still_active 1.6.0 → 2.0.0

data/lib/still_active/config_file.rb

@@ -0,0 +1,180 @@
+# frozen_string_literal: true
+
+require "yaml"
+require_relative "suppressions"
+require_relative "../helpers/vulnerability_helper"
+
+module StillActive
+  # Loads a committed .still_active.yml and applies it to the config as the layer
+  # below env vars and CLI flags (CLI flag > env var > config file > default).
+  # Mirrors the policy flags (gates, thresholds, output, alternatives, scope)
+  # and the granular suppression list; deliberately NOT secrets (tokens) or
+  # invocation-specific paths (--gemfile/--gems/--baseline/output paths), which
+  # stay CLI/env-only so a committed file never carries a credential.
+  module ConfigFile
+    FILENAME = ".still_active.yml"
+    BUNDLER_AUDIT_FILE = ".bundler-audit.yml"
+
+    extend self
+
+    def load(dir: Dir.pwd)
+      path = File.join(dir, FILENAME)
+      return {} unless File.file?(path)
+
+      data = YAML.safe_load_file(path, permitted_classes: [Date, Time])
+      return {} if data.nil?
+
+      unless data.is_a?(Hash)
+        $stderr.puts("warning: #{FILENAME} must be a mapping of settings; ignoring it")
+        return {}
+      end
+
+      data
+    rescue Psych::Exception => e
+      # Covers a syntax error and a disallowed tag (e.g. !ruby/object); either
+      # way the committed file must never take the audit down with it.
+      $stderr.puts("warning: #{FILENAME} could not be loaded (#{e.message}); ignoring it")
+      {}
+    end
+
+    # Applies data to config and returns an array of warning strings (unknown
+    # keys, invalid values, suppression/import problems). Booleans/numbers are
+    # passed through as the gate expects them.
+    def apply(config, data, base_dir: Dir.pwd)
+      warnings = []
+      ignore_entries = Array(data["ignore"])
+
+      data.each do |key, value|
+        case key
+        when "fail_if_critical" then set_boolean(config, :fail_if_critical=, value, key, warnings)
+        when "fail_if_warning" then set_boolean(config, :fail_if_warning=, value, key, warnings)
+        when "alternatives" then set_boolean(config, :alternatives=, value, key, warnings)
+        when "unreleased_commits" then set_boolean(config, :unreleased_commits=, value, key, warnings)
+        when "direct_only" then set_boolean(config, :direct_only=, value, key, warnings)
+        when "safe_range_end" then set_number(config, :no_warning_range_end=, value, key, warnings)
+        when "warning_range_end" then set_number(config, :warning_range_end=, value, key, warnings)
+        when "fail_if_outdated" then apply_fail_if_outdated(config, value, warnings)
+        when "parallelism" then apply_parallelism(config, value, warnings)
+        when "fail_if_vulnerable" then apply_fail_if_vulnerable(config, value, warnings)
+        when "output" then apply_output(config, value, warnings)
+        when "ignore" then nil # handled below, after imports are gathered
+        when "import" then ignore_entries.concat(import_advisories(value, base_dir, warnings))
+        else warnings << "#{FILENAME}: unknown setting #{key.inspect}, ignoring it"
+        end
+      end
+
+      suppressions = Suppressions.from(ignore_entries)
+      warnings.concat(suppressions.warnings)
+      config.suppressions = suppressions
+      warnings
+    end
+
+    # Suggests honouring an existing bundler-audit ignore list rather than
+    # silently inheriting it. Auto-importing another tool's suppressions would
+    # hide vulnerabilities the user only accepted in bundler-audit's context,
+    # with no reason/expiry and no explicit opt-in here, the exact over-broad
+    # muting this feature exists to replace. So nudge, don't absorb, and only
+    # when the vulnerability gate is on (suppression is otherwise moot) and the
+    # file isn't already imported. Returns the hint string or nil.
+    def import_hint(data, config: StillActive.config, dir: Dir.pwd)
+      return unless config.fail_if_vulnerable
+      return if Array(data["import"]).include?(BUNDLER_AUDIT_FILE)
+
+      path = File.join(dir, BUNDLER_AUDIT_FILE)
+      return unless File.file?(path)
+
+      count = bundler_audit_ignore_count(path)
+      return unless count.positive?
+
+      noun = count == 1 ? "advisory" : "advisories"
+      "#{BUNDLER_AUDIT_FILE} lists #{count} accepted #{noun}; add `import: [#{BUNDLER_AUDIT_FILE}]` to #{FILENAME} to honour them in still_active's --fail-if-vulnerable gate too"
+    end
+
+    private
+
+    def bundler_audit_ignore_count(path)
+      data = YAML.safe_load_file(path, permitted_classes: [Date, Time])
+      data.is_a?(Hash) ? Array(data["ignore"]).size : 0
+    rescue Psych::Exception
+      0
+    end
+
+    # A malformed value must warn and leave the default in place, never silently
+    # flip a gate off (`!!""` is false) or crash the audit (`false.to_f` raises,
+    # since `&.` guards only nil). Validate before assigning, like the gates do.
+    def set_boolean(config, setter, value, key, warnings)
+      if [true, false].include?(value)
+        config.public_send(setter, value)
+      else
+        warnings << "#{FILENAME}: #{key} must be true or false (got #{value.inspect}), ignoring it"
+      end
+    end
+
+    def set_number(config, setter, value, key, warnings)
+      if value.is_a?(Numeric)
+        config.public_send(setter, value.to_f)
+      else
+        warnings << "#{FILENAME}: #{key} must be a number (got #{value.inspect}), ignoring it"
+      end
+    end
+
+    def apply_fail_if_outdated(config, value, warnings)
+      case value
+      when nil, false then config.fail_if_outdated = nil # gate off
+      when Numeric then config.fail_if_outdated = value.to_f
+      else warnings << "#{FILENAME}: fail_if_outdated must be a number or false (got #{value.inspect}), ignoring it"
+      end
+    end
+
+    def apply_parallelism(config, value, warnings)
+      if value.is_a?(Integer) && value.positive?
+        config.parallelism = value
+      else
+        warnings << "#{FILENAME}: parallelism must be a positive integer (got #{value.inspect}), ignoring it"
+      end
+    end
+
+    def apply_fail_if_vulnerable(config, value, warnings)
+      if value == true || value == false
+        config.fail_if_vulnerable = value || nil
+      elsif VulnerabilityHelper::SEVERITY_ORDER.include?(value)
+        config.fail_if_vulnerable = value
+      else
+        warnings << "#{FILENAME}: fail_if_vulnerable severity must be one of #{VulnerabilityHelper::SEVERITY_ORDER.join(", ")} (got #{value.inspect}), ignoring it"
+      end
+    end
+
+    def apply_output(config, value, warnings)
+      format = value.to_s.to_sym
+      if [:terminal, :markdown, :json].include?(format)
+        config.output_format = format
+      else
+        warnings << "#{FILENAME}: output must be terminal, markdown, or json (got #{value.inspect}), ignoring it"
+      end
+    end
+
+    # Reads each referenced bundler-audit config and converts its ignore list of
+    # advisory ids into advisory-scoped (gem-agnostic) suppression entries, so a
+    # team keeps one ignore list instead of two.
+    def import_advisories(paths, base_dir, warnings)
+      Array(paths).flat_map do |rel|
+        path = File.expand_path(rel, base_dir)
+        unless File.file?(path)
+          warnings << "#{FILENAME}: import target #{rel} not found, skipping it"
+          next []
+        end
+
+        imported = YAML.safe_load_file(path, permitted_classes: [Date, Time]) || {}
+        unless imported.is_a?(Hash)
+          warnings << "#{FILENAME}: import target #{rel} is not a mapping, skipping it"
+          next []
+        end
+
+        Array(imported["ignore"]).map { |advisory| { "advisory" => advisory, "reason" => "imported from #{rel}" } }
+      rescue Psych::Exception => e
+        warnings << "#{FILENAME}: import target #{rel} could not be loaded (#{e.message}), skipping it"
+        []
+      end
+    end
+  end
+end

data/lib/still_active/deps_dev_client.rb

@@ -48,7 +48,7 @@ module StillActive
         id: body.dig("advisoryKey", "id"),
         url: body["url"],
         title: body["title"],
-        aliases: body["aliases"]&.map { |a| a["id"] } || [],
+        aliases: body["aliases"]&.filter_map { |a| a["id"] } || [],
         cvss3_score: body["cvss3Score"],
         cvss3_vector: body["cvss3Vector"],
         cvss2_score: body["cvss2Score"],
@@ -58,15 +58,36 @@ module StillActive
 
     private
 
-    # Extracts "host/owner/repo" from the SOURCE_REPO link URL.
-    # URLs may have trailing slashes or extra path segments (e.g. /tree/v1.0).
+    # Builds a deps.dev project id ("host/owner/repo", or a deeper path for
+    # GitLab subgroups) from the SOURCE_REPO link URL. GitHub/Bitbucket projects
+    # are always host/owner/repo, but GitLab namespaces nest arbitrarily
+    # (host/group/subgroup/.../project), so we can't just keep three segments.
     def extract_project_id(body)
       url = body.dig("links")&.find { |l| l["label"] == "SOURCE_REPO" }&.dig("url")
       return if url.nil?
 
-      path = url.delete_prefix("https://").delete_prefix("http://")
-      segments = path.split("/")
-      segments[0..2].join("/") if segments.length >= 3
+      host, *segments = url.sub(%r{\Ahttps?://}, "").split("/")
+      segments = repo_path_segments(host, segments)
+      return if host.nil? || segments.empty?
+
+      [host, *segments].join("/")
+    end
+
+    # Trims a repo URL's path to just the project. On GitLab the project path
+    # ends at the "/-/" separator (before tree/blob/etc) and may be nested;
+    # elsewhere it's owner/repo. Drops trailing slashes and a ".git" suffix.
+    def repo_path_segments(host, segments)
+      segments = segments.reject(&:empty?)
+
+      if host.to_s.start_with?("gitlab.")
+        separator = segments.index("-")
+        segments = segments[0...separator] if separator
+      else
+        segments = segments.first(2)
+      end
+
+      segments[-1] = segments[-1].delete_suffix(".git") unless segments.empty?
+      segments
     end
 
     def encode(value)

data/lib/still_active/diff.rb

@@ -74,10 +74,67 @@ module StillActive
     end
 
     def validate_schema!(snapshot, role)
+      # A user can point --baseline at any JSON file. Reject a wrong shape here
+      # as an UnsupportedSchemaError (which emit_diff turns into a clean exit 2)
+      # rather than letting snapshot["..."] / gems.keys raise a raw stack trace.
+      unless snapshot.is_a?(Hash)
+        raise UnsupportedSchemaError, "#{role} is not a still_active JSON object (got #{snapshot.class})"
+      end
+
       version = snapshot["schema_version"]
-      return if SUPPORTED_SCHEMA_VERSIONS.include?(version)
+      unless SUPPORTED_SCHEMA_VERSIONS.include?(version)
+        raise UnsupportedSchemaError, "#{role} has schema_version=#{version.inspect}; supported: #{SUPPORTED_SCHEMA_VERSIONS.join(", ")}"
+      end
+
+      ruby = snapshot["ruby"]
+      unless ruby.nil? || ruby.is_a?(Hash)
+        raise UnsupportedSchemaError, "#{role} has a malformed ruby section (expected an object, got #{ruby.class})"
+      end
+
+      gems = snapshot["gems"]
+      return if gems.nil?
+
+      unless gems.is_a?(Hash)
+        raise UnsupportedSchemaError, "#{role} has a malformed gems section (expected an object, got #{gems.class})"
+      end
+
+      gems.each { |name, data| validate_gem!(role, name, data) }
+    end
 
-      raise UnsupportedSchemaError, "#{role} has schema_version=#{version.inspect}; supported: #{SUPPORTED_SCHEMA_VERSIONS.join(", ")}"
+    # The diff dereferences gem fields with type-sensitive operations: a non-Hash
+    # value crashes the intersection branch, an arithmetic field that isn't
+    # numeric crashes (libyear/scorecard) or silently fabricates a count
+    # (vulnerability_count via .to_i), and a non-array vulnerabilities silently
+    # drops advisory ids. The baseline is untrusted user input, so validate the
+    # shape the diff requires here and let the rest of the code assume it.
+    NUMERIC_GEM_FIELDS = ["vulnerability_count", "scorecard_score", "libyear"].freeze
+
+    def validate_gem!(role, name, data)
+      unless data.is_a?(Hash)
+        raise UnsupportedSchemaError, "#{role} gem #{name.inspect} is malformed (expected an object, got #{data.class})"
+      end
+
+      NUMERIC_GEM_FIELDS.each do |field|
+        value = data[field]
+        next if value.nil? || value.is_a?(Numeric)
+
+        raise UnsupportedSchemaError, "#{role} gem #{name.inspect} has a non-numeric #{field} (got #{value.class})"
+      end
+
+      vulns = data["vulnerabilities"]
+      return if vulns.nil?
+
+      unless vulns.is_a?(Array)
+        raise UnsupportedSchemaError, "#{role} gem #{name.inspect} has a malformed vulnerabilities list (expected an array, got #{vulns.class})"
+      end
+
+      # advisory_ids dereferences each entry as a hash (entry["id"]); a scalar
+      # element would crash there, so reject non-object entries up front.
+      vulns.each do |entry|
+        next if entry.is_a?(Hash)
+
+        raise UnsupportedSchemaError, "#{role} gem #{name.inspect} has a malformed vulnerability entry (expected an object, got #{entry.class})"
+      end
     end
 
     # Categorises a version bump:

data/lib/still_active/forgejo_client.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "time"
+require_relative "../helpers/http_helper"
+
+module StillActive
+  # Repo signals (archived?, last commit date) for Forgejo/Gitea-hosted gems.
+  # Codeberg.org is the only host wired into the workflow today, but every
+  # Forgejo/Gitea instance speaks the same `/api/v1` surface, so the host is a
+  # parameter for later self-hosted support. Mirrors GitlabClient: HttpHelper
+  # against a documented JSON API, anonymous by default with an optional token.
+  module ForgejoClient
+    extend self
+
+    DEFAULT_HOST = "codeberg.org"
+
+    # archived + last-activity date from a single repository call. The repo
+    # object's updated_at matches the latest commit date to the day in practice,
+    # so folding the two signals into one call halves the per-gem requests.
+    # Returns {} when the repo can't be read.
+    def repo_signals(owner:, name:, host: DEFAULT_HOST)
+      return {} if owner.nil? || name.nil?
+
+      body = HttpHelper.get_json(base_uri(host), "/api/v1/repos/#{owner}/#{name}", headers: auth_headers)
+      return {} if body.nil?
+
+      { archived: body["archived"] == true, last_commit_date: parse_time(body["updated_at"], owner, name) }
+    end
+
+    private
+
+    def parse_time(value, owner, name)
+      return if value.nil?
+
+      Time.parse(value)
+    rescue ArgumentError
+      $stderr.puts("warning: could not parse repo date for #{owner}/#{name}: #{value.inspect}")
+      nil
+    end
+
+    def base_uri(host)
+      URI("https://#{host}/")
+    end
+
+    def auth_headers
+      token = StillActive.config.forgejo_token
+      token ? { "Authorization" => "token #{token}" } : {}
+    end
+  end
+end

data/lib/still_active/github_client.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require "time"
+require "octokit"
+
+module StillActive
+  # Repo signals (archived?, last commit date) for github.com-hosted gems.
+  # Wraps Octokit so the rest of the workflow dispatches to a provider with the
+  # same shape as GitlabClient, rather than reaching into Octokit inline. The
+  # Octokit dependency stays internal to this module.
+  module GithubClient
+    extend self
+
+    # A rate-limit response whose reset is at most this many seconds away is
+    # waited out and retried; a longer wait (hourly-limit exhaustion) is not
+    # auto-taken and falls through to the caller's rescue (warn + nil).
+    MAX_RATE_LIMIT_WAIT = 60
+
+    # archived + last-activity date from a single repository call. The repo
+    # object's pushed_at (last push) stands in for the last-commit date: it
+    # matches the default-branch commit date to the day in practice, and folding
+    # the two signals into one call halves the per-gem GitHub requests. Returns
+    # {} when the repo can't be read, so the caller leaves both signals blank.
+    def repo_signals(owner:, name:)
+      return {} if owner.nil? || name.nil?
+
+      repo = with_rate_limit_retry("repo #{owner}/#{name}") do
+        StillActive.config.github_client.repository("#{owner}/#{name}")
+      end
+      return {} unless repo
+
+      { archived: repo.archived, last_commit_date: as_time(repo.pushed_at, owner, name) }
+    rescue Octokit::Error, Faraday::Error => e
+      $stderr.puts("warning: repo signals failed for #{owner}/#{name}: #{e.class}")
+      {}
+    end
+
+    # Commits on the default branch since the latest release's tag: the
+    # "unreleased work" signal. GitHub's compare endpoint returns ahead_by as a
+    # single scalar, so this is one cheap call. The git tag name isn't carried
+    # by RubyGems, so resolve it from the version by trying the two ubiquitous
+    # forms (v7.0.1, 7.0.1) as the compare base; a wrong form 404s and we try
+    # the next. Returns nil when neither resolves (non-tagging repo, monorepo
+    # tag scheme we don't guess). Only GithubClient implements this; the
+    # workflow dispatches by respond_to?, so GitLab/Forgejo simply don't.
+    def commits_since_release(owner:, name:, version:)
+      return if owner.nil? || name.nil? || version.nil?
+
+      repo = "#{owner}/#{name}"
+      ["v#{version}", version.to_s].each do |tag|
+        return with_rate_limit_retry("unreleased-commits #{repo}") { StillActive.config.github_client.compare(repo, tag, "HEAD").ahead_by }
+      rescue Octokit::NotFound
+        # this tag form doesn't exist; fall through to try the next one
+      end
+      nil
+    rescue Octokit::Error, Faraday::Error => e
+      $stderr.puts("warning: unreleased-commits check failed for #{owner}/#{name}: #{e.class}")
+      nil
+    end
+
+    private
+
+    # Pause-and-retry on a rate-limit response when the reset is near, so a
+    # transient secondary/burst limit (which GitHub's concurrent fan-out can
+    # trip even with a token) self-heals instead of dropping the gem's signal.
+    # Retries at most once. Under the async reactor, sleep yields to other
+    # fibers rather than blocking the thread.
+    def with_rate_limit_retry(label)
+      retried = false
+      begin
+        yield
+      rescue Octokit::TooManyRequests => e
+        wait = rate_limit_wait(e)
+        if retried || wait.nil? || wait > MAX_RATE_LIMIT_WAIT
+          # Hourly-limit exhaustion (or a far reset): not worth auto-waiting.
+          # Surface the one actionable hint rather than a generic class name,
+          # then return nil so this signal is simply absent for the gem.
+          $stderr.puts("rate limited on #{label}; set GITHUB_TOKEN to raise your limit, or run less often")
+          return
+        end
+
+        retried = true
+        $stderr.puts("rate limited on #{label}; waiting #{wait}s for reset")
+        sleep(wait)
+        retry
+      end
+    end
+
+    # Seconds to wait before retrying, from the Retry-After header (secondary
+    # limits) or x-ratelimit-reset (primary), or nil when neither is present.
+    def rate_limit_wait(error)
+      # Octokit normalises response headers to lowercase (Faraday is
+      # case-insensitive), so a single lowercase lookup covers any casing.
+      headers = response_headers(error)
+      return if headers.nil? || headers.empty?
+
+      if (retry_after = headers["retry-after"])
+        return retry_after.to_i
+      end
+
+      reset = headers["x-ratelimit-reset"]
+      return if reset.nil?
+
+      [reset.to_i - Time.now.to_i, 0].max
+    end
+
+    # Octokit raises NoMethodError reading headers off an error with no response
+    # attached; treat only that as "can't tell" so the limiter degrades to no
+    # wait, while a real NoMethodError elsewhere still surfaces.
+    def response_headers(error)
+      error.response_headers
+    rescue NoMethodError
+      nil
+    end
+
+    def as_time(value, owner, name)
+      return value if value.is_a?(Time)
+      return if value.nil?
+
+      Time.parse(value)
+    rescue ArgumentError
+      $stderr.puts("warning: could not parse repo date for #{owner}/#{name}: #{value.inspect}")
+      nil
+    end
+  end
+end

data/lib/still_active/gitlab_client.rb

@@ -9,36 +9,31 @@ module StillActive
 
     BASE_URI = URI("https://gitlab.com/")
 
-    def archived(owner:, name:)
-      return if owner.nil? || name.nil?
+    # archived + last-activity date from a single project call. The project
+    # object's last_activity_at matches the latest commit date to the day in
+    # practice, so folding the two signals into one call halves the per-gem
+    # requests. Returns {} when the project can't be read.
+    def repo_signals(owner:, name:)
+      return {} if owner.nil? || name.nil?
 
       path = "/api/v4/projects/#{encode_project(owner, name)}"
       body = HttpHelper.get_json(BASE_URI, path, headers: auth_headers)
-      return if body.nil?
+      return {} if body.nil?
 
-      body["archived"] == true
+      { archived: body["archived"] == true, last_commit_date: parse_time(body["last_activity_at"], owner, name) }
     end
 
-    def last_commit_date(owner:, name:)
-      return if owner.nil? || name.nil?
-
-      path = "/api/v4/projects/#{encode_project(owner, name)}/repository/commits"
-      body = HttpHelper.get_json(BASE_URI, path, headers: auth_headers, params: { per_page: 1 })
-      return if body.nil? || body.empty?
+    private
 
-      date = body.first["committed_date"]
-      return unless date
+    def parse_time(value, owner, name)
+      return if value.nil?
 
-      begin
-        Time.parse(date)
-      rescue ArgumentError
-        $stderr.puts("warning: could not parse commit date for #{owner}/#{name}: #{date.inspect}")
-        nil
-      end
+      Time.parse(value)
+    rescue ArgumentError
+      $stderr.puts("warning: could not parse repo date for #{owner}/#{name}: #{value.inspect}")
+      nil
     end
 
-    private
-
     def auth_headers
       token = StillActive.config.gitlab_token
       token ? { "PRIVATE-TOKEN" => token } : {}

data/lib/still_active/options.rb

@@ -50,7 +50,8 @@ module StillActive
     def add_gems_option(opts)
       opts.on("--gems=GEM,GEM2,...", Array, "Gem(s)") do |value|
         options[:provided_gems] = true
-        StillActive.config { |config| config.gems = value.map { |g| { name: g } } }
+        # Explicitly named gems are direct by definition (the user chose them).
+        StillActive.config { |config| config.gems = value.map { |g| { name: g, direct: true } } }
       end
     end
 
@@ -65,6 +66,8 @@ module StillActive
       opts.on("--markdown", "Markdown table output") { StillActive.config { |config| config.output_format = :markdown } }
       opts.on("--json", "JSON output (default when piped)") { StillActive.config { |config| config.output_format = :json } }
       opts.on("--alternatives", "Suggest maintained alternatives (Ruby Toolbox leads) for archived/critical gems") { StillActive.config { |config| config.alternatives = true } }
+      opts.on("--unreleased-commits", "Count commits on the default branch since the latest release (GitHub only; opt-in, one extra API call per gem)") { StillActive.config { |config| config.unreleased_commits = true } }
+      opts.on("--direct-only", "Audit only direct (declared) dependencies, not the full transitive lockfile graph") { StillActive.config { |config| config.direct_only = true } }
       opts.on("--sarif[=PATH]", "SARIF 2.1.0 output for GitHub Code Scanning (default path: still_active.sarif.json; '-' for stdout). Overrides --terminal/--markdown/--json.") do |value|
         StillActive.config { |config| config.sarif_path = value || "still_active.sarif.json" }
       end
@@ -91,6 +94,12 @@ module StillActive
       opts.on("--gitlab-token=TOKEN", String, "GitLab personal access token for API calls") do |value|
         StillActive.config { |config| config.gitlab_token = value }
       end
+      opts.on("--artifactory-token=TOKEN", String, "Artifactory token for private gem registry API calls") do |value|
+        StillActive.config { |config| config.artifactory_token = value }
+      end
+      opts.on("--artifactory-host=HOST", String, "Artifactory host that may receive the global token (e.g. my-org.jfrog.io)") do |value|
+        StillActive.config { |config| config.artifactory_host = value }
+      end
     end
 
     def add_parallelism_options(opts)
@@ -102,15 +111,15 @@ module StillActive
     def add_range_options(opts)
       opts.on(
         "--safe-range-end=YEARS",
-        Integer,
-        "maximum years since last activity considered safe (no warning)",
+        Float,
+        "maximum years since last release considered safe, no warning (default 1.5; fractional allowed)",
       ) do |value|
         StillActive.config { |config| config.no_warning_range_end = value }
       end
       opts.on(
         "--warning-range-end=YEARS",
-        Integer,
-        "maximum years since last activity that triggers a warning (beyond this is critical)",
+        Float,
+        "maximum years since last release that triggers a warning, beyond this is critical (default 3)",
       ) do |value|
         StillActive.config { |config| config.warning_range_end = value }
       end

data/lib/still_active/repository.rb

@@ -2,7 +2,15 @@
 
 module StillActive
   module Repository
-    REPO_REGEX = %r{(https?://(?:www\.)?(github|gitlab)\.com/([\w.\-]+)/([\w.\-]+))}i
+    # codeberg.org is the one Forgejo/Gitea host wired up today; it speaks the
+    # same Gitea API as any self-hosted instance, so its source is :forgejo (the
+    # forge software, what ForgejoClient handles), not :codeberg (the host).
+    SOURCE_BY_HOST = {
+      "github.com" => :github,
+      "gitlab.com" => :gitlab,
+      "codeberg.org" => :forgejo,
+    }.freeze
+    REPO_REGEX = %r{(?<url>https?://(?:www\.)?(?<host>github\.com|gitlab\.com|codeberg\.org)/(?<owner>[\w.\-]+)/(?<name>[\w.\-]+))}i
 
     extend self
 
@@ -16,10 +24,10 @@ module StillActive
       match = url&.match(REPO_REGEX)
       return { source: :unhandled, owner: nil, name: nil } unless match
 
-      url = match[1].delete_suffix(".git")
-      name = match[4].delete_suffix(".git")
+      clean_url = match[:url].delete_suffix(".git")
+      name = match[:name].delete_suffix(".git")
 
-      { url: url, source: match[2].to_sym, owner: match[3], name: name }
+      { url: clean_url, source: SOURCE_BY_HOST.fetch(match[:host].downcase), owner: match[:owner], name: name }
     end
   end
 end

data/lib/still_active/sarif/rules.rb

@@ -48,8 +48,8 @@ module StillActive
         {
           id: "SA002",
           name: "AbandonedGem",
-          short: "Gem has had no commits for over 2 years",
-          full: "The gem's source repository shows no commit activity for over 2 years. Not formally archived, but a strong dormancy signal.",
+          short: "Gem has had no release for over 3 years",
+          full: "The gem's latest release is over 3 years old. Not formally archived, but a strong abandonment signal: a consumer cannot pull fixes that were never released. For a gem with no releases at all (e.g. git-sourced), the last commit date is used instead.",
           help_text: "Verify the gem still works on supported Ruby versions and consider a maintained alternative.",
           level: "warning",
           security_severity: nil,