rubion 0.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f3dc20ad2e0d8a10c9819577c5370327e860d1406b866fa02504e472dbb1e673
+  data.tar.gz: b7954923cc22c872f7a20520db5bf2496af0615886978d2701188357b1e3cdf2
+SHA512:
+  metadata.gz: c8997bc21f73e51e7e904e8372fd779d85f5b162ff0d7b7187ce4136571343913d6362d61a2cb2839d3c8333f91b3af8724192a6b7bff9ae361c357975d8dce6
+  data.tar.gz: 8e18d1257ef3cc883c7dba88355c3c7928c60f31bb17d20135b19954ad4ac055b2aeb21338d9453156959330ad3432aa36ab2e7772c315ec9bc8bb81a9946ab2

data/Gemfile

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in rubion.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+gem "rspec", "~> 3.0"
+gem "rubocop", "~> 1.21"
+

data/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2025 [Your Name]
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

data/README.md

@@ -0,0 +1,273 @@
+# 🔒 Rubion
+
+**Rubion** is a security and version scanner for Ruby and JavaScript projects. It helps you identify vulnerabilities and outdated dependencies in your Ruby gems and NPM packages.
+
+## Features
+
+- 📛 **Gem Vulnerabilities**: Scans for known security vulnerabilities in Ruby gems using `bundle-audit`
+- 📦 **Gem Versions**: Identifies outdated Ruby gems with release dates and version counts
+- 📛 **Package Vulnerabilities**: Scans for known security vulnerabilities in NPM packages using `npm audit`
+- 📦 **Package Versions**: Identifies outdated NPM packages with release dates and version counts
+- 📊 **Beautiful Reports**: Organized table output with severity icons (🔴 Critical, 🟠 High, 🟡 Medium, 🟢 Low, ⚪ Unknown)
+- 🚀 **Fast & Efficient**: Parallel API processing (10 concurrent threads) for quick results
+- ⚡ **Incremental Output**: Shows gem results immediately, then scans packages
+- 📅 **Release Dates**: Fetches actual release dates from RubyGems.org and NPM registry
+- 🔢 **Version Analysis**: Shows how many versions behind and time difference
+
+## Installation
+
+### Install from RubyGems (when published)
+
+```bash
+gem install rubion
+```
+
+### Install from source
+
+```bash
+git clone https://github.com/yourusername/rubion.git
+cd rubion
+bundle install
+rake install_local
+```
+
+## Usage
+
+### Scan your project
+
+Navigate to your project directory and run:
+
+```bash
+rubion scan
+```
+
+This will scan your project for:
+- Ruby gem vulnerabilities (if `Gemfile.lock` exists)
+- Outdated Ruby gems with release dates
+- NPM package vulnerabilities (if `package.json` exists)
+- Outdated NPM packages with release dates
+
+### Scan options
+
+```bash
+# Scan only Ruby gems (skip NPM packages)
+rubion scan --gems-only
+# or
+rubion scan -g
+
+# Scan only NPM packages (skip Ruby gems)
+rubion scan --packages-only
+# or
+rubion scan -p
+
+# Scan both (default)
+rubion scan
+```
+
+### View help
+
+```bash
+rubion help
+```
+
+### Check version
+
+```bash
+rubion version
+# or
+rubion -v
+```
+
+## Output Example
+
+```
+🔍 Scanning project at: /path/to/project
+
+📦 Checking Ruby gems... 139/139 ✓
+
+Gem Vulnerabilities:
+
++----------+--------+---------+------------------------------------------+
+| Level    | Name   | Version | Vulnerability                            |
++----------+--------+---------+------------------------------------------+
+| 🔴 Critical | rexml | 3.4.1   | REXML has DoS condition when parsing... |
+| 🟠 High  | rack   | 2.0.8   | Denial of Service vulnerability         |
++----------+--------+---------+------------------------------------------+
+
+Gem Versions:
+
++----------+---------+-----------+---------+-----------+-----------+----------+
+| Name     | Current | Date      | Latest  | Date      | Behind By | Versions |
++----------+---------+-----------+---------+-----------+-----------+----------+
+| sidekiq  | 7.30    | 3/5/2024  | 8.1     | 11/11/2025| 1 year    | 15       |
+| fastimage| 2.2.7   | 2/2/2025  | 2.3.2   | 9/9/2025  | 7 months  | 3        |
++----------+---------+-----------+---------+-----------+-----------+----------+
+
+📦 Checking NPM packages... 45/45 ✓
+
+Package Vulnerabilities:
+
++----------+--------+---------+------------------------------------------+
+| Level    | Name   | Version | Vulnerability                            |
++----------+--------+---------+------------------------------------------+
+| 🟠 High  | moment | 1.2.3   | Wrong timezone date calculation         |
++----------+--------+---------+------------------------------------------+
+
+Package Versions:
+
++----------+---------+-----------+---------+-----------+-----------+----------+
+| Name     | Current | Date      | Latest  | Date      | Behind By | Versions |
++----------+---------+-----------+---------+-----------+-----------+----------+
+| jquery   | 3.7.1   | 4/5/2024  | 3.9.1   | 10/11/2025| 1 year    | 8        |
++----------+---------+-----------+---------+-----------+-----------+----------+
+```
+
+## Requirements
+
+- Ruby 2.6 or higher
+- Bundler (for Ruby gem scanning)
+- NPM (optional, for NPM package scanning)
+- `bundler-audit` (optional, for enhanced gem vulnerability detection)
+
+### Installing bundler-audit (recommended)
+
+```bash
+gem install bundler-audit
+```
+
+**Note:** Without `bundler-audit`, gem vulnerability scanning will be skipped.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt.
+
+### Running tests
+
+```bash
+rake spec
+```
+
+### Running RuboCop
+
+```bash
+rake rubocop
+```
+
+### Building the gem
+
+```bash
+gem build rubion.gemspec
+```
+
+### Installing locally
+
+```bash
+rake install_local
+```
+
+## How It Works
+
+Rubion uses a modular architecture:
+
+1. **Scanner** (`lib/rubion/scanner.rb`): Executes various commands to scan for vulnerabilities and outdated versions
+   - `bundle-audit check` for gem vulnerabilities
+   - `bundle outdated --parseable` for gem versions
+   - `npm audit --json` for package vulnerabilities
+   - `npm outdated --json` for package versions
+   - Fetches release dates and version data from RubyGems.org and NPM registry APIs
+   - Uses parallel processing (10 concurrent threads) for fast API calls
+
+2. **Reporter** (`lib/rubion/reporter.rb`): Formats scan results into beautiful terminal tables using `terminal-table`
+   - Adds severity icons (🔴 🟠 🟡 🟢 ⚪)
+   - Formats dates, time differences, and version counts
+   - Supports incremental output (gems first, then packages)
+
+3. **CLI** (`lib/rubion.rb`): Provides the command-line interface
+   - Parses command-line options (`--gems-only`, `--packages-only`)
+   - Coordinates scanning and reporting
+
+For detailed information about data collection and mapping, see [HOW_IT_WORKS.md](HOW_IT_WORKS.md).
+
+## Extending Rubion
+
+Rubion is designed to be easily extensible. To add new scanners:
+
+1. Add a new method in `lib/rubion/scanner.rb`
+2. Add a corresponding report method in `lib/rubion/reporter.rb`
+3. Update the scan flow in `Scanner#scan`
+
+Example:
+
+```ruby
+# In scanner.rb
+def scan_python_packages
+  # Your scanning logic here
+  @result.python_vulnerabilities = check_pip_vulnerabilities
+end
+
+# In reporter.rb
+def print_python_vulnerabilities
+  # Your reporting logic here
+end
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/yourusername/rubion.
+
+1. Fork it
+2. Create your feature branch (`git checkout -b feature/my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin feature/my-new-feature`)
+5. Create new Pull Request
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the Rubion project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.
+
+## Support
+
+If you have any questions or need help, please:
+- Open an issue on GitHub
+- Check the documentation
+- Contact the maintainers
+
+## Performance
+
+Rubion is optimized for speed:
+
+- **Parallel API Processing**: Uses 10 concurrent threads to fetch version data from RubyGems.org and NPM registry
+- **Single API Call Per Package**: Fetches all necessary data (dates, version list) in one request
+- **Incremental Output**: Shows gem results immediately, then scans packages (better UX)
+- **Progress Indicators**: Shows real-time progress like "Checking Ruby gems... 10/54"
+
+Typical scan times:
+- Gems only: ~4-5 seconds (for ~140 gems)
+- Packages only: ~3-4 seconds (for ~50 packages)
+- Both: ~7-9 seconds total
+
+## Roadmap
+
+Future features planned:
+- [ ] Sorting options (by severity, name, date, etc.)
+- [ ] Filtering options (by severity, outdated threshold, etc.)
+- [ ] Export formats (JSON, CSV, HTML)
+- [ ] Summary statistics
+- [ ] Update command suggestions
+- [ ] Support for Python (pip) packages
+- [ ] Support for PHP (composer) packages
+- [ ] Support for Go modules
+- [ ] CI/CD integration flags
+- [ ] Configurable severity thresholds
+- [ ] Auto-fix suggestions
+- [ ] Historical tracking of vulnerabilities
+
+## Acknowledgments
+
+- Built with [terminal-table](https://github.com/tj/terminal-table)
+- Inspired by tools like `bundle-audit` and `npm audit`
+

data/bin/rubion

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../lib/rubion'
+
+Rubion::CLI.start(ARGV)
+

data/lib/rubion/reporter.rb

@@ -0,0 +1,246 @@
+# frozen_string_literal: true
+
+require 'terminal-table'
+
+module Rubion
+  class Reporter
+    def initialize(scan_result)
+      @result = scan_result
+    end
+
+    def report
+      print_header
+      _print_gem_vulnerabilities
+      _print_gem_versions
+      _print_package_vulnerabilities
+      _print_package_versions
+      print_summary
+    end
+
+    # Public methods for incremental reporting
+    def print_gem_vulnerabilities
+      _print_gem_vulnerabilities
+    end
+
+    def print_gem_versions
+      _print_gem_versions
+    end
+
+    def print_package_vulnerabilities
+      _print_package_vulnerabilities
+    end
+
+    def print_package_versions
+      _print_package_versions
+    end
+
+    private
+
+    def _print_gem_vulnerabilities
+      puts "Gem Vulnerabilities:\n\n"
+
+      if @result.gem_vulnerabilities.empty?
+        puts "  ✅ No vulnerabilities found!\n\n"
+        return
+      end
+
+      table = Terminal::Table.new do |t|
+        t.headings = %w[Level Name Version Vulnerability]
+
+        @result.gem_vulnerabilities.each do |vuln|
+          t.add_row [
+            severity_with_icon(vuln[:severity]),
+            vuln[:gem],
+            vuln[:version],
+            truncate(vuln[:title], 50)
+          ]
+        end
+      end
+
+      puts table
+      puts "\n"
+    end
+
+    def print_header
+      # Simplified header
+      puts "\n"
+    end
+
+    def _print_gem_vulnerabilities
+      if @result.gem_vulnerabilities.empty?
+        puts "  ✅ No vulnerabilities found!\n\n"
+        return
+      end
+
+      table = Terminal::Table.new do |t|
+        t.headings = %w[Level Name Version Vulnerability]
+
+        @result.gem_vulnerabilities.each do |vuln|
+          t.add_row [
+            severity_with_icon(vuln[:severity]),
+            vuln[:gem],
+            vuln[:version],
+            truncate(vuln[:title], 50)
+          ]
+        end
+      end
+
+      puts table
+      puts "\n"
+    end
+
+    def _print_gem_versions
+      puts "Gem Versions:\n\n"
+
+      if @result.gem_versions.empty?
+        puts "  ✅ All gems are up to date!\n\n"
+        return
+      end
+
+      table = Terminal::Table.new do |t|
+        t.headings = ['Name', 'Current', 'Date', 'Latest', 'Date', 'Behind By(Time)', 'Behind By(Versions)']
+
+        @result.gem_versions.each do |gem|
+          t.add_row [
+            gem[:gem],
+            gem[:current],
+            gem[:current_date] || 'N/A',
+            gem[:latest],
+            gem[:latest_date] || 'N/A',
+            gem[:time_diff] || 'N/A',
+            gem[:version_count] || 'N/A'
+          ]
+        end
+      end
+
+      puts table
+      puts "\n"
+    end
+
+    def _print_package_vulnerabilities
+      puts "Package Vulnerabilities:\n\n"
+
+      if @result.package_vulnerabilities.empty?
+        puts "  ✅ No vulnerabilities found!\n\n"
+        return
+      end
+
+      table = Terminal::Table.new do |t|
+        t.headings = %w[Level Name Version Vulnerability]
+
+        @result.package_vulnerabilities.each do |vuln|
+          t.add_row [
+            severity_with_icon(vuln[:severity]),
+            vuln[:package],
+            vuln[:version],
+            truncate(vuln[:title], 50)
+          ]
+        end
+      end
+
+      puts table
+      puts "\n"
+    end
+
+    def _print_package_versions
+      puts "Package Versions:\n\n"
+
+      if @result.package_versions.empty?
+        puts "  ✅ All packages are up to date!\n\n"
+        return
+      end
+
+      table = Terminal::Table.new do |t|
+        t.headings = ['Name', 'Current', 'Date', 'Latest', 'Date', 'Behind By', 'Versions']
+
+        @result.package_versions.each do |pkg|
+          t.add_row [
+            pkg[:package],
+            pkg[:current],
+            pkg[:current_date] || 'N/A',
+            pkg[:latest],
+            pkg[:latest_date] || 'N/A',
+            pkg[:time_diff] || 'N/A',
+            pkg[:version_count] || 'N/A'
+          ]
+        end
+      end
+
+      puts table
+      puts "\n"
+    end
+
+    def print_summary
+      # Minimal summary at the end
+      puts "\n"
+    end
+
+    # Helpers
+
+    def severity_with_icon(severity)
+      severity_str = severity.to_s.capitalize
+
+      case severity.to_s.downcase
+      when 'critical'
+        "🔴 #{severity_str}"
+      when 'high'
+        "🟠 #{severity_str}"
+      when 'medium', 'moderate'
+        "🟡 #{severity_str}"
+      when 'low'
+        "🟢 #{severity_str}"
+      when 'unknown'
+        "⚪ #{severity_str}"
+      else
+        severity_str
+      end
+    end
+
+    def colorize_severity(severity)
+      case severity.to_s.downcase
+      when 'critical'
+        "🔴 #{severity}"
+      when 'high'
+        "🟠 #{severity}"
+      when 'medium', 'moderate'
+        "🟡 #{severity}"
+      when 'low'
+        "🟢 #{severity}"
+      else
+        severity
+      end
+    end
+
+    def colorize_count(count)
+      count > 0 ? "🔴 #{count}" : "✅ #{count}"
+    end
+
+    def truncate(text, length = 50)
+      return text if text.length <= length
+
+      "#{text[0..length - 3]}..."
+    end
+
+    def version_difference(current, latest)
+      # Simple version difference calculation
+      current_parts = current.split('.').map(&:to_i)
+      latest_parts = latest.split('.').map(&:to_i)
+
+      major_diff = (latest_parts[0] || 0) - (current_parts[0] || 0)
+      minor_diff = (latest_parts[1] || 0) - (current_parts[1] || 0)
+      patch_diff = (latest_parts[2] || 0) - (current_parts[2] || 0)
+
+      if major_diff > 0
+        "#{major_diff} major"
+      elsif minor_diff > 0
+        "#{minor_diff} minor"
+      elsif patch_diff > 0
+        "#{patch_diff} patch"
+      else
+        'up to date'
+      end
+    rescue StandardError
+      'unknown'
+    end
+  end
+end