feature: Log ignored vulnerabilities

Move some logs under verbose flag Update the tests
rtfpessoa · Jul 3, 2019 · f0d6625 · f0d6625
1 parent d0015ba
commit f0d6625
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 34 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    dependency_spy (0.4.1)
+    dependency_spy (0.5.0)
       bibliothecary (~> 6.6)
       colorize (= 0.8.1)
       semantic_range (~> 2.2)
@@ -13,12 +13,14 @@ GEM
   specs:
     ansi (1.5.0)
     ast (2.4.0)
-    bibliothecary (6.6.0)
+    bibliothecary (6.7.3)
       commander
       deb_control
       librariesio-gem-parser
       ox (>= 2.8.1)
       sdl4r
+      strings
+      strings-ansi
       toml-rb (~> 1.0)
       typhoeus
     citrus (3.0.2)
@@ -29,21 +31,21 @@ GEM
       highline (~> 2.0.0)
     deb_control (0.0.1)
     diff-lcs (1.3)
-    docile (1.3.1)
+    docile (1.3.2)
     ethon (0.12.0)
       ffi (>= 1.3.0)
     execjs (2.7.0)
-    ffi (1.11.0)
+    ffi (1.11.1)
     highline (2.0.2)
-    jaro_winkler (1.5.2)
+    jaro_winkler (1.5.3)
     json (2.2.0)
-    kramdown (1.17.0)
+    kramdown (2.1.0)
     librariesio-gem-parser (1.0.0)
     libv8 (3.16.14.19-x86_64-linux)
     oga (2.15)
       ast
       ruby-ll (~> 2.1)
-    ox (2.10.0)
+    ox (2.11.0)
     parallel (1.17.0)
     parser (2.6.3.0)
       ast (~> 2.4.0)
@@ -56,16 +58,16 @@ GEM
       rspec-mocks (~> 3.8.0)
     rspec-collection_matchers (1.1.3)
       rspec-expectations (>= 2.99.0.beta1)
-    rspec-core (3.8.0)
+    rspec-core (3.8.2)
       rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.3)
+    rspec-expectations (3.8.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+    rspec-mocks (3.8.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
-    rubocop (0.69.0)
+    rspec-support (3.8.2)
+    rubocop (0.72.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.6)
@@ -77,15 +79,20 @@ GEM
     ruby-ll (2.1.2)
       ansi
       ast
-    ruby-progressbar (1.10.0)
+    ruby-progressbar (1.10.1)
     sdl4r (0.9.11)
     semantic_interval (0.1.0)
     semantic_range (2.2.1)
-    simplecov (0.16.1)
+    simplecov (0.17.0)
       docile (~> 1.1)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
+    strings (0.1.5)
+      strings-ansi (~> 0.1)
+      unicode-display_width (~> 1.5)
+      unicode_utils (~> 1.4)
+    strings-ansi (0.1.0)
     therubyracer (0.12.3)
       libv8 (~> 3.16.14.15)
       ref
@@ -95,10 +102,11 @@ GEM
     typhoeus (1.3.1)
       ethon (>= 0.9.0)
     unicode-display_width (1.6.0)
-    yavdb (0.5.1)
-      execjs (~> 2.7.0)
-      json (~> 2.1)
-      kramdown (~> 1.17)
+    unicode_utils (1.4.0)
+    yavdb (0.5.2)
+      execjs (~> 2.7)
+      json (~> 2.2)
+      kramdown (~> 2.1)
       oga (~> 2.15)
       semantic_interval (~> 0.1)
       therubyracer (~> 0.12)

diff --git a/lib/dependency_spy.rb b/lib/dependency_spy.rb
@@ -29,6 +29,7 @@ module DependencySpy
   class API
 
     def self.check(options)
+      verbose = options[:verbose]
       path = options[:path] || Dir.pwd
       files = options[:files]
       platform = options[:platform]
@@ -40,7 +41,7 @@ def self.check(options)
         puts 'No local database found. Cannot obtain database since offline mode is enabled.'
         exit(10)
       elsif !offline
-        puts 'Going to update the local vulnerability database.'
+        puts 'Going to update the local vulnerability database.' if verbose
         YAVDB::API.download_database(false, YAVDB::Constants::DEFAULT_YAVDB_PATH)
       end
 
@@ -73,7 +74,10 @@ def self.check(options)
             patched    = vuln.patched_versions ? vuln.patched_versions.any? { |vp| DependencySpy::SemVer.intersects(vp, version) } : false
             ignored    = ignore.include?(vuln.id)
 
-            if unaffected || patched || ignored
+            if unaffected || patched
+              false
+            elsif ignored
+              puts "Skipping ignored vulnerability with #{vuln.id}." if verbose
               false
             else
               vulnerable

diff --git a/lib/dependency_spy/formatters/json.rb b/lib/dependency_spy/formatters/json.rb
@@ -29,7 +29,7 @@ def self.format(manifests)
 
         filtered_manifests
           .reject { |m| m[:dependencies].nil? }
-          .map(&:to_json)
+          .to_json
       end
 
     end

diff --git a/lib/dependency_spy/formatters/text.rb b/lib/dependency_spy/formatters/text.rb
@@ -28,13 +28,15 @@ def self.format(manifests, severity_threshold = nil)
 
             package_header = "    Vulnerable: #{package.name}/#{package.type}:#{package.version}"
             package_body = package.vulnerabilities.map do |vuln|
-              first = "        Title: #{vuln.title}\n"
-              second = "        Severity: #{(vuln.severity || 'unknown').capitalize}\n"
-              third = "        Source: #{vuln.source_url}\n\n"
+              body = ''
+              body += "        Title: #{vuln.title}\n"
+              body += "        Severity: #{(vuln.severity || 'unknown').capitalize}\n"
+              body += "        Source: #{vuln.source_url}\n"
+              body += "        Identifier: #{vuln.id}\n\n"
               if severity_threshold && DependencySpy::Helper.severity_above_threshold?(vuln.severity, severity_threshold)
-                "#{first}#{second}#{third}".red
+                body.red
               else
-                "#{first}#{second}#{third}"
+                body
               end
             end
 

diff --git a/lib/dependency_spy/formatters/yaml.rb b/lib/dependency_spy/formatters/yaml.rb
@@ -29,7 +29,7 @@ def self.format(manifests)
 
         filtered_manifests
           .reject { |m| m[:dependencies].nil? }
-          .map(&:to_json)
+          .to_yaml
       end
 
     end

diff --git a/lib/dependency_spy/version.rb b/lib/dependency_spy/version.rb
@@ -16,6 +16,6 @@
 
 module DependencySpy
 
-  VERSION = '0.4.1'
+  VERSION = '0.5.0'
 
 end
diff --git a/spec/dependency_spy_spec.rb b/spec/dependency_spy_spec.rb
@@ -34,7 +34,7 @@
       manifests       = detected_manifests.select { |m| m.platform == 'npm' }
       dependencies    = manifests.map(&:dependencies).flatten
       vulnerabilities = dependencies.map(&:vulnerabilities).flatten
-      expect(vulnerabilities).to have(118).items
+      expect(vulnerabilities).to have(121).items
     end
 
     it 'can read all dependencies for rubygems manifest' do
@@ -54,15 +54,15 @@
       manifests       = detected_manifests.select { |m| m.platform == 'rubygems' }
       dependencies    = manifests.map(&:dependencies).flatten
       vulnerabilities = dependencies.map(&:vulnerabilities).flatten
-      select_count = vulnerabilities.select { |v| v.id == 'snykio:rubygems:rubocop:CVE-2017-8418' }.count
-      expect(select_count).to be(1)
+      select_count = vulnerabilities.select { |v| v.id == 'snykio:rubygems:rubocop:20447' }.count
+      expect(select_count).to eq(1)
 
-      filtered_detected_manifests = DependencySpy::API.check(:path => 'examples', :ignore => ['snykio:rubygems:rubocop:CVE-2017-8418'])
+      filtered_detected_manifests = DependencySpy::API.check(:path => 'examples', :ignore => ['snykio:rubygems:rubocop:20447'])
       manifests       = filtered_detected_manifests.select { |m| m.platform == 'rubygems' }
       dependencies    = manifests.map(&:dependencies).flatten
       vulnerabilities = dependencies.map(&:vulnerabilities).flatten
-      select_count = vulnerabilities.select { |v| v.id == 'snykio:rubygems:rubocop:CVE-2017-8418' }.count
-      expect(select_count).to be(0)
+      select_count = vulnerabilities.select { |v| v.id == 'snykio:rubygems:rubocop:20447' }.count
+      expect(select_count).to eq(0)
     end
   end
 end