bundler-audit-ng 0.6.1

data/lib/bundler/audit/scanner.rb

@@ -0,0 +1,213 @@
+require 'bundler'
+require 'bundler/audit/database'
+require 'bundler/lockfile_parser'
+
+require 'ipaddr'
+require 'resolv'
+require 'set'
+require 'uri'
+
+module Bundler
+  module Audit
+    class Scanner
+
+      # Represents a plain-text source
+      InsecureSource = Struct.new(:source)
+
+      # Represents a gem that is covered by an Advisory
+      UnpatchedGem = Struct.new(:gem, :advisory)
+
+      # The advisory database
+      #
+      # @return [Database]
+      attr_reader :database
+
+      # Project root directory
+      attr_reader :root
+
+      # The parsed `Gemfile.lock` from the project
+      #
+      # @return [Bundler::LockfileParser]
+      attr_reader :lockfile
+
+      #
+      # Initializes a scanner.
+      #
+      # @param [String] root
+      #   The path to the project root.
+      #
+      # @param [String] gemfile_lock
+      #   Alternative name for the `Gemfile.lock` file.
+      #
+      def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock')
+        @root     = File.expand_path(root)
+        @database = Database.new
+        @lockfile = LockfileParser.new(
+          File.read(File.join(@root,gemfile_lock))
+        )
+      end
+
+      #
+      # Scans the project for issues.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [InsecureSource, UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      def scan(options={},&block)
+        return enum_for(__method__,options) unless block
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
+
+        scan_sources(options,&block)
+        scan_specs(options,&block)
+
+        return self
+      end
+
+      #
+      # Scans the gem sources in the lockfile.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [InsecureSource] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      # @api semipublic
+      #
+      # @since 0.4.0
+      #
+      def scan_sources(options={})
+        return enum_for(__method__,options) unless block_given?
+
+        @lockfile.sources.map do |source|
+          case source
+          when Source::Git
+            case source.uri
+            when /^git:/, /^http:/
+              unless internal_source?(source.uri)
+                yield InsecureSource.new(source.uri)
+              end
+            end
+          when Source::Rubygems
+            source.remotes.each do |uri|
+              if (uri.scheme == 'http' && !internal_source?(uri))
+                yield InsecureSource.new(uri.to_s)
+              end
+            end
+          end
+        end
+      end
+
+      #
+      # Scans the gem sources in the lockfile.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      # @api semipublic
+      #
+      # @since 0.4.0
+      #
+      def scan_specs(options={})
+        return enum_for(__method__,options) unless block_given?
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
+
+        @lockfile.specs.each do |gem|
+          @database.check_gem(gem) do |advisory|
+            is_ignored = ignore.intersect?(advisory.identifiers.to_set)
+            next if is_ignored
+
+            yield UnpatchedGem.new(gem,advisory)
+          end
+        end
+      end
+
+      private
+
+      #
+      # Determines whether a source is internal.
+      #
+      # @param [URI, String] uri
+      #   The URI.
+      #
+      # @return [Boolean]
+      #
+      def internal_source?(uri)
+        uri = URI(uri)
+
+        internal_host?(uri.host) if uri.host
+      end
+
+      #
+      # Determines whether a host is internal.
+      #
+      # @param [String] host
+      #   The hostname.
+      #
+      # @return [Boolean]
+      #
+      def internal_host?(host)
+        Resolv.getaddresses(host).all? { |ip| internal_ip?(ip) }
+      rescue URI::Error
+        false
+      end
+
+      # List of internal IP address ranges.
+      #
+      # @see https://tools.ietf.org/html/rfc1918#section-3
+      # @see https://tools.ietf.org/html/rfc4193#section-8
+      INTERNAL_SUBNETS = %w[
+        10.0.0.0/8
+        172.16.0.0/12
+        192.168.0.0/16
+        fc00::/7
+      ].map(&IPAddr.method(:new))
+
+      #
+      # Determines whether an IP is internal.
+      #
+      # @param [String] ip
+      #   The IPv4/IPv6 address.
+      #
+      # @return [Boolean]
+      #
+      def internal_ip?(ip)
+        INTERNAL_SUBNETS.any? { |subnet| subnet.include?(ip) }
+      end
+    end
+  end
+end

data/lib/bundler/audit/task.rb

@@ -0,0 +1,31 @@
+require 'rake/tasklib'
+
+module Bundler
+  module Audit
+    class Task < Rake::TaskLib
+      #
+      # Initializes the task.
+      #
+      def initialize
+        define
+      end
+
+      protected
+
+      #
+      # Defines the `bundle:audit` task.
+      #
+      def define
+        namespace :bundle do
+          desc 'Updates the ruby-advisory-db then runs bundle-audit'
+          task :audit do
+            require 'bundler/audit/cli'
+            %w(update check).each do |command|
+              Bundler::Audit::CLI.start [command]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/audit/version.rb

@@ -0,0 +1,23 @@
+#
+# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+module Bundler
+  module Audit
+    # bundler-audit version
+    VERSION = '0.6.1'
+  end
+end

data/spec/advisory_spec.rb

@@ -0,0 +1,282 @@
+require 'spec_helper'
+require 'bundler/audit/database'
+require 'bundler/audit/advisory'
+
+describe Bundler::Audit::Advisory do
+  let(:root) { Bundler::Audit::Database::VENDORED_PATH }
+  let(:gem)  { 'actionpack' }
+  let(:id)   { 'OSVDB-84243' }
+  let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
+  let(:an_unaffected_version) do
+    Bundler::Audit::Advisory.load(path).unaffected_versions.map { |version_rule|
+      # For all the rules, get the individual constraints out and see if we
+      # can find a suitable one...
+      version_rule.requirements.select { |(constraint, gem_version)|
+        # We only want constraints where the version number specified is
+        # one of the unaffected version.  I.E. we don't want ">", "<", or if
+        # such a thing exists, "!=" constraints.
+        ['~>', '>=', '=', '<='].include?(constraint)
+      }.map { |(constraint, gem_version)|
+        # Fetch just the version component, which is a Gem::Version,
+        # and extract the string representation of the version.
+        gem_version.version
+      }
+    }.flatten.first
+  end
+
+  subject { described_class.load(path) }
+
+  describe "load" do
+    let(:data) { YAML.load_file(path) }
+
+    describe '#id' do
+      subject { super().id }
+      it { is_expected.to eq(id)                  }
+    end
+
+    describe '#url' do
+      subject { super().url }
+      it { is_expected.to eq(data['url'])         }
+    end
+
+    describe '#title' do
+      subject { super().title }
+      it { is_expected.to eq(data['title'])       }
+    end
+
+    describe '#date' do
+      subject { super().date }
+      it { is_expected.to eq(data['date'])        }
+    end
+
+    describe '#cvss_v2' do
+      subject { super().cvss_v2 }
+      it { is_expected.to eq(data['cvss_v2'])     }
+    end
+
+    describe '#description' do
+      subject { super().description }
+      it { is_expected.to eq(data['description']) }
+    end
+
+    context "YAML data not representing a hash" do
+      it "should raise an exception" do
+        path = File.expand_path('../fixtures/not_a_hash.yml', __FILE__)
+        expect {
+          Advisory.load(path)
+        }.to raise_exception("advisory data in #{path.dump} was not a Hash")
+      end
+    end
+
+    describe "#patched_versions" do
+      subject { described_class.load(path).patched_versions }
+
+      it "should all be Gem::Requirement objects" do
+        expect(subject.all? { |version|
+          expect(version).to be_kind_of(Gem::Requirement)
+        }).to be_truthy
+      end
+
+      it "should parse the versions" do
+        expect(subject.map(&:to_s)).to eq(data['patched_versions'])
+      end
+    end
+  end
+
+  describe "#cve_id" do
+    let(:cve) { "2015-1234" }
+
+    subject do
+      described_class.new.tap do |advisory|
+        advisory.cve = cve
+      end
+    end
+
+    it "should prepend CVE- to the CVE id" do
+      expect(subject.cve_id).to be == "CVE-#{cve}"
+    end
+
+    context "when cve is nil" do
+      subject { described_class.new }
+
+      it { expect(subject.cve_id).to be_nil }
+    end
+  end
+
+  describe "#osvdb_id" do
+    let(:osvdb) { "123456" }
+
+    subject do
+      described_class.new.tap do |advisory|
+        advisory.osvdb = osvdb
+      end
+    end
+
+    it "should prepend OSVDB- to the OSVDB id" do
+      expect(subject.osvdb_id).to be == "OSVDB-#{osvdb}"
+    end
+
+    context "when cve is nil" do
+      subject { described_class.new }
+
+      it { expect(subject.osvdb_id).to be_nil }
+    end
+  end
+
+  describe "#ghsa_id" do
+    let(:ghsa) { "xfhh-rx56-rxcr" }
+
+    subject do
+      described_class.new.tap do |advisory|
+        advisory.ghsa = ghsa
+      end
+    end
+
+    it "should prepend GHSA- to the GHSA id" do
+      expect(subject.ghsa_id).to be == "GHSA-#{ghsa}"
+    end
+
+    context "when ghsa is nil" do
+      subject { described_class.new }
+
+      it { expect(subject.ghsa_id).to be_nil }
+    end
+  end
+
+  describe "#identifiers" do
+    it "should include all identifiers if defined" do
+      advisory = described_class.new.tap do |advisory|
+        advisory.cve = "2018-1234"
+        advisory.osvdb = "2019-2345"
+        advisory.ghsa = "2020-3456"
+      end
+
+      expect(advisory.identifiers).to eq([
+        "CVE-2018-1234",
+        "OSVDB-2019-2345",
+        "GHSA-2020-3456"
+      ])
+    end
+
+    it "should exclude nil identifiers" do
+      advisory = described_class.new
+      expect(advisory.identifiers).to eq([])
+
+      advisory = described_class.new.tap do |advisory|
+        advisory.cve = "2018-1234"
+      end
+      expect(advisory.identifiers).to eq(["CVE-2018-1234"])
+
+      advisory = described_class.new.tap do |advisory|
+        advisory.ghsa = "2020-3456"
+      end
+      expect(advisory.identifiers).to eq(["GHSA-2020-3456"])
+    end
+  end
+
+  describe "#criticality" do
+    context "when cvss_v2 is between 0.0 and 3.3" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v2 = 3.3
+        end
+      end
+
+      it { expect(subject.criticality).to eq(:low) }
+    end
+
+    context "when cvss_v2 is between 3.3 and 6.6" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v2 = 6.6
+        end
+      end
+
+      it { expect(subject.criticality).to eq(:medium) }
+    end
+
+    context "when cvss_v2 is between 6.6 and 10.0" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v2 = 10.0
+        end
+      end
+
+      it { expect(subject.criticality).to eq(:high) }
+    end
+  end
+
+  describe "#unaffected?" do
+    context "when passed a version that matches one unaffected version" do
+      let(:version) { Gem::Version.new(an_unaffected_version) }
+
+      it "should return true" do
+        expect(subject.unaffected?(version)).to be_truthy
+      end
+    end
+
+    context "when passed a version that matches no unaffected version" do
+      let(:version) { Gem::Version.new('3.0.9') }
+
+      it "should return false" do
+        expect(subject.unaffected?(version)).to be_falsey
+      end
+    end
+  end
+
+  describe "#patched?" do
+    context "when passed a version that matches one patched version" do
+      let(:version) { Gem::Version.new('3.1.11') }
+
+      it "should return true" do
+        expect(subject.patched?(version)).to be_truthy
+      end
+    end
+
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('2.9.0') }
+
+      it "should return false" do
+        expect(subject.patched?(version)).to be_falsey
+      end
+    end
+  end
+
+  describe "#vulnerable?" do
+    context "when passed a version that matches one patched version" do
+      let(:version) { Gem::Version.new('3.1.11') }
+
+      it "should return false" do
+        expect(subject.vulnerable?(version)).to be_falsey
+      end
+    end
+
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('2.9.0') }
+
+      it "should return true" do
+        expect(subject.vulnerable?(version)).to be_truthy
+      end
+
+      context "when unaffected_versions is not empty" do
+        subject { described_class.load(path) }
+
+        context "when passed a version that matches one unaffected version" do
+          let(:version) { Gem::Version.new(an_unaffected_version) }
+
+          it "should return false" do
+            expect(subject.vulnerable?(version)).to be_falsey
+          end
+        end
+
+        context "when passed a version that matches no unaffected version" do
+          let(:version) { Gem::Version.new('1.2.3') }
+
+          it "should return true" do
+            expect(subject.vulnerable?(version)).to be_truthy
+          end
+        end
+      end
+    end
+  end
+end