bundler-audit-ng 0.6.1

data/ChangeLog.md

@@ -0,0 +1,129 @@
+### 0.6.1 / 2019-01-17
+
+* Require bundler `>= 1.2.0, < 3` to support [bundler] 2.0.
+
+### 0.6.0 / 2017-07-18
+
+* Added `--quiet` option to `check` and `update` commands (@jaredbeck).
+* Added `bin/bundler-audit` which will be executed when `bundle audit` is ran
+  (@vassilevsky).
+
+### 0.5.0 / 2016-02-28
+
+* Added {Bundler::Audit::Task}.
+* Added {Bundler::Audit::Advisory#date}.
+* Added {Bundler::Audit::Advisory#cve_id}.
+* Added {Bundler::Audit::Advisory#osvdb_id}.
+* Allow insecure gem sources (`http://` and `git://`), if they are hosted on a
+  private network.
+
+#### CLI
+
+* Added the `--update` option to `bundle-audit check`.
+* `bundle-audit update` now returns a non-zero exit status on error.
+* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
+  repository.
+
+### 0.4.0 / 2015-06-30
+
+* Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
+* Added {Bundler::Audit::Advisory#osvdb}.
+* Resolve the IP addresses of gem sources and ignore intranet gem sources.
+  (PR #90)
+* Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
+  (PR #92)
+
+#### CLI
+
+* Print the CVE or OSVDB id.
+* No longer print "Unpatched versions found!" when an insecure gem source
+  is detected. (PR #84)
+
+### 0.3.1 / 2014-04-20
+
+* Added thor ~> 0.18 as a dependency.
+* No longer rely on the vendored version of thor within bundler.
+* Store the timestamp of when `data/ruby-advisory-db` was last updated in
+  `data/ruby-advisory-db.ts`.
+* Use `data/ruby-advisory-db.ts` instead of the creation time of the
+  `dataruby-advisory-db` directory, which is always the install time
+  of the rubygem.
+
+### 0.3.0 / 2013-10-31
+
+* Added {Bundler::Audit::Database.update!} which uses `git` to download
+  [ruby-advisory-db] to `~/.local/share/ruby-advisory-db`.
+* {Bundler::Audit::Database.path} now returns the path to either
+  `~/.local/share/ruby-advisory-db` or the vendored copy, depending on which
+  is more recent.
+
+#### CLI
+
+* Added the `bundle-audit update` sub-command.
+
+### 0.2.0 / 2013-03-05
+
+* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
+  parse approximate version requirements (`~> 1.2.3`).
+* Updated the [ruby-advisory-db].
+* Added {Bundler::Audit::Advisory#unaffected_versions}.
+* Added {Bundler::Audit::Advisory#unaffected?}.
+* Added {Bundler::Audit::Advisory#patched?}.
+* Renamed `Advisory#cve` to {Bundler::Audit::Advisory#id}.
+
+### 0.1.2 / 2013-02-17
+
+* Require [bundler] ~> 1.2.
+* Vendor a full copy of the [ruby-advisory-db].
+* Added {Bundler::Audit::Advisory#path} for debugging purposes.
+* Added {Bundler::Audit::Advisory#to_s} for debugging purposes.
+
+#### CLI
+
+* Simply parse the `Gemfile.lock` instead of loading the bundle (@grosser).
+* Exit with non-zero status on failure (@grosser).
+
+### 0.1.1 / 2013-02-12
+
+* Fixed a Ruby 1.8 syntax error.
+
+### Advisories
+
+* Imported advisories from the [Ruby Advisory DB][ruby-advisory-db].
+  * [CVE-2011-0739](http://www.osvdb.org/show/osvdb/70667)
+  * [CVE-2012-2139](http://www.osvdb.org/show/osvdb/81631)
+  * [CVE-2012-2140](http://www.osvdb.org/show/osvdb/81632)
+  * [CVE-2012-267](http://osvdb.org/83077)
+  * [CVE-2012-1098](http://osvdb.org/79726)
+  * [CVE-2012-1099](http://www.osvdb.org/show/osvdb/79727)
+  * [CVE-2012-2660](http://www.osvdb.org/show/osvdb/82610)
+  * [CVE-2012-2661](http://www.osvdb.org/show/osvdb/82403)
+  * [CVE-2012-3424](http://www.osvdb.org/show/osvdb/84243)
+  * [CVE-2012-3463](http://osvdb.org/84515)
+  * [CVE-2012-3464](http://www.osvdb.org/show/osvdb/84516)
+  * [CVE-2012-3465](http://www.osvdb.org/show/osvdb/84513)
+
+### CLI
+
+* If the advisory has no `patched_versions`, recommend removing or disabling
+  the gem until a patch is made available.
+
+### 0.1.0 / 2013-02-11
+
+* Initial release:
+  * Checks for vulnerable versions of gems in `Gemfile.lock`.
+  * Prints advisory information.
+  * Does not require a network connection.
+
+#### Advisories
+
+* [CVE-2013-0269](http://direct.osvdb.org/show/osvdb/90074)
+* [CVE-2013-0263](http://osvdb.org/show/osvdb/89939)
+* [CVE-2013-0155](http://osvdb.org/show/osvdb/89025)
+* [CVE-2013-0156](http://osvdb.org/show/osvdb/89026)
+* [CVE-2013-0276](http://direct.osvdb.org/show/osvdb/90072)
+* [CVE-2013-0277](http://direct.osvdb.org/show/osvdb/90073)
+* [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
+
+[bundler]: http://gembundler.com/
+[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org/'
+
+gemspec
+
+group :development do
+  gem 'rake'
+  gem 'kramdown',       '~> 0.14'
+
+  gem 'rubygems-tasks', '~> 0.2'
+  gem 'rspec',          '~> 3.0'
+  gem 'yard',           '~> 0.9'
+  gem 'simplecov',      '~> 0.7', :require => false
+end

data/README.md

@@ -0,0 +1,168 @@
+# bundler-audit
+[![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg?branch=master)](https://travis-ci.org/rubysec/bundler-audit)
+[![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
+
+* [Homepage](https://github.com/rubysec/bundler-audit#readme)
+* [Issues](https://github.com/rubysec/bundler-audit/issues)
+* [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
+* [Email](mailto:postmodern.mod3 at gmail.com)
+
+## Description
+
+Patch-level verification for [bundler].
+
+## Features
+
+* Checks for vulnerable versions of gems in `Gemfile.lock`.
+* Checks for insecure gem sources (`http://`).
+* Allows ignoring certain advisories that have been manually worked around.
+* Prints advisory information.
+* Does not require a network connection.
+
+## Synopsis
+
+Audit a project's `Gemfile.lock`:
+
+    $ bundle-audit
+    Name: actionpack
+    Version: 3.2.10
+    Advisory: OSVDB-91452
+    Criticality: Medium
+    URL: http://www.osvdb.org/show/osvdb/91452
+    Title: XSS vulnerability in sanitize_css in Action Pack
+    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+    Name: actionpack
+    Version: 3.2.10
+    Advisory: OSVDB-91454
+    Criticality: Medium
+    URL: http://osvdb.org/show/osvdb/91454
+    Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
+    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+    Name: actionpack
+    Version: 3.2.10
+    Advisory: OSVDB-89026
+    Criticality: High
+    URL: http://osvdb.org/show/osvdb/89026
+    Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
+    Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+    Name: activerecord
+    Version: 3.2.10
+    Advisory: OSVDB-91453
+    Criticality: High
+    URL: http://osvdb.org/show/osvdb/91453
+    Title: Symbol DoS vulnerability in Active Record
+    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+    Name: activerecord
+    Version: 3.2.10
+    Advisory: OSVDB-90072
+    Criticality: Medium
+    URL: http://direct.osvdb.org/show/osvdb/90072
+    Title: Ruby on Rails Active Record attr_protected Method Bypass
+    Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
+
+    Name: activerecord
+    Version: 3.2.10
+    Advisory: OSVDB-89025
+    Criticality: High
+    URL: http://osvdb.org/show/osvdb/89025
+    Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
+    Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+    Name: activesupport
+    Version: 3.2.10
+    Advisory: OSVDB-91451
+    Criticality: High
+    URL: http://www.osvdb.org/show/osvdb/91451
+    Title: XML Parsing Vulnerability affecting JRuby users
+    Solution: upgrade to ~> 3.1.12, >= 3.2.13
+
+    Unpatched versions found!
+
+Update the [ruby-advisory-db] that `bundle audit` uses:
+
+    $ bundle-audit update
+    Updating ruby-advisory-db ...
+    remote: Counting objects: 44, done.
+    remote: Compressing objects: 100% (24/24), done.
+    remote: Total 39 (delta 19), reused 29 (delta 10)
+    Unpacking objects: 100% (39/39), done.
+    From https://github.com/rubysec/ruby-advisory-db
+     * branch            master     -> FETCH_HEAD
+    Updating 5f8225e..328ca86
+    Fast-forward
+     CONTRIBUTORS.md                    |  1 +
+     gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
+     gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
+     gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
+     gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
+     gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
+     6 files changed, 73 insertions(+)
+     create mode 100644 gems/actionmailer/OSVDB-98629.yml
+     create mode 100644 gems/cocaine/OSVDB-98835.yml
+     create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
+     create mode 100644 gems/sounder/OSVDB-96278.yml
+     create mode 100644 gems/wicked/OSVDB-98270.yml
+    ruby-advisory-db: 64 advisories
+
+Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
+
+    $ bundle-audit check --update
+
+Ignore specific advisories:
+
+    $ bundle-audit check --ignore OSVDB-108664
+
+Rake task:
+
+```ruby
+require 'bundler/audit/task'
+Bundler::Audit::Task.new
+
+task default: 'bundle:audit'
+```
+
+## Requirements
+
+* [ruby] >= 1.9.3
+* [rubygems] >= 1.8
+* [thor] ~> 0.18
+* [bundler] ~> 1.2
+
+## Install
+
+    $ gem install bundler-audit
+
+## Contributing
+
+1. Clone the repo
+1. `git submodule update --init` # To populate data/ruby-advisory-db
+1. `bundle exec rake`
+
+## License
+
+Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+
+bundler-audit is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+bundler-audit is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+
+[ruby]: https://ruby-lang.org
+[rubygems]: https://rubygems.org
+[thor]: http://whatisthor.com/
+[bundler]: https://github.com/carlhuda/bundler#readme
+
+[OSVDB]: http://osvdb.org/
+[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db

data/Rakefile

@@ -0,0 +1,57 @@
+# encoding: utf-8
+
+require 'rubygems'
+
+begin
+  require 'bundler/setup'
+rescue LoadError => e
+  abort e.message
+end
+
+require 'rake'
+require 'time'
+
+require 'rubygems/tasks'
+Gem::Tasks.new
+
+namespace :db do
+  desc 'Updates data/ruby-advisory-db'
+  task :update do
+    timestamp = nil
+
+    chdir 'data/ruby-advisory-db' do
+      sh 'git', 'pull', 'origin', 'master'
+
+      File.open('../ruby-advisory-db.ts','w') do |file|
+        file.write Time.parse(`git log --pretty="%cd" -1`).utc
+      end
+    end
+
+    sh 'git', 'commit', 'data/ruby-advisory-db',
+                        'data/ruby-advisory-db.ts',
+                        '-m', 'Updated ruby-advisory-db'
+  end
+end
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
+
+namespace :spec do
+  task :bundle do
+    root = 'spec/bundle'
+
+    %w[secure unpatched_gems insecure_sources].each do |bundle|
+      chdir(File.join(root,bundle)) do
+        sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
+      end
+    end
+  end
+end
+task :spec => 'spec:bundle'
+
+task :test    => :spec
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new  
+task :doc => :yard

data/bin/bundle-audit

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+
+lib_dir = File.expand_path(File.join(File.dirname(__FILE__),'..','lib'))
+$LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+require 'bundler/audit/cli'
+
+Bundler::Audit::CLI.start

data/bin/bundler-audit

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+
+load File.expand_path('../bundle-audit', __FILE__)

data/bundler-audit.gemspec

@@ -0,0 +1,67 @@
+# encoding: utf-8
+
+require 'yaml'
+
+Gem::Specification.new do |gem|
+  gemspec = YAML.load_file('gemspec.yml')
+
+  gem.name    = gemspec.fetch('name')
+  gem.version = gemspec.fetch('version') do
+                  lib_dir = File.join(File.dirname(__FILE__),'lib')
+                  $LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+                  require 'bundler/audit/version'
+                  Bundler::Audit::VERSION
+                end
+
+  gem.summary     = gemspec['summary']
+  gem.description = gemspec['description']
+  gem.licenses    = Array(gemspec['license'])
+  gem.authors     = Array(gemspec['authors'])
+  gem.email       = gemspec['email']
+  gem.homepage    = gemspec['homepage']
+
+  glob = lambda { |patterns| gem.files & Dir[*patterns] }
+
+  gem.files = `git ls-files`.split($/)
+  gem.files = glob[gemspec['files']] if gemspec['files']
+
+  # add paths from data/ruby-advisory-db/
+  gem.files += Dir.chdir('data/ruby-advisory-db') do
+    `git ls-files`.split($/).map do |sub_path|
+      File.join('data','ruby-advisory-db',sub_path)
+    end
+  end
+
+  gem.executables = gemspec.fetch('executables') do
+    glob['bin/*'].map { |path| File.basename(path) }
+  end
+  gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
+
+  gem.extensions       = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
+  gem.test_files       = glob[gemspec['test_files'] || '{test/{**/}*_test.rb']
+  gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
+
+  gem.require_paths = Array(gemspec.fetch('require_paths') {
+    %w[ext lib].select { |dir| File.directory?(dir) }
+  })
+
+  gem.requirements              = gemspec['requirements']
+  gem.required_ruby_version     = gemspec['required_ruby_version']
+  gem.required_rubygems_version = gemspec['required_rubygems_version']
+  gem.post_install_message      = gemspec['post_install_message']
+
+  split = lambda { |string| string.split(/,\s*/) }
+
+  if gemspec['dependencies']
+    gemspec['dependencies'].each do |name,versions|
+      gem.add_dependency(name,split[versions])
+    end
+  end
+
+  if gemspec['development_dependencies']
+    gemspec['development_dependencies'].each do |name,versions|
+      gem.add_development_dependency(name,split[versions])
+    end
+  end
+end