Fix false nagetive when using patched and unaffected

rtfpessoa · Oct 5, 2018 · 2a2d162 · 2a2d162
1 parent 89a88d0
commit 2a2d162
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 12 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -26,6 +26,10 @@ jobs:
         paths:
           - /tmp/vendor/bundle
 
+      - name: Vulnerable dependencies
+        type: shell
+        command: bundle exec depspy check --files Gemfile,Gemfile.lock
+
       - name: Rubocop
         type: shell
         command: bundle exec rubocop

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,11 +1,11 @@
 PATH
   remote: .
   specs:
-    dependency_spy (0.1.4)
+    dependency_spy (0.2.0)
       bibliothecary (~> 6.3)
       semantic_range (~> 2.1)
       thor (~> 0.20)
-      yavdb (~> 0.1)
+      yavdb (~> 0.2)
 
 GEM
   remote: https://rubygems.org/
@@ -89,7 +89,7 @@ GEM
     typhoeus (1.3.0)
       ethon (>= 0.9.0)
     unicode-display_width (1.4.0)
-    yavdb (0.1.2)
+    yavdb (0.2.0)
       json (~> 2.1)
       kramdown (~> 1.17)
       oga (~> 2.15)

diff --git a/dependency_spy.gemspec b/dependency_spy.gemspec
@@ -38,5 +38,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'bibliothecary', ['~> 6.3']
   spec.add_runtime_dependency 'semantic_range', ['~> 2.1']
   spec.add_runtime_dependency 'thor', ['~> 0.20']
-  spec.add_runtime_dependency 'yavdb', ['~> 0.1']
+  spec.add_runtime_dependency 'yavdb', ['~> 0.2']
 end
diff --git a/lib/dependency_spy.rb b/lib/dependency_spy.rb
@@ -28,15 +28,17 @@
 module DependencySpy
   class API
 
-    def self.check(path = Dir.pwd, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
+    def self.check(path = Dir.pwd, files = nil, platform = nil, database_path = YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
       unless File.exist?(database_path)
         puts 'Could not find local vulnerability database, going to download the database.'
         YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
       end
 
       path             = File.expand_path(path)
       package_managers = find_platform(platform)
-      file_list        = if File.file?(path)
+      file_list        = if !files.nil?
+                           files.split(',')
+                         elsif File.file?(path)
                            path = File.dirname(path)
                            [File.basename(path)]
                          else
@@ -61,9 +63,11 @@ def self.check(path = Dir.pwd, platform = nil, database_path = YAVDB::Constants:
             unaffected = vuln.unaffected_versions ? vuln.unaffected_versions.any? { |vu| DependencySpy::SemVer.intersects(vu, version) } : false
             patched    = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
 
-            vulnerable ||
-              (vuln.unaffected_versions&.any? && !unaffected) ||
-              (vuln.patched_versions&.any? && !patched)
+            if unaffected || patched
+              false
+            else
+              vulnerable
+            end
           end
 
           Dependency.new(package_name, version, type, vulnerabilities.uniq)

diff --git a/lib/dependency_spy/cli.rb b/lib/dependency_spy/cli.rb
@@ -40,13 +40,14 @@ class CLI < Thor
 
     desc('check', 'Check dependencies for known vulnerabilities')
     method_option('path', :aliases => :p, :type => :string, :default => Dir.pwd)
+    method_option('files', :type => :string)
     method_option('formatter', :aliases => :f, :type => :string, :enum => FORMATTERS.map { |f| f.name.split('::').last.downcase }, :default => FORMATTERS.first.name.split('::').last.downcase)
     method_option('platform', :aliases => :m, :type => :string, :enum => YAVDB::Constants::POSSIBLE_PACKAGE_MANAGERS.map(&:downcase))
     method_option('output-path', :aliases => :o, :type => :string)
     method_option('database-path', :type => :string, :aliases => :p, :default => YAVDB::Constants::DEFAULT_YAVDB_DATABASE_PATH)
 
     def check
-      manifests = API.check(options['path'], options['platform'], options['database-path'])
+      manifests = API.check(options['path'], options['files'], options['platform'], options['database-path'])
 
       formatted_output =
         FORMATTERS
@@ -58,6 +59,11 @@ def check
       else
         DependencySpy::Outputs::StdOut.write(formatted_output)
       end
+
+      has_vulnerabilities =
+        manifests.any? { |manifest| manifest.dependencies.any? { |dependency| dependency.vulnerabilities.any? } }
+
+      exit(1) if has_vulnerabilities
     end
 
     method_option('vuln-db-path', :aliases => :d, :type => :string, :default => YAVDB::Constants::DEFAULT_YAVDB_PATH)

diff --git a/lib/dependency_spy/version.rb b/lib/dependency_spy/version.rb
@@ -16,6 +16,6 @@
 
 module DependencySpy
 
-  VERSION = '0.1.4'
+  VERSION = '0.2.0'
 
 end
diff --git a/spec/dependency_spy_spec.rb b/spec/dependency_spy_spec.rb
@@ -47,7 +47,7 @@
       manifests       = detected_manifests.select { |m| m.platform == 'rubygems' }
       dependencies    = manifests.map(&:dependencies).flatten
       vulnerabilities = dependencies.map(&:vulnerabilities).flatten
-      expect(vulnerabilities).to have(11).items
+      expect(vulnerabilities).to have(3).items
     end
   end
 end