still_active 1.6.0 → 2.0.0

data/lib/still_active/suppressions.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+require "date"
+
+module StillActive
+  # Granular, auditable suppression of individual findings, loaded from the
+  # `ignore:` block of a committed .still_active.yml. Each entry silences one
+  # signal (activity / libyear) or one advisory for one gem, optionally until an
+  # expiry date, replacing the all-or-nothing whole-gem --ignore. A bare gem
+  # name (or a gem-only mapping) keeps the old whole-gem behaviour so --ignore
+  # can union into the same list.
+  #
+  # Two guardrails keep suppression from hiding live risk: a lapsed entry stops
+  # applying so the finding re-surfaces, and a vulnerability suppression must
+  # name an explicit advisory id, so a newly disclosed CVE on the same gem is
+  # never pre-silenced.
+  class Suppressions
+    GATEABLE_SIGNALS = [:activity, :vulnerability, :libyear].freeze
+
+    Entry = Struct.new(:gem, :advisory, :signal, :reason, :expires, keyword_init: true) do
+      def whole_gem?
+        signal.nil? && advisory.nil?
+      end
+
+      def expired?(today)
+        !expires.nil? && expires < today
+      end
+
+      def covers?(signal:, advisory:, aliases:)
+        return true if whole_gem?
+
+        if self.signal == :vulnerability
+          [advisory, *aliases].compact.include?(self.advisory)
+        else
+          self.signal == signal
+        end
+      end
+    end
+
+    class << self
+      def from(raw, today: Date.today)
+        warnings = []
+        entries = Array(raw).filter_map { |item| parse_entry(item, warnings) }
+        new(entries, warnings, today)
+      end
+
+      private
+
+      def parse_entry(item, warnings)
+        return Entry.new(gem: item, advisory: nil, signal: nil, reason: nil, expires: nil) if item.is_a?(String)
+
+        unless item.is_a?(Hash)
+          warnings << "ignoring suppression entry #{item.inspect}: expected a gem name or a mapping"
+          return
+        end
+
+        gem = item["gem"]
+        advisory = item["advisory"]
+        signal = item["signal"]&.to_sym
+        signal ||= :vulnerability if advisory
+        expires = parse_expires(item["expires"], item, warnings)
+        return if expires == :invalid
+
+        label = gem || advisory || "entry"
+        return unless valid?(gem:, advisory:, signal:, label:, warnings:)
+
+        Entry.new(gem:, advisory:, signal:, reason: item["reason"], expires:)
+      end
+
+      # Returns true when the entry is well-formed, otherwise records a warning
+      # and returns false so the caller skips (does not apply) the entry.
+      def valid?(gem:, advisory:, signal:, label:, warnings:)
+        if gem.nil? && signal.nil? && advisory.nil?
+          warnings << "ignoring suppression entry: needs a gem, signal, or advisory"
+          return false
+        end
+        if signal && !GATEABLE_SIGNALS.include?(signal)
+          warnings << "ignoring suppression for #{label}: unknown signal #{signal.inspect} (expected activity, vulnerability, or libyear)"
+          return false
+        end
+        if signal == :vulnerability && advisory.nil?
+          warnings << "ignoring vulnerability suppression for #{label}: must name an advisory id so newly disclosed advisories still surface"
+          return false
+        end
+        if [:activity, :libyear].include?(signal) && gem.nil?
+          warnings << "ignoring #{signal} suppression: must name a gem"
+          return false
+        end
+
+        true
+      end
+
+      def parse_expires(value, item, warnings)
+        return if value.nil?
+        return value if value.is_a?(Date)
+
+        Date.parse(value.to_s)
+      rescue ArgumentError, TypeError
+        warnings << "ignoring suppression #{item.inspect}: unparseable expires #{value.inspect}"
+        :invalid
+      end
+    end
+
+    attr_reader :warnings
+
+    def initialize(entries, warnings, today)
+      @entries = entries
+      @warnings = warnings
+      @today = today
+    end
+
+    def suppressed?(gem:, signal:, advisory: nil, aliases: [])
+      !match(gem:, signal:, advisory:, aliases:).nil?
+    end
+
+    # Warnings for live entries that name a gem absent from the audited set: they
+    # can never match, so they are dead config (a typo, or a gem removed since
+    # the suppression was written). This is the presence axis of suppression rot;
+    # `expired?` already covers the time axis, so an expired entry isn't
+    # re-reported here, and a gem-agnostic advisory entry (gem nil) is skipped
+    # since it applies across the whole graph.
+    def stale_gem_warnings(present_gems)
+      @entries.filter_map do |entry|
+        next if entry.expired?(@today)
+        next unless entry.gem && !present_gems.include?(entry.gem)
+
+        "suppression for #{entry.gem} never applies: it is not in the audited dependencies (typo, or removed since it was suppressed?)"
+      end
+    end
+
+    # The first live entry covering this finding, or nil. Used by SARIF to carry
+    # the suppression's reason as the native suppressions[] justification.
+    def match(gem:, signal:, advisory: nil, aliases: [])
+      @entries.find do |entry|
+        next false if entry.expired?(@today)
+        next false unless entry.gem.nil? || entry.gem == gem
+
+        entry.covers?(signal:, advisory:, aliases:)
+      end
+    end
+  end
+end

data/lib/still_active/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module StillActive
-  VERSION = "1.6.0"
+  VERSION = "2.0.0"
 end

data/lib/still_active/workflow.rb

@@ -1,6 +1,9 @@
 # frozen_string_literal: true
 
+require_relative "artifactory_client"
 require_relative "deps_dev_client"
+require_relative "forgejo_client"
+require_relative "github_client"
 require_relative "gitlab_client"
 require_relative "repository"
 require_relative "../helpers/activity_helper"
@@ -14,6 +17,7 @@ require_relative "../helpers/vulnerability_helper"
 require "async"
 require "async/barrier"
 require "async/semaphore"
+require "cgi"
 require "gems"
 
 module StillActive
@@ -39,6 +43,8 @@ module StillActive
               gem_version: gem[:version],
               source_type: gem[:source_type] || :rubygems,
               source_uri: gem[:source_uri],
+              direct: gem.fetch(:direct, true),
+              dependency_path: gem[:dependency_path],
               advisory_db: advisory_db,
               catalog: catalog,
             )
@@ -54,7 +60,10 @@ module StillActive
           end
         end
         barrier.wait
-        result_object
+        # Gems are inserted as their async tasks finish, so the natural order is
+        # nondeterministic completion order. Sort by name once here so every
+        # consumer (JSON, SARIF, the baseline diff) gets a stable, diffable order.
+        result_object.sort_by { |name, _| name }.to_h
       end
       task.wait
     end
@@ -65,8 +74,9 @@ module StillActive
 
     private
 
-    def gem_info(gem_name:, result_object:, gem_version: nil, source_type: :rubygems, source_uri: nil, advisory_db: nil, catalog: nil)
-      result_object[gem_name] = { source_type: source_type }
+    def gem_info(gem_name:, result_object:, gem_version: nil, source_type: :rubygems, source_uri: nil, direct: true, dependency_path: nil, advisory_db: nil, catalog: nil)
+      result_object[gem_name] = { source_type: source_type, direct: direct }
+      result_object[gem_name][:dependency_path] = dependency_path if dependency_path
       result_object[gem_name][:version_used] = gem_version if gem_version
 
       case source_type
@@ -87,17 +97,14 @@ module StillActive
 
     def gem_info_rubygems(gem_name:, gem_version:, result_object:, source_uri:, advisory_db: nil)
       vs = versions(gem_name: gem_name, source_uri: source_uri)
-      repo_info = repository_info(gem_name: gem_name, versions: vs)
-      commit_date = last_commit_date(
-        source: repo_info[:source],
-        repository_owner: repo_info[:owner],
-        repository_name: repo_info[:name],
-      )
-      archived = repo_archived(
+      repo_info = repository_info(gem_name: gem_name, versions: vs, source_uri: source_uri)
+      signals = repo_signals(
         source: repo_info[:source],
         repository_owner: repo_info[:owner],
         repository_name: repo_info[:name],
       )
+      commit_date = signals[:last_commit_date]
+      archived = signals[:archived]
       last_release = VersionHelper.find_version(versions: vs, pre_release: false)
       last_pre_release = VersionHelper.find_version(versions: vs, pre_release: true)
       deps_dev = fetch_deps_dev_info(
@@ -122,6 +129,15 @@ module StillActive
         result_object[gem_name][:ruby_gems_url] = "https://rubygems.org/gems/#{gem_name}"
       end
 
+      if StillActive.config.unreleased_commits
+        result_object[gem_name][:unreleased_commits] = unreleased_commits(
+          source: repo_info[:source],
+          repository_owner: repo_info[:owner],
+          repository_name: repo_info[:name],
+          version: VersionHelper.gem_version(version_hash: last_release),
+        )
+      end
+
       if gem_version
         version_used = VersionHelper.find_version(versions: vs, version_string: gem_version)
         result_object[gem_name].merge!({
@@ -150,16 +166,21 @@ module StillActive
       # Fall back to repo-derived project_id for scorecard when deps.dev doesn't have the version
       deps_dev[:scorecard_score] ||= DepsDevClient.project_scorecard(project_id: repo_info[:project_id])&.dig(:score)
 
+      signals = repo_signals(source:, repository_owner: owner, repository_name: name)
       result_object[gem_name].merge!({
         repository_url: repo_info[:url],
-        last_commit_date: last_commit_date(source:, repository_owner: owner, repository_name: name),
-        archived: repo_archived(source:, repository_owner: owner, repository_name: name),
+        last_commit_date: signals[:last_commit_date],
+        archived: signals[:archived],
         **deps_dev,
       })
     end
 
     def attach_alternatives(gem_name:, result_object:, catalog:)
       return if catalog.nil?
+      # Direct-only by design: "replace gem X with better-maintained Y" is
+      # incoherent for a transitive gem the user never chose (#60). The
+      # path-to-parent points them at the direct gem they can actually swap.
+      return unless result_object[gem_name][:direct]
       return unless [:archived, :critical].include?(ActivityHelper.activity_level(result_object[gem_name]))
 
       leads = AlternativesHelper.leads_for(gem_name: gem_name, index: catalog)
@@ -185,6 +206,11 @@ module StillActive
     def versions(gem_name:, source_uri: nil)
       if github_packages_uri?(source_uri)
         fetch_github_packages_versions(gem_name: gem_name, source_uri: source_uri)
+      elsif ArtifactoryClient.artifactory_uri?(source_uri)
+        ArtifactoryClient.versions(gem_name: gem_name, source_uri: source_uri)
+      elsif unqueryable_private_source?(source_uri)
+        warn_unqueryable_private_source(gem_name: gem_name, source_uri: source_uri)
+        []
       else
         Gems.versions(gem_name)
       end
@@ -201,10 +227,36 @@ module StillActive
       false
     end
 
+    # A rubygems-type source that isn't public rubygems.org and that we have no
+    # client for (Gemfury, Gemstash, geminabox, a private mirror). We must NOT
+    # fall through to Gems.versions, which always hits public rubygems.org: that
+    # would silently report a public name-collision's data, or blanks, as if it
+    # were the private gem's. github_packages/artifactory are handled above, so
+    # anything left with a non-rubygems.org host is unqueryable. Refs #43.
+    def unqueryable_private_source?(source_uri)
+      return false unless source_uri.is_a?(String)
+
+      # Hostnames are case-insensitive; a trailing dot (FQDN form) is equivalent.
+      host = URI(source_uri).host&.downcase&.chomp(".")
+      return false if host.nil?
+
+      host != "rubygems.org" && !host.end_with?(".rubygems.org")
+    rescue URI::InvalidURIError
+      false
+    end
+
+    def warn_unqueryable_private_source(gem_name:, source_uri:)
+      host = URI(source_uri).host
+      $stderr.puts(
+        "warning: #{gem_name} resolves from a private source (#{host}) still_active cannot query; " \
+          "reporting no version/latest/libyear data for it rather than substituting public rubygems.org data",
+      )
+    end
+
     def fetch_github_packages_versions(gem_name:, source_uri:)
       base = URI(source_uri.chomp("/"))
       namespace_path = base.path
-      path = "#{namespace_path}/api/v1/gems/#{gem_name}/versions.json"
+      path = "#{namespace_path}/api/v1/gems/#{CGI.escape(gem_name)}/versions.json"
       token = StillActive.config.github_oauth_token
       headers = token ? { "Authorization" => "Bearer #{token}" } : {}
       HttpHelper.get_json(base, path, headers: headers) || []
@@ -214,32 +266,47 @@ module StillActive
       valid_repository_url =
         [source_uri, *installed_gem_urls(gem_name: gem_name)].find { |url| Repository.valid?(url: url) }
       repo = Repository.url_with_owner_and_name(url: valid_repository_url)
-      project_id = if repo[:url]
-        host = repo[:source] == :gitlab ? "gitlab.com" : "github.com"
-        "#{host}/#{repo[:owner]}/#{repo[:name]}"
-      end
-      repo.merge(project_id: project_id)
+      repo.merge(project_id: deps_dev_project_id(repo))
     end
 
     def repository_info_from_installed_gem(gem_name:)
       valid_repository_url =
         installed_gem_urls(gem_name: gem_name).find { |url| Repository.valid?(url: url) }
       repo = Repository.url_with_owner_and_name(url: valid_repository_url)
-      project_id = if repo[:url]
-        host = repo[:source] == :gitlab ? "gitlab.com" : "github.com"
-        "#{host}/#{repo[:owner]}/#{repo[:name]}"
-      end
-      repo.merge(project_id: project_id)
+      repo.merge(project_id: deps_dev_project_id(repo))
+    end
+
+    # deps.dev scorecards index github.com and gitlab.com only. A Forgejo/Codeberg
+    # repo has no deps.dev project, so leave its project_id nil rather than minting
+    # a bogus github.com/owner/name that would fetch the wrong (or no) scorecard.
+    DEPS_DEV_HOST_BY_SOURCE = { github: "github.com", gitlab: "gitlab.com" }.freeze
+
+    def deps_dev_project_id(repo)
+      host = DEPS_DEV_HOST_BY_SOURCE[repo[:source]]
+      return unless repo[:url] && host
+
+      "#{host}/#{repo[:owner]}/#{repo[:name]}"
     end
 
-    def repository_info(gem_name:, versions:)
+    def repository_info(gem_name:, versions:, source_uri: nil)
       valid_repository_url =
         installed_gem_urls(gem_name: gem_name).find { |url| Repository.valid?(url: url) } ||
         rubygems_versions_repository_url(versions: versions).find { |url| Repository.valid?(url: url) } ||
-        rubygems_gem_repository_url(gem_name: gem_name).find { |url| Repository.valid?(url: url) }
+        public_rubygems_repository_url(gem_name: gem_name, source_uri: source_uri)
       Repository.url_with_owner_and_name(url: valid_repository_url)
     end
 
+    # Locally-installed gem metadata and the gem's own version payload are
+    # source-accurate. This public rubygems.org Gems.info lookup is the last
+    # resort, and is skipped for an unqueryable private source: otherwise a
+    # public name-collision's repo/archived/last-commit data would stand in for
+    # the private gem, the same substitution #43 prevents for versions.
+    def public_rubygems_repository_url(gem_name:, source_uri:)
+      return if unqueryable_private_source?(source_uri)
+
+      rubygems_gem_repository_url(gem_name: gem_name).find { |url| Repository.valid?(url: url) }
+    end
+
     def installed_gem_urls(gem_name:)
       info = Gem::Dependency.new(gem_name).matching_specs.first
       return [] if info.nil?
@@ -268,40 +335,31 @@ module StillActive
       []
     end
 
-    def repo_archived(source:, repository_owner:, repository_name:)
+    # The repo-signal provider for a source, or nil for an unhandled host. Every
+    # provider answers archived/last_commit_date; richer signals (e.g.
+    # commits_since_release) are duck-typed and dispatched by respond_to?, so a
+    # provider opts into them by defining the method, with no base class and no
+    # assumption that every source supports every signal.
+    def provider_for(source)
       case source
-      when :github
-        repo = StillActive.config.github_client.repository("#{repository_owner}/#{repository_name}")
-        repo&.archived
-      when :gitlab
-        GitlabClient.archived(owner: repository_owner, name: repository_name)
+      when :github then GithubClient
+      when :gitlab then GitlabClient
+      when :forgejo then ForgejoClient
       end
-    rescue Octokit::Error, Faraday::Error => e
-      $stderr.puts("warning: archived check failed for #{repository_owner}/#{repository_name}: #{e.class}")
-      nil
     end
 
-    def last_commit_date(source:, repository_owner:, repository_name:)
-      case source
-      when :github
-        commit = StillActive.config.github_client.commits("#{repository_owner}/#{repository_name}", per_page: 1)&.first
-        date = commit&.commit&.author&.date
-        case date
-        when Time then date
-        when String
-          begin
-            Time.parse(date)
-          rescue ArgumentError
-            $stderr.puts("warning: could not parse commit date for #{repository_owner}/#{repository_name}: #{date.inspect}")
-            nil
-          end
-        end
-      when :gitlab
-        GitlabClient.last_commit_date(owner: repository_owner, name: repository_name)
-      end
-    rescue Octokit::Error, Faraday::Error => e
-      $stderr.puts("warning: last commit check failed for #{repository_owner}/#{repository_name}: #{e.class}")
-      nil
+    # One provider call yields both archived and the last-activity date (the
+    # repo object carries both), so a gem's repo signals cost a single request
+    # instead of two. Returns {} for an unhandled host.
+    def repo_signals(source:, repository_owner:, repository_name:)
+      provider_for(source)&.repo_signals(owner: repository_owner, name: repository_name) || {}
+    end
+
+    def unreleased_commits(source:, repository_owner:, repository_name:, version:)
+      provider = provider_for(source)
+      return unless provider.respond_to?(:commits_since_release)
+
+      provider.commits_since_release(owner: repository_owner, name: repository_name, version: version)
     end
   end
 end

data/still_active.gemspec

@@ -9,13 +9,15 @@ Gem::Specification.new do |spec|
   spec.email         = ["contact@seanfloyd.dev"]
 
   spec.summary       = "Audit your Ruby dependencies for maintenance health, outdated versions, vulnerabilities, and abandoned gems."
-  spec.description   = "Analyses your Gemfile for dependency health: checks if gems are actively maintained " \
-    "(last commit dates via GitHub and GitLab, release dates), outdated versions, archived repos, " \
-    "OpenSSF Scorecard security scores, known vulnerabilities via deps.dev, and libyear drift. " \
-    "Ruby version freshness with EOL detection. " \
-    "Handles rubygems, git, path, and GitHub Packages sources. " \
-    "Outputs coloured terminal tables, markdown, or JSON. " \
-    "CI quality gates with --fail-if-critical, --fail-if-warning, --fail-if-vulnerable, --fail-if-outdated, and --ignore. " \
+  spec.description   = "Analyses your Gemfile.lock for dependency health across the full transitive graph: " \
+    "whether each gem is actively maintained (last activity on GitHub, GitLab, or Codeberg/Forgejo, plus " \
+    "release recency), outdated versions, archived repos, OpenSSF Scorecard scores, known vulnerabilities " \
+    "(deps.dev merged with ruby-advisory-db), and libyear drift. Ruby version freshness with EOL detection. " \
+    "Handles rubygems, git, path, GitHub Packages, and JFrog Artifactory sources. " \
+    "Outputs coloured terminal tables, markdown, JSON (with a versioned, contract-tested schema), " \
+    "SARIF for GitHub code scanning, and a CycloneDX SBOM. " \
+    "CI quality gates (--fail-if-critical / -warning / -vulnerable / -outdated) with granular, committed " \
+    "suppression via .still_active.yml. " \
     "A comprehensive alternative to running bundle outdated, bundler-audit, and libyear-bundler separately."
   spec.homepage      = "https://github.com/SeanLF/still_active"
   spec.license       = "MIT"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: still_active
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Sean Floyd
@@ -191,14 +191,17 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 'Analyses your Gemfile for dependency health: checks if gems are actively
-  maintained (last commit dates via GitHub and GitLab, release dates), outdated versions,
-  archived repos, OpenSSF Scorecard security scores, known vulnerabilities via deps.dev,
+description: 'Analyses your Gemfile.lock for dependency health across the full transitive
+  graph: whether each gem is actively maintained (last activity on GitHub, GitLab,
+  or Codeberg/Forgejo, plus release recency), outdated versions, archived repos, OpenSSF
+  Scorecard scores, known vulnerabilities (deps.dev merged with ruby-advisory-db),
   and libyear drift. Ruby version freshness with EOL detection. Handles rubygems,
-  git, path, and GitHub Packages sources. Outputs coloured terminal tables, markdown,
-  or JSON. CI quality gates with --fail-if-critical, --fail-if-warning, --fail-if-vulnerable,
-  --fail-if-outdated, and --ignore. A comprehensive alternative to running bundle
-  outdated, bundler-audit, and libyear-bundler separately.'
+  git, path, GitHub Packages, and JFrog Artifactory sources. Outputs coloured terminal
+  tables, markdown, JSON (with a versioned, contract-tested schema), SARIF for GitHub
+  code scanning, and a CycloneDX SBOM. CI quality gates (--fail-if-critical / -warning
+  / -vulnerable / -outdated) with granular, committed suppression via .still_active.yml.
+  A comprehensive alternative to running bundle outdated, bundler-audit, and libyear-bundler
+  separately.'
 email:
 - contact@seanfloyd.dev
 executables:
@@ -221,25 +224,33 @@ files:
 - lib/helpers/emoji_helper.rb
 - lib/helpers/http_helper.rb
 - lib/helpers/libyear_helper.rb
+- lib/helpers/lockfile_dependency_parser.rb
 - lib/helpers/lockfile_indexer.rb
+- lib/helpers/markdown_escape.rb
 - lib/helpers/markdown_helper.rb
 - lib/helpers/ruby_advisory_db.rb
 - lib/helpers/ruby_helper.rb
 - lib/helpers/sarif_helper.rb
+- lib/helpers/summary_helper.rb
 - lib/helpers/terminal_helper.rb
 - lib/helpers/version_helper.rb
 - lib/helpers/vulnerability_helper.rb
 - lib/still_active.rb
+- lib/still_active/artifactory_client.rb
 - lib/still_active/cli.rb
 - lib/still_active/config.rb
+- lib/still_active/config_file.rb
 - lib/still_active/core_ext.rb
 - lib/still_active/deps_dev_client.rb
 - lib/still_active/diff.rb
 - lib/still_active/errors.rb
+- lib/still_active/forgejo_client.rb
+- lib/still_active/github_client.rb
 - lib/still_active/gitlab_client.rb
 - lib/still_active/options.rb
 - lib/still_active/repository.rb
 - lib/still_active/sarif/rules.rb
+- lib/still_active/suppressions.rb
 - lib/still_active/version.rb
 - lib/still_active/workflow.rb
 - still_active.gemspec