# # Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com) # Modifications Copyright (c) 2013-2014 Jon Frisby (jfrisby@mrjoy.com), or their # respective authors. # # mrjoy-bundler-audit is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # mrjoy-bundler-audit is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with mrjoy-bundler-audit. If not, see . # require 'bundler/audit/scanner' require 'bundler/audit/version' require 'thor' require 'bundler' require 'bundler/vendored_thor' module Bundler module Audit class CLI < ::Thor default_task :check map '--version' => :version desc 'check', 'Checks the Gemfile.lock for insecure dependencies' method_option :verbose, :type => :boolean, :aliases => '-v' method_option :ignore, :type => :array, :aliases => '-i' def check begin scanner = Scanner.new rescue ArgumentError print_setup_instructions exit 1 end # attempt update the database before doing a scan scanner.database.update! unpatched_versions = false insecure_sources = false scanner.scan(:ignore => options.ignore) do |result| case result when Scanner::InsecureSource insecure_sources = true print_warning "Insecure Source URI found: #{result.source}" when Scanner::UnpatchedGem unpatched_versions = true print_advisory result.gem, result.advisory end end if unpatched_versions say "Unpatched versions found!", :red else say "No unpatched versions found", :green end if insecure_sources say "Insecure sources found!", :red else say "No insecure sources found", :green end if unpatched_versions || insecure_sources exit 1 end end desc 'update', 'Updates the ruby-advisory-db' def update say "Updating ruby-advisory-db ..." Database.update! puts "ruby-advisory-db: #{Database.new.size} advisories" end desc 'version', 'Prints the bundler-audit version' def version cmd = File.basename($0) advisories = nil begin database = Database.new advisories = " (advisories: #{database.size})" rescue ArgumentError # Don't have a database yet. end say "#{cmd} #{VERSION}#{advisories}", :bold if advisories.nil? print_setup_instructions exit 1 end end protected def say(message="", color=nil) color = nil unless $stdout.tty? super(message.to_s, color) end def print_warning(message) say message, :yellow end def print_advisory(gem, advisory) print_affected_gem(gem) say "Advisory: ", :red say advisory.id say "Criticality: ", :red say *(CRITICALITY_MAP[advisory.criticality] || "Unknown") say "URL: ", :red say advisory.url print_advisory_details advisory print_advisory_solution advisory say end protected def print_setup_instructions say "" print_warning "You don't have a copy of the Ruby vulnerabilities database yet." print_warning "To get the database, please run:" say "" print_warning " #{$0} update" say "" end def print_affected_gem(gem) say "Name: ", :red say gem.name say "Version: ", :red say gem.version end def print_advisory_details(advisory) if options.verbose? say "Description:", :red say print_wrapped advisory.description, :indent => 2 say else say "Title: ", :red say advisory.title end end def print_advisory_solution(advisory) unless advisory.patched_versions.empty? say "Solution: upgrade to ", :red say advisory.patched_versions.join(', ') else say "Solution: ", :red say "remove or disable this gem until a patch is available!", [:red, :bold] end end CRITICALITY_MAP = { :low => ["Low"], :medium => ["Medium", :yellow], :high => ["High", [:red, :bold]], } end end end