pronto-bundler_audit 0.6.0 → 0.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/Gemfile.lock +32 -21
- data/README.md +7 -0
- data/lib/formatter/github_pull_request_review_formatter.rb +1 -1
- data/lib/pronto/bundler_audit.rb +3 -1
- data/lib/pronto/bundler_audit/auditor.rb +2 -2
- data/lib/pronto/bundler_audit/results/pronto_messages_adapter.rb +4 -0
- data/lib/pronto/bundler_audit/results/unpatched_gem.rb +3 -1
- data/lib/pronto/bundler_audit/scanner.rb +4 -4
- data/lib/pronto/bundler_audit/version.rb +1 -1
- data/pronto-bundler_audit.gemspec +2 -2
- metadata +7 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8112a836fbdf9cfbedc584f8a6f6546da622fea402df4be5e6a21b883504377e
|
4
|
+
data.tar.gz: 1e2c2c4e8144bc9c1dbc8d2c84887a0419d95570e357b92054ff73400517c095
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c92d25f870b348a78b3f52f16d4fd839b14c4f96a10ad59f803a27a4891160c6249ed397a7d28ce52068bf01be4c609f85a8e106710c97ab9fd10aa096455c4d
|
7
|
+
data.tar.gz: 9e12deff351a41433d0386567c46e3240a06ca71ccc7eb588ff15b95916be62221678705255619b906f1c7272c4e54f832cad10a1d7e9eb44903ded29fe885c1
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,15 @@
|
|
1
|
+
### 0.7.0 - 2021-04-29
|
2
|
+
- [#11](https://github.com/pdobb/pronto-bundler_audit/pull/11)
|
3
|
+
- Attempted Fix for `NoMethodError: undefined method 'line' for #<Pronto::BundlerAudit::Results::ProntoMessagesAdapter::DeepLine...>`
|
4
|
+
- [#10](https://github.com/pdobb/pronto-bundler_audit/pull/10) Pronto 0.11.0 compatibility
|
5
|
+
- Fix Pronto -> GitHub call :publish_pull_request_comments instead of :create_pull_request_review
|
6
|
+
|
7
|
+
#### NOTE:
|
8
|
+
This version requires pronto 0.11+ and bundler-audit 0.8+. Use v0.6.0 if you cannot update pronto and bundler-audit at this time.
|
9
|
+
|
10
|
+
### 0.6.1 - 2021-04-08
|
11
|
+
- Unreleased... see 0.7.0 instead.
|
12
|
+
|
1
13
|
### 0.6.0 - 2019-11-30
|
2
14
|
- [#7](https://github.com/pdobb/pronto-bundler_audit/pull/7) Add configurability via .pronto-bundler_audit.yml file
|
3
15
|
- For now, the only configuration available is ignoring advisories in the bundler_audit scan. See the [README](https://github.com/pdobb/pronto-bundler_audit#configuration).
|
data/Gemfile.lock
CHANGED
@@ -1,9 +1,9 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
pronto-bundler_audit (0.
|
5
|
-
bundler-audit (~> 0)
|
6
|
-
pronto (~> 0)
|
4
|
+
pronto-bundler_audit (0.7.0)
|
5
|
+
bundler-audit (~> 0.8)
|
6
|
+
pronto (~> 0.11)
|
7
7
|
|
8
8
|
GEM
|
9
9
|
remote: https://rubygems.org/
|
@@ -13,26 +13,33 @@ GEM
|
|
13
13
|
ansi (1.5.0)
|
14
14
|
ast (2.4.0)
|
15
15
|
builder (3.2.3)
|
16
|
-
bundler-audit (0.
|
16
|
+
bundler-audit (0.8.0)
|
17
17
|
bundler (>= 1.2.0, < 3)
|
18
|
-
thor (~> 0
|
18
|
+
thor (~> 1.0)
|
19
19
|
byebug (11.0.1)
|
20
20
|
coderay (1.1.2)
|
21
21
|
docile (1.3.2)
|
22
|
-
faraday (
|
22
|
+
faraday (1.4.1)
|
23
|
+
faraday-excon (~> 1.1)
|
24
|
+
faraday-net_http (~> 1.0)
|
25
|
+
faraday-net_http_persistent (~> 1.1)
|
23
26
|
multipart-post (>= 1.2, < 3)
|
24
|
-
|
25
|
-
|
27
|
+
ruby2_keywords (>= 0.0.4)
|
28
|
+
faraday-excon (1.1.0)
|
29
|
+
faraday-net_http (1.0.1)
|
30
|
+
faraday-net_http_persistent (1.1.0)
|
31
|
+
gitlab (4.17.0)
|
32
|
+
httparty (~> 0.18)
|
26
33
|
terminal-table (~> 1.5, >= 1.5.1)
|
27
|
-
httparty (0.
|
34
|
+
httparty (0.18.1)
|
28
35
|
mime-types (~> 3.0)
|
29
36
|
multi_xml (>= 0.5.2)
|
30
37
|
jaro_winkler (1.5.3)
|
31
|
-
json (2.
|
38
|
+
json (2.3.1)
|
32
39
|
method_source (0.9.2)
|
33
|
-
mime-types (3.3)
|
40
|
+
mime-types (3.3.1)
|
34
41
|
mime-types-data (~> 3.2015)
|
35
|
-
mime-types-data (3.
|
42
|
+
mime-types-data (3.2021.0225)
|
36
43
|
minitest (5.11.3)
|
37
44
|
minitest-reporters (1.3.6)
|
38
45
|
ansi
|
@@ -42,27 +49,30 @@ GEM
|
|
42
49
|
much-stub (0.1.1)
|
43
50
|
multi_xml (0.6.0)
|
44
51
|
multipart-post (2.1.1)
|
45
|
-
octokit (4.
|
52
|
+
octokit (4.21.0)
|
53
|
+
faraday (>= 0.9)
|
46
54
|
sawyer (~> 0.8.0, >= 0.5.3)
|
47
55
|
parallel (1.17.0)
|
48
56
|
parser (2.6.3.0)
|
49
57
|
ast (~> 2.4.0)
|
50
|
-
pronto (0.
|
51
|
-
gitlab (~> 4.
|
58
|
+
pronto (0.11.0)
|
59
|
+
gitlab (~> 4.4, >= 4.4.0)
|
52
60
|
httparty (>= 0.13.7)
|
53
61
|
octokit (~> 4.7, >= 4.7.0)
|
54
62
|
rainbow (>= 2.2, < 4.0)
|
55
|
-
|
56
|
-
|
63
|
+
rexml (~> 3.2)
|
64
|
+
rugged (>= 0.23.0, < 1.1.0)
|
65
|
+
thor (>= 0.20.3, < 2.0)
|
57
66
|
pry (0.12.2)
|
58
67
|
coderay (~> 1.1.0)
|
59
68
|
method_source (~> 0.9.0)
|
60
69
|
pry-byebug (3.7.0)
|
61
70
|
byebug (~> 11.0)
|
62
71
|
pry (~> 0.10)
|
63
|
-
public_suffix (4.0.
|
72
|
+
public_suffix (4.0.6)
|
64
73
|
rainbow (3.0.0)
|
65
74
|
rake (12.3.3)
|
75
|
+
rexml (3.2.5)
|
66
76
|
rubocop (0.73.0)
|
67
77
|
jaro_winkler (~> 1.5.1)
|
68
78
|
parallel (~> 1.10)
|
@@ -71,7 +81,8 @@ GEM
|
|
71
81
|
ruby-progressbar (~> 1.7)
|
72
82
|
unicode-display_width (>= 1.4.0, < 1.7)
|
73
83
|
ruby-progressbar (1.10.1)
|
74
|
-
|
84
|
+
ruby2_keywords (0.0.4)
|
85
|
+
rugged (1.0.1)
|
75
86
|
sawyer (0.8.2)
|
76
87
|
addressable (>= 2.3.5)
|
77
88
|
faraday (> 0.8, < 2.0)
|
@@ -82,7 +93,7 @@ GEM
|
|
82
93
|
simplecov-html (0.10.2)
|
83
94
|
terminal-table (1.8.0)
|
84
95
|
unicode-display_width (~> 1.1, >= 1.1.1)
|
85
|
-
thor (
|
96
|
+
thor (1.1.0)
|
86
97
|
unicode-display_width (1.6.0)
|
87
98
|
|
88
99
|
PLATFORMS
|
@@ -102,4 +113,4 @@ DEPENDENCIES
|
|
102
113
|
simplecov (~> 0.16)
|
103
114
|
|
104
115
|
BUNDLED WITH
|
105
|
-
2.
|
116
|
+
2.2.16
|
data/README.md
CHANGED
@@ -1,3 +1,8 @@
|
|
1
|
+
# Maintainer needed
|
2
|
+
|
3
|
+
Unfortunately, I (@pdobb) am no longer working on any projects and, therefore, don't have a good way to test fixes. There are probably numerous fixes needed right now as pronto 0.11.0 has been recently released and since there is no proper API for using pronto's internals, each update to pronto will likely mean breaking changes in gems such as this one. But, probably... especially this one. This gem attempts to do something that pronto isn't made for: examine code from a file that isn't necessarily contained within the diff that pronto is analyzing. Most of pronto-bundler_audit is attempting to solve this problem by overriding the pronto API with custom adapter objects standing in for Pronto-native object.
|
4
|
+
|
5
|
+
|
1
6
|
[](https://badge.fury.io/rb/pronto-bundler_audit)
|
2
7
|
[](https://travis-ci.org/pdobb/pronto-bundler_audit)
|
3
8
|
[](https://codeclimate.com/github/pdobb/pronto-bundler_audit/maintainability)
|
@@ -31,6 +36,8 @@ Tested MRI Ruby Versions:
|
|
31
36
|
* 2.6
|
32
37
|
* edge
|
33
38
|
|
39
|
+
NOTE: pronto-bundler_audit v0.7.0 requires pronto v0.11+ and bundler-audit v0.8+. Use pronto-bundler_audit v0.6.0 if you cannot update pronto and bundler-audit at this time.
|
40
|
+
|
34
41
|
## Usage
|
35
42
|
|
36
43
|
Once installed as a gem, this runner activates automatically when [running Pronto](https://github.com/prontolabs/pronto#usage) -- no configuration is required.
|
@@ -15,7 +15,7 @@ module Pronto
|
|
15
15
|
# traditional Pull Request Review comment style.
|
16
16
|
class GithubPullRequestReviewFormatter
|
17
17
|
def submit_comments(client, comments)
|
18
|
-
client.
|
18
|
+
client.publish_pull_request_comments(comments)
|
19
19
|
rescue Octokit::UnprocessableEntity, HTTParty::Error => e
|
20
20
|
# If Gemfile.lock doesn't exist in the PR, then attempt a non-review
|
21
21
|
# style comment instead (which doesn't attempt to reference a file
|
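Review bot: The new `client.publish_pull_request_comments(comments)` call on line 18 targets a pronto-internal client method that this release's CHANGELOG records as having replaced `create_pull_request_review`, yet nothing in the code says which pronto version it is written against. Since the README in this same version states that pronto exposes no stable API for these internals, a one-line comment above the call would save the next maintainer a bisect when it breaks again: `# client#publish_pull_request_comments replaced #create_pull_request_review in pronto 0.11 (see CHANGELOG 0.7.0).` The rescue fallback that follows continues outside the hunk, so I cannot tell whether the same rename also affects that path.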
data/lib/pronto/bundler_audit.rb
CHANGED
@@ -25,7 +25,9 @@ module Pronto
|
|
25
25
|
def run
|
26
26
|
results = Auditor.call
|
27
27
|
|
28
|
-
Results::ProntoMessagesAdapter.call(
|
28
|
+
Pronto::BundlerAudit::Results::ProntoMessagesAdapter.call(
|
29
|
+
results,
|
30
|
+
runner: self)
|
29
31
|
end
|
30
32
|
|
31
33
|
# @return [Pathname] the absolute path to the current git repo / code.
|
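Review bot: The switch from `Results::ProntoMessagesAdapter` to the fully qualified `Pronto::BundlerAudit::Results::ProntoMessagesAdapter` on line 28 reads as a deliberate disambiguation — the `scanner.rb` hunk below resolves both `::Bundler::Audit::Results::UnpatchedGem` and `Pronto::BundlerAudit::Results::UnpatchedGem` in one `case`, so a bare `Results` is genuinely ambiguous to a reader even where Ruby's lexical lookup happens to pick the right one — but the code does not record that motive, and a future cleanup could shorten the names back. A one-line comment at the first such site would pin it: `# Fully qualified on purpose: a Results module also exists under ::Bundler::Audit.` The same pattern appears in the `auditor.rb` (`run_scanner`), `unpatched_gem.rb` (`advisory_formatter`) and `scanner.rb` (`match_result`) hunks below. The `runner: self` keyword added on line 30 is new to the adapter's call interface, and the adapter side (`pronto_messages_adapter.rb`, +4) is not shown here, so I can only note that caller and adapter must agree on that keyword.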
@@ -21,14 +21,14 @@ module Pronto
|
|
21
21
|
private
|
22
22
|
|
23
23
|
def update_ruby_advisory_db
|
24
|
-
Bundler::Audit::Database.update!(quiet: true)
|
24
|
+
::Bundler::Audit::Database.update!(quiet: true)
|
25
25
|
end
|
26
26
|
|
27
27
|
# @return [Array<>] if no issues were found
|
28
28
|
# @return [Array<Pronto::BundlerAudit::Results::BaseResult>] if unpatched
|
29
29
|
# gem sources or if advisories were found
|
30
30
|
def run_scanner
|
31
|
-
Scanner.call
|
31
|
+
Pronto::BundlerAudit::Scanner.call
|
32
32
|
end
|
33
33
|
end
|
34
34
|
end
|
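Review bot: `update_ruby_advisory_db` on line 24 discards the return value of `::Bundler::Audit::Database.update!(quiet: true)`; to my reading of bundler-audit, `update!` reports a failed or skipped `git` update through a falsy return rather than an exception, so with `quiet: true` an offline or git-less CI run refreshes nothing and the scan that follows silently runs against whatever local advisory database is already present. A stale database means newer advisories go unreported, which is the one failure mode an audit runner should not hide. Capturing the result and surfacing it is two lines: `updated = ::Bundler::Audit::Database.update!(quiet: true)` followed by `warn "pronto-bundler_audit: ruby-advisory-db update failed; scanning with the existing local database" unless updated`. The class this method belongs to, and the call site that invokes it, start outside the hunk.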
@@ -36,7 +36,9 @@ module Pronto
|
|
36
36
|
|
37
37
|
def advisory_formatter
|
38
38
|
# TODO: Switch type based on configuration options, once available.
|
39
|
-
AdvisoryFormatters::Verbose.new(
|
39
|
+
Pronto::BundlerAudit::AdvisoryFormatters::Verbose.new(
|
40
|
+
gem: @gem,
|
41
|
+
advisory: @advisory)
|
40
42
|
end
|
41
43
|
end
|
42
44
|
end
|
@@ -57,10 +57,10 @@ module Pronto
|
|
57
57
|
# @return [Pronto::BundlerAudit::Results::BaseResult]
|
58
58
|
def match_result(scan_result)
|
59
59
|
case scan_result
|
60
|
-
when ::Bundler::Audit::
|
61
|
-
Results::InsecureSource.new(scan_result)
|
62
|
-
when ::Bundler::Audit::
|
63
|
-
Results::UnpatchedGem.new(scan_result)
|
60
|
+
when ::Bundler::Audit::Results::InsecureSource
|
61
|
+
Pronto::BundlerAudit::Results::InsecureSource.new(scan_result)
|
62
|
+
when ::Bundler::Audit::Results::UnpatchedGem
|
63
|
+
Pronto::BundlerAudit::Results::UnpatchedGem.new(scan_result)
|
64
64
|
else
|
65
65
|
raise ArgumentError, "Unexpected type: #{scan_result.class}"
|
66
66
|
end
|
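Review bot: The YARD header at line 57 documents only `@return [Pronto::BundlerAudit::Results::BaseResult]`, while the `else` branch on line 65 raises `ArgumentError` for any object that is not one of the two bundler-audit result types matched on lines 60 and 62; raising on an unknown result class is the right choice, but the contract should say so. Add `# @raise [ArgumentError] if scan_result is not a ::Bundler::Audit::Results type` beneath the `@return` line. The `when` clauses name concrete bundler-audit 0.8 result classes, which is presumably why the gemspec in this release moves to `~> 0.8`; a short comment recording that coupling would help whoever upgrades bundler-audit next.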
@@ -27,8 +27,8 @@ Gem::Specification.new do |spec|
|
|
27
27
|
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
28
28
|
spec.require_paths = ["lib"]
|
29
29
|
|
30
|
-
spec.add_runtime_dependency "bundler-audit", "~> 0"
|
31
|
-
spec.add_runtime_dependency "pronto", "~> 0"
|
30
|
+
spec.add_runtime_dependency "bundler-audit", "~> 0.8"
|
31
|
+
spec.add_runtime_dependency "pronto", "~> 0.11"
|
32
32
|
|
33
33
|
spec.add_development_dependency "bundler", "~> 2"
|
34
34
|
spec.add_development_dependency "byebug", "~> 11"
|
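Review bot: The new constraint `"pronto", "~> 0.11"` on line 31 admits every 0.x release from 0.11 up to but excluding 1.0, while the README added in this same version states that each pronto update will likely mean breaking changes for this gem because it relies on pronto internals with no stable API; the two statements are hard to reconcile. If that assessment is right, `spec.add_runtime_dependency "pronto", "~> 0.11.0"` matches the code's actual compatibility and leaves widening the range to a deliberate release rather than to whatever pronto publishes next. The same consideration applies, less sharply, to `"bundler-audit", "~> 0.8"`, since `scanner.rb` matches concrete `::Bundler::Audit::Results` classes.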
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: pronto-bundler_audit
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.7.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Paul Dobbins
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-04-30 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler-audit
|
@@ -16,28 +16,28 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - "~>"
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: '0'
|
19
|
+
version: '0.8'
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - "~>"
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: '0'
|
26
|
+
version: '0.8'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: pronto
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: '0'
|
33
|
+
version: '0.11'
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: '0'
|
40
|
+
version: '0.11'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: bundler
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -241,7 +241,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
241
241
|
- !ruby/object:Gem::Version
|
242
242
|
version: '0'
|
243
243
|
requirements: []
|
244
|
-
rubygems_version: 3.0.
|
244
|
+
rubygems_version: 3.0.3.1
|
245
245
|
signing_key:
|
246
246
|
specification_version: 4
|
247
247
|
summary: Pronto runner for bundler-audit, patch-level verification for bundler.
|