bundler-audit 0.3.0 → 0.3.1
- checksums.yaml +4 -4
- data/.gitignore +3 -0
- data/.travis.yml +1 -0
- data/ChangeLog.md +10 -0
- data/README.md +5 -1
- data/Rakefile +8 -0
- data/data/ruby-advisory-db.ts +1 -0
- data/data/ruby-advisory-db/CONTRIBUTORS.md +9 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml +20 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml +21 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml +27 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml +24 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml +22 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml +24 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml +22 -0
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml +23 -0
- data/data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml +15 -0
- data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml +2 -2
- data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml +1 -1
- data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml +1 -1
- data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml +11 -0
- data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml +10 -0
- data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml +14 -0
- data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml +3 -8
- data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml +17 -0
- data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml +12 -0
- data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml +15 -0
- data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml +1 -1
- data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml +22 -0
- data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml +17 -0
- data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml +13 -0
- data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml +12 -0
- data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml +13 -0
- data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml +1 -1
- data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml +20 -0
- data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml +2 -1
- data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml +13 -0
- data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml +3 -2
- data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml +3 -2
- data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml +3 -2
- data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml +3 -2
- data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml +14 -0
- data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml +11 -0
- data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml +15 -0
- data/data/ruby-advisory-db/spec/advisory_example.rb +3 -3
- data/data/ruby-advisory-db/spec/gems_spec.rb +3 -4
- data/gemspec.yml +1 -0
- data/lib/bundler/audit.rb +1 -1
- data/lib/bundler/audit/advisory.rb +1 -1
- data/lib/bundler/audit/cli.rb +5 -4
- data/lib/bundler/audit/database.rb +6 -3
- data/lib/bundler/audit/version.rb +2 -2
- data/spec/advisory_spec.rb +27 -2
- data/spec/bundle/secure/Gemfile +1 -1
- data/spec/database_spec.rb +58 -1
- data/spec/fixtures/not_a_hash.yml +2 -0
- data/spec/integration_spec.rb +10 -69
- data/spec/spec_helper.rb +40 -0
- metadata +44 -3
@@ -0,0 +1,15 @@
|
|
1
|
+
---
|
2
|
+
gem: nokogiri
|
3
|
+
cve: 2013-6461
|
4
|
+
osvdb: 101458
|
5
|
+
url: http://www.osvdb.org/show/osvdb/101458
|
6
|
+
title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Remote DoS
|
7
|
+
date: 2013-12-14
|
8
|
+
description: Nokogiri gem for Ruby contains an flaw that is triggered during the parsing of XML data.
|
9
|
+
The issue is due to an incorrectly configured XML parser accepting XML external entities from
|
10
|
+
an untrusted source. By sending specially crafted XML data, a remote attacker can cause an infinite
|
11
|
+
loop and crash the program.
|
12
|
+
cvss_v2:
|
13
|
+
patched_versions:
|
14
|
+
- ~> 1.5.11
|
15
|
+
- ">= 1.6.1"
|
@@ -0,0 +1,22 @@
|
|
1
|
+
---
|
2
|
+
gem: omniauth-facebook
|
3
|
+
cve: 2013-4562
|
4
|
+
osvdb: 99693
|
5
|
+
url: http://www.osvdb.org/show/osvdb/99693
|
6
|
+
title: omniauth-facebook Gem for Ruby Unspecified CSRF
|
7
|
+
date: 2013-11-12
|
8
|
+
|
9
|
+
description: |
|
10
|
+
omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not
|
11
|
+
require multiple steps, explicit confirmation, or a unique token when
|
12
|
+
performing certain sensitive actions. By tricking a user into following
|
13
|
+
a specially crafted link, a context-dependent attacker can perform a
|
14
|
+
Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to
|
15
|
+
perform an unspecified action.
|
16
|
+
|
17
|
+
cvss_v2: 6.8
|
18
|
+
|
19
|
+
patched_versions:
|
20
|
+
- ">= 1.5.0"
|
21
|
+
unaffected_versions:
|
22
|
+
- "<= 1.4.0"
|
@@ -0,0 +1,17 @@
|
|
1
|
+
---
|
2
|
+
gem: omniauth-facebook
|
3
|
+
cve: 2013-4593
|
4
|
+
osvdb: 99888
|
5
|
+
url: http://www.osvdb.org/show/osvdb/99888
|
6
|
+
title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass
|
7
|
+
date: 2013-11-14
|
8
|
+
|
9
|
+
description: |
|
10
|
+
omniauth-facebook Gem for Ruby contains a flaw that is due to the application
|
11
|
+
supporting passing the access token via the URL. This may allow a remote
|
12
|
+
attacker to bypass authentication and authenticate as another user.
|
13
|
+
|
14
|
+
cvss_v2: 6.8
|
15
|
+
|
16
|
+
patched_versions:
|
17
|
+
- ">= 1.5.1"
|
@@ -0,0 +1,13 @@
|
|
1
|
+
---
|
2
|
+
gem: paperclip
|
3
|
+
osvdb: 103151
|
4
|
+
url: http://osvdb.org/show/osvdb/103151
|
5
|
+
title: Paperclip Gem for Ruby contains a flaw
|
6
|
+
date: 2014-01-31
|
7
|
+
description: Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly
|
8
|
+
validate the file extension, instead only validating the Content-Type header during file uploads.
|
9
|
+
This may allow a remote attacker to bypass restrictions on file types for uploaded files by
|
10
|
+
spoofing the content-type.
|
11
|
+
cvss_v2:
|
12
|
+
patched_versions:
|
13
|
+
- ">= 4.0.0"
|
@@ -0,0 +1,12 @@
|
|
1
|
+
---
|
2
|
+
gem: paratrooper-newrelic
|
3
|
+
cve: 2014-1234
|
4
|
+
osvdb: 101839
|
5
|
+
url: http://www.osvdb.org/show/osvdb/101839
|
6
|
+
title: Paratrooper-newrelic Gem for Ruby contains a flaw
|
7
|
+
date: 2014-01-08
|
8
|
+
description: Paratrooper-newrelic Gem for Ruby contains a flaw in /lib/paratrooper-newrelic.rb.
|
9
|
+
The issue is triggered when the script exposes the API key, allowing a local attacker to
|
10
|
+
gain access to it by monitoring the process tree.
|
11
|
+
cvss_v2: 2.1
|
12
|
+
patched_versions:
|
@@ -0,0 +1,13 @@
|
|
1
|
+
---
|
2
|
+
gem: paratrooper-pingdom
|
3
|
+
cve: 2014-1233
|
4
|
+
osvdb: 101847
|
5
|
+
url: http://www.osvdb.org/show/osvdb/101847
|
6
|
+
title: Paratrooper-pingdom Gem for Ruby contains a flaw
|
7
|
+
date: 2013-12-26
|
8
|
+
description: paratrooper-pingdom Gem for Ruby contains a flaw in /lib/paratrooper-pingdom.rb.
|
9
|
+
The issue is triggered when the script exposes API login credentials, allowing a local
|
10
|
+
attacker to gain access to the API key, username, and password for the API login by
|
11
|
+
monitoring the process tree.
|
12
|
+
cvss_v2: 2.1
|
13
|
+
patched_versions:
|
@@ -0,0 +1,20 @@
|
|
1
|
+
---
|
2
|
+
gem: rbovirt
|
3
|
+
cve: 2014-0036
|
4
|
+
osvdb: 104080
|
5
|
+
url: http://osvdb.org/show/osvdb/104080
|
6
|
+
title: rbovirt Gem for Ruby contains a flaw
|
7
|
+
date: 2014-03-05
|
8
|
+
|
9
|
+
description: |
|
10
|
+
rbovirt Gem for Ruby contains a flaw related to certificate validation.
|
11
|
+
The issue is due to the program failing to validate SSL certificates. This may
|
12
|
+
allow an attacker with access to network traffic (e.g. MiTM, DNS cache
|
13
|
+
poisoning) to spoof the SSL server via an arbitrary certificate that appears
|
14
|
+
valid. Such an attack would allow for the interception of sensitive traffic,
|
15
|
+
and potentially allow for the injection of content into the SSL stream.
|
16
|
+
|
17
|
+
cvss_v2:
|
18
|
+
|
19
|
+
patched_versions:
|
20
|
+
- '>= 0.0.24'
|
@@ -1,6 +1,7 @@
|
|
1
1
|
---
|
2
2
|
gem: rgpg
|
3
3
|
osvdb: 95948
|
4
|
+
cve: 2013-4203
|
4
5
|
url: http://www.osvdb.org/show/osvdb/95948
|
5
6
|
title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
|
6
7
|
date: 2013-08-02
|
@@ -8,6 +9,6 @@ description: |
|
|
8
9
|
rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
|
9
10
|
The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
|
10
11
|
This may allow a remote attacker to execute arbitrary commands.
|
11
|
-
cvss_v2:
|
12
|
+
cvss_v2: 7.5
|
12
13
|
patched_versions:
|
13
14
|
- ">= 0.2.3"
|
@@ -0,0 +1,13 @@
|
|
1
|
+
---
|
2
|
+
gem: sfpagent
|
3
|
+
cve:
|
4
|
+
osvdb: 105971
|
5
|
+
url: http://www.osvdb.org/show/osvdb/105971
|
6
|
+
title: sfpagent Gem for Ruby Remote Command Injection
|
7
|
+
date: 2014-04-16
|
8
|
+
description: sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]
|
9
|
+
input is not properly sanitized when handling module names with shell metacharacters.
|
10
|
+
This may allow a context-dependent attacker to execute arbitrary commands.
|
11
|
+
cvss_v2:
|
12
|
+
patched_versions:
|
13
|
+
- ">= 0.4.15"
|
@@ -1,4 +1,4 @@
|
|
1
|
-
---
|
1
|
+
---
|
2
2
|
gem: spree
|
3
3
|
cve: 2013-1656
|
4
4
|
osvdb: 91216
|
@@ -7,4 +7,5 @@ title: Spree promotion_actions_controller.rb promotion_action Parameter Arbitrar
|
|
7
7
|
date: 2013-02-21
|
8
8
|
description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_action' parameter to promotion_actions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
|
9
9
|
cvss_v2: 4.3
|
10
|
-
patched_versions:
|
10
|
+
patched_versions:
|
11
|
+
- ">= 2.0.0"
|
@@ -1,4 +1,4 @@
|
|
1
|
-
---
|
1
|
+
---
|
2
2
|
gem: spree
|
3
3
|
cve: 2013-1656
|
4
4
|
osvdb: 91217
|
@@ -7,4 +7,5 @@ title: Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ru
|
|
7
7
|
date: 2013-02-21
|
8
8
|
description: Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
|
9
9
|
cvss_v2: 4.3
|
10
|
-
patched_versions:
|
10
|
+
patched_versions:
|
11
|
+
- ">= 2.0.0"
|
@@ -1,4 +1,4 @@
|
|
1
|
-
---
|
1
|
+
---
|
2
2
|
gem: spree
|
3
3
|
cve: 2013-1656
|
4
4
|
osvdb: 91218
|
@@ -7,4 +7,5 @@ title: Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby O
|
|
7
7
|
date: 2013-02-21
|
8
8
|
description: Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
|
9
9
|
cvss_v2: 4.3
|
10
|
-
patched_versions:
|
10
|
+
patched_versions:
|
11
|
+
- ">= 2.0.0"
|
@@ -1,4 +1,4 @@
|
|
1
|
-
---
|
1
|
+
---
|
2
2
|
gem: spree
|
3
3
|
cve: 2013-1656
|
4
4
|
osvdb: 91219
|
@@ -7,4 +7,5 @@ title: Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ru
|
|
7
7
|
date: 2013-02-21
|
8
8
|
description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
|
9
9
|
cvss_v2: 4.3
|
10
|
-
patched_versions:
|
10
|
+
patched_versions:
|
11
|
+
- ">= 2.0.0"
|
@@ -0,0 +1,14 @@
|
|
1
|
+
---
|
2
|
+
gem: sprout
|
3
|
+
cve: 2013-6421
|
4
|
+
osvdb: 100598
|
5
|
+
url: http://www.osvdb.org/show/osvdb/100598
|
6
|
+
title: Sprout Gem for Ruby contains a flaw
|
7
|
+
date: 2013-12-02
|
8
|
+
description: sprout Gem for Ruby contains a flaw in the unpack_zip() function in archive_unpacker.rb.
|
9
|
+
The issue is due to the program failing to properly sanitize input passed via the 'zip_file', 'dir',
|
10
|
+
'zip_name', and 'output' parameters. This may allow a context-dependent attacker to execute arbitrary code.
|
11
|
+
cvss_v2: 7.5
|
12
|
+
patched_versions:
|
13
|
+
unaffected_versions:
|
14
|
+
- '< 0.7.246'
|
@@ -0,0 +1,11 @@
|
|
1
|
+
---
|
2
|
+
gem: webbynode
|
3
|
+
osvdb: 100920
|
4
|
+
url: http://osvdb.org/show/osvdb/100920
|
5
|
+
title: Webbynode Gem for Ruby contains a flaw
|
6
|
+
date: 2013-12-12
|
7
|
+
description: Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
|
8
|
+
when handling a specially crafted growlnotify message. This may allow a
|
9
|
+
context-dependent attacker to execute arbitrary commands.
|
10
|
+
cvss_v2: 7.5
|
11
|
+
patched_versions:
|
@@ -0,0 +1,15 @@
|
|
1
|
+
---
|
2
|
+
gem: will_paginate
|
3
|
+
osvdb: 101138
|
4
|
+
cve: 2013-6459
|
5
|
+
url: http://osvdb.org/show/osvdb/101138
|
6
|
+
title: will_paginate Gem for Ruby Generated Pagination Link Unspecified XSS
|
7
|
+
date: 2013-09-19
|
8
|
+
description: will_paginate Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack.
|
9
|
+
This flaw exists because the application does not validate certain unspecified input related to
|
10
|
+
generated pagination links before returning it to the user. This may allow an attacker to create
|
11
|
+
a specially crafted request that would execute arbitrary script code in a users browser within the
|
12
|
+
trust relationship between their browser and the server.
|
13
|
+
cvss_v2: 4.3
|
14
|
+
patched_versions:
|
15
|
+
- ">= 3.0.5"
|
@@ -1,4 +1,4 @@
|
|
1
|
-
|
1
|
+
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
|
2
2
|
require 'yaml'
|
3
3
|
|
4
4
|
shared_examples_for 'Advisory' do |path|
|
@@ -131,7 +131,7 @@ shared_examples_for 'Advisory' do |path|
|
|
131
131
|
it "should contain valid RubyGem version requirements" do
|
132
132
|
lambda {
|
133
133
|
Gem::Requirement.new(*subject)
|
134
|
-
}.should_not raise_error
|
134
|
+
}.should_not raise_error
|
135
135
|
end
|
136
136
|
end
|
137
137
|
end
|
@@ -155,7 +155,7 @@ shared_examples_for 'Advisory' do |path|
|
|
155
155
|
it "should contain valid RubyGem version requirements" do
|
156
156
|
lambda {
|
157
157
|
Gem::Requirement.new(*subject)
|
158
|
-
}.should_not raise_error
|
158
|
+
}.should_not raise_error
|
159
159
|
end
|
160
160
|
end
|
161
161
|
end
|
@@ -1,8 +1,7 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
|
1
|
+
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
|
2
|
+
load File.join(File.dirname(__FILE__), 'advisory_example.rb')
|
4
3
|
describe "gems" do
|
5
|
-
Dir.glob('gems/*/*.yml') do |path|
|
4
|
+
Dir.glob(File.join(File.dirname(__FILE__), '../gems/*/*.yml')) do |path|
|
6
5
|
include_examples 'Advisory', path
|
7
6
|
end
|
8
7
|
end
|
data/gemspec.yml
CHANGED
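--- a/data/lib/bundler/audit.rb
+++ b/data/lib/bundler/audit.rb
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by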
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
|
2
|
+
# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
|
3
3
|
#
|
4
4
|
# bundler-audit is free software: you can redistribute it and/or modify
|
5
5
|
# it under the terms of the GNU General Public License as published by
|
data/lib/bundler/audit/cli.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
|
2
|
+
# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
|
3
3
|
#
|
4
4
|
# bundler-audit is free software: you can redistribute it and/or modify
|
5
5
|
# it under the terms of the GNU General Public License as published by
|
@@ -18,12 +18,13 @@
|
|
18
18
|
require 'bundler/audit/scanner'
|
19
19
|
require 'bundler/audit/version'
|
20
20
|
|
21
|
+
require 'thor'
|
21
22
|
require 'bundler'
|
22
23
|
require 'bundler/vendored_thor'
|
23
24
|
|
24
25
|
module Bundler
|
25
26
|
module Audit
|
26
|
-
class CLI < Thor
|
27
|
+
class CLI < ::Thor
|
27
28
|
|
28
29
|
default_task :check
|
29
30
|
map '--version' => :version
|
@@ -72,9 +73,9 @@ module Bundler
|
|
72
73
|
|
73
74
|
protected
|
74
75
|
|
75
|
-
def say(
|
76
|
+
def say(message="", color=nil)
|
76
77
|
color = nil unless $stdout.tty?
|
77
|
-
super(
|
78
|
+
super(message.to_s, color)
|
78
79
|
end
|
79
80
|
|
80
81
|
def print_warning(message)
|
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
|
2
|
+
# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
|
3
3
|
#
|
4
4
|
# bundler-audit is free software: you can redistribute it and/or modify
|
5
5
|
# it under the terms of the GNU General Public License as published by
|
@@ -34,8 +34,11 @@ module Bundler
|
|
34
34
|
# Default path to the ruby-advisory-db
|
35
35
|
VENDORED_PATH = File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-advisory-db'))
|
36
36
|
|
37
|
+
# Timestamp for when the database was last updated
|
38
|
+
VENDORED_TIMESTAMP = Time.parse(File.read("#{VENDORED_PATH}.ts")).utc
|
39
|
+
|
37
40
|
# Path to the user's copy of the ruby-advisory-db
|
38
|
-
USER_PATH = File.join(
|
41
|
+
USER_PATH = File.expand_path(File.join(ENV['HOME'],'.local','share','ruby-advisory-db'))
|
39
42
|
|
40
43
|
# The path to the advisory database
|
41
44
|
attr_reader :path
|
@@ -66,7 +69,7 @@ module Bundler
|
|
66
69
|
def self.path
|
67
70
|
if File.directory?(USER_PATH)
|
68
71
|
t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --pretty="%cd" -1`) }
|
69
|
-
t2 =
|
72
|
+
t2 = VENDORED_TIMESTAMP
|
70
73
|
|
71
74
|
if t1 >= t2 then USER_PATH
|
72
75
|
else VENDORED_PATH
|
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
|
2
|
+
# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
|
3
3
|
#
|
4
4
|
# bundler-audit is free software: you can redistribute it and/or modify
|
5
5
|
# it under the terms of the GNU General Public License as published by
|
@@ -18,6 +18,6 @@
|
|
18
18
|
module Bundler
|
19
19
|
module Audit
|
20
20
|
# bundler-audit version
|
21
|
-
VERSION = '0.3.
|
21
|
+
VERSION = '0.3.1'
|
22
22
|
end
|
23
23
|
end
|
data/spec/advisory_spec.rb
CHANGED
@@ -7,6 +7,22 @@ describe Bundler::Audit::Advisory do
|
|
7
7
|
let(:gem) { 'actionpack' }
|
8
8
|
let(:id) { 'OSVDB-84243' }
|
9
9
|
let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
|
10
|
+
let(:an_unaffected_version) do
|
11
|
+
Bundler::Audit::Advisory.load(path).unaffected_versions.map { |version_rule|
|
12
|
+
# For all the rules, get the individual constraints out and see if we
|
13
|
+
# can find a suitable one...
|
14
|
+
version_rule.requirements.select { |(constraint, gem_version)|
|
15
|
+
# We only want constraints where the version number specified is
|
16
|
+
# one of the unaffected version. I.E. we don't want ">", "<", or if
|
17
|
+
# such a thing exists, "!=" constraints.
|
18
|
+
['~>', '>=', '=', '<='].include?(constraint)
|
19
|
+
}.map { |(constraint, gem_version)|
|
20
|
+
# Fetch just the version component, which is a Gem::Version,
|
21
|
+
# and extract the string representation of the version.
|
22
|
+
gem_version.version
|
23
|
+
}
|
24
|
+
}.flatten.first
|
25
|
+
end
|
10
26
|
|
11
27
|
describe "load" do
|
12
28
|
let(:data) { YAML.load_file(path) }
|
@@ -19,6 +35,15 @@ describe Bundler::Audit::Advisory do
|
|
19
35
|
its(:cvss_v2) { should == data['cvss_v2'] }
|
20
36
|
its(:description) { should == data['description'] }
|
21
37
|
|
38
|
+
context "YAML data not representing a hash" do
|
39
|
+
it "should raise an exception" do
|
40
|
+
path = File.expand_path('../fixtures/not_a_hash.yml', __FILE__)
|
41
|
+
expect {
|
42
|
+
Advisory.load(path)
|
43
|
+
}.to raise_exception("advisory data in #{path.dump} was not a Hash")
|
44
|
+
end
|
45
|
+
end
|
46
|
+
|
22
47
|
describe "#patched_versions" do
|
23
48
|
subject { described_class.load(path).patched_versions }
|
24
49
|
|
@@ -58,7 +83,7 @@ describe Bundler::Audit::Advisory do
|
|
58
83
|
subject { described_class.load(path) }
|
59
84
|
|
60
85
|
context "when passed a version that matches one unaffected version" do
|
61
|
-
let(:version) { Gem::Version.new(
|
86
|
+
let(:version) { Gem::Version.new(an_unaffected_version) }
|
62
87
|
|
63
88
|
it "should return true" do
|
64
89
|
subject.unaffected?(version).should be_true
|
@@ -116,7 +141,7 @@ describe Bundler::Audit::Advisory do
|
|
116
141
|
subject { described_class.load(path) }
|
117
142
|
|
118
143
|
context "when passed a version that matches one unaffected version" do
|
119
|
-
let(:version) { Gem::Version.new(
|
144
|
+
let(:version) { Gem::Version.new(an_unaffected_version) }
|
120
145
|
|
121
146
|
it "should return false" do
|
122
147
|
subject.vulnerable?(version).should be_false
|