pronto-bundler_audit 0.5.1 → 0.6.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/Gemfile.lock +2 -2
- data/README.md +25 -8
- data/lib/formatter/github_pull_request_review_formatter.rb +3 -1
- data/lib/pronto/bundler_audit.rb +5 -0
- data/lib/pronto/bundler_audit/configuration.rb +34 -0
- data/lib/pronto/bundler_audit/scanner.rb +8 -2
- data/lib/pronto/bundler_audit/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: be60a36fb202bbe2b740917510a6b190658d68791240662551954367515ebd12
|
|
4
|
+
data.tar.gz: d568065fff3c7b49dbc4f46a19615093bdcc4c13b0f6a067f519afb000d8a896
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: aa11ae92eb8809537687a93540da7b25fb2fe9cd4940ec625483e2eb10e639b3b0aea994e62f17e0b3128d3b38b54fec1e67ed53f4a33e50e7a6cf5f02c1ab1b
|
|
7
|
+
data.tar.gz: d33d55ffb3414f7cd0b7bf64b48ea3b439f93b0c5e9954063565bd63a9c863e7bcc509599c84999d11b57a40a7fa5dbbf22880b5109ee8b59584648a40d8e582
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
### 0.6.0 - 2019-11-30
|
|
2
|
+
- [#7](https://github.com/pdobb/pronto-bundler_audit/pull/7) Add configurability via .pronto-bundler_audit.yml file
|
|
3
|
+
- For now, the only configuration available is ignoring advisories in the bundler_audit scan. See the [README](https://github.com/pdobb/pronto-bundler_audit#configuration).
|
|
4
|
+
|
|
1
5
|
### 0.5.1 - 2019-10-24
|
|
2
6
|
- Fix Pronto -> GitHub reporting errors
|
|
3
7
|
- If Gemfile.lock is not in the PR then Pronto would fail when attempting to create a comment on the Gemfile.lock file withing the PR.
|
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
pronto-bundler_audit (0.
|
|
4
|
+
pronto-bundler_audit (0.6.0)
|
|
5
5
|
bundler-audit (~> 0)
|
|
6
6
|
pronto (~> 0)
|
|
7
7
|
|
|
@@ -19,7 +19,7 @@ GEM
|
|
|
19
19
|
byebug (11.0.1)
|
|
20
20
|
coderay (1.1.2)
|
|
21
21
|
docile (1.3.2)
|
|
22
|
-
faraday (0.17.
|
|
22
|
+
faraday (0.17.1)
|
|
23
23
|
multipart-post (>= 1.2, < 3)
|
|
24
24
|
gitlab (4.12.0)
|
|
25
25
|
httparty (~> 0.14, >= 0.14.0)
|
data/README.md
CHANGED
|
@@ -33,15 +33,32 @@ Tested MRI Ruby Versions:
|
|
|
33
33
|
|
|
34
34
|
## Usage
|
|
35
35
|
|
|
36
|
-
Once installed as a gem, this runner
|
|
36
|
+
Once installed as a gem, this runner activates automatically when [running Pronto](https://github.com/prontolabs/pronto#usage) -- no configuration is required.
|
|
37
37
|
|
|
38
|
-
Note: Unlike most Pronto runners, pronto-bundler_audit will always scan Gemfile.lock whenever Pronto is run. That is, this runner does not only run against patches/diffs made on Gemfile.lock. The point is to find issues/advisories on every Pronto run, not just when Gemfile.lock has been updated. Because
|
|
38
|
+
Note: Unlike most Pronto runners, pronto-bundler_audit will always scan Gemfile.lock whenever Pronto is run. That is, this runner does not only run against patches/diffs made on Gemfile.lock. The point is to find issues/advisories on every Pronto run, not just when Gemfile.lock has been updated. Because, otherwise, this gem wouldn't really help us find vulnerabilities in a project's gems in a timely fashion.
|
|
39
39
|
|
|
40
|
-
|
|
40
|
+
## Configuration
|
|
41
41
|
|
|
42
|
-
|
|
42
|
+
Configuration of the pronto-bundler_audit gem is available by creating a YAML file on the project root, called `.pronto-bundler_audit.yml`.
|
|
43
43
|
|
|
44
|
-
|
|
44
|
+
Available configuration options include:
|
|
45
|
+
|
|
46
|
+
```yaml
|
|
47
|
+
Advisories:
|
|
48
|
+
# Send the following advisory names to bundler_audit's `ignored` option.
|
|
49
|
+
Ignore:
|
|
50
|
+
- CVE-YYYY-####1
|
|
51
|
+
- CVE-YYYY-####2
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
The above acts the same as running `bundle-audit check --ignore CVE-YYYY-####1 CVE-YYYY-####2`.
|
|
55
|
+
|
|
56
|
+
|
|
57
|
+
## Examples
|
|
58
|
+
|
|
59
|
+
### Local Pronto Run
|
|
60
|
+
|
|
61
|
+
#### Compact Mode
|
|
45
62
|
|
|
46
63
|
```bash
|
|
47
64
|
$ pronto run -c=master --runner bundler_audit
|
|
@@ -49,7 +66,7 @@ Running Pronto::BundlerAudit
|
|
|
49
66
|
Gemfile.lock: E: Gem: bootstrap-sass v3.4.0 | Medium Advisory: XSS vulnerability in bootstrap-sass -- CVE-2019-8331 (https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/) | Solution: Upgrade to >= 3.4.1.
|
|
50
67
|
```
|
|
51
68
|
|
|
52
|
-
|
|
69
|
+
#### Verbose Mode
|
|
53
70
|
|
|
54
71
|
```bash
|
|
55
72
|
$ pronto run -c=master --runner bundler_audit
|
|
@@ -74,11 +91,11 @@ Solution: Upgrade to >= 3.4.1.
|
|
|
74
91
|
|
|
75
92
|
#### Github Pull Request - Comments
|
|
76
93
|
|
|
77
|
-
|
|
94
|
+
#### Verbose Mode
|
|
78
95
|
|
|
79
96
|
|
|
80
97
|
|
|
81
|
-
|
|
98
|
+
#### Compact Mode
|
|
82
99
|
|
|
83
100
|
Note: Not yet available by configuration.
|
|
84
101
|
|
|
@@ -3,7 +3,9 @@ module Pronto
|
|
|
3
3
|
# Pronto::Formatter::GithubPullRequestReviewFormatter comes from the
|
|
4
4
|
# Pronto gem itself.
|
|
5
5
|
#
|
|
6
|
-
#
|
|
6
|
+
# # Note: Ignore `method redefined` warnings on these methods.
|
|
7
|
+
#
|
|
8
|
+
# The methods below are feature overrides to:
|
|
7
9
|
# 1. prevent the {#line_number} class from failing if none of the patches
|
|
8
10
|
# contain the `message.line.new_lineno` value found. Which can happen
|
|
9
11
|
# in the context of this pronto-bundler audit gem since we aren't
|
data/lib/pronto/bundler_audit.rb
CHANGED
|
@@ -17,6 +17,10 @@ module Pronto
|
|
|
17
17
|
class BundlerAudit < ::Pronto::Runner
|
|
18
18
|
GEMFILE_LOCK_FILENAME = "Gemfile.lock"
|
|
19
19
|
|
|
20
|
+
def self.configuration
|
|
21
|
+
@configuration ||= Pronto::BundlerAudit::Configuration.new
|
|
22
|
+
end
|
|
23
|
+
|
|
20
24
|
# @return [Array<Pronto::Message>] one for each issue found
|
|
21
25
|
def run
|
|
22
26
|
results = Auditor.call
|
|
@@ -42,6 +46,7 @@ module Pronto
|
|
|
42
46
|
end
|
|
43
47
|
end
|
|
44
48
|
|
|
49
|
+
require "pronto/bundler_audit/configuration"
|
|
45
50
|
require "pronto/bundler_audit/version"
|
|
46
51
|
require "pronto/bundler_audit/auditor"
|
|
47
52
|
require "pronto/bundler_audit/results/pronto_messages_adapter"
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Pronto
|
|
4
|
+
class BundlerAudit
|
|
5
|
+
# Pronto::BundlerAudit::Configuration loads configuration for the
|
|
6
|
+
# pronto-bundler_audit gem from the `.pronto-bundler_audit.yml` file and
|
|
7
|
+
# provides service methods for reading configuration settings.
|
|
8
|
+
class Configuration
|
|
9
|
+
def initialize(path: ".pronto-bundler_audit.yml")
|
|
10
|
+
@config_file_path = path
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
# @return [Array<Sring>] the Advisory Names for bundler_audit to ignore
|
|
14
|
+
def ignored_advisories
|
|
15
|
+
configuration.dig("Advisories", "Ignore")
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
private
|
|
19
|
+
|
|
20
|
+
def configuration
|
|
21
|
+
@configuration ||=
|
|
22
|
+
if File.exist?(@config_file_path)
|
|
23
|
+
YAML.load(configuration_file.read)
|
|
24
|
+
else
|
|
25
|
+
{}
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def configuration_file
|
|
30
|
+
File.open(@config_file_path)
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
require_relative "results/insecure_source"
|
|
4
4
|
require_relative "results/unpatched_gem"
|
|
5
|
+
require "yaml"
|
|
5
6
|
|
|
6
7
|
module Pronto
|
|
7
8
|
class BundlerAudit
|
|
@@ -32,14 +33,19 @@ module Pronto
|
|
|
32
33
|
|
|
33
34
|
# Invoke the 3rd-party bundler-audit Gem.
|
|
34
35
|
#
|
|
36
|
+
# @param ignore_advisories [Array<String>] the advisories to be ignored
|
|
37
|
+
# by the bundler_audit scan
|
|
38
|
+
#
|
|
35
39
|
# @return [Array] if insecure sources are found or if gems with an
|
|
36
40
|
# advisory are found, the Array will contain
|
|
37
41
|
# ::Bundler::Audit::Scanner::InsecureSource
|
|
38
42
|
# or ::Bundler::Audit::Scanner::UnpatchedGem objects, respectively.
|
|
39
43
|
# - Bundler::Audit::Scanner::InsecureSource = Struct.new(:source)
|
|
40
44
|
# - Bundler::Audit::Scanner::UnpatchedGem = Struct.new(:gem, :advisory)
|
|
41
|
-
def run_scanner
|
|
42
|
-
|
|
45
|
+
def run_scanner(
|
|
46
|
+
ignored_advisories:
|
|
47
|
+
Pronto::BundlerAudit.configuration.ignored_advisories)
|
|
48
|
+
::Bundler::Audit::Scanner.new.scan(ignore: ignored_advisories)
|
|
43
49
|
end
|
|
44
50
|
|
|
45
51
|
# Convert the passed in `scan_result` class/value into a local Results::*
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: pronto-bundler_audit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paul Dobbins
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-11-30 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler-audit
|
|
@@ -213,6 +213,7 @@ files:
|
|
|
213
213
|
- lib/pronto/bundler_audit/advisory_formatters/compact.rb
|
|
214
214
|
- lib/pronto/bundler_audit/advisory_formatters/verbose.rb
|
|
215
215
|
- lib/pronto/bundler_audit/auditor.rb
|
|
216
|
+
- lib/pronto/bundler_audit/configuration.rb
|
|
216
217
|
- lib/pronto/bundler_audit/gemfile_lock/scanner.rb
|
|
217
218
|
- lib/pronto/bundler_audit/results/base_result.rb
|
|
218
219
|
- lib/pronto/bundler_audit/results/insecure_source.rb
|