subspace 3.0.20 → 3.0.21

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60535a3d51d04728b59132a9a0db1ca1c4e13fb61a912daa0c507d74af77ba3c
-  data.tar.gz: ddeb0f458623dd033215b7ee6c72710da921d653d6bbcf43cdee54e7772bfd55
+  metadata.gz: df4ca7c7afe682b2ea4aa12fd7ce11ea9fd7d87a380cd9b7adc9b4b3aa554228
+  data.tar.gz: 5f14219cb20dcfdb6adf6dde79b49dbdd33f1db12223dee02c8ddc76e5f72138
 SHA512:
-  metadata.gz: 5022d270ed1eba11e31d7a61aedb9a8744b40075b0d7b7670be57f6bee4e1f7c3c813bd38b4d86f39fef333701b3f97d47c5e441dc87123cb61aad8d4d5e3884
-  data.tar.gz: bbefbc1564cac47009312fc388d0786d3de8361f41e21cac4005c3068c62940c021c068cc47512e749a72fbe1b1813b2a2d6f494e5e56550b8ad10a73e548a78
+  metadata.gz: 6cccd145a57a66a18dc2224496e250b022801d1f57643bbddd14bc4e7a844d684d9656d919c19fd339455ac209e1ef204702e0ea68a179faf6990181514479d0
+  data.tar.gz: b0eeed81c79e8637f78db6be40f32e8d6fff8ad552bf44e1305dad4fe57d0ede687bf3aa32de842ebaaee5cd4bbf1f38330a6ef74224b7412fa7f9e1ff02eb3d

data/CHANGELOG.md

@@ -12,6 +12,9 @@ This project attempts to follow [semantic versioning](https://semver.org/).
 
 ## Unreleased
 
+## 3.0.21
+  * Add gem-patch-report role. Sends stats for each vulnerable gem fixed since the start of the month.
+
 ## 3.0.20
   * Update postgresql-client role to get the actual psql database version instead of the local client version
 

data/ansible/roles/gem-patch-report/README.md

@@ -0,0 +1,137 @@
+# Gem Patch Report Role
+
+This Ansible role generates reports on Ruby gems that had security vulnerabilities at the beginning of the current month and have since been patched. It compares the Gemfile.lock from the start of the month (retrieved from the Capistrano git repo) against the current Gemfile.lock using bundle-audit, and reports only the gems that have been fixed.
+
+## Requirements
+
+- Ruby application deployed with Capistrano (requires the `repo/` directory)
+- bundler-audit gem (automatically installed if missing)
+- Stats server configuration (same as other subspace roles)
+
+## Role Variables
+
+Available variables with their default values:
+
+```yaml
+# Path to the Rails/Ruby application (Capistrano current symlink)
+gem_patch_report_app_path: "/u/apps/{{project_name}}/current"
+
+# Required for stats reporting (inherited from other roles)
+send_stats: false
+stats_url: ""
+stats_api_key: ""
+hostname: ""
+```
+
+## Usage
+
+1. Enable the role in your playbook:
+   ```yaml
+   roles:
+     - gem-patch-report
+   ```
+
+2. Configure the required variables:
+   ```yaml
+   send_stats: true
+   stats_url: "https://your-stats-server.com/api/stats"
+   stats_api_key: "your-api-key"
+   ```
+
+## How It Works
+
+1. Retrieves the Gemfile.lock from the last commit before the 1st of the current month using the Capistrano bare git repo at `<deploy_to>/repo/`
+2. Runs `bundle-audit` against both the old and current Gemfile.lock
+3. Compares the results to identify vulnerabilities that existed at the start of the month but are no longer present (i.e. patched)
+4. Outputs a report containing only the patched gems
+
+## Bundle-Audit Input Format
+
+The role processes JSON output from `bundle-audit check --format json`. Here's the simplified structure:
+
+```json
+{
+  "version": "0.9.2",
+  "created_at": "2026-03-06 12:16:58 -0600",
+  "results": [
+    {
+      "type": "unpatched_gem",
+      "gem": {
+        "name": "nokogiri",
+        "version": "1.18.9"
+      },
+      "advisory": {
+        "id": "GHSA-wx95-c6cv-8532",
+        "title": "Nokogiri does not check the return value from xmlC14NExecute",
+        "criticality": "medium",
+        "cve": null,
+        "patched_versions": [">= 1.19.1"]
+      }
+    }
+  ]
+}
+```
+
+### Key Fields Used
+
+The role extracts data from these fields:
+- `results[].type` - Filters for `"unpatched_gem"`
+- `results[].gem.name` - Gem name
+- `results[].gem.version` - Vulnerable version
+- `results[].advisory.id` - Advisory ID (CVE, GHSA, etc.)
+- `results[].advisory.criticality` - Severity level
+
+## Report Format
+
+The role generates a JSON array of gems that were patched during the current month. If a gem had multiple advisories that were all fixed, each advisory appears as its own entry.
+
+```json
+[
+  {
+    "name": "activestorage",
+    "version": "8.0.2.1",
+    "current_version": "8.0.4.1",
+    "advisory_id": "CVE-2026-33658",
+    "criticality": null
+  },
+  {
+    "name": "bcrypt",
+    "version": "3.1.20",
+    "current_version": "3.1.22",
+    "advisory_id": "CVE-2026-33306",
+    "criticality": null
+  },
+  {
+    "name": "devise",
+    "version": "4.9.4",
+    "current_version": "5.0.3",
+    "advisory_id": "CVE-2026-32700",
+    "criticality": null
+  }
+]
+```
+
+### Gem Objects
+
+Each gem object contains:
+- `name`: The gem name
+- `version`: The vulnerable version from the start of the month
+- `current_version`: The current patched version (parsed from the current Gemfile.lock)
+- `advisory_id`: The security advisory ID (CVE, GHSA, etc.)
+- `criticality`: The severity level (low, medium, high, critical, or null if not specified)
+
+## Tags
+
+This role supports the following tags:
+- `maintenance`
+- `stats`
+- `gem-patch-report`
+
+## Error Handling
+
+The role includes error handling for common scenarios:
+- Missing Gemfile.lock
+- No git history before the current month
+- bundle-audit execution failures
+
+Errors are logged but don't fail the entire playbook execution. If no patched gems are found, an empty array `[]` is reported.

data/ansible/roles/gem-patch-report/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+gem_patch_report_app_path: "/u/apps/{{project_name}}/current"

data/ansible/roles/gem-patch-report/tasks/main.yml

@@ -0,0 +1,89 @@
+---
+- name: Check if gem patch reporting is enabled and required variables are set
+  debug:
+    msg: "Gem patch reporting is enabled"
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+
+- name: Install bundler-audit gem globally
+  gem:
+    name: bundler-audit
+    state: present
+    user_install: false
+  become: true
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+
+- name: Generate gem patch report script
+  template:
+    src: gem-patch-report.sh.j2
+    dest: /tmp/gem-patch-report.sh
+    mode: '0755'
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+
+- name: Run gem patch report script
+  shell: /tmp/gem-patch-report.sh
+  register: gem_patch_report_result
+  become: true
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+  ignore_errors: yes
+
+- name: Read gem patch report file
+  slurp:
+    src: /tmp/gem-patch-report.json
+  register: gem_patch_report_file
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+  ignore_errors: yes
+
+- name: Send gem patch report to stats server
+  uri:
+    url: "{{ stats_url }}"
+    method: POST
+    headers:
+      X-API-Version: 1
+      X-Client-Api-key: "{{ stats_api_key }}"
+    body_format: json
+    body:
+      client_stat:
+        stat_type: gem_patch_report
+        value: "{{ (gem_patch_report_file.content | b64decode) | from_json }}"
+        hostname: "{{ hostname }}"
+  when: send_stats == true and stats_url is defined and stats_api_key is defined and gem_patch_report_file is defined and gem_patch_report_file is not failed
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+  ignore_errors: yes
+
+- name: Clean up temporary gem patch report files
+  file:
+    path: "{{ item }}"
+    state: absent
+  become: true
+  loop:
+    - /tmp/gem-patch-report.sh
+    - /tmp/gem-patch-report.json
+  when: send_stats == true and stats_url is defined and stats_api_key is defined
+  tags:
+    - maintenance
+    - stats
+    - gem-patch-report
+  ignore_errors: yes

data/ansible/roles/gem-patch-report/templates/gem-patch-report.sh.j2

@@ -0,0 +1,114 @@
+#!/bin/bash
+
+APP_PATH="{{ gem_patch_report_app_path }}"
+DEPLOY_DIR=$(cd "$APP_PATH" && cd .. && pwd)
+REPO_DIR="$DEPLOY_DIR/repo"
+TEMP_DIR="/tmp/gem-patch-report-$$"
+REPORT_FILE="$TEMP_DIR/report.json"
+OLD_AUDIT_FILE="$TEMP_DIR/audit_old.json"
+CURRENT_AUDIT_FILE="$TEMP_DIR/audit_current.json"
+OLD_GEMFILE_LOCK="$APP_PATH/Gemfile.lock.old"
+
+# Create temp directory
+mkdir -p "$TEMP_DIR"
+
+# Check if current Gemfile.lock exists
+if [ ! -f "$APP_PATH/Gemfile.lock" ]; then
+    echo '[]' > /tmp/gem-patch-report.json
+    rm -rf "$TEMP_DIR"
+    exit 0
+fi
+
+# Update bundle-audit advisory database
+cd "$APP_PATH"
+bundle exec bundle-audit update 2>/dev/null || true
+
+# Get old Gemfile.lock from the beginning of the month
+FIRST_OF_MONTH=$(date +"%Y-%m-01")
+OLD_COMMIT=$(git -c safe.directory="$REPO_DIR" --git-dir="$REPO_DIR" log --all --before="$FIRST_OF_MONTH" -1 --format="%H" -- Gemfile.lock 2>/dev/null)
+
+if [ -z "$OLD_COMMIT" ]; then
+    # No commit before this month, nothing to compare
+    echo '[]' > /tmp/gem-patch-report.json
+    rm -rf "$TEMP_DIR"
+    exit 0
+fi
+
+git -c safe.directory="$REPO_DIR" --git-dir="$REPO_DIR" show "${OLD_COMMIT}:Gemfile.lock" > "$OLD_GEMFILE_LOCK"
+
+# Run bundle-audit on the old Gemfile.lock
+# bundle-audit exits non-zero when vulnerabilities are found, so ignore the exit code
+bundle exec bundle-audit check --gemfile-lock Gemfile.lock.old --format json > "$OLD_AUDIT_FILE" 2>/dev/null || true
+
+# Run bundle-audit on current Gemfile.lock
+bundle exec bundle-audit check --format json > "$CURRENT_AUDIT_FILE" 2>/dev/null || true
+
+# Set environment variables for Ruby script
+export OLD_AUDIT_FILE="$OLD_AUDIT_FILE"
+export CURRENT_AUDIT_FILE="$CURRENT_AUDIT_FILE"
+export CURRENT_GEMFILE_LOCK="$APP_PATH/Gemfile.lock"
+
+# Generate patch report using Ruby
+ruby << 'RUBY' > "$REPORT_FILE"
+require 'json'
+require 'set'
+
+begin
+  old_audit = JSON.parse(File.read(ENV['OLD_AUDIT_FILE']))
+  current_audit = JSON.parse(File.read(ENV['CURRENT_AUDIT_FILE']))
+
+  old_results = old_audit['results'] || []
+  current_results = current_audit['results'] || []
+
+  # Build a set of current vulnerability keys (gem name + advisory id)
+  current_vuln_keys = current_results
+    .select { |r| r['type'] == 'unpatched_gem' && r['gem'] && r['advisory'] }
+    .map { |r| "#{r['gem']['name']}:#{r['advisory']['id']}" }
+    .to_set
+
+  # Parse current Gemfile.lock to get current gem versions
+  current_versions = {}
+  gemfile_lock = File.read(ENV['CURRENT_GEMFILE_LOCK']) rescue ''
+  in_specs = false
+  gemfile_lock.each_line do |line|
+    if line.strip == 'specs:'
+      in_specs = true
+      next
+    end
+    if in_specs
+      if line =~ /^\s{4}(\S+)\s+\(([^)]+)\)/
+        current_versions[$1] = $2
+      elsif line !~ /^\s/
+        in_specs = false
+      end
+    end
+  end
+
+  # Only include gems that were vulnerable at start of month but are now patched
+  patched_gems = old_results
+    .select { |r| r['type'] == 'unpatched_gem' && r['gem'] && r['advisory'] }
+    .reject { |r| current_vuln_keys.include?("#{r['gem']['name']}:#{r['advisory']['id']}") }
+    .map { |r|
+      {
+        'name' => r['gem']['name'],
+        'version' => r['gem']['version'],
+        'current_version' => current_versions[r['gem']['name']] || 'unknown',
+        'advisory_id' => r['advisory']['id'],
+        'criticality' => r['advisory']['criticality']
+      }
+    }
+    .sort_by { |g| [g['name'], g['advisory_id']] }
+
+  puts JSON.pretty_generate(patched_gems)
+
+rescue JSON::ParserError => e
+  puts '[]'
+rescue => e
+  puts '[]'
+end
+RUBY
+
+# Copy report to known location and clean up
+cp "$REPORT_FILE" /tmp/gem-patch-report.json
+rm -rf "$TEMP_DIR"
+rm -f "$OLD_GEMFILE_LOCK"

data/lib/subspace/version.rb

@@ -1,3 +1,3 @@
 module Subspace
-  VERSION = "3.0.20"
+  VERSION = "3.0.21"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: subspace
 version: !ruby/object:Gem::Version
-  version: 3.0.20
+  version: 3.0.21
 platform: ruby
 authors:
 - Brian Samson
@@ -153,6 +153,10 @@ files:
 - ansible/roles/delayed_job/tasks/main.yml
 - ansible/roles/delayed_job/templates/delayed-job-monit-rc
 - ansible/roles/delayed_job/templates/delayed-job-systemd.service
+- ansible/roles/gem-patch-report/README.md
+- ansible/roles/gem-patch-report/defaults/main.yml
+- ansible/roles/gem-patch-report/tasks/main.yml
+- ansible/roles/gem-patch-report/templates/gem-patch-report.sh.j2
 - ansible/roles/letsencrypt/defaults/main.yml
 - ansible/roles/letsencrypt/tasks/legacy.yml
 - ansible/roles/letsencrypt/tasks/main.yml