
holepicker's People

Contributors

bct, mackuba

holepicker's Issues

looking for a new maintainer

Last year I decided to leave the webdev world and concentrate only on Cocoa development. I still love Ruby as a language (especially as compared to ObjC - Swift is much better though), but it was just too much effort to try to keep up with Ruby, JS and Cocoa all the time, and I had to choose something.

I haven't been up to date with all the latest developments in the Ruby world since then, I'm not even sure which version of Ruby is the latest stable one now (2.1 I think?). I've been updating the Holepicker data file whenever I see tweets about a new Rails release with security fixes, and I've fixed the Rainbow bug, but I'm not willing to put any more effort than that into this project, since I have other projects to maintain too.

So I'm thinking that it would be better both for me and for users if this tool was taken over by someone who is still using Ruby daily and can take better care of it. Anyone interested?

cc @cbeer @manuelvanrijn @xiazek @bct @TimPeters @pascalvanhecke @elhu @spk @ghost @lasseebert @AlexMC @adelevie

Add option to only give output when vulnerable gems are found

I'm trying to write a holepicker / nagios check. I now use the following grep rule:

~$ holepicker -f /etc/nginx/sites-enabled | grep -v -e OK -e Looking -e Fetching -e "No vulnerabilities" -e "✔"

But this is not always working, sometimes it gives other output and sometimes it just fails without errors.

Would it be possible to add an option (--silent for example) which would only give output when vulnerable gems are found?

Also, a --compact or --summary option which would only give the number of vulnerable gems (or 0 if none found) would be helpful for integrating holepicker in nagios.

undefined method `version' for HolePicker:Module

When I try to use holepicker recipe in "cap deploy" I get the following output:

"Can't download latest data file xpto: undefined method `version' for HolePicker:Module"

It's easy to bypass by including: "require 'holepicker/version'" in database.rb but probably this isn't the best way...

Can't download latest data file

I am getting this error:

Can't download latest data file: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

HolePicker shouldn't always exit if data file can't be downloaded

Hi,

I'm using HolePicker as a library, not as a CLI tool, and I came across a behaviour that seems a bit extreme.

If HolePicker can't download the data file, it prints out an error and exits. This behaviour is fine in the context of the command line tool, but isn't when using DatePicker as a library (DatePicker shouldn't cause my program to exit).

I think that if DatePicker::OnlineDatabase fails to download the data file, it should raise an exception, that could then either be handled in bin/holepicker for the CLI tool, or in the Capistrano recipe (probably with an option to decide whether to exit or not), or in any arbitrary code using HolePicker as a library.

If you think this feature could be useful, please let me know and I'll be happy to provide a pull-request!

undefined method `color' for "2 vulnerable gems found

Just installed and tried to run holepicker as per the README instructions, got this error:

holepicker my_app
Fetching list of vulnerabilities...
Looking for gemfiles...
/home/sam/code/my_app/Gemfile.lock: /home/sam/.rvm/gems/ruby-2.0.0-p353/gems/holepicker-0.3.1/lib/holepicker/logger.rb:23:in `fail': undefined method `color' for "2 vulnerable gems found!":String (NoMethodError)
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/gems/holepicker-0.3.1/lib/holepicker/scanner.rb:77:in `scan_gemfile'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/gems/holepicker-0.3.1/lib/holepicker/scanner.rb:58:in `block in scan_path'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/gems/holepicker-0.3.1/lib/holepicker/scanner.rb:58:in `each'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/gems/holepicker-0.3.1/lib/holepicker/scanner.rb:58:in `scan_path'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/gems/holepicker-0.3.1/lib/holepicker/scanner.rb:42:in `block in scan'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/gems/holepicker-0.3.1/lib/holepicker/scanner.rb:42:in `each'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/gems/holepicker-0.3.1/lib/holepicker/scanner.rb:42:in `scan'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/gems/holepicker-0.3.1/bin/holepicker:64:in `<top (required)>'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/bin/holepicker:23:in `load'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/bin/holepicker:23:in `<main>'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/bin/ruby_executable_hooks:15:in `eval'
    from /home/sam/.rvm/gems/ruby-2.0.0-p353/bin/ruby_executable_hooks:15:in `<main>'

Can't handle gems with platform in version

When I run holepicker against this minimal Gemfile.lock:

GEM
  remote: https://rubygems.org/
  specs:
    win32console (1.3.2-x86-mingw32)

PLATFORMS
  x86-mingw32

DEPENDENCIES
  win32console

I get:

/home/bct/src/test/Gemfile.lock: /home/bct/.rbenv/versions/1.9.3-p374/lib/ruby/1.9.1/rubygems/version.rb:187:in `initialize': Malformed version number string 1.3.2-x86-mingw32 (ArgumentError)
from /home/bct/.rbenv/versions/1.9.3-p374/lib/ruby/gems/1.9.1/gems/holepicker-0.1.1/lib/holepicker/gem.rb:14:in `new'
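
The failure reported above comes from passing the whole parenthesised string of a `specs:` line to `Gem::Version`. The following is an added example, not holepicker's own code: it reads the gem lines of a Gemfile.lock and splits the platform suffix off at the first hyphen before building the version, so the gem can still be compared against a fixed-in version. The names `parse_locked_gems`, `vulnerable?` and `LockedGem`, the gem `examplegem` and the fixed-in version `2.0.2` are assumptions made for illustration.

```ruby
require 'rubygems'

# One gem line of a "specs:" section: exactly four spaces of indent, then
# "name (version)" or "name (version-platform)". The version is everything
# up to the first "-"; whatever follows is the platform.
SPEC_LINE = /\A {4}(\S+) \(([^\-)]+)(?:-([^)]+))?\)\z/

LockedGem = Struct.new(:name, :version, :platform)

# Returns a LockedGem for every gem listed under any "specs:" section.
def parse_locked_gems(lockfile_text)
  in_specs = false
  gems = []
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line.strip == 'specs:'
      in_specs = true
    elsif line =~ /\A\S/ # next top-level section (PLATFORMS, DEPENDENCIES, ...)
      in_specs = false
    elsif in_specs && (m = SPEC_LINE.match(line))
      gems << LockedGem.new(m[1], Gem::Version.new(m[2]), m[3])
    end
  end
  gems
end

# True when the locked version is older than the version carrying the fix.
def vulnerable?(locked_gem, fixed_in)
  locked_gem.version < Gem::Version.new(fixed_in)
end

# Constructed sample: the lockfile from the report above plus one made-up
# entry ("examplegem") that has a dependency line and a platform suffix.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      win32console (1.3.2-x86-mingw32)
      examplegem (2.0.1-java)
        win32console (>= 1.3.0)

  PLATFORMS
    x86-mingw32

  DEPENDENCIES
    win32console
LOCK

parse_locked_gems(SAMPLE_LOCK).each do |g|
  puts "#{g.name} #{g.version} (platform: #{g.platform || 'ruby'})"
end
```

The deeper-indented dependency lines and the `DEPENDENCIES` section are skipped on purpose, since only the `specs:` entries carry the resolved versions a vulnerability check should compare.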

Use as a Ruby library

Is this possible? I tried HolePicker::Scanner.new('Gemfile.lock').scan, but this just prints a report (instead of returning a Ruby Hash/Object).
