rtfpessoa / dependency_spy Goto Github PK
View Code? Open in Web Editor NEWFind known vulnerabilities in your dependencies
Home Page: https://github.com/rtfpessoa/dependency_spy
License: GNU Affero General Public License v3.0
Find known vulnerabilities in your dependencies
Home Page: https://github.com/rtfpessoa/dependency_spy
License: GNU Affero General Public License v3.0
On this repo:
https://github.com/ipepe/rails-app-starting-template
depspy does not detect sprockets vulnerability:
https://snyk.io/vuln/SNYK-RUBY-SPROCKETS-22032
Add support for a configuration file where the user can specify:
e.g.: .depspy.yaml
, .depspy.yml
, .depspy.json
.
Allow the user to pass a minimum severity to be considered an error.
This should affect the exit code.
Maybe we want always to show all issues but show the ones above the threshold with a color?
I think default should be all.
e.g. --severity-threshold=medium
Would it be possible to support something like D's package manager? https://code.dlang.org
Add --ignore
option to allow passing a comma separated list of ids to be ignored in the analysis.
Add support for https://github.com/jrudolph/sbt-dependency-graph to read Scala projects dependencies.
Suggestions:
Describe the bug
When passing in a CLI argument that is handled by Thor's method_option
, multi-word arguments are accessed by a symbol instead of the string it's keyed on. This works for single word arguments as the symbolization is seamless.
The only option I can see that is affected by this is currently database-path
To Reproduce
bundle exec bin/depspy check --database-path="/an/invalid/path"
YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH
Expected behavior
bundle exec bin/depspy check --database-path="/an/invalid/path"
Screenshots
Modified dependency_spy.rb
to show options handling output:
module DependencySpy
class API
def self.check(options)
puts "=== Options Input:"
puts options
puts "=== Single Word Key"
puts options["files"]
puts options[:files]
puts "=== Multi-Word Key"
puts options["database-path"]
puts options[:database_path]
# ...
# Original Options Handling
# ...
puts "=== Post Options Handling"
puts files
puts database_path
#...
Output of logging:
bundle exec bin/depspy check --files=Gemfile,Gemfile.lock --database-path="/an/invalid/path"
=== Options Input:
{"verbose"=>false, "path"=>"/Users/bryanculver/Workspace/Repos/OpenSource/dependency_spy", "formatter"=>"text", "database-path"=>"/an/invalid/path", "offline"=>false, "severity-threshold"=>"low", "with-color"=>true, "ignore"=>[], "files"=>"Gemfile,Gemfile.lock"}
=== Single Word Key
Gemfile,Gemfile.lock
Gemfile,Gemfile.lock
=== Multi-Word Key
/an/invalid/path
=== Post Options Handling
Gemfile,Gemfile.lock
/Users/bryanculver/.yavdb/yavdb/database
Desktop (please complete the following information):
@master
/v0.5.0
Additional context
Discovered this while looking to implement #5.
When a vulnerability is discovered we could try to perform the update in the manifest file.
Starting with Ruby or Javascript (since the manifests are usually easier to understand) we could try to change the vulnerable version for the latest minor that matches the user current dependency.
e.g. depspy fix
As a first step towards #8 we could have kind of an interactive guide where we would guide the user to update each dependency.
/Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `block (2 levels) in check': undefined method `vulnerabilities' for #<Hash:0x00007fe2be30f018> (NoMethodError)
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `any?'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `block in check'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `any?'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `check'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/bin/dependency_spy:5:in `<top (required)>'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/bin/depspy:3:in `load'
from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/bin/depspy:3:in `<top (required)>'
from /Users/pptasinski/.rbenv/versions/2.4.3/bin/depspy:23:in `load'
from /Users/pptasinski/.rbenv/versions/2.4.3/bin/depspy:23:in `<main>'
Hacktoberfest is here. Are there any issues that You would like to be helped with?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.