27,8 +27,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency "bundler-audit", "~> 0"
-  spec.add_runtime_dependency "pronto", "~> 0"
+  spec.add_runtime_dependency "bundler-audit", "~> 0.8"
+  spec.add_runtime_dependency "pronto", "~> 0.11"
 
   spec.add_development_dependency "bundler", "~> 2"
   spec.add_development_dependency "byebug", "~> 11"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pronto-bundler_audit
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Paul Dobbins
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-05-03 00:00:00.000000000 Z
+date: 2021-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.8'
 - !ruby/object:Gem::Dependency
   name: pronto
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.11'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.11'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -203,15 +203,21 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- images/ci-output.png
 - images/github-check.png
-- images/github-comment.png
+- images/github-comment-compact.png
+- images/github-comment-verbose.png
+- lib/formatter/github_pull_request_review_formatter.rb
 - lib/pronto/bundler_audit.rb
 - lib/pronto/bundler_audit/advisory_formatters/base_advisory_formatter.rb
 - lib/pronto/bundler_audit/advisory_formatters/compact.rb
 - lib/pronto/bundler_audit/advisory_formatters/verbose.rb
 - lib/pronto/bundler_audit/auditor.rb
+- lib/pronto/bundler_audit/configuration.rb
+- lib/pronto/bundler_audit/gemfile_lock/scanner.rb
 - lib/pronto/bundler_audit/results/base_result.rb
 - lib/pronto/bundler_audit/results/insecure_source.rb
+- lib/pronto/bundler_audit/results/pronto_messages_adapter.rb
 - lib/pronto/bundler_audit/results/unpatched_gem.rb
 - lib/pronto/bundler_audit/scanner.rb
 - lib/pronto/bundler_audit/version.rb
@@ -235,7 +241,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: Pronto runner for bundler-audit, patch-level verification for bundler.