RubyGems - rubion - Versions diffs - 0.3.16 → 0.3.17 - Mend

rubion 0.3.16 → 0.3.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1749851afa6f0075dc159a4f4d406a6c1900d8404eaf61fc4737d9d350deb3d7
-  data.tar.gz: c59e82269f8e505a62c9fdd54141547ccd67d0ee72ceb139a47d65fb02627293
+  metadata.gz: 1d382653589bad6b28b68444b231efafa582f375cf1d4c7284d8df5faae04d50
+  data.tar.gz: 3edfba9269ed3024943544887422101b7512cd4309c5e689fbd6f8a7cf655a60
 SHA512:
-  metadata.gz: b842fac77f18bfbbd548a2a7ae43f6f98022a47c2c2ad4678e755349c712ffb4ec6c27404b7b7b6c4ed6719e4b65d3bd9f66aa44f4adefb9b3f8681b387cb2ca
-  data.tar.gz: 1fcc0c42ca646da4ecd88b178969663a4b45b79d1c95657dfe0f5948e293b49fb4042b9e0b710e42a62b8832050266e662b7366c02b433ca8aeeb80c8a5cb746
+  metadata.gz: a5f3c72e3d1f257c426e0df25efb3b1ae62751527324bd5a8991986dd12aa6652cb0ca81aecd2941c3b00a19a5ceff090d1718ff5d540e59c0ddbc509707dd73
+  data.tar.gz: bc17b9ebd3c5081cb040deba4358eae42f4a941169fa7a5db919ea9ef92065dfa33fcb11dcc0a2925e58a62ebbb9ea4dad3364c69ff46133b7a2f79447885503

data/lib/rubion/scanner.rb CHANGED Viewed

@@ -125,14 +125,17 @@ module Rubion
     def check_gem_versions
       stdout, stderr, status = Open3.capture3('bundle outdated --parseable', chdir: @project_path)
-      if status.success?
-        # Command succeeded - parse output (may be empty if all gems are up to date)
+      # bundle outdated returns exit code 1 when outdated gems are found (expected behavior)
+      # Exit code 0 means no outdated gems or command succeeded
+      # Exit code 1 means outdated gems found - this is success, not an error
+      if status.success? || status.exitstatus == 1
+        # Command succeeded or outdated gems found - parse output
         parse_bundle_outdated_output(stdout)
       elsif status.exitstatus.nil?
         # Command not found or failed to execute
         raise "bundle outdated command failed or is not available. Error: #{stderr}"
       else
-        # Command failed with non-zero exit code
+        # Command failed with unexpected non-zero exit code
         raise "bundle outdated failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
                                                                                                 "\nError: #{stderr}"
                                                                                               end}"
@@ -148,16 +151,22 @@ module Rubion
       if status.exitstatus.nil?
         # Command not found or failed to execute
         raise "#{@package_manager} audit command failed or is not available. Error: #{stderr}"
-      elsif !status.success? && status.exitstatus != 1
-        # Exit code 1 is expected when vulnerabilities are found, other non-zero codes are errors
+      elsif !status.success? && status.exitstatus != 1 && status.exitstatus != 4
+        # Exit code 1 (npm) or 4 (yarn) is expected when vulnerabilities are found
+        # Other non-zero codes are errors
         raise "#{@package_manager} audit failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
                                                                                                           "\nError: #{stderr}"
                                                                                                         end}"
       end
       begin
-        data = JSON.parse(stdout)
-        parse_npm_audit_output(data)
+        # Yarn audit outputs JSON line by line, need to parse each line
+        if @package_manager == 'yarn'
+          parse_yarn_audit_output(stdout)
+        else
+          data = JSON.parse(stdout)
+          parse_npm_audit_output(data)
+        end
       rescue JSON::ParserError => e
         raise "Failed to parse #{@package_manager} audit JSON output: #{e.message}. Raw output: #{stdout}"
       end
@@ -364,6 +373,55 @@ module Rubion
       @result.package_vulnerabilities = vulnerabilities
     end
+    def parse_yarn_audit_output(output)
+      vulnerabilities = []
+      seen_advisories = {}
+      # Yarn audit outputs JSON line by line
+      output.each_line do |line|
+        next if line.strip.empty?
+        begin
+          json_obj = JSON.parse(line)
+          next unless json_obj.is_a?(Hash)
+          # Parse auditAdvisory type
+          if json_obj['type'] == 'auditAdvisory' && json_obj['data'] && json_obj['data']['advisory']
+            advisory = json_obj['data']['advisory']
+            advisory_id = advisory['id']
+            # Skip if we've already seen this advisory
+            next if seen_advisories[advisory_id]
+            seen_advisories[advisory_id] = true
+            # Extract package name and version from findings
+            if advisory['findings'] && advisory['findings'].is_a?(Array) && advisory['findings'].first
+              finding = advisory['findings'].first
+              version = finding['version'] || 'unknown'
+            else
+              version = 'unknown'
+            end
+            # Get severity (yarn uses lowercase)
+            severity = (advisory['severity'] || 'unknown').downcase
+            vulnerabilities << {
+              package: advisory['module_name'] || 'unknown',
+              version: version,
+              severity: severity,
+              title: advisory['title'] || advisory['overview'] || 'Vulnerability detected'
+            }
+          end
+        rescue JSON::ParserError
+          # Skip invalid JSON lines
+          next
+        end
+      end
+      @result.package_vulnerabilities = vulnerabilities
+    end
     def parse_npm_outdated_output(data)
       versions = []
@@ -789,7 +847,14 @@ module Rubion
       puts "\n  Both npm and yarn are available. Which would you like to use?"
       print "  Enter 'n' for npm or 'y' for yarn (default: npm): "
-      choice = $stdin.gets.chomp.strip.downcase
+      input = $stdin.gets
+      if input.nil?
+        # stdin not available (e.g., running through bundle exec in non-interactive mode)
+        puts "  (stdin not available, using npm as default)\n"
+        return 'npm'
+      end
+      choice = input.chomp.strip.downcase
       if choice.empty? || choice == 'n' || choice == 'npm'
         'npm'

data/lib/rubion/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Rubion
-  VERSION = "0.3.16"
+  VERSION = "0.3.17"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubion
 version: !ruby/object:Gem::Version
-  version: 0.3.16
+  version: 0.3.17
 platform: ruby
 authors:
 - bipashant