rubion 0.3.13 → 0.3.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +36 -40
- data/lib/rubion/scanner.rb +40 -12
- data/lib/rubion/version.rb +1 -1
- metadata +1 -1
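--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 99ef1ebceccefcea4bf5c67725d1ca01f0b96d93fc6f241f454d87036f66ca82
+data.tar.gz: 0cc8829b4732831a6b4abde663adc9e03e6b8cd44036e53ba74a0786596f6c57
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5cc9368809677f92ab9943fa1b46aa29c34bf387965cdad7be2c4a7ccafd3937b5aa594d6306d64cb74dc0fd08fb3a51d5ebf0f4c7fc12f110fc128c7a6fa40b
+data.tar.gz: 8ba9129d965c90617f8c867b1f3289eafbecf8cea776f43f06e5244e04d7983e78f57c8dbc8bed43cf283405c0b84bce7a8df8041e703697f4a84fc5878fc1f5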
data/README.md
|
@@ -131,7 +131,6 @@ rubion -v
|
|
|
131
131
|
## Output Example
|
|
132
132
|
|
|
133
133
|
### Complete Scan Output
|
|
134
|
-
|
|
135
134
|
```
|
|
136
135
|
🔍 Scanning project at: /path/to/project
|
|
137
136
|
|
|
@@ -139,53 +138,53 @@ rubion -v
|
|
|
139
138
|
|
|
140
139
|
Gem Vulnerabilities:
|
|
141
140
|
|
|
142
|
-
|
|
143
|
-
| Level
|
|
144
|
-
|
|
145
|
-
| 🔴 Critical
|
|
146
|
-
| 🟠 High
|
|
147
|
-
| 🟡 Medium
|
|
148
|
-
| 🟢 Low
|
|
149
|
-
|
|
141
|
+
+--------------+----------+---------+---------------------------------------------+
|
|
142
|
+
| Level | Name | Version | Vulnerability |
|
|
143
|
+
+--------------+----------+---------+---------------------------------------------+
|
|
144
|
+
| 🔴 Critical | rexml | 3.4.1 | REXML has DoS condition when parsing... |
|
|
145
|
+
| 🟠 High | rack | 2.0.8 | Denial of Service vulnerability |
|
|
146
|
+
| 🟡 Medium | nokogiri | 1.13.8 | XML parsing vulnerability |
|
|
147
|
+
| 🟢 Low | json | 2.6.1 | JSON parsing issue |
|
|
148
|
+
+--------------+----------+---------+---------------------------------------------+
|
|
150
149
|
|
|
151
150
|
Gem Versions:
|
|
152
151
|
|
|
153
|
-
|
|
154
|
-
| Name | Current | Current
|
|
155
|
-
|
|
156
|
-
| sidekiq | 7.30 | 3/5/2024
|
|
157
|
-
| rails
|
|
158
|
-
| fastimage
|
|
159
|
-
| nokogiri
|
|
160
|
-
| redis
|
|
161
|
-
| pg
|
|
162
|
-
|
|
152
|
+
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
|
|
153
|
+
| Name | Current | Current Released On | Latest | Latest Released On | Behind By(Time) | Behind By(Versions) |
|
|
154
|
+
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
|
|
155
|
+
| sidekiq | 7.30 | 3/5/2024 | 8.1 | 11/11/2025 | 1 year | 15 |
|
|
156
|
+
| rails | 7.0.0 | 12/15/2022 | 7.1.0 | 10/4/2024 | 1 year 10 months | 8 |
|
|
157
|
+
| fastimage | 2.2.7 | 2/2/2025 | 2.3.2 | 9/9/2025 | 7 months | 3 |
|
|
158
|
+
| nokogiri | 1.13.8 | 5/10/2023 | 1.15.0 | 8/20/2024 | 1 year 3 months | 12 |
|
|
159
|
+
| redis | 4.8.0 | 1/15/2023 | 5.0.0 | 11/1/2024 | 1 year 9 months | 20 |
|
|
160
|
+
| pg | 1.4.0 | 3/20/2023 | 1.5.0 | 9/15/2024 | 1 year 5 months | 6 |
|
|
161
|
+
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
|
|
163
162
|
|
|
164
163
|
📦 Checking NPM packages... 45/45 ✓
|
|
165
164
|
|
|
166
165
|
Package Vulnerabilities:
|
|
167
166
|
|
|
168
|
-
|
|
169
|
-
| Level
|
|
170
|
-
|
|
171
|
-
| 🔴 Critical
|
|
172
|
-
| 🟠 High
|
|
173
|
-
| 🟡 Medium
|
|
174
|
-
| 🟢 Low
|
|
175
|
-
|
|
167
|
+
+--------------+---------+---------+-----------------------------------------------+
|
|
168
|
+
| Level | Name | Version | Vulnerability |
|
|
169
|
+
+--------------+---------+---------+-----------------------------------------------+
|
|
170
|
+
| 🔴 Critical | lodash | 4.17.20 | Prototype pollution vulnerability |
|
|
171
|
+
| 🟠 High | moment | 2.29.1 | Wrong timezone date calculation |
|
|
172
|
+
| 🟡 Medium | axios | 0.21.1 | Server-Side Request Forgery (SSRF) |
|
|
173
|
+
| 🟢 Low | debug | 4.3.1 | Regular Expression Denial of Service |
|
|
174
|
+
+--------------+---------+---------+-----------------------------------------------+
|
|
176
175
|
|
|
177
176
|
Package Versions:
|
|
178
177
|
|
|
179
|
-
|
|
180
|
-
| Name | Current | Current
|
|
181
|
-
|
|
182
|
-
| react
|
|
183
|
-
| vue
|
|
184
|
-
| jquery
|
|
185
|
-
| express
|
|
186
|
-
| webpack
|
|
187
|
-
| typescript
|
|
188
|
-
|
|
178
|
+
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
|
|
179
|
+
| Name | Current | Current Released On | Latest | Latest Released On | Behind By(Time) | Behind By(Versions) |
|
|
180
|
+
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
|
|
181
|
+
| react | 17.0.2 | 3/3/2021 | 18.2.0 | 6/14/2023 | 2 years 3 months | 45 |
|
|
182
|
+
| vue | 3.2.0 | 8/5/2021 | 3.3.0 | 5/18/2023 | 1 year 9 months | 8 |
|
|
183
|
+
| jquery | 3.7.1 | 4/5/2024 | 3.9.1 | 10/11/2025 | 1 year | 8 |
|
|
184
|
+
| express | 4.18.0 | 4/25/2022 | 4.18.2 | 8/15/2023 | 1 year 3 months | 2 |
|
|
185
|
+
| webpack | 5.70.0 | 3/1/2022 | 5.88.0 | 6/1/2023 | 1 year 3 months | 18 |
|
|
186
|
+
| typescript | 4.7.0 | 5/24/2022 | 5.1.0 | 5/25/2023 | 1 year | 12 |
|
|
187
|
+
+------------------+---------+-------------------------------+---------+-------------------------------+---------------------+-----------------------+
|
|
189
188
|
```
|
|
190
189
|
|
|
191
190
|
### Direct Dependencies Only (with --exclude-dependencies)
|
|
@@ -343,9 +342,6 @@ Future features planned:
|
|
|
343
342
|
- [ ] Export formats (JSON, CSV, HTML)
|
|
344
343
|
- [ ] Summary statistics
|
|
345
344
|
- [ ] Update command suggestions
|
|
346
|
-
- [ ] Support for Python (pip) packages
|
|
347
|
-
- [ ] Support for PHP (composer) packages
|
|
348
|
-
- [ ] Support for Go modules
|
|
349
345
|
- [ ] CI/CD integration flags
|
|
350
346
|
- [ ] Configurable severity thresholds
|
|
351
347
|
- [ ] Auto-fix suggestions
|
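--- a/data/lib/rubion/scanner.rb
+++ b/data/lib/rubion/scanner.rb
@@ -105,18 +105,38 @@ module Rubion
 # Exit code 1 is expected when vulnerabilities exist, so we still parse the output
 # Exit code 0 means no vulnerabilities found
 # Any other exit code or error means the command failed
-if status.exitstatus ==
+if status.exitstatus.nil? || status.exitstatus == 127 || stderr.include?('command not found') || stdout.include?('command not found')
+# Command not found - try to install bundler-audit automatically
+install_bundler_audit_and_retry
+elsif status.exitstatus == 1 || status.success? || (!stdout.empty? && (stdout.include?('vulnerabilities found') || stdout.include?('Name:')))
 # Exit code 1 (vulnerabilities found) or 0 (no vulnerabilities) - parse output
+# Also try to parse if output looks valid even if exit code is unexpected
 parse_bundler_audit_output(stdout)
-elsif !stdout.empty? && (stdout.include?('vulnerabilities found') || stdout.include?('Name:'))
-# Try to parse if output looks valid even if exit code is unexpected
-parse_bundler_audit_output(stdout)
-elsif status.exitstatus.nil?
-# Command not found or failed to execute
-raise "bundle-audit command failed or is not installed. Error: #{stderr}"
 else
 # Unexpected exit code
-raise "bundle-audit failed with exit code #{status.exitstatus}. Output: #{stdout}#{stderr.empty?
+raise "bundle-audit failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
+"\nError: #{stderr}"
+end}"
+end
+end
+
+def install_bundler_audit_and_retry
+puts "\n ⚠️ bundle-audit is not installed."
+print ' Attempting to install bundler-audit... '
+$stdout.flush
+
+_install_stdout, install_stderr, install_status = Open3.capture3('gem install bundler-audit 2>&1')
+
+if install_status.success?
+puts "✓ Successfully installed bundler-audit\n"
+puts " Retrying gem vulnerability check...\n\n"
+# Retry the check after installation
+check_gem_vulnerabilities
+else
+puts '✗ Failed to install bundler-audit'
+raise "bundle-audit is not installed and automatic installation failed.\n" \
+"Please install it manually by running: gem install bundler-audit\n" \
+"Installation error: #{install_stderr}"
 end
 end
 
@@ -131,7 +151,9 @@ module Rubion
 raise "bundle outdated command failed or is not available. Error: #{stderr}"
 else
 # Command failed with non-zero exit code
-raise "bundle outdated failed with exit code #{status.exitstatus}. Output: #{stdout}#{stderr.empty?
+raise "bundle outdated failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
+"\nError: #{stderr}"
+end}"
 end
 end
 
@@ -146,7 +168,9 @@ module Rubion
 raise "#{@package_manager} audit command failed or is not available. Error: #{stderr}"
 elsif !status.success? && status.exitstatus != 1
 # Exit code 1 is expected when vulnerabilities are found, other non-zero codes are errors
-raise "#{@package_manager} audit failed with exit code #{status.exitstatus}. Output: #{stdout}#{stderr.empty?
+raise "#{@package_manager} audit failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
+"\nError: #{stderr}"
+end}"
 end
 
 begin
@@ -177,7 +201,9 @@ module Rubion
 raise "npm outdated command failed or is not available. Error: #{stderr}"
 elsif !status.success? && status.exitstatus != 1
 # Exit code 1 is expected when packages are outdated, other non-zero codes are errors
-raise "npm outdated failed with exit code #{status.exitstatus}. Output: #{stdout}#{stderr.empty?
+raise "npm outdated failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
+"\nError: #{stderr}"
+end}"
 end
 
 begin
@@ -198,7 +224,9 @@ module Rubion
 raise "yarn outdated command failed or is not available. Error: #{stderr}"
 elsif !status.success? && status.exitstatus != 1
 # Exit code 1 is expected when packages are outdated, other non-zero codes are errors
-raise "yarn outdated failed with exit code #{status.exitstatus}. Output: #{stdout}#{stderr.empty?
+raise "yarn outdated failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
+"\nError: #{stderr}"
+end}"
 end
 
 begin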
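Review bot: `install_bundler_audit_and_retry` can recurse without bound: after a successful `gem install` it calls `check_gem_vulnerabilities`, and if `bundle-audit` is still not found (gem bin directory not on PATH, or the same exit-127 / 'command not found' condition for another reason) the new first branch calls the installer again, which succeeds again, and so on. Guard the retry with a flag at the top of the method, e.g. `raise 'bundle-audit still not found after installing bundler-audit; check that the gem bin directory is on PATH' if @bundler_audit_install_attempted` followed by `@bundler_audit_install_attempted = true`. The `2>&1` inside `Open3.capture3('gem install bundler-audit 2>&1')` also forces a shell and routes the install's stderr into the discarded `_install_stdout`, so `install_stderr` in the failure message will normally be empty; the argv form `Open3.capture3('gem', 'install', 'bundler-audit')` avoids the shell and captures stderr. Separately, this installs the newest unpinned `bundler-audit` from the configured gem source as a side effect of running a scan, which is worth either confirming with the user or at least stating in the README. `check_gem_vulnerabilities` begins outside the hunk.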
data/lib/rubion/version.rb