bundler-audit 0.1.0 → 0.2.0

data/lib/bundler/audit/advisory.rb

@@ -19,11 +19,13 @@ require 'yaml'
 
 module Bundler
   module Audit
-    class Advisory < Struct.new(:cve,
+    class Advisory < Struct.new(:path,
+                                :id,
                                 :url,
                                 :title,
                                 :description,
                                 :cvss_v2,
+                                :unaffected_versions,
                                 :patched_versions)
 
       #
@@ -37,22 +39,28 @@ module Bundler
       # @api semipublic
       #
       def self.load(path)
-        cve  = File.basename(path).chomp('.yml')
+        id   = File.basename(path).chomp('.yml')
         data = YAML.load_file(path)
 
         unless data.kind_of?(Hash)
           raise("advisory data in #{path.dump} was not a Hash")
         end
 
+        parse_versions = lambda { |versions|
+          Array(versions).map do |version|
+            Gem::Requirement.new(*version.split(', '))
+          end
+        }
+
         return new(
-          cve,
+          path,
+          id,
           data['url'],
           data['title'],
           data['description'],
           data['cvss_v2'],
-          Array(data['patched_versions']).map { |version|
-            Gem::Requirement.new(*version.split(', '))
-          },
+          parse_versions[data['unaffected_versions']],
+          parse_versions[data['patched_versions']]
         )
       end
 
@@ -70,6 +78,40 @@ module Bundler
         end
       end
 
+      #
+      # Checks whether the version is not affected by the advisory.
+      #
+      # @param [Gem::Version] version
+      #   The version to compare against {#unaffected_version}.
+      #
+      # @return [Boolean]
+      #   Specifies whether the version is not affected by the advisory.
+      #
+      # @since 0.2.0
+      #
+      def unaffected?(version)
+        unaffected_versions.any? do |unaffected_version|
+          unaffected_version === version
+        end
+      end
+
+      #
+      # Checks whether the version is patched against the advisory.
+      #
+      # @param [Gem::Version] version
+      #   The version to compare against {#patched_version}.
+      #
+      # @return [Boolean]
+      #   Specifies whether the version is patched against the advisory.
+      #
+      # @since 0.2.0
+      #
+      def patched?(version)
+        patched_versions.any? do |patched_version|
+          patched_version === version
+        end
+      end
+
       #
       # Checks whether the version is vulnerable to the advisory.
       #
@@ -80,11 +122,11 @@ module Bundler
       #   Specifies whether the version is vulnerable to the advisory or not.
       #
       def vulnerable?(version)
-        !patched_versions.any? do |patched_version|
-          patched_version === version
-        end
+        !patched?(version) && !unaffected?(version)
       end
 
+      alias to_s id
+
     end
   end
 end

data/lib/bundler/audit/cli.rb

@@ -15,11 +15,11 @@
 # along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-require 'bundler/audit/database'
+require 'bundler/audit/scanner'
 require 'bundler/audit/version'
 
-require 'bundler/vendored_thor'
 require 'bundler'
+require 'bundler/vendored_thor'
 
 module Bundler
   module Audit
@@ -30,21 +30,26 @@ module Bundler
 
       desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
       method_option :verbose, :type => :boolean, :aliases => '-v'
+      method_option :ignore, :type => :array, :aliases => '-i'
 
       def check
-        environment = Bundler.load
-        database    = Database.new
-        vulnerable  = false
+        scanner    = Scanner.new
+        vulnerable = false
 
-        database.check_bundle(environment) do |gem,advisory|
+        scanner.scan(:ignore => options.ignore) do |result|
           vulnerable = true
 
-          print_advisory gem, advisory
+          case result
+          when Scanner::InsecureSource
+            print_warning "Insecure Source URI found: #{result.source}"
+          when Scanner::UnpatchedGem
+            print_advisory result.gem, result.advisory
+          end
         end
 
         if vulnerable
           say "Unpatched versions found!", :red
-          return -1
+          exit 1
         else
           say "No unpatched versions found", :green
         end
@@ -59,6 +64,15 @@ module Bundler
 
       protected
 
+      def say(string="", color=nil)
+        color = nil unless $stdout.tty?
+        super(string, color)
+      end
+
+      def print_warning(message)
+        say message, :yellow
+      end
+
       def print_advisory(gem, advisory)
         say "Name: ", :red
         say gem.name
@@ -66,14 +80,15 @@ module Bundler
         say "Version: ", :red
         say gem.version
 
-        say "CVE: ", :red
-        say advisory.cve
+        say "Advisory: ", :red
+        say advisory.id
 
         say "Criticality: ", :red
         case advisory.criticality
         when :low    then say "Low"
         when :medium then say "Medium", :yellow
         when :high   then say "High", [:red, :bold]
+        else              say "Unknown"
         end
 
         say "URL: ", :red
@@ -91,8 +106,14 @@ module Bundler
           say advisory.title
         end
 
-        say "Patched Versions: ", :red
-        say advisory.patched_versions.join(', ')
+        unless advisory.patched_versions.empty?
+          say "Solution: upgrade to ", :red
+          say advisory.patched_versions.join(', ')
+        else
+          say "Solution: ", :red
+          say "remove or disable this gem until a patch is available!", [:red, :bold]
+        end
+
         say
       end
 

data/lib/bundler/audit/database.rb

@@ -28,7 +28,7 @@ module Bundler
     class Database
 
       # directory containing advisories
-      PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','bundler','audit'))
+      PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-advisory-db','gems'))
 
       # The path to the advisory database
       attr_reader :path
@@ -119,35 +119,6 @@ module Bundler
         end
       end
 
-      #
-      # Verifies whether the bundled gems are effected by any advisories.
-      #
-      # @param [Bundle::Environment] environment
-      #   The bundled gems.
-      #
-      # @yield [gem, advisory]
-      #   If a block is given, each advisory that effects a gem within the
-      #   bundle will be passed.
-      #
-      # @yieldparam [Gem::Specification] gem
-      #   The gem effected by the advisory.
-      #
-      # @yieldparam [Advisory] advisory
-      #   An advisory that effects a gem within the bundle.
-      #
-      # @return [Enumerator]
-      #   If no block is given, an Enumerator will be returned.
-      #
-      def check_bundle(environment)
-        return enum_for(__method__,environment) unless block_given?
-
-        environment.gems.each do |gem|
-          check_gem(gem) do |advisory|
-            yield gem, advisory
-          end
-        end
-      end
-
       #
       # The number of advisories within the database.
       #

data/lib/bundler/audit/scanner.rb

@@ -0,0 +1,97 @@
+require 'bundler'
+require 'bundler/audit/database'
+require 'bundler/lockfile_parser'
+
+require 'set'
+
+module Bundler
+  module Audit
+    class Scanner
+
+      # Represents a plain-text source
+      InsecureSource = Struct.new(:source)
+
+      # Represents a gem that is covered by an Advisory
+      UnpatchedGem = Struct.new(:gem, :advisory)
+
+      # The advisory database
+      #
+      # @return [Database]
+      attr_reader :database
+
+      # Project root directory
+      attr_reader :root
+
+      # The parsed `Gemfile.lock` from the project
+      #
+      # @return [Bundler::LockfileParser]
+      attr_reader :lockfile
+
+      #
+      # Initializes a scanner.
+      #
+      # @param [String] root
+      #   The path to the project root.
+      #
+      def initialize(root=Dir.pwd)
+        @root     = File.expand_path(root)
+        @database = Database.new
+        @lockfile = LockfileParser.new(
+          File.read(File.join(@root,'Gemfile.lock'))
+        )
+      end
+
+      #
+      # Scans the project for issues.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [InsecureSource, UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      def scan(options={})
+        return enum_for(__method__,options) unless block_given?
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
+
+        @lockfile.sources.map do |source|
+          case source
+          when Source::Git
+            case source.uri
+            when /^git:/, /^http:/
+              yield InsecureSource.new(source.uri)
+            end
+          when Source::Rubygems
+            source.remotes.each do |uri|
+              if uri.scheme == 'http'
+                yield InsecureSource.new(uri.to_s)
+              end
+            end
+          end
+        end
+
+        @lockfile.specs.each do |gem|
+          @database.check_gem(gem) do |advisory|
+            unless ignore.include?(advisory.id)
+              yield UnpatchedGem.new(gem,advisory)
+            end
+          end
+        end
+
+        return self
+      end
+
+    end
+  end
+end

data/lib/bundler/audit/version.rb

@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = "0.1.0"
+    VERSION = '0.2.0'
   end
 end

data/spec/advisory_spec.rb

@@ -4,16 +4,16 @@ require 'bundler/audit/advisory'
 
 describe Bundler::Audit::Advisory do
   let(:root) { Bundler::Audit::Database::PATH }
-  let(:gem)  { 'rails' }
-  let(:cve)  { '2013-0156' }
-  let(:path) { File.join(root,gem,"#{cve}.yml") }
+  let(:gem)  { 'actionpack' }
+  let(:id)   { 'OSVDB-84243' }
+  let(:path) { File.join(root,gem,"#{id}.yml") }
 
   describe "load" do
     let(:data) { YAML.load_file(path) }
 
     subject { described_class.load(path) }
 
-    its(:cve)         { should == cve                 }
+    its(:id)          { should == id                  }
     its(:url)         { should == data['url']         }
     its(:title)       { should == data['title']       }
     its(:cvss_v2)     { should == data['cvss_v2']     }
@@ -54,10 +54,50 @@ describe Bundler::Audit::Advisory do
     end
   end
 
+  describe "#unaffected?" do
+    subject { described_class.load(path) }
+
+    context "when passed a version that matches one unaffected version" do
+      let(:version) { Gem::Version.new('2.3.10') }
+
+      it "should return true" do
+        subject.unaffected?(version).should be_true
+      end
+    end
+
+    context "when passed a version that matches no unaffected version" do
+      let(:version) { Gem::Version.new('3.0.9') }
+
+      it "should return false" do
+        subject.unaffected?(version).should be_false
+      end
+    end
+  end
+
+  describe "#patched?" do
+    subject { described_class.load(path) }
+
+    context "when passed a version that matches one patched version" do
+      let(:version) { Gem::Version.new('3.1.11') }
+
+      it "should return true" do
+        subject.patched?(version).should be_true
+      end
+    end
+
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('2.9.0') }
+
+      it "should return false" do
+        subject.patched?(version).should be_false
+      end
+    end
+  end
+
   describe "#vulnerable?" do
     subject { described_class.load(path) }
 
-    context "when passed a version that matches one patched_version" do
+    context "when passed a version that matches one patched version" do
       let(:version) { Gem::Version.new('3.1.11') }
 
       it "should return false" do
@@ -65,12 +105,32 @@ describe Bundler::Audit::Advisory do
       end
     end
 
-    context "when passed a version that matches no patched_version" do
-      let(:version) { Gem::Version.new('3.1.9') }
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return true" do
         subject.vulnerable?(version).should be_true
       end
+
+      context "when unaffected_versions is not empty" do
+        subject { described_class.load(path) }
+     
+        context "when passed a version that matches one unaffected version" do
+          let(:version) { Gem::Version.new('2.3.12') }
+
+          it "should return false" do
+            subject.vulnerable?(version).should be_false
+          end
+        end
+
+        context "when passed a version that matches no unaffected version" do
+          let(:version) { Gem::Version.new('1.2.3') }
+
+          it "should return true" do
+            subject.vulnerable?(version).should be_true
+          end
+        end
+      end
     end
   end
 end

data/spec/bundle/insecure_sources/Gemfile

@@ -0,0 +1,39 @@
+source 'http://rubygems.org'
+
+gem 'rails', '3.2.12'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3'
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails', :git => 'git://github.com/rails/jquery-rails.git',
+                    :tag => 'v2.2.1'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'

data/spec/bundle/secure/Gemfile

@@ -0,0 +1,38 @@
+source 'https://rubygems.org'
+
+gem 'rails', '3.2.14'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3'
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'

data/spec/database_spec.rb

@@ -1,7 +1,5 @@
 require 'spec_helper'
 require 'bundler/audit/database'
-
-require 'bundler'
 require 'tmpdir'
 
 describe Bundler::Audit::Database do
@@ -44,7 +42,7 @@ describe Bundler::Audit::Database do
   describe "#check_gem" do
     let(:gem) do
       Gem::Specification.new do |s|
-        s.name    = 'rails'
+        s.name    = 'actionpack'
         s.version = '3.1.9'
       end
     end
@@ -71,35 +69,6 @@ describe Bundler::Audit::Database do
     end
   end
 
-  describe "#check_bundle" do
-    let(:path) { File.join(File.dirname(__FILE__),'bundle') }
-    let(:bundle) do
-      Dir.chdir(path) { Bundler.load }
-    end
-
-    context "when given a block" do
-      it "should yield every advisory effecting the bundle" do
-        advisories = []
-
-        subject.check_bundle(bundle) do |gem,advisory|
-          advisories << [gem, advisory]
-        end
-
-        advisories.should_not be_empty
-        advisories.all? { |gem,advisory|
-          gem.kind_of?(Gem::Specification) &&
-            advisory.kind_of?(Bundler::Audit::Advisory)
-        }.should be_true
-      end
-    end
-
-    context "when given no block" do
-      it "should return an Enumerator" do
-        subject.check_bundle(bundle).should be_kind_of(Enumerable)
-      end
-    end
-  end
-
   describe "#size" do
     it { subject.size.should > 0 }
   end