RubyGems - rubion - Versions diffs - 0.3.7 → 0.3.9 - Mend

rubion 0.3.7 → 0.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8699b79a4501e6f466fc31e5ff30e26d04d516c39ddc26ebc7feca06c5f21dfb
-  data.tar.gz: b9dc8ea8e40ec891d99632b5a1e5b74518feace3eee80c5bc1b9aca0f8d7f4c8
+  metadata.gz: cbfa8d01b6cef9604c0b32e7075db67ed38d96141419fad0dd02b44e8930609a
+  data.tar.gz: 2aaa821116bdd6cf9a02268f523db47573b4accfdeaae6277a8fe97207b24a3f
 SHA512:
-  metadata.gz: 882f8c6228137d7e5814df1b7ee0ab199d2b69abaf828ef4e9676b4df747b2c916a74e25208c92f6b0e941beeb71bc6e2095faad8e3109e173d4f72172e48ccc
-  data.tar.gz: 5388ff2bef79e8b19f75e0ec051ba3a6891675c666fbf2f41564d4cb065521f4d6570f21e3d8ca91c4c95618ce18fd6c22c8074c177609839184044e51e2e575
+  metadata.gz: f00a408ee14d7615a42de4d091a6bc10fb8d1f91d255fd2425126f241acfad3466e49064f4925eace4df986276d9052df8dca31974c70c52ca5127e91cf1b56e
+  data.tar.gz: 17cb903ed78b6a6cc11622fe706f2c48f98bd47daeb487abc8ccd90d356d15f8468b9747a9aa077823a083740910fe0a95647b0f417108f2ee6b272f070062fd

data/lib/rubion/scanner.rb CHANGED Viewed

@@ -148,17 +148,43 @@ module Rubion
     def check_npm_versions
       return unless @package_manager
-      command = "#{@package_manager} outdated --json 2>&1"
+      # Yarn v1 doesn't support --json flag, so handle it differently
+      if @package_manager == 'yarn'
+        check_yarn_outdated
+      else
+        check_npm_outdated
+      end
+    end
+    def check_npm_outdated
+      command = 'npm outdated --json 2>&1'
       stdout, stderr, status = Open3.capture3(command, chdir: @project_path)
       begin
         data = JSON.parse(stdout) unless stdout.empty?
         parse_npm_outdated_output(data || {})
-      rescue JSON::ParserError
+      rescue JSON::ParserError => e
+        puts "  ⚠️  Error parsing npm outdated JSON output: #{e.message}"
+        @result.package_versions = []
+      end
+    rescue StandardError => e
+      puts "  ⚠️  Could not run npm outdated (#{e.message}). Skipping package version check."
+      @result.package_versions = []
+    end
+    def check_yarn_outdated
+      # Yarn v1 doesn't support --json, so parse text output
+      command = 'yarn outdated 2>&1'
+      stdout, stderr, status = Open3.capture3(command, chdir: @project_path)
+      begin
+        parse_yarn_outdated_output(stdout)
+      rescue StandardError => e
+        puts "  ⚠️  Could not parse yarn outdated output (#{e.message}). Skipping package version check."
         @result.package_versions = []
       end
     rescue StandardError => e
-      puts "  ⚠️  Could not run #{@package_manager} outdated (#{e.message}). Skipping package version check."
+      puts "  ⚠️  Could not run yarn outdated (#{e.message}). Skipping package version check."
       @result.package_versions = []
     end
@@ -395,6 +421,104 @@ module Rubion
       @result.package_versions = []
     end
+    def parse_yarn_outdated_output(output)
+      versions = []
+      packages_to_process = []
+      # Yarn v1 outdated output format:
+      # Package Name    Current Wanted Latest
+      # package-name    1.0.0   1.0.0  2.0.0
+      # Skip header lines and parse package info
+      output.each_line do |line|
+        line = line.strip
+        next if line.empty?
+        next if line.start_with?('Package') || line.start_with?('yarn') || line.start_with?('Done')
+        next if line.include?('─') # Skip separator lines
+        # Parse format: package-name    current    wanted    latest    location
+        # Or: package-name    current    wanted    latest
+        parts = line.split(/\s+/)
+        next if parts.length < 4
+        package_name = parts[0]
+        current_version = parts[1]
+        latest_version = parts[3] # Skip wanted (parts[2]), use latest
+        # Skip if versions are the same (not outdated)
+        next if current_version == latest_version
+        packages_to_process << {
+          name: package_name,
+          current_version: current_version,
+          latest_version: latest_version
+        }
+      end
+      total = packages_to_process.size
+      return if total == 0
+      # Process in parallel with threads (limit to 10 concurrent requests)
+      mutex = Mutex.new
+      thread_pool = []
+      max_threads = 10
+      packages_to_process.each_with_index do |pkg_data, index|
+        # Wait if we have too many threads
+        thread_pool.shift.join if thread_pool.size >= max_threads
+        thread = Thread.new do
+          # Fetch all version info once per package (includes dates and version list)
+          pkg_data_full = fetch_npm_all_versions(pkg_data[:name])
+          # Extract dates for current and latest versions
+          current_date = pkg_data_full[:versions][pkg_data[:current_version]] || 'N/A'
+          latest_date = pkg_data_full[:versions][pkg_data[:latest_version]] || 'N/A'
+          # Calculate time difference
+          time_diff = calculate_time_difference(current_date, latest_date)
+          # Count versions between current and latest
+          version_count = count_versions_from_list(pkg_data_full[:version_list], pkg_data[:current_version],
+                                                   pkg_data[:latest_version])
+          # Check if this is a direct dependency
+          direct_dependency = is_direct_package?(pkg_data[:name])
+          result = {
+            package: pkg_data[:name],
+            current: pkg_data[:current_version],
+            current_date: current_date,
+            latest: pkg_data[:latest_version],
+            latest_date: latest_date,
+            time_diff: time_diff,
+            version_count: version_count,
+            direct: direct_dependency,
+            index: index
+          }
+          mutex.synchronize do
+            versions << result
+            print "\r📦 Checking NPM packages... #{versions.size}/#{total}"
+            $stdout.flush
+          end
+        end
+        thread_pool << thread
+      end
+      # Wait for all threads to complete
+      thread_pool.each(&:join)
+      # Sort by original index to maintain order
+      versions.sort_by! { |v| v[:index] }
+      versions.each { |v| v.delete(:index) }
+      puts "\r📦 Checking NPM packages... #{total}/#{total} ✓" if total > 0
+      @result.package_versions = versions
+    end
     # Dummy data for demonstration (commented out - only show real data)
     # Uncomment these methods if you need dummy data for testing

data/lib/rubion/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Rubion
-  VERSION = "0.3.7"
+  VERSION = "0.3.9"
 end

data/lib/rubion.rb CHANGED Viewed

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
-require_relative "rubion/version"
-require_relative "rubion/scanner"
-require_relative "rubion/reporter"
+require_relative 'rubion/version'
+require_relative 'rubion/scanner'
+require_relative 'rubion/reporter'
 module Rubion
   class Error < StandardError; end
@@ -10,7 +10,7 @@ module Rubion
   class CLI
     def self.start(args)
       command = args[0]
       case command
       when 'scan'
         # Parse options
@@ -29,8 +29,8 @@ module Rubion
     def self.parse_scan_options(args)
       # Default to sorting by "Behind By(Time)" in descending order
-      options = { gems: true, packages: true, sort_by: "Behind By(Time)", sort_desc: true, exclude_dependencies: false }
+      options = { gems: true, packages: true, sort_by: 'Behind By(Time)', sort_desc: true, exclude_dependencies: false }
       # Check for --gems-only or --packages-only flags
       if args.include?('--gems-only') || args.include?('-g')
         options[:gems] = true
@@ -43,50 +43,54 @@ module Rubion
         options[:gems] = args.include?('--gems')
         options[:packages] = args.include?('--packages')
       end
       # Parse --sort-by or -s option
       sort_index = args.index('--sort-by') || args.index('-s')
-      if sort_index && args[sort_index + 1]
-        options[:sort_by] = args[sort_index + 1]
+      options[:sort_by] = args[sort_index + 1] if sort_index && args[sort_index + 1]
+      # Parse --asc/--ascending or --desc/--descending for sort order
+      if args.include?('--asc') || args.include?('--ascending')
+        options[:sort_desc] = false
+      elsif args.include?('--desc') || args.include?('--descending')
+        options[:sort_desc] = true
       end
-      # Parse --asc or --ascending for ascending order (descending is default)
-      options[:sort_desc] = false if args.include?('--asc') || args.include?('--ascending')
       # Parse --exclude-dependencies flag
       options[:exclude_dependencies] = true if args.include?('--exclude-dependencies')
       options
     end
-    def self.scan(options = { gems: true, packages: true, sort_by: "Behind By(Time)", sort_desc: true, exclude_dependencies: false })
+    def self.scan(options = { gems: true, packages: true, sort_by: 'Behind By(Time)', sort_desc: true,
+                              exclude_dependencies: false })
       project_path = Dir.pwd
       scanner = Scanner.new(project_path: project_path)
       result = scanner.scan_incremental(options)
       # Results are already printed incrementally based on options
       # Package results are printed in scan_incremental, but we need to ensure
       # they use the same reporter instance with sort_by
       # Actually, scan_incremental handles gem printing, but package printing
       # happens here, so we need a reporter for packages
-      if options[:packages]
-        reporter = Reporter.new(result, sort_by: options[:sort_by], sort_desc: options[:sort_desc], exclude_dependencies: options[:exclude_dependencies])
-        reporter.print_package_vulnerabilities
-        reporter.print_package_versions
-      end
+      return unless options[:packages]
+      reporter = Reporter.new(result, sort_by: options[:sort_by], sort_desc: options[:sort_desc],
+                                      exclude_dependencies: options[:exclude_dependencies])
+      reporter.print_package_vulnerabilities
+      reporter.print_package_versions
     end
     def self.print_help
       puts <<~HELP
         🔒 Rubion - Security & Version Scanner for Ruby and JavaScript projects
         USAGE:
           rubion scan [OPTIONS]       Scan current project for vulnerabilities and outdated versions
           rubion version              Display Rubion version
           rubion help                 Display this help message
         SCAN OPTIONS:
           --gems, --gem, -g           Scan only Ruby gems (skip NPM packages)
           --packages, --npm, -p       Scan only NPM packages (skip Ruby gems)
@@ -94,61 +98,64 @@ module Rubion
           --sort-by COLUMN, -s COLUMN Sort results by column (Name, Current, Date, Latest, Behind By(Time), Behind By(Versions))
                                      (default: "Behind By(Time)" in descending order)
           --asc, --ascending          Sort in ascending order (use with --sort-by)
+          --desc, --descending        Sort in descending order (use with --sort-by, default)
           --exclude-dependencies      Show only direct dependencies (from Gemfile/package.json)
         DESCRIPTION:
           Rubion scans your project for:
             - Ruby gem vulnerabilities (using bundler-audit)
             - Outdated Ruby gems (using bundle outdated)
             - NPM/JavaScript package vulnerabilities (using npm audit or yarn audit)
             - Outdated NPM/JavaScript packages (using npm outdated or yarn outdated)
         OUTPUT:
           Results are displayed in organized tables with:
             📛 Vulnerabilities with severity icons (🔴 Critical, 🟠 High, 🟡 Medium, 🟢 Low)
             📦 Version information with release dates
             ⏱️  Time difference ("Behind By" column)
             🔢 Version count between current and latest
         EXAMPLES:
           # Scan both gems and packages (default)
           rubion scan
+        #{'  '}
           # Scan only Ruby gems
           rubion scan --gems
+        #{'  '}
           # Scan only NPM packages
           rubion scan --packages
+        #{'  '}
           # Sort by name
           rubion scan --sort-by Name
+        #{'  '}
           # Sort by versions behind
           rubion scan -s "Behind By(Versions)"
+        #{'  '}
           # Sort by name in descending order (default)
           rubion scan --sort-by Name
+        #{'  '}
           # Sort by name in ascending order
           rubion scan --sort-by Name --asc
+        #{'  '}
+          # Sort by name in descending order
+          rubion scan --sort-by Name --desc
+        #{'  '}
           # Show only direct dependencies
           rubion scan --exclude-dependencies
+        #{'  '}
           # Get help
           rubion help
         REQUIREMENTS:
           - Ruby 2.6+
           - Bundler (for gem scanning)
           - NPM or Yarn (for package scanning, optional)
           - bundler-audit (optional, install with: gem install bundler-audit)
+        #{'  '}
         NOTE:
           If both npm and yarn are available, you will be prompted to choose which one to use.
       HELP
     end
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubion
 version: !ruby/object:Gem::Version
-  version: 0.3.7
+  version: 0.3.9
 platform: ruby
 authors:
 - bipashant