pronto-bundler_audit 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2a6328fffd859750def2c69f570ea970ecc44aa1b31362dfa03b5933cde49201
-  data.tar.gz: c6c226e11867996c7d19d53089a31e20b87acaebe3593713f11d310f7e1b602b
+  metadata.gz: a6825b92770d5ec83054e365afe320ac8e201654cb1e7e8ca47df3fea622f7fc
+  data.tar.gz: 1446e4bac285ab84f8c415c010fdc4b0308ad1e8440ae3970f74e3c28dcb2cdf
 SHA512:
-  metadata.gz: df67a7343d90292e9b15fdfeb6c75eab64b76b27a98ee1feffb3ac9b2c1ef3f0e20822048a595018904d19655c8c82142635644409e01faaee3fa313fccc5826
-  data.tar.gz: 167db3c4bfbd04bec6b25d519f0fd060809de610f899d8e3cc166601baac28ffcc512129ab02496305899df4b7f192fc77a274352f4cc2fcdfcb8f6c846e5edb
+  metadata.gz: 152d482b50806dcdc06f09e6129d0babda3598ab0b5de38b3ef4d9704dc4d67db4c9b242d4ad5218fa3c246bad881d0769c150ed593aaee4c9d8229a78581c53
+  data.tar.gz: 3876b7d38f7cc58086f1fa82c21ca9bd1572797dbf64165fd234fa53d1a1fc952f89b614317803683effbfa23b1c33021c0a5c69b029ec83a62f507d5669984d

data/CHANGELOG.md

@@ -1,3 +1,6 @@
+### 0.4.0 - 2019-05-08
+- Remove patch-level processing... just always scan Gemfile.lock when this runner is invoked.
+
 ### 0.3.0 - 2019-05-03
 - Internal rewrite into smaller objects with full test coverage
 - Switch to using the verbose advisory formatter by default

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    pronto-bundler_audit (0.3.0)
+    pronto-bundler_audit (0.4.0)
       bundler-audit (~> 0)
       pronto (~> 0)
 
@@ -39,7 +39,7 @@ GEM
       builder
       minitest (>= 5.0)
       ruby-progressbar
-    much-stub (0.1.0)
+    much-stub (0.1.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
     octokit (4.14.0)

data/README.md

@@ -36,6 +36,8 @@ Tested MRI Ruby Versions:
 
 Once installed as a gem, this runner activate automatically when [running Pronto](https://github.com/prontolabs/pronto#usage) -- no configuration is required.
 
+Note: Unlike most Pronto runners, pronto-bundler_audit will always scan Gemfile.lock whenever Pronto is run. That is, this runner does not only run against patches/diffs made on Gemfile.lock. The point is to find issues/advisories on every Pronto run, not just when Gemfile.lock has been updated. Because that wouldn't really help us find vulnerabilities in a project's gems in a timely fashion.
+
 ### Examples
 
 #### Local Pronto Run

data/lib/pronto/bundler_audit/auditor.rb

@@ -6,12 +6,8 @@ module Pronto
   class BundlerAudit
     # Pronto::BundlerAudit::Auditor:
     # 1. updates the local ruby security database, and then
-    # 2. runs {Pronto::BundlerAudit::Scanner#call} on the given `patch`.
+    # 2. runs {Pronto::BundlerAudit::Scanner#call}.
     class Auditor
-      def initialize(patch)
-        @patch = patch
-      end
-
       # @return (see: #run_scan)
       def call
         update_ruby_advisory_db
@@ -27,7 +23,7 @@ module Pronto
       # @return [Array>] if no advisories were found
       # @return [Array<Pronto::Message>] if advisories were found
       def run_scanner
-        scanner = Scanner.new(@patch)
+        scanner = Scanner.new
         scanner.call
       end
     end

data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module Pronto
+  class BundlerAudit
+    module GemfileLock
+      # Pronto::BundlerAudit::GemfileLock::Scanner scans the given `path` for
+      # the given `gem_name` and returns a `Pronto::Git::Line` with relevant
+      # info (supplied by Pronto::Git::Line and Pronto::Git::Patch stand-in
+      # objects).
+      #
+      # We use stand-in objects because we don't have or need an actual
+      # Pronto::Git::Line object. This is not a normal situation, but, for this
+      # gem, we're not worried about specific details from git patches.
+      # Instead, we just always scan the Gemfile.lock file for bundler_audit
+      # issues/advisories.
+      class Scanner
+        def initialize(gem_name:, path: GEMFILE_LOCK_FILENAME)
+          unless File.exist?(path)
+            raise ArgumentError, "Gemfile.lock path not found"
+          end
+
+          @gem_name = gem_name
+          @path = path
+        end
+
+        def call
+          find_relevant_line
+        end
+
+        private
+
+        # @return [Pronto::Git::Line]
+        def find_relevant_line
+          return unless (found_line_number = determine_line_number)
+
+          build_pronto_git_line(found_line_number)
+        end
+
+        def determine_line_number
+          File.foreach(@path).with_index do |line, index|
+            break index.next if line.include?(@gem_name)
+          end
+        end
+
+        # @return [Pronto::Git::Line]
+        def build_pronto_git_line(line_number)
+          ::Pronto::Git::Line.new(
+            Line.new(line_number),
+            Patch.new)
+        end
+
+        # Pronto::BundlerAudit::GemfileLock::Scanner::Line is a stand-in for
+        # the Pronto::Git::Line object.
+        class Line
+          def initialize(line_number)
+            @line_number = line_number
+          end
+
+          def new_lineno
+            @line_number
+          end
+        end
+
+        # Pronto::BundlerAudit::GemfileLock::Scanner::Patch is a stand-in for
+        # the Pronto::Git::Patch object.
+        class Patch
+          def blame(*)
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pronto/bundler_audit/results/unpatched_gem.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
 
 require_relative "base_result"
-require "pronto/bundler_audit/advisory_formatters/verbose"
 require "pronto/bundler_audit/advisory_formatters/compact"
+require "pronto/bundler_audit/advisory_formatters/verbose"
+require "pronto/bundler_audit/gemfile_lock/scanner"
 
 module Pronto
   class BundlerAudit
@@ -10,11 +11,6 @@ module Pronto
       # Pronto::BundlerAudit::Results::UnpatchedGem builds a Pronto::Message for
       # Bundler::Audit::Scanner::UnpatchedGem issues.
       class UnpatchedGem < BaseResult
-        def initialize(scan_result, patch:)
-          super(scan_result)
-          @patch = patch
-        end
-
         private
 
         def report_result
@@ -24,14 +20,9 @@ module Pronto
             line: find_relevant_line)
         end
 
-        # @return [Pronto::Git::Line]
         def find_relevant_line
-          first_added_line_for_affected_gem_name(@gem.name)
-        end
-
-        # @return [Pronto::Git::Line]
-        def first_added_line_for_affected_gem_name(gem_name)
-          @patch.added_lines.detect { |line| line.content.include?(gem_name) }
+          scanner = GemfileLock::Scanner.new(gem_name: @gem.name)
+          scanner.call
         end
 
         def message

data/lib/pronto/bundler_audit/scanner.rb

@@ -5,14 +5,10 @@ require_relative "results/unpatched_gem"
 
 module Pronto
   class BundlerAudit
-    # Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan on
-    # the given patch and then calls a {Pronto::BundlerAudit::BaseResult} based
-    # for each scan result.
+    # Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan and
+    # then calls a {Pronto::BundlerAudit::BaseResult} based for each scan
+    # result.
     class Scanner
-      def initialize(patch)
-        @patch = patch
-      end
-
       # @return [Array>] if no advisories were found
       # @return [Array<Pronto::Message>] if advisories were found)
       def call
@@ -34,9 +30,9 @@ module Pronto
       def match_result(scan_result)
         case scan_result
         when Bundler::Audit::Scanner::InsecureSource
-          Results::InsecureSource.new(scan_result, patch: @patch)
+          Results::InsecureSource.new(scan_result)
         when Bundler::Audit::Scanner::UnpatchedGem
-          Results::UnpatchedGem.new(scan_result, patch: @patch)
+          Results::UnpatchedGem.new(scan_result)
         else
           raise ArgumentError, "Unexpected type: #{scan_result.class}"
         end

data/lib/pronto/bundler_audit/version.rb

@@ -3,6 +3,6 @@
 module Pronto
   # Pronto::BundlerAuditVersion
   module BundlerAuditVersion
-    VERSION = "0.3.0"
+    VERSION = "0.4.0"
   end
 end

data/lib/pronto/bundler_audit.rb

@@ -6,35 +6,17 @@ require "bundler/audit/scanner"
 
 module Pronto
   # Pronto::BundlerAudit is a Pronto::Runner that:
-  # 1. Finds the most relevant patch (the last patch that contains a change to
-  #    Gemfile.lock)
-  # 2. Updates the Ruby Advisory Database
-  # 3. Runs bundle-audit to scan the Gemfile.lock
-  # 4. Returns an Array of Pronto::Message objects if any advisories are found
+  # 1. Updates the Ruby Advisory Database,
+  # 2. Runs bundle-audit to scan the Gemfile.lock, and then
+  # 4. Returns an Array of Pronto::Message objects if any issues or advisories
+  # are found.
   class BundlerAudit < Runner
     GEMFILE_LOCK_FILENAME = "Gemfile.lock"
 
-    # @return [Array] per Pronto expectation
+    # @return [Array<Pronto::Message>] per Pronto expectation
     def run
-      if (patch = find_relevant_patch)
-        auditor = Auditor.new(patch)
-        auditor.call
-      else
-        []
-      end
-    end
-
-    private
-
-    def find_relevant_patch
-      @patches.to_a.reverse.detect { |patch|
-        patch.additions > 0 && relevant_patch_path?(patch)
-      }
-    end
-
-    def relevant_patch_path?(patch)
-      patch_path = patch.new_file_full_path.to_s
-      patch_path.end_with?(GEMFILE_LOCK_FILENAME)
+      auditor = Auditor.new
+      auditor.call
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pronto-bundler_audit
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Paul Dobbins
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-05-03 00:00:00.000000000 Z
+date: 2019-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -210,6 +210,7 @@ files:
 - lib/pronto/bundler_audit/advisory_formatters/compact.rb
 - lib/pronto/bundler_audit/advisory_formatters/verbose.rb
 - lib/pronto/bundler_audit/auditor.rb
+- lib/pronto/bundler_audit/gemfile_lock/scanner.rb
 - lib/pronto/bundler_audit/results/base_result.rb
 - lib/pronto/bundler_audit/results/insecure_source.rb
 - lib/pronto/bundler_audit/results/unpatched_gem.rb