bundler-audit 0.1.1 → 0.1.2
Sign up to get free protection for your applications and to get access to all the features.
- data/.gitignore +3 -0
- data/.gitmodules +3 -0
- data/.travis.yml +4 -0
- data/ChangeLog.md +13 -0
- data/Gemfile +12 -0
- data/README.md +3 -37
- data/Rakefile +20 -49
- data/bundler-audit.gemspec +7 -0
- data/data/ruby-advisory-db/.rspec +1 -0
- data/data/ruby-advisory-db/README.md +64 -0
- data/data/ruby-advisory-db/gems/actionpack/2012-1099.yml +23 -0
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/actionpack}/2012-3424.yml +10 -6
- data/data/ruby-advisory-db/gems/actionpack/2012-3463.yml +20 -0
- data/data/ruby-advisory-db/gems/actionpack/2012-3465.yml +20 -0
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/actionpack}/2013-0156.yml +5 -3
- data/data/ruby-advisory-db/gems/activerecord/2012-2660.yml +21 -0
- data/data/ruby-advisory-db/gems/activerecord/2012-2661.yml +19 -0
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/activerecord}/2013-0155.yml +6 -4
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/activerecord}/2013-0276.yml +5 -3
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/activerecord}/2013-0277.yml +5 -3
- data/data/ruby-advisory-db/gems/activesupport/2012-1098.yml +20 -0
- data/data/ruby-advisory-db/gems/activesupport/2012-3464.yml +20 -0
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/activesupport}/2013-0333.yml +5 -3
- data/data/ruby-advisory-db/gems/devise/2013-0233.yml +18 -0
- data/data/ruby-advisory-db/gems/gtk2/2007-6183.yml +18 -0
- data/data/{bundler/audit → ruby-advisory-db/gems}/json/2013-0269.yml +4 -2
- data/data/ruby-advisory-db/gems/mail/2011-0739.yml +19 -0
- data/data/ruby-advisory-db/gems/mail/2012-2139.yml +11 -0
- data/data/ruby-advisory-db/gems/mail/2012-2140.yml +11 -0
- data/data/ruby-advisory-db/gems/multi_xml/2013-0175.yml +14 -0
- data/data/ruby-advisory-db/gems/newrelic_rpm/2013-0284.yml +15 -0
- data/data/ruby-advisory-db/gems/nori/2013-0285.yml +17 -0
- data/data/ruby-advisory-db/gems/omniauth-oauth2/2012-6134.yml +14 -0
- data/data/ruby-advisory-db/gems/rack-cache/2012-267.yml +16 -0
- data/data/{bundler/audit → ruby-advisory-db/gems}/rack/2013-0263.yml +9 -8
- data/data/ruby-advisory-db/gems/rdoc/2013-0256.yml +25 -0
- data/data/ruby-advisory-db/spec/advisory_example.rb +80 -0
- data/data/ruby-advisory-db/spec/gems_spec.rb +8 -0
- data/data/ruby-advisory-db/spec/spec_helper.rb +1 -0
- data/gemspec.yml +1 -6
- data/lib/bundler/audit/advisory.rb +13 -1
- data/lib/bundler/audit/cli.rb +17 -6
- data/lib/bundler/audit/database.rb +1 -30
- data/lib/bundler/audit/version.rb +1 -1
- data/spec/advisory_spec.rb +1 -1
- data/spec/bundle/secure/Gemfile +38 -0
- data/spec/bundle/{Gemfile → vuln/Gemfile} +0 -0
- data/spec/database_spec.rb +1 -32
- data/spec/integration_spec.rb +63 -0
- data/spec/spec_helper.rb +14 -1
- metadata +68 -112
- data/data/bundler/audit/mail/2011-0739.yml +0 -17
- data/data/bundler/audit/mail/2012-2139.yml +0 -16
- data/data/bundler/audit/mail/2012-2140.yml +0 -13
- data/data/bundler/audit/rack-cache/2012-267.yml +0 -14
- data/data/bundler/audit/rails/2012-1098.yml +0 -19
- data/data/bundler/audit/rails/2012-1099.yml +0 -19
- data/data/bundler/audit/rails/2012-2660.yml +0 -17
- data/data/bundler/audit/rails/2012-2661.yml +0 -18
- data/data/bundler/audit/rails/2012-3463.yml +0 -19
- data/data/bundler/audit/rails/2012-3464.yml +0 -18
- data/data/bundler/audit/rails/2012-3465.yml +0 -19
- data/spec/bundle/Gemfile.lock +0 -92
|
@@ -1,7 +1,8 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: activerecord
|
|
3
|
+
cve: 2013-0155
|
|
2
4
|
url: http://osvdb.org/show/osvdb/89025
|
|
3
|
-
title:
|
|
4
|
-
Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
|
|
5
|
+
title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
|
|
5
6
|
|
|
6
7
|
description: |
|
|
7
8
|
Ruby on Rails contains a flaw in the Active Record. The issue is due to an
|
|
@@ -13,7 +14,8 @@ description: |
|
|
|
13
14
|
|
|
14
15
|
cvss_v2: 10.0
|
|
15
16
|
|
|
16
|
-
patched_versions:
|
|
17
|
+
patched_versions:
|
|
18
|
+
- ~> 2.3.16
|
|
17
19
|
- ~> 3.0.19
|
|
18
20
|
- ~> 3.1.10
|
|
19
21
|
- ">= 3.2.11"
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: activerecord
|
|
3
|
+
cve: 2013-0276
|
|
2
4
|
url: http://direct.osvdb.org/show/osvdb/90072
|
|
3
|
-
title: Ruby on Rails Active Record attr_protected Method Bypass
|
|
5
|
+
title: Ruby on Rails Active Record attr_protected Method Bypass
|
|
4
6
|
|
|
5
7
|
description: |
|
|
6
8
|
Ruby on Rails contains a flaw in the attr_protected method of the
|
|
@@ -10,7 +12,7 @@ description: |
|
|
|
10
12
|
|
|
11
13
|
cvss_v2: 5.0
|
|
12
14
|
|
|
13
|
-
patched_versions:
|
|
15
|
+
patched_versions:
|
|
14
16
|
- ~> 2.3.17
|
|
15
17
|
- ~> 3.1.11
|
|
16
18
|
- ">= 3.2.12"
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: activerecord
|
|
3
|
+
cve: 2013-0277
|
|
2
4
|
url: http://direct.osvdb.org/show/osvdb/90073
|
|
3
|
-
title:
|
|
5
|
+
title:
|
|
4
6
|
Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
|
|
5
7
|
Code Execution
|
|
6
8
|
|
|
@@ -13,6 +15,6 @@ description: |
|
|
|
13
15
|
|
|
14
16
|
cvss_v2: 10.0
|
|
15
17
|
|
|
16
|
-
patched_versions:
|
|
18
|
+
patched_versions:
|
|
17
19
|
- ~> 2.3.17
|
|
18
20
|
- ">= 3.1.0"
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: activesupport
|
|
3
|
+
cve: 2012-1098
|
|
4
|
+
url: http://osvdb.org/79726
|
|
5
|
+
title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
|
|
9
|
+
attack. This flaw exists because athe application does not validate direct
|
|
10
|
+
manipulations of SafeBuffer objects via '[]' and other methods. This may
|
|
11
|
+
allow a user to create a specially crafted request that would execute
|
|
12
|
+
arbitrary script code in a user's browser within the trust relationship
|
|
13
|
+
between their browser and the server.
|
|
14
|
+
|
|
15
|
+
cvss_v2: 4.3
|
|
16
|
+
|
|
17
|
+
patched_versions:
|
|
18
|
+
- ~> 3.0.12
|
|
19
|
+
- ~> 3.1.4
|
|
20
|
+
- ">= 3.2.2"
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: activesupport
|
|
3
|
+
cve: 2012-3464
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/84516
|
|
5
|
+
title: Ruby on Rails HTML Escaping Code XSS
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
|
|
9
|
+
attack. This flaw exists because the HTML escaping code functionality does
|
|
10
|
+
not properly escape a single quote character. This may allow a user to create
|
|
11
|
+
a specially crafted request that would execute arbitrary script code in a
|
|
12
|
+
user's browser within the trust relationship between their browser and the
|
|
13
|
+
server.
|
|
14
|
+
|
|
15
|
+
cvss_v2: 4.3
|
|
16
|
+
|
|
17
|
+
patched_versions:
|
|
18
|
+
- ~> 3.0.17
|
|
19
|
+
- ~> 3.1.8
|
|
20
|
+
- ">= 3.2.8"
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: activesupport
|
|
3
|
+
cve: 2013-0333
|
|
2
4
|
url: http://osvdb.org/show/osvdb/89594
|
|
3
|
-
title:
|
|
5
|
+
title:
|
|
4
6
|
Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
|
|
5
7
|
Execution
|
|
6
8
|
|
|
@@ -15,6 +17,6 @@ description: |
|
|
|
15
17
|
|
|
16
18
|
cvss_v2: 9.3
|
|
17
19
|
|
|
18
|
-
patched_versions:
|
|
20
|
+
patched_versions:
|
|
19
21
|
- ~> 2.3.16
|
|
20
22
|
- ">= 3.0.20"
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: devise
|
|
3
|
+
cve: 2013-0233
|
|
4
|
+
url: http://osvdb.org/show/osvdb/89642
|
|
5
|
+
title: Devise Database Type Conversion Crafted Request Parsing Security Bypass
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Devise contains a flaw that is triggered during when a type conversion error
|
|
9
|
+
occurs during the parsing of a malformed request. With a specially crafted
|
|
10
|
+
request, a remote attacker can bypass security restrictions.
|
|
11
|
+
|
|
12
|
+
cvss_v2: 10.0
|
|
13
|
+
|
|
14
|
+
patched_versions:
|
|
15
|
+
- ~> 1.5.4
|
|
16
|
+
- ~> 2.0.5
|
|
17
|
+
- ~> 2.1.3
|
|
18
|
+
- ">= 2.2.3"
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: gtk2
|
|
3
|
+
cve: 2007-6183
|
|
4
|
+
url: http://osvdb.org/show/osvdb/40774
|
|
5
|
+
title:
|
|
6
|
+
Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
|
|
7
|
+
Format String
|
|
8
|
+
|
|
9
|
+
description: |
|
|
10
|
+
Format string vulnerability in the mdiag_initialize function in
|
|
11
|
+
gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and
|
|
12
|
+
SVN versions before 20071127, allows context-dependent attackers to execute
|
|
13
|
+
arbitrary code via format string specifiers in the message parameter.
|
|
14
|
+
|
|
15
|
+
cvss_v2: 6.8
|
|
16
|
+
|
|
17
|
+
patched_versions:
|
|
18
|
+
- "> 0.16.0"
|
|
@@ -1,4 +1,6 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: json
|
|
3
|
+
cve: 2013-0269
|
|
2
4
|
url: http://direct.osvdb.org/show/osvdb/90074
|
|
3
5
|
title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
|
|
4
6
|
|
|
@@ -13,7 +15,7 @@ description: |
|
|
|
13
15
|
|
|
14
16
|
cvss_v2: 9.0
|
|
15
17
|
|
|
16
|
-
patched_versions:
|
|
18
|
+
patched_versions:
|
|
17
19
|
- ~> 1.5.4
|
|
18
20
|
- ~> 1.6.7
|
|
19
21
|
- ">= 1.7.7"
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: mail
|
|
3
|
+
cve: 2011-0739
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/70667
|
|
5
|
+
title: >
|
|
6
|
+
Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
|
|
7
|
+
Address Arbitrary Shell Command Injection
|
|
8
|
+
|
|
9
|
+
description: |
|
|
10
|
+
Mail Gem for Ruby contains a flaw related to the failure to properly sanitise
|
|
11
|
+
input passed from an email from address in the 'deliver()' function in
|
|
12
|
+
'lib/mail/network/delivery_methods/sendmail.rb' before being used as a
|
|
13
|
+
command line argument. This may allow a remote attacker to inject arbitrary
|
|
14
|
+
shell commands.
|
|
15
|
+
|
|
16
|
+
cvss_v2: 6.8
|
|
17
|
+
|
|
18
|
+
patched_versions:
|
|
19
|
+
- ">= 2.2.15"
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: mail
|
|
3
|
+
cve: 2012-2139
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/81631
|
|
5
|
+
title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
|
|
6
|
+
description: |
|
|
7
|
+
Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'to' parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.
|
|
8
|
+
|
|
9
|
+
cvss_v2: 5.0
|
|
10
|
+
patched_versions:
|
|
11
|
+
- ">= 2.4.4"
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: mail
|
|
3
|
+
cve: 2012-2140
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/81632
|
|
5
|
+
title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Executio
|
|
6
|
+
description: |
|
|
7
|
+
Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim delivery methods, which may allow an attacker to execute arbitrary shell commands..
|
|
8
|
+
|
|
9
|
+
cvss_v2: 7.5
|
|
10
|
+
patched_versions:
|
|
11
|
+
- ">= 2.4.4"
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: multi_xml
|
|
3
|
+
cve: 2013-0175
|
|
4
|
+
url: http://osvdb.org/show/osvdb/89148
|
|
5
|
+
title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
The multi_xml Gem for Ruby contains a flaw that is triggered when an error
|
|
9
|
+
occurs during the parsing of the 'XML' parameter. With a crafted request
|
|
10
|
+
containing arbitrary symbol and yaml types, a remote attacker can execute
|
|
11
|
+
arbitrary commands.
|
|
12
|
+
|
|
13
|
+
patched_versions:
|
|
14
|
+
- ">= 0.5.2"
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: newrelic_rpm
|
|
3
|
+
cve: 2013-0284
|
|
4
|
+
url: https://newrelic.com/docs/ruby/ruby-agent-security-notification
|
|
5
|
+
title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
A bug in the Ruby agent causes database connection information and raw SQL
|
|
9
|
+
statements to be transmitted to New Relic servers. The database connection
|
|
10
|
+
information includes the database IP address, username, and password
|
|
11
|
+
|
|
12
|
+
cvss_v2:
|
|
13
|
+
|
|
14
|
+
patched_versions:
|
|
15
|
+
- ">= 3.5.3.25"
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: nori
|
|
3
|
+
cve: 2013-0285
|
|
4
|
+
url: https://github.com/savonrb/nori/commit/818f5263b1d597b603d46cbe1702cd2717259e32
|
|
5
|
+
title: Ruby Gem nori Parameter Parsing Remote Code Execution
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
The Ruby Gem nori has a parameter parsing error that may allow an attacker
|
|
9
|
+
to execute arbitrary code. This vulnerability has to do with type casting
|
|
10
|
+
during parsing, and is related to CVE-2013-0156.
|
|
11
|
+
|
|
12
|
+
cvss_v2:
|
|
13
|
+
|
|
14
|
+
patched_versions:
|
|
15
|
+
- ~> 1.0.3
|
|
16
|
+
- ~> 1.1.4
|
|
17
|
+
- ">= 2.0.2"
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: omniauth-oauth2
|
|
3
|
+
cve: 2012-6134
|
|
4
|
+
url: https://github.com/intridea/omniauth-oauth2/pull/25
|
|
5
|
+
title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
|
|
9
|
+
inject values into a user's session through a CSRF attack.
|
|
10
|
+
|
|
11
|
+
cvss_v2:
|
|
12
|
+
|
|
13
|
+
patched_versions:
|
|
14
|
+
- ">= 1.1.1"
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: rack-cache
|
|
3
|
+
cve: 2012-267
|
|
4
|
+
url: http://osvdb.org/83077
|
|
5
|
+
title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
|
|
9
|
+
sensitive HTTP headers. This will result in a weakness that may make it
|
|
10
|
+
easier for an attacker to gain access to a user's session via a specially
|
|
11
|
+
crafted header.
|
|
12
|
+
|
|
13
|
+
cvss_v2: 7.5
|
|
14
|
+
|
|
15
|
+
patched_versions:
|
|
16
|
+
- ">= 1.2"
|
|
@@ -1,4 +1,6 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: rack
|
|
3
|
+
cve: 2013-0263
|
|
2
4
|
url: http://osvdb.org/show/osvdb/89939
|
|
3
5
|
title: |
|
|
4
6
|
Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
|
|
@@ -11,10 +13,9 @@ description: |
|
|
|
11
13
|
latencies are sufficiently low to make the attack viable.
|
|
12
14
|
|
|
13
15
|
cvss_v2: 7.6
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
- ">= 1.5.2"
|
|
16
|
+
patched_versions:
|
|
17
|
+
- ~> 1.1.6
|
|
18
|
+
- ~> 1.2.8
|
|
19
|
+
- ~> 1.3.10
|
|
20
|
+
- ~> 1.4.5
|
|
21
|
+
- ">= 1.5.2"
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: rdoc
|
|
3
|
+
cve: 2013-0256
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/90004
|
|
5
|
+
title: RDoc 2.3.0 through 3.12 XSS Exploit
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
|
|
9
|
+
up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
|
|
10
|
+
may lead to cookie disclosure to third parties.
|
|
11
|
+
|
|
12
|
+
The exploit exists in darkfish.js which is copied from the RDoc install
|
|
13
|
+
location to the generated documentation.
|
|
14
|
+
|
|
15
|
+
RDoc is a static documentation generation tool. Patching the library itself
|
|
16
|
+
is insufficient to correct this exploit.
|
|
17
|
+
|
|
18
|
+
This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
|
|
19
|
+
|
|
20
|
+
cvss_v2: 4.3
|
|
21
|
+
|
|
22
|
+
patched_versions:
|
|
23
|
+
- ~> 3.9.5
|
|
24
|
+
- ~> 3.12.1
|
|
25
|
+
- ">= 4.0"
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
require 'yaml'
|
|
3
|
+
|
|
4
|
+
shared_examples_for 'Advisory' do |path|
|
|
5
|
+
advisory = YAML.load_file(path)
|
|
6
|
+
|
|
7
|
+
describe path do
|
|
8
|
+
let(:gem) { File.basename(File.dirname(path)) }
|
|
9
|
+
let(:cve) { File.basename(path).chomp('.yml') }
|
|
10
|
+
|
|
11
|
+
describe "gem" do
|
|
12
|
+
subject { advisory['gem'] }
|
|
13
|
+
|
|
14
|
+
it { should be_kind_of(String) }
|
|
15
|
+
it { should == gem }
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
describe "cve" do
|
|
19
|
+
subject { advisory['cve'] }
|
|
20
|
+
|
|
21
|
+
it { should be_kind_of(String) }
|
|
22
|
+
it { should == cve }
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
describe "url" do
|
|
26
|
+
subject { advisory['url'] }
|
|
27
|
+
|
|
28
|
+
it { should be_kind_of(String) }
|
|
29
|
+
it { should_not be_empty }
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
describe "title" do
|
|
33
|
+
subject { advisory['title'] }
|
|
34
|
+
|
|
35
|
+
it { should be_kind_of(String) }
|
|
36
|
+
it { should_not be_empty }
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
describe "description" do
|
|
40
|
+
subject { advisory['description'] }
|
|
41
|
+
|
|
42
|
+
it { should be_kind_of(String) }
|
|
43
|
+
it { should_not be_empty }
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
describe "cvss_v2" do
|
|
47
|
+
subject { advisory['cvss_v2'] }
|
|
48
|
+
|
|
49
|
+
it "may be nil or a Float" do
|
|
50
|
+
[NilClass, Float].should include(subject.class)
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
case advisory['cvss_v2']
|
|
54
|
+
when Float
|
|
55
|
+
context "when a Float" do
|
|
56
|
+
it { ((0.0)..(10.0)).should include(subject) }
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
describe "patched_versions" do
|
|
62
|
+
subject { advisory['patched_versions'] }
|
|
63
|
+
|
|
64
|
+
it { should be_kind_of(Array) }
|
|
65
|
+
it { should_not be_empty }
|
|
66
|
+
|
|
67
|
+
advisory['patched_versions'].each do |version|
|
|
68
|
+
describe version do
|
|
69
|
+
subject { version.split(', ') }
|
|
70
|
+
|
|
71
|
+
it "should contain valid RubyGem version requirements" do
|
|
72
|
+
lambda {
|
|
73
|
+
Gem::Requirement.new(version)
|
|
74
|
+
}.should_not raise_error(ArgumentError)
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
end
|
|
80
|
+
end
|