Audit an organization for known vulnerable gems
require 'rubygems'
require 'base64'
require 'bundler/audit/cli'
require 'bundler/audit/database'
require 'octokit'
require 'parallel'
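# Refresh the local ruby-advisory-db checkout so that the check_gem calls below
# run against current advisories. Same effect as `bundle-audit update`; needs
# network access (and git) at startup.
Bundler::Audit::CLI.new.update

# GitHub organization to audit; first CLI argument, defaulting to "github".
ORG = ARGV[0] || "github"

# The run lists the org's *private* repositories and reads their Gemfile.lock,
# so the token must grant that access. With no token Octokit would run
# unauthenticated: private repos would not be visible (or the call would be
# rejected) and the scan would report a "clean" org it never looked at.
# Fail closed instead of scanning nothing silently.
token = ENV['GITHUB_AUTH_TOKEN']
abort "GITHUB_AUTH_TOKEN is not set; refusing to audit #{ORG} unauthenticated" if token.to_s.empty?

Octokit.configure do |c|
  # Fetch every page of organization_repositories up front. Without this an
  # org with more repos than one API page would be silently truncated to the
  # first page. Cost: one request per page against the rate limit.
  c.auto_paginate = true
  c.access_token = token
end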
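database = Bundler::Audit::Database.new

# Only the org's private repositories are audited; its public repos are skipped.
repos = Octokit.organization_repositories(ORG, type: :private)

# full_name => array of advisory hashes. Every repo that has a root
# Gemfile.lock gets an entry, including repos with no findings (empty array),
# so "vulnerable repos" must be derived by filtering, not by results.count.
results = {}
# results is written from all worker threads; Hash is not safe to mutate
# concurrently, so serialize the writes.
results_lock = Mutex.new

# NOTE(review): 32 concurrent requests against api.github.com may trip GitHub's
# secondary/abuse rate limiting on large orgs; Octokit raises on that and the
# whole run aborts. Lower the thread count if that happens.
Parallel.each(repos, in_threads: 32) do |repo_resource|
  full_name = repo_resource.full_name

  # Only the lockfile at the repository root is checked; lockfiles in
  # subdirectories (monorepos) are not discovered.
  maybe_lock_file = begin
    Octokit.contents(full_name, path: "Gemfile.lock")
  rescue Octokit::NotFound
    next # no Gemfile.lock: nothing to audit in this repo
  end

  # NOTE(review): the contents API only inlines base64 content for files up to
  # ~1 MB; a larger lockfile would decode to an empty string, parse to zero
  # specs and be reported as clean. Confirm no repo is anywhere near that.
  gemfile_dot_lock = Base64.decode64(maybe_lock_file.content)

  specs = begin
    Bundler::LockfileParser.new(gemfile_dot_lock).specs
  rescue Bundler::LockfileError => e
    # A malformed lockfile (e.g. unresolved merge conflict markers) must not
    # take down the audit of every other repo in the org.
    warn "could not parse Gemfile.lock in #{full_name}: #{e.message}"
    next
  end

  # One hash per advisory, so a gem hit by several advisories is counted once
  # per advisory, not once per gem.
  vulnerable_gems = []
  specs.each do |gem|
    database.check_gem(gem) do |advisory|
      vulnerable_gems << {
        title: advisory.title,
        patched_versions: advisory.patched_versions,
        description: advisory.description
      }
    end
  end
  results_lock.synchronize { results[full_name] = vulnerable_gems }

  if vulnerable_gems.any?
    puts ":sadface: found #{vulnerable_gems.count} vulnerable gems in #{full_name}"
  else
    puts "√ Yay no known vulns in #{full_name}"
  end
end

puts "*" * 20
# Count only repos that actually had findings; results also holds the clean
# ones (empty arrays), which the original summary wrongly counted as vulnerable.
vulnerable_repo_count = results.count { |_, advisories| advisories.any? }
total_advisories = results.values.map(&:count).reduce(0, :+)
puts "There are #{vulnerable_repo_count} vulnerable repos with a combined #{total_advisories} vulnerable gems"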