security_report 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 99b4d40e7864b7321e4fe114f416115a9871ceb1
+  data.tar.gz: ddabf21cb626701b170ec34c3653f16da4a35318
+SHA512:
+  metadata.gz: 404d4bd5a7705fa4141f8e7ea40685cdfeff5712fb85861071fa330de245f25e8c2a2d8f51e35aa5c119baa26608417d2355202b441bc6e6f5a2fb24207f8ae3
+  data.tar.gz: 767fd7bd20cd9fd35dc55e611f9464308ee8610d213bee9d07f47f30213010aafd718d4da92a06ba38cb794d42df00e64e7b9ac91a86262fbd437c59de046802

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,5 @@
+language: ruby
+rvm:
+  - 2.5
+  - 2.4
+  - 2.3

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in security_report.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,46 @@
+PATH
+  remote: .
+  specs:
+    security_report (0.1.0)
+      bundler-audit (~> 0.6)
+      clap (~> 1.0)
+      terminal-table (~> 1.8)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    bundler-audit (0.6.0)
+      bundler (~> 1.2)
+      thor (~> 0.18)
+    clap (1.0.0)
+    diff-lcs (1.3)
+    rake (12.3.1)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    terminal-table (1.8.0)
+      unicode-display_width (~> 1.1, >= 1.1.1)
+    thor (0.20.0)
+    unicode-display_width (1.4.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  rake (~> 12.3)
+  rspec (~> 3.0)
+  security_report!
+
+BUNDLED WITH
+   1.16.3

data/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Lucas Dohmen
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,76 @@
+# security_report
+
+[![Build Status](https://travis-ci.org/innoq/security_report.svg?branch=master)](https://travis-ci.org/innoq/security_report)
+[![Depfu](https://badges.depfu.com/badges/d566920d877cee415e76cd9a4e680eb0/count.svg)](https://depfu.com/github/innoq/security_report?project=Bundler)
+
+Check Ruby projects for dependencies with known security problems. This project
+uses [bundler-audit](https://github.com/rubysec/bundler-audit) to check the
+Gemfiles. It then generates a report like this:
+
+    # jquery-rails (3.0.4)
+    Projects: spec/examples/project_1
+    Solution: Upgrade to a new version
+    Problems:
+    * CVE-2015-1840 (CSRF Vulnerability in jquery-r...)
+
+    # paperclip (2.8.0)
+    Projects: spec/examples/project_1
+    Solution: Upgrade to a new version
+    Problems:
+    * CVE-2017-0889 (Paperclip ruby gem suffers fro...)
+    * CVE-2015-2963 (Paperclip Gem for Ruby vulnera...)
+    * 103151 (Paperclip Gem for Ruby contain...)
+
+    # rest-client (1.6.7)
+    Projects: spec/examples/project_1
+    Solution: Upgrade to a new version
+    Problems:
+    * CVE-2015-1820 (rubygem-rest-client: session f...)
+    * CVE-2015-3448 (Rest-Client Gem for Ruby logs...)
+
+    # rubyzip (1.1.7)
+    Projects: spec/examples/project_1, spec/examples/project_2
+    Solution: Upgrade to a new version
+    Problems:
+    * CVE-2017-5946 (Directory traversal vulnerabil...)
+    * CVE-2017-5946 (Directory traversal vulnerabil...)
+
+The goal of this project is to provide a functionality similar to Github's
+security mail for projects that are self hosted on Bitbucket or other
+self-hosted version control repository hosting services. You can add a
+scheduled job that runs security_report every night for each of your Ruby
+projects and mail out the result to the developers.
+
+security_report **does not check your code for security problems**. If you need
+something like that and are using Rails, check out
+[brakeman](https://github.com/presidentbeef/brakeman).
+
+## Installation
+
+    $ gem install security_report
+
+## Usage
+
+Run security_report like this:
+
+    security_report path_to_your_project
+
+This will output the security report to your terminal. You can also provide the
+path to multiple projects. To run the security report for each project in the
+projects folder, run:
+
+    security_report projects/*
+
+The tool uses a database of known vulnerabilities. To update the database, use
+the `--update` option:
+
+    security_report --update projects/*
+
+You can also use a different output format. The default format is called plain.
+There is also a table output. If you want to use it instead, run:
+
+    security_report --format table projects/*
+
+## License
+
+security_report is licensed under Apache 2.0 License.

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/exe/security_report

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'clap'
+require 'security_report/cli'
+
+cli = SecurityReport::CLI.new
+
+files = Clap.run ARGV,
+  "-h" => cli.method(:help),
+  "--help" => cli.method(:help),
+  "--format" => cli.method(:format=),
+  "--update" => cli.method(:update)
+
+cli.run(files)

data/lib/security_report/cli.rb

@@ -0,0 +1,51 @@
+require 'security_report'
+
+module SecurityReport
+  class CLI
+    attr_accessor :format
+
+    def initialize
+      @format = "plain"
+    end
+
+    def help
+      puts <<~HELPTEXT
+        security_report [options] files...
+
+        -h, --help
+          Print this message
+        --format
+          Provide the format: plain or table (default: plain)
+        --update
+          Update the vulnerability database before running
+      HELPTEXT
+      exit
+    end
+
+    def reporter
+      case format
+      when "plain"
+        require 'security_report/plain_reporter'
+        @reporter = PlainReporter.new
+      when "table"
+        require 'security_report/table_reporter'
+        @reporter = TableReporter.new
+      else
+        puts "Unknown format '#{format}'"
+        exit 1
+      end
+    end
+
+    def update
+      return if Database.update
+      puts "Failed updating database!"
+      exit 1
+    end
+
+    def run(files)
+      auditor = Auditor.audit(files)
+      reporter.report(auditor.results, auditor.skipped)
+      exit 1 if auditor.results.any?
+    end
+  end
+end

data/lib/security_report/database.rb

@@ -0,0 +1,9 @@
+require 'bundler/audit/database'
+
+module SecurityReport
+  module Database
+    def self.update
+      ::Bundler::Audit::Database.update!(quiet: true)
+    end
+  end
+end

data/lib/security_report/grouped_result.rb

@@ -0,0 +1,30 @@
+module SecurityReport
+  class GroupedResult
+    def initialize(results)
+      @results = results
+    end
+
+    def identifier
+      @results.first.identifier
+    end
+
+    def targets
+      @results.map(&:target).uniq
+    end
+
+    def problems
+      @results.map(&:problem)
+    end
+
+    def solution
+      @results.map(&:solution).uniq.join(", ")
+    end
+
+    def criticality
+      criticalities = @results.map(&:criticality).uniq
+      return :high if criticalities.include? :high
+      return :medium if criticalities.include? :high
+      :low
+    end
+  end
+end

data/lib/security_report/insecure_source_result.rb

@@ -0,0 +1,27 @@
+module SecurityReport
+  class InsecureSourceResult
+    attr_reader :identifier
+    attr_reader :target
+
+    def initialize(scan_result, target)
+      @identifier = scan_result.source
+      @target = target
+    end
+
+    def problem
+      Problem.new("Insecure URI", "Do not use an insecure Source URI", nil)
+    end
+
+    def solution
+      "Use a secure URI"
+    end
+
+    def criticality
+      :high
+    end
+
+    def self.matches?(obj)
+      obj.instance_of? ::Bundler::Audit::Scanner::InsecureSource
+    end
+  end
+end

data/lib/security_report/plain_reporter.rb

@@ -0,0 +1,42 @@
+module SecurityReport
+  class PlainReporter
+    def report(results, skipped)
+      if results.any?
+        high, medium_or_lower = results.partition { |result| result.criticality == :high }
+        medium, low_or_unknown = medium_or_lower.partition { |result| result.criticality == :medium }
+
+        puts format_results(high) if high.any?
+        puts format_results(medium) if medium.any?
+        puts format_results(low_or_unknown) if low_or_unknown.any?
+      else
+        puts "No vulnerabilities found"
+      end
+
+      if skipped.any?
+        puts
+        puts "Skipped #{skipped.join(", ")}: No Gemfile.lock found"
+      end
+    end
+
+    private
+
+    def format_results(results)
+      results.map do |result|
+        <<~HELPTEXT
+        # #{result.identifier}"
+        Projects: #{result.targets.join(", ")}"
+        Criticality: #{result.criticality}"
+        Solution: #{result.solution}"
+        Problems:
+        #{format_problems(result.problems)}
+        HELPTEXT
+      end.join("\n") + "\n"
+    end
+
+    def format_problems(problems)
+      problems.map do |problem|
+        "* #{problem.summary}"
+      end.join("\n")
+    end
+  end
+end

data/lib/security_report/problem.rb

@@ -0,0 +1,19 @@
+module SecurityReport
+  class Problem
+    def initialize(identifier, description, url)
+      @identifier = identifier
+      @description = description
+      @url = url
+    end
+
+    def summary
+      "#{@identifier} (#{truncate(@description, 30)})"
+    end
+
+    private
+
+    def truncate(string, max)
+      string.length > max ? "#{string[0...max].strip}..." : string
+    end
+  end
+end

data/lib/security_report/scanner.rb

@@ -0,0 +1,39 @@
+require 'fileutils'
+require 'bundler/audit/scanner'
+require 'security_report/unpatched_gem_result'
+require 'security_report/insecure_source_result'
+
+module SecurityReport
+  class Scanner
+    def scan(directory)
+      results = with_gemfile do
+        ::Bundler::Audit::Scanner.new(directory).scan
+      end
+
+      results.map do |scan_result|
+        detected_matching_result_class(scan_result).new(scan_result, directory)
+      end
+    end
+
+    private
+
+    # This is a weird workaround, for methods that
+    # require a Gemfile in the current directory
+    def with_gemfile
+      if File.exist? 'Gemfile'
+        yield
+      else
+        FileUtils.touch 'Gemfile'
+        return_value = yield
+        FileUtils.rm 'Gemfile'
+        return_value
+      end
+    end
+
+    def detected_matching_result_class(scan_result)
+      [InsecureSourceResult, UnpatchedGemResult].detect do |result_class|
+        result_class.matches? scan_result
+      end
+    end
+  end
+end

data/lib/security_report/table_reporter.rb

@@ -0,0 +1,41 @@
+require 'terminal-table'
+
+module SecurityReport
+  class TableReporter
+    def report(results, skipped)
+      if results.any?
+        high, medium_or_lower = results.partition { |result| result.criticality == :high }
+        medium, low_or_unknown = medium_or_lower.partition { |result| result.criticality == :medium }
+
+        puts tableize("High criticality", high) if high.any?
+        puts tableize("Medium criticality", medium) if medium.any?
+        puts tableize("Low or unknown criticality", low_or_unknown) if low_or_unknown.any?
+        puts
+        puts "Vulnerabilities (#{high.size} high, #{medium.size} medium, #{low_or_unknown.size} low or unkown) found!"
+      else
+        puts "No vulnerabilities found"
+      end
+
+      if skipped.any?
+        puts "Skipped #{skipped.join(", ")}: No Gemfile.lock found"
+      end
+    end
+
+    private
+
+    def tableize(title, results)
+      Terminal::Table.new(
+        title: title,
+        headings: ['Identifier', 'Target', 'Solution', 'Problem'],
+        rows: results.map do |result|
+          [
+            result.identifier,
+            result.targets.join(", "),
+            result.solution,
+            result.problems.map(&:summary).join("\n")
+          ]
+        end
+      )
+    end
+  end
+end

data/lib/security_report/unpatched_gem_result.rb

@@ -0,0 +1,47 @@
+require 'forwardable'
+require 'security_report/problem'
+
+module SecurityReport
+  class UnpatchedGemResult
+    extend Forwardable
+
+    attr_reader :identifier
+    attr_reader :target
+
+    def_delegator :advisory, :criticality
+
+    def initialize(scan_result, target)
+      @identifier = scan_result.gem.to_s
+      @advisory = scan_result.advisory
+      @target = target
+    end
+
+    def problem
+      Problem.new(problem_id, advisory.title, advisory.url)
+    end
+
+    def solution
+      if advisory.patched_versions.empty?
+        "Remove or disable this gem until a patch is available!"
+      else
+        "Upgrade to a new version"
+      end
+    end
+
+    def self.matches?(obj)
+      obj.instance_of? ::Bundler::Audit::Scanner::UnpatchedGem
+    end
+
+    private
+
+    attr_reader :advisory
+
+    def problem_id
+      if advisory.cve
+        "CVE-#{advisory.cve}"
+      elsif advisory.osvdb
+        advisory.osvdb
+      end
+    end
+  end
+end

data/lib/security_report/version.rb

@@ -0,0 +1,3 @@
+module SecurityReport
+  VERSION = "0.1.0".freeze
+end

data/lib/security_report.rb

@@ -0,0 +1,38 @@
+require 'security_report/version'
+require 'security_report/database'
+require 'security_report/scanner'
+require 'security_report/grouped_result'
+
+module SecurityReport
+  class Auditor
+    def self.audit(directories)
+      auditor = new
+
+      directories.each do |directory|
+        auditor.check(directory)
+      end
+
+      auditor
+    end
+
+    attr_reader :skipped
+
+    def initialize
+      @results = []
+      @skipped = []
+      @scanner = Scanner.new
+    end
+
+    def check(directory)
+      @results.concat(@scanner.scan(directory))
+    rescue Errno::ENOENT
+      @skipped.push(directory)
+    end
+
+    def results
+      @results.group_by(&:identifier).map do |_, results|
+        GroupedResult.new(results)
+      end
+    end
+  end
+end

data/security_report.gemspec

@@ -0,0 +1,31 @@
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "security_report/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "security_report"
+  spec.version       = SecurityReport::VERSION
+  spec.authors       = ["Lucas Dohmen"]
+  spec.email         = ["lucas.dohmen@innoq.com"]
+  spec.license       = "Apache-2.0"
+
+  spec.summary       = "Generate a security report"
+  spec.description   = "Check Ruby projects for dependencies with known security problems"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "bundler-audit", "~> 0.6"
+  spec.add_dependency "clap", "~> 1.0"
+  spec.add_dependency "terminal-table", "~> 1.8"
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

metadata

@@ -0,0 +1,150 @@
+--- !ruby/object:Gem::Specification
+name: security_report
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Lucas Dohmen
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2018-08-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: clap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: terminal-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Check Ruby projects for dependencies with known security problems
+email:
+- lucas.dohmen@innoq.com
+executables:
+- security_report
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- exe/security_report
+- lib/security_report.rb
+- lib/security_report/cli.rb
+- lib/security_report/database.rb
+- lib/security_report/grouped_result.rb
+- lib/security_report/insecure_source_result.rb
+- lib/security_report/plain_reporter.rb
+- lib/security_report/problem.rb
+- lib/security_report/scanner.rb
+- lib/security_report/table_reporter.rb
+- lib/security_report/unpatched_gem_result.rb
+- lib/security_report/version.rb
+- security_report.gemspec
+homepage: 
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14.1
+signing_key: 
+specification_version: 4
+summary: Generate a security report
+test_files: []