bundler-audit 0.1.2 → 0.2.0

data/gemspec.yml

@@ -4,7 +4,9 @@ description: bundler-audit provides patch-level verification for Bundled apps.
 license: GPLv3
 authors: Postmodern
 email: postmodern.mod3@gmail.com
-homepage: https://github.com/postmodern/bundler-audit#readme
+homepage: https://github.com/rubysec/bundler-audit#readme
+
+required_rubygems_version: ">= 1.8.0"
 
 dependencies:
   bundler: ~> 1.2

data/lib/bundler/audit/advisory.rb

@@ -20,11 +20,12 @@ require 'yaml'
 module Bundler
   module Audit
     class Advisory < Struct.new(:path,
-                                :cve,
+                                :id,
                                 :url,
                                 :title,
                                 :description,
                                 :cvss_v2,
+                                :unaffected_versions,
                                 :patched_versions)
 
       #
@@ -38,23 +39,28 @@ module Bundler
       # @api semipublic
       #
       def self.load(path)
-        cve  = File.basename(path).chomp('.yml')
+        id   = File.basename(path).chomp('.yml')
         data = YAML.load_file(path)
 
         unless data.kind_of?(Hash)
           raise("advisory data in #{path.dump} was not a Hash")
         end
 
+        parse_versions = lambda { |versions|
+          Array(versions).map do |version|
+            Gem::Requirement.new(*version.split(', '))
+          end
+        }
+
         return new(
           path,
-          cve,
+          id,
           data['url'],
           data['title'],
           data['description'],
           data['cvss_v2'],
-          Array(data['patched_versions']).map { |version|
-            Gem::Requirement.new(*version.split(', '))
-          }
+          parse_versions[data['unaffected_versions']],
+          parse_versions[data['patched_versions']]
         )
       end
 
@@ -73,30 +79,54 @@ module Bundler
       end
 
       #
-      # Checks whether the version is vulnerable to the advisory.
+      # Checks whether the version is not affected by the advisory.
       #
       # @param [Gem::Version] version
-      #   The version to compare against {#patched_versions}.
+      #   The version to compare against {#unaffected_version}.
       #
       # @return [Boolean]
-      #   Specifies whether the version is vulnerable to the advisory or not.
+      #   Specifies whether the version is not affected by the advisory.
       #
-      def vulnerable?(version)
-        !patched_versions.any? do |patched_version|
+      # @since 0.2.0
+      #
+      def unaffected?(version)
+        unaffected_versions.any? do |unaffected_version|
+          unaffected_version === version
+        end
+      end
+
+      #
+      # Checks whether the version is patched against the advisory.
+      #
+      # @param [Gem::Version] version
+      #   The version to compare against {#patched_version}.
+      #
+      # @return [Boolean]
+      #   Specifies whether the version is patched against the advisory.
+      #
+      # @since 0.2.0
+      #
+      def patched?(version)
+        patched_versions.any? do |patched_version|
           patched_version === version
         end
       end
 
       #
-      # Converts the advisory to a String.
+      # Checks whether the version is vulnerable to the advisory.
       #
-      # @return [String]
-      #   The CVE identifier.
+      # @param [Gem::Version] version
+      #   The version to compare against {#patched_versions}.
+      #
+      # @return [Boolean]
+      #   Specifies whether the version is vulnerable to the advisory or not.
       #
-      def to_s
-        "CVE-#{cve}"
+      def vulnerable?(version)
+        !patched?(version) && !unaffected?(version)
       end
 
+      alias to_s id
+
     end
   end
 end

data/lib/bundler/audit/cli.rb

@@ -15,11 +15,11 @@
 # along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-require 'bundler/audit/database'
+require 'bundler/audit/scanner'
 require 'bundler/audit/version'
 
-require 'bundler/vendored_thor'
 require 'bundler'
+require 'bundler/vendored_thor'
 
 module Bundler
   module Audit
@@ -30,16 +30,20 @@ module Bundler
 
       desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
       method_option :verbose, :type => :boolean, :aliases => '-v'
+      method_option :ignore, :type => :array, :aliases => '-i'
 
       def check
-        database    = Database.new
-        vulnerable  = false
-        lock_file   = load_gemfile_lock('Gemfile.lock')
-
-        lock_file.specs.each do |gem|
-          database.check_gem(gem) do |advisory|
-            vulnerable = true
-            print_advisory gem, advisory
+        scanner    = Scanner.new
+        vulnerable = false
+
+        scanner.scan(:ignore => options.ignore) do |result|
+          vulnerable = true
+
+          case result
+          when Scanner::InsecureSource
+            print_warning "Insecure Source URI found: #{result.source}"
+          when Scanner::UnpatchedGem
+            print_advisory result.gem, result.advisory
           end
         end
 
@@ -60,8 +64,13 @@ module Bundler
 
       protected
 
-      def load_gemfile_lock(path)
-        Bundler::LockfileParser.new(File.read(path))
+      def say(string="", color=nil)
+        color = nil unless $stdout.tty?
+        super(string, color)
+      end
+
+      def print_warning(message)
+        say message, :yellow
       end
 
       def print_advisory(gem, advisory)
@@ -71,8 +80,8 @@ module Bundler
         say "Version: ", :red
         say gem.version
 
-        say "CVE: ", :red
-        say advisory.cve
+        say "Advisory: ", :red
+        say advisory.id
 
         say "Criticality: ", :red
         case advisory.criticality
@@ -108,11 +117,6 @@ module Bundler
         say
       end
 
-      def say(string="", color=nil)
-        color = nil unless $stdout.tty?
-        super(string, color)
-      end
-
     end
   end
 end

data/lib/bundler/audit/scanner.rb

@@ -0,0 +1,97 @@
+require 'bundler'
+require 'bundler/audit/database'
+require 'bundler/lockfile_parser'
+
+require 'set'
+
+module Bundler
+  module Audit
+    class Scanner
+
+      # Represents a plain-text source
+      InsecureSource = Struct.new(:source)
+
+      # Represents a gem that is covered by an Advisory
+      UnpatchedGem = Struct.new(:gem, :advisory)
+
+      # The advisory database
+      #
+      # @return [Database]
+      attr_reader :database
+
+      # Project root directory
+      attr_reader :root
+
+      # The parsed `Gemfile.lock` from the project
+      #
+      # @return [Bundler::LockfileParser]
+      attr_reader :lockfile
+
+      #
+      # Initializes a scanner.
+      #
+      # @param [String] root
+      #   The path to the project root.
+      #
+      def initialize(root=Dir.pwd)
+        @root     = File.expand_path(root)
+        @database = Database.new
+        @lockfile = LockfileParser.new(
+          File.read(File.join(@root,'Gemfile.lock'))
+        )
+      end
+
+      #
+      # Scans the project for issues.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [InsecureSource, UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      def scan(options={})
+        return enum_for(__method__,options) unless block_given?
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
+
+        @lockfile.sources.map do |source|
+          case source
+          when Source::Git
+            case source.uri
+            when /^git:/, /^http:/
+              yield InsecureSource.new(source.uri)
+            end
+          when Source::Rubygems
+            source.remotes.each do |uri|
+              if uri.scheme == 'http'
+                yield InsecureSource.new(uri.to_s)
+              end
+            end
+          end
+        end
+
+        @lockfile.specs.each do |gem|
+          @database.check_gem(gem) do |advisory|
+            unless ignore.include?(advisory.id)
+              yield UnpatchedGem.new(gem,advisory)
+            end
+          end
+        end
+
+        return self
+      end
+
+    end
+  end
+end

data/lib/bundler/audit/version.rb

@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = "0.1.2"
+    VERSION = '0.2.0'
   end
 end

data/spec/advisory_spec.rb

@@ -5,15 +5,15 @@ require 'bundler/audit/advisory'
 describe Bundler::Audit::Advisory do
   let(:root) { Bundler::Audit::Database::PATH }
   let(:gem)  { 'actionpack' }
-  let(:cve)  { '2013-0156' }
-  let(:path) { File.join(root,gem,"#{cve}.yml") }
+  let(:id)   { 'OSVDB-84243' }
+  let(:path) { File.join(root,gem,"#{id}.yml") }
 
   describe "load" do
     let(:data) { YAML.load_file(path) }
 
     subject { described_class.load(path) }
 
-    its(:cve)         { should == cve                 }
+    its(:id)          { should == id                  }
     its(:url)         { should == data['url']         }
     its(:title)       { should == data['title']       }
     its(:cvss_v2)     { should == data['cvss_v2']     }
@@ -54,10 +54,50 @@ describe Bundler::Audit::Advisory do
     end
   end
 
+  describe "#unaffected?" do
+    subject { described_class.load(path) }
+
+    context "when passed a version that matches one unaffected version" do
+      let(:version) { Gem::Version.new('2.3.10') }
+
+      it "should return true" do
+        subject.unaffected?(version).should be_true
+      end
+    end
+
+    context "when passed a version that matches no unaffected version" do
+      let(:version) { Gem::Version.new('3.0.9') }
+
+      it "should return false" do
+        subject.unaffected?(version).should be_false
+      end
+    end
+  end
+
+  describe "#patched?" do
+    subject { described_class.load(path) }
+
+    context "when passed a version that matches one patched version" do
+      let(:version) { Gem::Version.new('3.1.11') }
+
+      it "should return true" do
+        subject.patched?(version).should be_true
+      end
+    end
+
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('2.9.0') }
+
+      it "should return false" do
+        subject.patched?(version).should be_false
+      end
+    end
+  end
+
   describe "#vulnerable?" do
     subject { described_class.load(path) }
 
-    context "when passed a version that matches one patched_version" do
+    context "when passed a version that matches one patched version" do
       let(:version) { Gem::Version.new('3.1.11') }
 
       it "should return false" do
@@ -65,12 +105,32 @@ describe Bundler::Audit::Advisory do
       end
     end
 
-    context "when passed a version that matches no patched_version" do
-      let(:version) { Gem::Version.new('3.1.9') }
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return true" do
         subject.vulnerable?(version).should be_true
       end
+
+      context "when unaffected_versions is not empty" do
+        subject { described_class.load(path) }
+     
+        context "when passed a version that matches one unaffected version" do
+          let(:version) { Gem::Version.new('2.3.12') }
+
+          it "should return false" do
+            subject.vulnerable?(version).should be_false
+          end
+        end
+
+        context "when passed a version that matches no unaffected version" do
+          let(:version) { Gem::Version.new('1.2.3') }
+
+          it "should return true" do
+            subject.vulnerable?(version).should be_true
+          end
+        end
+      end
     end
   end
 end

data/spec/bundle/insecure_sources/Gemfile

@@ -0,0 +1,39 @@
+source 'http://rubygems.org'
+
+gem 'rails', '3.2.12'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3'
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails', :git => 'git://github.com/rails/jquery-rails.git',
+                    :tag => 'v2.2.1'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'