rtfpessoa / dependency_spy Goto Github PK
View Code? Open in Web Editor NEWFind known vulnerabilities in your dependencies
Home Page: https://github.com/rtfpessoa/dependency_spy
License: GNU Affero General Public License v3.0
dependency_spy's Issues
Undetected vulnerability
On this repo:
https://github.com/ipepe/rails-app-starting-template
depspy does not detect sprockets vulnerability:
https://snyk.io/vuln/SNYK-RUBY-SPROCKETS-22032
Support configuration file
Add support for a configuration file where the user can specify:
- Files/Globs to check
- Files/Globs to ignore
- Package managers to check
- Vulnerabilities to ignore
e.g.: .depspy.yaml, .depspy.yml, .depspy.json.
Allow to configure severity threshold
Allow the user to pass a minimum severity to be considered an error.
This should affect the exit code.
Maybe we want always to show all issues but show the ones above the threshold with a color?
I think default should be all.
e.g. --severity-threshold=medium
Support for dub
Would it be possible to support something like D's package manager? https://code.dlang.org
Add option to ignore vulnerabilities by the id
Add --ignore option to allow passing a comma separated list of ids to be ignored in the analysis.
Add support for sbt with sbt-dependency-graph
Add support for https://github.com/jrudolph/sbt-dependency-graph to read Scala projects dependencies.
Suggestions:
- Help user setup sbt-dependency-graph
- Execute sbt-dependency-graph and retrieve the dependencies like we do with bibliothecary for the others.
- Analyse the dependencies like the other sources
- Create some tests
Multi-Word CLI Arugments Not Respected
Describe the bug
When passing in a CLI argument that is handled by Thor's method_option, multi-word arguments are accessed by a symbol instead of the string it's keyed on. This works for single word arguments as the symbolization is seamless.
The only option I can see that is affected by this is currently database-path
To Reproduce
- Clone repo
- Execute
bundle exec bin/depspy check --database-path="/an/invalid/path" - See list of vulns, as it's defaulting to
YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
Expected behavior
- Execute
bundle exec bin/depspy check --database-path="/an/invalid/path" - See no vulns as database is empty/invalid
Screenshots
Modified dependency_spy.rb to show options handling output:
module DependencySpy
class API
def self.check(options)
puts "=== Options Input:"
puts options
puts "=== Single Word Key"
puts options["files"]
puts options[:files]
puts "=== Multi-Word Key"
puts options["database-path"]
puts options[:database_path]
# ...
# Original Options Handling
# ...
puts "=== Post Options Handling"
puts files
puts database_path
#...Output of logging:
bundle exec bin/depspy check --files=Gemfile,Gemfile.lock --database-path="/an/invalid/path"
=== Options Input:
{"verbose"=>false, "path"=>"/Users/bryanculver/Workspace/Repos/OpenSource/dependency_spy", "formatter"=>"text", "database-path"=>"/an/invalid/path", "offline"=>false, "severity-threshold"=>"low", "with-color"=>true, "ignore"=>[], "files"=>"Gemfile,Gemfile.lock"}
=== Single Word Key
Gemfile,Gemfile.lock
Gemfile,Gemfile.lock
=== Multi-Word Key
/an/invalid/path
=== Post Options Handling
Gemfile,Gemfile.lock
/Users/bryanculver/.yavdb/yavdb/database
Desktop (please complete the following information):
- OS: Mac
- Ruby Version 2.5.5
- Bundler Version: 1.17.3
- Version
@master/v0.5.0
Additional context
Discovered this while looking to implement #5.
Add fix feature
When a vulnerability is discovered we could try to perform the update in the manifest file.
Starting with Ruby or Javascript (since the manifests are usually easier to understand) we could try to change the vulnerable version for the latest minor that matches the user current dependency.
e.g. depspy fix
Walk user through the update of vulnerable versions
As a first step towards #8 we could have kind of an interactive guide where we would guide the user to update each dependency.
Exception when printing json output
/Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `block (2 levels) in check': undefined method `vulnerabilities' for #<Hash:0x00007fe2be30f018> (NoMethodError)
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `any?'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `block in check'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `any?'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `check'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/bin/dependency_spy:5:in `<top (required)>'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/bin/depspy:3:in `load'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/bin/depspy:3:in `<top (required)>'
from /Users/pptasinski/.rbenv/versions/2.4.3/bin/depspy:23:in `load'
from /Users/pptasinski/.rbenv/versions/2.4.3/bin/depspy:23:in `<main>'
Hacktoberfest
Hacktoberfest is here. Are there any issues that You would like to be helped with?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.