bundler-audit 0.1.1 → 0.1.2

data/data/ruby-advisory-db/spec/gems_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'advisory_example'
+
+describe "gems" do
+  Dir.glob('gems/*/*.yml') do |path|
+    include_examples 'Advisory', path
+  end
+end

data/data/ruby-advisory-db/spec/spec_helper.rb

@@ -0,0 +1 @@
+require 'rspec'

data/gemspec.yml

@@ -7,9 +7,4 @@ email: postmodern.mod3@gmail.com
 homepage: https://github.com/postmodern/bundler-audit#readme
 
 dependencies:
-  bundler: ~> 1.0
-
-development_dependencies:
-  rspec: ~> 2.4
-  rubygems-tasks: ~> 0.2
-  yard: ~> 0.8
+  bundler: ~> 1.2

data/lib/bundler/audit/advisory.rb

@@ -19,7 +19,8 @@ require 'yaml'
 
 module Bundler
   module Audit
-    class Advisory < Struct.new(:cve,
+    class Advisory < Struct.new(:path,
+                                :cve,
                                 :url,
                                 :title,
                                 :description,
@@ -45,6 +46,7 @@ module Bundler
         end
 
         return new(
+          path,
           cve,
           data['url'],
           data['title'],
@@ -85,6 +87,16 @@ module Bundler
         end
       end
 
+      #
+      # Converts the advisory to a String.
+      #
+      # @return [String]
+      #   The CVE identifier.
+      #
+      def to_s
+        "CVE-#{cve}"
+      end
+
     end
   end
 end

data/lib/bundler/audit/cli.rb

@@ -32,19 +32,20 @@ module Bundler
       method_option :verbose, :type => :boolean, :aliases => '-v'
 
       def check
-        environment = Bundler.load
         database    = Database.new
         vulnerable  = false
+        lock_file   = load_gemfile_lock('Gemfile.lock')
 
-        database.check_bundle(environment) do |gem,advisory|
-          vulnerable = true
-
-          print_advisory gem, advisory
+        lock_file.specs.each do |gem|
+          database.check_gem(gem) do |advisory|
+            vulnerable = true
+            print_advisory gem, advisory
+          end
         end
 
         if vulnerable
           say "Unpatched versions found!", :red
-          return -1
+          exit 1
         else
           say "No unpatched versions found", :green
         end
@@ -59,6 +60,10 @@ module Bundler
 
       protected
 
+      def load_gemfile_lock(path)
+        Bundler::LockfileParser.new(File.read(path))
+      end
+
       def print_advisory(gem, advisory)
         say "Name: ", :red
         say gem.name
@@ -74,6 +79,7 @@ module Bundler
         when :low    then say "Low"
         when :medium then say "Medium", :yellow
         when :high   then say "High", [:red, :bold]
+        else              say "Unknown"
         end
 
         say "URL: ", :red
@@ -102,6 +108,11 @@ module Bundler
         say
       end
 
+      def say(string="", color=nil)
+        color = nil unless $stdout.tty?
+        super(string, color)
+      end
+
     end
   end
 end

data/lib/bundler/audit/database.rb

@@ -28,7 +28,7 @@ module Bundler
     class Database
 
       # directory containing advisories
-      PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','bundler','audit'))
+      PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-advisory-db','gems'))
 
       # The path to the advisory database
       attr_reader :path
@@ -119,35 +119,6 @@ module Bundler
         end
       end
 
-      #
-      # Verifies whether the bundled gems are effected by any advisories.
-      #
-      # @param [Bundle::Environment] environment
-      #   The bundled gems.
-      #
-      # @yield [gem, advisory]
-      #   If a block is given, each advisory that effects a gem within the
-      #   bundle will be passed.
-      #
-      # @yieldparam [Gem::Specification] gem
-      #   The gem effected by the advisory.
-      #
-      # @yieldparam [Advisory] advisory
-      #   An advisory that effects a gem within the bundle.
-      #
-      # @return [Enumerator]
-      #   If no block is given, an Enumerator will be returned.
-      #
-      def check_bundle(environment)
-        return enum_for(__method__,environment) unless block_given?
-
-        environment.gems.each do |gem|
-          check_gem(gem) do |advisory|
-            yield gem, advisory
-          end
-        end
-      end
-
       #
       # The number of advisories within the database.
       #

data/lib/bundler/audit/version.rb

@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = "0.1.1"
+    VERSION = "0.1.2"
   end
 end

data/spec/advisory_spec.rb

@@ -4,7 +4,7 @@ require 'bundler/audit/advisory'
 
 describe Bundler::Audit::Advisory do
   let(:root) { Bundler::Audit::Database::PATH }
-  let(:gem)  { 'rails' }
+  let(:gem)  { 'actionpack' }
   let(:cve)  { '2013-0156' }
   let(:path) { File.join(root,gem,"#{cve}.yml") }
 

data/spec/bundle/secure/Gemfile

@@ -0,0 +1,38 @@
+source 'https://rubygems.org'
+
+gem 'rails', '3.2.12'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3'
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'

data/spec/database_spec.rb

@@ -1,7 +1,5 @@
 require 'spec_helper'
 require 'bundler/audit/database'
-
-require 'bundler'
 require 'tmpdir'
 
 describe Bundler::Audit::Database do
@@ -44,7 +42,7 @@ describe Bundler::Audit::Database do
   describe "#check_gem" do
     let(:gem) do
       Gem::Specification.new do |s|
-        s.name    = 'rails'
+        s.name    = 'actionpack'
         s.version = '3.1.9'
       end
     end
@@ -71,35 +69,6 @@ describe Bundler::Audit::Database do
     end
   end
 
-  describe "#check_bundle" do
-    let(:path) { File.join(File.dirname(__FILE__),'bundle') }
-    let(:bundle) do
-      Dir.chdir(path) { Bundler.load }
-    end
-
-    context "when given a block" do
-      it "should yield every advisory effecting the bundle" do
-        advisories = []
-
-        subject.check_bundle(bundle) do |gem,advisory|
-          advisories << [gem, advisory]
-        end
-
-        advisories.should_not be_empty
-        advisories.all? { |gem,advisory|
-          gem.kind_of?(Gem::Specification) &&
-            advisory.kind_of?(Bundler::Audit::Advisory)
-        }.should be_true
-      end
-    end
-
-    context "when given no block" do
-      it "should return an Enumerator" do
-        subject.check_bundle(bundle).should be_kind_of(Enumerable)
-      end
-    end
-  end
-
   describe "#size" do
     it { subject.size.should > 0 }
   end

data/spec/integration_spec.rb

@@ -0,0 +1,63 @@
+require 'spec_helper'
+
+describe "CLI" do
+  include Helpers
+
+  let(:command) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit'))
+  end
+
+  context "when auditing a vulnerable bundle" do
+    let(:bundle)    { 'vuln' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should print a warning" do
+      subject.should include("Unpatched versions found!")
+    end
+
+    it "should print advisory information for the vulnerable gems" do
+      subject.should include(%{
+Name: actionpack
+Version: 3.2.10
+CVE: 2013-0156
+Criticality: High
+URL: http://osvdb.org/show/osvdb/89026
+Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
+Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+Name: activerecord
+Version: 3.2.10
+CVE: 2013-0276
+Criticality: Medium
+URL: http://direct.osvdb.org/show/osvdb/90072
+Title: Ruby on Rails Active Record attr_protected Method Bypass
+Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
+
+Name: activerecord
+Version: 3.2.10
+CVE: 2013-0155
+Criticality: High
+URL: http://osvdb.org/show/osvdb/89025
+Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
+Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+      }.strip)
+    end
+  end
+
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command) }
+    end
+
+    it "should print nothing when everything is fine" do
+      subject.strip.should == "No unpatched versions found"
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -1,5 +1,18 @@
-gem 'rspec', '~> 2.4'
 require 'rspec'
 require 'bundler/audit/version'
 
+module Helpers
+  def sh(command, options={})
+    Bundler.with_clean_env do
+      result = `#{command} 2>&1`
+      raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]
+      result
+    end
+  end
+
+  def decolorize(string)
+    string.gsub(/\e\[\d+m/, "")
+  end
+end
+
 include Bundler::Audit

metadata

@@ -1,122 +1,55 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: bundler-audit
-version: !ruby/object:Gem::Version 
-  hash: 25
+version: !ruby/object:Gem::Version
+  version: 0.1.2
   prerelease: 
-  segments: 
-  - 0
-  - 1
-  - 1
-  version: 0.1.1
 platform: ruby
-authors: 
+authors:
 - Postmodern
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2013-02-12 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2013-02-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: bundler
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 1
-        - 0
-        version: "1.0"
+      - !ruby/object:Gem::Version
+        version: '1.2'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: yard
-  prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 27
-        segments: 
-        - 0
-        - 8
-        version: "0.8"
-  type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: rubygems-tasks
-  prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 15
-        segments: 
-        - 0
-        - 2
-        version: "0.2"
-  type: :development
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: rspec
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  version_requirements: !ruby/object:Gem::Requirement
     none: false
-    requirements: 
+    requirements:
     - - ~>
-      - !ruby/object:Gem::Version 
-        hash: 11
-        segments: 
-        - 2
-        - 4
-        version: "2.4"
-  type: :development
-  version_requirements: *id004
+      - !ruby/object:Gem::Version
+        version: '1.2'
 description: bundler-audit provides patch-level verification for Bundled apps.
 email: postmodern.mod3@gmail.com
-executables: 
+executables:
 - bundle-audit
 extensions: []
-
-extra_rdoc_files: 
+extra_rdoc_files:
 - COPYING.txt
 - ChangeLog.md
 - README.md
-files: 
+files:
 - .document
 - .gitignore
+- .gitmodules
 - .rspec
+- .travis.yml
 - .yardopts
 - COPYING.txt
 - ChangeLog.md
+- Gemfile
 - README.md
 - Rakefile
 - bin/bundle-audit
 - bundler-audit.gemspec
-- data/bundler/audit/json/2013-0269.yml
-- data/bundler/audit/mail/2011-0739.yml
-- data/bundler/audit/mail/2012-2139.yml
-- data/bundler/audit/mail/2012-2140.yml
-- data/bundler/audit/rack-cache/2012-267.yml
-- data/bundler/audit/rack/2013-0263.yml
-- data/bundler/audit/rails/2012-1098.yml
-- data/bundler/audit/rails/2012-1099.yml
-- data/bundler/audit/rails/2012-2660.yml
-- data/bundler/audit/rails/2012-2661.yml
-- data/bundler/audit/rails/2012-3424.yml
-- data/bundler/audit/rails/2012-3463.yml
-- data/bundler/audit/rails/2012-3464.yml
-- data/bundler/audit/rails/2012-3465.yml
-- data/bundler/audit/rails/2013-0155.yml
-- data/bundler/audit/rails/2013-0156.yml
-- data/bundler/audit/rails/2013-0276.yml
-- data/bundler/audit/rails/2013-0277.yml
-- data/bundler/audit/rails/2013-0333.yml
 - gemspec.yml
 - lib/bundler/audit.rb
 - lib/bundler/audit/advisory.rb
@@ -125,42 +58,65 @@ files:
 - lib/bundler/audit/version.rb
 - spec/advisory_spec.rb
 - spec/audit_spec.rb
-- spec/bundle/Gemfile
-- spec/bundle/Gemfile.lock
+- spec/bundle/secure/Gemfile
+- spec/bundle/vuln/Gemfile
 - spec/database_spec.rb
+- spec/integration_spec.rb
 - spec/spec_helper.rb
+- data/ruby-advisory-db/.rspec
+- data/ruby-advisory-db/README.md
+- data/ruby-advisory-db/gems/actionpack/2012-1099.yml
+- data/ruby-advisory-db/gems/actionpack/2012-3424.yml
+- data/ruby-advisory-db/gems/actionpack/2012-3463.yml
+- data/ruby-advisory-db/gems/actionpack/2012-3465.yml
+- data/ruby-advisory-db/gems/actionpack/2013-0156.yml
+- data/ruby-advisory-db/gems/activerecord/2012-2660.yml
+- data/ruby-advisory-db/gems/activerecord/2012-2661.yml
+- data/ruby-advisory-db/gems/activerecord/2013-0155.yml
+- data/ruby-advisory-db/gems/activerecord/2013-0276.yml
+- data/ruby-advisory-db/gems/activerecord/2013-0277.yml
+- data/ruby-advisory-db/gems/activesupport/2012-1098.yml
+- data/ruby-advisory-db/gems/activesupport/2012-3464.yml
+- data/ruby-advisory-db/gems/activesupport/2013-0333.yml
+- data/ruby-advisory-db/gems/devise/2013-0233.yml
+- data/ruby-advisory-db/gems/gtk2/2007-6183.yml
+- data/ruby-advisory-db/gems/json/2013-0269.yml
+- data/ruby-advisory-db/gems/mail/2011-0739.yml
+- data/ruby-advisory-db/gems/mail/2012-2139.yml
+- data/ruby-advisory-db/gems/mail/2012-2140.yml
+- data/ruby-advisory-db/gems/multi_xml/2013-0175.yml
+- data/ruby-advisory-db/gems/newrelic_rpm/2013-0284.yml
+- data/ruby-advisory-db/gems/nori/2013-0285.yml
+- data/ruby-advisory-db/gems/omniauth-oauth2/2012-6134.yml
+- data/ruby-advisory-db/gems/rack-cache/2012-267.yml
+- data/ruby-advisory-db/gems/rack/2013-0263.yml
+- data/ruby-advisory-db/gems/rdoc/2013-0256.yml
+- data/ruby-advisory-db/spec/advisory_example.rb
+- data/ruby-advisory-db/spec/gems_spec.rb
+- data/ruby-advisory-db/spec/spec_helper.rb
 homepage: https://github.com/postmodern/bundler-audit#readme
-licenses: 
+licenses:
 - GPLv3
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      hash: 3
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.8.25
 signing_key: 
 specification_version: 3
 summary: Patch-level verification for Bundler
 test_files: []
-