From 6741db145b952e26b9d63c8aa9b1ffada6ed6adc Mon Sep 17 00:00:00 2001
From: bwireman
Date: Sat, 1 Jun 2024 14:49:35 -0500
Subject: [PATCH 1/3] case insensitve and flag/condig
---
 scripts/test.sh | 11 +++++++++++
 src/go_over.gleam | 6 ++++++
 src/go_over/advisories.gleam | 24 +++++++++++-------------
 src/go_over/config.gleam | 4 ++--
 test/config_test.gleam | 9 +++++++++
 5 files changed, 39 insertions(+), 15 deletions(-)
 create mode 100755 scripts/test.sh
diff --git a/scripts/test.sh b/scripts/test.sh
new file mode 100755
index 0000000..7b30333
--- /dev/null
+++ b/scripts/test.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+cd "$(dirname $0)/.."
+
+gleam update
+gleam format
+gleam test
+rm -rf .go-over/
+gleam run
+gleam run -- --skip --force
+gleam run -- --fake
+gleam run
\ No newline at end of file
diff --git a/src/go_over.gleam b/src/go_over.gleam
index 800f51c..8dbd1d0 100644
--- a/src/go_over.gleam
+++ b/src/go_over.gleam
@@ -98,9 +98,15 @@ fn print_warnings(vulns: List(Warning)) -> Nil {
 pub fn main() {
 let flags = spin_up()
 let conf = config.read_config("./gleam.toml")
+ iffnil(!conf.cache && flags.skip, fn() {
+ print.warning("Cannot specify both `--skip` & `cache=false`")
+ shellout.exit(1)
+ })
+
 throwaway(flags.force || !conf.cache, fn() {
 simplifile.delete(constants.go_over_path())
 })
+
 let pkgs =
 packages.read_manifest("./manifest.toml")
 |> config.filter_packages(conf, _)
diff --git a/src/go_over/advisories.gleam b/src/go_over/advisories.gleam
index 652d1bf..fecaab7 100644
--- a/src/go_over/advisories.gleam
+++ b/src/go_over/advisories.gleam
@@ -80,7 +80,11 @@ fn is_vulnerable(p: packages.Package, advs: List(Advisory)) -> List(Advisory) {
 |> option.values
 }
-fn clone() -> Nil {
+fn delete_and_clone() -> Nil {
+ // ? File may or may not exist
+ let p = path()
+
+ let _ = simplifile.delete(p)
 print.progress("Cloning: " <> constants.advisories_repo <> "...")
 let assert Ok(Nil) =
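Review bot: `cd "$(dirname $0)/.."` leaves `$0` unquoted and the script sets no `set -e`, so a checkout path containing whitespace splits the cd target, and a failing `gleam test` still lets the later `rm -rf .go-over/` and `gleam run` steps execute and report success. Add `set -euo pipefail` after the shebang and quote the inner expansion: `cd "$(dirname "$0")/.."`. The diff also shows the file ends without a trailing newline after the last `gleam run`.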
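Review bot: `let _ = simplifile.delete(p)` discards every error, but the comment placed above `let p = path()` only justifies a missing path; a permission or I/O failure is hidden and the clone then runs into a directory that still holds the previous checkout. Treat a missing path as success and fail on anything else, and move the comment onto the delete it explains. The body of delete_and_clone continues in the next hunk.
```gleam
fn delete_and_clone() -> Nil {
  let p = path()

  // The cached clone may not exist yet; only a missing path is fine to ignore.
  let assert Ok(Nil) = case simplifile.delete(p) {
    Error(simplifile.Enoent) -> Ok(Nil)
    other -> other
  }
  // … unchanged: progress message and clone command …
```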
@@ -99,18 +103,12 @@ fn clone() -> Nil {
 opt: [],
 )
- Nil
-}
-
-fn delete_and_clone() -> Nil {
- // ? File may or may not exist
- let p = path()
-
- let _ = simplifile.delete(p)
- clone()
- let assert Ok(Nil) = simplifile.delete(filepath.join(p, ".git"))
-
- Nil
+ [
+ ".git", ".gitignore", ".github", "config", "lib", ".formatter.exs",
+ ".credo.exs", "Makefile", "mix.exs", "mix.lock",
+ ]
+ |> list.map(filepath.join(p, _))
+ |> list.each(simplifile.delete)
 }
 pub fn check_for_advisories(
diff --git a/src/go_over/config.gleam b/src/go_over/config.gleam
index 9f439d8..4e0fc00 100644
--- a/src/go_over/config.gleam
+++ b/src/go_over/config.gleam
@@ -1,6 +1,7 @@
 import gleam/dict
 import gleam/list
 import gleam/result.{unwrap}
+import gleam/string
 import go_over/advisories.{type Advisory}
 import go_over/packages.{type Package}
 import go_over/warning.{type Warning}
@@ -29,7 +30,6 @@ pub fn read_config(path: String) -> Config {
 let ignore =
 tom.get_table(go_over, ["ignore"])
 |> unwrap(dict.new())
-
 let packages =
 tom.get_array(ignore, ["packages"])
 |> unwrap([])
@@ -58,7 +58,7 @@ pub fn filter_advisory_ids(conf: Config, advs: List(Advisory)) -> List(Advisory)
 pub fn filter_severity(conf: Config, warnings: List(Warning)) -> List(Warning) {
 list.filter(warnings, fn(w) {
- !list.contains(conf.ignore_severity, w.severity)
+ !list.contains(conf.ignore_severity, string.lowercase(w.severity))
 })
 }
diff --git a/test/config_test.gleam b/test/config_test.gleam
index 8c8e220..61b9a6a 100644
--- a/test/config_test.gleam
+++ b/test/config_test.gleam
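Review bot: The old `let assert Ok(Nil) = simplifile.delete(filepath.join(p, ".git"))` is replaced by `list.each(simplifile.delete)`, which drops every result, so a `.git` directory that survives the cleanup is no longer noticed; this hunk closes the delete_and_clone body whose head is in the previous hunk. Since several names in the list may legitimately be absent upstream, keep the list but give `.git` its own checked delete, or ignore only `Error(simplifile.Enoent)` per entry and surface any other error. A short comment naming the intent would also help the next reader, e.g. `// Keep only the advisory data: strip git metadata and the upstream repo's tooling`.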
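Review bot: Only the warning side is normalised in `!list.contains(conf.ignore_severity, string.lowercase(w.severity))`; the entries of `conf.ignore_severity` are compared as written, so an ignore list containing `"Moderate"` still matches nothing even though the README calls the setting case insensitive (unless read_config already lowercases them, which this diff does not show). Normalise once where the list is read, or here with `!list.contains(list.map(conf.ignore_severity, string.lowercase), string.lowercase(w.severity))`.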
@@ -59,10 +59,19 @@ pub fn filter_severity_test() {
 let a = Warning("", "", "", warning.Vulnerable, "a", warning.Direct)
 let b = Warning("", "", "", warning.Vulnerable, "b", warning.Direct)
 let c = Warning("", "", "", warning.Vulnerable, "c", warning.Direct)
+ let aa = Warning("", "", "", warning.Vulnerable, "A", warning.Direct)
+ let bb = Warning("", "", "", warning.Vulnerable, "B", warning.Direct)
+ let cc = Warning("", "", "", warning.Vulnerable, "C", warning.Direct)
 should.equal(filter_severity(full, []), [])
 should.equal(filter_severity(full, [a]), [])
 should.equal(filter_severity(full, [a, b]), [])
 should.equal(filter_severity(full, [b, c]), [c])
 should.equal(filter_severity(full, [a, b, c]), [c])
+
+ should.equal(filter_severity(full, []), [])
+ should.equal(filter_severity(full, [aa]), [])
+ should.equal(filter_severity(full, [aa, bb]), [])
+ should.equal(filter_severity(full, [bb, cc]), [cc])
+ should.equal(filter_severity(full, [aa, bb, cc]), [cc])
 }
From 792a27397fb719c719ac4a2af7f87c36dfdb72b5 Mon Sep 17 00:00:00 2001
From: bwireman
Date: Sat, 1 Jun 2024 15:22:59 -0500
Subject: [PATCH 2/3] more explicit docs and readme
---
 README.md | 12 ++++++++----
 gleam.toml | 4 ++--
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 424f786..acb473c 100644
--- a/README.md
+++ b/README.md
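Review bot: The new cases only vary the case of the warning's severity; `full` (defined above the hunk) presumably holds lowercase ignore entries, so a mixed-case entry in the config itself is still untested and the "case insensitive" promise is only half covered. Add a fixture whose ignore list contains e.g. `"B"` and assert that a lowercase `b` warning is filtered, which will either pass or expose the asymmetry. The first added assertion `should.equal(filter_severity(full, []), [])` repeats the existing one a few lines up and can be dropped.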
@@ -39,15 +39,19 @@ Optional settings that can be added to your project's gleam.toml
 ```toml
 [go-over]
-# disables caching (default: true)
+# disables caching if false (default: true)
 cache = true
 [go-over.ignore]
-# list of package names to skip when checking for advisories & warnings (default: [])
+# list of package names to skip when checking for advisories & warnings
+# default: []
 packages = ["example_package"]
-# list of warning severities to skip when checking for advisories & warnings (case insensitive) (default: [])
+# list of warning severities to skip when checking for advisories & warnings
+# default: []
+# (case insensitive)
 severity = ["example_moderate"]
-# list of advisory IDs to skip when checking for advisories & warnings (default: [])
+# list of advisory IDs to skip when checking for advisories & warnings
+# default: []
 ids = ["GHSA-xxxx-yyyy-zzzz"]
 ```
diff --git a/gleam.toml b/gleam.toml
index 5414cec..fc7977a 100644
--- a/gleam.toml
+++ b/gleam.toml
@@ -1,5 +1,5 @@
 name = "go_over"
-version = "0.3.0"
+version = "0.3.1"
 licences = ["MIT"]
 repository = { type = "github", user = "bwireman", repo = "go-over" }
 description = "A tool to audit Erlang & Elixir dependency advisories as well as retired hex packages, to make sure your gleam projects really sparkle! ✨"
@@ -9,7 +9,7 @@ internal_modules = [
 "go_over/*",
 ]
-# links = [{ title = "Website", href = "https://gleam.run" }]
+links = [{ title = "AdvisoriesSource", href = "https://github.com/mirego/elixir-security-advisories" }]
 [dependencies]
 gleam_stdlib = ">= 0.34.0 and < 2.0.0"
From 864d0d6112a9805f32f2ea19e82020f27ff0643d Mon Sep 17 00:00:00 2001
From: bwireman
Date: Sat, 1 Jun 2024 15:35:26 -0500
Subject: [PATCH 3/3] remove gleam_erlang and start yamerl directly
---
 gleam.toml | 6 +++---
 manifest.toml | 2 --
 src/go_over.gleam | 2 --
 src/go_over/yaml.gleam | 6 ------
 4 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/gleam.toml b/gleam.toml
index fc7977a..98a5a05 100644
--- a/gleam.toml
+++ b/gleam.toml
@@ -4,12 +4,13 @@ licences = ["MIT"]
 repository = { type = "github", user = "bwireman", repo = "go-over" }
 description = "A tool to audit Erlang & Elixir dependency advisories as well as retired hex packages, to make sure your gleam projects really sparkle! ✨"
 gleam = ">= 0.34.1"
+links = [{ title = "AdvisoriesSource", href = "https://github.com/mirego/elixir-security-advisories" }]
 internal_modules = [
 "go_over/*",
 ]
-links = [{ title = "AdvisoriesSource", href = "https://github.com/mirego/elixir-security-advisories" }]
+extra_applications = ["yamerl"]
 [dependencies]
 gleam_stdlib = ">= 0.34.0 and < 2.0.0"
@@ -18,7 +19,6 @@ simplifile = ">= 1.7.0 and < 2.0.0"
 filepath = ">= 1.0.0 and < 2.0.0"
 tom = ">= 1.0.0 and < 2.0.0"
 yamerl = ">= 0.10.0 and < 1.0.0"
-gleam_erlang = ">= 0.25.0 and < 1.0.0"
 gleam_hexpm = ">= 1.0.0 and < 2.0.0"
 gleam_hackney = ">= 1.2.0 and < 2.0.0"
 gleam_http = ">= 3.6.0 and < 4.0.0"
@@ -35,4 +35,4 @@ cache = true
 [go-over.ignore]
 packages = []
 severity = []
-ids = []
\ No newline at end of file
+ids = []
diff --git a/manifest.toml b/manifest.toml
index 0519b0f..bcc3d72 100644
--- a/manifest.toml
+++ b/manifest.toml
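Review bot: `extra_applications = ["yamerl"]` sits at the top level of gleam.toml, but as far as I know Gleam reads this key from the `[erlang]` table, where an unknown top-level key would be silently ignored. Because the same patch removes the `yaml.start()` assertion from spin_up in src/go_over.gleam (last file of this patch, not annotated separately), nothing would start yamerl any more and the first advisory parse would fail at runtime instead of at startup. Move the key under its table, `[erlang]` / `extra_applications = ["yamerl"]`, and confirm with `gleam run` from a clean build that parsing still works.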
@@ -5,7 +5,6 @@ packages = [
 { name = "birl", version = "1.7.0", build_tools = ["gleam"], requirements = ["gleam_stdlib", "ranger"], otp_app = "birl", source = "hex", outer_checksum = "B1FA529E7BE3FF12CADF32814AB8EC7294E74CEDEE8CC734505707B929A98985" },
 { name = "certifi", version = "2.12.0", build_tools = ["rebar3"], requirements = [], otp_app = "certifi", source = "hex", outer_checksum = "EE68D85DF22E554040CDB4BE100F33873AC6051387BAF6A8F6CE82272340FF1C" },
 { name = "filepath", version = "1.0.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "filepath", source = "hex", outer_checksum = "EFB6FF65C98B2A16378ABC3EE2B14124168C0CE5201553DE652E2644DCFDB594" },
- { name = "gleam_erlang", version = "0.25.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "gleam_erlang", source = "hex", outer_checksum = "054D571A7092D2A9727B3E5D183B7507DAB0DA41556EC9133606F09C15497373" },
 { name = "gleam_hackney", version = "1.2.0", build_tools = ["gleam"], requirements = ["gleam_http", "gleam_stdlib", "hackney"], otp_app = "gleam_hackney", source = "hex", outer_checksum = "066B1A55D37DBD61CC72A1C4EDE43C6015B1797FAF3818C16FE476534C7B6505" },
 { name = "gleam_hexpm", version = "1.0.0", build_tools = ["gleam"], requirements = ["birl", "gleam_stdlib"], otp_app = "gleam_hexpm", source = "hex", outer_checksum = "A5DF5D32BFDE84003B2C2183700D98E106A969C6C6EDE0363A50BB421AFF50B7" },
 { name = "gleam_http", version = "3.6.0", build_tools = ["gleam"], requirements = ["gleam_stdlib"], otp_app = "gleam_http", source = "hex", outer_checksum = "8C07DF9DF8CC7F054C650839A51C30A7D3C26482AC241C899C1CEA86B22DBE51" },
@@ -31,7 +30,6 @@ packages = [
 [requirements]
 birl = { version = ">= 1.7.0 and < 2.0.0" }
 filepath = { version = ">= 1.0.0 and < 2.0.0" }
-gleam_erlang = { version = ">= 0.25.0 and < 1.0.0" }
 gleam_hackney = { version = ">= 1.2.0 and < 2.0.0" }
 gleam_hexpm = { version = ">= 1.0.0 and < 2.0.0" }
 gleam_http = { version = ">= 3.6.0 and < 4.0.0" }
diff --git a/src/go_over.gleam b/src/go_over.gleam
index 8dbd1d0..146d2f6 100644
--- a/src/go_over.gleam
+++ b/src/go_over.gleam
@@ -11,7 +11,6 @@ import go_over/print
 import go_over/retired
 import go_over/util.{iffnil, throwaway}
 import go_over/warning.{type Warning, Warning}
-import go_over/yaml
 import shellout
 import simplifile
@@ -20,7 +19,6 @@ type Flags {
 }
 fn spin_up() -> Flags {
- let assert Ok(_) = yaml.start()
 let args = shellout.arguments()
 let flags =
 Flags(
diff --git a/src/go_over/yaml.gleam b/src/go_over/yaml.gleam
index 1a66f58..c62de09 100644
--- a/src/go_over/yaml.gleam
+++ b/src/go_over/yaml.gleam
@@ -1,12 +1,6 @@
-import gleam/erlang.{type EnsureAllStartedError}
-import gleam/erlang/atom.{type Atom}
 import gleam/list
 import gleam/string
-pub fn start() -> Result(List(Atom), EnsureAllStartedError) {
- erlang.ensure_all_started(atom.create_from_string("yamerl"))
-}
-
 @external(erlang, "yamll", "parse")
 fn read(
 path: String,