bundler-audit 0.1.0 → 0.2.0

data/spec/integration_spec.rb

@@ -0,0 +1,132 @@
+require 'spec_helper'
+
+describe "CLI" do
+  include Helpers
+
+  let(:command) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit'))
+  end
+
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should print a warning" do
+      subject.should include("Unpatched versions found!")
+    end
+
+    it "should print advisory information for the vulnerable gems" do
+      expect = %{
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-91452
+Criticality: Medium
+URL: http://www.osvdb.org/show/osvdb/91452
+Title: XSS vulnerability in sanitize_css in Action Pack
+Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-91454
+Criticality: Medium
+URL: http://osvdb.org/show/osvdb/91454
+Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
+Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-89026
+Criticality: High
+URL: http://osvdb.org/show/osvdb/89026
+Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
+Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-91453
+Criticality: High
+URL: http://osvdb.org/show/osvdb/91453
+Title: Symbol DoS vulnerability in Active Record
+Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-90072
+Criticality: Medium
+URL: http://direct.osvdb.org/show/osvdb/90072
+Title: Ruby on Rails Active Record attr_protected Method Bypass
+Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-89025
+Criticality: High
+URL: http://osvdb.org/show/osvdb/89025
+Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
+Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+Name: activesupport
+Version: 3.2.10
+Advisory: OSVDB-91451
+Criticality: High
+URL: http://www.osvdb.org/show/osvdb/91451
+Title: XML Parsing Vulnerability affecting JRuby users
+Solution: upgrade to ~> 3.1.12, >= 3.2.13
+
+Unpatched versions found!
+      }.strip.split "\n\n"
+
+      subject.strip.split("\n\n").should =~ expect
+    end
+  end
+
+  context "when auditing a bundle with ignored gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    let(:command) do
+      File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit -i OSVDB-89026'))
+    end
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should not print advisory information for ignored gem" do
+      subject.should_not include("OSVDB-89026")
+    end
+  end
+
+  context "when auditing a bundle with insecure sources" do
+    let(:bundle)    { 'insecure_sources' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should print warnings about insecure sources" do
+      subject.should include(%{
+Insecure Source URI found: git://github.com/rails/jquery-rails.git
+Insecure Source URI found: http://rubygems.org/
+      }.strip)
+    end
+  end
+
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command) }
+    end
+
+    it "should print nothing when everything is fine" do
+      subject.strip.should == "No unpatched versions found"
+    end
+  end
+end

data/spec/scanner_spec.rb

@@ -0,0 +1,74 @@
+require 'spec_helper'
+require 'bundler/audit/scanner'
+
+describe Scanner do
+  describe "#scan" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject { described_class.new(directory) }
+
+    it "should yield results" do
+      results = []
+
+      subject.scan { |result| results << result }
+
+      results.should_not be_empty
+    end
+
+    context "when not called with a block" do
+      it "should return an Enumerator" do
+        subject.scan.should be_kind_of(Enumerable)
+      end
+    end
+  end
+
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)  { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should match unpatched gems to their advisories" do
+      subject.all? { |result|
+        result.advisory.vulnerable?(result.gem.version)
+      }.should be_true
+    end
+
+    context "when the :ignore option is given" do
+      subject { scanner.scan(:ignore => ['OSVDB-89026']) }
+
+      it "should ignore the specified advisories" do
+        ids = subject.map { |result| result.advisory.id }
+        
+        ids.should_not include('OSVDB-89026')
+      end
+    end
+  end
+
+  context "when auditing a bundle with insecure sources" do
+    let(:bundle)    { 'insecure_sources' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)   { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should match unpatched gems to their advisories" do
+      subject[0].source.should == 'git://github.com/rails/jquery-rails.git'
+      subject[1].source.should == 'http://rubygems.org/'
+    end
+  end
+
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)   { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should print nothing when everything is fine" do
+      subject.should be_empty
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -1,5 +1,18 @@
-gem 'rspec', '~> 2.4'
 require 'rspec'
 require 'bundler/audit/version'
 
+module Helpers
+  def sh(command, options={})
+    Bundler.with_clean_env do
+      result = `#{command} 2>&1`
+      raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]
+      result
+    end
+  end
+
+  def decolorize(string)
+    string.gsub(/\e\[\d+m/, "")
+  end
+end
+
 include Bundler::Audit

metadata

@@ -1,80 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.1.0
-  prerelease: 
+  version: 0.2.0
 platform: ruby
 authors:
 - Postmodern
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-12 00:00:00.000000000 Z
+date: 2013-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.4'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.4'
-- !ruby/object:Gem::Dependency
-  name: rubygems-tasks
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.2'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.2'
-- !ruby/object:Gem::Dependency
-  name: yard
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.8'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '1.2'
 description: bundler-audit provides patch-level verification for Bundled apps.
 email: postmodern.mod3@gmail.com
 executables:
@@ -83,62 +32,128 @@ extensions: []
 extra_rdoc_files:
 - COPYING.txt
 - ChangeLog.md
-- LICENSE.txt
 - README.md
 files:
 - .document
 - .gitignore
+- .gitmodules
 - .rspec
+- .travis.yml
 - .yardopts
 - COPYING.txt
 - ChangeLog.md
-- LICENSE.txt
+- Gemfile
 - README.md
 - Rakefile
 - bin/bundle-audit
 - bundler-audit.gemspec
-- data/bundler/audit/json/2013-0269.yml
-- data/bundler/audit/rack/2013-0263.yml
-- data/bundler/audit/rails/2013-0155.yml
-- data/bundler/audit/rails/2013-0156.yml
-- data/bundler/audit/rails/2013-0276.yml
-- data/bundler/audit/rails/2013-0277.yml
-- data/bundler/audit/rails/2013-0333.yml
 - gemspec.yml
 - lib/bundler/audit.rb
 - lib/bundler/audit/advisory.rb
 - lib/bundler/audit/cli.rb
 - lib/bundler/audit/database.rb
+- lib/bundler/audit/scanner.rb
 - lib/bundler/audit/version.rb
 - spec/advisory_spec.rb
 - spec/audit_spec.rb
-- spec/bundle/Gemfile
-- spec/bundle/Gemfile.lock
+- spec/bundle/insecure_sources/Gemfile
+- spec/bundle/secure/Gemfile
+- spec/bundle/unpatched_gems/Gemfile
 - spec/database_spec.rb
+- spec/integration_spec.rb
+- spec/scanner_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/postmodern/bundler-audit#readme
+- data/ruby-advisory-db/.rspec
+- data/ruby-advisory-db/CONTRIBUTING.md
+- data/ruby-advisory-db/CONTRIBUTORS.md
+- data/ruby-advisory-db/Gemfile
+- data/ruby-advisory-db/LICENSE.txt
+- data/ruby-advisory-db/README.md
+- data/ruby-advisory-db/Rakefile
+- data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-84515.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml
+- data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml
+- data/ruby-advisory-db/gems/crack/OSVDB-90742.yml
+- data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml
+- data/ruby-advisory-db/gems/curl/OSVDB-91230.yml
+- data/ruby-advisory-db/gems/devise/OSVDB-89642.yml
+- data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml
+- data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml
+- data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml
+- data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml
+- data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml
+- data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml
+- data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml
+- data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml
+- data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml
+- data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml
+- data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml
+- data/ruby-advisory-db/gems/json/OSVDB-90074.yml
+- data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml
+- data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml
+- data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml
+- data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
+- data/ruby-advisory-db/gems/mail/OSVDB-70667.yml
+- data/ruby-advisory-db/gems/mail/OSVDB-81631.yml
+- data/ruby-advisory-db/gems/mail/OSVDB-81632.yml
+- data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml
+- data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml
+- data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml
+- data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml
+- data/ruby-advisory-db/gems/nori/OSVDB-90196.yml
+- data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml
+- data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml
+- data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml
+- data/ruby-advisory-db/gems/rack/OSVDB-89939.yml
+- data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml
+- data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml
+- data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91216.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91217.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91218.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91219.yml
+- data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml
+- data/ruby-advisory-db/lib/scrape.rb
+- data/ruby-advisory-db/spec/advisory_example.rb
+- data/ruby-advisory-db/spec/gems_spec.rb
+- data/ruby-advisory-db/spec/spec_helper.rb
+homepage: https://github.com/rubysec/bundler-audit#readme
 licenses:
 - GPLv3
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.8.0
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 2.0.5
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Patch-level verification for Bundler
 test_files: []

data/LICENSE.txt

@@ -1,20 +0,0 @@
-Copyright (c) 2013 Hal Brodigan
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/spec/bundle/Gemfile.lock

@@ -1,92 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    actionmailer (3.2.10)
-      actionpack (= 3.2.10)
-      mail (~> 2.4.4)
-    actionpack (3.2.10)
-      activemodel (= 3.2.10)
-      activesupport (= 3.2.10)
-      builder (~> 3.0.0)
-      erubis (~> 2.7.0)
-      journey (~> 1.0.4)
-      rack (~> 1.4.0)
-      rack-cache (~> 1.2)
-      rack-test (~> 0.6.1)
-      sprockets (~> 2.2.1)
-    activemodel (3.2.10)
-      activesupport (= 3.2.10)
-      builder (~> 3.0.0)
-    activerecord (3.2.10)
-      activemodel (= 3.2.10)
-      activesupport (= 3.2.10)
-      arel (~> 3.0.2)
-      tzinfo (~> 0.3.29)
-    activeresource (3.2.10)
-      activemodel (= 3.2.10)
-      activesupport (= 3.2.10)
-    activesupport (3.2.10)
-      i18n (~> 0.6)
-      multi_json (~> 1.0)
-    arel (3.0.2)
-    builder (3.0.4)
-    erubis (2.7.0)
-    hike (1.2.1)
-    i18n (0.6.1)
-    journey (1.0.4)
-    jquery-rails (2.2.0)
-      railties (>= 3.0, < 5.0)
-      thor (>= 0.14, < 2.0)
-    json (1.7.6)
-    mail (2.4.4)
-      i18n (>= 0.4.0)
-      mime-types (~> 1.16)
-      treetop (~> 1.4.8)
-    mime-types (1.20.1)
-    multi_json (1.5.0)
-    polyglot (0.3.3)
-    rack (1.4.4)
-    rack-cache (1.2)
-      rack (>= 0.4)
-    rack-ssl (1.3.3)
-      rack
-    rack-test (0.6.2)
-      rack (>= 1.0)
-    rails (3.2.10)
-      actionmailer (= 3.2.10)
-      actionpack (= 3.2.10)
-      activerecord (= 3.2.10)
-      activeresource (= 3.2.10)
-      activesupport (= 3.2.10)
-      bundler (~> 1.0)
-      railties (= 3.2.10)
-    railties (3.2.10)
-      actionpack (= 3.2.10)
-      activesupport (= 3.2.10)
-      rack-ssl (~> 1.3.2)
-      rake (>= 0.8.7)
-      rdoc (~> 3.4)
-      thor (>= 0.14.6, < 2.0)
-    rake (10.0.3)
-    rdoc (3.12.1)
-      json (~> 1.4)
-    sprockets (2.2.2)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.7)
-    thor (0.17.0)
-    tilt (1.3.3)
-    treetop (1.4.12)
-      polyglot
-      polyglot (>= 0.3.1)
-    tzinfo (0.3.35)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  jquery-rails
-  rails (= 3.2.10)
-  sqlite3