pronto-bundler_audit 0.3.0 → 0.4.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/Gemfile.lock +2 -2
- data/README.md +2 -0
- data/lib/pronto/bundler_audit/auditor.rb +2 -6
- data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb +74 -0
- data/lib/pronto/bundler_audit/results/unpatched_gem.rb +4 -13
- data/lib/pronto/bundler_audit/scanner.rb +5 -9
- data/lib/pronto/bundler_audit/version.rb +1 -1
- data/lib/pronto/bundler_audit.rb +7 -25
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a6825b92770d5ec83054e365afe320ac8e201654cb1e7e8ca47df3fea622f7fc
|
4
|
+
data.tar.gz: 1446e4bac285ab84f8c415c010fdc4b0308ad1e8440ae3970f74e3c28dcb2cdf
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 152d482b50806dcdc06f09e6129d0babda3598ab0b5de38b3ef4d9704dc4d67db4c9b242d4ad5218fa3c246bad881d0769c150ed593aaee4c9d8229a78581c53
|
7
|
+
data.tar.gz: 3876b7d38f7cc58086f1fa82c21ca9bd1572797dbf64165fd234fa53d1a1fc952f89b614317803683effbfa23b1c33021c0a5c69b029ec83a62f507d5669984d
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,6 @@
|
|
1
|
+
### 0.4.0 - 2019-05-08
|
2
|
+
- Remove patch-level processing... just always scan Gemfile.lock when this runner is invoked.
|
3
|
+
|
1
4
|
### 0.3.0 - 2019-05-03
|
2
5
|
- Internal rewrite into smaller objects with full test coverage
|
3
6
|
- Switch to using the verbose advisory formatter by default
|
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
pronto-bundler_audit (0.
|
4
|
+
pronto-bundler_audit (0.4.0)
|
5
5
|
bundler-audit (~> 0)
|
6
6
|
pronto (~> 0)
|
7
7
|
|
@@ -39,7 +39,7 @@ GEM
|
|
39
39
|
builder
|
40
40
|
minitest (>= 5.0)
|
41
41
|
ruby-progressbar
|
42
|
-
much-stub (0.1.
|
42
|
+
much-stub (0.1.1)
|
43
43
|
multi_xml (0.6.0)
|
44
44
|
multipart-post (2.0.0)
|
45
45
|
octokit (4.14.0)
|
data/README.md
CHANGED
@@ -36,6 +36,8 @@ Tested MRI Ruby Versions:
|
|
36
36
|
|
37
37
|
Once installed as a gem, this runner activate automatically when [running Pronto](https://github.com/prontolabs/pronto#usage) -- no configuration is required.
|
38
38
|
|
39
|
+
Note: Unlike most Pronto runners, pronto-bundler_audit will always scan Gemfile.lock whenever Pronto is run. That is, this runner does not only run against patches/diffs made on Gemfile.lock. The point is to find issues/advisories on every Pronto run, not just when Gemfile.lock has been updated. Because that wouldn't really help us find vulnerabilities in a project's gems in a timely fashion.
|
40
|
+
|
39
41
|
### Examples
|
40
42
|
|
41
43
|
#### Local Pronto Run
|
@@ -6,12 +6,8 @@ module Pronto
|
|
6
6
|
class BundlerAudit
|
7
7
|
# Pronto::BundlerAudit::Auditor:
|
8
8
|
# 1. updates the local ruby security database, and then
|
9
|
-
# 2. runs {Pronto::BundlerAudit::Scanner#call}
|
9
|
+
# 2. runs {Pronto::BundlerAudit::Scanner#call}.
|
10
10
|
class Auditor
|
11
|
-
def initialize(patch)
|
12
|
-
@patch = patch
|
13
|
-
end
|
14
|
-
|
15
11
|
# @return (see: #run_scan)
|
16
12
|
def call
|
17
13
|
update_ruby_advisory_db
|
@@ -27,7 +23,7 @@ module Pronto
|
|
27
23
|
# @return [Array>] if no advisories were found
|
28
24
|
# @return [Array<Pronto::Message>] if advisories were found
|
29
25
|
def run_scanner
|
30
|
-
scanner = Scanner.new
|
26
|
+
scanner = Scanner.new
|
31
27
|
scanner.call
|
32
28
|
end
|
33
29
|
end
|
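--- a/data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb
+++ b/data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb
@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module Pronto
+  class BundlerAudit
+    module GemfileLock
+      # Pronto::BundlerAudit::GemfileLock::Scanner scans the given `path` for
+      # the given `gem_name` and returns a `Pronto::Git::Line` with relevant
+      # info (supplied by Pronto::Git::Line and Pronto::Git::Patch stand-in
+      # objects).
+      #
+      # We use stand-in objects because we don't have or need an actual
+      # Pronto::Git::Line object. This is not a normal situation, but, for this
+      # gem, we're not worried about specific details from git patches.
+      # Instead, we just always scan the Gemfile.lock file for bundler_audit
+      # issues/advisories.
+      class Scanner
+        def initialize(gem_name:, path: GEMFILE_LOCK_FILENAME)
+          unless File.exist?(path)
+            raise ArgumentError, "Gemfile.lock path not found"
+          end
+
+          @gem_name = gem_name
+          @path = path
+        end
+
+        def call
+          find_relevant_line
+        end
+
+        private
+
+        # @return [Pronto::Git::Line]
+        def find_relevant_line
+          return unless (found_line_number = determine_line_number)
+
+          build_pronto_git_line(found_line_number)
+        end
+
+        def determine_line_number
+          File.foreach(@path).with_index do |line, index|
+            break index.next if line.include?(@gem_name)
+          end
+        end
+
+        # @return [Pronto::Git::Line]
+        def build_pronto_git_line(line_number)
+          ::Pronto::Git::Line.new(
+            Line.new(line_number),
+            Patch.new)
+        end
+
+        # Pronto::BundlerAudit::GemfileLock::Scanner::Line is a stand-in for
+        # the Pronto::Git::Line object.
+        class Line
+          def initialize(line_number)
+            @line_number = line_number
+          end
+
+          def new_lineno
+            @line_number
+          end
+        end
+
+        # Pronto::BundlerAudit::GemfileLock::Scanner::Patch is a stand-in for
+        # the Pronto::Git::Patch object.
+        class Patch
+          def blame(*)
+            nil
+          end
+        end
+      end
+    end
+  end
+end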
@@ -1,8 +1,9 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require_relative "base_result"
|
4
|
-
require "pronto/bundler_audit/advisory_formatters/verbose"
|
5
4
|
require "pronto/bundler_audit/advisory_formatters/compact"
|
5
|
+
require "pronto/bundler_audit/advisory_formatters/verbose"
|
6
|
+
require "pronto/bundler_audit/gemfile_lock/scanner"
|
6
7
|
|
7
8
|
module Pronto
|
8
9
|
class BundlerAudit
|
@@ -10,11 +11,6 @@ module Pronto
|
|
10
11
|
# Pronto::BundlerAudit::Results::UnpatchedGem builds a Pronto::Message for
|
11
12
|
# Bundler::Audit::Scanner::UnpatchedGem issues.
|
12
13
|
class UnpatchedGem < BaseResult
|
13
|
-
def initialize(scan_result, patch:)
|
14
|
-
super(scan_result)
|
15
|
-
@patch = patch
|
16
|
-
end
|
17
|
-
|
18
14
|
private
|
19
15
|
|
20
16
|
def report_result
|
@@ -24,14 +20,9 @@ module Pronto
|
|
24
20
|
line: find_relevant_line)
|
25
21
|
end
|
26
22
|
|
27
|
-
# @return [Pronto::Git::Line]
|
28
23
|
def find_relevant_line
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
# @return [Pronto::Git::Line]
|
33
|
-
def first_added_line_for_affected_gem_name(gem_name)
|
34
|
-
@patch.added_lines.detect { |line| line.content.include?(gem_name) }
|
24
|
+
scanner = GemfileLock::Scanner.new(gem_name: @gem.name)
|
25
|
+
scanner.call
|
35
26
|
end
|
36
27
|
|
37
28
|
def message
|
@@ -5,14 +5,10 @@ require_relative "results/unpatched_gem"
|
|
5
5
|
|
6
6
|
module Pronto
|
7
7
|
class BundlerAudit
|
8
|
-
# Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan
|
9
|
-
#
|
10
|
-
#
|
8
|
+
# Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan and
|
9
|
+
# then calls a {Pronto::BundlerAudit::BaseResult} based for each scan
|
10
|
+
# result.
|
11
11
|
class Scanner
|
12
|
-
def initialize(patch)
|
13
|
-
@patch = patch
|
14
|
-
end
|
15
|
-
|
16
12
|
# @return [Array>] if no advisories were found
|
17
13
|
# @return [Array<Pronto::Message>] if advisories were found)
|
18
14
|
def call
|
@@ -34,9 +30,9 @@ module Pronto
|
|
34
30
|
def match_result(scan_result)
|
35
31
|
case scan_result
|
36
32
|
when Bundler::Audit::Scanner::InsecureSource
|
37
|
-
Results::InsecureSource.new(scan_result
|
33
|
+
Results::InsecureSource.new(scan_result)
|
38
34
|
when Bundler::Audit::Scanner::UnpatchedGem
|
39
|
-
Results::UnpatchedGem.new(scan_result
|
35
|
+
Results::UnpatchedGem.new(scan_result)
|
40
36
|
else
|
41
37
|
raise ArgumentError, "Unexpected type: #{scan_result.class}"
|
42
38
|
end
|
data/lib/pronto/bundler_audit.rb
CHANGED
@@ -6,35 +6,17 @@ require "bundler/audit/scanner"
|
|
6
6
|
|
7
7
|
module Pronto
|
8
8
|
# Pronto::BundlerAudit is a Pronto::Runner that:
|
9
|
-
# 1.
|
10
|
-
#
|
11
|
-
#
|
12
|
-
#
|
13
|
-
# 4. Returns an Array of Pronto::Message objects if any advisories are found
|
9
|
+
# 1. Updates the Ruby Advisory Database,
|
10
|
+
# 2. Runs bundle-audit to scan the Gemfile.lock, and then
|
11
|
+
# 4. Returns an Array of Pronto::Message objects if any issues or advisories
|
12
|
+
# are found.
|
14
13
|
class BundlerAudit < Runner
|
15
14
|
GEMFILE_LOCK_FILENAME = "Gemfile.lock"
|
16
15
|
|
17
|
-
# @return [Array] per Pronto expectation
|
16
|
+
# @return [Array<Pronto::Message>] per Pronto expectation
|
18
17
|
def run
|
19
|
-
|
20
|
-
|
21
|
-
auditor.call
|
22
|
-
else
|
23
|
-
[]
|
24
|
-
end
|
25
|
-
end
|
26
|
-
|
27
|
-
private
|
28
|
-
|
29
|
-
def find_relevant_patch
|
30
|
-
@patches.to_a.reverse.detect { |patch|
|
31
|
-
patch.additions > 0 && relevant_patch_path?(patch)
|
32
|
-
}
|
33
|
-
end
|
34
|
-
|
35
|
-
def relevant_patch_path?(patch)
|
36
|
-
patch_path = patch.new_file_full_path.to_s
|
37
|
-
patch_path.end_with?(GEMFILE_LOCK_FILENAME)
|
18
|
+
auditor = Auditor.new
|
19
|
+
auditor.call
|
38
20
|
end
|
39
21
|
end
|
40
22
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: pronto-bundler_audit
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Paul Dobbins
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-05-
|
11
|
+
date: 2019-05-09 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler-audit
|
@@ -210,6 +210,7 @@ files:
|
|
210
210
|
- lib/pronto/bundler_audit/advisory_formatters/compact.rb
|
211
211
|
- lib/pronto/bundler_audit/advisory_formatters/verbose.rb
|
212
212
|
- lib/pronto/bundler_audit/auditor.rb
|
213
|
+
- lib/pronto/bundler_audit/gemfile_lock/scanner.rb
|
213
214
|
- lib/pronto/bundler_audit/results/base_result.rb
|
214
215
|
- lib/pronto/bundler_audit/results/insecure_source.rb
|
215
216
|
- lib/pronto/bundler_audit/results/unpatched_gem.rb
|