bundler-audit-ng 0.6.1

data/spec/audit_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'bundler/audit'
+
+describe Bundler::Audit do
+  it "should have a VERSION constant" do
+    expect(subject.const_get('VERSION')).not_to be_empty
+  end
+end

data/spec/bundle/insecure_sources/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+
+gem 'rails'
+gem 'jquery-rails', git: 'git://github.com/rails/jquery-rails.git'

data/spec/bundle/secure/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gem 'rails', '~> 5.2'

data/spec/bundle/unpatched_gems/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gem 'activerecord', '3.2.10'

data/spec/cli_spec.rb

@@ -0,0 +1,99 @@
+require 'spec_helper'
+require 'bundler/audit/cli'
+
+describe Bundler::Audit::CLI do
+  describe "#update" do
+    context "not --quiet (the default)" do
+      context "when update succeeds" do
+
+        before { expect(Bundler::Audit::Database).to receive(:update!).and_return(true) }
+
+        it "prints updated message" do
+          expect { subject.update }.to output(/Updated ruby-advisory-db/).to_stdout
+        end
+
+        it "prints total advisory count" do
+          database = double
+          expect(database).to receive(:size).and_return(1234)
+          expect(Bundler::Audit::Database).to receive(:new).and_return(database)
+
+          expect { subject.update }.to output(/ruby-advisory-db: 1234 advisories/).to_stdout
+        end
+      end
+
+      context "when update fails" do
+
+        before { expect(Bundler::Audit::Database).to receive(:update!).and_return(false) }
+
+        it "prints failure message" do
+          expect do
+            begin
+              subject.update
+            rescue SystemExit
+            end
+          end.to output(/Failed updating ruby-advisory-db!/).to_stdout
+        end
+
+        it "exits with error status code" do
+          expect {
+            # Capture output of `update` only to keep spec output clean.
+            # The test regarding specific output is above.
+            expect { subject.update }.to output.to_stdout
+          }.to raise_error(SystemExit) do |error|
+            expect(error.success?).to eq(false)
+            expect(error.status).to eq(1)
+          end
+        end
+
+      end
+    end
+
+    context "--quiet" do
+      before do
+        allow(subject).to receive(:options).and_return(double("Options", quiet?: true))
+      end
+
+      context "when update succeeds" do
+
+        before do
+          expect(Bundler::Audit::Database).to(
+            receive(:update!).with(quiet: true).and_return(true)
+          )
+        end
+
+        it "does not print any output" do
+          expect { subject.update }.to_not output.to_stdout
+        end
+      end
+
+      context "when update fails" do
+
+        before do
+          expect(Bundler::Audit::Database).to(
+            receive(:update!).with(quiet: true).and_return(false)
+          )
+        end
+
+        it "prints failure message" do
+          expect do
+            begin
+              subject.update
+            rescue SystemExit
+            end
+          end.to output(/Failed updating ruby-advisory-db!/).to_stdout
+        end
+
+        it "exits with error status code" do
+          expect {
+            # Capture output of `update` only to keep spec output clean.
+            # The test regarding specific output is above.
+            expect { subject.update }.to output.to_stdout
+          }.to raise_error(SystemExit) do |error|
+            expect(error.success?).to eq(false)
+            expect(error.status).to eq(1)
+          end
+        end
+      end
+    end
+  end
+end

data/spec/database_spec.rb

@@ -0,0 +1,138 @@
+require 'spec_helper'
+require 'bundler/audit/database'
+require 'tmpdir'
+
+describe Bundler::Audit::Database do
+  let(:vendored_advisories) do
+    Dir[File.join(Bundler::Audit::Database::VENDORED_PATH, 'gems/*/*.yml')].sort
+  end
+
+  describe "path" do
+    subject { described_class.path }
+
+    it "it should be a directory" do
+      expect(File.directory?(subject)).to be_truthy
+    end
+
+    it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
+      Bundler::Audit::Database.update!(quiet: false)
+
+      Dir.chdir(Bundler::Audit::Database::USER_PATH) do
+        puts "Timestamp:"
+        system 'git log --pretty="%cd" -1'
+      end
+
+      # As up to date...
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+
+      # More up to date...
+      fake_a_commit_in_the_user_repo
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+
+      roll_user_repo_back(20)
+      expect(Bundler::Audit::Database.path).to eq Bundler::Audit::Database::VENDORED_PATH
+    end
+  end
+
+  describe "update!" do
+    it "should create the USER_PATH path as needed" do
+      Bundler::Audit::Database.update!(quiet: false)
+      expect(File.directory?(mocked_user_path)).to be true
+    end
+
+    it "should create the repo, then update it given multple successive calls." do
+      expect_update_to_clone_repo!
+      Bundler::Audit::Database.update!(quiet: false)
+      expect(File.directory?(mocked_user_path)).to be true
+
+      expect_update_to_update_repo!
+      Bundler::Audit::Database.update!(quiet: false)
+      expect(File.directory?(mocked_user_path)).to be true
+    end
+  end
+
+  describe "#initialize" do
+    context "when given no arguments" do
+      subject { described_class.new }
+
+      it "should default path to path" do
+        expect(subject.path).to eq(described_class.path)
+      end
+    end
+
+    context "when given a directory" do
+      let(:path ) { Dir.tmpdir }
+
+      subject { described_class.new(path) }
+
+      it "should set #path" do
+        expect(subject.path).to eq(path)
+      end
+    end
+
+    context "when given an invalid directory" do
+      it "should raise an ArgumentError" do
+        expect {
+          described_class.new('/foo/bar/baz')
+        }.to raise_error(ArgumentError)
+      end
+    end
+  end
+
+  describe "#check_gem" do
+    let(:gem) do
+      Gem::Specification.new do |s|
+        s.name    = 'actionpack'
+        s.version = '3.1.9'
+      end
+    end
+
+    context "when given a block" do
+      it "should yield every advisory effecting the gem" do
+        advisories = []
+
+        subject.check_gem(gem) do |advisory|
+          advisories << advisory
+        end
+
+        expect(advisories).not_to be_empty
+        expect(advisories.all? { |advisory|
+          advisory.kind_of?(Bundler::Audit::Advisory)
+        }).to be_truthy
+      end
+    end
+
+    context "when given no block" do
+      it "should return an Enumerator" do
+        expect(subject.check_gem(gem)).to be_kind_of(Enumerable)
+      end
+    end
+  end
+
+  describe "#size" do
+    it { expect(subject.size).to eq vendored_advisories.count }
+  end
+
+  describe "#advisories" do
+    it "should return a list of all advisories." do
+      actual_advisories = Bundler::Audit::Database.new.
+        advisories.
+        map(&:path).
+        sort
+
+      expect(actual_advisories).to eq vendored_advisories
+    end
+  end
+
+  describe "#to_s" do
+    it "should return the Database path" do
+      expect(subject.to_s).to eq(subject.path)
+    end
+  end
+
+  describe "#inspect" do
+    it "should produce a Ruby-ish instance descriptor" do
+      expect(Bundler::Audit::Database.new.inspect).to eq("#<Bundler::Audit::Database:#{Bundler::Audit::Database::VENDORED_PATH}>")
+    end
+  end
+end

data/spec/fixtures/not_a_hash.yml

@@ -0,0 +1,2 @@
+---
+"Just a string."

data/spec/integration_spec.rb

@@ -0,0 +1,103 @@
+require 'spec_helper'
+
+describe "CLI" do
+  include Helpers
+
+  let(:command) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-audit'))
+  end
+
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should print a warning" do
+      expect(subject).to include("Vulnerabilities found!")
+    end
+
+    it "should print advisory information for the vulnerable gems" do
+      advisory_pattern = %r{(Name: [^\n]+
+Version: \d+\.\d+\.\d+(\.\d+)?
+Advisory: CVE-[0-9]{4}-[0-9]{4}
+Criticality: (High|Medium|Low|Unknown)
+URL: https?://(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#!?&//=]*)
+Title: [^\n]*?
+Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)}
+
+      expect(subject).to match(advisory_pattern)
+      expect(subject).to include("Vulnerabilities found!")
+    end
+  end
+
+  context "when auditing a bundle with ignored gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    let(:command) do
+      File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-audit -i OSVDB-89026'))
+    end
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should not print advisory information for ignored gem" do
+      expect(subject).not_to include("OSVDB-89026")
+    end
+  end
+
+  context "when auditing a bundle with insecure sources" do
+    let(:bundle)    { 'insecure_sources' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should print warnings about insecure sources" do
+      expect(subject).to include(%{
+Insecure Source URI found: git://github.com/rails/jquery-rails.git
+Insecure Source URI found: http://rubygems.org/
+      }.strip)
+    end
+  end
+
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command) }
+    end
+
+    it "should print nothing when everything is fine" do
+      expect(subject.strip).to eq("No vulnerabilities found")
+    end
+  end
+
+  describe "update" do
+
+    let(:update_command) { "#{command} update" }
+    let(:bundle)         { 'secure' }
+    let(:directory)      { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(update_command) }
+    end
+
+    context "when advisories update successfully" do
+      it "should print status" do
+        expect(subject).not_to include("Fail")
+        expect(subject).to include("Updating ruby-advisory-db ...\n")
+        expect(subject).to include("Updated ruby-advisory-db\n")
+        expect(subject.lines.to_a.last).to match(/ruby-advisory-db: [1-9]\d+ advisories/)
+      end
+    end
+
+  end
+
+end

data/spec/scanner_spec.rb

@@ -0,0 +1,75 @@
+require 'spec_helper'
+require 'bundler/audit/scanner'
+
+describe Scanner do
+  describe "#scan" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject { described_class.new(directory) }
+
+    it "should yield results" do
+      results = []
+
+      subject.scan { |result| results << result }
+
+      expect(results).not_to be_empty
+    end
+
+    context "when not called with a block" do
+      it "should return an Enumerator" do
+        expect(subject.scan).to be_kind_of(Enumerable)
+      end
+    end
+  end
+
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)  { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should match unpatched gems to their advisories" do
+      ids = subject.map { |result| result.advisory.id }
+      expect(ids).to include('OSVDB-89025')
+      expect(subject.all? { |result|
+        result.advisory.vulnerable?(result.gem.version)
+      }).to be_truthy
+    end
+
+    context "when the :ignore option is given" do
+      subject { scanner.scan(:ignore => ['OSVDB-89025']) }
+
+      it "should ignore the specified advisories" do
+        ids = subject.map { |result| result.advisory.id }
+        expect(ids).not_to include('OSVDB-89025')
+      end
+    end
+  end
+
+  context "when auditing a bundle with insecure sources" do
+    let(:bundle)    { 'insecure_sources' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)   { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should match unpatched gems to their advisories" do
+      expect(subject[0].source).to eq('git://github.com/rails/jquery-rails.git')
+      expect(subject[1].source).to eq('http://rubygems.org/')
+    end
+  end
+
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)   { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should print nothing when everything is fine" do
+      expect(subject).to be_empty
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,62 @@
+require 'simplecov'
+SimpleCov.start
+
+require 'rspec'
+require 'bundler/audit/version'
+require 'bundler/audit/database'
+
+module Helpers
+  def sh(command, options={})
+    Bundler.with_clean_env do
+      result = `#{command} 2>&1`
+      raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]
+      result
+    end
+  end
+
+  def decolorize(string)
+    string.gsub(/\e\[\d+m/, "")
+  end
+
+  def mocked_user_path
+    File.expand_path('../../tmp/ruby-advisory-db', __FILE__)
+  end
+
+  def expect_update_to_clone_repo!
+    expect(Bundler::Audit::Database).
+      to receive(:system).
+      with('git', 'clone', Bundler::Audit::Database::VENDORED_PATH, mocked_user_path).
+      and_call_original
+  end
+
+  def expect_update_to_update_repo!
+    expect(Bundler::Audit::Database).
+      to receive(:system).
+      with('git', 'pull', '--no-rebase', 'origin', 'master').
+      and_call_original
+  end
+
+  def fake_a_commit_in_the_user_repo
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'commit', '--allow-empty', '-m', 'Dummy commit.'
+    end
+  end
+
+  def roll_user_repo_back(num_commits)
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'reset', '--hard', "HEAD~#{num_commits}"
+    end
+  end
+end
+
+include Bundler::Audit
+
+RSpec.configure do |config|
+  include Helpers
+
+  config.before(:each) do
+    stub_const("Bundler::Audit::Database::URL", Bundler::Audit::Database::VENDORED_PATH)
+    stub_const("Bundler::Audit::Database::USER_PATH", mocked_user_path)
+    FileUtils.rm_rf(mocked_user_path) if File.exist?(mocked_user_path)
+  end
+end