bundler-audit 0.1.1 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.gitignore +3 -0
- data/.gitmodules +3 -0
- data/.travis.yml +4 -0
- data/ChangeLog.md +13 -0
- data/Gemfile +12 -0
- data/README.md +3 -37
- data/Rakefile +20 -49
- data/bundler-audit.gemspec +7 -0
- data/data/ruby-advisory-db/.rspec +1 -0
- data/data/ruby-advisory-db/README.md +64 -0
- data/data/ruby-advisory-db/gems/actionpack/2012-1099.yml +23 -0
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/actionpack}/2012-3424.yml +10 -6
- data/data/ruby-advisory-db/gems/actionpack/2012-3463.yml +20 -0
- data/data/ruby-advisory-db/gems/actionpack/2012-3465.yml +20 -0
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/actionpack}/2013-0156.yml +5 -3
- data/data/ruby-advisory-db/gems/activerecord/2012-2660.yml +21 -0
- data/data/ruby-advisory-db/gems/activerecord/2012-2661.yml +19 -0
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/activerecord}/2013-0155.yml +6 -4
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/activerecord}/2013-0276.yml +5 -3
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/activerecord}/2013-0277.yml +5 -3
- data/data/ruby-advisory-db/gems/activesupport/2012-1098.yml +20 -0
- data/data/ruby-advisory-db/gems/activesupport/2012-3464.yml +20 -0
- data/data/{bundler/audit/rails → ruby-advisory-db/gems/activesupport}/2013-0333.yml +5 -3
- data/data/ruby-advisory-db/gems/devise/2013-0233.yml +18 -0
- data/data/ruby-advisory-db/gems/gtk2/2007-6183.yml +18 -0
- data/data/{bundler/audit → ruby-advisory-db/gems}/json/2013-0269.yml +4 -2
- data/data/ruby-advisory-db/gems/mail/2011-0739.yml +19 -0
- data/data/ruby-advisory-db/gems/mail/2012-2139.yml +11 -0
- data/data/ruby-advisory-db/gems/mail/2012-2140.yml +11 -0
- data/data/ruby-advisory-db/gems/multi_xml/2013-0175.yml +14 -0
- data/data/ruby-advisory-db/gems/newrelic_rpm/2013-0284.yml +15 -0
- data/data/ruby-advisory-db/gems/nori/2013-0285.yml +17 -0
- data/data/ruby-advisory-db/gems/omniauth-oauth2/2012-6134.yml +14 -0
- data/data/ruby-advisory-db/gems/rack-cache/2012-267.yml +16 -0
- data/data/{bundler/audit → ruby-advisory-db/gems}/rack/2013-0263.yml +9 -8
- data/data/ruby-advisory-db/gems/rdoc/2013-0256.yml +25 -0
- data/data/ruby-advisory-db/spec/advisory_example.rb +80 -0
- data/data/ruby-advisory-db/spec/gems_spec.rb +8 -0
- data/data/ruby-advisory-db/spec/spec_helper.rb +1 -0
- data/gemspec.yml +1 -6
- data/lib/bundler/audit/advisory.rb +13 -1
- data/lib/bundler/audit/cli.rb +17 -6
- data/lib/bundler/audit/database.rb +1 -30
- data/lib/bundler/audit/version.rb +1 -1
- data/spec/advisory_spec.rb +1 -1
- data/spec/bundle/secure/Gemfile +38 -0
- data/spec/bundle/{Gemfile → vuln/Gemfile} +0 -0
- data/spec/database_spec.rb +1 -32
- data/spec/integration_spec.rb +63 -0
- data/spec/spec_helper.rb +14 -1
- metadata +68 -112
- data/data/bundler/audit/mail/2011-0739.yml +0 -17
- data/data/bundler/audit/mail/2012-2139.yml +0 -16
- data/data/bundler/audit/mail/2012-2140.yml +0 -13
- data/data/bundler/audit/rack-cache/2012-267.yml +0 -14
- data/data/bundler/audit/rails/2012-1098.yml +0 -19
- data/data/bundler/audit/rails/2012-1099.yml +0 -19
- data/data/bundler/audit/rails/2012-2660.yml +0 -17
- data/data/bundler/audit/rails/2012-2661.yml +0 -18
- data/data/bundler/audit/rails/2012-3463.yml +0 -19
- data/data/bundler/audit/rails/2012-3464.yml +0 -18
- data/data/bundler/audit/rails/2012-3465.yml +0 -19
- data/spec/bundle/Gemfile.lock +0 -92
|
@@ -1,7 +1,8 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: activerecord
|
|
3
|
+
cve: 2013-0155
|
|
2
4
|
url: http://osvdb.org/show/osvdb/89025
|
|
3
|
-
title:
|
|
4
|
-
Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
|
|
5
|
+
title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
|
|
5
6
|
|
|
6
7
|
description: |
|
|
7
8
|
Ruby on Rails contains a flaw in the Active Record. The issue is due to an
|
|
@@ -13,7 +14,8 @@ description: |
|
|
|
13
14
|
|
|
14
15
|
cvss_v2: 10.0
|
|
15
16
|
|
|
16
|
-
patched_versions:
|
|
17
|
+
patched_versions:
|
|
18
|
+
- ~> 2.3.16
|
|
17
19
|
- ~> 3.0.19
|
|
18
20
|
- ~> 3.1.10
|
|
19
21
|
- ">= 3.2.11"
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: activerecord
|
|
3
|
+
cve: 2013-0276
|
|
2
4
|
url: http://direct.osvdb.org/show/osvdb/90072
|
|
3
|
-
title: Ruby on Rails Active Record attr_protected Method Bypass
|
|
5
|
+
title: Ruby on Rails Active Record attr_protected Method Bypass
|
|
4
6
|
|
|
5
7
|
description: |
|
|
6
8
|
Ruby on Rails contains a flaw in the attr_protected method of the
|
|
@@ -10,7 +12,7 @@ description: |
|
|
|
10
12
|
|
|
11
13
|
cvss_v2: 5.0
|
|
12
14
|
|
|
13
|
-
patched_versions:
|
|
15
|
+
patched_versions:
|
|
14
16
|
- ~> 2.3.17
|
|
15
17
|
- ~> 3.1.11
|
|
16
18
|
- ">= 3.2.12"
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: activerecord
|
|
3
|
+
cve: 2013-0277
|
|
2
4
|
url: http://direct.osvdb.org/show/osvdb/90073
|
|
3
|
-
title:
|
|
5
|
+
title:
|
|
4
6
|
Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
|
|
5
7
|
Code Execution
|
|
6
8
|
|
|
@@ -13,6 +15,6 @@ description: |
|
|
|
13
15
|
|
|
14
16
|
cvss_v2: 10.0
|
|
15
17
|
|
|
16
|
-
patched_versions:
|
|
18
|
+
patched_versions:
|
|
17
19
|
- ~> 2.3.17
|
|
18
20
|
- ">= 3.1.0"
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: activesupport
|
|
3
|
+
cve: 2012-1098
|
|
4
|
+
url: http://osvdb.org/79726
|
|
5
|
+
title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
|
|
9
|
+
attack. This flaw exists because athe application does not validate direct
|
|
10
|
+
manipulations of SafeBuffer objects via '[]' and other methods. This may
|
|
11
|
+
allow a user to create a specially crafted request that would execute
|
|
12
|
+
arbitrary script code in a user's browser within the trust relationship
|
|
13
|
+
between their browser and the server.
|
|
14
|
+
|
|
15
|
+
cvss_v2: 4.3
|
|
16
|
+
|
|
17
|
+
patched_versions:
|
|
18
|
+
- ~> 3.0.12
|
|
19
|
+
- ~> 3.1.4
|
|
20
|
+
- ">= 3.2.2"
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: activesupport
|
|
3
|
+
cve: 2012-3464
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/84516
|
|
5
|
+
title: Ruby on Rails HTML Escaping Code XSS
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
|
|
9
|
+
attack. This flaw exists because the HTML escaping code functionality does
|
|
10
|
+
not properly escape a single quote character. This may allow a user to create
|
|
11
|
+
a specially crafted request that would execute arbitrary script code in a
|
|
12
|
+
user's browser within the trust relationship between their browser and the
|
|
13
|
+
server.
|
|
14
|
+
|
|
15
|
+
cvss_v2: 4.3
|
|
16
|
+
|
|
17
|
+
patched_versions:
|
|
18
|
+
- ~> 3.0.17
|
|
19
|
+
- ~> 3.1.8
|
|
20
|
+
- ">= 3.2.8"
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: activesupport
|
|
3
|
+
cve: 2013-0333
|
|
2
4
|
url: http://osvdb.org/show/osvdb/89594
|
|
3
|
-
title:
|
|
5
|
+
title:
|
|
4
6
|
Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
|
|
5
7
|
Execution
|
|
6
8
|
|
|
@@ -15,6 +17,6 @@ description: |
|
|
|
15
17
|
|
|
16
18
|
cvss_v2: 9.3
|
|
17
19
|
|
|
18
|
-
patched_versions:
|
|
20
|
+
patched_versions:
|
|
19
21
|
- ~> 2.3.16
|
|
20
22
|
- ">= 3.0.20"
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: devise
|
|
3
|
+
cve: 2013-0233
|
|
4
|
+
url: http://osvdb.org/show/osvdb/89642
|
|
5
|
+
title: Devise Database Type Conversion Crafted Request Parsing Security Bypass
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Devise contains a flaw that is triggered during when a type conversion error
|
|
9
|
+
occurs during the parsing of a malformed request. With a specially crafted
|
|
10
|
+
request, a remote attacker can bypass security restrictions.
|
|
11
|
+
|
|
12
|
+
cvss_v2: 10.0
|
|
13
|
+
|
|
14
|
+
patched_versions:
|
|
15
|
+
- ~> 1.5.4
|
|
16
|
+
- ~> 2.0.5
|
|
17
|
+
- ~> 2.1.3
|
|
18
|
+
- ">= 2.2.3"
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: gtk2
|
|
3
|
+
cve: 2007-6183
|
|
4
|
+
url: http://osvdb.org/show/osvdb/40774
|
|
5
|
+
title:
|
|
6
|
+
Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
|
|
7
|
+
Format String
|
|
8
|
+
|
|
9
|
+
description: |
|
|
10
|
+
Format string vulnerability in the mdiag_initialize function in
|
|
11
|
+
gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and
|
|
12
|
+
SVN versions before 20071127, allows context-dependent attackers to execute
|
|
13
|
+
arbitrary code via format string specifiers in the message parameter.
|
|
14
|
+
|
|
15
|
+
cvss_v2: 6.8
|
|
16
|
+
|
|
17
|
+
patched_versions:
|
|
18
|
+
- "> 0.16.0"
|
|
@@ -1,4 +1,6 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: json
|
|
3
|
+
cve: 2013-0269
|
|
2
4
|
url: http://direct.osvdb.org/show/osvdb/90074
|
|
3
5
|
title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
|
|
4
6
|
|
|
@@ -13,7 +15,7 @@ description: |
|
|
|
13
15
|
|
|
14
16
|
cvss_v2: 9.0
|
|
15
17
|
|
|
16
|
-
patched_versions:
|
|
18
|
+
patched_versions:
|
|
17
19
|
- ~> 1.5.4
|
|
18
20
|
- ~> 1.6.7
|
|
19
21
|
- ">= 1.7.7"
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: mail
|
|
3
|
+
cve: 2011-0739
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/70667
|
|
5
|
+
title: >
|
|
6
|
+
Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
|
|
7
|
+
Address Arbitrary Shell Command Injection
|
|
8
|
+
|
|
9
|
+
description: |
|
|
10
|
+
Mail Gem for Ruby contains a flaw related to the failure to properly sanitise
|
|
11
|
+
input passed from an email from address in the 'deliver()' function in
|
|
12
|
+
'lib/mail/network/delivery_methods/sendmail.rb' before being used as a
|
|
13
|
+
command line argument. This may allow a remote attacker to inject arbitrary
|
|
14
|
+
shell commands.
|
|
15
|
+
|
|
16
|
+
cvss_v2: 6.8
|
|
17
|
+
|
|
18
|
+
patched_versions:
|
|
19
|
+
- ">= 2.2.15"
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: mail
|
|
3
|
+
cve: 2012-2139
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/81631
|
|
5
|
+
title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
|
|
6
|
+
description: |
|
|
7
|
+
Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'to' parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.
|
|
8
|
+
|
|
9
|
+
cvss_v2: 5.0
|
|
10
|
+
patched_versions:
|
|
11
|
+
- ">= 2.4.4"
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: mail
|
|
3
|
+
cve: 2012-2140
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/81632
|
|
5
|
+
title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Executio
|
|
6
|
+
description: |
|
|
7
|
+
Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim delivery methods, which may allow an attacker to execute arbitrary shell commands..
|
|
8
|
+
|
|
9
|
+
cvss_v2: 7.5
|
|
10
|
+
patched_versions:
|
|
11
|
+
- ">= 2.4.4"
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: multi_xml
|
|
3
|
+
cve: 2013-0175
|
|
4
|
+
url: http://osvdb.org/show/osvdb/89148
|
|
5
|
+
title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
The multi_xml Gem for Ruby contains a flaw that is triggered when an error
|
|
9
|
+
occurs during the parsing of the 'XML' parameter. With a crafted request
|
|
10
|
+
containing arbitrary symbol and yaml types, a remote attacker can execute
|
|
11
|
+
arbitrary commands.
|
|
12
|
+
|
|
13
|
+
patched_versions:
|
|
14
|
+
- ">= 0.5.2"
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: newrelic_rpm
|
|
3
|
+
cve: 2013-0284
|
|
4
|
+
url: https://newrelic.com/docs/ruby/ruby-agent-security-notification
|
|
5
|
+
title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
A bug in the Ruby agent causes database connection information and raw SQL
|
|
9
|
+
statements to be transmitted to New Relic servers. The database connection
|
|
10
|
+
information includes the database IP address, username, and password
|
|
11
|
+
|
|
12
|
+
cvss_v2:
|
|
13
|
+
|
|
14
|
+
patched_versions:
|
|
15
|
+
- ">= 3.5.3.25"
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: nori
|
|
3
|
+
cve: 2013-0285
|
|
4
|
+
url: https://github.com/savonrb/nori/commit/818f5263b1d597b603d46cbe1702cd2717259e32
|
|
5
|
+
title: Ruby Gem nori Parameter Parsing Remote Code Execution
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
The Ruby Gem nori has a parameter parsing error that may allow an attacker
|
|
9
|
+
to execute arbitrary code. This vulnerability has to do with type casting
|
|
10
|
+
during parsing, and is related to CVE-2013-0156.
|
|
11
|
+
|
|
12
|
+
cvss_v2:
|
|
13
|
+
|
|
14
|
+
patched_versions:
|
|
15
|
+
- ~> 1.0.3
|
|
16
|
+
- ~> 1.1.4
|
|
17
|
+
- ">= 2.0.2"
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: omniauth-oauth2
|
|
3
|
+
cve: 2012-6134
|
|
4
|
+
url: https://github.com/intridea/omniauth-oauth2/pull/25
|
|
5
|
+
title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
|
|
9
|
+
inject values into a user's session through a CSRF attack.
|
|
10
|
+
|
|
11
|
+
cvss_v2:
|
|
12
|
+
|
|
13
|
+
patched_versions:
|
|
14
|
+
- ">= 1.1.1"
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: rack-cache
|
|
3
|
+
cve: 2012-267
|
|
4
|
+
url: http://osvdb.org/83077
|
|
5
|
+
title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
|
|
9
|
+
sensitive HTTP headers. This will result in a weakness that may make it
|
|
10
|
+
easier for an attacker to gain access to a user's session via a specially
|
|
11
|
+
crafted header.
|
|
12
|
+
|
|
13
|
+
cvss_v2: 7.5
|
|
14
|
+
|
|
15
|
+
patched_versions:
|
|
16
|
+
- ">= 1.2"
|
|
@@ -1,4 +1,6 @@
|
|
|
1
|
-
---
|
|
1
|
+
---
|
|
2
|
+
gem: rack
|
|
3
|
+
cve: 2013-0263
|
|
2
4
|
url: http://osvdb.org/show/osvdb/89939
|
|
3
5
|
title: |
|
|
4
6
|
Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
|
|
@@ -11,10 +13,9 @@ description: |
|
|
|
11
13
|
latencies are sufficiently low to make the attack viable.
|
|
12
14
|
|
|
13
15
|
cvss_v2: 7.6
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
- ">= 1.5.2"
|
|
16
|
+
patched_versions:
|
|
17
|
+
- ~> 1.1.6
|
|
18
|
+
- ~> 1.2.8
|
|
19
|
+
- ~> 1.3.10
|
|
20
|
+
- ~> 1.4.5
|
|
21
|
+
- ">= 1.5.2"
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: rdoc
|
|
3
|
+
cve: 2013-0256
|
|
4
|
+
url: http://www.osvdb.org/show/osvdb/90004
|
|
5
|
+
title: RDoc 2.3.0 through 3.12 XSS Exploit
|
|
6
|
+
|
|
7
|
+
description: |
|
|
8
|
+
Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
|
|
9
|
+
up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
|
|
10
|
+
may lead to cookie disclosure to third parties.
|
|
11
|
+
|
|
12
|
+
The exploit exists in darkfish.js which is copied from the RDoc install
|
|
13
|
+
location to the generated documentation.
|
|
14
|
+
|
|
15
|
+
RDoc is a static documentation generation tool. Patching the library itself
|
|
16
|
+
is insufficient to correct this exploit.
|
|
17
|
+
|
|
18
|
+
This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
|
|
19
|
+
|
|
20
|
+
cvss_v2: 4.3
|
|
21
|
+
|
|
22
|
+
patched_versions:
|
|
23
|
+
- ~> 3.9.5
|
|
24
|
+
- ~> 3.12.1
|
|
25
|
+
- ">= 4.0"
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
require 'yaml'
|
|
3
|
+
|
|
4
|
+
shared_examples_for 'Advisory' do |path|
|
|
5
|
+
advisory = YAML.load_file(path)
|
|
6
|
+
|
|
7
|
+
describe path do
|
|
8
|
+
let(:gem) { File.basename(File.dirname(path)) }
|
|
9
|
+
let(:cve) { File.basename(path).chomp('.yml') }
|
|
10
|
+
|
|
11
|
+
describe "gem" do
|
|
12
|
+
subject { advisory['gem'] }
|
|
13
|
+
|
|
14
|
+
it { should be_kind_of(String) }
|
|
15
|
+
it { should == gem }
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
describe "cve" do
|
|
19
|
+
subject { advisory['cve'] }
|
|
20
|
+
|
|
21
|
+
it { should be_kind_of(String) }
|
|
22
|
+
it { should == cve }
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
describe "url" do
|
|
26
|
+
subject { advisory['url'] }
|
|
27
|
+
|
|
28
|
+
it { should be_kind_of(String) }
|
|
29
|
+
it { should_not be_empty }
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
describe "title" do
|
|
33
|
+
subject { advisory['title'] }
|
|
34
|
+
|
|
35
|
+
it { should be_kind_of(String) }
|
|
36
|
+
it { should_not be_empty }
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
describe "description" do
|
|
40
|
+
subject { advisory['description'] }
|
|
41
|
+
|
|
42
|
+
it { should be_kind_of(String) }
|
|
43
|
+
it { should_not be_empty }
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
describe "cvss_v2" do
|
|
47
|
+
subject { advisory['cvss_v2'] }
|
|
48
|
+
|
|
49
|
+
it "may be nil or a Float" do
|
|
50
|
+
[NilClass, Float].should include(subject.class)
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
case advisory['cvss_v2']
|
|
54
|
+
when Float
|
|
55
|
+
context "when a Float" do
|
|
56
|
+
it { ((0.0)..(10.0)).should include(subject) }
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
describe "patched_versions" do
|
|
62
|
+
subject { advisory['patched_versions'] }
|
|
63
|
+
|
|
64
|
+
it { should be_kind_of(Array) }
|
|
65
|
+
it { should_not be_empty }
|
|
66
|
+
|
|
67
|
+
advisory['patched_versions'].each do |version|
|
|
68
|
+
describe version do
|
|
69
|
+
subject { version.split(', ') }
|
|
70
|
+
|
|
71
|
+
it "should contain valid RubyGem version requirements" do
|
|
72
|
+
lambda {
|
|
73
|
+
Gem::Requirement.new(version)
|
|
74
|
+
}.should_not raise_error(ArgumentError)
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
end
|
|
80
|
+
end
|