pronto-bundler_audit 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2a6328fffd859750def2c69f570ea970ecc44aa1b31362dfa03b5933cde49201
4
- data.tar.gz: c6c226e11867996c7d19d53089a31e20b87acaebe3593713f11d310f7e1b602b
3
+ metadata.gz: a6825b92770d5ec83054e365afe320ac8e201654cb1e7e8ca47df3fea622f7fc
4
+ data.tar.gz: 1446e4bac285ab84f8c415c010fdc4b0308ad1e8440ae3970f74e3c28dcb2cdf
5
5
  SHA512:
6
- metadata.gz: df67a7343d90292e9b15fdfeb6c75eab64b76b27a98ee1feffb3ac9b2c1ef3f0e20822048a595018904d19655c8c82142635644409e01faaee3fa313fccc5826
7
- data.tar.gz: 167db3c4bfbd04bec6b25d519f0fd060809de610f899d8e3cc166601baac28ffcc512129ab02496305899df4b7f192fc77a274352f4cc2fcdfcb8f6c846e5edb
6
+ metadata.gz: 152d482b50806dcdc06f09e6129d0babda3598ab0b5de38b3ef4d9704dc4d67db4c9b242d4ad5218fa3c246bad881d0769c150ed593aaee4c9d8229a78581c53
7
+ data.tar.gz: 3876b7d38f7cc58086f1fa82c21ca9bd1572797dbf64165fd234fa53d1a1fc952f89b614317803683effbfa23b1c33021c0a5c69b029ec83a62f507d5669984d
data/CHANGELOG.md CHANGED
@@ -1,3 +1,6 @@
1
+ ### 0.4.0 - 2019-05-08
2
+ - Remove patch-level processing... just always scan Gemfile.lock when this runner is invoked.
3
+
1
4
  ### 0.3.0 - 2019-05-03
2
5
  - Internal rewrite into smaller objects with full test coverage
3
6
  - Switch to using the verbose advisory formatter by default
data/Gemfile.lock CHANGED
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- pronto-bundler_audit (0.3.0)
4
+ pronto-bundler_audit (0.4.0)
5
5
  bundler-audit (~> 0)
6
6
  pronto (~> 0)
7
7
 
@@ -39,7 +39,7 @@ GEM
39
39
  builder
40
40
  minitest (>= 5.0)
41
41
  ruby-progressbar
42
- much-stub (0.1.0)
42
+ much-stub (0.1.1)
43
43
  multi_xml (0.6.0)
44
44
  multipart-post (2.0.0)
45
45
  octokit (4.14.0)
data/README.md CHANGED
@@ -36,6 +36,8 @@ Tested MRI Ruby Versions:
36
36
 
37
37
  Once installed as a gem, this runner activate automatically when [running Pronto](https://github.com/prontolabs/pronto#usage) -- no configuration is required.
38
38
 
39
+ Note: Unlike most Pronto runners, pronto-bundler_audit will always scan Gemfile.lock whenever Pronto is run. That is, this runner does not only run against patches/diffs made on Gemfile.lock. The point is to find issues/advisories on every Pronto run, not just when Gemfile.lock has been updated. Because that wouldn't really help us find vulnerabilities in a project's gems in a timely fashion.
40
+
39
41
  ### Examples
40
42
 
41
43
  #### Local Pronto Run
@@ -6,12 +6,8 @@ module Pronto
6
6
  class BundlerAudit
7
7
  # Pronto::BundlerAudit::Auditor:
8
8
  # 1. updates the local ruby security database, and then
9
- # 2. runs {Pronto::BundlerAudit::Scanner#call} on the given `patch`.
9
+ # 2. runs {Pronto::BundlerAudit::Scanner#call}.
10
10
  class Auditor
11
- def initialize(patch)
12
- @patch = patch
13
- end
14
-
15
11
  # @return (see: #run_scan)
16
12
  def call
17
13
  update_ruby_advisory_db
@@ -27,7 +23,7 @@ module Pronto
27
23
  # @return [Array>] if no advisories were found
28
24
  # @return [Array<Pronto::Message>] if advisories were found
29
25
  def run_scanner
30
- scanner = Scanner.new(@patch)
26
+ scanner = Scanner.new
31
27
  scanner.call
32
28
  end
33
29
  end
@@ -0,0 +1,74 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Pronto
4
+ class BundlerAudit
5
+ module GemfileLock
6
+ # Pronto::BundlerAudit::GemfileLock::Scanner scans the given `path` for
7
+ # the given `gem_name` and returns a `Pronto::Git::Line` with relevant
8
+ # info (supplied by Pronto::Git::Line and Pronto::Git::Patch stand-in
9
+ # objects).
10
+ #
11
+ # We use stand-in objects because we don't have or need an actual
12
+ # Pronto::Git::Line object. This is not a normal situation, but, for this
13
+ # gem, we're not worried about specific details from git patches.
14
+ # Instead, we just always scan the Gemfile.lock file for bundler_audit
15
+ # issues/advisories.
16
+ class Scanner
17
+ def initialize(gem_name:, path: GEMFILE_LOCK_FILENAME)
18
+ unless File.exist?(path)
19
+ raise ArgumentError, "Gemfile.lock path not found"
20
+ end
21
+
22
+ @gem_name = gem_name
23
+ @path = path
24
+ end
25
+
26
+ def call
27
+ find_relevant_line
28
+ end
29
+
30
+ private
31
+
32
+ # @return [Pronto::Git::Line]
33
+ def find_relevant_line
34
+ return unless (found_line_number = determine_line_number)
35
+
36
+ build_pronto_git_line(found_line_number)
37
+ end
38
+
39
+ def determine_line_number
40
+ File.foreach(@path).with_index do |line, index|
41
+ break index.next if line.include?(@gem_name)
42
+ end
43
+ end
44
+
45
+ # @return [Pronto::Git::Line]
46
+ def build_pronto_git_line(line_number)
47
+ ::Pronto::Git::Line.new(
48
+ Line.new(line_number),
49
+ Patch.new)
50
+ end
51
+
52
+ # Pronto::BundlerAudit::GemfileLock::Scanner::Line is a stand-in for
53
+ # the Pronto::Git::Line object.
54
+ class Line
55
+ def initialize(line_number)
56
+ @line_number = line_number
57
+ end
58
+
59
+ def new_lineno
60
+ @line_number
61
+ end
62
+ end
63
+
64
+ # Pronto::BundlerAudit::GemfileLock::Scanner::Patch is a stand-in for
65
+ # the Pronto::Git::Patch object.
66
+ class Patch
67
+ def blame(*)
68
+ nil
69
+ end
70
+ end
71
+ end
72
+ end
73
+ end
74
+ end
@@ -1,8 +1,9 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require_relative "base_result"
4
- require "pronto/bundler_audit/advisory_formatters/verbose"
5
4
  require "pronto/bundler_audit/advisory_formatters/compact"
5
+ require "pronto/bundler_audit/advisory_formatters/verbose"
6
+ require "pronto/bundler_audit/gemfile_lock/scanner"
6
7
 
7
8
  module Pronto
8
9
  class BundlerAudit
@@ -10,11 +11,6 @@ module Pronto
10
11
  # Pronto::BundlerAudit::Results::UnpatchedGem builds a Pronto::Message for
11
12
  # Bundler::Audit::Scanner::UnpatchedGem issues.
12
13
  class UnpatchedGem < BaseResult
13
- def initialize(scan_result, patch:)
14
- super(scan_result)
15
- @patch = patch
16
- end
17
-
18
14
  private
19
15
 
20
16
  def report_result
@@ -24,14 +20,9 @@ module Pronto
24
20
  line: find_relevant_line)
25
21
  end
26
22
 
27
- # @return [Pronto::Git::Line]
28
23
  def find_relevant_line
29
- first_added_line_for_affected_gem_name(@gem.name)
30
- end
31
-
32
- # @return [Pronto::Git::Line]
33
- def first_added_line_for_affected_gem_name(gem_name)
34
- @patch.added_lines.detect { |line| line.content.include?(gem_name) }
24
+ scanner = GemfileLock::Scanner.new(gem_name: @gem.name)
25
+ scanner.call
35
26
  end
36
27
 
37
28
  def message
@@ -5,14 +5,10 @@ require_relative "results/unpatched_gem"
5
5
 
6
6
  module Pronto
7
7
  class BundlerAudit
8
- # Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan on
9
- # the given patch and then calls a {Pronto::BundlerAudit::BaseResult} based
10
- # for each scan result.
8
+ # Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan and
9
+ # then calls a {Pronto::BundlerAudit::BaseResult} based for each scan
10
+ # result.
11
11
  class Scanner
12
- def initialize(patch)
13
- @patch = patch
14
- end
15
-
16
12
  # @return [Array>] if no advisories were found
17
13
  # @return [Array<Pronto::Message>] if advisories were found)
18
14
  def call
@@ -34,9 +30,9 @@ module Pronto
34
30
  def match_result(scan_result)
35
31
  case scan_result
36
32
  when Bundler::Audit::Scanner::InsecureSource
37
- Results::InsecureSource.new(scan_result, patch: @patch)
33
+ Results::InsecureSource.new(scan_result)
38
34
  when Bundler::Audit::Scanner::UnpatchedGem
39
- Results::UnpatchedGem.new(scan_result, patch: @patch)
35
+ Results::UnpatchedGem.new(scan_result)
40
36
  else
41
37
  raise ArgumentError, "Unexpected type: #{scan_result.class}"
42
38
  end
@@ -3,6 +3,6 @@
3
3
  module Pronto
4
4
  # Pronto::BundlerAuditVersion
5
5
  module BundlerAuditVersion
6
- VERSION = "0.3.0"
6
+ VERSION = "0.4.0"
7
7
  end
8
8
  end
@@ -6,35 +6,17 @@ require "bundler/audit/scanner"
6
6
 
7
7
  module Pronto
8
8
  # Pronto::BundlerAudit is a Pronto::Runner that:
9
- # 1. Finds the most relevant patch (the last patch that contains a change to
10
- # Gemfile.lock)
11
- # 2. Updates the Ruby Advisory Database
12
- # 3. Runs bundle-audit to scan the Gemfile.lock
13
- # 4. Returns an Array of Pronto::Message objects if any advisories are found
9
+ # 1. Updates the Ruby Advisory Database,
10
+ # 2. Runs bundle-audit to scan the Gemfile.lock, and then
11
+ # 4. Returns an Array of Pronto::Message objects if any issues or advisories
12
+ # are found.
14
13
  class BundlerAudit < Runner
15
14
  GEMFILE_LOCK_FILENAME = "Gemfile.lock"
16
15
 
17
- # @return [Array] per Pronto expectation
16
+ # @return [Array<Pronto::Message>] per Pronto expectation
18
17
  def run
19
- if (patch = find_relevant_patch)
20
- auditor = Auditor.new(patch)
21
- auditor.call
22
- else
23
- []
24
- end
25
- end
26
-
27
- private
28
-
29
- def find_relevant_patch
30
- @patches.to_a.reverse.detect { |patch|
31
- patch.additions > 0 && relevant_patch_path?(patch)
32
- }
33
- end
34
-
35
- def relevant_patch_path?(patch)
36
- patch_path = patch.new_file_full_path.to_s
37
- patch_path.end_with?(GEMFILE_LOCK_FILENAME)
18
+ auditor = Auditor.new
19
+ auditor.call
38
20
  end
39
21
  end
40
22
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: pronto-bundler_audit
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.0
4
+ version: 0.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paul Dobbins
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-05-03 00:00:00.000000000 Z
11
+ date: 2019-05-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler-audit
@@ -210,6 +210,7 @@ files:
210
210
  - lib/pronto/bundler_audit/advisory_formatters/compact.rb
211
211
  - lib/pronto/bundler_audit/advisory_formatters/verbose.rb
212
212
  - lib/pronto/bundler_audit/auditor.rb
213
+ - lib/pronto/bundler_audit/gemfile_lock/scanner.rb
213
214
  - lib/pronto/bundler_audit/results/base_result.rb
214
215
  - lib/pronto/bundler_audit/results/insecure_source.rb
215
216
  - lib/pronto/bundler_audit/results/unpatched_gem.rb