still_active 1.6.0 → 2.0.0

data/lib/helpers/terminal_helper.rb

@@ -2,6 +2,7 @@
 
 require_relative "activity_helper"
 require_relative "ansi_helper"
+require_relative "summary_helper"
 require_relative "libyear_helper"
 require_relative "version_helper"
 require_relative "vulnerability_helper"
@@ -22,7 +23,10 @@ module StillActive
       lines << separator_line(widths)
       names.each_with_index do |name, i|
         lines << row_line(rows[i], widths)
-        extra = alternatives_line(result[name])
+        data = result[name]
+        # Transitive gems can't be swapped directly, so point at the direct
+        # parent instead of suggesting alternatives for them (#60).
+        extra = data[:direct] == false ? dependency_path_line(data) : alternatives_line(data)
         lines << extra if extra
       end
       lines << ""
@@ -142,6 +146,18 @@ module StillActive
       end
     end
 
+    # For a flagged transitive gem, name the direct dependency that pulls it in,
+    # the gem the user can actually act on (#60).
+    def dependency_path_line(data)
+      path = data[:dependency_path]
+      return unless path && path.length >= 2
+
+      level = ActivityHelper.activity_level(data)
+      return unless [:archived, :critical].include?(level) || data[:vulnerability_count].to_i.positive?
+
+      AnsiHelper.dim("  ↳ transitive, pulled in by #{path.first}")
+    end
+
     def ruby_summary_line(ruby_info)
       version = ruby_info[:version]
       latest = ruby_info[:latest_version]
@@ -161,29 +177,23 @@ module StillActive
       end
     end
 
+    # Reuse the same digest the JSON output emits so the human summary line can
+    # never drift from the machine one (the #63 "computed two ways" trap). The
+    # terminal keeps a coarser grouping (critical folds into stale) and adds its
+    # own yanked / total-libyear extras that the JSON digest doesn't carry.
     def summary_line(result)
-      total = result.size
-      level_counts = result.each_value.map { |d| ActivityHelper.activity_level(d) }.tally
-      version_counts = result.each_value
-        .map { |d| VersionHelper.up_to_date(version_used: d[:version_used], latest_version: d[:latest_version]) }
-        .tally
-
-      up_to_date = version_counts.fetch(true, 0)
-      outdated = version_counts.fetch(false, 0)
+      summary = SummaryHelper.summarize(result)
+      active = summary[:activity][:ok]
+      stale = summary[:activity][:stale] + summary[:activity][:critical]
+      archived = summary[:activity][:archived]
       yanked = result.each_value.count { |d| d[:version_yanked] }
-      active = level_counts.fetch(:ok, 0)
-      archived = level_counts.fetch(:archived, 0)
-      stale = level_counts.fetch(:stale, 0) + level_counts.fetch(:critical, 0)
-      vulns = result.each_value.sum { |d| d[:vulnerability_count] || 0 }
 
-      parts = [
-        "#{total} gems: #{up_to_date} up to date, #{outdated} outdated",
-      ]
+      parts = ["#{summary[:total_gems]} gems: #{summary[:up_to_date]} up to date, #{summary[:outdated]} outdated"]
       parts.last << ", #{yanked} yanked" if yanked > 0
       activity = "#{active} active, #{stale} stale"
       activity << ", #{archived} archived" if archived > 0
       parts << activity
-      parts << "#{vulns} vulnerabilities"
+      parts << "#{summary[:vulnerabilities]} vulnerabilities"
       total_libyear = LibyearHelper.total_libyear(result)
       parts << "#{total_libyear.round(1)} libyears behind" if total_libyear > 0
       parts.join(" · ")

data/lib/helpers/version_helper.rb

@@ -12,7 +12,13 @@ module StillActive
       elsif !version_string.nil?
         versions&.find { |v| v["number"] == version_string }
       else
-        versions&.find { |v| v["prerelease"] == pre_release }
+        # The "latest" of a kind: pick the highest by version rather than trust
+        # the source's ordering. RubyGems happens to return newest-first, but
+        # GitHub Packages and other sources don't, and a wrong "latest" cascades
+        # into up_to_date and libyear.
+        versions
+          &.select { |v| v["prerelease"] == pre_release }
+          &.max_by { |v| to_gem_version(v["number"]) || Gem::Version.new("0") }
       end
     end
 

data/lib/still_active/artifactory_client.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require "bundler"
+require "cgi"
+require "json"
+require "uri"
+require_relative "../helpers/http_helper"
+
+module StillActive
+  module ArtifactoryClient
+    extend self
+
+    def artifactory_uri?(uri)
+      # Hostnames are case-insensitive, so downcase before the suffix check; an
+      # uppercase jfrog host would otherwise be misread as an unqueryable source.
+      uri.is_a?(String) && URI(uri).host&.downcase&.end_with?(".jfrog.io")
+    rescue URI::InvalidURIError
+      false
+    end
+
+    def versions(gem_name:, source_uri:)
+      headers = auth_headers(gem_name: gem_name, source_uri: source_uri)
+      vs = RubygemsClient.versions(gem_name: gem_name, source_uri: source_uri, headers: headers)
+      return vs unless vs.empty?
+
+      AqlClient.versions(gem_name: gem_name, source_uri: source_uri, headers: headers)
+    rescue Errno::ECONNRESET, Errno::ECONNREFUSED, Net::OpenTimeout, Net::ReadTimeout, SocketError
+      []
+    end
+
+    private
+
+    def credentials(gem_name:, source_uri:)
+      host = URI(source_uri).host
+      bundler = Bundler.settings[source_uri] || Bundler.settings[host]
+      return bundler if bundler && !bundler.empty?
+
+      global = StillActive.config.artifactory_token
+      return unless global
+
+      configured_host = StillActive.config.artifactory_host
+      unless configured_host && host&.casecmp?(configured_host)
+        warn_unauthorized_host(gem_name: gem_name, host: host)
+        return
+      end
+
+      global
+    end
+
+    def warn_unauthorized_host(gem_name:, host:)
+      $stderr.puts(
+        "warning: an Artifactory token is set but #{host} (source for #{gem_name}) is not an authorized host, " \
+          "so the token will not be sent. " \
+          "To allow it, set --artifactory-host=#{host} or STILL_ACTIVE_ARTIFACTORY_HOST=#{host}",
+      )
+    end
+
+    def auth_headers(gem_name:, source_uri:)
+      creds = credentials(gem_name: gem_name, source_uri: source_uri)
+      return {} unless creds
+
+      if creds.include?(":")
+        user, pass = creds.split(":", 2).map { |part| CGI.unescape(part) }
+        { "Authorization" => "Basic #{["#{user}:#{pass}"].pack("m0")}" }
+      else
+        { "Authorization" => "Bearer #{creds}" }
+      end
+    end
+
+    # Artifactory's Rubygems-compatible API
+    module RubygemsClient
+      extend self
+
+      def versions(gem_name:, source_uri:, headers: {})
+        base = URI(source_uri.chomp("/"))
+        path = "#{base.path}/api/v1/versions/#{encode(gem_name)}.json"
+        HttpHelper.get_json(base, path, headers: headers) || []
+      end
+
+      private
+
+      def encode(value)
+        CGI.escape(value)
+      end
+    end
+
+    # AQL stands for Artifactory Query Language
+    # https://docs.jfrog.com/artifactory/docs/artifactory-query-language
+    module AqlClient
+      extend self
+
+      SOURCE_URL_PATTERN = %r{\A(https?://[^/]+\.jfrog\.io/[^/]+)/api/gems/([^/]+)/?\z}
+      AQL_PATH = "/api/search/aql"
+
+      def versions(gem_name:, source_uri:, headers: {})
+        artifactory_base, repo_key = parse_source_url(source_uri)
+        return [] if artifactory_base.nil?
+
+        base = URI(artifactory_base)
+        path = "#{base.path}#{AQL_PATH}"
+        query = {
+          "name" => { "$match" => "#{gem_name}-*.gem" },
+          "repo" => repo_key,
+        }
+        body = %(items.find(#{JSON.generate(query)}).include("repo", "path", "name", "created"))
+        response = HttpHelper.post_json(base, path, body: body, headers: headers.merge("Content-Type" => "text/plain"))
+        return [] if response.nil?
+
+        results = response["results"] || []
+        build_version_hashes(results: results, gem_name: gem_name)
+      end
+
+      private
+
+      def parse_source_url(source_uri)
+        match = source_uri.match(SOURCE_URL_PATTERN)
+        unless match
+          $stderr.puts("warning: unrecognized Artifactory source URL for AQL fallback: #{source_uri}")
+          return [nil, nil]
+        end
+
+        [match[1], match[2]]
+      end
+
+      def build_version_hashes(results:, gem_name:)
+        results
+          .filter_map do |item|
+            version = extract_version(item["name"], gem_name)
+            next if version.nil?
+
+            {
+              "number" => version,
+              "created_at" => item["created"],
+              "prerelease" => Gem::Version.new(version).prerelease?,
+            }
+          end
+          .uniq { |h| h["number"] }
+          .sort_by { |h| Gem::Version.new(h["number"]) }
+          .reverse
+      end
+
+      def extract_version(filename, gem_name)
+        prefix = "#{gem_name}-"
+        return unless filename&.end_with?(".gem") && filename.start_with?(prefix)
+
+        version_part = filename[prefix.length..-5]
+        return if version_part.nil? || version_part.empty?
+
+        parse_version_from_filename_tail(version_part)
+      end
+
+      # Given the portion of a `.gem` filename after `name-`, returns the
+      # leading semver (e.g. `7.0.0` from `7.0.0-x86_64-linux`). Ignores
+      # unrelated artifacts that share a prefix (e.g. `datadog-ruby_core_source`
+      # when the gem name is `datadog`).
+      def parse_version_from_filename_tail(version_part)
+        segments = version_part.split("-")
+        segments.length.times do |i|
+          candidate = segments[0, i + 1].join("-")
+          return candidate if Gem::Version.correct?(candidate)
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/still_active/cli.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative "options"
+require_relative "config_file"
 require_relative "diff"
 require_relative "../helpers/activity_helper"
 require_relative "../helpers/bot_context"
@@ -10,6 +11,7 @@ require_relative "../helpers/diff_markdown_helper"
 require_relative "../helpers/emoji_helper"
 require_relative "../helpers/markdown_helper"
 require_relative "../helpers/sarif_helper"
+require_relative "../helpers/summary_helper"
 require_relative "../helpers/terminal_helper"
 require_relative "../helpers/version_helper"
 require_relative "../helpers/vulnerability_helper"
@@ -17,8 +19,20 @@ require_relative "workflow"
 
 module StillActive
   class CLI
+    # The committed JSON Schema for the --json output. Emitted as `$schema` so
+    # the output is self-describing and a consumer can validate it.
+    SCHEMA_URL = "https://raw.githubusercontent.com/SeanLF/still_active/main/docs/still_active.schema.json"
+
     def run(args)
+      # Apply the committed .still_active.yml first so CLI flags (parsed next)
+      # win over it: CLI flag > env var > config file > default.
+      config_data = ConfigFile.load
+      ConfigFile.apply(StillActive.config, config_data).each { |warning| $stderr.puts("warning: #{warning}") }
       options = Options.new.parse!(args)
+      # After CLI flags resolve, nudge (don't auto-inherit) an un-imported
+      # bundler-audit ignore list when the vulnerability gate is on.
+      hint = ConfigFile.import_hint(config_data)
+      $stderr.puts("hint: #{hint}") if hint
       unless options[:provided_gems]
         begin
           StillActive.config.gems = BundlerHelper.gemfile_dependencies
@@ -29,6 +43,7 @@ module StillActive
       end
 
       warn_output_flag_conflicts(options)
+      warn_stale_suppressions
 
       result = if $stderr.tty?
         Workflow.call { |done, total| $stderr.print("\rChecking #{done}/#{total} gems...") }
@@ -50,14 +65,20 @@ module StillActive
         case resolve_format
         when :json
           output = {
+            "$schema": SCHEMA_URL,
             schema_version: 1,
             tool: { name: "still_active", version: StillActive::VERSION },
             generated_at: Time.now.utc.iso8601,
-            gems: result,
+            # A one-object digest of the audit's posture, so a machine/LLM
+            # consumer reads the headline counts without iterating every gem.
+            summary: SummaryHelper.summarize(result, ruby_info: ruby_info),
+            # Surface the derived verdict so a machine/LLM consumer reads it
+            # directly instead of re-deriving it from the raw dates.
+            gems: result.transform_values { |data| data.merge(activity_level: ActivityHelper.activity_level(data)) },
           }
           output[:ruby] = ruby_info if ruby_info
           output[:pr_context] = pr_context if pr_context
-          puts output.to_json
+          puts iso8601_times(output).to_json
         when :terminal
           puts BotContext.summary(pr_context) if pr_context
           puts TerminalHelper.render(result, ruby_info: ruby_info)
@@ -71,6 +92,29 @@ module StillActive
 
     private
 
+    # Dates live in the result as real Time objects (the activity/libyear math
+    # needs them), but the JSON contract is ISO8601 UTC strings, matching
+    # generated_at. Normalize at the serialization boundary only, so the
+    # terminal/markdown/SARIF paths keep their Time objects untouched.
+    def iso8601_times(value)
+      case value
+      when Time then value.utc.iso8601
+      when Hash then value.transform_values { |v| iso8601_times(v) }
+      when Array then value.map { |v| iso8601_times(v) }
+      else value
+      end
+    end
+
+    # A suppression naming a gem that isn't in the resolved dependency set can
+    # never fire, so it's dead config worth surfacing (the presence half of
+    # suppression rot, alongside the expiry half the entries handle themselves).
+    def warn_stale_suppressions
+      present = StillActive.config.gems.map { |gem| gem[:name] }
+      StillActive.config.suppressions.stale_gem_warnings(present).each do |warning|
+        $stderr.puts("warning: #{warning}")
+      end
+    end
+
     # The output destinations are mutually exclusive and resolved by precedence
     # (baseline > sarif > cyclonedx > terminal/markdown/json). Warn rather than
     # silently dropping the loser when more than one is set.
@@ -192,6 +236,8 @@ module StillActive
       end
       alternatives = MarkdownHelper.alternatives_section(result)
       puts alternatives unless alternatives.empty?
+      transitive = MarkdownHelper.transitive_section(result)
+      puts transitive unless transitive.empty?
       if ruby_info
         puts ""
         puts MarkdownHelper.ruby_line(ruby_info)
@@ -202,27 +248,50 @@ module StillActive
       config = StillActive.config
       return unless config.fail_if_critical || config.fail_if_warning || config.fail_if_vulnerable || config.fail_if_outdated
 
-      ignored = config.ignored_gems
-      checked = result.reject { |name, _| ignored.include?(name) }
+      exit(1) if result.any? { |name, data| gate_failed?(name, data, config) }
+    end
 
-      if config.fail_if_critical || config.fail_if_warning
-        levels = checked.each_value.map { |gem_data| ActivityHelper.activity_level(gem_data) }
-        exit(1) if config.fail_if_warning && levels.intersect?([:stale, :critical, :archived])
-        exit(1) if config.fail_if_critical && levels.intersect?([:critical, :archived])
-      end
+    # A gem fails the run when it trips an enabled gate that is neither
+    # whole-gem --ignore'd nor covered by a granular .still_active.yml
+    # suppression. Each signal is checked independently so accepting one finding
+    # (e.g. a single advisory) never blinds the others.
+    def gate_failed?(name, data, config)
+      return false if config.ignored_gems.include?(name)
 
-      if (vuln_setting = config.fail_if_vulnerable)
-        checked.each_value do |d|
-          next unless d[:vulnerability_count]&.positive?
+      suppressions = config.suppressions
+      failed_activity?(name, data, config, suppressions) ||
+        failed_vulnerability?(name, data, config, suppressions) ||
+        failed_outdated?(name, data, config, suppressions)
+    end
 
-          exit(1) if vuln_setting == true
-          exit(1) if VulnerabilityHelper.severity_at_or_above?(d[:vulnerabilities], vuln_setting)
-        end
-      end
+    def failed_activity?(name, data, config, suppressions)
+      return false unless config.fail_if_warning || config.fail_if_critical
+      return false if suppressions.suppressed?(gem: name, signal: :activity)
+
+      level = ActivityHelper.activity_level(data)
+      (config.fail_if_warning && [:stale, :critical, :archived].include?(level)) ||
+        (config.fail_if_critical && [:critical, :archived].include?(level))
+    end
+
+    def failed_vulnerability?(name, data, config, suppressions)
+      setting = config.fail_if_vulnerable
+      return false unless setting
+      return false unless data[:vulnerability_count]&.positive?
 
-      if (threshold = config.fail_if_outdated)
-        exit(1) if checked.each_value.any? { |d| d[:libyear] && d[:libyear] > threshold }
+      live = Array(data[:vulnerabilities]).reject do |vuln|
+        suppressions.suppressed?(gem: name, signal: :vulnerability, advisory: vuln[:id], aliases: Array(vuln[:aliases]))
       end
+      return false if live.empty?
+
+      setting == true || VulnerabilityHelper.severity_at_or_above?(live, setting)
+    end
+
+    def failed_outdated?(name, data, config, suppressions)
+      threshold = config.fail_if_outdated
+      return false unless threshold
+      return false if suppressions.suppressed?(gem: name, signal: :libyear)
+
+      data[:libyear] && data[:libyear] > threshold
     end
   end
 end

data/lib/still_active/config.rb

@@ -3,11 +3,14 @@
 require "bundler"
 require "octokit"
 require "open3"
+require_relative "suppressions"
 
 module StillActive
   class Config
-    attr_writer :github_oauth_token, :gitlab_token, :gemfile_path
+    attr_writer :github_oauth_token, :gitlab_token, :forgejo_token, :artifactory_token, :artifactory_host, :gemfile_path
     attr_accessor :alternatives,
+      :unreleased_commits,
+      :direct_only,
       :baseline_path,
       :critical_warning_emoji,
       :cyclonedx_path,
@@ -24,12 +27,15 @@ module StillActive
       :no_warning_range_end,
       :sarif_path,
       :success_emoji,
+      :suppressions,
       :unsure_emoji,
       :warning_emoji,
       :warning_range_end
 
     def initialize
       @alternatives = false
+      @unreleased_commits = false
+      @direct_only = false
       @fail_if_critical = false
       @fail_if_outdated = nil
       @fail_if_vulnerable = nil
@@ -37,8 +43,12 @@ module StillActive
       @gemfile_path = nil
       @gems = []
       @ignored_gems = []
+      @suppressions = Suppressions.from(nil)
       @github_oauth_token = nil
       @gitlab_token = nil
+      @forgejo_token = nil
+      @artifactory_token = nil
+      @artifactory_host = nil
 
       @parallelism = 10
 
@@ -54,7 +64,11 @@ module StillActive
       @unsure_emoji = "❓"
       @warning_emoji = "⚠️"
 
-      @no_warning_range_end = 1
+      # Release-age thresholds (years) calibrated against real RubyGems cadence,
+      # not the npm-derived 12-month convention: healthy mature gems routinely go
+      # 12-18 months between releases, so the ok ceiling is 18 months. > 3 years
+      # is critical. See #32.
+      @no_warning_range_end = 1.5
       @warning_range_end = 3
     end
 
@@ -71,6 +85,22 @@ module StillActive
       @gitlab_token ||= presence(ENV["GITLAB_TOKEN"]) || glab_cli_token
     end
 
+    # Codeberg/Forgejo has no ubiquitous CLI to borrow a token from (unlike
+    # gh/glab), so it's env-var only. Anonymous works for public repos; a token
+    # only raises the rate limit. CODEBERG_TOKEN is accepted as a convenience
+    # alias for the codeberg.org default host.
+    def forgejo_token
+      @forgejo_token ||= presence(ENV["STILL_ACTIVE_FORGEJO_TOKEN"]) || presence(ENV["CODEBERG_TOKEN"])
+    end
+
+    def artifactory_token
+      @artifactory_token ||= presence(ENV["STILL_ACTIVE_ARTIFACTORY_TOKEN"])
+    end
+
+    def artifactory_host
+      @artifactory_host ||= presence(ENV["STILL_ACTIVE_ARTIFACTORY_HOST"])
+    end
+
     # Lazy so that running with --gems=... (no Gemfile needed) doesn't crash
     # when invoked from a directory without a Gemfile in the tree.
     def gemfile_path