yavdb 0.4.6 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0c6a16c1ad341800e014e831881b5318861121f2
-  data.tar.gz: 7f94a479c7e8c9e27e2a1c09c45aa8e97d555d00
+  metadata.gz: '098100217162c420c325d890510998f31dd80f1f'
+  data.tar.gz: cb80e815cc5360812cfe708990fe49e739799828
 SHA512:
-  metadata.gz: 560fae6458957d62ef613c6dba814f65fcb5c2a689af994a3a108da645ef585d0099ae09103f576f7d7899f394ca475538265b67743f93498a7c00ca350d09cb
-  data.tar.gz: 48cf2d4beb8079751e49dc64dd60bb16b62d9de060ff1731216d753c87ca6ecfad7ac31b8cf4f4c10367bc35f2b794236700f02dac9e583e688d044cb584513e
+  metadata.gz: '06800098df9eed75b94e2b6206e598c19b177194a2cdffc6a7c2aeaab3f1848ece390afeb6c93c168f3b789d5eb4ccaea4ed9731f4d85192d80c34b8957724d7'
+  data.tar.gz: f38a8088c2b9832b4fb8fe5b616318a0e4b3111f000fd046627657441f7495a7a75ef14b7e9c525a82dac437368fae8953bc9df75dc8e41161e3d19d2338b00c

data/.circleci/config.yml

@@ -8,10 +8,6 @@ jobs:
     steps:
     - checkout
 
-    - name: Install Bundler Version
-      type: shell
-      command: gem install bundler -v 1.16
-
     - name: Prepare yavdb cache
       type: shell
       command: echo "$(date)" > /tmp/yavdb.cache.log
@@ -19,22 +15,23 @@ jobs:
     - name: Restore gem cache
       type: cache-restore
       keys:
-      - 2-gem-yavdb-{{ checksum "Gemfile.lock" }}
-      - 2-gem-yavdb-
+      - gem-cache-1-{{ checksum "Gemfile.lock" }}
 
     - name: Restore yavdb cache
       type: cache-restore
       keys:
-      - 1-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
-      - 1-crawler-yavdb-cache-
+      - 2-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
+      - 2-crawler-yavdb-cache
 
     - name: Bundle Install
       type: shell
-      command: bundle install --path /tmp/vendor/bundle
+      command: |
+        sudo gem update --system
+        bundle install --path /tmp/vendor/bundle
 
     - name: Save bundler cache
       type: cache-save
-      key: 2-gem-yavdb-{{ checksum "Gemfile.lock" }}
+      key: gem-cache-1-{{ checksum "Gemfile.lock" }}
       paths:
       - /tmp/vendor/bundle
 
@@ -48,7 +45,7 @@ jobs:
 
     - name: Save yavdb cache
       type: cache-save
-      key: 1-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
+      key: 2-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
       paths:
       - ~/.yavdb/cache
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    yavdb (0.4.6)
+    yavdb (0.5.0)
       execjs (~> 2.7.0)
       json (~> 2.1)
       kramdown (~> 1.17)
@@ -9,12 +9,14 @@ PATH
       semantic_interval (~> 0.1)
       therubyracer (~> 0.12)
       thor (~> 0.20)
+      toml-rb (~> 1.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
     ansi (1.5.0)
     ast (2.4.0)
+    citrus (3.0.2)
     codacy-coverage (2.1.0)
       simplecov
     diff-lcs (1.3)
@@ -27,8 +29,8 @@ GEM
     oga (2.15)
       ast
       ruby-ll (~> 2.1)
-    parallel (1.12.1)
-    parser (2.5.3.0)
+    parallel (1.13.0)
+    parser (2.6.0.0)
       ast (~> 2.4.0)
     powerpack (0.1.2)
     rainbow (3.0.0)
@@ -49,7 +51,7 @@ GEM
     rspec-support (3.8.0)
     rspec_junit_formatter (0.4.1)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (0.62.0)
+    rubocop (0.64.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.5, != 2.5.1.1)
@@ -57,7 +59,7 @@ GEM
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.4.0)
-    rubocop-rspec (1.31.0)
+    rubocop-rspec (1.32.0)
       rubocop (>= 0.60.0)
     ruby-ll (2.1.2)
       ansi
@@ -73,6 +75,8 @@ GEM
       libv8 (~> 3.16.14.15)
       ref
     thor (0.20.3)
+    toml-rb (1.1.2)
+      citrus (~> 3.0, > 3.0)
     unicode-display_width (1.4.1)
 
 PLATFORMS
@@ -89,4 +93,4 @@ DEPENDENCIES
   yavdb!
 
 BUNDLED WITH
-   1.16.0
+   1.17.3

data/README.md

@@ -12,10 +12,10 @@ developers identify and fix know vulnerabilities in their apps.
 The sources for this database include 
 [Rubysec](https://rubysec.com/),
 [snyk](https://snyk.io/),
-[OSSIndex (deprecated)](https://ossindex.net/),
 [Friends of PHP](https://github.com/FriendsOfPHP/security-advisories),
 [Magento Related Security Advisories](https://github.com/victims/victims-cve-db),
-[Victims CVE Database](https://github.com/victims/victims-cve-db)
+[Victims CVE Database](https://github.com/victims/victims-cve-db),
+[RustSec](https://github.com/RustSec/advisory-db)
 
 ## Prerequisites
 

data/lib/yavdb/constants.rb

@@ -28,7 +28,7 @@ module YAVDB
     DEFAULT_YAVDB_DATABASE_PATH = File.expand_path(File.join(DEFAULT_YAVDB_PATH, 'database')).freeze
     DEFAULT_CACHE_PATH          = File.expand_path(File.join(ENV['HOME'], '.yavdb', 'cache')).freeze
 
-    POSSIBLE_PACKAGE_MANAGERS = ['npm', 'rubygems', 'maven', 'nuget', 'packagist', 'pypi', 'go'].freeze
+    POSSIBLE_PACKAGE_MANAGERS = ['npm', 'rubygems', 'maven', 'nuget', 'packagist', 'pypi', 'go', 'cargo'].freeze
 
     SEVERITIES = ['low', 'medium', 'high'].freeze
 

data/lib/yavdb/sources/rustsec.rb

@@ -0,0 +1,89 @@
+# yavdb - The Free and Open Source vulnerability database
+# Copyright (C) 2017-present Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+require 'date'
+require 'toml-rb'
+
+require_relative '../dtos/advisory'
+require_relative '../source_types/git_repo'
+
+module YAVDB
+  module Sources
+    module RustSec
+      class Client
+
+        REPOSITORY_URL = 'https://github.com/RustSec/advisory-db'.freeze
+        PACKAGE_MANAGER = 'cargo'.freeze
+
+        def self.advisories
+          YAVDB::SourceTypes::GitRepo.search('crates/**/*.toml', REPOSITORY_URL).map do |repo_path, file_paths|
+            Dir.chdir(repo_path) do
+              file_paths.map do |file_path|
+                advisory_hash = TomlRB.load_file(file_path)
+                create(advisory_hash['advisory'])
+              end
+            end
+          end.flatten
+        end
+
+        class << self
+
+          private
+
+          def create(advisory_hash)
+            date = Date.strptime(advisory_hash['date'].to_s, '%Y-%m-%d')
+            severity = 'high' # since no value is provided will use highest
+            cve = advisory_hash['aliases']&.select { |a| a.start_with?('CVE') }
+            references = advisory_hash['url'] && [advisory_hash['url']]
+
+            vuln_id = "rustsec:cargo:#{advisory_hash['package']}:#{advisory_hash['id']}"
+
+            YAVDB::Advisory.new(
+              vuln_id,
+              advisory_hash['title'],
+              advisory_hash['description'],
+              advisory_hash['package'],
+              nil,
+              advisory_hash['unaffected_versions'],
+              advisory_hash['patched_versions'],
+              severity,
+              PACKAGE_MANAGER,
+              cve,
+              nil, #:cwe
+              nil,
+              nil, #:cvss_v2_vector
+              nil,
+              nil, #:cvss_v3_vector
+              nil,
+              date,
+              date,
+              date,
+              ['RustSec'],
+              references,
+              generate_url(advisory_hash)
+            )
+          end
+
+          def generate_url(advisory_hash)
+            "#{REPOSITORY_URL}/blob/master/crates/#{advisory_hash['package']}/#{advisory_hash['id']}.toml"
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/yavdb/version.rb

@@ -16,6 +16,6 @@
 
 module YAVDB
 
-  VERSION = '0.4.6'
+  VERSION = '0.5.0'
 
 end

data/yavdb.gemspec

@@ -42,4 +42,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'semantic_interval', ['~> 0.1']
   spec.add_runtime_dependency 'therubyracer', ['~> 0.12']
   spec.add_runtime_dependency 'thor', ['~> 0.20']
+  spec.add_runtime_dependency 'toml-rb', ['~> 1.1']
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yavdb
 version: !ruby/object:Gem::Version
-  version: 0.4.6
+  version: 0.5.0
 platform: ruby
 authors:
 - Rodrigo Fernandes
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-15 00:00:00.000000000 Z
+date: 2019-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codacy-coverage
@@ -206,6 +206,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.20'
+- !ruby/object:Gem::Dependency
+  name: toml-rb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
 description: "\n    Yet Another Vulnerability Database\n    The Free and Open Source
   vulnerability database.\n  "
 email:
@@ -242,8 +256,8 @@ files:
 - lib/yavdb/source_types/git_repo.rb
 - lib/yavdb/sources/friends_of_php.rb
 - lib/yavdb/sources/npmjs.rb
-- lib/yavdb/sources/ossindex.rb
 - lib/yavdb/sources/ruby_advisory.rb
+- lib/yavdb/sources/rustsec.rb
 - lib/yavdb/sources/snyk_io.rb
 - lib/yavdb/sources/victims.rb
 - lib/yavdb/utils/cache.rb

data/lib/yavdb/sources/ossindex.rb

@@ -1,140 +0,0 @@
-# yavdb - The Free and Open Source vulnerability database
-# Copyright (C) 2017-present Rodrigo Fernandes
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-require 'oga'
-require 'oga/xml/entities'
-
-require_relative '../dtos/advisory'
-require_relative '../utils/http'
-
-module YAVDB
-  module Sources
-    module OSSIndex
-      class Client
-
-        API_URL               = 'https://ossindex.net'
-        PACKAGE_MANAGERS      = ['npm', 'maven', 'composer', 'nuget', 'rubygems', 'pypi']
-        PACKAGE_MANAGER_ALIAS = Hash['composer' => 'packagist']
-
-        def self.advisories
-          PACKAGE_MANAGERS.map do |package_manager|
-            packages = fetch_packages(package_manager)
-            parse_vulnerabilities(package_manager, packages)
-          end.flatten
-        end
-
-        class << self
-
-          private
-
-          def fetch_packages(package_manager)
-            next_url = start_url(package_manager)
-            packages = []
-
-            while next_url
-              ossindex      = YAVDB::Utils::HTTP.get_page_contents(next_url, true, 'ossindex/advisories')
-              ossindex_json = JSON.parse(ossindex.join)
-              page_packages = ossindex_json['packages']
-
-              packages.concat(page_packages)
-
-              next_url = ossindex_json['next']
-            end
-
-            packages
-          end
-
-          def parse_vulnerabilities(package_manager, packages)
-            packages
-              .map do |package|
-              package['vulnerabilities'].map do |advisory|
-                create(package_manager, package, advisory)
-              end
-            end.flatten
-          end
-
-          def create(package_manager, package, advisory)
-            published_date = Date.strptime((advisory['published'] / 1000).to_s, '%s')
-            updated_date   = Date.strptime((advisory['updated'] / 1000).to_s, '%s')
-
-            cve = if advisory['cve']
-                    [advisory['cve']].map(&:strip).reject(&:empty?)
-                  else
-                    []
-                  end
-
-            package_manager = PACKAGE_MANAGER_ALIAS[package_manager] || package_manager
-
-            package_name =
-              if package_manager == 'maven'
-                "#{package['group']}:#{package['name']}"
-              elsif package_manager == 'packagist'
-                "#{package['group']}/#{package['name']}"
-              else
-                package['name']
-              end
-
-            versions = advisory['versions']
-                         .map { |v| v.split('||') }
-                         .flatten
-                         .map(&:strip)
-                         .reject(&:empty?)
-                         .reject { |v| v == '-' }
-                         .map { |version| version.gsub("''", '') }
-            versions = ['*'] unless versions.any?
-
-            vuln_id = "ossindex:#{package_manager}:#{package_name}:#{advisory['id']}"
-
-            YAVDB::Advisory.new(
-              vuln_id,
-              advisory['title'],
-              advisory['description'],
-              package_name,
-              versions,
-              nil, #:unaffected_versions
-              nil, #:patched_versions
-              nil, #:severity
-              package_manager,
-              cve,
-              nil, #:cwe
-              nil, #:osvdb
-              nil, #:cvss_v2_vector
-              nil, #:cvss_v2_score
-              nil, #:cvss_v3_vector
-              nil, #:cvss_v3_score
-              published_date,
-              published_date,
-              updated_date,
-              ['OSSIndex'],
-              advisory['references'],
-              website_url(package['id'])
-            )
-          end
-
-          def start_url(package_manager)
-            "#{API_URL}/v2.0/vulnerability/pm/#{package_manager}/fromtill/0/-1"
-          end
-
-          def website_url(id)
-            "#{API_URL}/resource/package/#{id}/vulnerabilities"
-          end
-
-        end
-
-      end
-    end
-  end
-end