pronto-bundler_audit 0.4.0 → 0.5.0
- checksums.yaml +4 -4
- data/.rubocop.yml +3 -0
- data/.travis.yml +1 -2
- data/CHANGELOG.md +5 -1
- data/Gemfile.lock +15 -15
- data/README.md +38 -6
- data/images/ci-output.png +0 -0
- data/images/{github-comment.png → github-comment-compact.png} +0 -0
- data/images/github-comment-verbose.png +0 -0
- data/lib/pronto/bundler_audit.rb +25 -7
- data/lib/pronto/bundler_audit/auditor.rb +11 -7
- data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb +14 -43
- data/lib/pronto/bundler_audit/results/base_result.rb +10 -15
- data/lib/pronto/bundler_audit/results/insecure_source.rb +11 -8
- data/lib/pronto/bundler_audit/results/pronto_messages_adapter.rb +56 -0
- data/lib/pronto/bundler_audit/results/unpatched_gem.rb +17 -12
- data/lib/pronto/bundler_audit/scanner.rb +30 -8
- data/lib/pronto/bundler_audit/version.rb +1 -1
- metadata +7 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: dfd045795800e3a9d915819c4d0f3fb1bf8a33fe809621a181b90596b06c0337
|
4
|
+
data.tar.gz: 47fb28f8cae54edd5b17bb9f487a079d0a46664a081dd59e4b9d5e41be0c987c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c07df77c524372667979fa43d5500d76ef92586833f37e23e13e1240001ca042634afa626d0c512528fc35224f5c0d1d7039e21834533619767d7799c1eab43e
|
7
|
+
data.tar.gz: cf3e5d64dc3583a35ff2a5b8a32c982a9ce9336fca06a169039e3207a33af4633f65bfebfc19dbccabff9ce705ae2166e330565b82a1ab44c619eebe31ce3dd2
|
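--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -129,6 +129,9 @@ Style/FormatString:
 Style/Lambda:
 EnforcedStyle: literal
 
+Style/LambdaCall:
+Enabled: false # Allow ServiceObject.(*). Only use on classes, not instances.
+
 Style/NumericPredicate:
 Enabled: false # Trying to be welcoming to earlier versions of Ruby.
 # AutoCorrect: true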
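--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -4,14 +4,13 @@ env:
 sudo: false
 language: ruby
 rvm:
-- 2.3
 - 2.4
 - 2.5
 - 2.6
 - ruby-head
 notifications:
 email: false
-before_install: gem install bundler -v 2.0.
+before_install: gem install bundler -v 2.0.2 --no-document
 cache: bundler
 before_script:
 - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter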
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,8 @@
|
|
1
|
+
### 0.5.0 - 2019-07-31
|
2
|
+
- Fix Pronto -> GitHub reporting errors
|
3
|
+
- Thanks to Inestor for the [bug report](https://github.com/pdobb/pronto-bundler_audit/issues/2).
|
4
|
+
- Credit for the approach taken here goes to to os6sense and [his hard work](https://github.com/pdobb/pronto-bundler_audit/pull/4/files)
|
5
|
+
|
1
6
|
### 0.4.0 - 2019-05-08
|
2
7
|
- Remove patch-level processing... just always scan Gemfile.lock when this runner is invoked.
|
3
8
|
|
@@ -16,6 +21,5 @@
|
|
16
21
|
- Add line number to Pronto::Message; fixes GitHub API usage error when attempting to add errors to PR comments
|
17
22
|
- Add gem version requirements to gemspec
|
18
23
|
|
19
|
-
|
20
24
|
### 0.1.0 - 2019-04-28
|
21
25
|
- Initial release!
|
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
pronto-bundler_audit (0.
|
4
|
+
pronto-bundler_audit (0.5.0)
|
5
5
|
bundler-audit (~> 0)
|
6
6
|
pronto (~> 0)
|
7
7
|
|
@@ -18,16 +18,16 @@ GEM
|
|
18
18
|
thor (~> 0.18)
|
19
19
|
byebug (11.0.1)
|
20
20
|
coderay (1.1.2)
|
21
|
-
docile (1.3.
|
21
|
+
docile (1.3.2)
|
22
22
|
faraday (0.15.4)
|
23
23
|
multipart-post (>= 1.2, < 3)
|
24
|
-
gitlab (4.
|
24
|
+
gitlab (4.12.0)
|
25
25
|
httparty (~> 0.14, >= 0.14.0)
|
26
26
|
terminal-table (~> 1.5, >= 1.5.1)
|
27
27
|
httparty (0.17.0)
|
28
28
|
mime-types (~> 3.0)
|
29
29
|
multi_xml (>= 0.5.2)
|
30
|
-
jaro_winkler (1.5.
|
30
|
+
jaro_winkler (1.5.3)
|
31
31
|
json (2.2.0)
|
32
32
|
method_source (0.9.2)
|
33
33
|
mime-types (3.2.2)
|
@@ -41,7 +41,7 @@ GEM
|
|
41
41
|
ruby-progressbar
|
42
42
|
much-stub (0.1.1)
|
43
43
|
multi_xml (0.6.0)
|
44
|
-
multipart-post (2.
|
44
|
+
multipart-post (2.1.1)
|
45
45
|
octokit (4.14.0)
|
46
46
|
sawyer (~> 0.8.0, >= 0.5.3)
|
47
47
|
parallel (1.17.0)
|
@@ -60,22 +60,22 @@ GEM
|
|
60
60
|
pry-byebug (3.7.0)
|
61
61
|
byebug (~> 11.0)
|
62
62
|
pry (~> 0.10)
|
63
|
-
public_suffix (3.
|
63
|
+
public_suffix (3.1.1)
|
64
64
|
rainbow (3.0.0)
|
65
|
-
rake (12.3.
|
66
|
-
rubocop (0.
|
65
|
+
rake (12.3.3)
|
66
|
+
rubocop (0.73.0)
|
67
67
|
jaro_winkler (~> 1.5.1)
|
68
68
|
parallel (~> 1.10)
|
69
|
-
parser (>= 2.
|
69
|
+
parser (>= 2.6)
|
70
70
|
rainbow (>= 2.2.2, < 4.0)
|
71
71
|
ruby-progressbar (~> 1.7)
|
72
|
-
unicode-display_width (>= 1.4.0, < 1.
|
73
|
-
ruby-progressbar (1.10.
|
74
|
-
rugged (0.28.
|
72
|
+
unicode-display_width (>= 1.4.0, < 1.7)
|
73
|
+
ruby-progressbar (1.10.1)
|
74
|
+
rugged (0.28.2)
|
75
75
|
sawyer (0.8.2)
|
76
76
|
addressable (>= 2.3.5)
|
77
77
|
faraday (> 0.8, < 2.0)
|
78
|
-
simplecov (0.
|
78
|
+
simplecov (0.17.0)
|
79
79
|
docile (~> 1.1)
|
80
80
|
json (>= 1.8, < 3)
|
81
81
|
simplecov-html (~> 0.10.0)
|
@@ -83,7 +83,7 @@ GEM
|
|
83
83
|
terminal-table (1.8.0)
|
84
84
|
unicode-display_width (~> 1.1, >= 1.1.1)
|
85
85
|
thor (0.20.3)
|
86
|
-
unicode-display_width (1.
|
86
|
+
unicode-display_width (1.6.0)
|
87
87
|
|
88
88
|
PLATFORMS
|
89
89
|
ruby
|
@@ -102,4 +102,4 @@ DEPENDENCIES
|
|
102
102
|
simplecov (~> 0.16)
|
103
103
|
|
104
104
|
BUNDLED WITH
|
105
|
-
2.0.
|
105
|
+
2.0.2
|
data/README.md
CHANGED
@@ -26,7 +26,6 @@ Or install it yourself as:
|
|
26
26
|
## Compatibility
|
27
27
|
|
28
28
|
Tested MRI Ruby Versions:
|
29
|
-
* 2.3
|
30
29
|
* 2.4
|
31
30
|
* 2.5
|
32
31
|
* 2.6
|
@@ -42,21 +41,49 @@ Note: Unlike most Pronto runners, pronto-bundler_audit will always scan Gemfile.
|
|
42
41
|
|
43
42
|
#### Local Pronto Run
|
44
43
|
|
44
|
+
##### Compact Mode
|
45
|
+
|
45
46
|
```bash
|
46
|
-
$
|
47
|
+
$ pronto run -c=master --runner bundler_audit
|
47
48
|
Running Pronto::BundlerAudit
|
48
49
|
Gemfile.lock: E: Gem: bootstrap-sass v3.4.0 | Medium Advisory: XSS vulnerability in bootstrap-sass -- CVE-2019-8331 (https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/) | Solution: Upgrade to >= 3.4.1.
|
50
|
+
```
|
51
|
+
|
52
|
+
##### Verbose Mode
|
49
53
|
|
50
|
-
|
51
|
-
|
52
|
-
|
54
|
+
```bash
|
55
|
+
$ pronto run -c=master --runner bundler_audit
|
56
|
+
Running Pronto::BundlerAudit
|
57
|
+
Gemfile.lock: E: Name: bootstrap-sass
|
58
|
+
Version: 3.4.0
|
59
|
+
Advisory: CVE-2019-8331
|
60
|
+
Criticality: Medium
|
61
|
+
URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
|
62
|
+
Title: XSS vulnerability in bootstrap-sass
|
63
|
+
Solution: Upgrade to >= 3.4.1.
|
53
64
|
```
|
54
65
|
|
66
|
+
#### Continuous Integration Output
|
67
|
+
|
68
|
+
![CI Output](images/ci-output.png)
|
69
|
+
|
70
|
+
|
55
71
|
#### Github Pull Request - Checks
|
72
|
+
|
56
73
|
![Github Check](images/github-check.png)
|
57
74
|
|
58
75
|
#### Github Pull Request - Comments
|
59
|
-
|
76
|
+
|
77
|
+
##### Verbose Mode
|
78
|
+
|
79
|
+
![Github Comment - Verbose](images/github-comment-verbose.png)
|
80
|
+
|
81
|
+
##### Compact Mode
|
82
|
+
|
83
|
+
Note: Not yet available by configuration.
|
84
|
+
|
85
|
+
![Github Comment - Compact](images/github-comment-compact.png)
|
86
|
+
|
60
87
|
|
61
88
|
## Development
|
62
89
|
|
@@ -64,6 +91,11 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
|
|
64
91
|
|
65
92
|
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
66
93
|
|
94
|
+
### Testing
|
95
|
+
|
96
|
+
GitHub integration testing isn't easy. I have created a test app for myself at: https://github.com/pdobb/pronto-bundler_audit_test_app.
|
97
|
+
|
98
|
+
|
67
99
|
## TODO
|
68
100
|
|
69
101
|
* Add configuration for compact vs expanded advisories reporting
|
Binary file
|
File without changes
|
Binary file
|
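--- a/data/lib/pronto/bundler_audit.rb
+++ b/data/lib/pronto/bundler_audit.rb
@@ -5,21 +5,39 @@ require "bundler/audit/database"
 require "bundler/audit/scanner"
 
 module Pronto
-# Pronto::BundlerAudit is a Pronto::Runner that:
+# Pronto::BundlerAudit is a ::Pronto::Runner that:
 # 1. Updates the Ruby Advisory Database,
 # 2. Runs bundle-audit to scan the Gemfile.lock, and then
-#
-#
-class BundlerAudit < Runner
+# 3. Returns an Array of ::Pronto::Message objects if any issues or advisories
+# are found.
+class BundlerAudit < ::Pronto::Runner
 GEMFILE_LOCK_FILENAME = "Gemfile.lock"
 
-# @return [Array<Pronto::Message>]
+# @return [Array<Pronto::Message>] one for each issue found
 def run
-
-
+results = Auditor.call
+
+Results::ProntoMessagesAdapter.call(results, runner: self)
+end
+
+# @return [Pathname] the absolute path to the current git repo / code.
+def path
+Pathname.new(File.expand_path("."))
+end
+
+def filename
+GEMFILE_LOCK_FILENAME
+end
+
+# Don't really need a commit SHA for Pronto's GitHubFormatter to work. Just
+# need to return nil here, and in
+# {Pronto::BundlerAudit::Results::ProntoMessagesAdapter::DeepLine#commit_sha}.
+def commit_sha
+nil
 end
 end
 end
 
 require "pronto/bundler_audit/version"
 require "pronto/bundler_audit/auditor"
+require "pronto/bundler_audit/results/pronto_messages_adapter"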
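--- a/data/lib/pronto/bundler_audit/auditor.rb
+++ b/data/lib/pronto/bundler_audit/auditor.rb
@@ -5,10 +5,14 @@ require "pronto/bundler_audit/scanner"
 module Pronto
 class BundlerAudit
 # Pronto::BundlerAudit::Auditor:
-# 1.
-# 2.
+# 1. Updates the local ruby security database, and then
+# 2. Runs {::Pronto::BundlerAudit::Scanner#call}.
 class Auditor
-
+def self.call(*args)
+new(*args).call
+end
+
+# @return (see: #run_scanner)
 def call
 update_ruby_advisory_db
 run_scanner
@@ -20,11 +24,11 @@ module Pronto
 Bundler::Audit::Database.update!(quiet: true)
 end
 
-# @return [Array
-# @return [Array<Pronto::
+# @return [Array<>] if no issues were found
+# @return [Array<Pronto::BundlerAudit::Results::BaseResult>] if unpatched
+# gem sources or if advisories were found
 def run_scanner
-
-scanner.call
+Scanner.call
 end
 end
 end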
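--- a/data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb
+++ b/data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb
@@ -4,15 +4,8 @@ module Pronto
 class BundlerAudit
 module GemfileLock
 # Pronto::BundlerAudit::GemfileLock::Scanner scans the given `path` for
-# the given `gem_name` and returns
-#
-# objects).
-#
-# We use stand-in objects because we don't have or need an actual
-# Pronto::Git::Line object. This is not a normal situation, but, for this
-# gem, we're not worried about specific details from git patches.
-# Instead, we just always scan the Gemfile.lock file for bundler_audit
-# issues/advisories.
+# the given `gem_name` and returns an Integer representing the line number
+# of the gem in the Gemfile.lock file.
 class Scanner
 def initialize(gem_name:, path: GEMFILE_LOCK_FILENAME)
 unless File.exist?(path)
@@ -23,50 +16,28 @@ module Pronto
 @path = path
 end
 
+def self.call(*args)
+new(*args).call
+end
+
 def call
-
+determine_relevant_line_number
 end
 
 private
 
-# @return [
-def
-
-
-build_pronto_git_line(found_line_number)
-end
+# @return [Integer] the line number; or 0 if not found
+def determine_relevant_line_number
+line_number = 0
 
-def determine_line_number
 File.foreach(@path).with_index do |line, index|
-
-end
-end
+next unless line.include?(@gem_name)
 
-
-
-::Pronto::Git::Line.new(
-Line.new(line_number),
-Patch.new)
-end
-
-# Pronto::BundlerAudit::GemfileLock::Scanner::Line is a stand-in for
-# the Pronto::Git::Line object.
-class Line
-def initialize(line_number)
-@line_number = line_number
-end
-
-def new_lineno
-@line_number
+line_number = index.next
+break
 end
-end
 
-
-# the Pronto::Git::Patch object.
-class Patch
-def blame(*)
-nil
-end
+line_number
 end
 end
 end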
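--- a/data/lib/pronto/bundler_audit/results/base_result.rb
+++ b/data/lib/pronto/bundler_audit/results/base_result.rb
@@ -5,6 +5,10 @@ module Pronto
 module Results
 # Pronto::BundlerAudit::Results::BaseResult is an abstract base class for
 # the various Bundler::Audit::Scanner::* issue types.
+#
+# Note: These result objects act as a stand-in for ::Pronto::Message
+# objects, which are later translated into actual ::Pronto::Message
+# objects via {Pronto::BundlerAudit::MessagesAdapter}.
 class BaseResult
 def initialize(scan_result)
 @scan_result = scan_result
@@ -12,26 +16,17 @@ module Pronto
 @advisory = scan_result.advisory
 end
 
-
-
-end
-
-private
-
-def report_result
+# @return [Symbol]
+def level
 raise NotImplementedError
 end
 
-
-
-
-line,
-level,
-message,
-nil,
-Pronto::BundlerAudit)
+# @return [Integer, NilClass]
+def line
+raise NotImplementedError
 end
 
+# @return [String]
 def message
 raise NotImplementedError
 end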
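--- a/data/lib/pronto/bundler_audit/results/insecure_source.rb
+++ b/data/lib/pronto/bundler_audit/results/insecure_source.rb
@@ -5,18 +5,21 @@ require_relative "base_result"
 module Pronto
 class BundlerAudit
 module Results
-# Pronto::BundlerAudit::Results::InsecureSource
-# for Bundler::Audit::Scanner::InsecureSource
+# Pronto::BundlerAudit::Results::InsecureSource is a stand-in for the
+# ::Pronto::Message object for ::Bundler::Audit::Scanner::InsecureSource
+# issues.
 class InsecureSource < BaseResult
-
+# @return [Symbol]
+def level
+:warning
+end
 
-
-
-
-line: nil,
-level: :warning)
+# @return [NilClass]
+def line
+nil
 end
 
+# @return [String]
 def message
 "Insecure Source URI found: #{@scan_result.source}"
 end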
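--- /dev/null
+++ b/data/lib/pronto/bundler_audit/results/pronto_messages_adapter.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Pronto
+class BundlerAudit
+module Results
+# Pronto::BundlerAudit::Results::ProntoMessagesAdapter is an adapter layer
+# for converting {Pronto::BundlerAudit::BaseResult} objects into
+# ::Pronto::Message objects for use by the Pronto gem when sending issue
+# details to GitHub, etc.
+class ProntoMessagesAdapter
+def initialize(results, runner:)
+@results = Array(results)
+@runner = runner
+end
+
+def self.call(*args)
+new(*args).call
+end
+
+def call
+@results.map { |result|
+::Pronto::Message.new(
+@runner.filename,
+DeepLine.new(line_number: result.line, path: @runner.path),
+result.level,
+result.message,
+@runner.commit_sha,
+Pronto::BundlerAudit) # This gem's {Pronto::BundlerAudit} class.
+}
+end
+
+# Pronto::BundlerAudit::Results::ProntoMessagesAdapter::DeepLine is a
+# stand-in for ::Pronto::Git::Line object.
+class DeepLine
+attr_reader :line_number,
+:path
+
+def initialize(line_number:, path:)
+@line_number = line_number
+@path = path
+end
+
+# Since we're not passing a commit SHA into ::Proton::Message.new,
+# Pronto will try calling #commit_sha on the (this) Line object.
+def commit_sha
+nil
+end
+
+alias_method :new_lineno, :line_number
+alias_method :repo, :itself
+alias_method :patch, :itself
+end
+end
+end
+end
+end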
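--- a/data/lib/pronto/bundler_audit/results/unpatched_gem.rb
+++ b/data/lib/pronto/bundler_audit/results/unpatched_gem.rb
@@ -8,27 +8,32 @@ require "pronto/bundler_audit/gemfile_lock/scanner"
 module Pronto
 class BundlerAudit
 module Results
-# Pronto::BundlerAudit::Results::UnpatchedGem
-# Bundler::Audit::Scanner::UnpatchedGem
+# Pronto::BundlerAudit::Results::UnpatchedGem is a stand-in for the
+# ::Pronto::Message object for ::Bundler::Audit::Scanner::UnpatchedGem
+# issues.
 class UnpatchedGem < BaseResult
-
-
-
-build_message(
-message,
-level: :error,
-line: find_relevant_line)
+# @return [Symbol]
+def level
+:error
 end
 
-
-
-
+# @return [Integer]
+def line
+find_relevant_line_number
 end
 
+# @return [String]
 def message
 advisory_formatter.to_s
 end
 
+private
+
+# @return [Integer]
+def find_relevant_line_number
+Pronto::BundlerAudit::GemfileLock::Scanner.call(gem_name: @gem.name)
+end
+
 def advisory_formatter
 # TODO: Switch type based on configuration options, once available.
 AdvisoryFormatters::Verbose.new(gem: @gem, advisory: @advisory)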
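--- a/data/lib/pronto/bundler_audit/scanner.rb
+++ b/data/lib/pronto/bundler_audit/scanner.rb
@@ -6,32 +6,54 @@ require_relative "results/unpatched_gem"
 module Pronto
 class BundlerAudit
 # Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan and
-# then
-# result.
+# then instantiates and calls an appropriate
+# {Pronto::BundlerAudit::BaseResult} object for the given scan result type.
 class Scanner
-
-
+def self.call(*args)
+new(*args).call
+end
+
+# @return [Array<>] if no issues were found
+# @return [Array<Pronto::BundlerAudit::Results::BaseResult>] if unpatched
+# gem sources or if advisories were found
 def call
 run_scan
 end
 
 private
 
+# @return [Array<>] if no issues were found
+# @return [Array<Pronto::BundlerAudit::Results::BaseResult>]
 def run_scan
 run_scanner.map do |scan_result|
-match_result(scan_result)
+match_result(scan_result)
 end
 end
 
+# Invoke the 3rd-party bundler-audit Gem.
+#
+# @return [Array] if insecure sources are found or if gems with an
+# advisory are found, the Array will contain
+# ::Bundler::Audit::Scanner::InsecureSource
+# or ::Bundler::Audit::Scanner::UnpatchedGem objects, respectively.
+# - Bundler::Audit::Scanner::InsecureSource = Struct.new(:source)
+# - Bundler::Audit::Scanner::UnpatchedGem = Struct.new(:gem, :advisory)
 def run_scanner
-Bundler::Audit::Scanner.new.scan
+::Bundler::Audit::Scanner.new.scan
 end
 
+# Convert the passed in `scan_result` class/value into a local Results::*
+# class/value.
+#
+# @param scan_result [::Bundler::Audit::Scanner::*] from the bundler-audit
+# Gem
+#
+# @return [Pronto::BundlerAudit::Results::BaseResult]
 def match_result(scan_result)
 case scan_result
-when Bundler::Audit::Scanner::InsecureSource
+when ::Bundler::Audit::Scanner::InsecureSource
 Results::InsecureSource.new(scan_result)
-when Bundler::Audit::Scanner::UnpatchedGem
+when ::Bundler::Audit::Scanner::UnpatchedGem
 Results::UnpatchedGem.new(scan_result)
 else
 raise ArgumentError, "Unexpected type: #{scan_result.class}"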
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: pronto-bundler_audit
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.5.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Paul Dobbins
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-08-01 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler-audit
|
@@ -203,8 +203,10 @@ files:
|
|
203
203
|
- Rakefile
|
204
204
|
- bin/console
|
205
205
|
- bin/setup
|
206
|
+
- images/ci-output.png
|
206
207
|
- images/github-check.png
|
207
|
-
- images/github-comment.png
|
208
|
+
- images/github-comment-compact.png
|
209
|
+
- images/github-comment-verbose.png
|
208
210
|
- lib/pronto/bundler_audit.rb
|
209
211
|
- lib/pronto/bundler_audit/advisory_formatters/base_advisory_formatter.rb
|
210
212
|
- lib/pronto/bundler_audit/advisory_formatters/compact.rb
|
@@ -213,6 +215,7 @@ files:
|
|
213
215
|
- lib/pronto/bundler_audit/gemfile_lock/scanner.rb
|
214
216
|
- lib/pronto/bundler_audit/results/base_result.rb
|
215
217
|
- lib/pronto/bundler_audit/results/insecure_source.rb
|
218
|
+
- lib/pronto/bundler_audit/results/pronto_messages_adapter.rb
|
216
219
|
- lib/pronto/bundler_audit/results/unpatched_gem.rb
|
217
220
|
- lib/pronto/bundler_audit/scanner.rb
|
218
221
|
- lib/pronto/bundler_audit/version.rb
|
@@ -236,7 +239,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
236
239
|
- !ruby/object:Gem::Version
|
237
240
|
version: '0'
|
238
241
|
requirements: []
|
239
|
-
rubygems_version: 3.0.
|
242
|
+
rubygems_version: 3.0.4
|
240
243
|
signing_key:
|
241
244
|
specification_version: 4
|
242
245
|
summary: Pronto runner for bundler-audit, patch-level verification for bundler.
|