Add RustSec source

.circleci/config.yml

@@ -8,33 +8,30 @@ jobs:
     steps:
     - checkout
 
-    - name: Install Bundler Version
-      type: shell
-      command: gem install bundler -v 1.16
-
     - name: Prepare yavdb cache
       type: shell
       command: echo "$(date)" > /tmp/yavdb.cache.log
 
     - name: Restore gem cache
       type: cache-restore
       keys:
-      - 2-gem-yavdb-{{ checksum "Gemfile.lock" }}
-      - 2-gem-yavdb-
+      - gem-cache-1-{{ checksum "Gemfile.lock" }}
 
     - name: Restore yavdb cache
       type: cache-restore
       keys:
-      - 1-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
-      - 1-crawler-yavdb-cache-
+      - 2-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
+      - 2-crawler-yavdb-cache
 
     - name: Bundle Install
       type: shell
-      command: bundle install --path /tmp/vendor/bundle
+      command: |
+        sudo gem update --system
+        bundle install --path /tmp/vendor/bundle
 
     - name: Save bundler cache
       type: cache-save
-      key: 2-gem-yavdb-{{ checksum "Gemfile.lock" }}
+      key: gem-cache-1-{{ checksum "Gemfile.lock" }}
       paths:
       - /tmp/vendor/bundle
 
@@ -48,7 +45,7 @@ jobs:
 
     - name: Save yavdb cache
       type: cache-save
-      key: 1-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
+      key: 2-crawler-yavdb-cache-{{ checksum "/tmp/yavdb.cache.log" }}
       paths:
       - ~/.yavdb/cache
 

Gemfile.lock

@@ -1,20 +1,22 @@
 PATH
   remote: .
   specs:
-    yavdb (0.4.6)
+    yavdb (0.5.0)
       execjs (~> 2.7.0)
       json (~> 2.1)
       kramdown (~> 1.17)
       oga (~> 2.15)
       semantic_interval (~> 0.1)
       therubyracer (~> 0.12)
       thor (~> 0.20)
+      toml-rb (~> 1.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
     ansi (1.5.0)
     ast (2.4.0)
+    citrus (3.0.2)
     codacy-coverage (2.1.0)
       simplecov
     diff-lcs (1.3)
@@ -27,8 +29,8 @@ GEM
     oga (2.15)
       ast
       ruby-ll (~> 2.1)
-    parallel (1.12.1)
-    parser (2.5.3.0)
+    parallel (1.13.0)
+    parser (2.6.0.0)
       ast (~> 2.4.0)
     powerpack (0.1.2)
     rainbow (3.0.0)
@@ -49,15 +51,15 @@ GEM
     rspec-support (3.8.0)
     rspec_junit_formatter (0.4.1)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (0.62.0)
+    rubocop (0.64.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
       parser (>= 2.5, != 2.5.1.1)
       powerpack (~> 0.1)
       rainbow (>= 2.2.2, < 4.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (~> 1.4.0)
-    rubocop-rspec (1.31.0)
+    rubocop-rspec (1.32.0)
       rubocop (>= 0.60.0)
     ruby-ll (2.1.2)
       ansi
@@ -73,6 +75,8 @@ GEM
       libv8 (~> 3.16.14.15)
       ref
     thor (0.20.3)
+    toml-rb (1.1.2)
+      citrus (~> 3.0, > 3.0)
     unicode-display_width (1.4.1)
 
 PLATFORMS
@@ -89,4 +93,4 @@ DEPENDENCIES
   yavdb!
 
 BUNDLED WITH
-   1.16.0
+   1.17.3

README.md

@@ -12,10 +12,10 @@ developers identify and fix know vulnerabilities in their apps.
 The sources for this database include 
 [Rubysec](https://rubysec.com/),
 [snyk](https://snyk.io/),
-[OSSIndex (deprecated)](https://ossindex.net/),
 [Friends of PHP](https://github.com/FriendsOfPHP/security-advisories),
 [Magento Related Security Advisories](https://github.com/victims/victims-cve-db),
-[Victims CVE Database](https://github.com/victims/victims-cve-db)
+[Victims CVE Database](https://github.com/victims/victims-cve-db),
+[RustSec](https://github.com/RustSec/advisory-db)
 
 ## Prerequisites
 

lib/yavdb/constants.rb

@@ -28,7 +28,7 @@ module Constants
     DEFAULT_YAVDB_DATABASE_PATH = File.expand_path(File.join(DEFAULT_YAVDB_PATH, 'database')).freeze
     DEFAULT_CACHE_PATH          = File.expand_path(File.join(ENV['HOME'], '.yavdb', 'cache')).freeze
 
-    POSSIBLE_PACKAGE_MANAGERS = ['npm', 'rubygems', 'maven', 'nuget', 'packagist', 'pypi', 'go'].freeze
+    POSSIBLE_PACKAGE_MANAGERS = ['npm', 'rubygems', 'maven', 'nuget', 'packagist', 'pypi', 'go', 'cargo'].freeze
 
     SEVERITIES = ['low', 'medium', 'high'].freeze
 

lib/yavdb/sources/rustsec.rb

@@ -0,0 +1,89 @@
+# yavdb - The Free and Open Source vulnerability database
+# Copyright (C) 2017-present Rodrigo Fernandes
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+require 'date'
+require 'toml-rb'
+
+require_relative '../dtos/advisory'
+require_relative '../source_types/git_repo'
+
+module YAVDB
+  module Sources
+    module RustSec
+      class Client
+
+        REPOSITORY_URL = 'https://github.com/RustSec/advisory-db'.freeze
+        PACKAGE_MANAGER = 'cargo'.freeze
+
+        def self.advisories
+          YAVDB::SourceTypes::GitRepo.search('crates/**/*.toml', REPOSITORY_URL).map do |repo_path, file_paths|
+            Dir.chdir(repo_path) do
+              file_paths.map do |file_path|
+                advisory_hash = TomlRB.load_file(file_path)
+                create(advisory_hash['advisory'])
+              end
+            end
+          end.flatten
+        end
+
+        class << self
+
+          private
+
+          def create(advisory_hash)
+            date = Date.strptime(advisory_hash['date'].to_s, '%Y-%m-%d')
+            severity = 'high' # since no value is provided will use highest
+            cve = advisory_hash['aliases']&.select { |a| a.start_with?('CVE') }
+            references = advisory_hash['url'] && [advisory_hash['url']]
+
+            vuln_id = "rustsec:cargo:#{advisory_hash['package']}:#{advisory_hash['id']}"
+
+            YAVDB::Advisory.new(
+              vuln_id,
+              advisory_hash['title'],
+              advisory_hash['description'],
+              advisory_hash['package'],
+              nil,
+              advisory_hash['unaffected_versions'],
+              advisory_hash['patched_versions'],
+              severity,
+              PACKAGE_MANAGER,
+              cve,
+              nil, #:cwe
+              nil,
+              nil, #:cvss_v2_vector
+              nil,
+              nil, #:cvss_v3_vector
+              nil,
+              date,
+              date,
+              date,
+              ['RustSec'],
+              references,
+              generate_url(advisory_hash)
+            )
+          end
+
+          def generate_url(advisory_hash)
+            "#{REPOSITORY_URL}/blob/master/crates/#{advisory_hash['package']}/#{advisory_hash['id']}.toml"
+          end
+
+        end
+
+      end
+    end
+  end
+end

lib/yavdb/version.rb

@@ -16,6 +16,6 @@
 
 module YAVDB
 
-  VERSION = '0.4.6'
+  VERSION = '0.5.0'
 
 end

yavdb.gemspec

@@ -42,4 +42,5 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'semantic_interval', ['~> 0.1']
   spec.add_runtime_dependency 'therubyracer', ['~> 0.12']
   spec.add_runtime_dependency 'thor', ['~> 0.20']
+  spec.add_runtime_dependency 'toml-rb', ['~> 1.1']
 end