bundler-audit 0.1.2 → 0.2.0

data/spec/bundle/secure/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '3.2.12'
+gem 'rails', '3.2.14'
 
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'

data/spec/integration_spec.rb

@@ -7,8 +7,8 @@ describe "CLI" do
     File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit'))
   end
 
-  context "when auditing a vulnerable bundle" do
-    let(:bundle)    { 'vuln' }
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
     let(:directory) { File.join('spec','bundle',bundle) }
 
     subject do
@@ -20,10 +20,26 @@ describe "CLI" do
     end
 
     it "should print advisory information for the vulnerable gems" do
-      subject.should include(%{
+      expect = %{
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-91452
+Criticality: Medium
+URL: http://www.osvdb.org/show/osvdb/91452
+Title: XSS vulnerability in sanitize_css in Action Pack
+Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
 Name: actionpack
 Version: 3.2.10
-CVE: 2013-0156
+Advisory: OSVDB-91454
+Criticality: Medium
+URL: http://osvdb.org/show/osvdb/91454
+Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
+Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-89026
 Criticality: High
 URL: http://osvdb.org/show/osvdb/89026
 Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
@@ -31,7 +47,15 @@ Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
 
 Name: activerecord
 Version: 3.2.10
-CVE: 2013-0276
+Advisory: OSVDB-91453
+Criticality: High
+URL: http://osvdb.org/show/osvdb/91453
+Title: Symbol DoS vulnerability in Active Record
+Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-90072
 Criticality: Medium
 URL: http://direct.osvdb.org/show/osvdb/90072
 Title: Ruby on Rails Active Record attr_protected Method Bypass
@@ -39,11 +63,56 @@ Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
 
 Name: activerecord
 Version: 3.2.10
-CVE: 2013-0155
+Advisory: OSVDB-89025
 Criticality: High
 URL: http://osvdb.org/show/osvdb/89025
 Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
 Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+Name: activesupport
+Version: 3.2.10
+Advisory: OSVDB-91451
+Criticality: High
+URL: http://www.osvdb.org/show/osvdb/91451
+Title: XML Parsing Vulnerability affecting JRuby users
+Solution: upgrade to ~> 3.1.12, >= 3.2.13
+
+Unpatched versions found!
+      }.strip.split "\n\n"
+
+      subject.strip.split("\n\n").should =~ expect
+    end
+  end
+
+  context "when auditing a bundle with ignored gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    let(:command) do
+      File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit -i OSVDB-89026'))
+    end
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should not print advisory information for ignored gem" do
+      subject.should_not include("OSVDB-89026")
+    end
+  end
+
+  context "when auditing a bundle with insecure sources" do
+    let(:bundle)    { 'insecure_sources' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+
+    it "should print warnings about insecure sources" do
+      subject.should include(%{
+Insecure Source URI found: git://github.com/rails/jquery-rails.git
+Insecure Source URI found: http://rubygems.org/
       }.strip)
     end
   end

data/spec/scanner_spec.rb

@@ -0,0 +1,74 @@
+require 'spec_helper'
+require 'bundler/audit/scanner'
+
+describe Scanner do
+  describe "#scan" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+
+    subject { described_class.new(directory) }
+
+    it "should yield results" do
+      results = []
+
+      subject.scan { |result| results << result }
+
+      results.should_not be_empty
+    end
+
+    context "when not called with a block" do
+      it "should return an Enumerator" do
+        subject.scan.should be_kind_of(Enumerable)
+      end
+    end
+  end
+
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)  { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should match unpatched gems to their advisories" do
+      subject.all? { |result|
+        result.advisory.vulnerable?(result.gem.version)
+      }.should be_true
+    end
+
+    context "when the :ignore option is given" do
+      subject { scanner.scan(:ignore => ['OSVDB-89026']) }
+
+      it "should ignore the specified advisories" do
+        ids = subject.map { |result| result.advisory.id }
+        
+        ids.should_not include('OSVDB-89026')
+      end
+    end
+  end
+
+  context "when auditing a bundle with insecure sources" do
+    let(:bundle)    { 'insecure_sources' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)   { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should match unpatched gems to their advisories" do
+      subject[0].source.should == 'git://github.com/rails/jquery-rails.git'
+      subject[1].source.should == 'http://rubygems.org/'
+    end
+  end
+
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)   { described_class.new(directory)    }
+
+    subject { scanner.scan.to_a }
+
+    it "should print nothing when everything is fine" do
+      subject.should be_empty
+    end
+  end
+end

metadata

@@ -1,20 +1,18 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.1.2
-  prerelease: 
+  version: 0.2.0
 platform: ruby
 authors:
 - Postmodern
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-18 00:00:00.000000000 Z
+date: 2013-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -22,7 +20,6 @@ dependencies:
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -55,68 +52,108 @@ files:
 - lib/bundler/audit/advisory.rb
 - lib/bundler/audit/cli.rb
 - lib/bundler/audit/database.rb
+- lib/bundler/audit/scanner.rb
 - lib/bundler/audit/version.rb
 - spec/advisory_spec.rb
 - spec/audit_spec.rb
+- spec/bundle/insecure_sources/Gemfile
 - spec/bundle/secure/Gemfile
-- spec/bundle/vuln/Gemfile
+- spec/bundle/unpatched_gems/Gemfile
 - spec/database_spec.rb
 - spec/integration_spec.rb
+- spec/scanner_spec.rb
 - spec/spec_helper.rb
 - data/ruby-advisory-db/.rspec
+- data/ruby-advisory-db/CONTRIBUTING.md
+- data/ruby-advisory-db/CONTRIBUTORS.md
+- data/ruby-advisory-db/Gemfile
+- data/ruby-advisory-db/LICENSE.txt
 - data/ruby-advisory-db/README.md
-- data/ruby-advisory-db/gems/actionpack/2012-1099.yml
-- data/ruby-advisory-db/gems/actionpack/2012-3424.yml
-- data/ruby-advisory-db/gems/actionpack/2012-3463.yml
-- data/ruby-advisory-db/gems/actionpack/2012-3465.yml
-- data/ruby-advisory-db/gems/actionpack/2013-0156.yml
-- data/ruby-advisory-db/gems/activerecord/2012-2660.yml
-- data/ruby-advisory-db/gems/activerecord/2012-2661.yml
-- data/ruby-advisory-db/gems/activerecord/2013-0155.yml
-- data/ruby-advisory-db/gems/activerecord/2013-0276.yml
-- data/ruby-advisory-db/gems/activerecord/2013-0277.yml
-- data/ruby-advisory-db/gems/activesupport/2012-1098.yml
-- data/ruby-advisory-db/gems/activesupport/2012-3464.yml
-- data/ruby-advisory-db/gems/activesupport/2013-0333.yml
-- data/ruby-advisory-db/gems/devise/2013-0233.yml
-- data/ruby-advisory-db/gems/gtk2/2007-6183.yml
-- data/ruby-advisory-db/gems/json/2013-0269.yml
-- data/ruby-advisory-db/gems/mail/2011-0739.yml
-- data/ruby-advisory-db/gems/mail/2012-2139.yml
-- data/ruby-advisory-db/gems/mail/2012-2140.yml
-- data/ruby-advisory-db/gems/multi_xml/2013-0175.yml
-- data/ruby-advisory-db/gems/newrelic_rpm/2013-0284.yml
-- data/ruby-advisory-db/gems/nori/2013-0285.yml
-- data/ruby-advisory-db/gems/omniauth-oauth2/2012-6134.yml
-- data/ruby-advisory-db/gems/rack-cache/2012-267.yml
-- data/ruby-advisory-db/gems/rack/2013-0263.yml
-- data/ruby-advisory-db/gems/rdoc/2013-0256.yml
+- data/ruby-advisory-db/Rakefile
+- data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-84515.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml
+- data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml
+- data/ruby-advisory-db/gems/crack/OSVDB-90742.yml
+- data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml
+- data/ruby-advisory-db/gems/curl/OSVDB-91230.yml
+- data/ruby-advisory-db/gems/devise/OSVDB-89642.yml
+- data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml
+- data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml
+- data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml
+- data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml
+- data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml
+- data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml
+- data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml
+- data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml
+- data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml
+- data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml
+- data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml
+- data/ruby-advisory-db/gems/json/OSVDB-90074.yml
+- data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml
+- data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml
+- data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml
+- data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
+- data/ruby-advisory-db/gems/mail/OSVDB-70667.yml
+- data/ruby-advisory-db/gems/mail/OSVDB-81631.yml
+- data/ruby-advisory-db/gems/mail/OSVDB-81632.yml
+- data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml
+- data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml
+- data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml
+- data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml
+- data/ruby-advisory-db/gems/nori/OSVDB-90196.yml
+- data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml
+- data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml
+- data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml
+- data/ruby-advisory-db/gems/rack/OSVDB-89939.yml
+- data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml
+- data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml
+- data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91216.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91217.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91218.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91219.yml
+- data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml
+- data/ruby-advisory-db/lib/scrape.rb
 - data/ruby-advisory-db/spec/advisory_example.rb
 - data/ruby-advisory-db/spec/gems_spec.rb
 - data/ruby-advisory-db/spec/spec_helper.rb
-homepage: https://github.com/postmodern/bundler-audit#readme
+homepage: https://github.com/rubysec/bundler-audit#readme
 licenses:
 - GPLv3
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.8.0
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.25
+rubygems_version: 2.0.5
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Patch-level verification for Bundler
 test_files: []