
Commit 9470c75

committed
Add vulnerability management commands
1 parent dbcd030 commit 9470c75


44 files changed

+5671
-153
lines changed

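--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,28 @@
+# git-pkgs textconv for lockfiles
+Brewfile.lock.json diff=pkgs
+Cargo.lock diff=pkgs
+Cartfile.resolved diff=pkgs
+Gemfile.lock diff=pkgs
+Gopkg.lock diff=pkgs
+Package.resolved diff=pkgs
+Pipfile.lock diff=pkgs
+Podfile.lock diff=pkgs
+Project.lock.json diff=pkgs
+bun.lock diff=pkgs
+composer.lock diff=pkgs
+gems.locked diff=pkgs
+glide.lock diff=pkgs
+go.mod diff=pkgs
+mix.lock diff=pkgs
+npm-shrinkwrap.json diff=pkgs
+package-lock.json diff=pkgs
+packages.lock.json diff=pkgs
+paket.lock diff=pkgs
+pnpm-lock.yaml diff=pkgs
+poetry.lock diff=pkgs
+project.assets.json diff=pkgs
+pubspec.lock diff=pkgs
+pylock.toml diff=pkgs
+shard.lock diff=pkgs
+uv.lock diff=pkgs
+yarn.lock diff=pkgs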
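Review bot: The `diff=pkgs` attribute applied to every lockfile in this new file only takes effect once a `pkgs` diff driver is defined in git config (`diff.pkgs.textconv`), and nothing in this file registers one, so on a fresh clone these files will diff as plain text unless another file in the commit or the README sets that up. Since .gitattributes is committed but git config is per-user, it would help to extend the header comment with the required setup, e.g. `# git-pkgs textconv for lockfiles; enable with: git config diff.pkgs.textconv "<git-pkgs textconv command>"` (placeholder for the actual command).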

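--- a/.ruby-version
+++ b/.ruby-version
@@ -0,0 +1 @@
+4.0.0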

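--- a/Gemfile
+++ b/Gemfile
@@ -5,11 +5,13 @@ source "https://rubygems.org"
 gemspec
 
 gem "ecosystems-bibliothecary", git: "https://github.com/ecosyste-ms/bibliothecary.git", require: "bibliothecary"
-# gem "ecosystems-bibliothecary", path: "/Users/andrew/code/ecosystems/bibliothecary", require: "bibliothecary"
+gem "sarif-ruby", git: "https://github.com/andrew/sarif.git", require: "sarif"
 gem "ostruct"
 
 gem "irb"
 gem "rake"
-gem "minitest"
 gem "benchmark"
-gem "simplecov"
+gem "minitest"
+gem "simplecov"
+gem "webmock"
+gem "json_schemer"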
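Review bot: The new `gem "sarif-ruby", git: "https://github.com/andrew/sarif.git", require: "sarif"` line follows the repository's default branch head rather than a fixed revision, so the manifest itself does not say which code is intended; only Gemfile.lock pins it, and the next `bundle update` will silently move it. Pin it at the manifest level with `ref:` (or a `tag:`) matching the lock, e.g. `gem "sarif-ruby", git: "https://github.com/andrew/sarif.git", ref: "48857dc7c3ffcadd2b48b57c96ded48848b5ab25", require: "sarif"`, so that taking new upstream code becomes a visible, reviewed change. The same applies to the existing `ecosystems-bibliothecary` git line in context. Separately, Gemfile.lock lists `sarif-ruby` among git-pkgs' own specs, which suggests the gemspec declares it as a runtime dependency; if so, installing git-pkgs from rubygems.org cannot resolve a git-only gem until sarif-ruby is published there.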

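--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,3 +1,9 @@
+GIT
+remote: https://github.com/andrew/sarif.git
+revision: 48857dc7c3ffcadd2b48b57c96ded48848b5ab25
+specs:
+sarif-ruby (0.1.0)
+
 GIT
 remote: https://github.com/ecosyste-ms/bibliothecary.git
 revision: f591866b2398af9fab378cf46dfcdaf2ffd2dec3
@@ -15,25 +21,40 @@ PATH
 specs:
 git-pkgs (0.6.2)
 ecosystems-bibliothecary (~> 15.1)
+purl (~> 1.7)
 rugged (~> 1.0)
+sarif-ruby
 sequel (>= 5.0)
 sqlite3 (>= 2.0)
+vers (~> 1.0)
 
 GEM
 remote: https://rubygems.org/
 specs:
+addressable (2.8.8)
+public_suffix (>= 2.0.2, < 8.0)
 benchmark (0.5.0)
 bigdecimal (4.0.1)
+crack (1.0.1)
+bigdecimal
+rexml
 csv (3.3.5)
 date (3.5.1)
 docile (1.4.1)
 erb (6.0.1)
+hana (1.3.7)
+hashdiff (1.2.1)
 io-console (0.8.2)
 irb (1.16.0)
 pp (>= 0.6.0)
 rdoc (>= 4.0.0)
 reline (>= 0.4.2)
 json (2.18.0)
+json_schemer (2.5.0)
+bigdecimal
+hana (~> 1.3)
+regexp_parser (~> 2.0)
+simpleidn (~> 0.2)
 minitest (6.0.1)
 prism (~> 1.5)
 ostruct (0.6.3)
@@ -46,14 +67,19 @@ GEM
 psych (5.3.1)
 date
 stringio
+public_suffix (7.0.2)
+purl (1.7.0)
+addressable (~> 2.8)
 racc (1.8.1)
 rake (13.3.1)
 rdoc (7.0.3)
 erb
 psych (>= 4.0.0)
 tsort
+regexp_parser (2.11.3)
 reline (0.6.3)
 io-console (~> 0.5)
+rexml (3.4.4)
 rugged (1.9.0)
 sequel (5.100.0)
 bigdecimal
@@ -63,6 +89,7 @@ GEM
 simplecov_json_formatter (~> 0.1)
 simplecov-html (0.13.2)
 simplecov_json_formatter (0.1.4)
+simpleidn (0.2.3)
 sqlite3 (2.9.0-aarch64-linux-gnu)
 sqlite3 (2.9.0-aarch64-linux-musl)
 sqlite3 (2.9.0-arm-linux-gnu)
@@ -76,6 +103,11 @@ GEM
 stringio (3.2.0)
 tomlrb (2.0.4)
 tsort (0.2.0)
+vers (1.0.2)
+webmock (3.26.1)
+addressable (>= 2.8.0)
+crack (>= 0.3.2)
+hashdiff (>= 0.4.0, < 2.0.0)
 
 PLATFORMS
 aarch64-linux-gnu
@@ -94,39 +126,53 @@ DEPENDENCIES
 ecosystems-bibliothecary!
 git-pkgs!
 irb
+json_schemer
 minitest
 ostruct
 rake
+sarif-ruby!
 simplecov
+webmock
 
 CHECKSUMS
+addressable (2.8.8) sha256=7c13b8f9536cf6364c03b9d417c19986019e28f7c00ac8132da4eb0fe393b057
 benchmark (0.5.0) sha256=465df122341aedcb81a2a24b4d3bd19b6c67c1530713fd533f3ff034e419236c
 bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7
+crack (1.0.1) sha256=ff4a10390cd31d66440b7524eb1841874db86201d5b70032028553130b6d4c7e
 csv (3.3.5) sha256=6e5134ac3383ef728b7f02725d9872934f523cb40b961479f69cf3afa6c8e73f
 date (3.5.1) sha256=750d06384d7b9c15d562c76291407d89e368dda4d4fff957eb94962d325a0dc0
 docile (1.4.1) sha256=96159be799bfa73cdb721b840e9802126e4e03dfc26863db73647204c727f21e
 ecosystems-bibliothecary (15.1.0)
 erb (6.0.1) sha256=28ecdd99c5472aebd5674d6061e3c6b0a45c049578b071e5a52c2a7f13c197e5
 git-pkgs (0.6.2)
+hana (1.3.7) sha256=5425db42d651fea08859811c29d20446f16af196308162894db208cac5ce9b0d
+hashdiff (1.2.1) sha256=9c079dbc513dfc8833ab59c0c2d8f230fa28499cc5efb4b8dd276cf931457cd1
 io-console (0.8.2) sha256=d6e3ae7a7cc7574f4b8893b4fca2162e57a825b223a177b7afa236c5ef9814cc
 irb (1.16.0) sha256=2abe56c9ac947cdcb2f150572904ba798c1e93c890c256f8429981a7675b0806
 json (2.18.0) sha256=b10506aee4183f5cf49e0efc48073d7b75843ce3782c68dbeb763351c08fd505
+json_schemer (2.5.0) sha256=2f01fb4cce721a4e08dd068fc2030cffd0702a7f333f1ea2be6e8991f00ae396
 minitest (6.0.1) sha256=7854c74f48e2e975969062833adc4013f249a4b212f5e7b9d5c040bf838d54bb
 ostruct (0.6.3) sha256=95a2ed4a4bd1d190784e666b47b2d3f078e4a9efda2fccf18f84ddc6538ed912
 ox (2.14.23) sha256=4a9aedb4d6c78c5ebac1d7287dc7cc6808e14a8831d7adb727438f6a1b461b66
 pp (0.6.3) sha256=2951d514450b93ccfeb1df7d021cae0da16e0a7f95ee1e2273719669d0ab9df6
 prettyprint (0.2.0) sha256=2bc9e15581a94742064a3cc8b0fb9d45aae3d03a1baa6ef80922627a0766f193
 prism (1.7.0) sha256=10062f734bf7985c8424c44fac382ac04a58124ea3d220ec3ba9fe4f2da65103
 psych (5.3.1) sha256=eb7a57cef10c9d70173ff74e739d843ac3b2c019a003de48447b2963d81b1974
+public_suffix (7.0.2) sha256=9114090c8e4e7135c1fd0e7acfea33afaab38101884320c65aaa0ffb8e26a857
+purl (1.7.0) sha256=e25a6b951975e94104a17d8d40e8529fa882a5a63717c68af2390e9b8d0ac3f2
 racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
 rake (13.3.1) sha256=8c9e89d09f66a26a01264e7e3480ec0607f0c497a861ef16063604b1b08eb19c
 rdoc (7.0.3) sha256=dfe3d0981d19b7bba71d9dbaeb57c9f4e3a7a4103162148a559c4fc687ea81f9
+regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4
 reline (0.6.3) sha256=1198b04973565b36ec0f11542ab3f5cfeeec34823f4e54cebde90968092b1835
+rexml (3.4.4) sha256=19e0a2c3425dfbf2d4fc1189747bdb2f849b6c5e74180401b15734bc97b5d142
 rugged (1.9.0) sha256=7faaa912c5888d6e348d20fa31209b6409f1574346b1b80e309dbc7e8d63efac
+sarif-ruby (0.1.0)
 sequel (5.100.0) sha256=cb0329b62287a01db68eead46759c14497a3fae01b174e2c41da108a9e9b4a12
 simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5
 simplecov-html (0.13.2) sha256=bd0b8e54e7c2d7685927e8d6286466359b6f16b18cb0df47b508e8d73c777246
 simplecov_json_formatter (0.1.4) sha256=529418fbe8de1713ac2b2d612aa3daa56d316975d307244399fa4838c601b428
+simpleidn (0.2.3) sha256=08ce96f03fa1605286be22651ba0fc9c0b2d6272c9b27a260bc88be05b0d2c29
 sqlite3 (2.9.0-aarch64-linux-gnu) sha256=cfe1e0216f46d7483839719bf827129151e6c680317b99d7b8fc1597a3e13473
 sqlite3 (2.9.0-aarch64-linux-musl) sha256=56a35cb2d70779afc2ac191baf2c2148242285ecfed72f9b021218c5c4917913
 sqlite3 (2.9.0-arm-linux-gnu) sha256=a19a21504b0d7c8c825fbbf37b358ae316b6bd0d0134c619874060b2eef05435
@@ -140,6 +186,8 @@ CHECKSUMS
 stringio (3.2.0) sha256=c37cb2e58b4ffbd33fe5cd948c05934af997b36e0b6ca6fdf43afa234cf222e1
 tomlrb (2.0.4) sha256=262f77947ac3ac9b3366a0a5940ecd238300c553e2e14f22009e2afcd2181b99
 tsort (0.2.0) sha256=9650a793f6859a43b6641671278f79cfead60ac714148aabe4e3f0060480089f
+vers (1.0.2) sha256=0ea9a63acbe1f197268c7da93f0708a4fc99bd88d86aa49dccf5b1b8d4c68de5
+webmock (3.26.1) sha256=4f696fb57c90a827c20aadb2d4f9058bbff10f7f043bd0d4c3f58791143b1cd7
 
 BUNDLED WITH
 4.0.3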

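--- a/README.md
+++ b/README.md
@@ -243,6 +243,18 @@ git pkgs outdated # alias for stale
 
 Shows dependencies sorted by how long since they were last changed in your repo. Useful for finding packages that may have been forgotten or need review.
 
+### Vulnerability scanning
+
+```bash
+git pkgs vulns # scan current dependencies for known CVEs
+git pkgs vulns -s high # only critical and high severity
+git pkgs vulns blame # who introduced each vulnerability
+git pkgs vulns praise # who fixed vulnerabilities
+git pkgs vulns exposure --all-time --summary # remediation metrics
+```
+
+Uses the [OSV database](https://osv.dev) to check your dependencies against known security advisories. Because git-pkgs tracks the full history, it can show who introduced and fixed each vulnerability. See [docs/vulns.md](docs/vulns.md) for full documentation.
+
 ### Diff between commits
 
 ```bash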
