RubyGems - rubion - Versions diffs - 0.3.16 → 0.3.18 - Mend

rubion 0.3.16 → 0.3.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1749851afa6f0075dc159a4f4d406a6c1900d8404eaf61fc4737d9d350deb3d7
-  data.tar.gz: c59e82269f8e505a62c9fdd54141547ccd67d0ee72ceb139a47d65fb02627293
+  metadata.gz: 25866a240d194626328073cc8f0e78b970dd1e8389563f8a2a636a23ccc545e3
+  data.tar.gz: bc7061c95fe6a24fd7cc464bf3671f26bc9d1a53eb248512d7b15c1c67efdbf6
 SHA512:
-  metadata.gz: b842fac77f18bfbbd548a2a7ae43f6f98022a47c2c2ad4678e755349c712ffb4ec6c27404b7b7b6c4ed6719e4b65d3bd9f66aa44f4adefb9b3f8681b387cb2ca
-  data.tar.gz: 1fcc0c42ca646da4ecd88b178969663a4b45b79d1c95657dfe0f5948e293b49fb4042b9e0b710e42a62b8832050266e662b7366c02b433ca8aeeb80c8a5cb746
+  metadata.gz: aa33bfe89c56497e77cb63b9e518fe4f57673c53440971ee50b3ebe56f82f83ea39af26e74b5bd3e38036ef85270be2a778b900afce56027234e50c80acb7603
+  data.tar.gz: 536c26c682881e1516baeeb9833214fb3a761fa0c65df777961d434da28a4e4ba5a39c6e6013251e3b27a6baca3ba9b424e7465282832ed298d061564c859959

data/lib/rubion/scanner.rb CHANGED Viewed

@@ -125,14 +125,17 @@ module Rubion
     def check_gem_versions
       stdout, stderr, status = Open3.capture3('bundle outdated --parseable', chdir: @project_path)
-      if status.success?
-        # Command succeeded - parse output (may be empty if all gems are up to date)
+      # bundle outdated returns exit code 1 when outdated gems are found (expected behavior)
+      # Exit code 0 means no outdated gems or command succeeded
+      # Exit code 1 means outdated gems found - this is success, not an error
+      if status.success? || status.exitstatus == 1
+        # Command succeeded or outdated gems found - parse output
         parse_bundle_outdated_output(stdout)
       elsif status.exitstatus.nil?
         # Command not found or failed to execute
         raise "bundle outdated command failed or is not available. Error: #{stderr}"
       else
-        # Command failed with non-zero exit code
+        # Command failed with unexpected non-zero exit code
         raise "bundle outdated failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
                                                                                                 "\nError: #{stderr}"
                                                                                               end}"
@@ -148,16 +151,26 @@ module Rubion
       if status.exitstatus.nil?
         # Command not found or failed to execute
         raise "#{@package_manager} audit command failed or is not available. Error: #{stderr}"
-      elsif !status.success? && status.exitstatus != 1
-        # Exit code 1 is expected when vulnerabilities are found, other non-zero codes are errors
+      elsif @package_manager == 'npm' && !status.success? && status.exitstatus != 1
+        # For npm, exit code 1 means vulnerabilities were found; any other non-zero code is an error
         raise "#{@package_manager} audit failed with exit code #{status.exitstatus}. Output: #{stdout}#{unless stderr.empty?
                                                                                                           "\nError: #{stderr}"
                                                                                                         end}"
+      elsif @package_manager == 'yarn' && !status.success?
+        # For Yarn (classic), any non-zero exit code is a bitmask of severities:
+        # 1=info, 2=low, 4=moderate, 8=high, 16=critical. The exit code is the sum of severities found.
+        # Non-zero here indicates vulnerabilities were found; we'll still try to parse the JSON output below.
+        # Do not raise here so that vulnerabilities are handled gracefully.
       end
       begin
-        data = JSON.parse(stdout)
-        parse_npm_audit_output(data)
+        # Yarn audit outputs JSON line by line, need to parse each line
+        if @package_manager == 'yarn'
+          parse_yarn_audit_output(stdout)
+        else
+          data = JSON.parse(stdout)
+          parse_npm_audit_output(data)
+        end
       rescue JSON::ParserError => e
         raise "Failed to parse #{@package_manager} audit JSON output: #{e.message}. Raw output: #{stdout}"
       end
@@ -364,6 +377,55 @@ module Rubion
       @result.package_vulnerabilities = vulnerabilities
     end
+    def parse_yarn_audit_output(output)
+      vulnerabilities = []
+      seen_advisories = {}
+      # Yarn audit outputs JSON line by line
+      output.each_line do |line|
+        next if line.strip.empty?
+        begin
+          json_obj = JSON.parse(line)
+          next unless json_obj.is_a?(Hash)
+          # Parse auditAdvisory type
+          if json_obj['type'] == 'auditAdvisory' && json_obj['data'] && json_obj['data']['advisory']
+            advisory = json_obj['data']['advisory']
+            advisory_id = advisory['id']
+            # Skip if we've already seen this advisory
+            next if seen_advisories[advisory_id]
+            seen_advisories[advisory_id] = true
+            # Extract package name and version from findings
+            if advisory['findings'] && advisory['findings'].is_a?(Array) && advisory['findings'].first
+              finding = advisory['findings'].first
+              version = finding['version'] || 'unknown'
+            else
+              version = 'unknown'
+            end
+            # Get severity (yarn uses lowercase)
+            severity = (advisory['severity'] || 'unknown').downcase
+            vulnerabilities << {
+              package: advisory['module_name'] || 'unknown',
+              version: version,
+              severity: severity,
+              title: advisory['title'] || advisory['overview'] || 'Vulnerability detected'
+            }
+          end
+        rescue JSON::ParserError
+          # Skip invalid JSON lines
+          next
+        end
+      end
+      @result.package_vulnerabilities = vulnerabilities
+    end
     def parse_npm_outdated_output(data)
       versions = []
@@ -789,7 +851,14 @@ module Rubion
       puts "\n  Both npm and yarn are available. Which would you like to use?"
       print "  Enter 'n' for npm or 'y' for yarn (default: npm): "
-      choice = $stdin.gets.chomp.strip.downcase
+      input = $stdin.gets
+      if input.nil?
+        # stdin not available (e.g., running through bundle exec in non-interactive mode)
+        puts "  (stdin not available, using npm as default)\n"
+        return 'npm'
+      end
+      choice = input.chomp.strip.downcase
       if choice.empty? || choice == 'n' || choice == 'npm'
         'npm'

data/lib/rubion/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Rubion
-  VERSION = "0.3.16"
+  VERSION = "0.3.18"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubion
 version: !ruby/object:Gem::Version
-  version: 0.3.16
+  version: 0.3.18
 platform: ruby
 authors:
 - bipashant
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-11-17 00:00:00.000000000 Z
+date: 2025-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: terminal-table