pronto-bundler_audit 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a6825b92770d5ec83054e365afe320ac8e201654cb1e7e8ca47df3fea622f7fc
-  data.tar.gz: 1446e4bac285ab84f8c415c010fdc4b0308ad1e8440ae3970f74e3c28dcb2cdf
+  metadata.gz: dfd045795800e3a9d915819c4d0f3fb1bf8a33fe809621a181b90596b06c0337
+  data.tar.gz: 47fb28f8cae54edd5b17bb9f487a079d0a46664a081dd59e4b9d5e41be0c987c
 SHA512:
-  metadata.gz: 152d482b50806dcdc06f09e6129d0babda3598ab0b5de38b3ef4d9704dc4d67db4c9b242d4ad5218fa3c246bad881d0769c150ed593aaee4c9d8229a78581c53
-  data.tar.gz: 3876b7d38f7cc58086f1fa82c21ca9bd1572797dbf64165fd234fa53d1a1fc952f89b614317803683effbfa23b1c33021c0a5c69b029ec83a62f507d5669984d
+  metadata.gz: c07df77c524372667979fa43d5500d76ef92586833f37e23e13e1240001ca042634afa626d0c512528fc35224f5c0d1d7039e21834533619767d7799c1eab43e
+  data.tar.gz: cf3e5d64dc3583a35ff2a5b8a32c982a9ce9336fca06a169039e3207a33af4633f65bfebfc19dbccabff9ce705ae2166e330565b82a1ab44c619eebe31ce3dd2

data/.rubocop.yml

@@ -129,6 +129,9 @@ Style/FormatString:
 Style/Lambda:
   EnforcedStyle: literal
 
+Style/LambdaCall:
+  Enabled: false # Allow ServiceObject.(*). Only use on classes, not instances.
+
 Style/NumericPredicate:
   Enabled: false # Trying to be welcoming to earlier versions of Ruby.
   # AutoCorrect: true

data/.travis.yml

@@ -4,14 +4,13 @@ env:
 sudo: false
 language: ruby
 rvm:
-  - 2.3
   - 2.4
   - 2.5
   - 2.6
   - ruby-head
 notifications:
   email: false
-before_install: gem install bundler -v 2.0.1
+before_install: gem install bundler -v 2.0.2 --no-document
 cache: bundler
 before_script:
   - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+### 0.5.0 - 2019-07-31
+- Fix Pronto -> GitHub reporting errors
+  - Thanks to Inestor for the [bug report](https://github.com/pdobb/pronto-bundler_audit/issues/2).
+  - Credit for the approach taken here goes to to os6sense and [his hard work](https://github.com/pdobb/pronto-bundler_audit/pull/4/files)
+
 ### 0.4.0 - 2019-05-08
 - Remove patch-level processing... just always scan Gemfile.lock when this runner is invoked.
 
@@ -16,6 +21,5 @@
 - Add line number to Pronto::Message; fixes GitHub API usage error when attempting to add errors to PR comments
 - Add gem version requirements to gemspec
 
-
 ### 0.1.0 - 2019-04-28
 - Initial release!

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    pronto-bundler_audit (0.4.0)
+    pronto-bundler_audit (0.5.0)
       bundler-audit (~> 0)
       pronto (~> 0)
 
@@ -18,16 +18,16 @@ GEM
       thor (~> 0.18)
     byebug (11.0.1)
     coderay (1.1.2)
-    docile (1.3.1)
+    docile (1.3.2)
     faraday (0.15.4)
       multipart-post (>= 1.2, < 3)
-    gitlab (4.11.0)
+    gitlab (4.12.0)
       httparty (~> 0.14, >= 0.14.0)
       terminal-table (~> 1.5, >= 1.5.1)
     httparty (0.17.0)
       mime-types (~> 3.0)
       multi_xml (>= 0.5.2)
-    jaro_winkler (1.5.2)
+    jaro_winkler (1.5.3)
     json (2.2.0)
     method_source (0.9.2)
     mime-types (3.2.2)
@@ -41,7 +41,7 @@ GEM
       ruby-progressbar
     much-stub (0.1.1)
     multi_xml (0.6.0)
-    multipart-post (2.0.0)
+    multipart-post (2.1.1)
     octokit (4.14.0)
       sawyer (~> 0.8.0, >= 0.5.3)
     parallel (1.17.0)
@@ -60,22 +60,22 @@ GEM
     pry-byebug (3.7.0)
       byebug (~> 11.0)
       pry (~> 0.10)
-    public_suffix (3.0.3)
+    public_suffix (3.1.1)
     rainbow (3.0.0)
-    rake (12.3.2)
-    rubocop (0.68.1)
+    rake (12.3.3)
+    rubocop (0.73.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
-      parser (>= 2.5, != 2.5.1.1)
+      parser (>= 2.6)
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.6)
-    ruby-progressbar (1.10.0)
-    rugged (0.28.1)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    ruby-progressbar (1.10.1)
+    rugged (0.28.2)
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
-    simplecov (0.16.1)
+    simplecov (0.17.0)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
@@ -83,7 +83,7 @@ GEM
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
-    unicode-display_width (1.5.0)
+    unicode-display_width (1.6.0)
 
 PLATFORMS
   ruby
@@ -102,4 +102,4 @@ DEPENDENCIES
   simplecov (~> 0.16)
 
 BUNDLED WITH
-   2.0.1
+   2.0.2

data/README.md

@@ -26,7 +26,6 @@ Or install it yourself as:
 ## Compatibility
 
 Tested MRI Ruby Versions:
-* 2.3
 * 2.4
 * 2.5
 * 2.6
@@ -42,21 +41,49 @@ Note: Unlike most Pronto runners, pronto-bundler_audit will always scan Gemfile.
 
 #### Local Pronto Run
 
+##### Compact Mode
+
 ```bash
-$ time pronto run -c=development --runner bundler_audit
+$ pronto run -c=master --runner bundler_audit
 Running Pronto::BundlerAudit
 Gemfile.lock: E: Gem: bootstrap-sass v3.4.0 | Medium Advisory: XSS vulnerability in bootstrap-sass -- CVE-2019-8331 (https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/) | Solution: Upgrade to >= 3.4.1.
+```
+
+##### Verbose Mode
 
-real  0m1.417s
-user  0m0.773s
-sys 0m0.252s
+```bash
+$ pronto run -c=master --runner bundler_audit
+Running Pronto::BundlerAudit
+Gemfile.lock: E: Name: bootstrap-sass
+Version: 3.4.0
+Advisory: CVE-2019-8331
+Criticality: Medium
+URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
+Title: XSS vulnerability in bootstrap-sass
+Solution: Upgrade to >= 3.4.1.
 ```
 
+#### Continuous Integration Output
+
+![CI Output](images/ci-output.png)
+
+
 #### Github Pull Request - Checks
+
 ![Github Check](images/github-check.png)
 
 #### Github Pull Request - Comments
-![Github Comment](images/github-comment.png)
+
+##### Verbose Mode
+
+![Github Comment - Verbose](images/github-comment-verbose.png)
+
+##### Compact Mode
+
+Note: Not yet available by configuration.
+
+![Github Comment - Compact](images/github-comment-compact.png)
+
 
 ## Development
 
@@ -64,6 +91,11 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+### Testing
+
+GitHub integration testing isn't easy. I have created a test app for myself at: https://github.com/pdobb/pronto-bundler_audit_test_app.
+
+
 ## TODO
 
 * Add configuration for compact vs expanded advisories reporting

data/lib/pronto/bundler_audit.rb

@@ -5,21 +5,39 @@ require "bundler/audit/database"
 require "bundler/audit/scanner"
 
 module Pronto
-  # Pronto::BundlerAudit is a Pronto::Runner that:
+  # Pronto::BundlerAudit is a ::Pronto::Runner that:
   # 1. Updates the Ruby Advisory Database,
   # 2. Runs bundle-audit to scan the Gemfile.lock, and then
-  # 4. Returns an Array of Pronto::Message objects if any issues or advisories
-  # are found.
-  class BundlerAudit < Runner
+  # 3. Returns an Array of ::Pronto::Message objects if any issues or advisories
+  #    are found.
+  class BundlerAudit < ::Pronto::Runner
     GEMFILE_LOCK_FILENAME = "Gemfile.lock"
 
-    # @return [Array<Pronto::Message>] per Pronto expectation
+    # @return [Array<Pronto::Message>] one for each issue found
     def run
-      auditor = Auditor.new
-      auditor.call
+      results = Auditor.call
+
+      Results::ProntoMessagesAdapter.call(results, runner: self)
+    end
+
+    # @return [Pathname] the absolute path to the current git repo / code.
+    def path
+      Pathname.new(File.expand_path("."))
+    end
+
+    def filename
+      GEMFILE_LOCK_FILENAME
+    end
+
+    # Don't really need a commit SHA for Pronto's GitHubFormatter to work. Just
+    # need to return nil here, and in
+    # {Pronto::BundlerAudit::Results::ProntoMessagesAdapter::DeepLine#commit_sha}.
+    def commit_sha
+      nil
     end
   end
 end
 
 require "pronto/bundler_audit/version"
 require "pronto/bundler_audit/auditor"
+require "pronto/bundler_audit/results/pronto_messages_adapter"

data/lib/pronto/bundler_audit/auditor.rb

@@ -5,10 +5,14 @@ require "pronto/bundler_audit/scanner"
 module Pronto
   class BundlerAudit
     # Pronto::BundlerAudit::Auditor:
-    # 1. updates the local ruby security database, and then
-    # 2. runs {Pronto::BundlerAudit::Scanner#call}.
+    # 1. Updates the local ruby security database, and then
+    # 2. Runs {::Pronto::BundlerAudit::Scanner#call}.
     class Auditor
-      # @return (see: #run_scan)
+      def self.call(*args)
+        new(*args).call
+      end
+
+      # @return (see: #run_scanner)
       def call
         update_ruby_advisory_db
         run_scanner
@@ -20,11 +24,11 @@ module Pronto
         Bundler::Audit::Database.update!(quiet: true)
       end
 
-      # @return [Array>] if no advisories were found
-      # @return [Array<Pronto::Message>] if advisories were found
+      # @return [Array<>] if no issues were found
+      # @return [Array<Pronto::BundlerAudit::Results::BaseResult>] if unpatched
+      #   gem sources or if advisories were found
       def run_scanner
-        scanner = Scanner.new
-        scanner.call
+        Scanner.call
       end
     end
   end

data/lib/pronto/bundler_audit/gemfile_lock/scanner.rb

@@ -4,15 +4,8 @@ module Pronto
   class BundlerAudit
     module GemfileLock
       # Pronto::BundlerAudit::GemfileLock::Scanner scans the given `path` for
-      # the given `gem_name` and returns a `Pronto::Git::Line` with relevant
-      # info (supplied by Pronto::Git::Line and Pronto::Git::Patch stand-in
-      # objects).
-      #
-      # We use stand-in objects because we don't have or need an actual
-      # Pronto::Git::Line object. This is not a normal situation, but, for this
-      # gem, we're not worried about specific details from git patches.
-      # Instead, we just always scan the Gemfile.lock file for bundler_audit
-      # issues/advisories.
+      # the given `gem_name` and returns an Integer representing the line number
+      # of the gem in the Gemfile.lock file.
       class Scanner
         def initialize(gem_name:, path: GEMFILE_LOCK_FILENAME)
           unless File.exist?(path)
@@ -23,50 +16,28 @@ module Pronto
           @path = path
         end
 
+        def self.call(*args)
+          new(*args).call
+        end
+
         def call
-          find_relevant_line
+          determine_relevant_line_number
         end
 
         private
 
-        # @return [Pronto::Git::Line]
-        def find_relevant_line
-          return unless (found_line_number = determine_line_number)
-
-          build_pronto_git_line(found_line_number)
-        end
+        # @return [Integer] the line number; or 0 if not found
+        def determine_relevant_line_number
+          line_number = 0
 
-        def determine_line_number
           File.foreach(@path).with_index do |line, index|
-            break index.next if line.include?(@gem_name)
-          end
-        end
+            next unless line.include?(@gem_name)
 
-        # @return [Pronto::Git::Line]
-        def build_pronto_git_line(line_number)
-          ::Pronto::Git::Line.new(
-            Line.new(line_number),
-            Patch.new)
-        end
-
-        # Pronto::BundlerAudit::GemfileLock::Scanner::Line is a stand-in for
-        # the Pronto::Git::Line object.
-        class Line
-          def initialize(line_number)
-            @line_number = line_number
-          end
-
-          def new_lineno
-            @line_number
+            line_number = index.next
+            break
           end
-        end
 
-        # Pronto::BundlerAudit::GemfileLock::Scanner::Patch is a stand-in for
-        # the Pronto::Git::Patch object.
-        class Patch
-          def blame(*)
-            nil
-          end
+          line_number
         end
       end
     end

data/lib/pronto/bundler_audit/results/base_result.rb

@@ -5,6 +5,10 @@ module Pronto
     module Results
       # Pronto::BundlerAudit::Results::BaseResult is an abstract base class for
       # the various Bundler::Audit::Scanner::* issue types.
+      #
+      # Note: These result objects act as a stand-in for ::Pronto::Message
+      # objects, which are later translated into actual ::Pronto::Message
+      # objects via {Pronto::BundlerAudit::MessagesAdapter}.
       class BaseResult
         def initialize(scan_result)
           @scan_result = scan_result
@@ -12,26 +16,17 @@ module Pronto
           @advisory = scan_result.advisory
         end
 
-        def call
-          report_result
-        end
-
-        private
-
-        def report_result
+        # @return [Symbol]
+        def level
           raise NotImplementedError
         end
 
-        def build_message(message, level:, line:)
-          Message.new(
-            GEMFILE_LOCK_FILENAME,
-            line,
-            level,
-            message,
-            nil,
-            Pronto::BundlerAudit)
+        # @return [Integer, NilClass]
+        def line
+          raise NotImplementedError
         end
 
+        # @return [String]
         def message
           raise NotImplementedError
         end

data/lib/pronto/bundler_audit/results/insecure_source.rb

@@ -5,18 +5,21 @@ require_relative "base_result"
 module Pronto
   class BundlerAudit
     module Results
-      # Pronto::BundlerAudit::Results::InsecureSource builds a Pronto::Message
-      # for Bundler::Audit::Scanner::InsecureSource issues.
+      # Pronto::BundlerAudit::Results::InsecureSource is a stand-in for the
+      # ::Pronto::Message object for ::Bundler::Audit::Scanner::InsecureSource
+      # issues.
       class InsecureSource < BaseResult
-        private
+        # @return [Symbol]
+        def level
+          :warning
+        end
 
-        def report_result
-          build_message(
-            message,
-            line: nil,
-            level: :warning)
+        # @return [NilClass]
+        def line
+          nil
         end
 
+        # @return [String]
         def message
           "Insecure Source URI found: #{@scan_result.source}"
         end

data/lib/pronto/bundler_audit/results/pronto_messages_adapter.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Pronto
+  class BundlerAudit
+    module Results
+      # Pronto::BundlerAudit::Results::ProntoMessagesAdapter is an adapter layer
+      # for converting {Pronto::BundlerAudit::BaseResult} objects into
+      # ::Pronto::Message objects for use by the Pronto gem when sending issue
+      # details to GitHub, etc.
+      class ProntoMessagesAdapter
+        def initialize(results, runner:)
+          @results = Array(results)
+          @runner = runner
+        end
+
+        def self.call(*args)
+          new(*args).call
+        end
+
+        def call
+          @results.map { |result|
+            ::Pronto::Message.new(
+              @runner.filename,
+              DeepLine.new(line_number: result.line, path: @runner.path),
+              result.level,
+              result.message,
+              @runner.commit_sha,
+              Pronto::BundlerAudit) # This gem's {Pronto::BundlerAudit} class.
+          }
+        end
+
+        # Pronto::BundlerAudit::Results::ProntoMessagesAdapter::DeepLine is a
+        # stand-in for ::Pronto::Git::Line object.
+        class DeepLine
+          attr_reader :line_number,
+                      :path
+
+          def initialize(line_number:, path:)
+            @line_number = line_number
+            @path = path
+          end
+
+          # Since we're not passing a commit SHA into ::Proton::Message.new,
+          # Pronto will try calling #commit_sha on the (this) Line object.
+          def commit_sha
+            nil
+          end
+
+          alias_method :new_lineno, :line_number
+          alias_method :repo, :itself
+          alias_method :patch, :itself
+        end
+      end
+    end
+  end
+end

data/lib/pronto/bundler_audit/results/unpatched_gem.rb

@@ -8,27 +8,32 @@ require "pronto/bundler_audit/gemfile_lock/scanner"
 module Pronto
   class BundlerAudit
     module Results
-      # Pronto::BundlerAudit::Results::UnpatchedGem builds a Pronto::Message for
-      # Bundler::Audit::Scanner::UnpatchedGem issues.
+      # Pronto::BundlerAudit::Results::UnpatchedGem is a stand-in for the
+      # ::Pronto::Message object for ::Bundler::Audit::Scanner::UnpatchedGem
+      # issues.
       class UnpatchedGem < BaseResult
-        private
-
-        def report_result
-          build_message(
-            message,
-            level: :error,
-            line: find_relevant_line)
+        # @return [Symbol]
+        def level
+          :error
         end
 
-        def find_relevant_line
-          scanner = GemfileLock::Scanner.new(gem_name: @gem.name)
-          scanner.call
+        # @return [Integer]
+        def line
+          find_relevant_line_number
         end
 
+        # @return [String]
         def message
           advisory_formatter.to_s
         end
 
+        private
+
+        # @return [Integer]
+        def find_relevant_line_number
+          Pronto::BundlerAudit::GemfileLock::Scanner.call(gem_name: @gem.name)
+        end
+
         def advisory_formatter
           # TODO: Switch type based on configuration options, once available.
           AdvisoryFormatters::Verbose.new(gem: @gem, advisory: @advisory)

data/lib/pronto/bundler_audit/scanner.rb

@@ -6,32 +6,54 @@ require_relative "results/unpatched_gem"
 module Pronto
   class BundlerAudit
     # Pronto::BundlerAudit::Scanner runs runs Bundler::Audit::Scanner#scan and
-    # then calls a {Pronto::BundlerAudit::BaseResult} based for each scan
-    # result.
+    # then instantiates and calls an appropriate
+    # {Pronto::BundlerAudit::BaseResult} object for the given scan result type.
     class Scanner
-      # @return [Array>] if no advisories were found
-      # @return [Array<Pronto::Message>] if advisories were found)
+      def self.call(*args)
+        new(*args).call
+      end
+
+      # @return [Array<>] if no issues were found
+      # @return [Array<Pronto::BundlerAudit::Results::BaseResult>] if unpatched
+      #   gem sources or if advisories were found
       def call
         run_scan
       end
 
       private
 
+      # @return [Array<>] if no issues were found
+      # @return [Array<Pronto::BundlerAudit::Results::BaseResult>]
       def run_scan
         run_scanner.map do |scan_result|
-          match_result(scan_result).call
+          match_result(scan_result)
         end
       end
 
+      # Invoke the 3rd-party bundler-audit Gem.
+      #
+      # @return [Array] if insecure sources are found or if gems with an
+      #   advisory are found, the Array will contain
+      #   ::Bundler::Audit::Scanner::InsecureSource
+      #   or ::Bundler::Audit::Scanner::UnpatchedGem objects, respectively.
+      #     - Bundler::Audit::Scanner::InsecureSource = Struct.new(:source)
+      #     - Bundler::Audit::Scanner::UnpatchedGem = Struct.new(:gem, :advisory)
       def run_scanner
-        Bundler::Audit::Scanner.new.scan
+        ::Bundler::Audit::Scanner.new.scan
       end
 
+      # Convert the passed in `scan_result` class/value into a local Results::*
+      # class/value.
+      #
+      # @param scan_result [::Bundler::Audit::Scanner::*] from the bundler-audit
+      #   Gem
+      #
+      # @return [Pronto::BundlerAudit::Results::BaseResult]
       def match_result(scan_result)
         case scan_result
-        when Bundler::Audit::Scanner::InsecureSource
+        when ::Bundler::Audit::Scanner::InsecureSource
           Results::InsecureSource.new(scan_result)
-        when Bundler::Audit::Scanner::UnpatchedGem
+        when ::Bundler::Audit::Scanner::UnpatchedGem
           Results::UnpatchedGem.new(scan_result)
         else
           raise ArgumentError, "Unexpected type: #{scan_result.class}"

data/lib/pronto/bundler_audit/version.rb

@@ -3,6 +3,6 @@
 module Pronto
   # Pronto::BundlerAuditVersion
   module BundlerAuditVersion
-    VERSION = "0.4.0"
+    VERSION = "0.5.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pronto-bundler_audit
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Paul Dobbins
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-05-09 00:00:00.000000000 Z
+date: 2019-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -203,8 +203,10 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- images/ci-output.png
 - images/github-check.png
-- images/github-comment.png
+- images/github-comment-compact.png
+- images/github-comment-verbose.png
 - lib/pronto/bundler_audit.rb
 - lib/pronto/bundler_audit/advisory_formatters/base_advisory_formatter.rb
 - lib/pronto/bundler_audit/advisory_formatters/compact.rb
@@ -213,6 +215,7 @@ files:
 - lib/pronto/bundler_audit/gemfile_lock/scanner.rb
 - lib/pronto/bundler_audit/results/base_result.rb
 - lib/pronto/bundler_audit/results/insecure_source.rb
+- lib/pronto/bundler_audit/results/pronto_messages_adapter.rb
 - lib/pronto/bundler_audit/results/unpatched_gem.rb
 - lib/pronto/bundler_audit/scanner.rb
 - lib/pronto/bundler_audit/version.rb
@@ -236,7 +239,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.4
 signing_key: 
 specification_version: 4
 summary: Pronto runner for bundler-audit, patch-level verification for bundler.