diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..cf4ae55 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,28 @@ +# git-pkgs textconv for lockfiles +Brewfile.lock.json diff=pkgs +Cargo.lock diff=pkgs +Cartfile.resolved diff=pkgs +Gemfile.lock diff=pkgs +Gopkg.lock diff=pkgs +Package.resolved diff=pkgs +Pipfile.lock diff=pkgs +Podfile.lock diff=pkgs +Project.lock.json diff=pkgs +bun.lock diff=pkgs +composer.lock diff=pkgs +gems.locked diff=pkgs +glide.lock diff=pkgs +go.mod diff=pkgs +mix.lock diff=pkgs +npm-shrinkwrap.json diff=pkgs +package-lock.json diff=pkgs +packages.lock.json diff=pkgs +paket.lock diff=pkgs +pnpm-lock.yaml diff=pkgs +poetry.lock diff=pkgs +project.assets.json diff=pkgs +pubspec.lock diff=pkgs +pylock.toml diff=pkgs +shard.lock diff=pkgs +uv.lock diff=pkgs +yarn.lock diff=pkgs diff --git a/.ruby-version b/.ruby-version index 0c89fc9..fcdb2e1 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -4.0.0 \ No newline at end of file +4.0.0 diff --git a/Gemfile b/Gemfile index 7872d0e..78fa68d 100644 --- a/Gemfile +++ b/Gemfile @@ -7,6 +7,7 @@ gemspec group :development do # gem "ecosystems-bibliothecary", git: "https://github.com/ecosyste-ms/bibliothecary.git", require: "bibliothecary" # gem "ecosystems-bibliothecary", path: "../ecosystems/bibliothecary", require: "bibliothecary" + gem "sarif-ruby", git: "https://github.com/andrew/sarif.git", require: "sarif" gem "ostruct" gem "irb" @@ -14,4 +15,6 @@ group :development do gem "minitest" gem "benchmark" gem "simplecov" -end \ No newline at end of file + gem "webmock" + gem "json_schemer" +end diff --git a/Gemfile.lock b/Gemfile.lock index 471137c..3c3c52e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,17 +1,31 @@ +GIT + remote: https://github.com/andrew/sarif.git + revision: 48857dc7c3ffcadd2b48b57c96ded48848b5ab25 + specs: + sarif-ruby (0.1.0) + PATH remote: . specs: git-pkgs (0.6.2) ecosystems-bibliothecary (~> 15.2) + purl (~> 1.7) rugged (~> 1.0) + sarif-ruby sequel (>= 5.0) sqlite3 (>= 2.0) + vers (~> 1.0) GEM remote: https://rubygems.org/ specs: + addressable (2.8.8) + public_suffix (>= 2.0.2, < 8.0) benchmark (0.5.0) bigdecimal (4.0.1) + crack (1.0.1) + bigdecimal + rexml csv (3.3.5) date (3.5.1) docile (1.4.1) @@ -23,12 +37,19 @@ GEM racc tomlrb (~> 2.0) erb (6.0.1) + hana (1.3.7) + hashdiff (1.2.1) io-console (0.8.2) irb (1.16.0) pp (>= 0.6.0) rdoc (>= 4.0.0) reline (>= 0.4.2) json (2.18.0) + json_schemer (2.5.0) + bigdecimal + hana (~> 1.3) + regexp_parser (~> 2.0) + simpleidn (~> 0.2) minitest (6.0.1) prism (~> 1.5) ostruct (0.6.3) @@ -41,14 +62,19 @@ GEM psych (5.3.1) date stringio + public_suffix (7.0.2) + purl (1.7.0) + addressable (~> 2.8) racc (1.8.1) rake (13.3.1) rdoc (7.0.3) erb psych (>= 4.0.0) tsort + regexp_parser (2.11.3) reline (0.6.3) io-console (~> 0.5) + rexml (3.4.4) rugged (1.9.0) sequel (5.100.0) bigdecimal @@ -58,6 +84,7 @@ GEM simplecov_json_formatter (~> 0.1) simplecov-html (0.13.2) simplecov_json_formatter (0.1.4) + simpleidn (0.2.3) sqlite3 (2.9.0-aarch64-linux-gnu) sqlite3 (2.9.0-aarch64-linux-musl) sqlite3 (2.9.0-arm-linux-gnu) @@ -71,6 +98,11 @@ GEM stringio (3.2.0) tomlrb (2.0.4) tsort (0.2.0) + vers (1.0.2) + webmock (3.26.1) + addressable (>= 2.8.0) + crack (>= 0.3.2) + hashdiff (>= 0.4.0, < 2.0.0) PLATFORMS aarch64-linux-gnu @@ -88,23 +120,31 @@ DEPENDENCIES benchmark git-pkgs! irb + json_schemer minitest ostruct rake + sarif-ruby! 
simplecov + webmock CHECKSUMS + addressable (2.8.8) sha256=7c13b8f9536cf6364c03b9d417c19986019e28f7c00ac8132da4eb0fe393b057 benchmark (0.5.0) sha256=465df122341aedcb81a2a24b4d3bd19b6c67c1530713fd533f3ff034e419236c bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7 + crack (1.0.1) sha256=ff4a10390cd31d66440b7524eb1841874db86201d5b70032028553130b6d4c7e csv (3.3.5) sha256=6e5134ac3383ef728b7f02725d9872934f523cb40b961479f69cf3afa6c8e73f date (3.5.1) sha256=750d06384d7b9c15d562c76291407d89e368dda4d4fff957eb94962d325a0dc0 docile (1.4.1) sha256=96159be799bfa73cdb721b840e9802126e4e03dfc26863db73647204c727f21e ecosystems-bibliothecary (15.2.0) sha256=bef81a0175f8bdf1d61938d5d5d32e226ec4ff44a54d5d5d34faea663ed67a24 erb (6.0.1) sha256=28ecdd99c5472aebd5674d6061e3c6b0a45c049578b071e5a52c2a7f13c197e5 git-pkgs (0.6.2) + hana (1.3.7) sha256=5425db42d651fea08859811c29d20446f16af196308162894db208cac5ce9b0d + hashdiff (1.2.1) sha256=9c079dbc513dfc8833ab59c0c2d8f230fa28499cc5efb4b8dd276cf931457cd1 io-console (0.8.2) sha256=d6e3ae7a7cc7574f4b8893b4fca2162e57a825b223a177b7afa236c5ef9814cc irb (1.16.0) sha256=2abe56c9ac947cdcb2f150572904ba798c1e93c890c256f8429981a7675b0806 json (2.18.0) sha256=b10506aee4183f5cf49e0efc48073d7b75843ce3782c68dbeb763351c08fd505 + json_schemer (2.5.0) sha256=2f01fb4cce721a4e08dd068fc2030cffd0702a7f333f1ea2be6e8991f00ae396 minitest (6.0.1) sha256=7854c74f48e2e975969062833adc4013f249a4b212f5e7b9d5c040bf838d54bb ostruct (0.6.3) sha256=95a2ed4a4bd1d190784e666b47b2d3f078e4a9efda2fccf18f84ddc6538ed912 ox (2.14.23) sha256=4a9aedb4d6c78c5ebac1d7287dc7cc6808e14a8831d7adb727438f6a1b461b66 @@ -112,15 +152,21 @@ CHECKSUMS prettyprint (0.2.0) sha256=2bc9e15581a94742064a3cc8b0fb9d45aae3d03a1baa6ef80922627a0766f193 prism (1.7.0) sha256=10062f734bf7985c8424c44fac382ac04a58124ea3d220ec3ba9fe4f2da65103 psych (5.3.1) sha256=eb7a57cef10c9d70173ff74e739d843ac3b2c019a003de48447b2963d81b1974 + public_suffix (7.0.2) sha256=9114090c8e4e7135c1fd0e7acfea33afaab38101884320c65aaa0ffb8e26a857 + purl (1.7.0) sha256=e25a6b951975e94104a17d8d40e8529fa882a5a63717c68af2390e9b8d0ac3f2 racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f rake (13.3.1) sha256=8c9e89d09f66a26a01264e7e3480ec0607f0c497a861ef16063604b1b08eb19c rdoc (7.0.3) sha256=dfe3d0981d19b7bba71d9dbaeb57c9f4e3a7a4103162148a559c4fc687ea81f9 + regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4 reline (0.6.3) sha256=1198b04973565b36ec0f11542ab3f5cfeeec34823f4e54cebde90968092b1835 + rexml (3.4.4) sha256=19e0a2c3425dfbf2d4fc1189747bdb2f849b6c5e74180401b15734bc97b5d142 rugged (1.9.0) sha256=7faaa912c5888d6e348d20fa31209b6409f1574346b1b80e309dbc7e8d63efac + sarif-ruby (0.1.0) sequel (5.100.0) sha256=cb0329b62287a01db68eead46759c14497a3fae01b174e2c41da108a9e9b4a12 simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5 simplecov-html (0.13.2) sha256=bd0b8e54e7c2d7685927e8d6286466359b6f16b18cb0df47b508e8d73c777246 simplecov_json_formatter (0.1.4) sha256=529418fbe8de1713ac2b2d612aa3daa56d316975d307244399fa4838c601b428 + simpleidn (0.2.3) sha256=08ce96f03fa1605286be22651ba0fc9c0b2d6272c9b27a260bc88be05b0d2c29 sqlite3 (2.9.0-aarch64-linux-gnu) sha256=cfe1e0216f46d7483839719bf827129151e6c680317b99d7b8fc1597a3e13473 sqlite3 (2.9.0-aarch64-linux-musl) sha256=56a35cb2d70779afc2ac191baf2c2148242285ecfed72f9b021218c5c4917913 sqlite3 (2.9.0-arm-linux-gnu) 
sha256=a19a21504b0d7c8c825fbbf37b358ae316b6bd0d0134c619874060b2eef05435 @@ -134,6 +180,8 @@ CHECKSUMS stringio (3.2.0) sha256=c37cb2e58b4ffbd33fe5cd948c05934af997b36e0b6ca6fdf43afa234cf222e1 tomlrb (2.0.4) sha256=262f77947ac3ac9b3366a0a5940ecd238300c553e2e14f22009e2afcd2181b99 tsort (0.2.0) sha256=9650a793f6859a43b6641671278f79cfead60ac714148aabe4e3f0060480089f + vers (1.0.2) sha256=0ea9a63acbe1f197268c7da93f0708a4fc99bd88d86aa49dccf5b1b8d4c68de5 + webmock (3.26.1) sha256=4f696fb57c90a827c20aadb2d4f9058bbff10f7f043bd0d4c3f58791143b1cd7 BUNDLED WITH 4.0.3 diff --git a/README.md b/README.md index bb792bb..5e464d6 100644 --- a/README.md +++ b/README.md @@ -259,6 +259,18 @@ git pkgs outdated # alias for stale Shows dependencies sorted by how long since they were last changed in your repo. Useful for finding packages that may have been forgotten or need review. +### Vulnerability scanning + +```bash +git pkgs vulns # scan current dependencies for known CVEs +git pkgs vulns -s high # only critical and high severity +git pkgs vulns blame # who introduced each vulnerability +git pkgs vulns praise # who fixed vulnerabilities +git pkgs vulns exposure --all-time --summary # remediation metrics +``` + +Uses the [OSV database](https://osv.dev) to check your dependencies against known security advisories. Because git-pkgs tracks the full history, it can show who introduced and fixed each vulnerability. See [docs/vulns.md](docs/vulns.md) for full documentation. + ### Diff between commits ```bash diff --git a/docs/README.md b/docs/README.md index 6f302d5..d905958 100644 --- a/docs/README.md +++ b/docs/README.md @@ -4,6 +4,7 @@ Technical documentation for git-pkgs maintainers and contributors. - [internals.md](internals.md) - Architecture overview, how commands work, key algorithms - [schema.md](schema.md) - Database tables and relationships +- [vulns.md](vulns.md) - Vulnerability scanning commands and OSV integration - [benchmarking.md](benchmarking.md) - Performance profiling tools For user-facing documentation, see the main [README](../README.md). diff --git a/docs/vulns.md b/docs/vulns.md new file mode 100644 index 0000000..1290f7a --- /dev/null +++ b/docs/vulns.md @@ -0,0 +1,324 @@ +# Vulnerability Scanning + +git-pkgs can scan your dependencies for known vulnerabilities using the OSV (Open Source Vulnerabilities) database. Because git-pkgs already tracks the full history of every dependency change, it can provide context that static scanners can't: who introduced a vulnerability, when, and why. + +## Basic Usage + +Scan dependencies at HEAD: + +``` +$ git pkgs vulns +CRITICAL CVE-2024-1234 lodash 4.17.15 (fixed in 4.17.21) +HIGH GHSA-xxxx express 4.18.0 (fixed in 4.18.2) +``` + +Scan at a specific commit, tag, or branch: + +``` +$ git pkgs vulns v1.0.0 +$ git pkgs vulns abc1234 +$ git pkgs vulns HEAD~10 +$ git pkgs vulns main +``` + +## Options + +``` +-e, --ecosystem=NAME Filter by ecosystem (npm, rubygems, pypi, etc.) 
+-s, --severity=LEVEL Minimum severity (critical, high, medium, low) +-f, --format=FORMAT Output format (text, json, sarif) +-b, --branch=NAME Branch context for database queries + --stateless Parse manifests directly without database + --no-pager Do not pipe output into a pager +``` + +## Examples + +Show only critical and high severity: + +``` +$ git pkgs vulns -s high +``` + +Scan only npm packages: + +``` +$ git pkgs vulns -e npm +``` + +JSON output for CI/CD pipelines: + +``` +$ git pkgs vulns -f json +``` + +SARIF output for GitHub code scanning and other security tools: + +``` +$ git pkgs vulns -f sarif > results.sarif +``` + +SARIF (Static Analysis Results Interchange Format) is supported by GitHub Advanced Security, VS Code, and many CI/CD platforms. Upload to GitHub code scanning: + +```yaml +- run: git pkgs vulns --stateless -f sarif > results.sarif +- uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif +``` + +Compare vulnerabilities between releases: + +``` +$ git pkgs vulns v1.0.0 +$ git pkgs vulns v2.0.0 +``` + +## Subcommands + +### blame + +Show who introduced each vulnerability. When a commit was authored by a bot (like dependabot) but has a `Co-authored-by` trailer, the human co-author is shown instead: + +``` +$ git pkgs vulns blame +CRITICAL CVE-2024-1234 lodash 4.17.15 abc1234 2024-03-15 Alice "Add utility helpers" +HIGH GHSA-xxxx express 4.18.0 def5678 2024-02-01 Bob "Bump express" +``` + +Show all historical vulnerability introductions (including fixed ones): + +``` +$ git pkgs vulns blame --all-time +CRITICAL CVE-2024-1234 lodash 4.17.15 abc1234 2024-03-15 Alice "Add utility helpers" [fixed] +HIGH GHSA-xxxx express 4.18.0 def5678 2024-02-01 [bot] "Bump express" [ongoing] +``` + +Options: `-e`, `-s`, `-b`, `-f`, `--all-time` + +### praise + +Show who fixed vulnerabilities (the opposite of blame): + +``` +$ git pkgs vulns praise +CRITICAL CVE-2024-1234 lodash ghi9012 2024-04-01 Bob "Bump lodash" (12d after disclosure) +HIGH GHSA-yyyy express jkl3456 2024-03-10 Alice "Update express" (5d after disclosure) +``` + +Show author leaderboard: + +``` +$ git pkgs vulns praise --summary +Author Fixes Avg Days Critical High Medium Low +------------------------------------------------------------------------- +dependabot[bot] 104 175.4d 6 33 53 12 +Andrew Nesbitt 88 8.8d 9 25 45 9 +dependabot-preview[bot] 27 24.0d 3 12 11 1 +``` + +Options: `-e`, `-s`, `-b`, `-f`, `--summary` + +### exposure + +Calculate exposure windows and remediation metrics for CRA compliance: + +``` +$ git pkgs vulns exposure --summary ++----------------------------------+ +| Total vulnerabilities | 5 | +| Fixed | 3 | +| Ongoing | 2 | +| Median remediation | 8 days | +| Mean remediation | 14 days | +| Oldest unpatched | 45 days | +| Critical (avg) | 3.0 days | +| High (avg) | 12 days | ++----------------------------------+ +``` + +Full table output: + +``` +$ git pkgs vulns exposure +Package CVE Introduced Fixed Exposed Post-Disclosure +lodash CVE-2024-1234 2023-01-10 2024-04-01 447d 12d +express GHSA-xxxx 2024-02-01 - ongoing 45d (ongoing) + ++----------------------------------+ +| Total vulnerabilities | 2 | +... 
+``` + +Show all-time stats for all historical vulnerabilities: + +``` +$ git pkgs vulns exposure --all-time --summary ++----------------------------------+ +| Total vulnerabilities | 238 | +| Fixed | 234 | +| Ongoing | 4 | +| Median remediation | 0 days | +| Mean remediation | 2.5 days | +| Oldest unpatched | 94 days | +| Critical (avg) | 0.1 days | +| High (avg) | 2.2 days | ++----------------------------------+ +``` + +Options: `-e`, `-s`, `-b`, `-f`, `--summary`, `--all-time` + +### diff + +Compare vulnerability state between two commits: + +``` +$ git pkgs vulns diff main feature-branch ++CRITICAL CVE-2024-1234 lodash 4.17.15 (introduced in feature-branch) +-HIGH GHSA-yyyy express 4.17.0 (fixed in feature-branch) + +$ git pkgs vulns diff v1.0.0 v2.0.0 +$ git pkgs vulns diff HEAD~10 +``` + +Options: `-e`, `-s`, `-b`, `-f` + +### log + +Show commits that introduced or fixed vulnerabilities: + +``` +$ git pkgs vulns log +abc1234 2024-03-15 Alice "Add utility helpers" +CVE-2024-1234 +bcd2345 2024-02-20 Bob "Security: update async" -CVE-2023-9999 +def5678 2024-02-01 [bot] "Bump express" +GHSA-xxxx + +$ git pkgs vulns log --introduced # Only show introductions +$ git pkgs vulns log --fixed # Only show fixes +$ git pkgs vulns log --since="2024-01-01" +$ git pkgs vulns log --author=dependabot +``` + +Options: `-e`, `-s`, `-b`, `-f`, `--since`, `--until`, `--author`, `--introduced`, `--fixed` + +### history + +Show vulnerability timeline for a specific package or CVE: + +``` +$ git pkgs vulns history lodash +History for lodash + +2023-01-10 Added lodash 4.17.10 (vulnerable to CVE-2024-1234) abc1234 Alice +2023-06-15 Modified lodash 4.17.15 (vulnerable to CVE-2024-1234) def5678 [bot] +2024-03-20 CVE-2024-1234 published (critical severity) +2024-04-01 Modified lodash 4.17.21 ghi9012 Bob + +$ git pkgs vulns history CVE-2024-1234 +$ git pkgs vulns history --since="2023-01-01" +``` + +Options: `-e`, `-f`, `--since`, `--until` + +### show + +Show details about a specific CVE: + +``` +$ git pkgs vulns show CVE-2024-1234 +CVE-2024-1234 (critical severity) +Prototype Pollution in lodash + +Affected packages: + npm/lodash: >=0 <4.17.21 (fixed in 4.17.21) + +Published: 2024-03-20 + +References: + https://nvd.nist.gov/vuln/detail/CVE-2024-1234 + https://github.com/lodash/lodash/issues/4744 + +Your exposure: + lodash 4.17.15 in package-lock.json + Added: abc1234 2024-03-15 Alice "Add utility helpers" + Fixed: ghi9012 2024-04-01 Bob "Bump lodash for CVE-2024-1234" +``` + +Options: `-f`, `-b` + +## Syncing Vulnerability Data + +The vulns command automatically fetches vulnerability data from OSV for any packages that haven't been checked recently (within 24 hours). To manually sync or force a refresh: + +``` +$ git pkgs vulns sync # Sync stale packages +$ git pkgs vulns sync --refresh # Force refresh all packages (updates severity data too) +``` + +The sync command is useful when you want to update cached vulnerability data without running a scan. Use `--refresh` to re-fetch full vulnerability details, which updates severity levels and other metadata that may have changed since the initial fetch. 
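+
+For example, you can refresh the cache once and then run several scans against it without re-querying OSV (a sketch using only the commands documented on this page):
+
+```
+$ git pkgs vulns sync --refresh
+$ git pkgs vulns -s high
+$ git pkgs vulns blame
+```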
+
+## Supported Ecosystems
+
+The vulns command supports ecosystems with lockfiles, or manifests that record exact versions:
+
+| Ecosystem   | Lockfile Examples                |
+|-------------|----------------------------------|
+| npm         | package-lock.json, yarn.lock     |
+| rubygems    | Gemfile.lock                     |
+| pypi        | Pipfile.lock, poetry.lock        |
+| cargo       | Cargo.lock                       |
+| go          | go.sum                           |
+| maven       | pom.xml (with versions)          |
+| nuget       | packages.lock.json               |
+| packagist   | composer.lock                    |
+| hex         | mix.lock                         |
+| pub         | pubspec.lock                     |
+
+## Data Source
+
+Vulnerability data comes from the [OSV database](https://osv.dev), which aggregates security advisories from:
+
+- GitHub Security Advisories (GHSA)
+- National Vulnerability Database (CVE)
+- RustSec (Rust)
+- PyPI Advisory Database
+- Go Vulnerability Database
+- And many more
+
+## Stateless Mode
+
+By default, the vulns command uses the git-pkgs database for faster queries. If the database doesn't exist, it falls back to stateless mode automatically.
+
+Force stateless mode (useful in CI):
+
+```
+$ git pkgs vulns --stateless
+```
+
+Stateless mode parses manifest files directly from git, which works without running `git pkgs init` first but provides no historical context.
+
+## Caching
+
+Vulnerability data is cached in the pkgs.sqlite3 database to avoid repeated API calls. Each package tracks when its vulnerabilities were last fetched. Packages are automatically refreshed if their data is more than 24 hours old.
+
+The cache stores:
+- **vulnerabilities**: Core CVE/GHSA data (severity, summary, published date)
+- **vulnerability_packages**: Which packages are affected by each vulnerability
+- **packages**: Metadata including when vulnerabilities were last synced
+
+## Exit Codes
+
+- 0: Scan completed (regardless of whether vulnerabilities were found)
+
+Use `--format=json` and parse the output for CI checks that need to fail on vulnerabilities.
+
+## How It Works
+
+1. Get dependencies at the specified commit (from database snapshots or by parsing manifests)
+2. Filter to ecosystems with OSV support
+3. Check which packages need vulnerability data refreshed (never synced or >24h old)
+4. Query the OSV API in batch for packages needing refresh
+5. Store vulnerability data in the local cache
+6. Match vulnerability version ranges against your resolved versions using the `vers` gem
+7. Exclude withdrawn vulnerabilities
+8.
Display results sorted by severity diff --git a/git-pkgs.gemspec b/git-pkgs.gemspec index b67f5c0..c48e5cb 100644 --- a/git-pkgs.gemspec +++ b/git-pkgs.gemspec @@ -35,4 +35,7 @@ Gem::Specification.new do |spec| spec.add_dependency "sequel", ">= 5.0" spec.add_dependency "sqlite3", ">= 2.0" spec.add_dependency "ecosystems-bibliothecary", "~> 15.2" + spec.add_dependency "vers", "~> 1.0" + spec.add_dependency "purl", "~> 1.7" + spec.add_dependency "sarif-ruby" end diff --git a/lib/git/pkgs.rb b/lib/git/pkgs.rb index f799371..e1cd17b 100644 --- a/lib/git/pkgs.rb +++ b/lib/git/pkgs.rb @@ -8,6 +8,8 @@ require_relative "pkgs/database" require_relative "pkgs/repository" require_relative "pkgs/analyzer" +require_relative "pkgs/ecosystems" +require_relative "pkgs/osv_client" require_relative "pkgs/models/branch" require_relative "pkgs/models/branch_commit" @@ -15,6 +17,9 @@ require_relative "pkgs/models/manifest" require_relative "pkgs/models/dependency_change" require_relative "pkgs/models/dependency_snapshot" +require_relative "pkgs/models/package" +require_relative "pkgs/models/vulnerability" +require_relative "pkgs/models/vulnerability_package" require_relative "pkgs/commands/init" require_relative "pkgs/commands/update" @@ -37,6 +42,7 @@ require_relative "pkgs/commands/schema" require_relative "pkgs/commands/diff_driver" require_relative "pkgs/commands/completions" +require_relative "pkgs/commands/vulns" module Git module Pkgs diff --git a/lib/git/pkgs/analyzer.rb b/lib/git/pkgs/analyzer.rb index bdf0e01..8774d2c 100644 --- a/lib/git/pkgs/analyzer.rb +++ b/lib/git/pkgs/analyzer.rb @@ -68,6 +68,10 @@ def initialize(repository) Config.configure_bibliothecary end + def generate_purl(ecosystem, name) + Ecosystems.generate_purl(ecosystem, name) + end + # Quick check if any paths might be manifests (fast regex check) def might_have_manifests?(paths) paths.any? 
{ |p| p.match?(QUICK_MANIFEST_REGEX) } @@ -134,6 +138,7 @@ def analyze_commit(rugged_commit, previous_snapshot = {}) ecosystem: result[:platform], kind: result[:kind], name: dep[:name], + purl: generate_purl(result[:platform], dep[:name]), change_type: "added", requirement: dep[:requirement], dependency_type: dep[:type] @@ -143,6 +148,7 @@ def analyze_commit(rugged_commit, previous_snapshot = {}) new_snapshot[key] = { ecosystem: result[:platform], kind: result[:kind], + purl: generate_purl(result[:platform], dep[:name]), requirement: dep[:requirement], dependency_type: dep[:type] } @@ -170,6 +176,7 @@ def analyze_commit(rugged_commit, previous_snapshot = {}) ecosystem: after_result[:platform], kind: after_result[:kind], name: name, + purl: generate_purl(after_result[:platform], name), change_type: "added", requirement: dep[:requirement], dependency_type: dep[:type] @@ -179,6 +186,7 @@ def analyze_commit(rugged_commit, previous_snapshot = {}) new_snapshot[key] = { ecosystem: after_result[:platform], kind: after_result[:kind], + purl: generate_purl(after_result[:platform], name), requirement: dep[:requirement], dependency_type: dep[:type] } @@ -191,6 +199,7 @@ def analyze_commit(rugged_commit, previous_snapshot = {}) ecosystem: before_result[:platform], kind: before_result[:kind], name: name, + purl: generate_purl(before_result[:platform], name), change_type: "removed", requirement: dep[:requirement], dependency_type: dep[:type] @@ -210,6 +219,7 @@ def analyze_commit(rugged_commit, previous_snapshot = {}) ecosystem: after_result[:platform], kind: after_result[:kind], name: name, + purl: generate_purl(after_result[:platform], name), change_type: "modified", requirement: after_dep[:requirement], previous_requirement: before_dep[:requirement], @@ -220,6 +230,7 @@ def analyze_commit(rugged_commit, previous_snapshot = {}) new_snapshot[key] = { ecosystem: after_result[:platform], kind: after_result[:kind], + purl: generate_purl(after_result[:platform], name), requirement: after_dep[:requirement], dependency_type: after_dep[:type] } @@ -238,6 +249,7 @@ def analyze_commit(rugged_commit, previous_snapshot = {}) ecosystem: result[:platform], kind: result[:kind], name: dep[:name], + purl: generate_purl(result[:platform], dep[:name]), change_type: "removed", requirement: dep[:requirement], dependency_type: dep[:type] @@ -311,9 +323,11 @@ def dependencies_at_commit(rugged_commit) result[:dependencies].each do |dep| deps << { manifest_path: path, + manifest_kind: result[:kind], name: dep[:name], ecosystem: result[:platform], kind: result[:kind], + purl: generate_purl(result[:platform], dep[:name]), requirement: dep[:requirement], dependency_type: dep[:type] } @@ -373,6 +387,39 @@ def find_manifest_paths_in_tree(tree, prefix = "") def lookup(oid) repository.lookup(oid) end + + # Pair manifest dependencies with their corresponding lockfile versions. + # Groups by directory + ecosystem + name, preferring lockfile over manifest. + # Can be called as instance method or class method. + def pair_manifests_with_lockfiles(deps) + self.class.pair_manifests_with_lockfiles(deps) + end + + def self.pair_manifests_with_lockfiles(deps) + # Group by (directory, ecosystem, name) + groups = {} + deps.each do |dep| + dir = File.dirname(dep[:manifest_path]) + dir = "" if dir == "." 
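+          # File.dirname returns "." for paths at the repository root; normalizing
+          # to "" keeps root-level manifests and lockfiles under one grouping key.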
+ key = [dir, dep[:ecosystem], dep[:name]] + groups[key] ||= [] + groups[key] << dep + end + + # For each group, pick the best entry (lockfile preferred) + groups.values.map do |group_deps| + lockfile_dep = group_deps.find { |d| d[:manifest_kind] == "lockfile" } + manifest_dep = group_deps.find { |d| d[:manifest_kind] == "manifest" } + + # Prefer lockfile version, fall back to manifest + lockfile_dep || manifest_dep || group_deps.first + end.compact + end + + # Filter to only lockfile dependencies + def self.lockfile_dependencies(deps) + deps.select { |d| d[:manifest_kind] == "lockfile" } + end end end end diff --git a/lib/git/pkgs/cli.rb b/lib/git/pkgs/cli.rb index 2453ae2..c551d48 100644 --- a/lib/git/pkgs/cli.rb +++ b/lib/git/pkgs/cli.rb @@ -34,6 +34,9 @@ class CLI "Analysis" => { "stats" => "Show dependency statistics", "stale" => "Show dependencies that haven't been updated" + }, + "Security" => { + "vulns" => "Scan for known vulnerabilities" } }.freeze @@ -99,13 +102,20 @@ def run_command(command) command = ALIASES.fetch(command, command) # Convert kebab-case or snake_case to PascalCase class_name = command.split(/[-_]/).map(&:capitalize).join - command_class = Commands.const_get(class_name) + + # Try with Command suffix first (e.g., VulnsCommand), then bare name + command_class = begin + Commands.const_get("#{class_name}Command") + rescue NameError + begin + Commands.const_get(class_name) + rescue NameError + $stderr.puts "Command '#{command}' not yet implemented" + exit 1 + end + end + command_class.new(@args).run - rescue NameError => e - # Only catch NameError for missing command class, not NoMethodError - raise unless e.is_a?(NameError) && !e.is_a?(NoMethodError) - $stderr.puts "Command '#{command}' not yet implemented" - exit 1 end def print_help diff --git a/lib/git/pkgs/commands/blame.rb b/lib/git/pkgs/commands/blame.rb index 10ec27c..745480b 100644 --- a/lib/git/pkgs/commands/blame.rb +++ b/lib/git/pkgs/commands/blame.rb @@ -113,24 +113,6 @@ def output_text(blame_data) end end - def best_author(commit) - authors = [commit.author_name] + parse_coauthors(commit.message) - - # Prefer human authors over bots - human = authors.find { |a| !bot_author?(a) } - human || authors.first - end - - def parse_coauthors(message) - return [] unless message - - message.scan(/^Co-authored-by:([^<]+)<[^>]+>/i).flatten.map(&:strip) - end - - def bot_author?(name) - name =~ /\[bot\]$|^dependabot|^renovate|^github-actions/i - end - def parse_options options = {} diff --git a/lib/git/pkgs/commands/diff_driver.rb b/lib/git/pkgs/commands/diff_driver.rb index 4dda6b7..6f3a4e7 100644 --- a/lib/git/pkgs/commands/diff_driver.rb +++ b/lib/git/pkgs/commands/diff_driver.rb @@ -80,10 +80,10 @@ def output_textconv(file_path) def install_driver # Set up git config for textconv - system("git", "config", "diff.pkgs.textconv", "git-pkgs diff-driver") + git_config("diff.pkgs.textconv", "git-pkgs diff-driver") # Add to .gitattributes - gitattributes_path = File.join(Dir.pwd, ".gitattributes") + gitattributes_path = File.join(work_tree, ".gitattributes") existing = File.exist?(gitattributes_path) ? 
File.read(gitattributes_path) : "" new_entries = [] @@ -109,9 +109,9 @@ def install_driver end def uninstall_driver - system("git", "config", "--unset", "diff.pkgs.textconv") + git_config_unset("diff.pkgs.textconv") - gitattributes_path = File.join(Dir.pwd, ".gitattributes") + gitattributes_path = File.join(work_tree, ".gitattributes") if File.exist?(gitattributes_path) lines = File.readlines(gitattributes_path) lines.reject! { |line| line.include?("diff=pkgs") || line.include?("# git-pkgs") } @@ -140,6 +140,26 @@ def parse_deps(path, content) {} end + def work_tree + Git::Pkgs.work_tree || Dir.pwd + end + + def git_cmd + if Git::Pkgs.git_dir + ["git", "-C", work_tree] + else + ["git"] + end + end + + def git_config(key, value) + system(*git_cmd, "config", key, value) + end + + def git_config_unset(key) + system(*git_cmd, "config", "--unset", key) + end + def parse_options options = {} diff --git a/lib/git/pkgs/commands/init.rb b/lib/git/pkgs/commands/init.rb index 4cbb104..bc40853 100644 --- a/lib/git/pkgs/commands/init.rb +++ b/lib/git/pkgs/commands/init.rb @@ -102,6 +102,7 @@ def bulk_process_commits(commits, branch, analyzer, total) manifest_id: manifest_ids[c[:manifest_path]], name: c[:name], ecosystem: c[:ecosystem], + purl: c[:purl], change_type: c[:change_type], requirement: c[:requirement], previous_requirement: c[:previous_requirement], @@ -121,6 +122,7 @@ def bulk_process_commits(commits, branch, analyzer, total) manifest_id: manifest_ids[s[:manifest_path]], name: s[:name], ecosystem: s[:ecosystem], + purl: s[:purl], requirement: s[:requirement], dependency_type: s[:dependency_type], created_at: now, @@ -185,6 +187,7 @@ def bulk_process_commits(commits, branch, analyzer, total) manifest_path: manifest_key, name: change[:name], ecosystem: change[:ecosystem], + purl: change[:purl], change_type: change[:change_type], requirement: change[:requirement], previous_requirement: change[:previous_requirement], @@ -202,6 +205,7 @@ def bulk_process_commits(commits, branch, analyzer, total) manifest_path: manifest_path, name: name, ecosystem: dep_info[:ecosystem], + purl: dep_info[:purl], requirement: dep_info[:requirement], dependency_type: dep_info[:dependency_type] } @@ -222,6 +226,7 @@ def bulk_process_commits(commits, branch, analyzer, total) manifest_path: manifest_path, name: name, ecosystem: dep_info[:ecosystem], + purl: dep_info[:purl], requirement: dep_info[:requirement], dependency_type: dep_info[:dependency_type] } diff --git a/lib/git/pkgs/commands/stale.rb b/lib/git/pkgs/commands/stale.rb index 4f3901e..2d2338f 100644 --- a/lib/git/pkgs/commands/stale.rb +++ b/lib/git/pkgs/commands/stale.rb @@ -26,10 +26,14 @@ def run return empty_result("No dependencies found") unless current_commit - snapshots = current_commit.dependency_snapshots_dataset.eager(:manifest) + # Only look at lockfile dependencies (actual resolved versions, not constraints) + snapshots = current_commit.dependency_snapshots_dataset + .eager(:manifest) + .join(:manifests, id: :manifest_id) + .where(Sequel[:manifests][:kind] => "lockfile") if @options[:ecosystem] - snapshots = snapshots.where(ecosystem: @options[:ecosystem]) + snapshots = snapshots.where(Sequel[:dependency_snapshots][:ecosystem] => @options[:ecosystem]) end snapshots = snapshots.all diff --git a/lib/git/pkgs/commands/update.rb b/lib/git/pkgs/commands/update.rb index 9bbe95d..b6917fc 100644 --- a/lib/git/pkgs/commands/update.rb +++ b/lib/git/pkgs/commands/update.rb @@ -41,6 +41,7 @@ def run key = [s.manifest.path, s.name] snapshot[key] = { ecosystem: 
s.ecosystem, + purl: s.purl, requirement: s.requirement, dependency_type: s.dependency_type } @@ -88,6 +89,7 @@ def run manifest: manifest, name: change[:name], ecosystem: change[:ecosystem], + purl: change[:purl], change_type: change[:change_type], requirement: change[:requirement], previous_requirement: change[:previous_requirement], @@ -105,6 +107,7 @@ def run name: name ) do |s| s.ecosystem = dep_info[:ecosystem] + s.purl = dep_info[:purl] s.requirement = dep_info[:requirement] s.dependency_type = dep_info[:dependency_type] end diff --git a/lib/git/pkgs/commands/vulns.rb b/lib/git/pkgs/commands/vulns.rb new file mode 100644 index 0000000..b7ea2f9 --- /dev/null +++ b/lib/git/pkgs/commands/vulns.rb @@ -0,0 +1,50 @@ +# frozen_string_literal: true + +require_relative "vulns/base" +require_relative "vulns/scan" +require_relative "vulns/sync" +require_relative "vulns/blame" +require_relative "vulns/praise" +require_relative "vulns/exposure" +require_relative "vulns/diff" +require_relative "vulns/log" +require_relative "vulns/history" +require_relative "vulns/show" + +module Git + module Pkgs + module Commands + class VulnsCommand + SUBCOMMANDS = %w[sync blame praise exposure diff log history show].freeze + + def initialize(args) + @args = args.dup + @subcommand = detect_subcommand + end + + def detect_subcommand + return nil if @args.empty? + return nil unless SUBCOMMANDS.include?(@args.first) + + @args.shift + end + + def run + handler_class = case @subcommand + when "sync" then Vulns::Sync + when "blame" then Vulns::Blame + when "praise" then Vulns::Praise + when "exposure" then Vulns::Exposure + when "diff" then Vulns::Diff + when "log" then Vulns::Log + when "history" then Vulns::History + when "show" then Vulns::Show + else Vulns::Scan + end + + handler_class.new(@args).run + end + end + end + end +end diff --git a/lib/git/pkgs/commands/vulns/base.rb b/lib/git/pkgs/commands/vulns/base.rb new file mode 100644 index 0000000..035834e --- /dev/null +++ b/lib/git/pkgs/commands/vulns/base.rb @@ -0,0 +1,354 @@ +# frozen_string_literal: true + +module Git + module Pkgs + module Commands + module Vulns + module Base + include Output + + SEVERITY_ORDER = { "critical" => 0, "high" => 1, "medium" => 2, "low" => 3, nil => 4 }.freeze + + def compute_dependencies_at_commit(target_commit, repo) + branch_name = @options[:branch] || repo.default_branch + branch = Models::Branch.first(name: branch_name) + return [] unless branch + + snapshot_commit = branch.commits_dataset + .join(:dependency_snapshots, commit_id: :id) + .where { Sequel[:commits][:committed_at] <= target_commit.committed_at } + .order(Sequel.desc(Sequel[:commits][:committed_at])) + .distinct + .first + + deps = {} + if snapshot_commit + snapshot_commit.dependency_snapshots.each do |s| + key = [s.manifest.path, s.name] + deps[key] = { + manifest_path: s.manifest.path, + manifest_kind: s.manifest.kind, + name: s.name, + ecosystem: s.ecosystem, + requirement: s.requirement, + dependency_type: s.dependency_type + } + end + end + + if snapshot_commit && snapshot_commit.id != target_commit.id + commit_ids = branch.commits_dataset.select_map(Sequel[:commits][:id]) + changes = Models::DependencyChange + .join(:commits, id: :commit_id) + .where(Sequel[:commits][:id] => commit_ids) + .where { Sequel[:commits][:committed_at] > snapshot_commit.committed_at } + .where { Sequel[:commits][:committed_at] <= target_commit.committed_at } + .order(Sequel[:commits][:committed_at]) + .eager(:manifest) + .all + + changes.each do |change| + key = 
[change.manifest.path, change.name] + case change.change_type + when "added", "modified" + deps[key] = { + manifest_path: change.manifest.path, + manifest_kind: change.manifest.kind, + name: change.name, + ecosystem: change.ecosystem, + requirement: change.requirement, + dependency_type: change.dependency_type + } + when "removed" + deps.delete(key) + end + end + end + + deps.values + end + + def scan_for_vulnerabilities(deps) + vulns = [] + + # Pair manifests with lockfiles by directory and ecosystem + # Prefer lockfile versions over manifest constraints + paired = Analyzer.pair_manifests_with_lockfiles(deps) + + # Deduplicate across directories by ecosystem+name + deduped = {} + paired.each do |dep| + osv_ecosystem = Ecosystems.to_osv(dep[:ecosystem]) + next unless osv_ecosystem + + key = [osv_ecosystem, dep[:name]] + existing = deduped[key] + + # Prefer more specific versions: actual version > constraint + if existing.nil? || more_specific_version?(dep[:requirement], existing[:version]) + deduped[key] = { + ecosystem: osv_ecosystem, + name: dep[:name], + version: dep[:requirement], + original: dep + } + end + end + + packages = deduped.values + + packages_needing_sync = packages.reject do |pkg| + package_synced?(pkg[:ecosystem], pkg[:name]) + end + + sync_packages(packages_needing_sync) if packages_needing_sync.any? + + packages.each do |pkg| + vuln_pkgs = Models::VulnerabilityPackage + .for_package(pkg[:ecosystem], pkg[:name]) + .eager(:vulnerability) + .all + + vuln_pkgs.each do |vp| + next unless vp.affects_version?(pkg[:version]) + next if vp.vulnerability&.withdrawn? + + vulns << { + id: vp.vulnerability_id, + severity: vp.vulnerability&.severity, + cvss_score: vp.vulnerability&.cvss_score, + package_name: pkg[:name], + package_version: pkg[:version], + ecosystem: pkg[:original][:ecosystem], + manifest_path: pkg[:original][:manifest_path], + summary: vp.vulnerability&.summary, + fixed_versions: vp.fixed_versions_list.first + } + end + end + + vulns + end + + def package_synced?(ecosystem, name) + purl = Ecosystems.generate_purl(Ecosystems.from_osv(ecosystem), name) + return false unless purl + + pkg = Models::Package.first(purl: purl) + pkg && !pkg.needs_vuln_sync? + end + + def sync_packages(packages) + return if packages.empty? + + client = OsvClient.new + results = begin + client.query_batch(packages.map { |p| p.slice(:ecosystem, :name, :version) }) + rescue OsvClient::ApiError => e + error "Failed to query OSV API: #{e.message}" + end + + fetch_vulnerability_details(client, results) + + packages.each do |pkg| + bib_ecosystem = Ecosystems.from_osv(pkg[:ecosystem]) + purl = Ecosystems.generate_purl(bib_ecosystem, pkg[:name]) + mark_package_synced(purl, bib_ecosystem, pkg[:name]) if purl + end + end + + def ensure_vulns_synced + packages = Models::DependencyChange + .select(:ecosystem, :name) + .select_group(:ecosystem, :name) + .all + + packages_to_sync = packages.select do |pkg| + next false unless Ecosystems.supported?(pkg.ecosystem) + + purl = Ecosystems.generate_purl(pkg.ecosystem, pkg.name) + next false unless purl + + db_pkg = Models::Package.first(purl: purl) + !db_pkg || db_pkg.needs_vuln_sync? + end + + return if packages_to_sync.empty? 
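+            # Everything left here has never been synced, or is stale per
+            # needs_vuln_sync?; it is re-queried from OSV in batches below.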
+ + client = OsvClient.new + packages_to_sync.each_slice(100) do |batch| + queries = batch.map do |pkg| + osv_ecosystem = Ecosystems.to_osv(pkg.ecosystem) + next unless osv_ecosystem + + { ecosystem: osv_ecosystem, name: pkg.name } + end.compact + + results = client.query_batch(queries) + fetch_vulnerability_details(client, results) + + batch.each do |pkg| + purl = Ecosystems.generate_purl(pkg.ecosystem, pkg.name) + mark_package_synced(purl, pkg.ecosystem, pkg.name) if purl + end + end + end + + def fetch_vulnerability_details(client, results) + vuln_ids = results.flatten.map { |v| v["id"] }.uniq + vuln_ids.each do |vuln_id| + next if Models::Vulnerability.first(id: vuln_id)&.vulnerability_packages&.any? + + begin + full_vuln = client.get_vulnerability(vuln_id) + Models::Vulnerability.from_osv(full_vuln) + rescue OsvClient::ApiError => e + $stderr.puts "Warning: Failed to fetch vulnerability #{vuln_id}: #{e.message}" unless Git::Pkgs.quiet + end + end + end + + def mark_package_synced(purl, ecosystem, name) + Models::Package.update_or_create( + { purl: purl }, + { ecosystem: ecosystem, name: name, vulns_synced_at: Time.now } + ) + end + + def format_commit_info(commit) + return nil unless commit + + { + sha: commit.sha[0, 7], + full_sha: commit.sha, + date: commit.committed_at&.strftime("%Y-%m-%d"), + author: best_author(commit), + message: commit.message&.lines&.first&.strip&.slice(0, 50) + } + end + + def parse_date(date_str) + Time.parse(date_str) + rescue ArgumentError + error "Invalid date format: #{date_str}" + end + + def find_introducing_change(ecosystem, package_name, vuln_pkg, up_to_commit) + changes = Models::DependencyChange + .join(:commits, id: :commit_id) + .where(ecosystem: ecosystem, name: package_name) + .where(change_type: %w[added modified]) + .where { Sequel[:commits][:committed_at] <= up_to_commit.committed_at } + .order(Sequel[:commits][:committed_at]) + .eager(:commit) + .all + + changes.each do |change| + next unless vuln_pkg.affects_version?(change.requirement) + return change + end + + nil + end + + def find_fixing_change(ecosystem, package_name, vuln_pkg, up_to_commit, after_time) + return nil unless after_time + + changes = Models::DependencyChange + .join(:commits, id: :commit_id) + .where(ecosystem: ecosystem, name: package_name) + .where(change_type: %w[modified removed]) + .where { Sequel[:commits][:committed_at] > after_time } + .where { Sequel[:commits][:committed_at] <= up_to_commit.committed_at } + .order(Sequel[:commits][:committed_at]) + .eager(:commit) + .all + + find_first_fixing_change(changes, vuln_pkg) + end + + def find_first_fixing_change(changes, vuln_pkg) + changes.each do |change| + if change.change_type == "removed" + return change + elsif !vuln_pkg.affects_version?(change.requirement) + return change + end + end + nil + end + + def find_vulnerability_window(ecosystem, package_name, vuln_pkg) + introducing_changes = Models::DependencyChange + .join(:commits, id: :commit_id) + .where(ecosystem: ecosystem, name: package_name) + .where(change_type: %w[added modified]) + .order(Sequel[:commits][:committed_at]) + .eager(:commit) + .all + + introducing_change = introducing_changes.find { |c| vuln_pkg.affects_version?(c.requirement) } + return nil unless introducing_change + + introduced_at = introducing_change.commit.committed_at + + fix_changes = Models::DependencyChange + .join(:commits, id: :commit_id) + .where(ecosystem: ecosystem, name: package_name) + .where(change_type: %w[modified removed]) + .where { Sequel[:commits][:committed_at] > 
introduced_at } + .order(Sequel[:commits][:committed_at]) + .eager(:commit) + .all + + fixing_change = find_first_fixing_change(fix_changes, vuln_pkg) + + { + introducing: introducing_change, + fixing: fixing_change, + status: fixing_change ? "fixed" : "ongoing" + } + end + + def get_dependencies_stateless(repo) + ref = @options[:ref] || "HEAD" + commit_sha = repo.rev_parse(ref) + rugged_commit = repo.lookup(commit_sha) + + error "Could not resolve '#{ref}'. Check that the ref exists." unless rugged_commit + + analyzer = Analyzer.new(repo) + analyzer.dependencies_at_commit(rugged_commit) + end + + def get_dependencies_with_database(repo) + ref = @options[:ref] || "HEAD" + commit_sha = repo.rev_parse(ref) + target_commit = Models::Commit.first(sha: commit_sha) + + # Fall back to stateless mode if commit not tracked + return get_dependencies_stateless(repo) unless target_commit + + compute_dependencies_at_commit(target_commit, repo) + end + + # Returns true if `new_version` is more specific than `old_version`. + # Actual version numbers are preferred over loose constraints like ">= 0". + def more_specific_version?(new_version, old_version) + return false if new_version.nil? || new_version.empty? + return true if old_version.nil? || old_version.empty? + + new_is_constraint = new_version.match?(/[<>=~^]/) + old_is_constraint = old_version.match?(/[<>=~^]/) + + # Prefer actual versions over constraints + return true if !new_is_constraint && old_is_constraint + + # If both are versions or both are constraints, prefer neither + false + end + end + end + end + end +end diff --git a/lib/git/pkgs/commands/vulns/blame.rb b/lib/git/pkgs/commands/vulns/blame.rb new file mode 100644 index 0000000..1688c25 --- /dev/null +++ b/lib/git/pkgs/commands/vulns/blame.rb @@ -0,0 +1,276 @@ +# frozen_string_literal: true + +module Git + module Pkgs + module Commands + module Vulns + class Blame + include Base + + def initialize(args) + @args = args.dup + @options = parse_options + end + + def parse_options + options = {} + + parser = OptionParser.new do |opts| + opts.banner = "Usage: git pkgs vulns blame [ref] [options]" + opts.separator "" + opts.separator "Show who introduced each vulnerability." + opts.separator "" + opts.separator "Arguments:" + opts.separator " ref Git ref to analyze (default: HEAD)" + opts.separator "" + opts.separator "Options:" + + opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v| + options[:ecosystem] = v + end + + opts.on("-s", "--severity=LEVEL", "Minimum severity (critical, high, medium, low)") do |v| + options[:severity] = v + end + + opts.on("-r", "--ref=REF", "Git ref to analyze (default: HEAD)") do |v| + options[:ref] = v + end + + opts.on("-b", "--branch=NAME", "Branch context for finding commits") do |v| + options[:branch] = v + end + + opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v| + options[:format] = v + end + + opts.on("--all-time", "Show blame for all historical vulnerabilities") do + options[:all_time] = true + end + + opts.on("-h", "--help", "Show this help") do + puts opts + exit + end + end + + parser.parse!(@args) + options[:ref] ||= @args.shift unless @args.empty? + options + end + + def run + repo = Repository.new + + unless Database.exists?(repo.git_dir) + error "No database found. Run 'git pkgs init' first. Blame requires commit history." 
+ end + + Database.connect(repo.git_dir) + + if @options[:all_time] + run_all_time(repo) + else + run_at_ref(repo) + end + end + + def run_at_ref(repo) + ref = @options[:ref] || "HEAD" + commit_sha = repo.rev_parse(ref) + target_commit = Models::Commit.first(sha: commit_sha) + + unless target_commit + error "Commit #{commit_sha[0, 7]} not in database. Run 'git pkgs update' first." + end + + deps = compute_dependencies_at_commit(target_commit, repo) + + if deps.empty? + empty_result "No dependencies found" + return + end + + supported_deps = deps.select { |d| Ecosystems.supported?(d[:ecosystem]) } + vulns = scan_for_vulnerabilities(supported_deps) + + if @options[:severity] + min_level = SEVERITY_ORDER[@options[:severity].downcase] || 4 + vulns = vulns.select { |v| (SEVERITY_ORDER[v[:severity]&.downcase] || 4) <= min_level } + end + + if vulns.empty? + puts "No known vulnerabilities found" + return + end + + blame_results = vulns.map do |vuln| + introducing = find_introducing_commit( + vuln[:ecosystem], + vuln[:package_name], + vuln[:id], + target_commit + ) + + vuln.merge(introducing_commit: introducing) + end + + output_results(blame_results) + end + + def run_all_time(repo) + branch_name = @options[:branch] || repo.default_branch + branch = Models::Branch.first(name: branch_name) + + unless branch&.last_analyzed_sha + error "No analysis found for branch '#{branch_name}'. Run 'git pkgs init' first." + end + + # Get all unique packages from dependency changes + packages = Models::DependencyChange + .select(:ecosystem, :name) + .select_group(:ecosystem, :name) + .all + + blame_results = [] + + packages.each do |pkg| + next unless Ecosystems.supported?(pkg.ecosystem) + + osv_ecosystem = Ecosystems.to_osv(pkg.ecosystem) + next unless osv_ecosystem + + vuln_pkgs = Models::VulnerabilityPackage + .for_package(osv_ecosystem, pkg.name) + .eager(:vulnerability) + .all + + vuln_pkgs.each do |vp| + next if vp.vulnerability&.withdrawn? + + introducing = find_historical_introducing_commit(pkg.ecosystem, pkg.name, vp) + next unless introducing + + severity = vp.vulnerability&.severity + + if @options[:severity] + min_level = SEVERITY_ORDER[@options[:severity].downcase] || 4 + next unless (SEVERITY_ORDER[severity&.downcase] || 4) <= min_level + end + + blame_results << { + id: vp.vulnerability_id, + severity: severity, + package_name: pkg.name, + package_version: introducing[:version], + summary: vp.vulnerability&.summary, + introducing_commit: introducing[:commit_info], + status: introducing[:status] + } + end + end + + if blame_results.empty? + puts "No historical vulnerabilities found" + return + end + + output_results(blame_results) + end + + def find_historical_introducing_commit(ecosystem, package_name, vuln_pkg) + window = find_vulnerability_window(ecosystem, package_name, vuln_pkg) + return nil unless window + + { + commit_info: format_commit_info(window[:introducing].commit), + version: window[:introducing].requirement, + status: window[:status] + } + end + + def output_results(blame_results) + blame_results.sort_by! 
do |v| + [SEVERITY_ORDER[v[:severity]&.downcase] || 4, v[:package_name]] + end + + if @options[:format] == "json" + require "json" + puts JSON.pretty_generate(blame_results) + else + output_blame_text(blame_results) + end + end + + def find_introducing_commit(ecosystem, package_name, vuln_id, up_to_commit) + osv_ecosystem = Ecosystems.to_osv(ecosystem) + vuln_pkg = Models::VulnerabilityPackage.first( + vulnerability_id: vuln_id, + ecosystem: osv_ecosystem, + package_name: package_name + ) + + return nil unless vuln_pkg + + changes = Models::DependencyChange + .join(:commits, id: :commit_id) + .where(ecosystem: ecosystem, name: package_name) + .where(change_type: %w[added modified]) + .where { Sequel[:commits][:committed_at] <= up_to_commit.committed_at } + .order(Sequel.desc(Sequel[:commits][:committed_at])) + .eager(:commit) + .all + + changes.each do |change| + next unless vuln_pkg.affects_version?(change.requirement) + return format_commit_info(change.commit) + end + + first_add = Models::DependencyChange + .join(:commits, id: :commit_id) + .where(ecosystem: ecosystem, name: package_name) + .where(change_type: "added") + .order(Sequel[:commits][:committed_at]) + .eager(:commit) + .first + + return format_commit_info(first_add.commit) if first_add && vuln_pkg.affects_version?(first_add.requirement) + + nil + end + + def output_blame_text(results) + has_status = results.any? { |r| r[:status] } + max_severity = results.map { |v| (v[:severity] || "").length }.max || 8 + max_id = results.map { |v| v[:id].length }.max || 15 + max_pkg = results.map { |v| "#{v[:package_name]} #{v[:package_version]}".length }.max || 20 + + results.each do |result| + severity = (result[:severity] || "unknown").upcase.ljust(max_severity) + id = result[:id].ljust(max_id) + pkg = "#{result[:package_name]} #{result[:package_version]}".ljust(max_pkg) + + intro = result[:introducing_commit] + commit_info = if intro + "#{intro[:sha]} #{intro[:date]} #{intro[:author]} \"#{intro[:message]}\"" + else + "(unknown origin)" + end + + status_str = has_status ? " [#{result[:status]}]" : "" + line = "#{severity} #{id} #{pkg} #{commit_info}#{status_str}" + colored_line = case result[:severity]&.downcase + when "critical", "high" then Color.red(line) + when "medium" then Color.yellow(line) + when "low" then Color.cyan(line) + else line + end + puts colored_line + end + end + end + end + end + end +end diff --git a/lib/git/pkgs/commands/vulns/diff.rb b/lib/git/pkgs/commands/vulns/diff.rb new file mode 100644 index 0000000..c3d51eb --- /dev/null +++ b/lib/git/pkgs/commands/vulns/diff.rb @@ -0,0 +1,172 @@ +# frozen_string_literal: true + +module Git + module Pkgs + module Commands + module Vulns + class Diff + include Base + + def initialize(args) + @args = args.dup + @options = parse_options + end + + def parse_options + options = {} + + parser = OptionParser.new do |opts| + opts.banner = "Usage: git pkgs vulns diff [ref1] [ref2] [options]" + opts.separator "" + opts.separator "Compare vulnerability state between two commits." 
+              opts.separator ""
+              opts.separator "Arguments:"
+              opts.separator "  ref1    First git ref (default: HEAD~1)"
+              opts.separator "  ref2    Second git ref (default: HEAD)"
+              opts.separator ""
+              opts.separator "Examples:"
+              opts.separator "  git pkgs vulns diff main feature-branch"
+              opts.separator "  git pkgs vulns diff v1.0.0 v2.0.0"
+              opts.separator "  git pkgs vulns diff HEAD~10"
+              opts.separator ""
+              opts.separator "Options:"
+
+              opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v|
+                options[:ecosystem] = v
+              end
+
+              opts.on("-s", "--severity=LEVEL", "Minimum severity (critical, high, medium, low)") do |v|
+                options[:severity] = v
+              end
+
+              opts.on("-b", "--branch=NAME", "Branch context for finding commits") do |v|
+                options[:branch] = v
+              end
+
+              opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v|
+                options[:format] = v
+              end
+
+              opts.on("-h", "--help", "Show this help") do
+                puts opts
+                exit
+              end
+            end
+
+            parser.parse!(@args)
+            options
+          end
+
+          def run
+            repo = Repository.new
+
+            unless Database.exists?(repo.git_dir)
+              error "No database found. Run 'git pkgs init' first. Diff requires commit history."
+            end
+
+            Database.connect(repo.git_dir)
+
+            ref1, ref2 = parse_diff_refs(repo)
+            commit1_sha = repo.rev_parse(ref1)
+            commit2_sha = repo.rev_parse(ref2)
+
+            commit1 = Models::Commit.first(sha: commit1_sha)
+            commit2 = Models::Commit.first(sha: commit2_sha)
+
+            error "Commit #{commit1_sha[0, 7]} not in database. Run 'git pkgs update' first." unless commit1
+            error "Commit #{commit2_sha[0, 7]} not in database. Run 'git pkgs update' first." unless commit2
+
+            deps1 = compute_dependencies_at_commit(commit1, repo)
+            deps2 = compute_dependencies_at_commit(commit2, repo)
+
+            supported_deps1 = deps1.select { |d| Ecosystems.supported?(d[:ecosystem]) }
+            supported_deps2 = deps2.select { |d| Ecosystems.supported?(d[:ecosystem]) }
+
+            vulns1 = scan_for_vulnerabilities(supported_deps1)
+            vulns2 = scan_for_vulnerabilities(supported_deps2)
+
+            if @options[:severity]
+              min_level = SEVERITY_ORDER[@options[:severity].downcase] || 4
+              vulns1 = vulns1.select { |v| (SEVERITY_ORDER[v[:severity]&.downcase] || 4) <= min_level }
+              vulns2 = vulns2.select { |v| (SEVERITY_ORDER[v[:severity]&.downcase] || 4) <= min_level }
+            end
+
+            vulns1_ids = vulns1.map { |v| v[:id] }.to_set
+            vulns2_ids = vulns2.map { |v| v[:id] }.to_set
+
+            added = vulns2.reject { |v| vulns1_ids.include?(v[:id]) }
+            removed = vulns1.reject { |v| vulns2_ids.include?(v[:id]) }
+
+            if added.empty? && removed.empty?
+              puts "No vulnerability changes between #{ref1} and #{ref2}"
+              return
+            end
+
+            if @options[:format] == "json"
+              require "json"
+              puts JSON.pretty_generate({
+                from: ref1,
+                to: ref2,
+                added: added,
+                removed: removed
+              })
+            else
+              output_diff_text(added, removed, ref1, ref2)
+            end
+          end
+
+          def parse_diff_refs(repo)
+            args = @args.dup
+            ref1 = args.shift
+            ref2 = args.shift
+
+            if ref1.nil?
+              ref1 = "HEAD~1"
+              ref2 = "HEAD"
+            elsif ref2.nil?
+              # With a single argument, diff from that ref to HEAD (matching git
+              # convention and the "diff HEAD~10" example above); keeping ref1 as
+              # given also lets the range syntax below parse correctly.
+              ref2 = "HEAD"
+            end
+
+            if ref1.include?("...")
+              parts = ref1.split("...")
+              ref1 = parts[0]
+              ref2 = parts[1]
+            elsif ref1.include?("..")
+              parts = ref1.split("..")
+              ref1 = parts[0]
+              ref2 = parts[1]
+            end
+
+            [ref1, ref2]
+          end
+
+          def output_diff_text(added, removed, ref1, ref2)
+            all_vulns = added.map { |v| v.merge(diff_type: :added) } +
+                        removed.map { |v| v.merge(diff_type: :removed) }
+
+            all_vulns.sort_by!
do |v| + [SEVERITY_ORDER[v[:severity]&.downcase] || 4, v[:package_name]] + end + + max_severity = all_vulns.map { |v| (v[:severity] || "").length }.max || 8 + max_id = all_vulns.map { |v| v[:id].length }.max || 15 + max_pkg = all_vulns.map { |v| "#{v[:package_name]} #{v[:package_version]}".length }.max || 20 + + all_vulns.each do |vuln| + prefix = vuln[:diff_type] == :added ? "+" : "-" + severity = (vuln[:severity] || "unknown").upcase.ljust(max_severity) + id = vuln[:id].ljust(max_id) + pkg = "#{vuln[:package_name]} #{vuln[:package_version]}".ljust(max_pkg) + note = vuln[:diff_type] == :added ? "(introduced in #{ref2})" : "(fixed in #{ref2})" + + color = vuln[:diff_type] == :added ? :red : :green + line = "#{prefix}#{severity} #{id} #{pkg} #{note}" + puts Color.send(color, line) + end + end + end + end + end + end +end diff --git a/lib/git/pkgs/commands/vulns/exposure.rb b/lib/git/pkgs/commands/vulns/exposure.rb new file mode 100644 index 0000000..b0a3de7 --- /dev/null +++ b/lib/git/pkgs/commands/vulns/exposure.rb @@ -0,0 +1,418 @@ +# frozen_string_literal: true + +module Git + module Pkgs + module Commands + module Vulns + class Exposure + include Base + + def initialize(args) + @args = args.dup + @options = parse_options + end + + def parse_options + options = {} + + parser = OptionParser.new do |opts| + opts.banner = "Usage: git pkgs vulns exposure [ref] [options]" + opts.separator "" + opts.separator "Calculate exposure windows and remediation metrics." + opts.separator "" + opts.separator "Arguments:" + opts.separator " ref Git ref to analyze (default: HEAD)" + opts.separator "" + opts.separator "Options:" + + opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v| + options[:ecosystem] = v + end + + opts.on("-s", "--severity=LEVEL", "Minimum severity (critical, high, medium, low)") do |v| + options[:severity] = v + end + + opts.on("-r", "--ref=REF", "Git ref to analyze (default: HEAD)") do |v| + options[:ref] = v + end + + opts.on("-b", "--branch=NAME", "Branch context for finding commits") do |v| + options[:branch] = v + end + + opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v| + options[:format] = v + end + + opts.on("--summary", "Show aggregate metrics only") do + options[:summary] = true + end + + opts.on("--all-time", "Show stats for all historical vulnerabilities") do + options[:all_time] = true + end + + opts.on("-h", "--help", "Show this help") do + puts opts + exit + end + end + + parser.parse!(@args) + options[:ref] ||= @args.shift unless @args.empty? + options + end + + def run + repo = Repository.new + + unless Database.exists?(repo.git_dir) + error "No database found. Run 'git pkgs init' first. Exposure analysis requires commit history." + end + + Database.connect(repo.git_dir) + + if @options[:all_time] + run_all_time(repo) + else + run_at_ref(repo) + end + end + + def run_at_ref(repo) + ref = @options[:ref] || "HEAD" + commit_sha = repo.rev_parse(ref) + target_commit = Models::Commit.first(sha: commit_sha) + + unless target_commit + error "Commit #{commit_sha[0, 7]} not in database. Run 'git pkgs update' first." + end + + deps = compute_dependencies_at_commit(target_commit, repo) + + if deps.empty? 
+ empty_result "No dependencies found" + return + end + + supported_deps = deps.select { |d| Ecosystems.supported?(d[:ecosystem]) } + vulns = scan_for_vulnerabilities(supported_deps) + + if @options[:severity] + min_level = SEVERITY_ORDER[@options[:severity].downcase] || 4 + vulns = vulns.select { |v| (SEVERITY_ORDER[v[:severity]&.downcase] || 4) <= min_level } + end + + if vulns.empty? + puts "No known vulnerabilities found" + return + end + + exposure_data = vulns.map do |vuln| + calculate_exposure(vuln, target_commit) + end.compact + + output_results(exposure_data) + end + + def run_all_time(repo) + branch_name = @options[:branch] || repo.default_branch + branch = Models::Branch.first(name: branch_name) + + unless branch&.last_analyzed_sha + error "No analysis found for branch '#{branch_name}'. Run 'git pkgs init' first." + end + + last_commit = Models::Commit.first(sha: branch.last_analyzed_sha) + + # Get all unique packages from dependency changes + packages = Models::DependencyChange + .select(:ecosystem, :name) + .select_group(:ecosystem, :name) + .all + + exposure_data = [] + + packages.each do |pkg| + next unless Ecosystems.supported?(pkg.ecosystem) + + osv_ecosystem = Ecosystems.to_osv(pkg.ecosystem) + next unless osv_ecosystem + + vuln_pkgs = Models::VulnerabilityPackage + .for_package(osv_ecosystem, pkg.name) + .eager(:vulnerability) + .all + + vuln_pkgs.each do |vp| + next if vp.vulnerability&.withdrawn? + + exposure = calculate_historical_exposure(pkg.ecosystem, pkg.name, vp, last_commit) + next unless exposure + + if @options[:severity] + min_level = SEVERITY_ORDER[@options[:severity].downcase] || 4 + next unless (SEVERITY_ORDER[exposure[:severity]&.downcase] || 4) <= min_level + end + + exposure_data << exposure + end + end + + if exposure_data.empty? + puts "No historical vulnerabilities found" + return + end + + output_results(exposure_data) + end + + def calculate_historical_exposure(ecosystem, package_name, vuln_pkg, last_commit) + window = find_vulnerability_window(ecosystem, package_name, vuln_pkg) + return nil unless window + + introducing_change = window[:introducing] + fixing_change = window[:fixing] + + introduced_at = introducing_change.commit.committed_at + fixed_at = fixing_change&.commit&.committed_at + published_at = vuln_pkg.vulnerability&.published_at + now = Time.now + + total_exposure_days = if introduced_at + end_time = fixed_at || now + ((end_time - introduced_at) / 86400).round + end + + post_disclosure_days = if published_at + start_time = [introduced_at, published_at].compact.max + end_time = fixed_at || now + if start_time && end_time > start_time + ((end_time - start_time) / 86400).round + else + 0 + end + end + + { + id: vuln_pkg.vulnerability_id, + severity: vuln_pkg.vulnerability&.severity, + package_name: package_name, + package_version: introducing_change.requirement, + published_at: published_at&.strftime("%Y-%m-%d"), + introduced_at: introduced_at&.strftime("%Y-%m-%d"), + introduced_by: format_commit_info(introducing_change.commit), + fixed_at: fixed_at&.strftime("%Y-%m-%d"), + fixed_by: fixing_change ? 
format_commit_info(fixing_change.commit) : nil, + status: window[:status], + total_exposure_days: total_exposure_days, + post_disclosure_days: post_disclosure_days + } + end + + def output_results(exposure_data) + if @options[:format] == "json" + require "json" + puts JSON.pretty_generate({ + vulnerabilities: exposure_data, + summary: compute_exposure_summary(exposure_data) + }) + elsif @options[:summary] + output_exposure_summary(exposure_data) + else + output_exposure_table(exposure_data) + end + end + + def calculate_exposure(vuln, up_to_commit) + osv_ecosystem = Ecosystems.to_osv(vuln[:ecosystem]) + vuln_pkg = Models::VulnerabilityPackage.first( + vulnerability_id: vuln[:id], + ecosystem: osv_ecosystem, + package_name: vuln[:package_name] + ) + + return nil unless vuln_pkg + + vulnerability = vuln_pkg.vulnerability + published_at = vulnerability&.published_at + + introduced_change = find_introducing_change( + vuln[:ecosystem], + vuln[:package_name], + vuln_pkg, + up_to_commit + ) + + introduced_at = introduced_change&.commit&.committed_at + + fixed_change = find_fixing_change( + vuln[:ecosystem], + vuln[:package_name], + vuln_pkg, + up_to_commit, + introduced_at + ) + + fixed_at = fixed_change&.commit&.committed_at + now = Time.now + + total_exposure_days = if introduced_at + end_time = fixed_at || now + ((end_time - introduced_at) / 86400).round + end + + post_disclosure_days = if published_at + start_time = [introduced_at, published_at].compact.max + end_time = fixed_at || now + if start_time && end_time > start_time + ((end_time - start_time) / 86400).round + else + 0 + end + end + + { + id: vuln[:id], + severity: vuln[:severity], + package_name: vuln[:package_name], + package_version: vuln[:package_version], + published_at: published_at&.strftime("%Y-%m-%d"), + introduced_at: introduced_at&.strftime("%Y-%m-%d"), + introduced_by: introduced_change ? format_commit_info(introduced_change.commit) : nil, + fixed_at: fixed_at&.strftime("%Y-%m-%d"), + fixed_by: fixed_change ? format_commit_info(fixed_change.commit) : nil, + status: fixed_at ? "fixed" : "ongoing", + total_exposure_days: total_exposure_days, + post_disclosure_days: post_disclosure_days + } + end + + def compute_exposure_summary(data) + return {} if data.empty? + + fixed = data.select { |d| d[:status] == "fixed" } + ongoing = data.select { |d| d[:status] == "ongoing" } + + post_disclosure_times = fixed.map { |d| d[:post_disclosure_days] }.compact + mean_remediation = post_disclosure_times.empty? ? nil : (post_disclosure_times.sum.to_f / post_disclosure_times.size).round(1) + median_remediation = median(post_disclosure_times) + + oldest_ongoing = ongoing.map { |d| d[:post_disclosure_days] }.compact.max + + by_severity = {} + %w[critical high medium low].each do |sev| + sev_fixed = fixed.select { |d| d[:severity]&.downcase == sev } + sev_times = sev_fixed.map { |d| d[:post_disclosure_days] }.compact + next if sev_times.empty? 
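+              # Mean post-disclosure days to remediate for this severity bucket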
+ + by_severity[sev] = (sev_times.sum.to_f / sev_times.size).round(1) + end + + { + total_vulnerabilities: data.size, + fixed_count: fixed.size, + ongoing_count: ongoing.size, + mean_remediation_days: mean_remediation, + median_remediation_days: median_remediation, + oldest_ongoing_days: oldest_ongoing, + by_severity: by_severity + } + end + + def output_exposure_summary(data) + summary = compute_exposure_summary(data) + + # Build stats rows + rows = [] + rows << ["Total vulnerabilities", summary[:total_vulnerabilities].to_s] + rows << ["Fixed", summary[:fixed_count].to_s] + rows << ["Ongoing", summary[:ongoing_count].to_s] + + if summary[:fixed_count].positive? + rows << ["Median remediation", "#{summary[:median_remediation_days] || 'N/A'} days"] + rows << ["Mean remediation", "#{summary[:mean_remediation_days] || 'N/A'} days"] + end + + if summary[:oldest_ongoing_days] + rows << ["Oldest unpatched", "#{summary[:oldest_ongoing_days]} days"] + end + + # Add severity breakdown + summary[:by_severity].each do |sev, avg| + rows << ["#{sev.capitalize} (avg)", "#{avg} days"] + end + + output_stats_table(rows) + end + + def output_stats_table(rows) + return if rows.empty? + + max_label = rows.map { |r| r[0].length }.max || 20 + max_value = rows.map { |r| r[1].length }.max || 10 + + width = max_label + max_value + 7 + border = "+" + ("-" * (width - 2)) + "+" + + puts border + rows.each do |label, value| + puts "| #{label.ljust(max_label)} | #{value.rjust(max_value)} |" + end + puts border + end + + def output_exposure_table(data) + max_pkg = data.map { |d| d[:package_name].length }.max || 10 + max_id = data.map { |d| d[:id].length }.max || 15 + + header = "#{"Package".ljust(max_pkg)} #{"CVE".ljust(max_id)} Introduced Fixed Exposed Post-Disclosure" + puts header + puts "-" * header.length + + data.sort_by { |d| [SEVERITY_ORDER[d[:severity]&.downcase] || 4, d[:package_name]] }.each do |row| + pkg = row[:package_name].ljust(max_pkg) + id = row[:id].ljust(max_id) + introduced = (row[:introduced_at] || "unknown").ljust(10) + fixed = row[:status] == "fixed" ? row[:fixed_at].ljust(10) : "-".ljust(10) + exposed = row[:total_exposure_days] ? "#{row[:total_exposure_days]}d".ljust(7) : "?".ljust(7) + + post = if row[:status] == "ongoing" && row[:post_disclosure_days] + "#{row[:post_disclosure_days]}d (ongoing)" + elsif row[:post_disclosure_days] + "#{row[:post_disclosure_days]}d" + else + "?" + end + + line = "#{pkg} #{id} #{introduced} #{fixed} #{exposed} #{post}" + colored_line = case row[:severity]&.downcase + when "critical", "high" then Color.red(line) + when "medium" then Color.yellow(line) + when "low" then Color.cyan(line) + else line + end + puts colored_line + end + + puts "" + output_exposure_summary(data) + end + + def median(values) + return nil if values.empty? + + sorted = values.sort + mid = sorted.size / 2 + if sorted.size.odd? 
+              sorted[mid]
+            else
+              ((sorted[mid - 1] + sorted[mid]) / 2.0).round(1)
+            end
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/git/pkgs/commands/vulns/history.rb b/lib/git/pkgs/commands/vulns/history.rb
new file mode 100644
index 0000000..fc3b8a6
--- /dev/null
+++ b/lib/git/pkgs/commands/vulns/history.rb
@@ -0,0 +1,345 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Commands
+      module Vulns
+        class History
+          include Base
+
+          def initialize(args)
+            @args = args.dup
+            @options = parse_options
+          end
+
+          def parse_options
+            options = {}
+
+            parser = OptionParser.new do |opts|
+              opts.banner = "Usage: git pkgs vulns history <package|cve> [options]"
+              opts.separator ""
+              opts.separator "Show vulnerability timeline for a specific package or CVE."
+              opts.separator ""
+              opts.separator "Arguments:"
+              opts.separator "  package|cve    Package name or CVE/GHSA ID"
+              opts.separator ""
+              opts.separator "Examples:"
+              opts.separator "  git pkgs vulns history lodash"
+              opts.separator "  git pkgs vulns history CVE-2024-1234"
+              opts.separator "  git pkgs vulns history GHSA-xxxx-yyyy"
+              opts.separator ""
+              opts.separator "Options:"
+
+              opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v|
+                options[:ecosystem] = v
+              end
+
+              opts.on("--since=DATE", "Show events after date") do |v|
+                options[:since] = v
+              end
+
+              opts.on("--until=DATE", "Show events before date") do |v|
+                options[:until] = v
+              end
+
+              opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v|
+                options[:format] = v
+              end
+
+              opts.on("-h", "--help", "Show this help") do
+                puts opts
+                exit
+              end
+            end
+
+            parser.parse!(@args)
+            options[:target] = @args.shift
+            options
+          end
+
+          def run
+            repo = Repository.new
+
+            unless Database.exists?(repo.git_dir)
+              error "No database found. Run 'git pkgs init' first. History requires commit history."
+            end
+
+            Database.connect(repo.git_dir)
+
+            target = @options[:target]
+            error "Usage: git pkgs vulns history <package|cve>" unless target
+
+            if target.match?(/^(CVE-|GHSA-)/i)
+              run_cve_history(target.upcase, repo)
+            else
+              run_package_history(target, repo)
+            end
+          end
+
+          def run_cve_history(cve_id, repo)
+            ensure_vulns_synced
+
+            vuln = Models::Vulnerability.first(id: cve_id)
+            unless vuln
+              error "Vulnerability #{cve_id} not found. Run 'git pkgs vulns sync' first."
+            end
+
+            vuln_pkgs = Models::VulnerabilityPackage.where(vulnerability_id: cve_id).all
+
+            if vuln_pkgs.empty?
+ puts "No affected packages found for #{cve_id}" + return + end + + timeline = [] + + if vuln.published_at + timeline << { + date: vuln.published_at, + event_type: :cve_published, + description: "#{cve_id} published", + severity: vuln.severity + } + end + + vuln_pkgs.each do |vp| + ecosystem = Ecosystems.from_osv(vp.ecosystem) || vp.ecosystem.downcase + changes = Models::DependencyChange + .join(:commits, id: :commit_id) + .where(ecosystem: ecosystem, name: vp.package_name) + .order(Sequel[:commits][:committed_at]) + .eager(:commit) + .all + + changes.each do |change| + current_affected = change.requirement && vp.affects_version?(change.requirement) + previous_affected = change.previous_requirement && vp.affects_version?(change.previous_requirement) + + event = nil + case change.change_type + when "added" + if current_affected + event = { + date: change.commit.committed_at, + event_type: :vulnerable_added, + description: "#{vp.package_name} #{change.requirement} added (vulnerable)", + commit: format_commit_info(change.commit) + } + end + when "modified" + if current_affected && !previous_affected + event = { + date: change.commit.committed_at, + event_type: :became_vulnerable, + description: "#{vp.package_name} updated to #{change.requirement} (vulnerable)", + commit: format_commit_info(change.commit) + } + elsif !current_affected && previous_affected + event = { + date: change.commit.committed_at, + event_type: :fixed, + description: "#{vp.package_name} updated to #{change.requirement} (fixed)", + commit: format_commit_info(change.commit) + } + end + when "removed" + if previous_affected + event = { + date: change.commit.committed_at, + event_type: :removed, + description: "#{vp.package_name} removed", + commit: format_commit_info(change.commit) + } + end + end + + timeline << event if event + end + end + + timeline = filter_timeline_by_date(timeline) + timeline.sort_by! { |e| e[:date] } + + if timeline.empty? + puts "No history found for #{cve_id}" + return + end + + if @options[:format] == "json" + require "json" + puts JSON.pretty_generate({ + cve: cve_id, + severity: vuln.severity, + summary: vuln.summary, + published_at: vuln.published_at&.strftime("%Y-%m-%d"), + timeline: timeline.map { |e| e.merge(date: e[:date].strftime("%Y-%m-%d")) } + }) + else + output_cve_timeline(cve_id, vuln, timeline) + end + end + + def run_package_history(package_name, repo) + ensure_vulns_synced + + ecosystem = @options[:ecosystem] + + changes_query = Models::DependencyChange + .join(:commits, id: :commit_id) + .where(Sequel.ilike(:name, package_name)) + .order(Sequel[:commits][:committed_at]) + .eager(:commit, :manifest) + + changes_query = changes_query.where(ecosystem: ecosystem) if ecosystem + + changes = changes_query.all + + if changes.empty? + puts "No history found for package '#{package_name}'" + return + end + + osv_ecosystem = ecosystem ? Ecosystems.to_osv(ecosystem) : nil + vuln_query = Models::VulnerabilityPackage.where(Sequel.ilike(:package_name, package_name)) + vuln_query = vuln_query.where(ecosystem: osv_ecosystem) if osv_ecosystem + + vuln_pkgs = vuln_query.eager(:vulnerability).all + + timeline = [] + + changes.each do |change| + affected_vulns = vuln_pkgs.select do |vp| + change.requirement && vp.affects_version?(change.requirement) + end + + active_vulns = affected_vulns.reject { |vp| vp.vulnerability&.withdrawn? } + withdrawn_vulns = affected_vulns.select { |vp| vp.vulnerability&.withdrawn? 
} + + vuln_parts = [] + vuln_parts << "vulnerable to #{active_vulns.map(&:vulnerability_id).join(", ")}" if active_vulns.any? + vuln_parts << "#{withdrawn_vulns.map(&:vulnerability_id).join(", ")} withdrawn" if withdrawn_vulns.any? + vuln_info = vuln_parts.any? ? "(#{vuln_parts.join("; ")})" : "" + + event = { + date: change.commit.committed_at, + event_type: change.change_type.to_sym, + description: "#{change.change_type.capitalize} #{package_name} #{change.requirement} #{vuln_info}".strip, + version: change.requirement, + commit: format_commit_info(change.commit), + affected_vulns: active_vulns.map(&:vulnerability_id), + withdrawn_vulns: withdrawn_vulns.map(&:vulnerability_id) + } + + timeline << event + end + + vuln_pkgs.each do |vp| + vuln = vp.vulnerability + next unless vuln&.published_at + + withdrawn_note = vuln.withdrawn? ? " [withdrawn]" : "" + timeline << { + date: vuln.published_at, + event_type: :cve_published, + description: "#{vp.vulnerability_id} published (#{vuln.severity || "unknown"} severity)#{withdrawn_note}" + } + + if vuln.withdrawn? && vuln.withdrawn_at + timeline << { + date: vuln.withdrawn_at, + event_type: :cve_withdrawn, + description: "#{vp.vulnerability_id} withdrawn" + } + end + end + + timeline = filter_timeline_by_date(timeline) + timeline.sort_by! { |e| e[:date] } + + if timeline.empty? + puts "No history found for package '#{package_name}'" + return + end + + if @options[:format] == "json" + require "json" + puts JSON.pretty_generate({ + package: package_name, + timeline: timeline.map { |e| e.merge(date: e[:date].strftime("%Y-%m-%d")) } + }) + else + output_package_timeline(package_name, timeline) + end + end + + def filter_timeline_by_date(timeline) + if @options[:since] + since_time = parse_date(@options[:since]) + timeline = timeline.select { |e| e[:date] >= since_time } if since_time + end + + if @options[:until] + until_time = parse_date(@options[:until]) + timeline = timeline.select { |e| e[:date] <= until_time } if until_time + end + + timeline + end + + def output_cve_timeline(cve_id, vuln, timeline) + puts "#{cve_id} (#{vuln.severity || "unknown"} severity)" + puts vuln.summary if vuln.summary + puts "" + + timeline.each do |event| + date = event[:date].strftime("%Y-%m-%d") + desc = event[:description] + + line = if event[:commit] + "#{date} #{desc} #{event[:commit][:sha]} #{event[:commit][:author]}" + else + "#{date} #{desc}" + end + + colored_line = case event[:event_type] + when :cve_published then Color.yellow(line) + when :vulnerable_added, :became_vulnerable then Color.red(line) + when :fixed, :removed then Color.green(line) + else line + end + puts colored_line + end + end + + def output_package_timeline(package_name, timeline) + puts "History for #{package_name}" + puts "" + + timeline.each do |event| + date = event[:date].strftime("%Y-%m-%d") + desc = event[:description] + + line = if event[:commit] + "#{date} #{desc} #{event[:commit][:sha]} #{event[:commit][:author]}" + else + "#{date} #{desc}" + end + + colored_line = case event[:event_type] + when :cve_published then Color.yellow(line) + when :cve_withdrawn then Color.cyan(line) + when :added + event[:affected_vulns]&.any? ? Color.red(line) : line + when :modified + event[:affected_vulns]&.any? ? 
Color.red(line) : Color.green(line) + when :removed then Color.cyan(line) + else line + end + puts colored_line + end + end + end + end + end + end +end diff --git a/lib/git/pkgs/commands/vulns/log.rb b/lib/git/pkgs/commands/vulns/log.rb new file mode 100644 index 0000000..4d9cad9 --- /dev/null +++ b/lib/git/pkgs/commands/vulns/log.rb @@ -0,0 +1,218 @@ +# frozen_string_literal: true + +module Git + module Pkgs + module Commands + module Vulns + class Log + include Base + + def initialize(args) + @args = args.dup + @options = parse_options + end + + def parse_options + options = {} + + parser = OptionParser.new do |opts| + opts.banner = "Usage: git pkgs vulns log [options]" + opts.separator "" + opts.separator "Show commits that introduced or fixed vulnerabilities." + opts.separator "" + opts.separator "Options:" + + opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v| + options[:ecosystem] = v + end + + opts.on("-s", "--severity=LEVEL", "Minimum severity (critical, high, medium, low)") do |v| + options[:severity] = v + end + + opts.on("-b", "--branch=NAME", "Branch to analyze") do |v| + options[:branch] = v + end + + opts.on("--since=DATE", "Show commits after date") do |v| + options[:since] = v + end + + opts.on("--until=DATE", "Show commits before date") do |v| + options[:until] = v + end + + opts.on("--author=NAME", "Filter by author") do |v| + options[:author] = v + end + + opts.on("--introduced", "Show only commits that introduced vulnerabilities") do + options[:introduced] = true + end + + opts.on("--fixed", "Show only commits that fixed vulnerabilities") do + options[:fixed] = true + end + + opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v| + options[:format] = v + end + + opts.on("-h", "--help", "Show this help") do + puts opts + exit + end + end + + parser.parse!(@args) + options + end + + def run + repo = Repository.new + + unless Database.exists?(repo.git_dir) + error "No database found. Run 'git pkgs init' first. Log requires commit history." + end + + Database.connect(repo.git_dir) + + commits_with_vulns = find_commits_with_vuln_changes(repo) + + if commits_with_vulns.empty? 
+ puts "No commits with vulnerability changes found" + return + end + + if @options[:format] == "json" + require "json" + puts JSON.pretty_generate(commits_with_vulns) + else + output_vuln_log(commits_with_vulns) + end + end + + def find_commits_with_vuln_changes(repo) + branch_name = @options[:branch] || repo.default_branch + branch = Models::Branch.first(name: branch_name) + return [] unless branch + + commits_query = Models::Commit + .join(:branch_commits, commit_id: :id) + .where(Sequel[:branch_commits][:branch_id] => branch.id) + .where(has_dependency_changes: true) + .order(Sequel.desc(Sequel[:commits][:committed_at])) + + if @options[:since] + since_time = parse_date(@options[:since]) + commits_query = commits_query.where { Sequel[:commits][:committed_at] >= since_time } + end + + if @options[:until] + until_time = parse_date(@options[:until]) + commits_query = commits_query.where { Sequel[:commits][:committed_at] <= until_time } + end + + if @options[:author] + commits_query = commits_query.where(Sequel.ilike(:author_name, "%#{@options[:author]}%")) + end + + commits = commits_query.all + results = [] + + ensure_vulns_synced + + commits.each do |commit| + changes = commit.dependency_changes.to_a + vuln_changes = [] + + changes.each do |change| + next unless Ecosystems.supported?(change.ecosystem) + + osv_ecosystem = Ecosystems.to_osv(change.ecosystem) + next unless osv_ecosystem + + vuln_pkgs = Models::VulnerabilityPackage + .where(ecosystem: osv_ecosystem, package_name: change.name) + .eager(:vulnerability) + .all + + vuln_pkgs.each do |vp| + next if vp.vulnerability&.withdrawn? + + current_affected = change.requirement && vp.affects_version?(change.requirement) + previous_affected = change.previous_requirement && vp.affects_version?(change.previous_requirement) + + case change.change_type + when "added" + if current_affected + vuln_changes << { type: :introduced, vuln_id: vp.vulnerability_id, severity: vp.vulnerability&.severity } + end + when "modified" + if current_affected && !previous_affected + vuln_changes << { type: :introduced, vuln_id: vp.vulnerability_id, severity: vp.vulnerability&.severity } + elsif !current_affected && previous_affected + vuln_changes << { type: :fixed, vuln_id: vp.vulnerability_id, severity: vp.vulnerability&.severity } + end + when "removed" + if previous_affected + vuln_changes << { type: :fixed, vuln_id: vp.vulnerability_id, severity: vp.vulnerability&.severity } + end + end + end + end + + next if vuln_changes.empty? + + if @options[:introduced] + vuln_changes = vuln_changes.select { |vc| vc[:type] == :introduced } + elsif @options[:fixed] + vuln_changes = vuln_changes.select { |vc| vc[:type] == :fixed } + end + + next if vuln_changes.empty? + + results << { + sha: commit.sha[0, 7], + full_sha: commit.sha, + date: commit.committed_at&.strftime("%Y-%m-%d"), + author: commit.author_name, + message: commit.message&.lines&.first&.strip&.slice(0, 40), + vuln_changes: vuln_changes + } + end + + results + end + + def output_vuln_log(results) + results.each do |result| + sha = result[:sha] + date = result[:date] + author = result[:author] + message = result[:message] + + vuln_summary = result[:vuln_changes].map do |vc| + prefix = vc[:type] == :introduced ? 
"+" : "-" + "#{prefix}#{vc[:vuln_id]}" + end.join(" ") + + introduced_count = result[:vuln_changes].count { |vc| vc[:type] == :introduced } + fixed_count = result[:vuln_changes].count { |vc| vc[:type] == :fixed } + + line = "#{sha} #{date} #{author.to_s.ljust(15)[0, 15]} \"#{message}\" #{vuln_summary}" + colored_line = if introduced_count > fixed_count + Color.red(line) + elsif fixed_count > introduced_count + Color.green(line) + else + line + end + puts colored_line + end + end + end + end + end + end +end diff --git a/lib/git/pkgs/commands/vulns/praise.rb b/lib/git/pkgs/commands/vulns/praise.rb new file mode 100644 index 0000000..67b459b --- /dev/null +++ b/lib/git/pkgs/commands/vulns/praise.rb @@ -0,0 +1,238 @@ +# frozen_string_literal: true + +module Git + module Pkgs + module Commands + module Vulns + class Praise + include Base + + def initialize(args) + @args = args.dup + @options = parse_options + end + + def parse_options + options = {} + + parser = OptionParser.new do |opts| + opts.banner = "Usage: git pkgs vulns praise [options]" + opts.separator "" + opts.separator "Show who fixed vulnerabilities (opposite of blame)." + opts.separator "" + opts.separator "Options:" + + opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v| + options[:ecosystem] = v + end + + opts.on("-s", "--severity=LEVEL", "Minimum severity (critical, high, medium, low)") do |v| + options[:severity] = v + end + + opts.on("-b", "--branch=NAME", "Branch to analyze") do |v| + options[:branch] = v + end + + opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v| + options[:format] = v + end + + opts.on("--summary", "Show author leaderboard") do + options[:summary] = true + end + + opts.on("-h", "--help", "Show this help") do + puts opts + exit + end + end + + parser.parse!(@args) + options + end + + def run + repo = Repository.new + + unless Database.exists?(repo.git_dir) + error "No database found. Run 'git pkgs init' first. Praise requires commit history." + end + + Database.connect(repo.git_dir) + + branch_name = @options[:branch] || repo.default_branch + branch = Models::Branch.first(name: branch_name) + + unless branch&.last_analyzed_sha + error "No analysis found for branch '#{branch_name}'. Run 'git pkgs init' first." + end + + # Get all unique packages from dependency changes + packages = Models::DependencyChange + .select(:ecosystem, :name) + .select_group(:ecosystem, :name) + .all + + praise_results = [] + + packages.each do |pkg| + next unless Ecosystems.supported?(pkg.ecosystem) + + osv_ecosystem = Ecosystems.to_osv(pkg.ecosystem) + next unless osv_ecosystem + + vuln_pkgs = Models::VulnerabilityPackage + .for_package(osv_ecosystem, pkg.name) + .eager(:vulnerability) + .all + + vuln_pkgs.each do |vp| + next if vp.vulnerability&.withdrawn? + + fix_info = find_fixing_commit_info(pkg.ecosystem, pkg.name, vp) + next unless fix_info + + severity = vp.vulnerability&.severity + + if @options[:severity] + min_level = SEVERITY_ORDER[@options[:severity].downcase] || 4 + next unless (SEVERITY_ORDER[severity&.downcase] || 4) <= min_level + end + + praise_results << { + id: vp.vulnerability_id, + severity: severity, + package_name: pkg.name, + from_version: fix_info[:from_version], + to_version: fix_info[:to_version], + summary: vp.vulnerability&.summary, + fixing_commit: fix_info[:commit_info], + days_exposed: fix_info[:days_exposed], + days_after_disclosure: fix_info[:days_after_disclosure] + } + end + end + + if praise_results.empty? 
+ puts "No fixed vulnerabilities found" + return + end + + praise_results.sort_by! do |v| + [SEVERITY_ORDER[v[:severity]&.downcase] || 4, v[:package_name]] + end + + if @options[:format] == "json" + require "json" + if @options[:summary] + puts JSON.pretty_generate(compute_author_summary(praise_results)) + else + puts JSON.pretty_generate(praise_results) + end + elsif @options[:summary] + output_author_summary(praise_results) + else + output_praise_text(praise_results) + end + end + + def compute_author_summary(results) + by_author = results.group_by { |r| r[:fixing_commit][:author] } + + summaries = by_author.map do |author, fixes| + times = fixes.map { |f| f[:days_after_disclosure] }.compact + avg_time = times.empty? ? nil : (times.sum.to_f / times.size).round(1) + + by_sev = {} + %w[critical high medium low].each do |sev| + count = fixes.count { |f| f[:severity]&.downcase == sev } + by_sev[sev] = count if count > 0 + end + + { + author: author, + total_fixes: fixes.size, + avg_days_to_fix: avg_time, + by_severity: by_sev + } + end + + summaries.sort_by { |s| -s[:total_fixes] } + end + + def output_author_summary(results) + summaries = compute_author_summary(results) + + max_author = summaries.map { |s| s[:author].length }.max || 20 + max_fixes = summaries.map { |s| s[:total_fixes].to_s.length }.max || 3 + + puts "Author".ljust(max_author) + " Fixes Avg Days Critical High Medium Low" + puts "-" * (max_author + 50) + + summaries.each do |s| + author = s[:author].ljust(max_author) + fixes = s[:total_fixes].to_s.rjust(max_fixes) + avg = s[:avg_days_to_fix] ? "#{s[:avg_days_to_fix]}d".rjust(8) : "N/A".rjust(8) + crit = (s[:by_severity]["critical"] || 0).to_s.rjust(8) + high = (s[:by_severity]["high"] || 0).to_s.rjust(4) + med = (s[:by_severity]["medium"] || 0).to_s.rjust(6) + low = (s[:by_severity]["low"] || 0).to_s.rjust(4) + + puts "#{author} #{fixes} #{avg} #{crit} #{high} #{med} #{low}" + end + end + + def find_fixing_commit_info(ecosystem, package_name, vuln_pkg) + window = find_vulnerability_window(ecosystem, package_name, vuln_pkg) + return nil unless window && window[:fixing] + + introducing_change = window[:introducing] + fixing_change = window[:fixing] + + introduced_at = introducing_change.commit.committed_at + fixed_at = fixing_change.commit.committed_at + published_at = vuln_pkg.vulnerability&.published_at + + days_exposed = ((fixed_at - introduced_at) / 86400).round + days_after_disclosure = if published_at && fixed_at > published_at + ((fixed_at - published_at) / 86400).round + end + + { + commit_info: format_commit_info(fixing_change.commit), + from_version: introducing_change.requirement, + to_version: fixing_change.change_type == "removed" ? 
"(removed)" : fixing_change.requirement, + days_exposed: days_exposed, + days_after_disclosure: days_after_disclosure + } + end + + def output_praise_text(results) + max_severity = results.map { |v| (v[:severity] || "").length }.max || 8 + max_id = results.map { |v| v[:id].length }.max || 15 + max_pkg = results.map { |v| v[:package_name].length }.max || 20 + + results.each do |result| + severity = (result[:severity] || "unknown").upcase.ljust(max_severity) + id = result[:id].ljust(max_id) + pkg = result[:package_name].ljust(max_pkg) + + fix = result[:fixing_commit] + commit_info = "#{fix[:sha]} #{fix[:date]} #{fix[:author]} \"#{fix[:message]}\"" + + days_info = if result[:days_after_disclosure] + "(#{result[:days_after_disclosure]}d after disclosure)" + else + "(#{result[:days_exposed]}d total)" + end + + line = "#{severity} #{id} #{pkg} #{commit_info} #{days_info}" + puts Color.green(line) + end + end + end + end + end + end +end diff --git a/lib/git/pkgs/commands/vulns/scan.rb b/lib/git/pkgs/commands/vulns/scan.rb new file mode 100644 index 0000000..a4e47e0 --- /dev/null +++ b/lib/git/pkgs/commands/vulns/scan.rb @@ -0,0 +1,231 @@ +# frozen_string_literal: true + +module Git + module Pkgs + module Commands + module Vulns + class Scan + include Base + + def initialize(args) + @args = args.dup + @options = parse_options + end + + def parse_options + options = {} + + parser = OptionParser.new do |opts| + opts.banner = "Usage: git pkgs vulns [ref] [options]" + opts.separator "" + opts.separator "Scan dependencies for known vulnerabilities." + opts.separator "" + opts.separator "Arguments:" + opts.separator " ref Git ref to scan (default: HEAD)" + opts.separator "" + opts.separator "Subcommands:" + opts.separator " sync Sync vulnerability data from OSV" + opts.separator " blame Show who introduced each vulnerability" + opts.separator " praise Show who fixed vulnerabilities" + opts.separator " exposure Calculate exposure windows and remediation metrics" + opts.separator " diff Compare vulnerability state between commits" + opts.separator " log Show commits that introduced or fixed vulns" + opts.separator " history Show vulnerability timeline for a package or CVE" + opts.separator " show Show details about a specific CVE" + opts.separator "" + opts.separator "Options:" + + opts.on("-e", "--ecosystem=NAME", "Filter by ecosystem") do |v| + options[:ecosystem] = v + end + + opts.on("-s", "--severity=LEVEL", "Minimum severity (critical, high, medium, low)") do |v| + options[:severity] = v + end + + opts.on("-r", "--ref=REF", "Git ref to scan (default: HEAD)") do |v| + options[:ref] = v + end + + opts.on("-b", "--branch=NAME", "Branch context for finding snapshots") do |v| + options[:branch] = v + end + + opts.on("-f", "--format=FORMAT", "Output format (text, json, sarif)") do |v| + options[:format] = v + end + + opts.on("--no-pager", "Do not pipe output into a pager") do + options[:no_pager] = true + end + + opts.on("--stateless", "Parse manifests directly without database") do + options[:stateless] = true + end + + opts.on("-h", "--help", "Show this help") do + puts opts + exit + end + end + + parser.parse!(@args) + options[:ref] ||= @args.shift unless @args.empty? 
+ options + end + + def run + repo = Repository.new + use_stateless = @options[:stateless] || !Database.exists?(repo.git_dir) + + if use_stateless + # Use in-memory database for vuln caching in stateless mode + Database.connect_memory + deps = get_dependencies_stateless(repo) + else + Database.connect(repo.git_dir) + deps = get_dependencies_with_database(repo) + end + + if deps.empty? + empty_result "No dependencies found" + return + end + + supported_deps = deps.select { |d| Ecosystems.supported?(d[:ecosystem]) } + + if supported_deps.empty? + empty_result "No dependencies from supported ecosystems (#{Ecosystems.supported_ecosystems.join(", ")})" + return + end + + vulns = scan_for_vulnerabilities(supported_deps) + + if @options[:severity] + min_level = SEVERITY_ORDER[@options[:severity].downcase] || 4 + vulns = vulns.select { |v| (SEVERITY_ORDER[v[:severity]&.downcase] || 4) <= min_level } + end + + if vulns.empty? + puts "No known vulnerabilities found" + return + end + + vulns.sort_by! { |v| [SEVERITY_ORDER[v[:severity]&.downcase] || 4, v[:package_name]] } + + case @options[:format] + when "json" + require "json" + puts JSON.pretty_generate(vulns) + when "sarif" + output_sarif(vulns, deps) + else + output_text(vulns) + end + end + + def output_sarif(vulns, deps) + require "sarif" + + rules = vulns.map do |vuln| + Sarif::ReportingDescriptor.new( + id: vuln[:id], + name: vuln[:id], + short_description: Sarif::MultiformatMessageString.new(text: vuln[:summary] || vuln[:id]), + help_uri: "https://osv.dev/vulnerability/#{vuln[:id]}", + properties: { + security_severity: severity_score(vuln[:cvss_score], vuln[:severity]) + }.compact + ) + end.uniq(&:id) + + results = vulns.map do |vuln| + locations = deps + .select { |d| d[:name].downcase == vuln[:package_name].downcase && d[:ecosystem] == vuln[:ecosystem] } + .map do |dep| + Sarif::Location.new( + physical_location: Sarif::PhysicalLocation.new( + artifact_location: Sarif::ArtifactLocation.new(uri: dep[:manifest_path]) + ), + message: Sarif::Message.new(text: "#{dep[:name]} #{dep[:requirement]}") + ) + end + + Sarif::Result.new( + rule_id: vuln[:id], + level: severity_to_sarif_level(vuln[:severity]), + message: Sarif::Message.new( + text: "#{vuln[:package_name]} #{vuln[:package_version]} has a known vulnerability: #{vuln[:summary] || vuln[:id]}" + ), + locations: locations.empty? ? 
nil : locations
+              )
+            end
+
+            log = Sarif::Log.new(
+              version: "2.1.0",
+              runs: [
+                Sarif::Run.new(
+                  tool: Sarif::Tool.new(
+                    driver: Sarif::ToolComponent.new(
+                      name: "git-pkgs",
+                      version: Git::Pkgs::VERSION,
+                      information_uri: "https://github.com/andrew/git-pkgs",
+                      rules: rules
+                    )
+                  ),
+                  results: results
+                )
+              ]
+            )
+
+            puts log.to_json
+          end
+
+          def severity_to_sarif_level(severity)
+            case severity&.downcase
+            when "critical", "high" then "error"
+            when "medium" then "warning"
+            when "low" then "note"
+            else "warning"
+            end
+          end
+
+          def severity_score(cvss_score, severity)
+            return cvss_score.to_s if cvss_score
+
+            case severity&.downcase
+            when "critical" then "9.0"
+            when "high" then "7.0"
+            when "medium" then "4.0"
+            when "low" then "1.0"
+            end
+          end
+
+          def output_text(vulns)
+            max_severity = vulns.map { |v| (v[:severity] || "").length }.max || 8
+            max_id = vulns.map { |v| v[:id].length }.max || 15
+            max_pkg = vulns.map { |v| v[:package_name].length }.max || 20
+
+            vulns.each do |vuln|
+              severity = (vuln[:severity] || "unknown").upcase.ljust(max_severity)
+              id = vuln[:id].ljust(max_id)
+              pkg = "#{vuln[:package_name]} #{vuln[:package_version]}".ljust(max_pkg + 10)
+              fixed = vuln[:fixed_versions] ? "(fixed in #{vuln[:fixed_versions]})" : ""
+
+              line = "#{severity} #{id} #{pkg} #{fixed}"
+
+              colored_line = case vuln[:severity]&.downcase
+              when "critical", "high" then Color.red(line)
+              when "medium" then Color.yellow(line)
+              when "low" then Color.cyan(line)
+              else line
+              end
+
+              puts colored_line
+            end
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/git/pkgs/commands/vulns/show.rb b/lib/git/pkgs/commands/vulns/show.rb
new file mode 100644
index 0000000..159143c
--- /dev/null
+++ b/lib/git/pkgs/commands/vulns/show.rb
@@ -0,0 +1,216 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Commands
+      module Vulns
+        class Show
+          include Base
+
+          def initialize(args)
+            @args = args.dup
+            @options = parse_options
+          end
+
+          def parse_options
+            options = {}
+
+            parser = OptionParser.new do |opts|
+              opts.banner = "Usage: git pkgs vulns show <cve> [options]"
+              opts.separator ""
+              opts.separator "Show details about a specific CVE."
+              opts.separator ""
+              opts.separator "Arguments:"
+              opts.separator "  cve    CVE or GHSA ID (e.g., CVE-2024-1234)"
+              opts.separator ""
+              opts.separator "Options:"
+
+              opts.on("-f", "--format=FORMAT", "Output format (text, json)") do |v|
+                options[:format] = v
+              end
+
+              opts.on("-r", "--ref=REF", "Git ref for exposure analysis (default: HEAD)") do |v|
+                options[:ref] = v
+              end
+
+              opts.on("-b", "--branch=NAME", "Branch context for finding snapshots") do |v|
+                options[:branch] = v
+              end
+
+              opts.on("-h", "--help", "Show this help") do
+                puts opts
+                exit
+              end
+            end
+
+            parser.parse!(@args)
+            options[:target] = @args.shift
+            options
+          end
+
+          def run
+            repo = Repository.new
+
+            cve_id = @options[:target]
+            error "Usage: git pkgs vulns show <cve>" unless cve_id
+            cve_id = cve_id.upcase
+
+            has_db = Database.exists?(repo.git_dir)
+            Database.connect(repo.git_dir) if has_db
+
+            ensure_vulns_synced if has_db
+
+            vuln = Models::Vulnerability.first(id: cve_id)
+            unless vuln
+              error "Vulnerability #{cve_id} not found. Try 'git pkgs vulns sync' first."
+ end + + vuln_pkgs = Models::VulnerabilityPackage.where(vulnerability_id: cve_id).eager(:vulnerability).all + + if @options[:format] == "json" + require "json" + output = build_show_json(vuln, vuln_pkgs, repo, has_db) + puts JSON.pretty_generate(output) + else + output_show_text(vuln, vuln_pkgs, repo, has_db) + end + end + + def build_show_json(vuln, vuln_pkgs, repo, has_db) + output = { + id: vuln.id, + severity: vuln.severity, + summary: vuln.summary, + details: vuln.details, + published_at: vuln.published_at&.strftime("%Y-%m-%d"), + affected_packages: vuln_pkgs.map do |vp| + { + ecosystem: vp.ecosystem, + package: vp.package_name, + affected_versions: vp.affected_versions, + fixed_versions: vp.fixed_versions + } + end + } + + if has_db + output[:your_exposure] = find_exposure_for_vuln(vuln, vuln_pkgs, repo) + end + + output + end + + def output_show_text(vuln, vuln_pkgs, repo, has_db) + header = "#{vuln.id} (#{vuln.severity || "unknown"} severity)" + colored_header = case vuln.severity&.downcase + when "critical", "high" then Color.red(header) + when "medium" then Color.yellow(header) + when "low" then Color.cyan(header) + else header + end + puts colored_header + puts vuln.summary if vuln.summary + puts "" + + puts "Affected packages:" + vuln_pkgs.each do |vp| + fixed_info = vp.fixed_versions.to_s.empty? ? "" : " (fixed in #{vp.fixed_versions})" + puts " #{vp.ecosystem}/#{vp.package_name}: #{vp.affected_versions}#{fixed_info}" + end + + puts "" + puts "Published: #{vuln.published_at&.strftime("%Y-%m-%d") || "unknown"}" + + if vuln.references && !vuln.references.empty? + puts "" + puts "References:" + refs = begin + JSON.parse(vuln.references) + rescue JSON::ParserError => e + $stderr.puts "Warning: Could not parse references for #{vuln.id}: #{e.message}" unless Git::Pkgs.quiet + [] + end + refs.each do |ref| + puts " #{ref["url"]}" if ref["url"] + end + end + + return unless has_db + + exposures = find_exposure_for_vuln(vuln, vuln_pkgs, repo) + return if exposures.empty? 
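+            # List each exposed package with the commit that introduced it and, if present, the one that fixed it.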
+ + puts "" + puts "Your exposure:" + exposures.each do |exposure| + pkg_line = " #{exposure[:package]} #{exposure[:version]} in #{exposure[:manifest_path]}" + puts Color.send(:red, pkg_line) + + if exposure[:introduced_by] + intro = exposure[:introduced_by] + puts " Added: #{intro[:sha]} #{intro[:date]} #{intro[:author]} \"#{intro[:message]}\"" + end + + if exposure[:fixed_by] + fix = exposure[:fixed_by] + puts Color.send(:green, " Fixed: #{fix[:sha]} #{fix[:date]} #{fix[:author]} \"#{fix[:message]}\"") + elsif exposure[:status] == "ongoing" + puts Color.send(:yellow, " Status: Still vulnerable") + end + end + end + + def find_exposure_for_vuln(vuln, vuln_pkgs, repo) + exposures = [] + ref = @options[:ref] || "HEAD" + + begin + commit_sha = repo.rev_parse(ref) + target_commit = Models::Commit.first(sha: commit_sha) + rescue Rugged::ReferenceError + return exposures + end + + return exposures unless target_commit + + deps = compute_dependencies_at_commit(target_commit, repo) + + vuln_pkgs.each do |vp| + ecosystem = Ecosystems.from_osv(vp.ecosystem) || vp.ecosystem.downcase + + matching_deps = deps.select do |dep| + dep[:ecosystem] == ecosystem && + dep[:name].downcase == vp.package_name.downcase && + vp.affects_version?(dep[:requirement]) + end + + matching_deps.each do |dep| + exposure = { + package: dep[:name], + version: dep[:requirement], + ecosystem: dep[:ecosystem], + manifest_path: dep[:manifest_path] + } + + intro_change = find_introducing_change(dep[:ecosystem], dep[:name], vp, target_commit) + exposure[:introduced_by] = format_commit_info(intro_change&.commit) if intro_change + + fix_change = find_fixing_change(dep[:ecosystem], dep[:name], vp, target_commit, intro_change&.commit&.committed_at) + if fix_change + exposure[:fixed_by] = format_commit_info(fix_change.commit) + exposure[:status] = "fixed" + else + exposure[:status] = "ongoing" + end + + exposures << exposure + end + end + + exposures + end + end + end + end + end +end diff --git a/lib/git/pkgs/commands/vulns/sync.rb b/lib/git/pkgs/commands/vulns/sync.rb new file mode 100644 index 0000000..a2ce4d4 --- /dev/null +++ b/lib/git/pkgs/commands/vulns/sync.rb @@ -0,0 +1,108 @@ +# frozen_string_literal: true + +module Git + module Pkgs + module Commands + module Vulns + class Sync + include Base + + def initialize(args) + @args = args.dup + @options = parse_options + end + + def parse_options + options = {} + + parser = OptionParser.new do |opts| + opts.banner = "Usage: git pkgs vulns sync [options]" + opts.separator "" + opts.separator "Sync vulnerability data from OSV." + opts.separator "" + opts.separator "Options:" + + opts.on("--refresh", "Force refresh even if cache is recent") do + options[:refresh] = true + end + + opts.on("-h", "--help", "Show this help") do + puts opts + exit + end + end + + parser.parse!(@args) + options + end + + def run + repo = Repository.new + + unless Database.exists?(repo.git_dir) + error "No database found. Run 'git pkgs init' first." + end + + Database.connect(repo.git_dir) + + packages = Models::Package.all + if packages.empty? + info "No packages to sync. Run 'git pkgs vulns' first to populate packages." + return + end + + stale_packages = packages.select(&:needs_vuln_sync?) + + if stale_packages.empty? && !@options[:refresh] + info "All packages up to date. Use --refresh to force update." + return + end + + packages_to_sync = @options[:refresh] ? packages : stale_packages + + info "Syncing vulnerabilities for #{packages_to_sync.count} packages..." 
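+            # OSV's /v1/querybatch returns only minimal vulnerability records
+            # (IDs), so full details are fetched per-ID below and stored locally.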
+ + client = OsvClient.new + synced = 0 + vuln_count = 0 + + packages_to_sync.each_slice(100) do |batch| + queries = batch.map do |pkg| + osv_ecosystem = Ecosystems.to_osv(pkg.ecosystem) + next unless osv_ecosystem + + { ecosystem: osv_ecosystem, name: pkg.name } + end.compact + + results = client.query_batch(queries) + + # Collect all unique vuln IDs from this batch to fetch full details + vuln_ids = results.flatten.map { |v| v["id"] }.uniq + + # Fetch full vulnerability details and create records + vuln_ids.each do |vuln_id| + existing = Models::Vulnerability.first(id: vuln_id) + next if existing&.vulnerability_packages&.any? && !@options[:refresh] + + begin + full_vuln = client.get_vulnerability(vuln_id) + Models::Vulnerability.from_osv(full_vuln) + vuln_count += 1 + rescue OsvClient::ApiError + # Skip vulnerabilities we can't fetch + end + end + + batch.each do |pkg| + pkg.mark_vulns_synced + synced += 1 + end + end + + info "Synced #{synced} packages, found #{vuln_count} vulnerability records." + end + end + end + end + end +end diff --git a/lib/git/pkgs/config.rb b/lib/git/pkgs/config.rb index b17af65..405c32f 100644 --- a/lib/git/pkgs/config.rb +++ b/lib/git/pkgs/config.rb @@ -1,6 +1,7 @@ # frozen_string_literal: true require "bibliothecary" +require "open3" module Git module Pkgs @@ -52,7 +53,13 @@ def self.reset! end def self.read_config_list(key) - `git config --get-all #{key} 2>/dev/null`.split("\n").map(&:strip).reject(&:empty?) + args = if Git::Pkgs.work_tree + ["git", "-C", Git::Pkgs.work_tree.to_s, "config", "--get-all", key.to_s] + else + ["git", "config", "--get-all", key.to_s] + end + stdout, _stderr, _status = Open3.capture3(*args) + stdout.split("\n").map(&:strip).reject(&:empty?) end end end diff --git a/lib/git/pkgs/database.rb b/lib/git/pkgs/database.rb index bfebc17..de9982c 100644 --- a/lib/git/pkgs/database.rb +++ b/lib/git/pkgs/database.rb @@ -15,7 +15,7 @@ module Git module Pkgs class Database DB_FILE = "pkgs.sqlite3" - SCHEMA_VERSION = 1 + SCHEMA_VERSION = 2 class << self attr_accessor :db @@ -82,7 +82,10 @@ def self.refresh_models Git::Pkgs::Models::Commit, Git::Pkgs::Models::Manifest, Git::Pkgs::Models::DependencyChange, - Git::Pkgs::Models::DependencySnapshot + Git::Pkgs::Models::DependencySnapshot, + Git::Pkgs::Models::Package, + Git::Pkgs::Models::Vulnerability, + Git::Pkgs::Models::VulnerabilityPackage ].each do |model| model.dataset = @db[model.table_name] # Clear all cached association data that may reference old db @@ -157,6 +160,7 @@ def self.create_schema(with_indexes: true) foreign_key :manifest_id, :manifests String :name, null: false String :ecosystem + String :purl String :change_type, null: false String :requirement String :previous_requirement @@ -171,12 +175,63 @@ def self.create_schema(with_indexes: true) foreign_key :manifest_id, :manifests String :name, null: false String :ecosystem + String :purl String :requirement String :dependency_type DateTime :created_at DateTime :updated_at end + @db.create_table?(:packages) do + primary_key :id + String :purl, null: false + String :ecosystem, null: false + String :name, null: false + String :latest_version + String :license + String :description, text: true + String :homepage + String :repository_url + String :source + DateTime :enriched_at + DateTime :vulns_synced_at + DateTime :created_at + DateTime :updated_at + index :purl, unique: true + index [:ecosystem, :name] + end + + # Core vulnerability data (one row per CVE/GHSA) + @db.create_table?(:vulnerabilities) do + String :id, primary_key: true 
# CVE-2024-1234, GHSA-xxxx, etc. + String :aliases, text: true # comma-separated other IDs for same vuln + String :severity # critical, high, medium, low + Float :cvss_score + String :cvss_vector + String :references, text: true # JSON array of {type, url} objects + String :summary, text: true + String :details, text: true + DateTime :published_at # when vuln was disclosed + DateTime :withdrawn_at # when vuln was retracted (if ever) + DateTime :modified_at # when OSV record was last modified + DateTime :fetched_at, null: false # when we last fetched from OSV + end + + # Which packages are affected by each vulnerability + # One vuln can affect multiple packages, each with different version ranges + @db.create_table?(:vulnerability_packages) do + primary_key :id + String :vulnerability_id, null: false + String :ecosystem, null: false # OSV ecosystem name + String :package_name, null: false + String :affected_versions, text: true # version range expression + String :fixed_versions, text: true # comma-separated list + foreign_key [:vulnerability_id], :vulnerabilities + index [:ecosystem, :package_name] + index [:vulnerability_id] + unique [:vulnerability_id, :ecosystem, :package_name] + end + set_version create_bulk_indexes if with_indexes refresh_models @@ -186,6 +241,7 @@ def self.create_bulk_indexes @db.alter_table(:dependency_changes) do add_index :name, if_not_exists: true add_index :ecosystem, if_not_exists: true + add_index :purl, if_not_exists: true add_index [:commit_id, :name], if_not_exists: true end @@ -193,6 +249,7 @@ def self.create_bulk_indexes add_index [:commit_id, :manifest_id, :name], unique: true, name: "idx_snapshots_unique", if_not_exists: true add_index :name, if_not_exists: true add_index :ecosystem, if_not_exists: true + add_index :purl, if_not_exists: true end end @@ -218,10 +275,83 @@ def self.needs_upgrade? def self.check_version! return unless needs_upgrade? + migrate! + end + + def self.migrate! stored = stored_version || 0 - $stderr.puts "Database schema is outdated (version #{stored}, current is #{SCHEMA_VERSION})." - $stderr.puts "Run 'git pkgs upgrade' to update." - exit 1 + + # Migration from v1 to v2: add vuln tables + if stored < 2 + migrate_to_v2! + end + + set_version + refresh_models + end + + def self.migrate_to_v2! 
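+      # Safe to re-run: create_table? only creates tables that are missing,
+      # and the schema checks below skip columns that already exist.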
+ @db.create_table?(:packages) do + primary_key :id + String :purl, null: false + String :ecosystem, null: false + String :name, null: false + String :latest_version + String :license + String :description, text: true + String :homepage + String :repository_url + String :source + DateTime :enriched_at + DateTime :vulns_synced_at + DateTime :created_at + DateTime :updated_at + index :purl, unique: true + index [:ecosystem, :name] + end + + @db.create_table?(:vulnerabilities) do + String :id, primary_key: true + String :aliases, text: true + String :severity + Float :cvss_score + String :cvss_vector + String :references, text: true + String :summary, text: true + String :details, text: true + DateTime :published_at + DateTime :withdrawn_at + DateTime :modified_at + DateTime :fetched_at, null: false + end + + @db.create_table?(:vulnerability_packages) do + primary_key :id + String :vulnerability_id, null: false + String :ecosystem, null: false + String :package_name, null: false + String :affected_versions, text: true + String :fixed_versions, text: true + foreign_key [:vulnerability_id], :vulnerabilities + index [:ecosystem, :package_name] + index [:vulnerability_id] + unique [:vulnerability_id, :ecosystem, :package_name] + end + + # Add purl column to existing tables if missing + unless @db.schema(:dependency_changes).any? { |col, _| col == :purl } + @db.alter_table(:dependency_changes) do + add_column :purl, String + add_index :purl, if_not_exists: true + end + end + + unless @db.schema(:dependency_snapshots).any? { |col, _| col == :purl } + @db.alter_table(:dependency_snapshots) do + add_column :purl, String + add_index :purl, if_not_exists: true + end + end end def self.optimize_for_bulk_writes diff --git a/lib/git/pkgs/ecosystems.rb b/lib/git/pkgs/ecosystems.rb new file mode 100644 index 0000000..7b6ac97 --- /dev/null +++ b/lib/git/pkgs/ecosystems.rb @@ -0,0 +1,83 @@ +# frozen_string_literal: true + +module Git + module Pkgs + # Maps ecosystem names between bibliothecary, purl, and OSV formats. + # Bibliothecary uses lowercase names internally. + # Purl uses its own type names. + # OSV uses mixed case names that differ from both. 
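+    # For example (values taken from MAPPINGS below):
+    #   Ecosystems.to_osv("rubygems")    #=> "RubyGems"
+    #   Ecosystems.to_purl("rubygems")   #=> "gem"
+    #   Ecosystems.from_osv("crates.io") #=> "cargo"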
+    module Ecosystems
+      # Mapping from bibliothecary ecosystem names to OSV and purl equivalents
+      MAPPINGS = {
+        "npm" => { osv: "npm", purl: "npm" },
+        "rubygems" => { osv: "RubyGems", purl: "gem" },
+        "pypi" => { osv: "PyPI", purl: "pypi" },
+        "cargo" => { osv: "crates.io", purl: "cargo" },
+        "maven" => { osv: "Maven", purl: "maven" },
+        "nuget" => { osv: "NuGet", purl: "nuget" },
+        "packagist" => { osv: "Packagist", purl: "composer" },
+        "go" => { osv: "Go", purl: "golang" },
+        "hex" => { osv: "Hex", purl: "hex" },
+        "pub" => { osv: "Pub", purl: "pub" }
+      }.freeze
+
+      # Reverse mappings for lookups from OSV/purl to bibliothecary
+      OSV_TO_BIBLIOTHECARY = MAPPINGS.transform_values { |v| v[:osv] }.invert.freeze
+      PURL_TO_BIBLIOTHECARY = MAPPINGS.transform_values { |v| v[:purl] }.invert.freeze
+
+      class << self
+        # Convert bibliothecary ecosystem name to OSV format
+        # @param ecosystem [String] bibliothecary ecosystem name (e.g., "rubygems")
+        # @return [String, nil] OSV ecosystem name (e.g., "RubyGems") or nil if not mapped
+        def to_osv(ecosystem)
+          MAPPINGS.dig(ecosystem.to_s.downcase, :osv)
+        end
+
+        # Convert bibliothecary ecosystem name to purl type
+        # @param ecosystem [String] bibliothecary ecosystem name (e.g., "rubygems")
+        # @return [String, nil] purl type (e.g., "gem") or nil if not mapped
+        def to_purl(ecosystem)
+          MAPPINGS.dig(ecosystem.to_s.downcase, :purl)
+        end
+
+        # Convert OSV ecosystem name to bibliothecary format
+        # @param osv_ecosystem [String] OSV ecosystem name (e.g., "RubyGems")
+        # @return [String, nil] bibliothecary ecosystem name (e.g., "rubygems") or nil if not mapped
+        def from_osv(osv_ecosystem)
+          OSV_TO_BIBLIOTHECARY[osv_ecosystem]
+        end
+
+        # Convert purl type to bibliothecary ecosystem name
+        # @param purl_type [String] purl type (e.g., "gem")
+        # @return [String, nil] bibliothecary ecosystem name (e.g., "rubygems") or nil if not mapped
+        def from_purl(purl_type)
+          PURL_TO_BIBLIOTHECARY[purl_type]
+        end
+
+        # Check if an ecosystem is supported for vulnerability scanning
+        # @param ecosystem [String] bibliothecary ecosystem name
+        # @return [Boolean]
+        def supported?(ecosystem)
+          MAPPINGS.key?(ecosystem.to_s.downcase)
+        end
+
+        # List all supported bibliothecary ecosystem names
+        # @return [Array<String>]
+        def supported_ecosystems
+          MAPPINGS.keys
+        end
+
+        # Generate a purl (package URL) for a given ecosystem and package name
+        # @param ecosystem [String] bibliothecary ecosystem name (e.g., "rubygems")
+        # @param name [String] package name
+        # @return [String, nil] purl string (e.g., "pkg:gem/rails") or nil if ecosystem not supported
+        def generate_purl(ecosystem, name)
+          purl_type = to_purl(ecosystem)
+          return nil unless purl_type
+
+          "pkg:#{purl_type}/#{name}"
+        end
+      end
+    end
+  end
+end
diff --git a/lib/git/pkgs/models/package.rb b/lib/git/pkgs/models/package.rb
new file mode 100644
index 0000000..6f48d75
--- /dev/null
+++ b/lib/git/pkgs/models/package.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Git
+  module Pkgs
+    module Models
+      class Package < Sequel::Model
+        STALE_THRESHOLD = 86400 # 24 hours
+
+        dataset_module do
+          def by_ecosystem(ecosystem)
+            where(ecosystem: ecosystem)
+          end
+
+          def needs_vuln_sync
+            where(vulns_synced_at: nil).or { vulns_synced_at < Time.now - STALE_THRESHOLD }
+          end
+
+          def synced
+            where { vulns_synced_at >= Time.now - STALE_THRESHOLD }
+          end
+        end
+
+        def needs_vuln_sync?
+          vulns_synced_at.nil?
|| vulns_synced_at < Time.now - STALE_THRESHOLD + end + + def mark_vulns_synced + update(vulns_synced_at: Time.now) + end + + def vulnerabilities + osv_ecosystem = Ecosystems.to_osv(ecosystem) + return [] unless osv_ecosystem + + VulnerabilityPackage + .where(ecosystem: osv_ecosystem, package_name: name) + .map(&:vulnerability) + .compact + end + + def self.find_or_create_by_purl(purl:, ecosystem: nil, name: nil) + existing = first(purl: purl) + return existing if existing + + create(purl: purl, ecosystem: ecosystem, name: name) + end + + def self.generate_purl(ecosystem, name) + Ecosystems.generate_purl(ecosystem, name) + end + end + end + end +end diff --git a/lib/git/pkgs/models/vulnerability.rb b/lib/git/pkgs/models/vulnerability.rb new file mode 100644 index 0000000..030de8a --- /dev/null +++ b/lib/git/pkgs/models/vulnerability.rb @@ -0,0 +1,300 @@ +# frozen_string_literal: true + +require "time" + +module Git + module Pkgs + module Models + class Vulnerability < Sequel::Model + one_to_many :vulnerability_packages, key: :vulnerability_id + + dataset_module do + def by_severity(severity) + where(severity: severity) + end + + def critical + by_severity("critical") + end + + def high + by_severity("high") + end + + def medium + by_severity("medium") + end + + def low + by_severity("low") + end + + def not_withdrawn + where(withdrawn_at: nil) + end + + def stale(max_age_seconds = 86400) + threshold = Time.now - max_age_seconds + where { fetched_at < threshold } + end + + def fresh(max_age_seconds = 86400) + threshold = Time.now - max_age_seconds + where { fetched_at >= threshold } + end + end + + def severity_level + case severity&.downcase + when "critical" then 4 + when "high" then 3 + when "medium" then 2 + when "low" then 1 + else 0 + end + end + + def severity_display + severity&.upcase || "UNKNOWN" + end + + def withdrawn? + !withdrawn_at.nil? + end + + def aliases_list + return [] if aliases.nil? || aliases.empty? + + aliases.split(",").map(&:strip) + end + + # Create or update from OSV API response data. + # Creates both the Vulnerability record and VulnerabilityPackage records + # for each affected package. + def self.from_osv(osv_data) + vuln_id = osv_data["id"] + severity_info = extract_severity(osv_data) + + vuln = update_or_create( + { id: vuln_id }, + { + aliases: extract_aliases(osv_data), + severity: severity_info[:severity], + cvss_score: severity_info[:score], + cvss_vector: severity_info[:vector], + summary: osv_data["summary"], + details: osv_data["details"], + published_at: parse_timestamp(osv_data["published"]), + modified_at: parse_timestamp(osv_data["modified"]), + withdrawn_at: parse_timestamp(osv_data["withdrawn"]), + fetched_at: Time.now + } + ) + + # Create VulnerabilityPackage records for each affected package + (osv_data["affected"] || []).each do |affected| + pkg = affected["package"] + next unless pkg + + ecosystem = pkg["ecosystem"] + name = pkg["name"] + + affected_range = build_affected_range(affected) + fixed = extract_fixed_versions(affected) + + VulnerabilityPackage.update_or_create( + { vulnerability_id: vuln_id, ecosystem: ecosystem, package_name: name }, + { + affected_versions: affected_range, + fixed_versions: fixed&.join(",") + } + ) + end + + vuln + end + + def self.extract_aliases(osv_data) + aliases = osv_data["aliases"] || [] + aliases.any? ? aliases.join(",") : nil + end + + def self.extract_severity(osv_data) + result = { severity: nil, score: nil, vector: nil } + + if osv_data["severity"]&.any? 
+ sev = osv_data["severity"].first + result[:vector] = sev["score"] + + if sev["score"]&.include?("CVSS") + result[:score] = parse_cvss_score(sev["score"]) + result[:severity] = score_to_severity(result[:score]) + end + end + + # Check root-level database_specific (GHSA format) + if osv_data["database_specific"]&.dig("severity") + result[:severity] ||= normalize_severity(osv_data["database_specific"]["severity"]) + end + + # Check affected entries for database_specific severity + osv_data["affected"]&.each do |affected| + db_specific = affected["database_specific"] + if db_specific && db_specific["severity"] + result[:severity] ||= normalize_severity(db_specific["severity"]) + end + end + + result + end + + def self.normalize_severity(severity) + return nil unless severity + + case severity.downcase + when "critical" then "critical" + when "high" then "high" + when "moderate", "medium" then "medium" + when "low" then "low" + end + end + + def self.parse_cvss_score(vector) + return nil unless vector + + if vector.match?(/\A\d+(\.\d+)?\z/) + return vector.to_f + end + + return nil unless vector.include?("CVSS:") + + metrics = parse_cvss_metrics(vector) + return nil if metrics.empty? + + estimate_cvss_score(metrics) + end + + def self.parse_cvss_metrics(vector) + metrics = {} + vector.split("/").each do |part| + key, value = part.split(":") + metrics[key] = value if key && value + end + metrics + end + + def self.estimate_cvss_score(metrics) + impact_values = { "N" => 0, "L" => 1, "H" => 2 } + c = impact_values[metrics["C"]] || 0 + i = impact_values[metrics["I"]] || 0 + a = impact_values[metrics["A"]] || 0 + max_impact = [c, i, a].max + + ac_easy = metrics["AC"] == "L" + av_network = metrics["AV"] == "N" + pr_none = metrics["PR"] == "N" + ui_none = metrics["UI"] == "N" + + if max_impact == 2 && av_network && ac_easy && pr_none && ui_none + 9.8 + elsif max_impact == 2 && av_network && ac_easy + 8.1 + elsif max_impact == 2 + 7.0 + elsif max_impact == 1 && av_network + 5.3 + elsif max_impact == 1 + 4.0 + elsif max_impact == 0 + 0.0 + else + 5.0 + end + end + + def self.score_to_severity(score) + return nil unless score + + case score + when 9.0..10.0 then "critical" + when 7.0...9.0 then "high" + when 4.0...7.0 then "medium" + when 0.0...4.0 then "low" + end + end + + def self.build_affected_range(affected) + return nil unless affected + + ranges = affected["ranges"] || [] + versions = affected["versions"] || [] + + return versions.join(",") if versions.any? && ranges.empty? 
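+        # Translate OSV range events into comparator expressions, e.g. events
+        # [{"introduced" => "0"}, {"fixed" => "1.2.3"}] become "<1.2.3";
+        # independent ranges are OR-ed together with " || " below.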
+ + range_parts = ranges.flat_map do |range| + events = range["events"] || [] + build_range_from_events(events) + end + + range_parts.compact.join(" || ") + end + + def self.build_range_from_events(events) + ranges = [] + current_introduced = nil + + events.each do |event| + if event["introduced"] + current_introduced = event["introduced"] + elsif event["fixed"] && current_introduced + if current_introduced == "0" + ranges << "<#{event["fixed"]}" + else + ranges << ">=#{current_introduced} <#{event["fixed"]}" + end + current_introduced = nil + elsif event["last_affected"] && current_introduced + if current_introduced == "0" + ranges << "<=#{event["last_affected"]}" + else + ranges << ">=#{current_introduced} <=#{event["last_affected"]}" + end + current_introduced = nil + end + end + + if current_introduced + ranges << if current_introduced == "0" + ">=0" + else + ">=#{current_introduced}" + end + end + + ranges + end + + def self.extract_fixed_versions(affected) + return nil unless affected + + fixed = [] + (affected["ranges"] || []).each do |range| + (range["events"] || []).each do |event| + fixed << event["fixed"] if event["fixed"] + end + end + + fixed.uniq.empty? ? nil : fixed.uniq + end + + def self.parse_timestamp(str) + return nil unless str + + Time.parse(str) + rescue ArgumentError + nil + end + end + end + end +end diff --git a/lib/git/pkgs/models/vulnerability_package.rb b/lib/git/pkgs/models/vulnerability_package.rb new file mode 100644 index 0000000..23194c6 --- /dev/null +++ b/lib/git/pkgs/models/vulnerability_package.rb @@ -0,0 +1,59 @@ +# frozen_string_literal: true + +require "vers" + +module Git + module Pkgs + module Models + class VulnerabilityPackage < Sequel::Model + many_to_one :vulnerability, key: :vulnerability_id + + dataset_module do + def for_package(ecosystem, name) + where(ecosystem: ecosystem, package_name: name) + end + end + + def affects_version?(version) + return false if affected_versions.nil? || affected_versions.empty? + return false if version.nil? || version.empty? + + # Convert OSV ecosystem to purl type for Vers + bib_ecosystem = Ecosystems.from_osv(ecosystem) || ecosystem.downcase + purl_type = Ecosystems.to_purl(bib_ecosystem) || bib_ecosystem + + # Handle || separator (OR conditions between different ranges) + # Each part separated by || is an independent range (OR) + # Within each part, space-separated constraints are AND conditions + affected_versions.split(" || ").any? do |range_part| + range_matches?(version, range_part, purl_type) + end + rescue ArgumentError, Vers::Error + # If we can't parse the version or range, be conservative and assume affected + true + end + + def range_matches?(version, range_part, purl_type) + # Extract individual constraints (e.g., ">=7.1.0 <7.1.3.1" -> [">=7.1.0", "<7.1.3.1"]) + constraints = range_part.scan(/[<>=!~^]+[^\s]+/) + return false if constraints.empty? + + # All constraints must be satisfied (AND logic) + constraints.all? do |constraint| + Vers.satisfies?(version, constraint, purl_type) + end + end + + def fixed_versions_list + return [] if fixed_versions.nil? || fixed_versions.empty? 
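+ # fixed_versions is persisted as a comma-separated string (from_osv joins
+ # the unique fixed versions with ","), e.g. "1.2.3,2.0.1".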
+ + fixed_versions.split(",").map(&:strip) + end + + def purl + Models::Package.generate_purl(ecosystem, package_name) + end + end + end + end +end diff --git a/lib/git/pkgs/osv_client.rb b/lib/git/pkgs/osv_client.rb new file mode 100644 index 0000000..6069c62 --- /dev/null +++ b/lib/git/pkgs/osv_client.rb @@ -0,0 +1,151 @@ +# frozen_string_literal: true + +require "net/http" +require "json" +require "uri" + +module Git + module Pkgs + # Client for the OSV (Open Source Vulnerabilities) API. + # https://google.github.io/osv.dev/api/ + class OsvClient + API_BASE = "https://api.osv.dev/v1" + BATCH_SIZE = 1000 # Max queries per batch request + + class Error < StandardError; end + class ApiError < Error; end + + def initialize + @http_clients = {} + end + + # Query vulnerabilities for a single package version. + # + # @param ecosystem [String] OSV ecosystem name (e.g., "RubyGems") + # @param name [String] package name + # @param version [String] package version + # @return [Array<Hash>] array of vulnerability hashes + def query(ecosystem:, name:, version:) + payload = { + package: { + name: name, + ecosystem: ecosystem + }, + version: version + } + + response = post("/query", payload) + fetch_all_pages(response, payload) + end + + # Batch query vulnerabilities for multiple packages. + # More efficient than individual queries for large dependency sets. + # + # @param packages [Array<Hash>] array of {ecosystem:, name:, version:} hashes + # @return [Array<Array<Hash>>] array of vulnerability arrays, one per input package + def query_batch(packages) + return [] if packages.empty? + + results = Array.new(packages.size) { [] } + + packages.each_slice(BATCH_SIZE).with_index do |batch, batch_idx| + queries = batch.map do |pkg| + { + package: { + name: pkg[:name], + ecosystem: pkg[:ecosystem] + }, + version: pkg[:version] + } + end + + response = post("/querybatch", { queries: queries }) + batch_results = response["results"] || [] + + batch_results.each_with_index do |result, idx| + global_idx = batch_idx * BATCH_SIZE + idx + results[global_idx] = result["vulns"] || [] + end + end + + results + end + + # Fetch full details for a specific vulnerability by ID.
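+ # Note: the batch endpoint returns only minimal records (IDs and modified
+ # timestamps), so callers typically follow query_batch with this call to
+ # hydrate full vulnerability details.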
+ # + # @param vuln_id [String] vulnerability ID (e.g., "CVE-2024-1234", "GHSA-xxxx") + # @return [Hash] full vulnerability data + def get_vulnerability(vuln_id) + get("/vulns/#{URI.encode_uri_component(vuln_id)}") + end + + private + + def post(path, payload) + uri = URI("#{API_BASE}#{path}") + request = Net::HTTP::Post.new(uri) + request["Content-Type"] = "application/json" + request.body = JSON.generate(payload) + + execute_request(uri, request) + end + + def get(path) + uri = URI("#{API_BASE}#{path}") + request = Net::HTTP::Get.new(uri) + request["Content-Type"] = "application/json" + + execute_request(uri, request) + end + + def execute_request(uri, request) + http = http_client(uri) + response = http.request(request) + + case response + when Net::HTTPSuccess + JSON.parse(response.body) + else + raise ApiError, "OSV API error: #{response.code} #{response.message}" + end + rescue JSON::ParserError => e + raise ApiError, "Invalid JSON response from OSV API: #{e.message}" + rescue Net::OpenTimeout, Net::ReadTimeout => e + raise ApiError, "OSV API timeout: #{e.message}" + rescue SocketError, Errno::ECONNREFUSED => e + raise ApiError, "OSV API connection error: #{e.message}" + rescue OpenSSL::SSL::SSLError => e + raise ApiError, "OSV API SSL error: #{e.message}" + end + + def http_client(uri) + key = "#{uri.host}:#{uri.port}" + @http_clients[key] ||= begin + http = Net::HTTP.new(uri.host, uri.port) + http.use_ssl = uri.scheme == "https" + http.open_timeout = 10 + http.read_timeout = 30 + http + end + end + + MAX_PAGES = 100 + + def fetch_all_pages(response, original_payload) + vulns = response["vulns"] || [] + page_token = response["next_page_token"] + pages_fetched = 0 + + while page_token && pages_fetched < MAX_PAGES + payload = original_payload.merge(page_token: page_token) + response = post("/query", payload) + vulns.concat(response["vulns"] || []) + page_token = response["next_page_token"] + pages_fetched += 1 + end + + vulns + end + end + end +end diff --git a/lib/git/pkgs/output.rb b/lib/git/pkgs/output.rb index 36812bf..2b5e8d6 100644 --- a/lib/git/pkgs/output.rb +++ b/lib/git/pkgs/output.rb @@ -52,6 +52,28 @@ def require_database(repo) error "Database not initialized. Run 'git pkgs init' first." end + + # Pick best author from commit, preferring humans over bots + def best_author(commit) + author_name = commit.respond_to?(:author_name) ? commit.author_name : commit[:author_name] + message = commit.respond_to?(:message) ? 
commit.message : commit[:message] + + authors = [author_name] + parse_coauthors(message) + + # Prefer human authors over bots + human = authors.find { |a| !bot_author?(a) } + human || authors.first + end + + def parse_coauthors(message) + return [] unless message + + message.scan(/^Co-authored-by:([^<]+)<[^>]+>/i).flatten.map(&:strip) + end + + def bot_author?(name) + name =~ /\[bot\]$|^dependabot|^renovate|^github-actions/i + end end end end diff --git a/test/fixtures/sarif-schema-2.1.0.json b/test/fixtures/sarif-schema-2.1.0.json new file mode 100644 index 0000000..0f58372 --- /dev/null +++ b/test/fixtures/sarif-schema-2.1.0.json @@ -0,0 +1,3389 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "title": "Static Analysis Results Format (SARIF) Version 2.1.0 JSON Schema", + "id": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json", + "description": "Static Analysis Results Format (SARIF) Version 2.1.0 JSON Schema: a standard format for the output of static analysis tools.", + "additionalProperties": false, + "type": "object", + "properties": { + + "$schema": { + "description": "The URI of the JSON schema corresponding to the version.", + "type": "string", + "format": "uri" + }, + + "version": { + "description": "The SARIF format version of this log file.", + "enum": [ "2.1.0" ], + "type": "string" + }, + + "runs": { + "description": "The set of runs contained in this log file.", + "type": [ "array", "null" ], + "minItems": 0, + "uniqueItems": false, + "items": { + "$ref": "#/definitions/run" + } + }, + + "inlineExternalProperties": { + "description": "References to external property files that share data between runs.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/externalProperties" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the log file.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "version", "runs" ], + + "definitions": { + + "address": { + "description": "A physical or virtual address, or a range of addresses, in an 'addressable region' (memory or a binary file).", + "additionalProperties": false, + "type": "object", + "properties": { + + "absoluteAddress": { + "description": "The address expressed as a byte offset from the start of the addressable region.", + "type": "integer", + "minimum": -1, + "default": -1 + + }, + + "relativeAddress": { + "description": "The address expressed as a byte offset from the absolute address of the top-most parent object.", + "type": "integer" + + }, + + "length": { + "description": "The number of bytes in this range of addresses.", + "type": "integer" + }, + + "kind": { + "description": "An open-ended string that identifies the address kind. 
'data', 'function', 'header','instruction', 'module', 'page', 'section', 'segment', 'stack', 'stackFrame', 'table' are well-known values.", + "type": "string" + }, + + "name": { + "description": "A name that is associated with the address, e.g., '.text'.", + "type": "string" + }, + + "fullyQualifiedName": { + "description": "A human-readable fully qualified name that is associated with the address.", + "type": "string" + }, + + "offsetFromParent": { + "description": "The byte offset of this address from the absolute or relative address of the parent object.", + "type": "integer" + }, + + "index": { + "description": "The index within run.addresses of the cached object for this address.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "parentIndex": { + "description": "The index within run.addresses of the parent object.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the address.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "artifact": { + "description": "A single artifact. In some cases, this artifact might be nested within another artifact.", + "additionalProperties": false, + "type": "object", + "properties": { + + "description": { + "description": "A short description of the artifact.", + "$ref": "#/definitions/message" + }, + + "location": { + "description": "The location of the artifact.", + "$ref": "#/definitions/artifactLocation" + }, + + "parentIndex": { + "description": "Identifies the index of the immediate parent of the artifact, if this artifact is nested.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "offset": { + "description": "The offset in bytes of the artifact within its containing artifact.", + "type": "integer", + "minimum": 0 + }, + + "length": { + "description": "The length of the artifact in bytes.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "roles": { + "description": "The role or roles played by the artifact in the analysis.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "enum": [ + "analysisTarget", + "attachment", + "responseFile", + "resultFile", + "standardStream", + "tracedFile", + "unmodified", + "modified", + "added", + "deleted", + "renamed", + "uncontrolled", + "driver", + "extension", + "translation", + "taxonomy", + "policy", + "referencedOnCommandLine", + "memoryContents", + "directory", + "userSpecifiedConfiguration", + "toolSpecifiedConfiguration", + "debugOutputFile" + ], + "type": "string" + } + }, + + "mimeType": { + "description": "The MIME type (RFC 2045) of the artifact.", + "type": "string", + "pattern": "[^/]+/.+" + }, + + "contents": { + "description": "The contents of the artifact.", + "$ref": "#/definitions/artifactContent" + }, + + "encoding": { + "description": "Specifies the encoding for an artifact object that refers to a text file.", + "type": "string" + }, + + "sourceLanguage": { + "description": "Specifies the source language for any artifact object that refers to a text file that contains source code.", + "type": "string" + }, + + "hashes": { + "description": "A dictionary, each of whose keys is the name of a hash function and each of whose values is the hashed value of the artifact produced by the specified hash function.", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + + "lastModifiedTimeUtc": { + "description": "The Coordinated Universal Time (UTC) date and time at which the 
artifact was most recently modified. See \"Date/time properties\" in the SARIF spec for the required format.", + "type": "string", + "format": "date-time" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the artifact.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "artifactChange": { + "description": "A change to a single artifact.", + "additionalProperties": false, + "type": "object", + "properties": { + + "artifactLocation": { + "description": "The location of the artifact to change.", + "$ref": "#/definitions/artifactLocation" + }, + + "replacements": { + "description": "An array of replacement objects, each of which represents the replacement of a single region in a single artifact specified by 'artifactLocation'.", + "type": "array", + "minItems": 1, + "uniqueItems": false, + "items": { + "$ref": "#/definitions/replacement" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the change.", + "$ref": "#/definitions/propertyBag" + } + + }, + + "required": [ "artifactLocation", "replacements" ] + }, + + "artifactContent": { + "description": "Represents the contents of an artifact.", + "type": "object", + "additionalProperties": false, + "properties": { + + "text": { + "description": "UTF-8-encoded content from a text artifact.", + "type": "string" + }, + + "binary": { + "description": "MIME Base64-encoded content from a binary artifact, or from a text artifact in its original encoding.", + "type": "string" + }, + + "rendered": { + "description": "An alternate rendered representation of the artifact (e.g., a decompiled representation of a binary region).", + "$ref": "#/definitions/multiformatMessageString" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the artifact content.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "artifactLocation": { + "description": "Specifies the location of an artifact.", + "additionalProperties": false, + "type": "object", + "properties": { + + "uri": { + "description": "A string containing a valid relative or absolute URI.", + "type": "string", + "format": "uri-reference" + }, + + "uriBaseId": { + "description": "A string which indirectly specifies the absolute URI with respect to which a relative URI in the \"uri\" property is interpreted.", + "type": "string" + }, + + "index": { + "description": "The index within the run artifacts array of the artifact object associated with the artifact location.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "description": { + "description": "A short description of the artifact location.", + "$ref": "#/definitions/message" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the artifact location.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "attachment": { + "description": "An artifact relevant to a result.", + "type": "object", + "additionalProperties": false, + "properties": { + + "description": { + "description": "A message describing the role played by the attachment.", + "$ref": "#/definitions/message" + }, + + "artifactLocation": { + "description": "The location of the attachment.", + "$ref": "#/definitions/artifactLocation" + }, + + "regions": { + "description": "An array of regions of interest within the attachment.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/region" + } + }, + + 
"rectangles": { + "description": "An array of rectangles specifying areas of interest within the image.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/rectangle" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the attachment.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "artifactLocation" ] + }, + + "codeFlow": { + "description": "A set of threadFlows which together describe a pattern of code execution relevant to detecting a result.", + "additionalProperties": false, + "type": "object", + "properties": { + + "message": { + "description": "A message relevant to the code flow.", + "$ref": "#/definitions/message" + }, + + "threadFlows": { + "description": "An array of one or more unique threadFlow objects, each of which describes the progress of a program through a thread of execution.", + "type": "array", + "minItems": 1, + "uniqueItems": false, + "items": { + "$ref": "#/definitions/threadFlow" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the code flow.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "threadFlows" ] + }, + + "configurationOverride": { + "description": "Information about how a specific rule or notification was reconfigured at runtime.", + "type": "object", + "additionalProperties": false, + "properties": { + + "configuration": { + "description": "Specifies how the rule or notification was configured during the scan.", + "$ref": "#/definitions/reportingConfiguration" + }, + + "descriptor": { + "description": "A reference used to locate the descriptor whose configuration was overridden.", + "$ref": "#/definitions/reportingDescriptorReference" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the configuration override.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "configuration", "descriptor" ] + }, + + "conversion": { + "description": "Describes how a converter transformed the output of a static analysis tool from the analysis tool's native output format into the SARIF format.", + "additionalProperties": false, + "type": "object", + "properties": { + + "tool": { + "description": "A tool object that describes the converter.", + "$ref": "#/definitions/tool" + }, + + "invocation": { + "description": "An invocation object that describes the invocation of the converter.", + "$ref": "#/definitions/invocation" + }, + + "analysisToolLogFiles": { + "description": "The locations of the analysis tool's per-run log files.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/artifactLocation" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the conversion.", + "$ref": "#/definitions/propertyBag" + } + + }, + + "required": [ "tool" ] + }, + + "edge": { + "description": "Represents a directed edge in a graph.", + "type": "object", + "additionalProperties": false, + "properties": { + + "id": { + "description": "A string that uniquely identifies the edge within its graph.", + "type": "string" + }, + + "label": { + "description": "A short description of the edge.", + "$ref": "#/definitions/message" + }, + + "sourceNodeId": { + "description": "Identifies the source node (the node at which the edge starts).", + "type": "string" + }, + + "targetNodeId": { + "description": "Identifies the 
target node (the node at which the edge ends).", + "type": "string" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the edge.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "id", "sourceNodeId", "targetNodeId" ] + }, + + "edgeTraversal": { + "description": "Represents the traversal of a single edge during a graph traversal.", + "type": "object", + "additionalProperties": false, + "properties": { + + "edgeId": { + "description": "Identifies the edge being traversed.", + "type": "string" + }, + + "message": { + "description": "A message to display to the user as the edge is traversed.", + "$ref": "#/definitions/message" + }, + + "finalState": { + "description": "The values of relevant expressions after the edge has been traversed.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/multiformatMessageString" + } + }, + + "stepOverEdgeCount": { + "description": "The number of edge traversals necessary to return from a nested graph.", + "type": "integer", + "minimum": 0 + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the edge traversal.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "edgeId" ] + }, + + "exception": { + "description": "Describes a runtime exception encountered during the execution of an analysis tool.", + "type": "object", + "additionalProperties": false, + "properties": { + + "kind": { + "type": "string", + "description": "A string that identifies the kind of exception, for example, the fully qualified type name of an object that was thrown, or the symbolic name of a signal." + }, + + "message": { + "description": "A message that describes the exception.", + "type": "string" + }, + + "stack": { + "description": "The sequence of function calls leading to the exception.", + "$ref": "#/definitions/stack" + }, + + "innerExceptions": { + "description": "An array of exception objects each of which is considered a cause of this exception.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/exception" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the exception.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "externalProperties": { + "description": "The top-level element of an external property file.", + "type": "object", + "additionalProperties": false, + "properties": { + + "schema": { + "description": "The URI of the JSON schema corresponding to the version of the external property file format.", + "type": "string", + "format": "uri" + }, + + "version": { + "description": "The SARIF format version of this external properties object.", + "enum": [ "2.1.0" ], + "type": "string" + }, + + "guid": { + "description": "A stable, unique identifier for this external properties object, in the form of a GUID.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "runGuid": { + "description": "A stable, unique identifier for the run associated with this external properties object, in the form of a GUID.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "conversion": { + "description": "A conversion object that will be merged with a separate run.", + "$ref": "#/definitions/conversion" + }, + + "graphs": { + "description": "An array 
of graph objects that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "default": [], + "uniqueItems": true, + "items": { + "$ref": "#/definitions/graph" + } + }, + + "externalizedProperties": { + "description": "Key/value pairs that provide additional information that will be merged with a separate run.", + "$ref": "#/definitions/propertyBag" + }, + + "artifacts": { + "description": "An array of artifact objects that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/artifact" + } + }, + + "invocations": { + "description": "Describes the invocation of the analysis tool that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/invocation" + } + }, + + "logicalLocations": { + "description": "An array of logical locations such as namespaces, types or functions that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/logicalLocation" + } + }, + + "threadFlowLocations": { + "description": "An array of threadFlowLocation objects that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/threadFlowLocation" + } + }, + + "results": { + "description": "An array of result objects that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/result" + } + }, + + "taxonomies": { + "description": "Tool taxonomies that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/toolComponent" + } + }, + + "driver": { + "description": "The analysis tool object that will be merged with a separate run.", + "$ref": "#/definitions/toolComponent" + }, + + "extensions": { + "description": "Tool extensions that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/toolComponent" + } + }, + + "policies": { + "description": "Tool policies that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/toolComponent" + } + }, + + "translations": { + "description": "Tool translations that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/toolComponent" + } + }, + + "addresses": { + "description": "Addresses that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/address" + } + }, + + "webRequests": { + "description": "Requests that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/webRequest" + } + }, + + "webResponses": { + "description": "Responses that will be merged with a separate run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/webResponse" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the external 
properties.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "externalPropertyFileReference": { + "description": "Contains information that enables a SARIF consumer to locate the external property file that contains the value of an externalized property associated with the run.", + "type": "object", + "additionalProperties": false, + "properties": { + + "location": { + "description": "The location of the external property file.", + "$ref": "#/definitions/artifactLocation" + }, + + "guid": { + "description": "A stable, unique identifier for the external property file in the form of a GUID.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "itemCount": { + "description": "A non-negative integer specifying the number of items contained in the external property file.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the external property file.", + "$ref": "#/definitions/propertyBag" + } + }, + "anyOf": [ + { "required": [ "location" ] }, + { "required": [ "guid" ] } + ] + }, + + "externalPropertyFileReferences": { + "description": "References to external property files that should be inlined with the content of a root log file.", + "additionalProperties": false, + "type": "object", + "properties": { + + "conversion": { + "description": "An external property file containing a run.conversion object to be merged with the root log file.", + "$ref": "#/definitions/externalPropertyFileReference" + }, + + "graphs": { + "description": "An array of external property files containing a run.graphs object to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "externalizedProperties": { + "description": "An external property file containing a run.properties object to be merged with the root log file.", + "$ref": "#/definitions/externalPropertyFileReference" + }, + + "artifacts": { + "description": "An array of external property files containing run.artifacts arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "invocations": { + "description": "An array of external property files containing run.invocations arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "logicalLocations": { + "description": "An array of external property files containing run.logicalLocations arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "threadFlowLocations": { + "description": "An array of external property files containing run.threadFlowLocations arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "results": { + "description": "An array of external property files containing run.results arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + 
"default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "taxonomies": { + "description": "An array of external property files containing run.taxonomies arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "addresses": { + "description": "An array of external property files containing run.addresses arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "driver": { + "description": "An external property file containing a run.driver object to be merged with the root log file.", + "$ref": "#/definitions/externalPropertyFileReference" + }, + + "extensions": { + "description": "An array of external property files containing run.extensions arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "policies": { + "description": "An array of external property files containing run.policies arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "translations": { + "description": "An array of external property files containing run.translations arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "webRequests": { + "description": "An array of external property files containing run.requests arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "webResponses": { + "description": "An array of external property files containing run.responses arrays to be merged with the root log file.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/externalPropertyFileReference" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the external property files.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "fix": { + "description": "A proposed fix for the problem represented by a result object. A fix specifies a set of artifacts to modify. 
For each artifact, it specifies a set of bytes to remove, and provides a set of new bytes to replace them.", + "additionalProperties": false, + "type": "object", + "properties": { + + "description": { + "description": "A message that describes the proposed fix, enabling viewers to present the proposed change to an end user.", + "$ref": "#/definitions/message" + }, + + "artifactChanges": { + "description": "One or more artifact changes that comprise a fix for a result.", + "type": "array", + "minItems": 1, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/artifactChange" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the fix.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "artifactChanges" ] + }, + + "graph": { + "description": "A network of nodes and directed edges that describes some aspect of the structure of the code (for example, a call graph).", + "type": "object", + "additionalProperties": false, + "properties": { + + "description": { + "description": "A description of the graph.", + "$ref": "#/definitions/message" + }, + + "nodes": { + "description": "An array of node objects representing the nodes of the graph.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/node" + } + }, + + "edges": { + "description": "An array of edge objects representing the edges of the graph.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/edge" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the graph.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "graphTraversal": { + "description": "Represents a path through a graph.", + "type": "object", + "additionalProperties": false, + "properties": { + + "runGraphIndex": { + "description": "The index within the run.graphs to be associated with the result.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "resultGraphIndex": { + "description": "The index within the result.graphs to be associated with the result.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "description": { + "description": "A description of this graph traversal.", + "$ref": "#/definitions/message" + }, + + "initialState": { + "description": "Values of relevant expressions at the start of the graph traversal that may change during graph traversal.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/multiformatMessageString" + } + }, + + "immutableState": { + "description": "Values of relevant expressions at the start of the graph traversal that remain constant for the graph traversal.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/multiformatMessageString" + } + }, + + "edgeTraversals": { + "description": "The sequences of edges traversed by this graph traversal.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/edgeTraversal" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the graph traversal.", + "$ref": "#/definitions/propertyBag" + } + }, + "oneOf": [ + { "required": [ "runGraphIndex" ] }, + { "required": [ "resultGraphIndex" ] } + ] + }, + + "invocation": { + "description": "The runtime environment of the analysis tool run.", + "additionalProperties": false, + "type": "object", + "properties": { + + 
"commandLine": { + "description": "The command line used to invoke the tool.", + "type": "string" + }, + + "arguments": { + "description": "An array of strings, containing in order the command line arguments passed to the tool from the operating system.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "items": { + "type": "string" + } + }, + + "responseFiles": { + "description": "The locations of any response files specified on the tool's command line.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/artifactLocation" + } + }, + + "startTimeUtc": { + "description": "The Coordinated Universal Time (UTC) date and time at which the invocation started. See \"Date/time properties\" in the SARIF spec for the required format.", + "type": "string", + "format": "date-time" + }, + + "endTimeUtc": { + "description": "The Coordinated Universal Time (UTC) date and time at which the invocation ended. See \"Date/time properties\" in the SARIF spec for the required format.", + "type": "string", + "format": "date-time" + }, + + "exitCode": { + "description": "The process exit code.", + "type": "integer" + }, + + "ruleConfigurationOverrides": { + "description": "An array of configurationOverride objects that describe rules related runtime overrides.", + "type": "array", + "minItems": 0, + "default": [], + "uniqueItems": true, + "items": { + "$ref": "#/definitions/configurationOverride" + } + }, + + "notificationConfigurationOverrides": { + "description": "An array of configurationOverride objects that describe notifications related runtime overrides.", + "type": "array", + "minItems": 0, + "default": [], + "uniqueItems": true, + "items": { + "$ref": "#/definitions/configurationOverride" + } + }, + + "toolExecutionNotifications": { + "description": "A list of runtime conditions detected by the tool during the analysis.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/notification" + } + }, + + "toolConfigurationNotifications": { + "description": "A list of conditions detected by the tool that are relevant to the tool's configuration.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/notification" + } + }, + + "exitCodeDescription": { + "description": "The reason for the process exit.", + "type": "string" + }, + + "exitSignalName": { + "description": "The name of the signal that caused the process to exit.", + "type": "string" + }, + + "exitSignalNumber": { + "description": "The numeric value of the signal that caused the process to exit.", + "type": "integer" + }, + + "processStartFailureMessage": { + "description": "The reason given by the operating system that the process failed to start.", + "type": "string" + }, + + "executionSuccessful": { + "description": "Specifies whether the tool's execution completed successfully.", + "type": "boolean" + }, + + "machine": { + "description": "The machine on which the invocation occurred.", + "type": "string" + }, + + "account": { + "description": "The account under which the invocation occurred.", + "type": "string" + }, + + "processId": { + "description": "The id of the process in which the invocation occurred.", + "type": "integer" + }, + + "executableLocation": { + "description": "An absolute URI specifying the location of the executable that was invoked.", + "$ref": "#/definitions/artifactLocation" + }, + + "workingDirectory": { + "description": "The working 
directory for the invocation.", + "$ref": "#/definitions/artifactLocation" + }, + + "environmentVariables": { + "description": "The environment variables associated with the analysis tool process, expressed as key/value pairs.", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + + "stdin": { + "description": "A file containing the standard input stream to the process that was invoked.", + "$ref": "#/definitions/artifactLocation" + }, + + "stdout": { + "description": "A file containing the standard output stream from the process that was invoked.", + "$ref": "#/definitions/artifactLocation" + }, + + "stderr": { + "description": "A file containing the standard error stream from the process that was invoked.", + "$ref": "#/definitions/artifactLocation" + }, + + "stdoutStderr": { + "description": "A file containing the interleaved standard output and standard error stream from the process that was invoked.", + "$ref": "#/definitions/artifactLocation" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the invocation.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "executionSuccessful" ] + }, + + "location": { + "description": "A location within a programming artifact.", + "additionalProperties": false, + "type": "object", + "properties": { + + "id": { + "description": "Value that distinguishes this location from all other locations within a single result object.", + "type": "integer", + "minimum": -1, + "default": -1 + }, + + "physicalLocation": { + "description": "Identifies the artifact and region.", + "$ref": "#/definitions/physicalLocation" + }, + + "logicalLocations": { + "description": "The logical locations associated with the result.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/logicalLocation" + } + }, + + "message": { + "description": "A message relevant to the location.", + "$ref": "#/definitions/message" + }, + + "annotations": { + "description": "A set of regions relevant to the location.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/region" + } + }, + + "relationships": { + "description": "An array of objects that describe relationships between this location and others.", + "type": "array", + "default": [], + "minItems": 0, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/locationRelationship" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the location.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "locationRelationship": { + "description": "Information about the relation of one location to another.", + "type": "object", + "additionalProperties": false, + "properties": { + + "target": { + "description": "A reference to the related location.", + "type": "integer", + "minimum": 0 + }, + + "kinds": { + "description": "A set of distinct strings that categorize the relationship. 
Well-known kinds include 'includes', 'isIncludedBy' and 'relevant'.", + "type": "array", + "default": [ "relevant" ], + "uniqueItems": true, + "items": { + "type": "string" + } + }, + + "description": { + "description": "A description of the location relationship.", + "$ref": "#/definitions/message" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the location relationship.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "target" ] + }, + + "logicalLocation": { + "description": "A logical location of a construct that produced a result.", + "additionalProperties": false, + "type": "object", + "properties": { + + "name": { + "description": "Identifies the construct in which the result occurred. For example, this property might contain the name of a class or a method.", + "type": "string" + }, + + "index": { + "description": "The index within the logical locations array.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "fullyQualifiedName": { + "description": "The human-readable fully qualified name of the logical location.", + "type": "string" + }, + + "decoratedName": { + "description": "The machine-readable name for the logical location, such as a mangled function name provided by a C++ compiler that encodes calling convention, return type and other details along with the function name.", + "type": "string" + }, + + "parentIndex": { + "description": "Identifies the index of the immediate parent of the construct in which the result was detected. For example, this property might point to a logical location that represents the namespace that holds a type.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "kind": { + "description": "The type of construct this logical location component refers to. 
Should be one of 'function', 'member', 'module', 'namespace', 'parameter', 'resource', 'returnType', 'type', 'variable', 'object', 'array', 'property', 'value', 'element', 'text', 'attribute', 'comment', 'declaration', 'dtd' or 'processingInstruction', if any of those accurately describe the construct.", + "type": "string" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the logical location.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "message": { + "description": "Encapsulates a message intended to be read by the end user.", + "type": "object", + "additionalProperties": false, + + "properties": { + + "text": { + "description": "A plain text message string.", + "type": "string" + }, + + "markdown": { + "description": "A Markdown message string.", + "type": "string" + }, + + "id": { + "description": "The identifier for this message.", + "type": "string" + }, + + "arguments": { + "description": "An array of strings to substitute into the message string.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "type": "string" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the message.", + "$ref": "#/definitions/propertyBag" + } + }, + "anyOf": [ + { "required": [ "text" ] }, + { "required": [ "id" ] } + ] + }, + + "multiformatMessageString": { + "description": "A message string or message format string rendered in multiple formats.", + "type": "object", + "additionalProperties": false, + + "properties": { + + "text": { + "description": "A plain text message string or format string.", + "type": "string" + }, + + "markdown": { + "description": "A Markdown message string or format string.", + "type": "string" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the message.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "text" ] + }, + + "node": { + "description": "Represents a node in a graph.", + "type": "object", + "additionalProperties": false, + + "properties": { + + "id": { + "description": "A string that uniquely identifies the node within its graph.", + "type": "string" + }, + + "label": { + "description": "A short description of the node.", + "$ref": "#/definitions/message" + }, + + "location": { + "description": "A code location associated with the node.", + "$ref": "#/definitions/location" + }, + + "children": { + "description": "Array of child nodes.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/node" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the node.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "id" ] + }, + + "notification": { + "description": "Describes a condition relevant to the tool itself, as opposed to being relevant to a target being analyzed by the tool.", + "type": "object", + "additionalProperties": false, + "properties": { + + "locations": { + "description": "The locations relevant to this notification.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/location" + } + }, + + "message": { + "description": "A message that describes the condition that was encountered.", + "$ref": "#/definitions/message" + }, + + "level": { + "description": "A value specifying the severity level of the notification.", + "default": "warning", + 
"enum": [ "none", "note", "warning", "error" ], + "type": "string" + }, + + "threadId": { + "description": "The thread identifier of the code that generated the notification.", + "type": "integer" + }, + + "timeUtc": { + "description": "The Coordinated Universal Time (UTC) date and time at which the analysis tool generated the notification.", + "type": "string", + "format": "date-time" + }, + + "exception": { + "description": "The runtime exception, if any, relevant to this notification.", + "$ref": "#/definitions/exception" + }, + + "descriptor": { + "description": "A reference used to locate the descriptor relevant to this notification.", + "$ref": "#/definitions/reportingDescriptorReference" + }, + + "associatedRule": { + "description": "A reference used to locate the rule descriptor associated with this notification.", + "$ref": "#/definitions/reportingDescriptorReference" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the notification.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "message" ] + }, + + "physicalLocation": { + "description": "A physical location relevant to a result. Specifies a reference to a programming artifact together with a range of bytes or characters within that artifact.", + "additionalProperties": false, + "type": "object", + "properties": { + + "address": { + "description": "The address of the location.", + "$ref": "#/definitions/address" + }, + + "artifactLocation": { + "description": "The location of the artifact.", + "$ref": "#/definitions/artifactLocation" + }, + + "region": { + "description": "Specifies a portion of the artifact.", + "$ref": "#/definitions/region" + }, + + "contextRegion": { + "description": "Specifies a portion of the artifact that encloses the region. 
Allows a viewer to display additional context around the region.", + "$ref": "#/definitions/region" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the physical location.", + "$ref": "#/definitions/propertyBag" + } + }, + + "anyOf": [ + { + "required": [ "address" ] + }, + { + "required": [ "artifactLocation" ] + } + ] + }, + + "propertyBag": { + "description": "Key/value pairs that provide additional information about the object.", + "type": "object", + "additionalProperties": true, + "properties": { + "tags": { + + "description": "A set of distinct strings that provide additional information.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "type": "string" + } + } + } + }, + + "rectangle": { + "description": "An area within an image.", + "additionalProperties": false, + "type": "object", + "properties": { + + "top": { + "description": "The Y coordinate of the top edge of the rectangle, measured in the image's natural units.", + "type": "number" + }, + + "left": { + "description": "The X coordinate of the left edge of the rectangle, measured in the image's natural units.", + "type": "number" + }, + + "bottom": { + "description": "The Y coordinate of the bottom edge of the rectangle, measured in the image's natural units.", + "type": "number" + }, + + "right": { + "description": "The X coordinate of the right edge of the rectangle, measured in the image's natural units.", + "type": "number" + }, + + "message": { + "description": "A message relevant to the rectangle.", + "$ref": "#/definitions/message" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the rectangle.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "region": { + "description": "A region within an artifact where a result was detected.", + "additionalProperties": false, + "type": "object", + "properties": { + + "startLine": { + "description": "The line number of the first character in the region.", + "type": "integer", + "minimum": 1 + }, + + "startColumn": { + "description": "The column number of the first character in the region.", + "type": "integer", + "minimum": 1 + }, + + "endLine": { + "description": "The line number of the last character in the region.", + "type": "integer", + "minimum": 1 + }, + + "endColumn": { + "description": "The column number of the character following the end of the region.", + "type": "integer", + "minimum": 1 + }, + + "charOffset": { + "description": "The zero-based offset from the beginning of the artifact of the first character in the region.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "charLength": { + "description": "The length of the region in characters.", + "type": "integer", + "minimum": 0 + }, + + "byteOffset": { + "description": "The zero-based offset from the beginning of the artifact of the first byte in the region.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "byteLength": { + "description": "The length of the region in bytes.", + "type": "integer", + "minimum": 0 + }, + + "snippet": { + "description": "The portion of the artifact contents within the specified region.", + "$ref": "#/definitions/artifactContent" + }, + + "message": { + "description": "A message relevant to the region.", + "$ref": "#/definitions/message" + }, + + "sourceLanguage": { + "description": "Specifies the source language, if any, of the portion of the artifact specified by the region object.", + "type": "string" 
+ }, + + "properties": { + "description": "Key/value pairs that provide additional information about the region.", + "$ref": "#/definitions/propertyBag" + } + }, + + "anyOf": [ + { "required": [ "startLine" ] }, + { "required": [ "charOffset" ] }, + { "required": [ "byteOffset" ] } + ] + }, + + "replacement": { + "description": "The replacement of a single region of an artifact.", + "additionalProperties": false, + "type": "object", + "properties": { + + "deletedRegion": { + "description": "The region of the artifact to delete.", + "$ref": "#/definitions/region" + }, + + "insertedContent": { + "description": "The content to insert at the location specified by the 'deletedRegion' property.", + "$ref": "#/definitions/artifactContent" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the replacement.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "deletedRegion" ] + }, + + "reportingDescriptor": { + "description": "Metadata that describes a specific report produced by the tool, as part of the analysis it provides or its runtime reporting.", + "additionalProperties": false, + "type": "object", + "properties": { + + "id": { + "description": "A stable, opaque identifier for the report.", + "type": "string" + }, + + "deprecatedIds": { + "description": "An array of stable, opaque identifiers by which this report was known in some previous version of the analysis tool.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "items": { + "type": "string" + } + }, + + "guid": { + "description": "A unique identifier for the reporting descriptor in the form of a GUID.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "deprecatedGuids": { + "description": "An array of unique identifies in the form of a GUID by which this report was known in some previous version of the analysis tool.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "items": { + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + } + }, + + "name": { + "description": "A report identifier that is understandable to an end user.", + "type": "string" + }, + + "deprecatedNames": { + "description": "An array of readable identifiers by which this report was known in some previous version of the analysis tool.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "items": { + "type": "string" + } + }, + + "shortDescription": { + "description": "A concise description of the report. Should be a single sentence that is understandable when visible space is limited to a single line of text.", + "$ref": "#/definitions/multiformatMessageString" + }, + + "fullDescription": { + "description": "A description of the report. Should, as far as possible, provide details sufficient to enable resolution of any problem indicated by the result.", + "$ref": "#/definitions/multiformatMessageString" + }, + + "messageStrings": { + "description": "A set of name/value pairs with arbitrary names. Each value is a multiformatMessageString object, which holds message strings in plain text and (optionally) Markdown format. 
The strings can include placeholders, which can be used to construct a message in combination with an arbitrary number of additional string arguments.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/multiformatMessageString" + } + }, + + "defaultConfiguration": { + "description": "Default reporting configuration information.", + "$ref": "#/definitions/reportingConfiguration" + }, + + "helpUri": { + "description": "A URI where the primary documentation for the report can be found.", + "type": "string", + "format": "uri" + }, + + "help": { + "description": "Provides the primary documentation for the report, useful when there is no online documentation.", + "$ref": "#/definitions/multiformatMessageString" + }, + + "relationships": { + "description": "An array of objects that describe relationships between this reporting descriptor and others.", + "type": "array", + "default": [], + "minItems": 0, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/reportingDescriptorRelationship" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the report.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "id" ] + }, + + "reportingConfiguration": { + "description": "Information about a rule or notification that can be configured at runtime.", + "type": "object", + "additionalProperties": false, + "properties": { + + "enabled": { + "description": "Specifies whether the report may be produced during the scan.", + "type": "boolean", + "default": true + }, + + "level": { + "description": "Specifies the failure level for the report.", + "default": "warning", + "enum": [ "none", "note", "warning", "error" ], + "type": "string" + }, + + "rank": { + "description": "Specifies the relative priority of the report. 
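Placeholder substitution in messageStrings is positional: a message selects an entry by id and supplies an 'arguments' array, and "{0}", "{1}", ... are replaced by index. A hedged sketch of that substitution (the template and id below are invented for illustration, not taken from any tool):

MESSAGE_STRINGS = {
  "default" => { "text" => "Dependency {0} at {1} is out of date." }
}

# Render a message that references a messageStrings entry by id and
# supplies positional arguments for the "{n}" placeholders.
def render(message)
  template = MESSAGE_STRINGS.fetch(message["id"])["text"]
  template.gsub(/\{(\d+)\}/) { message["arguments"][Regexp.last_match(1).to_i] }
end

render("id" => "default", "arguments" => ["rails", "7.0.0"])
# => "Dependency rails at 7.0.0 is out of date."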
Used for analysis output only.", + "type": "number", + "default": -1.0, + "minimum": -1.0, + "maximum": 100.0 + }, + + "parameters": { + "description": "Contains configuration information specific to a report.", + "$ref": "#/definitions/propertyBag" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the reporting configuration.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "reportingDescriptorReference": { + "description": "Information about how to locate a relevant reporting descriptor.", + "type": "object", + "additionalProperties": false, + "properties": { + + "id": { + "description": "The id of the descriptor.", + "type": "string" + }, + + "index": { + "description": "The index into an array of descriptors in toolComponent.ruleDescriptors, toolComponent.notificationDescriptors, or toolComponent.taxonomyDescriptors, depending on context.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "guid": { + "description": "A guid that uniquely identifies the descriptor.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "toolComponent": { + "description": "A reference used to locate the toolComponent associated with the descriptor.", + "$ref": "#/definitions/toolComponentReference" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the reporting descriptor reference.", + "$ref": "#/definitions/propertyBag" + } + }, + "anyOf": [ + { "required": [ "index" ] }, + { "required": [ "guid" ] }, + { "required": [ "id" ] } + ] + }, + + "reportingDescriptorRelationship": { + "description": "Information about the relation of one reporting descriptor to another.", + "type": "object", + "additionalProperties": false, + "properties": { + + "target": { + "description": "A reference to the related reporting descriptor.", + "$ref": "#/definitions/reportingDescriptorReference" + }, + + "kinds": { + "description": "A set of distinct strings that categorize the relationship. 
Well-known kinds include 'canPrecede', 'canFollow', 'willPrecede', 'willFollow', 'superset', 'subset', 'equal', 'disjoint', 'relevant', and 'incomparable'.", + "type": "array", + "default": [ "relevant" ], + "uniqueItems": true, + "items": { + "type": "string" + } + }, + + "description": { + "description": "A description of the reporting descriptor relationship.", + "$ref": "#/definitions/message" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the reporting descriptor relationship.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "target" ] + }, + + "result": { + "description": "A result produced by an analysis tool.", + "additionalProperties": false, + "type": "object", + "properties": { + + "ruleId": { + "description": "The stable, unique identifier of the rule, if any, to which this result is relevant.", + "type": "string" + }, + + "ruleIndex": { + "description": "The index within the tool component rules array of the rule object associated with this result.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "rule": { + "description": "A reference used to locate the rule descriptor relevant to this result.", + "$ref": "#/definitions/reportingDescriptorReference" + }, + + "kind": { + "description": "A value that categorizes results by evaluation state.", + "default": "fail", + "enum": [ "notApplicable", "pass", "fail", "review", "open", "informational" ], + "type": "string" + }, + + "level": { + "description": "A value specifying the severity level of the result.", + "default": "warning", + "enum": [ "none", "note", "warning", "error" ], + "type": "string" + }, + + "message": { + "description": "A message that describes the result. Only the first sentence of the message will be displayed when visible space is limited.", + "$ref": "#/definitions/message" + }, + + "analysisTarget": { + "description": "Identifies the artifact that the analysis tool was instructed to scan. This need not be the same as the artifact where the result actually occurred.", + "$ref": "#/definitions/artifactLocation" + }, + + "locations": { + "description": "The set of locations where the result was detected.
Specify only one location unless the problem indicated by the result can only be corrected by making a change at every specified location.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/location" + } + }, + + "guid": { + "description": "A stable, unique identifier for the result in the form of a GUID.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "correlationGuid": { + "description": "A stable, unique identifier for the equivalence class of logically identical results to which this result belongs, in the form of a GUID.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "occurrenceCount": { + "description": "A positive integer specifying the number of times this logically unique result was observed in this run.", + "type": "integer", + "minimum": 1 + }, + + "partialFingerprints": { + "description": "A set of strings that contribute to the stable, unique identity of the result.", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + + "fingerprints": { + "description": "A set of strings each of which individually defines a stable, unique identity for the result.", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + + "stacks": { + "description": "An array of 'stack' objects relevant to the result.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/stack" + } + }, + + "codeFlows": { + "description": "An array of 'codeFlow' objects relevant to the result.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/codeFlow" + } + }, + + "graphs": { + "description": "An array of zero or more unique graph objects associated with the result.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/graph" + } + }, + + "graphTraversals": { + "description": "An array of one or more unique 'graphTraversal' objects.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/graphTraversal" + } + }, + + "relatedLocations": { + "description": "A set of locations relevant to this result.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/location" + } + }, + + "suppressions": { + "description": "A set of suppressions relevant to this result.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/suppression" + } + }, + + "baselineState": { + "description": "The state of a result relative to a baseline of a previous run.", + "enum": [ + "new", + "unchanged", + "updated", + "absent" + ], + "type": "string" + }, + + "rank": { + "description": "A number representing the priority or importance of the result.", + "type": "number", + "default": -1.0, + "minimum": -1.0, + "maximum": 100.0 + }, + + "attachments": { + "description": "A set of artifacts relevant to the result.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/attachment" + } + }, + + "hostedViewerUri": { + "description": "An absolute URI at which the result can be viewed.", + "type": "string", + "format": "uri" + }, + + "workItemUris": { + 
"description": "The URIs of the work items associated with this result.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "items": { + "type": "string", + "format": "uri" + } + }, + + "provenance": { + "description": "Information about how and when the result was detected.", + "$ref": "#/definitions/resultProvenance" + }, + + "fixes": { + "description": "An array of 'fix' objects, each of which represents a proposed fix to the problem indicated by the result.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/fix" + } + }, + + "taxa": { + "description": "An array of references to taxonomy reporting descriptors that are applicable to the result.", + "type": "array", + "default": [], + "minItems": 0, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/reportingDescriptorReference" + } + }, + + "webRequest": { + "description": "A web request associated with this result.", + "$ref": "#/definitions/webRequest" + }, + + "webResponse": { + "description": "A web response associated with this result.", + "$ref": "#/definitions/webResponse" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the result.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "message" ] + }, + + "resultProvenance": { + "description": "Contains information about how and when a result was detected.", + "additionalProperties": false, + "type": "object", + "properties": { + + "firstDetectionTimeUtc": { + "description": "The Coordinated Universal Time (UTC) date and time at which the result was first detected. See \"Date/time properties\" in the SARIF spec for the required format.", + "type": "string", + "format": "date-time" + }, + + "lastDetectionTimeUtc": { + "description": "The Coordinated Universal Time (UTC) date and time at which the result was most recently detected. 
See \"Date/time properties\" in the SARIF spec for the required format.", + "type": "string", + "format": "date-time" + }, + + "firstDetectionRunGuid": { + "description": "A GUID-valued string equal to the automationDetails.guid property of the run in which the result was first detected.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "lastDetectionRunGuid": { + "description": "A GUID-valued string equal to the automationDetails.guid property of the run in which the result was most recently detected.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "invocationIndex": { + "description": "The index within the run.invocations array of the invocation object which describes the tool invocation that detected the result.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "conversionSources": { + "description": "An array of physicalLocation objects which specify the portions of an analysis tool's output that a converter transformed into the result.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/physicalLocation" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the result.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "run": { + "description": "Describes a single run of an analysis tool, and contains the reported output of that run.", + "additionalProperties": false, + "type": "object", + "properties": { + + "tool": { + "description": "Information about the tool or tool pipeline that generated the results in this run. A run can only contain results produced by a single tool or tool pipeline. A run can aggregate results from multiple log files, as long as context around the tool run (tool command-line arguments and the like) is identical for all aggregated files.", + "$ref": "#/definitions/tool" + }, + + "invocations": { + "description": "Describes the invocation of the analysis tool.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/invocation" + } + }, + + "conversion": { + "description": "A conversion object that describes how a converter transformed an analysis tool's native reporting format into the SARIF format.", + "$ref": "#/definitions/conversion" + }, + + "language": { + "description": "The language of the messages emitted into the log file during this run (expressed as an ISO 639-1 two-letter lowercase culture code) and an optional region (expressed as an ISO 3166-1 two-letter uppercase subculture code associated with a country or region). 
The casing is recommended but not required (in order for this data to conform to RFC5646).", + "type": "string", + "default": "en-US", + "pattern": "^[a-zA-Z]{2}(-[a-zA-Z]{2})?$" + }, + + "versionControlProvenance": { + "description": "Specifies the revision in version control of the artifacts that were scanned.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/versionControlDetails" + } + }, + + "originalUriBaseIds": { + "description": "The artifact location specified by each uriBaseId symbol on the machine where the tool originally ran.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/artifactLocation" + } + }, + + "artifacts": { + "description": "An array of artifact objects relevant to the run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/artifact" + } + }, + + "logicalLocations": { + "description": "An array of logical locations such as namespaces, types or functions.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/logicalLocation" + } + }, + + "graphs": { + "description": "An array of zero or more unique graph objects associated with the run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/graph" + } + }, + + "results": { + "description": "The set of results contained in an SARIF log. The results array can be omitted when a run is solely exporting rules metadata. It must be present (but may be empty) if a log file represents an actual scan.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "items": { + "$ref": "#/definitions/result" + } + }, + + "automationDetails": { + "description": "Automation details that describe this run.", + "$ref": "#/definitions/runAutomationDetails" + }, + + "runAggregates": { + "description": "Automation details that describe the aggregate of runs to which this run belongs.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/runAutomationDetails" + } + }, + + "baselineGuid": { + "description": "The 'guid' property of a previous SARIF 'run' that comprises the baseline that was used to compute result 'baselineState' properties for the run.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "redactionTokens": { + "description": "An array of strings used to replace sensitive information in a redaction-aware property.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "type": "string" + } + }, + + "defaultEncoding": { + "description": "Specifies the default encoding for any artifact object that refers to a text file.", + "type": "string" + }, + + "defaultSourceLanguage": { + "description": "Specifies the default source language for any artifact object that refers to a text file that contains source code.", + "type": "string" + }, + + "newlineSequences": { + "description": "An ordered list of character sequences that were treated as line breaks when computing region information for the run.", + "type": "array", + "minItems": 1, + "uniqueItems": true, + "default": [ "\r\n", "\n" ], + "items": { + "type": "string" + } + }, + + "columnKind": { + "description": "Specifies the unit in which the tool measures columns.", + "enum": [ "utf16CodeUnits", "unicodeCodePoints" ], + "type": 
"string" + }, + + "externalPropertyFileReferences": { + "description": "References to external property files that should be inlined with the content of a root log file.", + "$ref": "#/definitions/externalPropertyFileReferences" + }, + + "threadFlowLocations": { + "description": "An array of threadFlowLocation objects cached at run level.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/threadFlowLocation" + } + }, + + "taxonomies": { + "description": "An array of toolComponent objects relevant to a taxonomy in which results are categorized.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/toolComponent" + } + }, + + "addresses": { + "description": "Addresses associated with this run instance, if any.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "$ref": "#/definitions/address" + } + }, + + "translations": { + "description": "The set of available translations of the localized data provided by the tool.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/toolComponent" + } + }, + + "policies": { + "description": "Contains configurations that may potentially override both reportingDescriptor.defaultConfiguration (the tool's default severities) and invocation.configurationOverrides (severities established at run-time from the command line).", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/toolComponent" + } + }, + + "webRequests": { + "description": "An array of request objects cached at run level.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/webRequest" + } + }, + + "webResponses": { + "description": "An array of response objects cached at run level.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/webResponse" + } + }, + + "specialLocations": { + "description": "A specialLocations object that defines locations of special significance to SARIF consumers.", + "$ref": "#/definitions/specialLocations" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the run.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "tool" ] + }, + + "runAutomationDetails": { + "description": "Information that describes a run's identity and role within an engineering system process.", + "additionalProperties": false, + "type": "object", + "properties": { + + "description": { + "description": "A description of the identity and role played within the engineering system by this object's containing run object.", + "$ref": "#/definitions/message" + }, + + "id": { + "description": "A hierarchical string that uniquely identifies this object's containing run object.", + "type": "string" + }, + + "guid": { + "description": "A stable, unique identifier for this object's containing run object in the form of a GUID.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "correlationGuid": { + "description": "A stable, unique identifier for the equivalence class of runs to which this object's containing run object belongs in the form of a GUID.", + "type": "string", + "pattern": 
"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the run automation details.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "specialLocations": { + "description": "Defines locations of special significance to SARIF consumers.", + "type": "object", + "additionalProperties": false, + "properties": { + + "displayBase": { + "description": "Provides a suggestion to SARIF consumers to display file paths relative to the specified location.", + "$ref": "#/definitions/artifactLocation" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the special locations.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "stack": { + "description": "A call stack that is relevant to a result.", + "additionalProperties": false, + "type": "object", + "properties": { + + "message": { + "description": "A message relevant to this call stack.", + "$ref": "#/definitions/message" + }, + + "frames": { + "description": "An array of stack frames that represents a sequence of calls, rendered in reverse chronological order, that comprise the call stack.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "items": { + "$ref": "#/definitions/stackFrame" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the stack.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "frames" ] + }, + + "stackFrame": { + "description": "A function call within a stack trace.", + "additionalProperties": false, + "type": "object", + "properties": { + + "location": { + "description": "The location to which this stack frame refers.", + "$ref": "#/definitions/location" + }, + + "module": { + "description": "The name of the module that contains the code of this stack frame.", + "type": "string" + }, + + "threadId": { + "description": "The thread identifier of the stack frame.", + "type": "integer" + }, + + "parameters": { + "description": "The parameters of the call that is executing.", + "type": "array", + "minItems": 0, + "uniqueItems": false, + "default": [], + "items": { + "type": "string", + "default": [] + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the stack frame.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "suppression": { + "description": "A suppression that is relevant to a result.", + "additionalProperties": false, + "type": "object", + "properties": { + + "guid": { + "description": "A stable, unique identifier for the suprression in the form of a GUID.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "kind": { + "description": "A string that indicates where the suppression is persisted.", + "enum": [ + "inSource", + "external" + ], + "type": "string" + }, + + "status": { + "description": "A string that indicates the review status of the suppression.", + "enum": [ + "accepted", + "underReview", + "rejected" + ], + "type": "string" + }, + + "justification": { + "description": "A string representing the justification for the suppression.", + "type": "string" + }, + + "location": { + "description": "Identifies the location associated with the suppression.", + "$ref": "#/definitions/location" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the 
suppression.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "kind" ] + }, + + "threadFlow": { + "description": "Describes a sequence of code locations that specify a path through a single thread of execution such as an operating system or fiber.", + "type": "object", + "additionalProperties": false, + "properties": { + + "id": { + "description": "An string that uniquely identifies the threadFlow within the codeFlow in which it occurs.", + "type": "string" + }, + + "message": { + "description": "A message relevant to the thread flow.", + "$ref": "#/definitions/message" + }, + + + "initialState": { + "description": "Values of relevant expressions at the start of the thread flow that may change during thread flow execution.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/multiformatMessageString" + } + }, + + "immutableState": { + "description": "Values of relevant expressions at the start of the thread flow that remain constant.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/multiformatMessageString" + } + }, + + "locations": { + "description": "A temporally ordered array of 'threadFlowLocation' objects, each of which describes a location visited by the tool while producing the result.", + "type": "array", + "minItems": 1, + "uniqueItems": false, + "items": { + "$ref": "#/definitions/threadFlowLocation" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the thread flow.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "locations" ] + }, + + "threadFlowLocation": { + "description": "A location visited by an analysis tool while simulating or monitoring the execution of a program.", + "additionalProperties": false, + "type": "object", + "properties": { + + "index": { + "description": "The index within the run threadFlowLocations array.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "location": { + "description": "The code location.", + "$ref": "#/definitions/location" + }, + + "stack": { + "description": "The call stack leading to this location.", + "$ref": "#/definitions/stack" + }, + + "kinds": { + "description": "A set of distinct strings that categorize the thread flow location. Well-known kinds include 'acquire', 'release', 'enter', 'exit', 'call', 'return', 'branch', 'implicit', 'false', 'true', 'caution', 'danger', 'unknown', 'unreachable', 'taint', 'function', 'handler', 'lock', 'memory', 'resource', 'scope' and 'value'.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "type": "string" + } + }, + + "taxa": { + "description": "An array of references to rule or taxonomy reporting descriptors that are applicable to the thread flow location.", + "type": "array", + "default": [], + "minItems": 0, + "uniqueItems": true, + "items": { + "$ref": "#/definitions/reportingDescriptorReference" + } + }, + + "module": { + "description": "The name of the module that contains the code that is executing.", + "type": "string" + }, + + "state": { + "description": "A dictionary, each of whose keys specifies a variable or expression, the associated value of which represents the variable or expression value. 
For an annotation of kind 'continuation', for example, this dictionary might hold the current assumed values of a set of global variables.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/multiformatMessageString" + } + }, + + "nestingLevel": { + "description": "An integer representing a containment hierarchy within the thread flow.", + "type": "integer", + "minimum": 0 + }, + + "executionOrder": { + "description": "An integer representing the temporal order in which execution reached this location.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "executionTimeUtc": { + "description": "The Coordinated Universal Time (UTC) date and time at which this location was executed.", + "type": "string", + "format": "date-time" + }, + + "importance": { + "description": "Specifies the importance of this location in understanding the code flow in which it occurs. The order from most to least important is \"essential\", \"important\", \"unimportant\". Default: \"important\".", + "enum": [ "important", "essential", "unimportant" ], + "default": "important", + "type": "string" + }, + + "webRequest": { + "description": "A web request associated with this thread flow location.", + "$ref": "#/definitions/webRequest" + }, + + "webResponse": { + "description": "A web response associated with this thread flow location.", + "$ref": "#/definitions/webResponse" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the threadflow location.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "tool": { + "description": "The analysis tool that was run.", + "additionalProperties": false, + "type": "object", + "properties": { + + "driver": { + "description": "The analysis tool that was run.", + "$ref": "#/definitions/toolComponent" + }, + + "extensions": { + "description": "Tool extensions that contributed to or reconfigured the analysis tool that was run.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/toolComponent" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the tool.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "driver" ] + }, + + "toolComponent": { + "description": "A component, such as a plug-in or the driver, of the analysis tool that was run.", + "additionalProperties": false, + "type": "object", + "properties": { + + "guid": { + "description": "A unique identifier for the tool component in the form of a GUID.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "name": { + "description": "The name of the tool component.", + "type": "string" + }, + + "organization": { + "description": "The organization or company that produced the tool component.", + "type": "string" + }, + + "product": { + "description": "A product suite to which the tool component belongs.", + "type": "string" + }, + + "productSuite": { + "description": "A localizable string containing the name of the suite of products to which the tool component belongs.", + "type": "string" + }, + + "shortDescription": { + "description": "A brief description of the tool component.", + "$ref": "#/definitions/multiformatMessageString" + }, + + "fullDescription": { + "description": "A comprehensive description of the tool component.", + "$ref": "#/definitions/multiformatMessageString" + }, + + "fullName": { + "description": "The name of 
the tool component along with its version and any other useful identifying information, such as its locale.", + "type": "string" + }, + + "version": { + "description": "The tool component version, in whatever format the component natively provides.", + "type": "string" + }, + + "semanticVersion": { + "description": "The tool component version in the format specified by Semantic Versioning 2.0.", + "type": "string" + }, + + "dottedQuadFileVersion": { + "description": "The binary version of the tool component's primary executable file expressed as four non-negative integers separated by a period (for operating systems that express file versions in this way).", + "type": "string", + "pattern": "[0-9]+(\\.[0-9]+){3}" + }, + + "releaseDateUtc": { + "description": "A string specifying the UTC date (and optionally, the time) of the component's release.", + "type": "string" + }, + + "downloadUri": { + "description": "The absolute URI from which the tool component can be downloaded.", + "type": "string", + "format": "uri" + }, + + "informationUri": { + "description": "The absolute URI at which information about this version of the tool component can be found.", + "type": "string", + "format": "uri" + }, + + "globalMessageStrings": { + "description": "A dictionary, each of whose keys is a resource identifier and each of whose values is a multiformatMessageString object, which holds message strings in plain text and (optionally) Markdown format. The strings can include placeholders, which can be used to construct a message in combination with an arbitrary number of additional string arguments.", + "type": "object", + "additionalProperties": { + "$ref": "#/definitions/multiformatMessageString" + } + }, + + "notifications": { + "description": "An array of reportingDescriptor objects relevant to the notifications related to the configuration and runtime execution of the tool component.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/reportingDescriptor" + } + }, + + "rules": { + "description": "An array of reportingDescriptor objects relevant to the analysis performed by the tool component.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/reportingDescriptor" + } + }, + + "taxa": { + "description": "An array of reportingDescriptor objects relevant to the definitions of both standalone and tool-defined taxonomies.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/reportingDescriptor" + } + }, + + "locations": { + "description": "An array of the artifactLocation objects associated with the tool component.", + "type": "array", + "minItems": 0, + "default": [], + "items": { + "$ref": "#/definitions/artifactLocation" + } + }, + + "language": { + "description": "The language of the messages emitted into the log file during this run (expressed as an ISO 639-1 two-letter lowercase language code) and an optional region (expressed as an ISO 3166-1 two-letter uppercase subculture code associated with a country or region). 
The casing is recommended but not required (in order for this data to conform to RFC5646).", + "type": "string", + "default": "en-US", + "pattern": "^[a-zA-Z]{2}(-[a-zA-Z]{2})?$" + }, + + "contents": { + "description": "The kinds of data contained in this object.", + "type": "array", + "uniqueItems": true, + "default": [ "localizedData", "nonLocalizedData" ], + "items": { + "enum": [ + "localizedData", + "nonLocalizedData" + ], + "type": "string" + } + }, + + "isComprehensive": { + "description": "Specifies whether this object contains a complete definition of the localizable and/or non-localizable data for this component, as opposed to including only data that is relevant to the results persisted to this log file.", + "type": "boolean", + "default": false + }, + + "localizedDataSemanticVersion": { + "description": "The semantic version of the localized strings defined in this component; maintained by components that provide translations.", + "type": "string" + }, + + "minimumRequiredLocalizedDataSemanticVersion": { + "description": "The minimum value of localizedDataSemanticVersion required in translations consumed by this component; used by components that consume translations.", + "type": "string" + }, + + "associatedComponent": { + "description": "The component which is strongly associated with this component. For a translation, this refers to the component which has been translated. For an extension, this is the driver that provides the extension's plugin model.", + "$ref": "#/definitions/toolComponentReference" + }, + + "translationMetadata": { + "description": "Translation metadata, required for a translation, not populated by other component types.", + "$ref": "#/definitions/translationMetadata" + }, + + "supportedTaxonomies": { + "description": "An array of toolComponentReference objects to declare the taxonomies supported by the tool component.", + "type": "array", + "minItems": 0, + "uniqueItems": true, + "default": [], + "items": { + "$ref": "#/definitions/toolComponentReference" + } + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the tool component.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "name" ] + }, + + "toolComponentReference": { + "description": "Identifies a particular toolComponent object, either the driver or an extension.", + "type": "object", + "additionalProperties": false, + "properties": { + + "name": { + "description": "The 'name' property of the referenced toolComponent.", + "type": "string" + }, + + "index": { + "description": "An index into the referenced toolComponent in tool.extensions.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "guid": { + "description": "The 'guid' property of the referenced toolComponent.", + "type": "string", + "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the toolComponentReference.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "translationMetadata": { + "description": "Provides additional metadata related to translation.", + "type": "object", + "additionalProperties": false, + "properties": { + + "name": { + "description": "The name associated with the translation metadata.", + "type": "string" + }, + + "fullName": { + "description": "The full name associated with the translation metadata.", + "type": "string" + }, + + "shortDescription": { + "description": "A brief 
description of the translation metadata.", + "$ref": "#/definitions/multiformatMessageString" + }, + + "fullDescription": { + "description": "A comprehensive description of the translation metadata.", + "$ref": "#/definitions/multiformatMessageString" + }, + + "downloadUri": { + "description": "The absolute URI from which the translation metadata can be downloaded.", + "type": "string", + "format": "uri" + }, + + "informationUri": { + "description": "The absolute URI from which information related to the translation metadata can be downloaded.", + "type": "string", + "format": "uri" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the translation metadata.", + "$ref": "#/definitions/propertyBag" + } + }, + "required": [ "name" ] + }, + + "versionControlDetails": { + "description": "Specifies the information necessary to retrieve a desired revision from a version control system.", + "type": "object", + "additionalProperties": false, + "properties": { + + "repositoryUri": { + "description": "The absolute URI of the repository.", + "type": "string", + "format": "uri" + }, + + "revisionId": { + "description": "A string that uniquely and permanently identifies the revision within the repository.", + "type": "string" + }, + + "branch": { + "description": "The name of a branch containing the revision.", + "type": "string" + }, + + "revisionTag": { + "description": "A tag that has been applied to the revision.", + "type": "string" + }, + + "asOfTimeUtc": { + "description": "A Coordinated Universal Time (UTC) date and time that can be used to synchronize an enlistment to the state of the repository at that time.", + "type": "string", + "format": "date-time" + }, + + "mappedTo": { + "description": "The location in the local file system to which the root of the repository was mapped at the time of the analysis.", + "$ref": "#/definitions/artifactLocation" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the version control details.", + "$ref": "#/definitions/propertyBag" + } + }, + + "required": [ "repositoryUri" ] + }, + + "webRequest": { + "description": "Describes an HTTP request.", + "type": "object", + "additionalProperties": false, + "properties": { + + "index": { + "description": "The index within the run.webRequests array of the request object associated with this result.", + "type": "integer", + "default": -1, + "minimum": -1 + + }, + + "protocol": { + "description": "The request protocol. Example: 'http'.", + "type": "string" + }, + + "version": { + "description": "The request version. Example: '1.1'.", + "type": "string" + }, + + "target": { + "description": "The target of the request.", + "type": "string" + }, + + "method": { + "description": "The HTTP method. 
Well-known values are 'GET', 'PUT', 'POST', 'DELETE', 'PATCH', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT'.", + "type": "string" + }, + + "headers": { + "description": "The request headers.", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + + "parameters": { + "description": "The request parameters.", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + + "body": { + "description": "The body of the request.", + "$ref": "#/definitions/artifactContent" + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the request.", + "$ref": "#/definitions/propertyBag" + } + } + }, + + "webResponse": { + "description": "Describes the response to an HTTP request.", + "type": "object", + "additionalProperties": false, + "properties": { + + "index": { + "description": "The index within the run.webResponses array of the response object associated with this result.", + "type": "integer", + "default": -1, + "minimum": -1 + }, + + "protocol": { + "description": "The response protocol. Example: 'http'.", + "type": "string" + }, + + "version": { + "description": "The response version. Example: '1.1'.", + "type": "string" + }, + + "statusCode": { + "description": "The response status code. Example: 451.", + "type": "integer" + }, + + "reasonPhrase": { + "description": "The response reason. Example: 'Not found'.", + "type": "string" + }, + + "headers": { + "description": "The response headers.", + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + + "body": { + "description": "The body of the response.", + "$ref": "#/definitions/artifactContent" + }, + + "noResponseReceived": { + "description": "Specifies whether a response was received from the server.", + "type": "boolean", + "default": false + }, + + "properties": { + "description": "Key/value pairs that provide additional information about the response.", + "$ref": "#/definitions/propertyBag" + } + } + } + } +} diff --git a/test/git/pkgs/test_cli.rb b/test/git/pkgs/test_cli.rb index 85d6424..fe3b86c 100644 --- a/test/git/pkgs/test_cli.rb +++ b/test/git/pkgs/test_cli.rb @@ -1751,7 +1751,7 @@ def teardown cleanup_test_repo end - def create_commit_with_changes(author, changes, message: "Test commit", committed_at: Time.now) + def create_commit_with_changes(author, changes, message: "Test commit", committed_at: Time.now, manifest_kind: "manifest") sha = SecureRandom.hex(20) commit = Git::Pkgs::Models::Commit.create( sha: sha, @@ -1762,10 +1762,11 @@ def create_commit_with_changes(author, changes, message: "Test commit", committe has_dependency_changes: changes.any? ) + manifest_path = manifest_kind == "lockfile" ? "Gemfile.lock" : "Gemfile" manifest = Git::Pkgs::Models::Manifest.find_or_create( - path: "Gemfile", + path: manifest_path, ecosystem: "rubygems", - kind: "manifest" + kind: manifest_kind ) changes.each do |change| @@ -1783,14 +1784,15 @@ def create_commit_with_changes(author, changes, message: "Test commit", committe commit end - def create_branch_with_snapshot(branch_name, commit, dependencies) + def create_branch_with_snapshot(branch_name, commit, dependencies, manifest_kind: "manifest") branch = Git::Pkgs::Models::Branch.create(name: branch_name, last_analyzed_sha: commit.sha) Git::Pkgs::Models::BranchCommit.create(branch: branch, commit: commit, position: 1) + manifest_path = manifest_kind == "lockfile" ? 
"Gemfile.lock" : "Gemfile" manifest = Git::Pkgs::Models::Manifest.find_or_create( - path: "Gemfile", + path: manifest_path, ecosystem: "rubygems", - kind: "manifest" + kind: manifest_kind ) dependencies.each do |dep| @@ -2160,11 +2162,11 @@ class Git::Pkgs::TestStaleCommand < Git::Pkgs::CommandTestBase def test_stale_shows_dependencies_by_last_update old_time = Time.now - (100 * 24 * 60 * 60) # 100 days ago commit = create_commit_with_changes("alice", [ - { name: "rails", change_type: "added", requirement: "~> 7.0" } - ], committed_at: old_time) + { name: "rails", change_type: "added", requirement: "7.0.0" } + ], committed_at: old_time, manifest_kind: "lockfile") create_branch_with_snapshot("main", commit, [ - { name: "rails", requirement: "~> 7.0" } - ]) + { name: "rails", requirement: "7.0.0" } + ], manifest_kind: "lockfile") output = capture_stdout do Dir.chdir(@test_dir) do @@ -2180,8 +2182,8 @@ def test_stale_filters_by_days recent_time = Time.now - (5 * 24 * 60 * 60) # 5 days ago commit = create_commit_with_changes("alice", [ { name: "rails", change_type: "added" } - ], committed_at: recent_time) - create_branch_with_snapshot("main", commit, [{ name: "rails" }]) + ], committed_at: recent_time, manifest_kind: "lockfile") + create_branch_with_snapshot("main", commit, [{ name: "rails" }], manifest_kind: "lockfile") output = capture_stdout do Dir.chdir(@test_dir) do @@ -2195,11 +2197,11 @@ def test_stale_filters_by_days def test_stale_json_format old_time = Time.now - (100 * 24 * 60 * 60) # 100 days ago commit = create_commit_with_changes("alice", [ - { name: "rails", change_type: "added", requirement: "~> 7.0" } - ], committed_at: old_time) + { name: "rails", change_type: "added", requirement: "7.0.0" } + ], committed_at: old_time, manifest_kind: "lockfile") create_branch_with_snapshot("main", commit, [ - { name: "rails", requirement: "~> 7.0" } - ]) + { name: "rails", requirement: "7.0.0" } + ], manifest_kind: "lockfile") output = capture_stdout do Dir.chdir(@test_dir) do @@ -2211,7 +2213,7 @@ def test_stale_json_format assert_equal 1, data.length assert_equal "rails", data.first["name"] assert_equal "rubygems", data.first["ecosystem"] - assert_equal "~> 7.0", data.first["requirement"] + assert_equal "7.0.0", data.first["requirement"] assert data.first["days_ago"] >= 99 assert data.first.key?("last_updated") end @@ -2220,8 +2222,8 @@ def test_stale_json_format_empty recent_time = Time.now - (5 * 24 * 60 * 60) # 5 days ago commit = create_commit_with_changes("alice", [ { name: "rails", change_type: "added" } - ], committed_at: recent_time) - create_branch_with_snapshot("main", commit, [{ name: "rails" }]) + ], committed_at: recent_time, manifest_kind: "lockfile") + create_branch_with_snapshot("main", commit, [{ name: "rails" }], manifest_kind: "lockfile") output = capture_stdout do Dir.chdir(@test_dir) do @@ -2237,10 +2239,10 @@ def test_stale_filters_by_ecosystem old_time = Time.now - (100 * 24 * 60 * 60) commit = create_commit_with_changes("alice", [ { name: "rails", change_type: "added", ecosystem: "rubygems" } - ], committed_at: old_time) + ], committed_at: old_time, manifest_kind: "lockfile") create_branch_with_snapshot("main", commit, [ { name: "rails", ecosystem: "rubygems" } - ]) + ], manifest_kind: "lockfile") output = capture_stdout do Dir.chdir(@test_dir) do @@ -2287,16 +2289,16 @@ def test_stale_text_output_formatting recent_time = Time.now - (10 * 24 * 60 * 60) # 10 days ago commit1 = create_commit_with_changes("alice", [ - { name: "rails", change_type: "added", 
requirement: "~> 7.0" } - ], committed_at: old_time) + { name: "rails", change_type: "added", requirement: "7.0.0" } + ], committed_at: old_time, manifest_kind: "lockfile") commit2 = create_commit_with_changes("bob", [ - { name: "puma", change_type: "added", requirement: "~> 6.0" } - ], committed_at: recent_time) + { name: "puma", change_type: "added", requirement: "6.0.0" } + ], committed_at: recent_time, manifest_kind: "lockfile") create_branch_with_snapshot("main", commit2, [ - { name: "rails", requirement: "~> 7.0" }, - { name: "puma", requirement: "~> 6.0" } - ]) + { name: "rails", requirement: "7.0.0" }, + { name: "puma", requirement: "6.0.0" } + ], manifest_kind: "lockfile") # Re-associate rails change with older commit rails_change = Git::Pkgs::Models::DependencyChange.first(name: "rails") @@ -2314,6 +2316,28 @@ def test_stale_text_output_formatting # Rails should appear first (older) assert output.index("rails") < output.index("puma") end + + def test_stale_only_shows_lockfile_deps + # Stale command should only show lockfile dependencies, not manifest constraints + old_time = Time.now - (100 * 24 * 60 * 60) + commit = create_commit_with_changes("alice", [ + { name: "rails", change_type: "added", requirement: ">= 0" } + ], committed_at: old_time) + + # Create manifest entry (should be ignored) + create_branch_with_snapshot("main", commit, [ + { name: "rails", requirement: ">= 0" } + ], manifest_kind: "manifest") + + output = capture_stdout do + Dir.chdir(@test_dir) do + Git::Pkgs::Commands::Stale.new([]).run + end + end + + # Should not find manifest-only dependencies + assert_includes output, "No dependencies found" + end end class Git::Pkgs::TestTreeCommand < Git::Pkgs::CommandTestBase diff --git a/test/git/pkgs/test_config.rb b/test/git/pkgs/test_config.rb index f491e20..922d90c 100644 --- a/test/git/pkgs/test_config.rb +++ b/test/git/pkgs/test_config.rb @@ -13,57 +13,59 @@ def setup def teardown cleanup_test_repo Git::Pkgs::Config.reset! + Git::Pkgs.work_tree = nil + Git::Pkgs.git_dir = nil end def test_ignored_dirs_returns_empty_array_when_not_configured - Dir.chdir(@test_dir) do + with_pkgs_dir do assert_equal [], Git::Pkgs::Config.ignored_dirs end end def test_ignored_dirs_returns_configured_values - Dir.chdir(@test_dir) do - system("git config --add pkgs.ignoredDirs third_party", out: File::NULL) - system("git config --add pkgs.ignoredDirs external", out: File::NULL) - Git::Pkgs::Config.reset! + git("config --add pkgs.ignoredDirs third_party") + git("config --add pkgs.ignoredDirs external") + with_pkgs_dir do + Git::Pkgs::Config.reset! assert_equal ["third_party", "external"], Git::Pkgs::Config.ignored_dirs end end def test_ignored_files_returns_empty_array_when_not_configured - Dir.chdir(@test_dir) do + with_pkgs_dir do assert_equal [], Git::Pkgs::Config.ignored_files end end def test_ignored_files_returns_configured_values - Dir.chdir(@test_dir) do - system("git config --add pkgs.ignoredFiles test/fixtures/package.json", out: File::NULL) - Git::Pkgs::Config.reset! + git("config --add pkgs.ignoredFiles test/fixtures/package.json") + with_pkgs_dir do + Git::Pkgs::Config.reset! 
assert_equal ["test/fixtures/package.json"], Git::Pkgs::Config.ignored_files end end def test_ecosystems_returns_empty_array_when_not_configured - Dir.chdir(@test_dir) do + with_pkgs_dir do assert_equal [], Git::Pkgs::Config.ecosystems end end def test_ecosystems_returns_configured_values - Dir.chdir(@test_dir) do - system("git config --add pkgs.ecosystems rubygems", out: File::NULL) - system("git config --add pkgs.ecosystems npm", out: File::NULL) - Git::Pkgs::Config.reset! + git("config --add pkgs.ecosystems rubygems") + git("config --add pkgs.ecosystems npm") + with_pkgs_dir do + Git::Pkgs::Config.reset! assert_equal ["rubygems", "npm"], Git::Pkgs::Config.ecosystems end end def test_filter_ecosystem_returns_false_when_no_ecosystems_configured - Dir.chdir(@test_dir) do + with_pkgs_dir do refute Git::Pkgs::Config.filter_ecosystem?("rubygems") refute Git::Pkgs::Config.filter_ecosystem?("npm") refute Git::Pkgs::Config.filter_ecosystem?("carthage") @@ -72,41 +74,41 @@ def test_filter_ecosystem_returns_false_when_no_ecosystems_configured end def test_filter_ecosystem_returns_false_for_included_ecosystem - Dir.chdir(@test_dir) do - system("git config --add pkgs.ecosystems rubygems", out: File::NULL) - system("git config --add pkgs.ecosystems npm", out: File::NULL) - Git::Pkgs::Config.reset! + git("config --add pkgs.ecosystems rubygems") + git("config --add pkgs.ecosystems npm") + with_pkgs_dir do + Git::Pkgs::Config.reset! refute Git::Pkgs::Config.filter_ecosystem?("rubygems") refute Git::Pkgs::Config.filter_ecosystem?("npm") end end def test_filter_ecosystem_returns_true_for_excluded_ecosystem - Dir.chdir(@test_dir) do - system("git config --add pkgs.ecosystems rubygems", out: File::NULL) - Git::Pkgs::Config.reset! + git("config --add pkgs.ecosystems rubygems") + with_pkgs_dir do + Git::Pkgs::Config.reset! assert Git::Pkgs::Config.filter_ecosystem?("npm") assert Git::Pkgs::Config.filter_ecosystem?("pypi") end end def test_filter_ecosystem_is_case_insensitive - Dir.chdir(@test_dir) do - system("git config --add pkgs.ecosystems RubyGems", out: File::NULL) - Git::Pkgs::Config.reset! + git("config --add pkgs.ecosystems RubyGems") + with_pkgs_dir do + Git::Pkgs::Config.reset! refute Git::Pkgs::Config.filter_ecosystem?("rubygems") refute Git::Pkgs::Config.filter_ecosystem?("RUBYGEMS") end end def test_configure_bibliothecary_adds_ignored_dirs - Dir.chdir(@test_dir) do - system("git config --add pkgs.ignoredDirs my_vendor", out: File::NULL) - Git::Pkgs::Config.reset! + git("config --add pkgs.ignoredDirs my_vendor") + with_pkgs_dir do + Git::Pkgs::Config.reset! original_dirs = Bibliothecary.configuration.ignored_dirs.dup Git::Pkgs::Config.configure_bibliothecary @@ -118,10 +120,10 @@ def test_configure_bibliothecary_adds_ignored_dirs end def test_configure_bibliothecary_adds_ignored_files - Dir.chdir(@test_dir) do - system("git config --add pkgs.ignoredFiles fixtures/Gemfile", out: File::NULL) - Git::Pkgs::Config.reset! + git("config --add pkgs.ignoredFiles fixtures/Gemfile") + with_pkgs_dir do + Git::Pkgs::Config.reset! 
original_files = Bibliothecary.configuration.ignored_files.dup Git::Pkgs::Config.configure_bibliothecary @@ -131,4 +133,15 @@ def test_configure_bibliothecary_adds_ignored_files Bibliothecary.configuration.ignored_files = original_files end end + + def with_pkgs_dir + old_git_dir = Git::Pkgs.git_dir + old_work_tree = Git::Pkgs.work_tree + Git::Pkgs.git_dir = File.join(@test_dir, ".git") + Git::Pkgs.work_tree = @test_dir + yield + ensure + Git::Pkgs.git_dir = old_git_dir + Git::Pkgs.work_tree = old_work_tree + end end diff --git a/test/git/pkgs/test_database.rb b/test/git/pkgs/test_database.rb index a7a710f..072ab5f 100644 --- a/test/git/pkgs/test_database.rb +++ b/test/git/pkgs/test_database.rb @@ -52,4 +52,82 @@ def test_drop_removes_database Git::Pkgs::Database.drop(@git_dir) refute Git::Pkgs::Database.exists?(@git_dir) end + + def test_create_schema_sets_version + Git::Pkgs::Database.connect(@git_dir, check_version: false) + Git::Pkgs::Database.create_schema + + assert_equal Git::Pkgs::Database::SCHEMA_VERSION, Git::Pkgs::Database.stored_version + end + + def test_needs_upgrade_returns_true_for_old_schema + Git::Pkgs::Database.connect(@git_dir, check_version: false) + Git::Pkgs::Database.create_schema + Git::Pkgs::Database.set_version(1) + + assert Git::Pkgs::Database.needs_upgrade? + end + + def test_needs_upgrade_returns_false_for_current_schema + Git::Pkgs::Database.connect(@git_dir, check_version: false) + Git::Pkgs::Database.create_schema + + refute Git::Pkgs::Database.needs_upgrade? + end + + def test_check_version_migrates_old_schema + Git::Pkgs::Database.connect(@git_dir, check_version: false) + Git::Pkgs::Database.create_schema + Git::Pkgs::Database.set_version(1) + + assert Git::Pkgs::Database.needs_upgrade? + Git::Pkgs::Database.check_version! + refute Git::Pkgs::Database.needs_upgrade? + assert_equal Git::Pkgs::Database::SCHEMA_VERSION, Git::Pkgs::Database.stored_version + end + + def test_migrate_to_v2_adds_vuln_tables + Git::Pkgs::Database.connect(@git_dir, check_version: false) + + # Create only v1 tables manually + db = Git::Pkgs::Database.db + db.create_table(:schema_info) { Integer :version } + db.create_table(:branches) { primary_key :id; String :name } + db.create_table(:commits) { primary_key :id; String :sha } + db.create_table(:branch_commits) { primary_key :id } + db.create_table(:manifests) { primary_key :id; String :path } + db.create_table(:dependency_changes) { primary_key :id; String :name } + db.create_table(:dependency_snapshots) { primary_key :id; String :name } + Git::Pkgs::Database.set_version(1) + + refute db.table_exists?(:packages) + refute db.table_exists?(:vulnerabilities) + + Git::Pkgs::Database.migrate! 
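The migration tests above revolve around a version number stored in a schema_info table. A hedged sketch of that pattern using Sequel (illustrative only, not the project's Database module):

require "sequel"

SCHEMA_VERSION = 2
db = Sequel.sqlite # in-memory, like connect_memory in the tests

db.create_table?(:schema_info) { Integer :version }

stored = db[:schema_info].get(:version) # nil on a fresh database
if stored.nil? || stored < SCHEMA_VERSION
  # Run migrations here, e.g. create the v2 vulnerability tables,
  # then record the new version as the single schema_info row.
  db[:schema_info].delete
  db[:schema_info].insert(version: SCHEMA_VERSION)
end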
+ + assert db.table_exists?(:packages) + assert db.table_exists?(:vulnerabilities) + assert db.table_exists?(:vulnerability_packages) + assert_equal Git::Pkgs::Database::SCHEMA_VERSION, Git::Pkgs::Database.stored_version + end + + def test_create_schema_creates_vuln_tables + Git::Pkgs::Database.connect(@git_dir, check_version: false) + Git::Pkgs::Database.create_schema + + db = Git::Pkgs::Database.db + assert db.table_exists?(:packages) + assert db.table_exists?(:vulnerabilities) + assert db.table_exists?(:vulnerability_packages) + end + + def test_connect_memory_creates_full_schema + Git::Pkgs::Database.connect_memory + + db = Git::Pkgs::Database.db + assert db.table_exists?(:commits) + assert db.table_exists?(:packages) + assert db.table_exists?(:vulnerabilities) + assert db.table_exists?(:vulnerability_packages) + end end diff --git a/test/git/pkgs/test_diff_driver.rb b/test/git/pkgs/test_diff_driver.rb index 8a6c247..1df45f5 100644 --- a/test/git/pkgs/test_diff_driver.rb +++ b/test/git/pkgs/test_diff_driver.rb @@ -134,67 +134,63 @@ def teardown end def test_install_creates_gitattributes_for_lockfiles - Dir.chdir(@test_dir) do + with_pkgs_dir do capture_stdout do - driver = Git::Pkgs::Commands::DiffDriver.new(["--install"]) - driver.run + Git::Pkgs::Commands::DiffDriver.new(["--install"]).run end - - assert File.exist?(".gitattributes") - content = File.read(".gitattributes") - assert_includes content, "Gemfile.lock diff=pkgs" - assert_includes content, "package-lock.json diff=pkgs" - assert_includes content, "yarn.lock diff=pkgs" - # Should NOT include manifests - refute_includes content, "Gemfile diff=pkgs" - refute_includes content, "package.json diff=pkgs" end + + gitattributes = File.join(@test_dir, ".gitattributes") + assert File.exist?(gitattributes) + content = File.read(gitattributes) + assert_includes content, "Gemfile.lock diff=pkgs" + assert_includes content, "package-lock.json diff=pkgs" + assert_includes content, "yarn.lock diff=pkgs" + # Should NOT include manifests + refute_includes content, "Gemfile diff=pkgs" + refute_includes content, "package.json diff=pkgs" end def test_install_sets_textconv_config - Dir.chdir(@test_dir) do + with_pkgs_dir do capture_stdout do - driver = Git::Pkgs::Commands::DiffDriver.new(["--install"]) - driver.run + Git::Pkgs::Commands::DiffDriver.new(["--install"]).run end - - config = `git config --get diff.pkgs.textconv`.chomp - assert_equal "git-pkgs diff-driver", config end + + config = `git -C #{@test_dir} config --get diff.pkgs.textconv`.chomp + assert_equal "git-pkgs diff-driver", config end def test_uninstall_removes_config - Dir.chdir(@test_dir) do - # First install - capture_stdout do - Git::Pkgs::Commands::DiffDriver.new(["--install"]).run - end - - # Then uninstall - capture_stdout do - Git::Pkgs::Commands::DiffDriver.new(["--uninstall"]).run - end - - config = `git config --get diff.pkgs.textconv 2>&1`.chomp - refute_equal "git-pkgs diff-driver", config + with_pkgs_dir do + capture_stdout { Git::Pkgs::Commands::DiffDriver.new(["--install"]).run } + capture_stdout { Git::Pkgs::Commands::DiffDriver.new(["--uninstall"]).run } end + + config = `git -C #{@test_dir} config --get diff.pkgs.textconv 2>&1`.chomp + refute_equal "git-pkgs diff-driver", config end def test_uninstall_cleans_gitattributes - Dir.chdir(@test_dir) do - # First install - capture_stdout do - Git::Pkgs::Commands::DiffDriver.new(["--install"]).run - end + with_pkgs_dir do + capture_stdout { Git::Pkgs::Commands::DiffDriver.new(["--install"]).run } + capture_stdout { 
Git::Pkgs::Commands::DiffDriver.new(["--uninstall"]).run } + end - # Then uninstall - capture_stdout do - Git::Pkgs::Commands::DiffDriver.new(["--uninstall"]).run - end + content = File.read(File.join(@test_dir, ".gitattributes")) + refute_includes content, "diff=pkgs" + end - content = File.read(".gitattributes") - refute_includes content, "diff=pkgs" - end + def with_pkgs_dir + old_git_dir = Git::Pkgs.git_dir + old_work_tree = Git::Pkgs.work_tree + Git::Pkgs.git_dir = File.join(@test_dir, ".git") + Git::Pkgs.work_tree = @test_dir + yield + ensure + Git::Pkgs.git_dir = old_git_dir + Git::Pkgs.work_tree = old_work_tree end def capture_stdout diff --git a/test/git/pkgs/test_ecosystems.rb b/test/git/pkgs/test_ecosystems.rb new file mode 100644 index 0000000..b114779 --- /dev/null +++ b/test/git/pkgs/test_ecosystems.rb @@ -0,0 +1,111 @@ +# frozen_string_literal: true + +require "test_helper" + +class Git::Pkgs::TestEcosystems < Minitest::Test + def test_to_osv_npm + assert_equal "npm", Git::Pkgs::Ecosystems.to_osv("npm") + end + + def test_to_osv_rubygems + assert_equal "RubyGems", Git::Pkgs::Ecosystems.to_osv("rubygems") + end + + def test_to_osv_pypi + assert_equal "PyPI", Git::Pkgs::Ecosystems.to_osv("pypi") + end + + def test_to_osv_cargo + assert_equal "crates.io", Git::Pkgs::Ecosystems.to_osv("cargo") + end + + def test_to_osv_go + assert_equal "Go", Git::Pkgs::Ecosystems.to_osv("go") + end + + def test_to_osv_packagist + assert_equal "Packagist", Git::Pkgs::Ecosystems.to_osv("packagist") + end + + def test_to_osv_case_insensitive + assert_equal "RubyGems", Git::Pkgs::Ecosystems.to_osv("RubyGems") + assert_equal "RubyGems", Git::Pkgs::Ecosystems.to_osv("RUBYGEMS") + end + + def test_to_osv_unknown_returns_nil + assert_nil Git::Pkgs::Ecosystems.to_osv("unknown") + end + + def test_to_purl_rubygems + assert_equal "gem", Git::Pkgs::Ecosystems.to_purl("rubygems") + end + + def test_to_purl_packagist + assert_equal "composer", Git::Pkgs::Ecosystems.to_purl("packagist") + end + + def test_to_purl_go + assert_equal "golang", Git::Pkgs::Ecosystems.to_purl("go") + end + + def test_from_osv_rubygems + assert_equal "rubygems", Git::Pkgs::Ecosystems.from_osv("RubyGems") + end + + def test_from_osv_crates + assert_equal "cargo", Git::Pkgs::Ecosystems.from_osv("crates.io") + end + + def test_from_purl_gem + assert_equal "rubygems", Git::Pkgs::Ecosystems.from_purl("gem") + end + + def test_from_purl_golang + assert_equal "go", Git::Pkgs::Ecosystems.from_purl("golang") + end + + def test_supported_rubygems + assert Git::Pkgs::Ecosystems.supported?("rubygems") + end + + def test_supported_npm + assert Git::Pkgs::Ecosystems.supported?("npm") + end + + def test_supported_unknown + refute Git::Pkgs::Ecosystems.supported?("unknown") + end + + def test_supported_ecosystems_list + ecosystems = Git::Pkgs::Ecosystems.supported_ecosystems + assert_includes ecosystems, "npm" + assert_includes ecosystems, "rubygems" + assert_includes ecosystems, "pypi" + assert_includes ecosystems, "cargo" + assert_includes ecosystems, "maven" + end + + def test_generate_purl_npm + assert_equal "pkg:npm/lodash", Git::Pkgs::Ecosystems.generate_purl("npm", "lodash") + end + + def test_generate_purl_rubygems + assert_equal "pkg:gem/rails", Git::Pkgs::Ecosystems.generate_purl("rubygems", "rails") + end + + def test_generate_purl_pypi + assert_equal "pkg:pypi/requests", Git::Pkgs::Ecosystems.generate_purl("pypi", "requests") + end + + def test_generate_purl_cargo + assert_equal "pkg:cargo/serde", 
Git::Pkgs::Ecosystems.generate_purl("cargo", "serde") + end + + def test_generate_purl_go + assert_equal "pkg:golang/github.com/gin-gonic/gin", Git::Pkgs::Ecosystems.generate_purl("go", "github.com/gin-gonic/gin") + end + + def test_generate_purl_unknown_ecosystem + assert_nil Git::Pkgs::Ecosystems.generate_purl("unknown", "package") + end +end diff --git a/test/git/pkgs/test_osv_client.rb b/test/git/pkgs/test_osv_client.rb new file mode 100644 index 0000000..b3fb57e --- /dev/null +++ b/test/git/pkgs/test_osv_client.rb @@ -0,0 +1,155 @@ +# frozen_string_literal: true + +require "test_helper" +require "webmock/minitest" + +class Git::Pkgs::TestOsvClient < Minitest::Test + def setup + @client = Git::Pkgs::OsvClient.new + WebMock.disable_net_connect! + end + + def teardown + WebMock.allow_net_connect! + end + + def test_query_returns_vulnerabilities + stub_request(:post, "https://api.osv.dev/v1/query") + .with(body: { + package: { name: "lodash", ecosystem: "npm" }, + version: "4.17.15" + }.to_json) + .to_return( + status: 200, + body: { + vulns: [ + { id: "GHSA-1234", summary: "Test vulnerability" } + ] + }.to_json, + headers: { "Content-Type" => "application/json" } + ) + + vulns = @client.query(ecosystem: "npm", name: "lodash", version: "4.17.15") + + assert_equal 1, vulns.size + assert_equal "GHSA-1234", vulns.first["id"] + end + + def test_query_handles_pagination + stub_request(:post, "https://api.osv.dev/v1/query") + .with(body: { + package: { name: "lodash", ecosystem: "npm" }, + version: "4.17.15" + }.to_json) + .to_return( + status: 200, + body: { + vulns: [{ id: "GHSA-1" }], + next_page_token: "token123" + }.to_json, + headers: { "Content-Type" => "application/json" } + ) + + stub_request(:post, "https://api.osv.dev/v1/query") + .with(body: { + package: { name: "lodash", ecosystem: "npm" }, + version: "4.17.15", + page_token: "token123" + }.to_json) + .to_return( + status: 200, + body: { + vulns: [{ id: "GHSA-2" }] + }.to_json, + headers: { "Content-Type" => "application/json" } + ) + + vulns = @client.query(ecosystem: "npm", name: "lodash", version: "4.17.15") + + assert_equal 2, vulns.size + assert_equal "GHSA-1", vulns[0]["id"] + assert_equal "GHSA-2", vulns[1]["id"] + end + + def test_query_returns_empty_array_when_no_vulns + stub_request(:post, "https://api.osv.dev/v1/query") + .to_return( + status: 200, + body: { vulns: nil }.to_json, + headers: { "Content-Type" => "application/json" } + ) + + vulns = @client.query(ecosystem: "npm", name: "safe-package", version: "1.0.0") + + assert_equal [], vulns + end + + def test_query_batch_returns_results_per_package + stub_request(:post, "https://api.osv.dev/v1/querybatch") + .to_return( + status: 200, + body: { + results: [ + { vulns: [{ id: "CVE-1" }] }, + { vulns: [] }, + { vulns: [{ id: "CVE-2" }, { id: "CVE-3" }] } + ] + }.to_json, + headers: { "Content-Type" => "application/json" } + ) + + packages = [ + { ecosystem: "npm", name: "lodash", version: "4.17.15" }, + { ecosystem: "npm", name: "safe", version: "1.0.0" }, + { ecosystem: "RubyGems", name: "nokogiri", version: "1.10.0" } + ] + + results = @client.query_batch(packages) + + assert_equal 3, results.size + assert_equal 1, results[0].size + assert_equal 0, results[1].size + assert_equal 2, results[2].size + end + + def test_query_batch_empty_input + results = @client.query_batch([]) + assert_equal [], results + end + + def test_get_vulnerability_by_id + stub_request(:get, "https://api.osv.dev/v1/vulns/CVE-2024-1234") + .to_return( + status: 200, + body: { + id: 
"CVE-2024-1234", + summary: "Test CVE", + details: "Detailed description" + }.to_json, + headers: { "Content-Type" => "application/json" } + ) + + vuln = @client.get_vulnerability("CVE-2024-1234") + + assert_equal "CVE-2024-1234", vuln["id"] + assert_equal "Test CVE", vuln["summary"] + end + + def test_api_error_on_failure + stub_request(:post, "https://api.osv.dev/v1/query") + .to_return(status: 500, body: "Internal Server Error") + + assert_raises(Git::Pkgs::OsvClient::ApiError) do + @client.query(ecosystem: "npm", name: "lodash", version: "1.0.0") + end + end + + def test_api_error_on_timeout + stub_request(:post, "https://api.osv.dev/v1/query") + .to_timeout + + assert_raises(Git::Pkgs::OsvClient::ApiError) do + @client.query(ecosystem: "npm", name: "lodash", version: "1.0.0") + end + end +end diff --git a/test/git/pkgs/test_package.rb b/test/git/pkgs/test_package.rb new file mode 100644 index 0000000..274d7ca --- /dev/null +++ b/test/git/pkgs/test_package.rb @@ -0,0 +1,187 @@ +# frozen_string_literal: true + +require "test_helper" + +class Git::Pkgs::TestPackage < Minitest::Test + include TestHelpers + + def setup + create_test_repo + add_file("README.md", "# Test") + commit("Initial commit") + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + end + + def teardown + cleanup_test_repo + end + + def test_create_package + pkg = Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash" + ) + + assert_equal "pkg:npm/lodash", pkg.purl + assert_equal "npm", pkg.ecosystem + assert_equal "lodash", pkg.name + end + + def test_unique_purl_constraint + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash" + ) + + assert_raises(Sequel::UniqueConstraintViolation) do + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash" + ) + end + end + + def test_generate_purl + assert_equal "pkg:npm/lodash", Git::Pkgs::Models::Package.generate_purl("npm", "lodash") + assert_equal "pkg:gem/rails", Git::Pkgs::Models::Package.generate_purl("rubygems", "rails") + assert_equal "pkg:pypi/requests", Git::Pkgs::Models::Package.generate_purl("pypi", "requests") + assert_equal "pkg:cargo/serde", Git::Pkgs::Models::Package.generate_purl("cargo", "serde") + end + + def test_generate_purl_unsupported_ecosystem + assert_nil Git::Pkgs::Models::Package.generate_purl("unknown", "package") + end + + def test_find_or_create_by_purl + pkg1 = Git::Pkgs::Models::Package.find_or_create_by_purl( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash" + ) + + pkg2 = Git::Pkgs::Models::Package.find_or_create_by_purl( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash" + ) + + assert_equal pkg1.id, pkg2.id + assert_equal 1, Git::Pkgs::Models::Package.count + end + + def test_needs_vuln_sync_when_never_synced + pkg = Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash", + vulns_synced_at: nil + ) + + assert pkg.needs_vuln_sync? + end + + def test_needs_vuln_sync_when_stale + pkg = Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash", + vulns_synced_at: Time.now - 100_000 + ) + + assert pkg.needs_vuln_sync? + end + + def test_needs_vuln_sync_when_fresh + pkg = Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash", + vulns_synced_at: Time.now + ) + + refute pkg.needs_vuln_sync? 
+ end + + def test_mark_vulns_synced + pkg = Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash", + vulns_synced_at: nil + ) + + assert pkg.needs_vuln_sync? + pkg.mark_vulns_synced + pkg.refresh + + refute pkg.needs_vuln_sync? + assert_in_delta Time.now, pkg.vulns_synced_at, 1 + end + + def test_needs_vuln_sync_scope + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/stale", + ecosystem: "npm", + name: "stale", + vulns_synced_at: Time.now - 100_000 + ) + + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/fresh", + ecosystem: "npm", + name: "fresh", + vulns_synced_at: Time.now + ) + + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/never", + ecosystem: "npm", + name: "never", + vulns_synced_at: nil + ) + + needs_sync = Git::Pkgs::Models::Package.needs_vuln_sync + assert_equal 2, needs_sync.count + purls = needs_sync.map(&:purl).sort + assert_equal ["pkg:npm/never", "pkg:npm/stale"], purls + end + + def test_synced_scope + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/stale", + ecosystem: "npm", + name: "stale", + vulns_synced_at: Time.now - 100_000 + ) + + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/fresh", + ecosystem: "npm", + name: "fresh", + vulns_synced_at: Time.now + ) + + synced = Git::Pkgs::Models::Package.synced + assert_equal 1, synced.count + assert_equal "pkg:npm/fresh", synced.first.purl + end + + def test_by_ecosystem_scope + Git::Pkgs::Models::Package.create(purl: "pkg:npm/lodash", ecosystem: "npm", name: "lodash") + Git::Pkgs::Models::Package.create(purl: "pkg:gem/rails", ecosystem: "rubygems", name: "rails") + Git::Pkgs::Models::Package.create(purl: "pkg:npm/express", ecosystem: "npm", name: "express") + + npm_pkgs = Git::Pkgs::Models::Package.by_ecosystem("npm") + assert_equal 2, npm_pkgs.count + + gem_pkgs = Git::Pkgs::Models::Package.by_ecosystem("rubygems") + assert_equal 1, gem_pkgs.count + assert_equal "rails", gem_pkgs.first.name + end +end diff --git a/test/git/pkgs/test_vulnerability.rb b/test/git/pkgs/test_vulnerability.rb new file mode 100644 index 0000000..7c303ec --- /dev/null +++ b/test/git/pkgs/test_vulnerability.rb @@ -0,0 +1,578 @@ +# frozen_string_literal: true + +require "test_helper" +require "webmock/minitest" + +class Git::Pkgs::TestVulnerability < Minitest::Test + include TestHelpers + + def setup + create_test_repo + add_file("README.md", "# Test") + commit("Initial commit") + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + end + + def teardown + cleanup_test_repo + end + + def test_create_vulnerability + vuln = Git::Pkgs::Models::Vulnerability.create( + id: "CVE-2024-1234", + severity: "high", + summary: "Prototype pollution", + fetched_at: Time.now + ) + + assert_equal "CVE-2024-1234", vuln.id + assert_equal "high", vuln.severity + end + + def test_severity_scopes + Git::Pkgs::Models::Vulnerability.create(id: "CVE-1", severity: "critical", fetched_at: Time.now) + Git::Pkgs::Models::Vulnerability.create(id: "CVE-2", severity: "high", fetched_at: Time.now) + Git::Pkgs::Models::Vulnerability.create(id: "CVE-3", severity: "medium", fetched_at: Time.now) + Git::Pkgs::Models::Vulnerability.create(id: "CVE-4", severity: "low", fetched_at: Time.now) + + assert_equal 1, Git::Pkgs::Models::Vulnerability.critical.count + assert_equal 1, Git::Pkgs::Models::Vulnerability.high.count + assert_equal 1, Git::Pkgs::Models::Vulnerability.medium.count + assert_equal 1, Git::Pkgs::Models::Vulnerability.low.count + end + + def 
test_not_withdrawn_scope + Git::Pkgs::Models::Vulnerability.create(id: "CVE-1", fetched_at: Time.now, withdrawn_at: nil) + Git::Pkgs::Models::Vulnerability.create(id: "CVE-2", fetched_at: Time.now, withdrawn_at: Time.now) + + assert_equal 1, Git::Pkgs::Models::Vulnerability.not_withdrawn.count + assert_equal "CVE-1", Git::Pkgs::Models::Vulnerability.not_withdrawn.first.id + end + + def test_severity_level + critical = Git::Pkgs::Models::Vulnerability.new(severity: "critical") + high = Git::Pkgs::Models::Vulnerability.new(severity: "high") + medium = Git::Pkgs::Models::Vulnerability.new(severity: "medium") + low = Git::Pkgs::Models::Vulnerability.new(severity: "low") + unknown = Git::Pkgs::Models::Vulnerability.new(severity: nil) + + assert_equal 4, critical.severity_level + assert_equal 3, high.severity_level + assert_equal 2, medium.severity_level + assert_equal 1, low.severity_level + assert_equal 0, unknown.severity_level + end + + def test_severity_display + vuln = Git::Pkgs::Models::Vulnerability.new(severity: "high") + assert_equal "HIGH", vuln.severity_display + + vuln_nil = Git::Pkgs::Models::Vulnerability.new(severity: nil) + assert_equal "UNKNOWN", vuln_nil.severity_display + end + + def test_withdrawn + vuln = Git::Pkgs::Models::Vulnerability.new(withdrawn_at: nil) + refute vuln.withdrawn? + + vuln_withdrawn = Git::Pkgs::Models::Vulnerability.new(withdrawn_at: Time.now) + assert vuln_withdrawn.withdrawn? + end + + def test_aliases_list + vuln = Git::Pkgs::Models::Vulnerability.new(aliases: "CVE-2024-1234, GHSA-xxxx") + assert_equal ["CVE-2024-1234", "GHSA-xxxx"], vuln.aliases_list + + vuln_nil = Git::Pkgs::Models::Vulnerability.new(aliases: nil) + assert_equal [], vuln_nil.aliases_list + end + + def test_stale_scope + old_time = Time.now - 100_000 + Git::Pkgs::Models::Vulnerability.create( + id: "CVE-OLD", + fetched_at: old_time + ) + + Git::Pkgs::Models::Vulnerability.create( + id: "CVE-NEW", + fetched_at: Time.now + ) + + stale = Git::Pkgs::Models::Vulnerability.stale(86400) + assert_equal 1, stale.count + assert_equal "CVE-OLD", stale.first.id + end + + def test_from_osv_creates_vulnerability_and_packages + osv_data = { + "id" => "GHSA-test", + "summary" => "Test vulnerability", + "details" => "Detailed description", + "published" => "2024-01-15T00:00:00Z", + "modified" => "2024-01-16T00:00:00Z", + "aliases" => ["CVE-2024-1234"], + "affected" => [ + { + "package" => { + "name" => "lodash", + "ecosystem" => "npm" + }, + "ranges" => [ + { + "type" => "ECOSYSTEM", + "events" => [ + { "introduced" => "0" }, + { "fixed" => "4.17.21" } + ] + } + ], + "database_specific" => { + "severity" => "HIGH" + } + } + ] + } + + vuln = Git::Pkgs::Models::Vulnerability.from_osv(osv_data) + + assert_equal "GHSA-test", vuln.id + assert_equal "high", vuln.severity + assert_equal "Test vulnerability", vuln.summary + assert_equal "CVE-2024-1234", vuln.aliases + + vuln_pkgs = Git::Pkgs::Models::VulnerabilityPackage.where(vulnerability_id: "GHSA-test") + assert_equal 1, vuln_pkgs.count + + vp = vuln_pkgs.first + assert_equal "npm", vp.ecosystem + assert_equal "lodash", vp.package_name + assert_includes vp.affected_versions, "<4.17.21" + assert_equal "4.17.21", vp.fixed_versions + end + + def test_from_osv_creates_multiple_package_entries + osv_data = { + "id" => "GHSA-multi", + "summary" => "Affects multiple packages", + "affected" => [ + { + "package" => { "name" => "lodash", "ecosystem" => "npm" }, + "ranges" => [{ "events" => [{ "introduced" => "0" }, { "fixed" => "4.17.21" }] }] + }, + { + 
"package" => { "name" => "lodash-es", "ecosystem" => "npm" }, + "ranges" => [{ "events" => [{ "introduced" => "0" }, { "fixed" => "4.17.21" }] }] + } + ] + } + + Git::Pkgs::Models::Vulnerability.from_osv(osv_data) + + vuln_pkgs = Git::Pkgs::Models::VulnerabilityPackage.where(vulnerability_id: "GHSA-multi") + assert_equal 2, vuln_pkgs.count + + package_names = vuln_pkgs.map(&:package_name).sort + assert_equal ["lodash", "lodash-es"], package_names + end + + def test_from_osv_updates_existing + Git::Pkgs::Models::Vulnerability.create( + id: "GHSA-test", + summary: "Old summary", + fetched_at: Time.now - 86400 + ) + + osv_data = { + "id" => "GHSA-test", + "summary" => "New summary", + "affected" => [ + { + "package" => { "name" => "lodash", "ecosystem" => "npm" }, + "database_specific" => { "severity" => "CRITICAL" } + } + ] + } + + vuln = Git::Pkgs::Models::Vulnerability.from_osv(osv_data) + + assert_equal 1, Git::Pkgs::Models::Vulnerability.count + assert_equal "New summary", vuln.summary + assert_equal "critical", vuln.severity + end + + def test_from_osv_handles_withdrawn + osv_data = { + "id" => "GHSA-withdrawn", + "summary" => "Withdrawn vulnerability", + "withdrawn" => "2024-02-01T00:00:00Z", + "affected" => [] + } + + vuln = Git::Pkgs::Models::Vulnerability.from_osv(osv_data) + + assert vuln.withdrawn? + assert_equal 2024, vuln.withdrawn_at.year + end + + def test_build_range_from_events_introduced_and_fixed + events = [ + { "introduced" => "1.0.0" }, + { "fixed" => "1.2.3" } + ] + + ranges = Git::Pkgs::Models::Vulnerability.build_range_from_events(events) + assert_equal [">=1.0.0 <1.2.3"], ranges + end + + def test_build_range_from_events_zero_introduced + events = [ + { "introduced" => "0" }, + { "fixed" => "2.0.0" } + ] + + ranges = Git::Pkgs::Models::Vulnerability.build_range_from_events(events) + assert_equal ["<2.0.0"], ranges + end + + def test_build_range_from_events_open_ended + events = [ + { "introduced" => "3.0.0" } + ] + + ranges = Git::Pkgs::Models::Vulnerability.build_range_from_events(events) + assert_equal [">=3.0.0"], ranges + end + + def test_build_range_from_events_last_affected + events = [ + { "introduced" => "1.0.0" }, + { "last_affected" => "1.5.0" } + ] + + ranges = Git::Pkgs::Models::Vulnerability.build_range_from_events(events) + assert_equal [">=1.0.0 <=1.5.0"], ranges + end + + def test_parse_cvss_score_with_numeric_string + score = Git::Pkgs::Models::Vulnerability.parse_cvss_score("8.8") + assert_equal 8.8, score + end + + def test_parse_cvss_score_with_critical_vector + # CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = Critical (9.8) + vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + score = Git::Pkgs::Models::Vulnerability.parse_cvss_score(vector) + assert_equal 9.8, score + end + + def test_parse_cvss_score_with_high_vector + # AV:N, AC:L, but requires privileges or user interaction + vector = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + score = Git::Pkgs::Models::Vulnerability.parse_cvss_score(vector) + assert_equal 8.1, score + end + + def test_parse_cvss_score_with_medium_vector + # Low impact metrics + vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" + score = Git::Pkgs::Models::Vulnerability.parse_cvss_score(vector) + assert_equal 5.3, score + end + + def test_parse_cvss_score_with_nil + score = Git::Pkgs::Models::Vulnerability.parse_cvss_score(nil) + assert_nil score + end + + def test_parse_cvss_score_with_non_cvss_string + score = Git::Pkgs::Models::Vulnerability.parse_cvss_score("invalid") + assert_nil score + end + + def 
test_parse_cvss_metrics + vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + metrics = Git::Pkgs::Models::Vulnerability.parse_cvss_metrics(vector) + + assert_equal "N", metrics["AV"] + assert_equal "L", metrics["AC"] + assert_equal "N", metrics["PR"] + assert_equal "H", metrics["C"] + assert_equal "H", metrics["I"] + assert_equal "H", metrics["A"] + end + + def test_from_osv_extracts_cvss_score + osv_data = { + "id" => "GHSA-cvss", + "summary" => "Test with CVSS", + "severity" => [ + { + "type" => "CVSS_V3", + "score" => "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected" => [] + } + + vuln = Git::Pkgs::Models::Vulnerability.from_osv(osv_data) + + assert_equal "GHSA-cvss", vuln.id + assert_equal 9.8, vuln.cvss_score + assert_equal "critical", vuln.severity + end +end + +class Git::Pkgs::TestVulnerabilityPackage < Minitest::Test + include TestHelpers + + def setup + create_test_repo + add_file("README.md", "# Test") + commit("Initial commit") + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + end + + def teardown + cleanup_test_repo + end + + def test_create_vulnerability_package + Git::Pkgs::Models::Vulnerability.create(id: "CVE-1", fetched_at: Time.now) + + vp = Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: "CVE-1", + ecosystem: "npm", + package_name: "lodash", + affected_versions: "<4.17.21", + fixed_versions: "4.17.21" + ) + + assert_equal "CVE-1", vp.vulnerability_id + assert_equal "npm", vp.ecosystem + assert_equal "lodash", vp.package_name + end + + def test_for_package_scope + Git::Pkgs::Models::Vulnerability.create(id: "CVE-1", fetched_at: Time.now) + Git::Pkgs::Models::Vulnerability.create(id: "CVE-2", fetched_at: Time.now) + + Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: "CVE-1", + ecosystem: "npm", + package_name: "lodash" + ) + + Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: "CVE-2", + ecosystem: "npm", + package_name: "express" + ) + + vulns = Git::Pkgs::Models::VulnerabilityPackage.for_package("npm", "lodash") + assert_equal 1, vulns.count + assert_equal "CVE-1", vulns.first.vulnerability_id + end + + def test_fixed_versions_list + vp = Git::Pkgs::Models::VulnerabilityPackage.new(fixed_versions: "1.2.3, 2.0.0, 2.1.0") + assert_equal ["1.2.3", "2.0.0", "2.1.0"], vp.fixed_versions_list + + vp_nil = Git::Pkgs::Models::VulnerabilityPackage.new(fixed_versions: nil) + assert_equal [], vp_nil.fixed_versions_list + end + + def test_affects_version_simple_range + Git::Pkgs::Models::Vulnerability.create(id: "CVE-1", fetched_at: Time.now) + + vp = Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: "CVE-1", + ecosystem: "npm", + package_name: "lodash", + affected_versions: "<4.17.21" + ) + + assert vp.affects_version?("4.17.15") + assert vp.affects_version?("4.17.20") + refute vp.affects_version?("4.17.21") + refute vp.affects_version?("5.0.0") + end + + def test_affects_version_nil_range + vp = Git::Pkgs::Models::VulnerabilityPackage.new(affected_versions: nil) + refute vp.affects_version?("1.0.0") + + vp_empty = Git::Pkgs::Models::VulnerabilityPackage.new(affected_versions: "") + refute vp_empty.affects_version?("1.0.0") + end + + def test_affects_version_handles_invalid_range + Git::Pkgs::Models::Vulnerability.create(id: "CVE-1", fetched_at: Time.now) + + vp = Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: "CVE-1", + ecosystem: "npm", + package_name: "lodash", + affected_versions: ">= 0" 
# Invalid semver range + ) + + # Should return true (assume affected) when range is unparseable + assert vp.affects_version?("4.17.0") + end + + def test_affects_version_handles_nil_version + vp = Git::Pkgs::Models::VulnerabilityPackage.new( + ecosystem: "npm", + package_name: "lodash", + affected_versions: "<4.17.21" + ) + + refute vp.affects_version?(nil) + refute vp.affects_version?("") + end + + def test_affects_version_correctly_handles_bounded_range + Git::Pkgs::Models::Vulnerability.create(id: "CVE-1", fetched_at: Time.now) + + vp = Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: "CVE-1", + ecosystem: "RubyGems", + package_name: "actionpack", + affected_versions: ">=7.1.0 <7.1.3.1" + ) + + # 8.1.1 is NOT in the range >=7.1.0 <7.1.3.1 + refute vp.affects_version?("8.1.1"), "8.1.1 should NOT be affected by >=7.1.0 <7.1.3.1" + + # 7.1.2 IS in the range + assert vp.affects_version?("7.1.2"), "7.1.2 should be affected by >=7.1.0 <7.1.3.1" + + # 7.1.3.1 is NOT in the range (fixed version) + refute vp.affects_version?("7.1.3.1"), "7.1.3.1 should NOT be affected (it's the fixed version)" + end + + def test_vulnerability_association + Git::Pkgs::Models::Vulnerability.create(id: "CVE-1", severity: "high", fetched_at: Time.now) + + vp = Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: "CVE-1", + ecosystem: "npm", + package_name: "lodash" + ) + + assert_equal "CVE-1", vp.vulnerability.id + assert_equal "high", vp.vulnerability.severity + end + + def test_ensure_vulns_synced_with_distinct_query + # This tests that ensure_vulns_synced works with SQLite which doesn't support DISTINCT ON + # Create some dependency changes with duplicate ecosystem/name pairs + manifest = Git::Pkgs::Models::Manifest.create(path: "package.json", ecosystem: "npm") + commit1 = Git::Pkgs::Models::Commit.create(sha: "abc123", committed_at: Time.now) + commit2 = Git::Pkgs::Models::Commit.create(sha: "def456", committed_at: Time.now) + + Git::Pkgs::Models::DependencyChange.create( + commit_id: commit1.id, + manifest_id: manifest.id, + name: "lodash", + ecosystem: "npm", + change_type: "added", + requirement: "4.17.0" + ) + + Git::Pkgs::Models::DependencyChange.create( + commit_id: commit2.id, + manifest_id: manifest.id, + name: "lodash", + ecosystem: "npm", + change_type: "modified", + requirement: "4.17.21" + ) + + # Create a mock class that includes Vulns::Base to test ensure_vulns_synced + test_class = Class.new do + include Git::Pkgs::Commands::Vulns::Base + def initialize + @options = {} + end + end + + handler = test_class.new + + # This should not raise an error about DISTINCT ON + # It will try to sync but we stub the API call + WebMock.stub_request(:post, "https://api.osv.dev/v1/querybatch") + .to_return(status: 200, body: '{"results": [{"vulns": []}]}') + + # This will raise Sequel::InvalidOperation if DISTINCT ON is used on SQLite + handler.ensure_vulns_synced + + # If we get here without raising, the test passes + assert true + end + + def test_vulns_diff_parses_two_refs_correctly + # Test that vulns diff passes both refs to the handler correctly + vulns = Git::Pkgs::Commands::VulnsCommand.new(["diff", "abc123", "def456"]) + + # Access the parsed args that would be passed to VulnsDiff + # The @args should contain both refs after parse_options + args = vulns.instance_variable_get(:@args) + + # Both refs should be in args, not consumed by options[:ref] + assert_includes args, "abc123" + assert_includes args, "def456" + end + + def 
test_compute_dependencies_at_commit_with_branch_join + # Tests that commit_ids query properly qualifies column names + # when joining commits and branch_commits tables + branch = Git::Pkgs::Models::Branch.create(name: "main") + commit1 = Git::Pkgs::Models::Commit.create(sha: "abc123", committed_at: Time.now - 86400) + commit2 = Git::Pkgs::Models::Commit.create(sha: "def456", committed_at: Time.now) + branch.add_commit(commit1) + branch.add_commit(commit2) + + manifest = Git::Pkgs::Models::Manifest.create(path: "package.json", ecosystem: "npm") + + Git::Pkgs::Models::DependencySnapshot.create( + commit_id: commit1.id, + manifest_id: manifest.id, + name: "lodash", + ecosystem: "npm", + requirement: "4.17.0", + dependency_type: "runtime" + ) + + Git::Pkgs::Models::DependencyChange.create( + commit_id: commit2.id, + manifest_id: manifest.id, + name: "lodash", + ecosystem: "npm", + change_type: "modified", + requirement: "4.17.21" + ) + + test_class = Class.new do + include Git::Pkgs::Commands::Vulns::Base + def initialize(branch_name) + @options = { branch: branch_name } + end + end + + handler = test_class.new("main") + + # This should not raise "ambiguous column name: id" error + deps = handler.compute_dependencies_at_commit(commit2, nil) + + assert_equal 1, deps.size + assert_equal "lodash", deps.first[:name] + assert_equal "4.17.21", deps.first[:requirement] + end +end diff --git a/test/git/pkgs/test_vulns_commands.rb b/test/git/pkgs/test_vulns_commands.rb new file mode 100644 index 0000000..2873ffb --- /dev/null +++ b/test/git/pkgs/test_vulns_commands.rb @@ -0,0 +1,689 @@ +# frozen_string_literal: true + +require "test_helper" +require "webmock/minitest" +require "stringio" + +class Git::Pkgs::TestVulnsCommand < Minitest::Test + include TestHelpers + + def setup + Git::Pkgs::Database.disconnect + create_test_repo + add_file("package.json", '{"dependencies": {"lodash": "4.17.0"}}') + commit("Initial commit") + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + end + + def teardown + cleanup_test_repo + end + + def capture_stdout + original = $stdout + $stdout = StringIO.new + yield + $stdout.string + ensure + $stdout = original + end + + def test_vulns_command_initializes + # Test that Vulns command class can be instantiated + vulns = Git::Pkgs::Commands::VulnsCommand.new([]) + + assert_instance_of Git::Pkgs::Commands::VulnsCommand, vulns + end + + def test_cli_runs_vulns_command + stub_osv_api + + Git::Pkgs.git_dir = @git_dir + output = capture_stdout do + Git::Pkgs::CLI.run(["vulns", "--stateless"]) + end + + # Should not output "not yet implemented" + refute_includes output, "not yet implemented" + ensure + Git::Pkgs.git_dir = nil + end + + def test_vulns_command_runs_scan_by_default + stub_osv_api + + Git::Pkgs.git_dir = @git_dir + output = capture_stdout do + Git::Pkgs::Commands::VulnsCommand.new(["--stateless"]).run + end + + # Should either show vulnerabilities or no vulnerabilities found + assert output.include?("No known vulnerabilities found") || output.include?("GHSA") + ensure + Git::Pkgs.git_dir = nil + end + + def test_vulns_subcommand_sync + stub_osv_api + + Git::Pkgs.git_dir = @git_dir + + # First add a package to the database + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash" + ) + + output = capture_stdout do + Git::Pkgs::Commands::VulnsCommand.new(["sync"]).run + end + + assert_includes output, "Syncing vulnerabilities" + ensure + Git::Pkgs.git_dir = nil 
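+ # git_dir is reset in ensure so a failing assertion can't leak state into later tests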
+ end + + def test_vulns_subcommand_diff_parses_both_refs + vulns = Git::Pkgs::Commands::VulnsCommand.new(["diff", "abc123", "def456"]) + args = vulns.instance_variable_get(:@args) + + # Both refs should be available in args for VulnsDiff to consume + assert_includes args, "abc123" + assert_includes args, "def456" + end + + def test_vulns_subcommand_log_detected + vulns = Git::Pkgs::Commands::VulnsCommand.new(["log"]) + subcommand = vulns.instance_variable_get(:@subcommand) + + assert_equal "log", subcommand + end + + def stub_osv_api + # Stub the batch query endpoint + WebMock.stub_request(:post, "https://api.osv.dev/v1/querybatch") + .to_return( + status: 200, + body: '{"results": [{"vulns": [{"id": "GHSA-test", "modified": "2024-01-01"}]}]}' + ) + + # Stub the individual vulnerability endpoint + WebMock.stub_request(:get, %r{https://api\.osv\.dev/v1/vulns/.*}) + .to_return( + status: 200, + body: JSON.generate({ + id: "GHSA-test", + summary: "Test vulnerability", + affected: [{ + package: { name: "lodash", ecosystem: "npm" }, + ranges: [{ events: [{ introduced: "0" }, { fixed: "4.17.21" }] }] + }] + }) + ) + end +end + +class Git::Pkgs::TestVulnsExposure < Minitest::Test + include TestHelpers + + def setup + Git::Pkgs::Database.disconnect + create_test_repo + add_file("package.json", '{"dependencies": {"lodash": "4.17.0"}}') + commit("Initial commit") + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + + # Initialize database with commits + Git::Pkgs.git_dir = @git_dir + capture_stdout { Git::Pkgs::Commands::Init.new(["--no-hooks", "--force"]).run } + Git::Pkgs.git_dir = nil + end + + def teardown + Git::Pkgs.git_dir = nil + cleanup_test_repo + end + + def capture_stdout + original = $stdout + $stdout = StringIO.new + yield + $stdout.string + ensure + $stdout = original + end + + def test_exposure_output_does_not_use_invalid_color + stub_osv_api + + # Create a vulnerability that affects our package + Git::Pkgs::Models::Vulnerability.create( + id: "GHSA-test", + severity: nil, # Unknown severity triggers the :default color bug + fetched_at: Time.now + ) + + Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: "GHSA-test", + ecosystem: "npm", + package_name: "lodash", + affected_versions: "<4.17.21" + ) + + Git::Pkgs.git_dir = @git_dir + # This should not raise NoMethodError for Color.default + output = capture_stdout do + Git::Pkgs::Commands::Vulns::Exposure.new([]).run + end + + assert output + ensure + Git::Pkgs.git_dir = nil + end + + def stub_osv_api + WebMock.stub_request(:post, "https://api.osv.dev/v1/querybatch") + .to_return(status: 200, body: '{"results": [{"vulns": []}]}') + end +end + +class Git::Pkgs::TestVulnsBase < Minitest::Test + include TestHelpers + + def setup + Git::Pkgs::Database.disconnect + create_test_repo + add_file("README.md", "# Test") + commit("Initial commit") + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + end + + def teardown + cleanup_test_repo + end + + def test_more_specific_version_prefers_actual_versions + test_class = Class.new do + include Git::Pkgs::Commands::Vulns::Base + def initialize + @options = {} + end + end + + handler = test_class.new + + # Actual version preferred over constraint + assert handler.more_specific_version?("1.2.3", ">= 0") + assert handler.more_specific_version?("4.17.21", ">= 1.0") + + # Constraint not preferred over actual version + refute 
handler.more_specific_version?(">= 0", "1.2.3") + refute handler.more_specific_version?(">= 1.0", "4.17.21") + + # Two actual versions - neither preferred + refute handler.more_specific_version?("1.2.3", "1.2.4") + + # Two constraints - neither preferred + refute handler.more_specific_version?(">= 1.0", ">= 0") + end +end + +class Git::Pkgs::TestVulnsScan < Minitest::Test + include TestHelpers + + def setup + Git::Pkgs::Database.disconnect + create_test_repo + add_file("package.json", '{"dependencies": {"lodash": "4.17.0"}}') + commit("Initial commit") + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + end + + def teardown + cleanup_test_repo + end + + def capture_stdout + original = $stdout + $stdout = StringIO.new + yield + $stdout.string + ensure + $stdout = original + end + + def test_scan_stateless_mode + stub_osv_api + + Git::Pkgs.git_dir = @git_dir + output = capture_stdout do + Git::Pkgs::Commands::Vulns::Scan.new(["--stateless"]).run + end + + # Should complete without error + assert output + ensure + Git::Pkgs.git_dir = nil + end + + def test_scan_with_vulnerabilities_found + stub_osv_with_matching_vuln + + Git::Pkgs.git_dir = @git_dir + output = capture_stdout do + Git::Pkgs::Commands::Vulns::Scan.new(["--stateless"]).run + end + + assert_includes output, "GHSA-test" + ensure + Git::Pkgs.git_dir = nil + end + + def stub_osv_api + WebMock.stub_request(:post, "https://api.osv.dev/v1/querybatch") + .to_return(status: 200, body: '{"results": [{"vulns": []}]}') + end + + def stub_osv_with_matching_vuln + WebMock.stub_request(:post, "https://api.osv.dev/v1/querybatch") + .to_return( + status: 200, + body: '{"results": [{"vulns": [{"id": "GHSA-test", "modified": "2024-01-01"}]}]}' + ) + + WebMock.stub_request(:get, "https://api.osv.dev/v1/vulns/GHSA-test") + .to_return( + status: 200, + body: JSON.generate({ + id: "GHSA-test", + summary: "Prototype pollution in lodash", + severity: [{ type: "CVSS_V3", score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }], + affected: [{ + package: { name: "lodash", ecosystem: "npm" }, + ranges: [{ events: [{ introduced: "0" }, { fixed: "4.17.21" }] }], + database_specific: { severity: "HIGH" } + }] + }) + ) + end + + def test_scan_sarif_output_format + stub_osv_with_matching_vuln + + Git::Pkgs.git_dir = @git_dir + output = capture_stdout do + Git::Pkgs::Commands::Vulns::Scan.new(["--stateless", "-f", "sarif"]).run + end + + sarif = JSON.parse(output) + assert_equal "2.1.0", sarif["version"] + assert_equal 1, sarif["runs"].length + + run = sarif["runs"][0] + assert_equal "git-pkgs", run["tool"]["driver"]["name"] + assert run["tool"]["driver"]["rules"].any? { |r| r["id"] == "GHSA-test" } + assert run["results"].any? 
{ |r| r["ruleId"] == "GHSA-test" } + assert_equal "error", run["results"][0]["level"] + + # Validate against SARIF 2.1.0 schema + require "json_schemer" + schema_path = File.join(File.dirname(__FILE__), "../../fixtures/sarif-schema-2.1.0.json") + schema_content = JSON.parse(File.read(schema_path)) + schema = JSONSchemer.schema(schema_content, ref_resolver: proc { |uri| schema_content }) + errors = schema.validate(sarif).to_a + assert_empty errors, "SARIF schema validation failed: #{errors.map { |e| e["error"] }.join(", ")}" + ensure + Git::Pkgs.git_dir = nil + end +end + +class Git::Pkgs::TestVulnsDiff < Minitest::Test + include TestHelpers + + def setup + Git::Pkgs::Database.disconnect + create_test_repo + + add_file("package.json", '{"dependencies": {"lodash": "4.17.0"}}') + commit("Initial commit") + @first_sha = `cd #{@test_dir} && git rev-parse HEAD`.strip + + add_file("package.json", '{"dependencies": {"lodash": "4.17.21"}}') + commit("Update lodash") + @second_sha = `cd #{@test_dir} && git rev-parse HEAD`.strip + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + + # Initialize database with commits + Git::Pkgs.git_dir = @git_dir + capture_stdout { Git::Pkgs::Commands::Init.new(["--no-hooks", "--force"]).run } + Git::Pkgs.git_dir = nil + end + + def teardown + Git::Pkgs.git_dir = nil + cleanup_test_repo + end + + def capture_stdout + original = $stdout + $stdout = StringIO.new + yield + $stdout.string + ensure + $stdout = original + end + + def test_diff_receives_both_refs + stub_osv_api + + Git::Pkgs.git_dir = @git_dir + output = capture_stdout do + Git::Pkgs::Commands::Vulns::Diff.new([@first_sha[0, 7], @second_sha[0, 7]]).run + end + + # Should complete without error (may show no changes) + assert output + ensure + Git::Pkgs.git_dir = nil + end + + def stub_osv_api + WebMock.stub_request(:post, "https://api.osv.dev/v1/querybatch") + .to_return(status: 200, body: '{"results": [{"vulns": []}]}') + end +end + +class Git::Pkgs::TestVulnsSync < Minitest::Test + include TestHelpers + + def setup + Git::Pkgs::Database.disconnect + create_test_repo + add_file("package.json", '{"dependencies": {"lodash": "4.17.0"}}') + commit("Initial commit") + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + end + + def teardown + cleanup_test_repo + end + + def capture_stdout + original = $stdout + $stdout = StringIO.new + yield + $stdout.string + ensure + $stdout = original + end + + def test_sync_fetches_full_vulnerability_details + # Create a package that needs sync + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash" + ) + + # Stub batch query to return minimal data (just id) + WebMock.stub_request(:post, "https://api.osv.dev/v1/querybatch") + .to_return( + status: 200, + body: '{"results": [{"vulns": [{"id": "GHSA-test", "modified": "2024-01-01"}]}]}' + ) + + # Stub individual vuln fetch to return full data with affected packages + WebMock.stub_request(:get, "https://api.osv.dev/v1/vulns/GHSA-test") + .to_return( + status: 200, + body: JSON.generate({ + id: "GHSA-test", + summary: "Test vulnerability", + affected: [{ + package: { name: "lodash", ecosystem: "npm" }, + ranges: [{ events: [{ introduced: "0" }, { fixed: "4.17.21" }] }] + }] + }) + ) + + Git::Pkgs.git_dir = @git_dir + capture_stdout do + Git::Pkgs::Commands::Vulns::Sync.new([]).run + end + + # Verify that VulnerabilityPackage records were created + 
vuln_pkgs = Git::Pkgs::Models::VulnerabilityPackage.where(vulnerability_id: "GHSA-test") + assert_equal 1, vuln_pkgs.count + assert_equal "lodash", vuln_pkgs.first.package_name + ensure + Git::Pkgs.git_dir = nil + end +end + +class Git::Pkgs::TestManifestLockfilePairing < Minitest::Test + def test_pair_manifests_with_lockfiles_prefers_lockfile + deps = [ + { manifest_path: "Gemfile", manifest_kind: "manifest", ecosystem: "rubygems", name: "rails", requirement: ">= 0" }, + { manifest_path: "Gemfile.lock", manifest_kind: "lockfile", ecosystem: "rubygems", name: "rails", requirement: "7.0.0" } + ] + + result = Git::Pkgs::Analyzer.pair_manifests_with_lockfiles(deps) + + assert_equal 1, result.size + assert_equal "7.0.0", result.first[:requirement] + assert_equal "lockfile", result.first[:manifest_kind] + end + + def test_pair_manifests_with_lockfiles_falls_back_to_manifest + deps = [ + { manifest_path: "Gemfile", manifest_kind: "manifest", ecosystem: "rubygems", name: "rails", requirement: "~> 7.0" } + ] + + result = Git::Pkgs::Analyzer.pair_manifests_with_lockfiles(deps) + + assert_equal 1, result.size + assert_equal "~> 7.0", result.first[:requirement] + assert_equal "manifest", result.first[:manifest_kind] + end + + def test_pair_manifests_with_lockfiles_groups_by_directory + deps = [ + { manifest_path: "Gemfile", manifest_kind: "manifest", ecosystem: "rubygems", name: "rails", requirement: ">= 0" }, + { manifest_path: "Gemfile.lock", manifest_kind: "lockfile", ecosystem: "rubygems", name: "rails", requirement: "7.0.0" }, + { manifest_path: "vendor/Gemfile", manifest_kind: "manifest", ecosystem: "rubygems", name: "rails", requirement: ">= 6.0" }, + { manifest_path: "vendor/Gemfile.lock", manifest_kind: "lockfile", ecosystem: "rubygems", name: "rails", requirement: "6.1.0" } + ] + + result = Git::Pkgs::Analyzer.pair_manifests_with_lockfiles(deps) + + assert_equal 2, result.size + versions = result.map { |d| d[:requirement] }.sort + assert_equal ["6.1.0", "7.0.0"], versions + end + + def test_pair_manifests_with_lockfiles_handles_multiple_packages + deps = [ + { manifest_path: "Gemfile", manifest_kind: "manifest", ecosystem: "rubygems", name: "rails", requirement: ">= 0" }, + { manifest_path: "Gemfile.lock", manifest_kind: "lockfile", ecosystem: "rubygems", name: "rails", requirement: "7.0.0" }, + { manifest_path: "Gemfile", manifest_kind: "manifest", ecosystem: "rubygems", name: "puma", requirement: ">= 0" }, + { manifest_path: "Gemfile.lock", manifest_kind: "lockfile", ecosystem: "rubygems", name: "puma", requirement: "6.0.0" } + ] + + result = Git::Pkgs::Analyzer.pair_manifests_with_lockfiles(deps) + + assert_equal 2, result.size + by_name = result.group_by { |d| d[:name] } + assert_equal "7.0.0", by_name["rails"].first[:requirement] + assert_equal "6.0.0", by_name["puma"].first[:requirement] + end + + def test_lockfile_dependencies_filter + deps = [ + { manifest_path: "Gemfile", manifest_kind: "manifest", ecosystem: "rubygems", name: "rails", requirement: ">= 0" }, + { manifest_path: "Gemfile.lock", manifest_kind: "lockfile", ecosystem: "rubygems", name: "rails", requirement: "7.0.0" }, + { manifest_path: "Gemfile", manifest_kind: "manifest", ecosystem: "rubygems", name: "puma", requirement: "~> 6.0" } + ] + + result = Git::Pkgs::Analyzer.lockfile_dependencies(deps) + + assert_equal 1, result.size + assert_equal "rails", result.first[:name] + assert_equal "7.0.0", result.first[:requirement] + end +end + +class Git::Pkgs::TestVulnsHistory < Minitest::Test + include TestHelpers + + def 
setup + Git::Pkgs::Database.disconnect + create_test_repo + + add_file("package.json", '{"dependencies": {"lodash": "4.17.0"}}') + commit("Add lodash") + + @git_dir = File.join(@test_dir, ".git") + Git::Pkgs::Database.connect(@git_dir) + Git::Pkgs::Database.create_schema + + Git::Pkgs.git_dir = @git_dir + capture_stdout { Git::Pkgs::Commands::Init.new(["--no-hooks", "--force"]).run } + + # Mark package as synced to avoid OSV API calls + Git::Pkgs::Models::Package.create( + purl: "pkg:npm/lodash", + ecosystem: "npm", + name: "lodash", + vulns_synced_at: Time.now + ) + end + + def teardown + Git::Pkgs.git_dir = nil + cleanup_test_repo + end + + def capture_stdout + original = $stdout + $stdout = StringIO.new + yield + $stdout.string + ensure + $stdout = original + end + + def test_history_shows_withdrawn_vulns_in_timeline + # Create an active vulnerability + active_vuln = Git::Pkgs::Models::Vulnerability.create( + id: "GHSA-active", + summary: "Active vulnerability", + severity: "high", + published_at: Time.now - 86400, + fetched_at: Time.now + ) + Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: active_vuln.id, + ecosystem: "npm", + package_name: "lodash", + affected_versions: "< 4.17.21" + ) + + # Create a withdrawn vulnerability + withdrawn_vuln = Git::Pkgs::Models::Vulnerability.create( + id: "GHSA-withdrawn", + summary: "Withdrawn vulnerability", + severity: "medium", + published_at: Time.now - 172800, + withdrawn_at: Time.now - 86400, + fetched_at: Time.now + ) + Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: withdrawn_vuln.id, + ecosystem: "npm", + package_name: "lodash", + affected_versions: "< 4.17.21" + ) + + output = capture_stdout do + Git::Pkgs::Commands::Vulns::History.new(["lodash"]).run + end + + assert_includes output, "GHSA-active" + assert_includes output, "GHSA-withdrawn" + assert_includes output, "withdrawn" + end + + def test_history_json_includes_withdrawn_vulns + withdrawn_vuln = Git::Pkgs::Models::Vulnerability.create( + id: "GHSA-withdrawn-json", + summary: "Withdrawn vulnerability", + severity: "low", + published_at: Time.now - 172800, + withdrawn_at: Time.now - 86400, + fetched_at: Time.now + ) + Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: withdrawn_vuln.id, + ecosystem: "npm", + package_name: "lodash", + affected_versions: "< 4.17.21" + ) + + output = capture_stdout do + Git::Pkgs::Commands::Vulns::History.new(["lodash", "-f", "json"]).run + end + + json = JSON.parse(output) + assert_equal "lodash", json["package"] + + events = json["timeline"] + withdrawn_events = events.select { |e| e["event_type"] == "cve_withdrawn" } + assert withdrawn_events.any?, "Expected withdrawn event in timeline" + + published_events = events.select { |e| e["description"]&.include?("[withdrawn]") } + assert published_events.any?, "Expected [withdrawn] annotation on published event" + end + + def test_history_shows_withdrawn_event_with_date + withdrawn_time = Time.now - 86400 + withdrawn_vuln = Git::Pkgs::Models::Vulnerability.create( + id: "GHSA-with-date", + summary: "Withdrawn with date", + severity: "high", + published_at: Time.now - 172800, + withdrawn_at: withdrawn_time, + fetched_at: Time.now + ) + Git::Pkgs::Models::VulnerabilityPackage.create( + vulnerability_id: withdrawn_vuln.id, + ecosystem: "npm", + package_name: "lodash", + affected_versions: "< 4.17.21" + ) + + output = capture_stdout do + Git::Pkgs::Commands::Vulns::History.new(["lodash"]).run + end + + assert_includes output, "GHSA-with-date withdrawn" + 
end +end diff --git a/test/test_helper.rb b/test/test_helper.rb index 082514a..061e71e 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -18,18 +18,23 @@ $VERBOSE = original_verbose require "minitest/autorun" + +# Parallel test execution is opt-in per test class. +# Add `parallelize_me!` to test classes that: +# 1. Don't use Dir.chdir +# 2. Don't capture $stdout +# 3. Don't modify global singletons (Bibliothecary.configuration, etc.) + require "fileutils" require "tmpdir" module TestHelpers def create_test_repo @test_dir = Dir.mktmpdir("git-pkgs-test") - Dir.chdir(@test_dir) do - system("git init --initial-branch=main", out: File::NULL, err: File::NULL) - system("git config user.email 'test@example.com'", out: File::NULL) - system("git config user.name 'Test User'", out: File::NULL) - system("git config commit.gpgsign false", out: File::NULL) - end + git("init --initial-branch=main") + git("config user.email 'test@example.com'") + git("config user.name 'Test User'") + git("config commit.gpgsign false") @test_dir end @@ -42,15 +47,26 @@ def add_file(path, content) full_path = File.join(@test_dir, path) FileUtils.mkdir_p(File.dirname(full_path)) File.write(full_path, content) - Dir.chdir(@test_dir) do - system("git add #{path}", out: File::NULL, err: File::NULL) - end + git("add #{path}") end def commit(message) - Dir.chdir(@test_dir) do - system("git commit -m '#{message}'", out: File::NULL, err: File::NULL) - end + git("commit -m '#{message}'") + end + + def git(cmd) + system("git -C #{@test_dir} #{cmd}", out: File::NULL, err: File::NULL) + end + + def run_cli(*args) + old_git_dir = Git::Pkgs.git_dir + old_work_tree = Git::Pkgs.work_tree + Git::Pkgs.git_dir = File.join(@test_dir, ".git") + Git::Pkgs.work_tree = @test_dir + capture_stdout { Git::Pkgs::CLI.run(args.flatten) } + ensure + Git::Pkgs.git_dir = old_git_dir + Git::Pkgs.work_tree = old_work_tree end def sample_gemfile(gems = {})