pronto-bundler_audit 0.3.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/Gemfile.lock +2 -2
- data/README.md +2 -0
- data/lib/pronto/bundler_audit/auditor.rb +2 -6
- data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb +74 -0
- data/lib/pronto/bundler_audit/results/unpatched_gem.rb +4 -13
- data/lib/pronto/bundler_audit/scanner.rb +5 -9
- data/lib/pronto/bundler_audit/version.rb +1 -1
- data/lib/pronto/bundler_audit.rb +7 -25
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a6825b92770d5ec83054e365afe320ac8e201654cb1e7e8ca47df3fea622f7fc
|
|
4
|
+
data.tar.gz: 1446e4bac285ab84f8c415c010fdc4b0308ad1e8440ae3970f74e3c28dcb2cdf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 152d482b50806dcdc06f09e6129d0babda3598ab0b5de38b3ef4d9704dc4d67db4c9b242d4ad5218fa3c246bad881d0769c150ed593aaee4c9d8229a78581c53
|
|
7
|
+
data.tar.gz: 3876b7d38f7cc58086f1fa82c21ca9bd1572797dbf64165fd234fa53d1a1fc952f89b614317803683effbfa23b1c33021c0a5c69b029ec83a62f507d5669984d
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,6 @@
|
|
|
1
|
+
### 0.4.0 - 2019-05-08
|
|
2
|
+
- Remove patch-level processing... just always scan Gemfile.lock when this runner is invoked.
|
|
3
|
+
|
|
1
4
|
### 0.3.0 - 2019-05-03
|
|
2
5
|
- Internal rewrite into smaller objects with full test coverage
|
|
3
6
|
- Switch to using the verbose advisory formatter by default
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
pronto-bundler_audit (0.
|
|
4
|
+
pronto-bundler_audit (0.4.0)
|
|
5
5
|
bundler-audit (~> 0)
|
|
6
6
|
pronto (~> 0)
|
|
7
7
|
|
|
@@ -39,7 +39,7 @@ GEM
|
|
|
39
39
|
builder
|
|
40
40
|
minitest (>= 5.0)
|
|
41
41
|
ruby-progressbar
|
|
42
|
-
much-stub (0.1.
|
|
42
|
+
much-stub (0.1.1)
|
|
43
43
|
multi_xml (0.6.0)
|
|
44
44
|
multipart-post (2.0.0)
|
|
45
45
|
octokit (4.14.0)
|
data/README.md
CHANGED
|
@@ -36,6 +36,8 @@ Tested MRI Ruby Versions:
|
|
|
36
36
|
|
|
37
37
|
Once installed as a gem, this runner activate automatically when [running Pronto](https://github.com/prontolabs/pronto#usage) -- no configuration is required.
|
|
38
38
|
|
|
39
|
+
Note: Unlike most Pronto runners, pronto-bundler_audit will always scan Gemfile.lock whenever Pronto is run. That is, this runner does not only run against patches/diffs made on Gemfile.lock. The point is to find issues/advisories on every Pronto run, not just when Gemfile.lock has been updated. Because that wouldn't really help us find vulnerabilities in a project's gems in a timely fashion.
|
|
40
|
+
|
|
39
41
|
### Examples
|
|
40
42
|
|
|
41
43
|
#### Local Pronto Run
|
|
@@ -6,12 +6,8 @@ module Pronto
|
|
|
6
6
|
class BundlerAudit
|
|
7
7
|
# Pronto::BundlerAudit::Auditor:
|
|
8
8
|
# 1. updates the local ruby security database, and then
|
|
9
|
-
# 2. runs {Pronto::BundlerAudit::Scanner#call}
|
|
9
|
+
# 2. runs {Pronto::BundlerAudit::Scanner#call}.
|
|
10
10
|
class Auditor
|
|
11
|
-
def initialize(patch)
|
|
12
|
-
@patch = patch
|
|
13
|
-
end
|
|
14
|
-
|
|
15
11
|
# @return (see: #run_scan)
|
|
16
12
|
def call
|
|
17
13
|
update_ruby_advisory_db
|
|
@@ -27,7 +23,7 @@ module Pronto
|
|
|
27
23
|
# @return [Array>] if no advisories were found
|
|
28
24
|
# @return [Array<Pronto::Message>] if advisories were found
|
|
29
25
|
def run_scanner
|
|
30
|
-
scanner = Scanner.new
|
|
26
|
+
scanner = Scanner.new
|
|
31
27
|
scanner.call
|
|
32
28
|
end
|
|
33
29
|
end
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Pronto
|
|
4
|
+
class BundlerAudit
|
|
5
|
+
module GemfileLock
|
|
6
|
+
# Pronto::BundlerAudit::GemfileLock::Scanner scans the given `path` for
|
|
7
|
+
# the given `gem_name` and returns a `Pronto::Git::Line` with relevant
|
|
8
|
+
# info (supplied by Pronto::Git::Line and Pronto::Git::Patch stand-in
|
|
9
|
+
# objects).
|
|
10
|
+
#
|
|
11
|
+
# We use stand-in objects because we don't have or need an actual
|
|
12
|
+
# Pronto::Git::Line object. This is not a normal situation, but, for this
|
|
13
|
+
# gem, we're not worried about specific details from git patches.
|
|
14
|
+
# Instead, we just always scan the Gemfile.lock file for bundler_audit
|
|
15
|
+
# issues/advisories.
|
|
16
|
+
class Scanner
|
|
17
|
+
def initialize(gem_name:, path: GEMFILE_LOCK_FILENAME)
|
|
18
|
+
unless File.exist?(path)
|
|
19
|
+
raise ArgumentError, "Gemfile.lock path not found"
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
@gem_name = gem_name
|
|
23
|
+
@path = path
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def call
|
|
27
|
+
find_relevant_line
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
private
|
|
31
|
+
|
|
32
|
+
# @return [Pronto::Git::Line]
|
|
33
|
+
def find_relevant_line
|
|
34
|
+
return unless (found_line_number = determine_line_number)
|
|
35
|
+
|
|
36
|
+
build_pronto_git_line(found_line_number)
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
def determine_line_number
|
|
40
|
+
File.foreach(@path).with_index do |line, index|
|
|
41
|
+
break index.next if line.include?(@gem_name)
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
# @return [Pronto::Git::Line]
|
|
46
|
+
def build_pronto_git_line(line_number)
|
|
47
|
+
::Pronto::Git::Line.new(
|
|
48
|
+
Line.new(line_number),
|
|
49
|
+
Patch.new)
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
# Pronto::BundlerAudit::GemfileLock::Scanner::Line is a stand-in for
|
|
53
|
+
# the Pronto::Git::Line object.
|
|
54
|
+
class Line
|
|
55
|
+
def initialize(line_number)
|
|
56
|
+
@line_number = line_number
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
def new_lineno
|
|
60
|
+
@line_number
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
# Pronto::BundlerAudit::GemfileLock::Scanner::Patch is a stand-in for
|
|
65
|
+
# the Pronto::Git::Patch object.
|
|
66
|
+
class Patch
|
|
67
|
+
def blame(*)
|
|
68
|
+
nil
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
end
|
|
@@ -1,8 +1,9 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require_relative "base_result"
|
|
4
|
-
require "pronto/bundler_audit/advisory_formatters/verbose"
|
|
5
4
|
require "pronto/bundler_audit/advisory_formatters/compact"
|
|
5
|
+
require "pronto/bundler_audit/advisory_formatters/verbose"
|
|
6
|
+
require "pronto/bundler_audit/gemfile_lock/scanner"
|
|
6
7
|
|
|
7
8
|
module Pronto
|
|
8
9
|
class BundlerAudit
|
|
@@ -10,11 +11,6 @@ module Pronto
|
|
|
10
11
|
# Pronto::BundlerAudit::Results::UnpatchedGem builds a Pronto::Message for
|
|
11
12
|
# Bundler::Audit::Scanner::UnpatchedGem issues.
|
|
12
13
|
class UnpatchedGem < BaseResult
|
|
13
|
-
def initialize(scan_result, patch:)
|
|
14
|
-
super(scan_result)
|
|
15
|
-
@patch = patch
|
|
16
|
-
end
|
|
17
|
-
|
|
18
14
|
private
|
|
19
15
|
|
|
20
16
|
def report_result
|
|
@@ -24,14 +20,9 @@ module Pronto
|
|
|
24
20
|
line: find_relevant_line)
|
|
25
21
|
end
|
|
26
22
|
|
|
27
|
-
# @return [Pronto::Git::Line]
|
|
28
23
|
def find_relevant_line
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
# @return [Pronto::Git::Line]
|
|
33
|
-
def first_added_line_for_affected_gem_name(gem_name)
|
|
34
|
-
@patch.added_lines.detect { |line| line.content.include?(gem_name) }
|
|
24
|
+
scanner = GemfileLock::Scanner.new(gem_name: @gem.name)
|
|
25
|
+
scanner.call
|
|
35
26
|
end
|
|
36
27
|
|
|
37
28
|
def message
|
|
@@ -5,14 +5,10 @@ require_relative "results/unpatched_gem"
|
|
|
5
5
|
|
|
6
6
|
module Pronto
|
|
7
7
|
class BundlerAudit
|
|
8
|
-
# Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan
|
|
9
|
-
#
|
|
10
|
-
#
|
|
8
|
+
# Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan and
|
|
9
|
+
# then calls a {Pronto::BundlerAudit::BaseResult} based for each scan
|
|
10
|
+
# result.
|
|
11
11
|
class Scanner
|
|
12
|
-
def initialize(patch)
|
|
13
|
-
@patch = patch
|
|
14
|
-
end
|
|
15
|
-
|
|
16
12
|
# @return [Array>] if no advisories were found
|
|
17
13
|
# @return [Array<Pronto::Message>] if advisories were found)
|
|
18
14
|
def call
|
|
@@ -34,9 +30,9 @@ module Pronto
|
|
|
34
30
|
def match_result(scan_result)
|
|
35
31
|
case scan_result
|
|
36
32
|
when Bundler::Audit::Scanner::InsecureSource
|
|
37
|
-
Results::InsecureSource.new(scan_result
|
|
33
|
+
Results::InsecureSource.new(scan_result)
|
|
38
34
|
when Bundler::Audit::Scanner::UnpatchedGem
|
|
39
|
-
Results::UnpatchedGem.new(scan_result
|
|
35
|
+
Results::UnpatchedGem.new(scan_result)
|
|
40
36
|
else
|
|
41
37
|
raise ArgumentError, "Unexpected type: #{scan_result.class}"
|
|
42
38
|
end
|
data/lib/pronto/bundler_audit.rb
CHANGED
|
@@ -6,35 +6,17 @@ require "bundler/audit/scanner"
|
|
|
6
6
|
|
|
7
7
|
module Pronto
|
|
8
8
|
# Pronto::BundlerAudit is a Pronto::Runner that:
|
|
9
|
-
# 1.
|
|
10
|
-
#
|
|
11
|
-
#
|
|
12
|
-
#
|
|
13
|
-
# 4. Returns an Array of Pronto::Message objects if any advisories are found
|
|
9
|
+
# 1. Updates the Ruby Advisory Database,
|
|
10
|
+
# 2. Runs bundle-audit to scan the Gemfile.lock, and then
|
|
11
|
+
# 4. Returns an Array of Pronto::Message objects if any issues or advisories
|
|
12
|
+
# are found.
|
|
14
13
|
class BundlerAudit < Runner
|
|
15
14
|
GEMFILE_LOCK_FILENAME = "Gemfile.lock"
|
|
16
15
|
|
|
17
|
-
# @return [Array] per Pronto expectation
|
|
16
|
+
# @return [Array<Pronto::Message>] per Pronto expectation
|
|
18
17
|
def run
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
auditor.call
|
|
22
|
-
else
|
|
23
|
-
[]
|
|
24
|
-
end
|
|
25
|
-
end
|
|
26
|
-
|
|
27
|
-
private
|
|
28
|
-
|
|
29
|
-
def find_relevant_patch
|
|
30
|
-
@patches.to_a.reverse.detect { |patch|
|
|
31
|
-
patch.additions > 0 && relevant_patch_path?(patch)
|
|
32
|
-
}
|
|
33
|
-
end
|
|
34
|
-
|
|
35
|
-
def relevant_patch_path?(patch)
|
|
36
|
-
patch_path = patch.new_file_full_path.to_s
|
|
37
|
-
patch_path.end_with?(GEMFILE_LOCK_FILENAME)
|
|
18
|
+
auditor = Auditor.new
|
|
19
|
+
auditor.call
|
|
38
20
|
end
|
|
39
21
|
end
|
|
40
22
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pronto-bundler_audit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paul Dobbins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-05-
|
|
11
|
+
date: 2019-05-09 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler-audit
|
|
@@ -210,6 +210,7 @@ files:
|
|
|
210
210
|
- lib/pronto/bundler_audit/advisory_formatters/compact.rb
|
|
211
211
|
- lib/pronto/bundler_audit/advisory_formatters/verbose.rb
|
|
212
212
|
- lib/pronto/bundler_audit/auditor.rb
|
|
213
|
+
- lib/pronto/bundler_audit/gemfile_lock/scanner.rb
|
|
213
214
|
- lib/pronto/bundler_audit/results/base_result.rb
|
|
214
215
|
- lib/pronto/bundler_audit/results/insecure_source.rb
|
|
215
216
|
- lib/pronto/bundler_audit/results/unpatched_gem.rb
|