RubyGems - still_active - Versions diffs - 1.4.2 → 1.6.0 - Mend

still_active 1.4.2 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +20 -0
data/README.md +100 -19
data/lib/helpers/alternatives_helper.rb +42 -0
data/lib/helpers/bot_context.rb +132 -0
data/lib/helpers/catalog_index.rb +98 -0
data/lib/helpers/cyclonedx_helper.rb +159 -0
data/lib/helpers/markdown_helper.rb +20 -2
data/lib/helpers/ruby_advisory_db.rb +93 -0
data/lib/helpers/sarif_helper.rb +9 -2
data/lib/helpers/terminal_helper.rb +27 -3
data/lib/helpers/version_helper.rb +9 -0
data/lib/helpers/vulnerability_helper.rb +35 -0
data/lib/still_active/cli.rb +55 -4
data/lib/still_active/config.rb +7 -1
data/lib/still_active/deps_dev_client.rb +1 -0
data/lib/still_active/options.rb +12 -0
data/lib/still_active/version.rb +1 -1
data/lib/still_active/workflow.rb +35 -7
data/still_active.gemspec +6 -1
metadata +22 -3

data/lib/still_active/workflow.rb CHANGED Viewed

@@ -3,9 +3,14 @@
 require_relative "deps_dev_client"
 require_relative "gitlab_client"
 require_relative "repository"
+require_relative "../helpers/activity_helper"
+require_relative "../helpers/alternatives_helper"
+require_relative "../helpers/catalog_index"
 require_relative "../helpers/libyear_helper"
+require_relative "../helpers/ruby_advisory_db"
 require_relative "../helpers/ruby_helper"
 require_relative "../helpers/version_helper"
+require_relative "../helpers/vulnerability_helper"
 require "async"
 require "async/barrier"
 require "async/semaphore"
@@ -17,6 +22,10 @@ module StillActive
     def call(&on_progress)
       task = Async do
+        # Load the optional ruby-advisory-db once, before the fan-out, so the
+        # read-only Database is shared across fibers rather than reloaded per gem.
+        advisory_db = RubyAdvisoryDb.load
+        catalog = StillActive.config.alternatives ? CatalogIndex.load : nil
         barrier = Async::Barrier.new
         semaphore = Async::Semaphore.new(StillActive.config.parallelism, parent: barrier)
         result_object = {}
@@ -30,6 +39,8 @@ module StillActive
               gem_version: gem[:version],
               source_type: gem[:source_type] || :rubygems,
               source_uri: gem[:source_uri],
+              advisory_db: advisory_db,
+              catalog: catalog,
             )
           rescue Octokit::TooManyRequests
             $stderr.print("\r\e[K") if on_progress
@@ -54,24 +65,27 @@ module StillActive
     private
-    def gem_info(gem_name:, result_object:, gem_version: nil, source_type: :rubygems, source_uri: nil)
+    def gem_info(gem_name:, result_object:, gem_version: nil, source_type: :rubygems, source_uri: nil, advisory_db: nil, catalog: nil)
       result_object[gem_name] = { source_type: source_type }
       result_object[gem_name][:version_used] = gem_version if gem_version
       case source_type
       when :path, :git
-        gem_info_non_rubygems(gem_name: gem_name, gem_version: gem_version, result_object: result_object, source_uri: source_uri)
+        gem_info_non_rubygems(gem_name: gem_name, gem_version: gem_version, result_object: result_object, source_uri: source_uri, advisory_db: advisory_db)
       else
         gem_info_rubygems(
           gem_name: gem_name,
           gem_version: gem_version,
           result_object: result_object,
           source_uri: source_uri,
+          advisory_db: advisory_db,
         )
       end
+      attach_alternatives(gem_name: gem_name, result_object: result_object, catalog: catalog)
     end
-    def gem_info_rubygems(gem_name:, gem_version:, result_object:, source_uri:)
+    def gem_info_rubygems(gem_name:, gem_version:, result_object:, source_uri:, advisory_db: nil)
       vs = versions(gem_name: gem_name, source_uri: source_uri)
       repo_info = repository_info(gem_name: gem_name, versions: vs)
       commit_date = last_commit_date(
@@ -89,6 +103,7 @@ module StillActive
       deps_dev = fetch_deps_dev_info(
         gem_name: gem_name,
         version: gem_version || VersionHelper.gem_version(version_hash: last_release),
+        advisory_db: advisory_db,
       )
       result_object[gem_name].merge!({
         latest_version: VersionHelper.gem_version(version_hash: last_release),
@@ -118,6 +133,7 @@ module StillActive
           version_used_release_date: VersionHelper.release_date(version_hash: version_used),
           version_yanked: !vs.empty? && version_used.nil?,
+          license: VersionHelper.license(version_hash: version_used),
           libyear: LibyearHelper.gem_libyear(
             version_used_release_date: VersionHelper.release_date(version_hash: version_used),
             latest_version_release_date: VersionHelper.release_date(version_hash: last_release),
@@ -126,10 +142,10 @@ module StillActive
       end
     end
-    def gem_info_non_rubygems(gem_name:, gem_version:, result_object:, source_uri: nil)
+    def gem_info_non_rubygems(gem_name:, gem_version:, result_object:, source_uri: nil, advisory_db: nil)
       repo_info = repository_info_for_non_rubygems(gem_name: gem_name, source_uri: source_uri)
       source, owner, name = repo_info.values_at(:source, :owner, :name)
-      deps_dev = gem_version ? fetch_deps_dev_info(gem_name: gem_name, version: gem_version) : {}
+      deps_dev = gem_version ? fetch_deps_dev_info(gem_name: gem_name, version: gem_version, advisory_db: advisory_db) : {}
       # Fall back to repo-derived project_id for scorecard when deps.dev doesn't have the version
       deps_dev[:scorecard_score] ||= DepsDevClient.project_scorecard(project_id: repo_info[:project_id])&.dig(:score)
@@ -142,11 +158,23 @@ module StillActive
       })
     end
-    def fetch_deps_dev_info(gem_name:, version:)
+    def attach_alternatives(gem_name:, result_object:, catalog:)
+      return if catalog.nil?
+      return unless [:archived, :critical].include?(ActivityHelper.activity_level(result_object[gem_name]))
+      leads = AlternativesHelper.leads_for(gem_name: gem_name, index: catalog)
+      result_object[gem_name][:alternatives] = leads unless leads.empty?
+    rescue StandardError
+      nil # cosmetic best-effort: lead-fetching must never break the core audit
+    end
+    def fetch_deps_dev_info(gem_name:, version:, advisory_db: nil)
       info = DepsDevClient.version_info(gem_name: gem_name, version: version)
       scorecard = DepsDevClient.project_scorecard(project_id: info&.dig(:project_id))
       advisory_keys = info&.dig(:advisory_keys) || []
-      vulnerabilities = advisory_keys.filter_map { |id| DepsDevClient.advisory_detail(advisory_id: id) }
+      deps_dev_vulns = advisory_keys.filter_map { |id| DepsDevClient.advisory_detail(advisory_id: id) }
+      radb_vulns = RubyAdvisoryDb.advisories_for(database: advisory_db, gem_name: gem_name, version: version)
+      vulnerabilities = VulnerabilityHelper.merge_advisories(deps_dev: deps_dev_vulns, ruby_advisory_db: radb_vulns)
       {
         scorecard_score: scorecard&.dig(:score),
         vulnerability_count: vulnerabilities.length,

data/still_active.gemspec CHANGED Viewed

@@ -36,6 +36,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{\Abin/still_active}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
+  spec.add_development_dependency("bundler-audit")
   spec.add_development_dependency("debug")
   spec.add_development_dependency("faker")
   spec.add_development_dependency("json_schemer")
@@ -44,7 +45,11 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency("rubocop-rspec")
   spec.add_development_dependency("rubocop-shopify")
-  spec.add_runtime_dependency("async")
+  # 2.0/2.1 ship a scheduler that breaks our fan-out (io_read); 2.2 is the
+  # verified floor (checked against Ruby 3.3 in Docker). octokit/faraday-retry/
+  # gems work down to ancient versions, so they stay unpinned rather than
+  # carry an artificial floor.
+  spec.add_runtime_dependency("async", ">= 2.2")
   spec.add_runtime_dependency("bundler", ">= 2.0")
   spec.add_runtime_dependency("faraday-retry")
   spec.add_runtime_dependency("gems")

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: still_active
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.6.0
 platform: ruby
 authors:
 - Sean Floyd
@@ -9,6 +9,20 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -113,14 +127,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -197,14 +211,19 @@ files:
 - README.md
 - bin/still_active
 - lib/helpers/activity_helper.rb
+- lib/helpers/alternatives_helper.rb
 - lib/helpers/ansi_helper.rb
+- lib/helpers/bot_context.rb
 - lib/helpers/bundler_helper.rb
+- lib/helpers/catalog_index.rb
+- lib/helpers/cyclonedx_helper.rb
 - lib/helpers/diff_markdown_helper.rb
 - lib/helpers/emoji_helper.rb
 - lib/helpers/http_helper.rb
 - lib/helpers/libyear_helper.rb
 - lib/helpers/lockfile_indexer.rb
 - lib/helpers/markdown_helper.rb
+- lib/helpers/ruby_advisory_db.rb
 - lib/helpers/ruby_helper.rb
 - lib/helpers/sarif_helper.rb
 - lib/helpers/terminal_helper.rb