rtfpessoa / dependency_spy Goto Github PK

View Code? Open in Web Editor NEW

89.0 5.0 7.0 152 KB

Find known vulnerabilities in your dependencies

Home Page: https://github.com/rtfpessoa/dependency_spy

License: GNU Affero General Public License v3.0

Ruby 99.78% Shell 0.22%

dependencies versions vulnerabilities scanner npm bower maven composer rubygems hacktoberfest

dependency_spy's Introduction

dependency_spy

Finds known vulnerabilities in your dependencies using yavdb as the source agregator of vulnerabilities.

Thanks to the amazing work done by libraries.io all the dependency manifest parsing is handled by bibliothecary and this means we have support for more than 20 package managers. Due to the limited sources of information we only have identified vulnerabilities for the ones listed in yavdb.

Disclaimer

This projects aims to provide an OSS alternative to identify known vulnerabilities for your dependencies. Although it makes a good effort in doing this, there is no assurance it is finding all the publicly available vulnerabilities. The maintainers take no responsibility for any harm caused by you relying on it. Use as a complement to other tools at your own risk.

Supported Package Managers

NPM
RubyGems
Maven
Nuget
Packagist
Pypi
Go
Cargo

Prerequisites

Ruby 2.3 or newer

Installation

gem install dependency_spy

Usage

Examples

Check current directory project

depspy

TODO:

Tests

Version Comparison

Features/Improvements

Ignore vulnerabilities
Improve output formatters
Add more output options

Help

Commands:
  depspy check           # Check dependencies for known vulnerabilities
  depspy help [COMMAND]  # Describe available commands or one specific command
  depspy update          # Update known vulnerabilities database

Options:
  [--verbose], [--no-verbose]   
  d, [--vuln-db-path=VULN-DB-PATH]  # Default: <HOME>/.yavdb/yavdb

Development

After checking out the repo, run bin/setup to install dependencies. Then, run bundle exec rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/rtfpessoa/dependency_spy. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

Copyright

dependency_spy's People

Contributors

Stargazers

Watchers

Forkers

ipepe sonic45132 sundus-y chubbymaggie bryanculver l3dlp-sandbox convisoappsec

dependency_spy's Issues

Add support for sbt with sbt-dependency-graph

Add support for https://github.com/jrudolph/sbt-dependency-graph to read Scala projects dependencies.

Suggestions:

Help user setup sbt-dependency-graph
Execute sbt-dependency-graph and retrieve the dependencies like we do with bibliothecary for the others.
Analyse the dependencies like the other sources
Create some tests

Support for dub

Would it be possible to support something like D's package manager? https://code.dlang.org

Hacktoberfest

Hacktoberfest is here. Are there any issues that You would like to be helped with?

Undetected vulnerability

On this repo:
https://github.com/ipepe/rails-app-starting-template
depspy does not detect sprockets vulnerability:
https://snyk.io/vuln/SNYK-RUBY-SPROCKETS-22032

Allow to configure severity threshold

Allow the user to pass a minimum severity to be considered an error.
This should affect the exit code.
Maybe we want always to show all issues but show the ones above the threshold with a color?

I think default should be all.

e.g. --severity-threshold=medium

Multi-Word CLI Arugments Not Respected

Describe the bug
When passing in a CLI argument that is handled by Thor's method_option, multi-word arguments are accessed by a symbol instead of the string it's keyed on. This works for single word arguments as the symbolization is seamless.

The only option I can see that is affected by this is currently database-path

To Reproduce

Clone repo
Execute bundle exec bin/depspy check --database-path="/an/invalid/path"
See list of vulns, as it's defaulting to YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH

Expected behavior

Execute bundle exec bin/depspy check --database-path="/an/invalid/path"
See no vulns as database is empty/invalid

Screenshots
Modified dependency_spy.rb to show options handling output:

module DependencySpy
  class API

    def self.check(options)

      puts "=== Options Input:"
      puts options
      puts "=== Single Word Key"
      puts options["files"]
      puts options[:files]
      puts "=== Multi-Word Key"
      puts options["database-path"]
      puts options[:database_path]

      # ...
      # Original Options Handling
      # ...

      puts "=== Post Options Handling"
      puts files
      puts database_path
#...

Output of logging:

bundle exec bin/depspy check --files=Gemfile,Gemfile.lock --database-path="/an/invalid/path"
=== Options Input:
{"verbose"=>false, "path"=>"/Users/bryanculver/Workspace/Repos/OpenSource/dependency_spy", "formatter"=>"text", "database-path"=>"/an/invalid/path", "offline"=>false, "severity-threshold"=>"low", "with-color"=>true, "ignore"=>[], "files"=>"Gemfile,Gemfile.lock"}
=== Single Word Key
Gemfile,Gemfile.lock
Gemfile,Gemfile.lock
=== Multi-Word Key
/an/invalid/path

=== Post Options Handling
Gemfile,Gemfile.lock
/Users/bryanculver/.yavdb/yavdb/database

Desktop (please complete the following information):

OS: Mac
Ruby Version 2.5.5
Bundler Version: 1.17.3
Version @master/v0.5.0

Additional context
Discovered this while looking to implement #5.

Support configuration file

Add support for a configuration file where the user can specify:

Files/Globs to check
Files/Globs to ignore
Package managers to check
Vulnerabilities to ignore

e.g.: .depspy.yaml, .depspy.yml, .depspy.json.

Exception when printing json output

/Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `block (2 levels) in check': undefined method `vulnerabilities' for #<Hash:0x00007fe2be30f018> (NoMethodError)
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `any?'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `block in check'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `any?'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/lib/dependency_spy/cli.rb:64:in `check'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/bin/dependency_spy:5:in `<top (required)>'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/bin/depspy:3:in `load'
        from /Users/pptasinski/.rbenv/versions/2.4.3/lib/ruby/gems/2.4.0/gems/dependency_spy-0.2.0/bin/depspy:3:in `<top (required)>'
        from /Users/pptasinski/.rbenv/versions/2.4.3/bin/depspy:23:in `load'
        from /Users/pptasinski/.rbenv/versions/2.4.3/bin/depspy:23:in `<main>'

e.g. depspy fix