rubion 0.3.15 → 0.3.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 99ef1ebceccefcea4bf5c67725d1ca01f0b96d93fc6f241f454d87036f66ca82
-  data.tar.gz: 0cc8829b4732831a6b4abde663adc9e03e6b8cd44036e53ba74a0786596f6c57
+  metadata.gz: 1d382653589bad6b28b68444b231efafa582f375cf1d4c7284d8df5faae04d50
+  data.tar.gz: 3edfba9269ed3024943544887422101b7512cd4309c5e689fbd6f8a7cf655a60
 SHA512:
-  metadata.gz: 5cc9368809677f92ab9943fa1b46aa29c34bf387965cdad7be2c4a7ccafd3937b5aa594d6306d64cb74dc0fd08fb3a51d5ebf0f4c7fc12f110fc128c7a6fa40b
-  data.tar.gz: 8ba9129d965c90617f8c867b1f3289eafbecf8cea776f43f06e5244e04d7983e78f57c8dbc8bed43cf283405c0b84bce7a8df8041e703697f4a84fc5878fc1f5
+  metadata.gz: a5f3c72e3d1f257c426e0df25efb3b1ae62751527324bd5a8991986dd12aa6652cb0ca81aecd2941c3b00a19a5ceff090d1718ff5d540e59c0ddbc509707dd73
+  data.tar.gz: bc17b9ebd3c5081cb040deba4358eae42f4a941169fa7a5db919ea9ef92065dfa33fcb11dcc0a2925e58a62ebbb9ea4dad3364c69ff46133b7a2f79447885503

data/lib/rubion/scanner.rb

@@ -106,8 +106,10 @@ module Rubion
       # Exit code 0 means no vulnerabilities found
       # Any other exit code or error means the command failed
       if status.exitstatus.nil? || status.exitstatus == 127 || stderr.include?('command not found') || stdout.include?('command not found')
-        # Command not found - try to install bundler-audit automatically
-        install_bundler_audit_and_retry
+        # Command not found - show friendly message and skip vulnerability check
+        puts "\n  ℹ️  bundle-audit is not installed. Skipping gem vulnerability check."
+        puts "     To enable vulnerability scanning, install it with: gem install bundler-audit\n"
+        @result.gem_vulnerabilities = []
       elsif status.exitstatus == 1 || status.success? || (!stdout.empty? && (stdout.include?('vulnerabilities found') || stdout.include?('Name:')))
         # Exit code 1 (vulnerabilities found) or 0 (no vulnerabilities) - parse output
         # Also try to parse if output looks valid even if exit code is unexpected
@@ -120,37 +122,20 @@ module Rubion
       end
     end
 
-    def install_bundler_audit_and_retry
-      puts "\n  ⚠️  bundle-audit is not installed."
-      print '  Attempting to install bundler-audit... '
-      $stdout.flush
-
-      _install_stdout, install_stderr, install_status = Open3.capture3('gem install bundler-audit 2>&1')
-
-      if install_status.success?
-        puts "✓ Successfully installed bundler-audit\n"
-        puts "  Retrying gem vulnerability check...\n\n"
-        # Retry the check after installation
-        check_gem_vulnerabilities
-      else
-        puts '✗ Failed to install bundler-audit'
-        raise "bundle-audit is not installed and automatic installation failed.\n" \
-              "Please install it manually by running: gem install bundler-audit\n" \
-              "Installation error: #{install_stderr}"
-      end
-    end
-
     def check_gem_versions
       stdout, stderr, status = Open3.capture3('bundle outdated --parseable', chdir: @project_path)
 
-      if status.success?
-        # Command succeeded - parse output (may be empty if all gems are up to date)
+      # bundle outdated returns exit code 1 when outdated gems are found (expected behavior)
+      # Exit code 0 means no outdated gems or command succeeded
+      # Exit code 1 means outdated gems found - this is success, not an error
+      if status.success? || status.exitstatus == 1
+        # Command succeeded or outdated gems found - parse output
         parse_bundle_outdated_output(stdout)
       elsif status.exitstatus.nil?
         # Command not found or failed to execute
         raise "bundle outdated command failed or is not available. Error: #{stderr}"
       else
-        # Command failed with non-zero exit code
+        # Command failed with unexpected non-zero exit code
         raise "bundle outdated failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
                                                                                                 "\nError: #{stderr}"
                                                                                               end}"
@@ -166,16 +151,22 @@ module Rubion
       if status.exitstatus.nil?
         # Command not found or failed to execute
         raise "#{@package_manager} audit command failed or is not available. Error: #{stderr}"
-      elsif !status.success? && status.exitstatus != 1
-        # Exit code 1 is expected when vulnerabilities are found, other non-zero codes are errors
+      elsif !status.success? && status.exitstatus != 1 && status.exitstatus != 4
+        # Exit code 1 (npm) or 4 (yarn) is expected when vulnerabilities are found
+        # Other non-zero codes are errors
         raise "#{@package_manager} audit failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
                                                                                                           "\nError: #{stderr}"
                                                                                                         end}"
       end
 
       begin
-        data = JSON.parse(stdout)
-        parse_npm_audit_output(data)
+        # Yarn audit outputs JSON line by line, need to parse each line
+        if @package_manager == 'yarn'
+          parse_yarn_audit_output(stdout)
+        else
+          data = JSON.parse(stdout)
+          parse_npm_audit_output(data)
+        end
       rescue JSON::ParserError => e
         raise "Failed to parse #{@package_manager} audit JSON output: #{e.message}. Raw output: #{stdout}"
       end
@@ -382,6 +373,55 @@ module Rubion
       @result.package_vulnerabilities = vulnerabilities
     end
 
+    def parse_yarn_audit_output(output)
+      vulnerabilities = []
+      seen_advisories = {}
+
+      # Yarn audit outputs JSON line by line
+      output.each_line do |line|
+        next if line.strip.empty?
+
+        begin
+          json_obj = JSON.parse(line)
+          next unless json_obj.is_a?(Hash)
+
+          # Parse auditAdvisory type
+          if json_obj['type'] == 'auditAdvisory' && json_obj['data'] && json_obj['data']['advisory']
+            advisory = json_obj['data']['advisory']
+            advisory_id = advisory['id']
+
+            # Skip if we've already seen this advisory
+            next if seen_advisories[advisory_id]
+
+            seen_advisories[advisory_id] = true
+
+            # Extract package name and version from findings
+            if advisory['findings'] && advisory['findings'].is_a?(Array) && advisory['findings'].first
+              finding = advisory['findings'].first
+              version = finding['version'] || 'unknown'
+            else
+              version = 'unknown'
+            end
+
+            # Get severity (yarn uses lowercase)
+            severity = (advisory['severity'] || 'unknown').downcase
+
+            vulnerabilities << {
+              package: advisory['module_name'] || 'unknown',
+              version: version,
+              severity: severity,
+              title: advisory['title'] || advisory['overview'] || 'Vulnerability detected'
+            }
+          end
+        rescue JSON::ParserError
+          # Skip invalid JSON lines
+          next
+        end
+      end
+
+      @result.package_vulnerabilities = vulnerabilities
+    end
+
     def parse_npm_outdated_output(data)
       versions = []
 
@@ -807,7 +847,14 @@ module Rubion
       puts "\n  Both npm and yarn are available. Which would you like to use?"
       print "  Enter 'n' for npm or 'y' for yarn (default: npm): "
 
-      choice = $stdin.gets.chomp.strip.downcase
+      input = $stdin.gets
+      if input.nil?
+        # stdin not available (e.g., running through bundle exec in non-interactive mode)
+        puts "  (stdin not available, using npm as default)\n"
+        return 'npm'
+      end
+
+      choice = input.chomp.strip.downcase
 
       if choice.empty? || choice == 'n' || choice == 'npm'
         'npm'

data/lib/rubion/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
 module Rubion
-  VERSION = "0.3.15"
+  VERSION = "0.3.17"
 end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubion
 version: !ruby/object:Gem::Version
-  version: 0.3.15
+  version: 0.3.17
 platform: ruby
 authors:
 - bipashant