rails_cve 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7710d41cfcbd020a20e7e80c182d9ca3dfc1833d
-  data.tar.gz: c2fd962891aa4517b740ffb40976385d28e5c485
+  metadata.gz: ee33e9208ca227aaa6caceead83033303a54fc79
+  data.tar.gz: c3631d55f3581dc8998df794fe81541b08796c26
 SHA512:
-  metadata.gz: c9a4fe45b865081da707e6c6fc582ab87fec7540e53e76b8947c18af9bd45780881a4322b9e3a23a8bb4d0fcc360c7aa2fd372f9b89e319cbbe9dd0ad89592a5
-  data.tar.gz: 557546b6e29aeaf568f33d434df27708b2fd4cf9b621bc61592af3dbbd6317b48dbd90c96cfdb9df90d2496761a22ceddcbffecb958b0c2b7c94b1699ff3a378
+  metadata.gz: 73903c5d2356ad202bdd45dbdb5c76ab879ee380e8255bd2dca97f97dab7e45c97b099a06a22143b52582fd44459e750745bb030d09717b653428ff2015cc2d4
+  data.tar.gz: 1dd6b542fb355d3a06d3b97051efc1ee9168c02dd7f4bf259719bcb9ea821912d71eb0f109e0fbabf86dcba1d5a9e17eaace7848fce185cdade3865dfdef0354

data/README.md

@@ -9,51 +9,82 @@ tasks, notably searching the CVE descriptions:
 ```ruby
 # in `rails console`
 
-list = RailsCVE::Entry.search 'ruby'
-# SELECT "rails_cve_entries".* FROM "rails_cve_entries"
-#  WHERE (to_tsvector('english', description) @@ to_tsquery('ruby'))
-#  ORDER BY ts_rank(to_tsvector(description), plainto_tsquery('ruby')) DESC
+list = RailsCVE::Entry.search_plain 'ruby gem'
+#=> SELECT "rails_cve_entries".*
+#  FROM "rails_cve_entries"
+#  WHERE (to_tsvector('english', description) @@ plainto_tsquery('ruby gem'))
+#  ORDER BY "rails_cve_entries"."id" ASC
 
 list.count
-#=> 165
+#=> 41
 
-list.last
-# #<RailsCVE::Entry
-#   id: 29523,
-#   name: "CVE-2007-6183",
-#   descri ption: "Format string vulnerability in the mdiag_initialize...",
+list.first
+#=> #<RailsCVE::Entry
+#   id: 48583,
+#   name: "CVE-2011-0739",
+#   description: "The deliver function in the sendmail delivery agent...",
 #   references: [
-#     "BUGTRAQ:20071127 Ruby/Gnome2 0.16.0 Format String Vulnerability",
-#     "URL:http://www.securityfocus.com/archive/1/archive/1/484240/100/0/threaded",
-#     "MISC:http://em386.blogspot.com/2007/11/your-favorite-better-than-c-scripting.html",
-#     "MISC:https://bugzilla.redhat.com/show_bug.cgi?id=402871",
-#     …,
-#     "XF:rubygnome2-mdiaginitialize-format-string(38757)",
-#     "URL:http://xforce.iss.net/xforce/xfdb/38757"
+#     "MISC:https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch",
+#     "CONFIRM:http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1",
+#     "BID:46021",
+#     "URL:http://www.securityfocus.com/bid/46021",
+#     "OSVDB:70667",
+#     "URL:http://osvdb.org/70667",
+#     "SECUNIA:43077",
+#     "URL:http://secunia.com/advisories/43077",
+#     "VUPEN:ADV-2011-0233",
+#     "URL:http://www.vupen.com/english/advisories/2011/0233",
+#     "XF:ruby-mail-deliver-command-execution(65010)",
+#     "URL:http://xforce.iss.net/xforce/xfdb/65010"
 # ]>
+
+list.first.reference_uris
+#=> [
+#   "https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch",
+#   "http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1",
+#   "http://www.securityfocus.com/bid/46021",
+#   "http://osvdb.org/70667",
+#   "http://secunia.com/advisories/43077",
+#   "http://www.vupen.com/english/advisories/2011/0233",
+#   "http://xforce.iss.net/xforce/xfdb/65010"
+# ]
 ```
 
 ## Full text search capabilities
 
-As you can see in the example above, we take advantage of PostgreSQL's text
-search features. Hence, you will need to migrate to PostgreSQL unless you
-haven't already.
 
-I should mention, that it is **strongly recommended** to change your schema
-format from Ruby to SQL, like so:
+There exist two distinct search queries, which both are using Postgres'
+advanced [text search capabilities][2]:
+
+- `RailsCVE::Entry.search_plain(str)` and
+- `RailsCVE::Entry.search_ranked(str)`
+
+While `#search_plain` does not predefine an order on the result set (except
+from ActiveRecord's default order), `#search_ranked` calculates a matching
+rank and uses this as sort criteria.
+
+Keep in mind that creating a ranked search result requires a little more
+processing time and restricts the ActiveRecord query chaining possibilities:
 
 ```ruby
-# in config/application.rb
-config.active_record.schema_format = :sql
-```
+# possible, does not reorder the query:
+RailsCVE::Entry.search_ranked('ruby rails').first
 
-While `RailsCVE::Entry.search` uses a predefined search query, you can, of
-course, build your own using Postgres' [text search functions and operators][2]
+# not possible, tries but fails to reorder by ascending rank:
+RailsCVE::Entry.search_ranked('ruby rails').last
 
+# not possible:
+RailsCVE::Entry.search_ranked('ruby rails').search_ranked('windows')
+
+# use this instead:
+RailsCVE::Entry.search_ranked('ruby rails & windows')
+```
 
 ## Installation
 
-Add `rails-cve` to your Gemfile and run `bundle install`
+**This engine requires a PostgreSQL database!**
+
+Add `rails-cve` to your Gemfile and run `bundle install`:
 
 ```ruby
 gem 'rails-cve'
@@ -72,6 +103,24 @@ writing):
 rake rails_cve:seed
 ```
 
+Repeat the last step if you'd like to rebuild the entire CVE database.
+
+
+## Schema format
+
+As you can see in the example above, we take advantage of PostgreSQL's text
+search features. Hence, you will need to migrate to PostgreSQL unless you
+haven't already.
+
+I should mention, that it is **strongly recommended** to change your schema
+format from Ruby to SQL, like so:
+
+```ruby
+# in config/application.rb
+config.active_record.schema_format = :sql
+```
+
+
 ## Maintenance
 
 You should (at least daily) import the updates. RailsCVE currently uses the

data/app/models/concerns/rails_cve/entry/references.rb

@@ -1,22 +1,35 @@
 module RailsCVE::Entry::References
   extend ActiveSupport::Concern
 
+  REF_DELIMITER = '   |   '
+  REF_URI_RE = begin
+    prefix    = /(?:ASCEND|CISCO|CONFIRM|MISC|REDHAT|URL|XF)/
+    scheme    = /(?:https?|ftp|mailto)/
+    rest      = /.*/
+    structure = /\A#{prefix}:(?<uri>#{scheme}:#{rest})\z/
+  end
+
   def reference_uris
     return [] unless references?
-    references.grep(/^URL:/).map{|r| r.gsub(/^URL:/, '') }
+    @reference_uris = references.inject([]) do |refs, r|
+      REF_URI_RE.match(r){|m| refs << m[:uri] }
+      refs
+    end
   end
 
   def references=(refs)
-    case refs
-      when Array
-        references_will_change!
-        super refs.flatten
-      when String
-        references_will_change!
-        super refs.split('   |   ')
-      else
-        raise ArgumentError, 'invalid type'
+    unless Array === refs || String === refs
+      raise ArgumentError, 'invalid type'
     end
+
+    _refs = if Array === refs
+      refs.flatten
+    elsif String === refs
+      refs.split REF_DELIMITER
+    end
+
+    references_will_change!
+    super _refs.map(&:to_s).map(&:strip)
   end
 
 end

data/app/models/concerns/rails_cve/entry/search.rb

@@ -1,14 +1,21 @@
 module RailsCVE::Entry::Search
   extend ActiveSupport::Concern
 
+  TS_QUERY = "to_tsvector('english', description) @@ plainto_tsquery(%{q})"
+  TS_RANK  = "ts_rank(to_tsvector(description), plainto_tsquery(%{q}))"
+
   included do
-    scope :search, ->(query){
+    scope :search_ranked, ->(query){
       q = sanitize(query)
+      rank = "#{TS_RANK} AS rank" % { q: q }
 
-      rank = "ts_rank(to_tsvector(description), plainto_tsquery(%{q}))" % { q: q }
-      cond = "to_tsvector('english', description) @@ to_tsquery(%{q})"  % { q: q }
+      select("*, #{rank}")
+        .search_plain(query)
+        .order("rank DESC")
+    }
 
-      where(cond).order("#{rank} desc")
+    scope :search_plain, ->(query){
+      where(TS_QUERY % { q: sanitize(query) })
     }
   end
 end

data/lib/rails_cve/version.rb

@@ -1,3 +1,3 @@
 module RailsCVE
-  VERSION = "0.0.1"
+  VERSION = "0.0.2"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rails_cve
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Dominik Menke