RubyGems - bundler-audit - Versions diffs - 0.3.0 → 0.3.1 - Mend

bundler-audit 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

checksums.yaml +4 -4
data/.gitignore +3 -0
data/.travis.yml +1 -0
data/ChangeLog.md +10 -0
data/README.md +5 -1
data/Rakefile +8 -0
data/data/ruby-advisory-db.ts +1 -0
data/data/ruby-advisory-db/CONTRIBUTORS.md +9 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml +20 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml +21 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml +27 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml +24 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml +22 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml +24 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml +22 -0
data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml +23 -0
data/data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml +15 -0
data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml +2 -2
data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml +1 -1
data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml +1 -1
data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml +11 -0
data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml +10 -0
data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml +14 -0
data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml +3 -8
data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml +17 -0
data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml +12 -0
data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml +15 -0
data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml +1 -1
data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml +22 -0
data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml +17 -0
data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml +13 -0
data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml +12 -0
data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml +13 -0
data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml +1 -1
data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml +20 -0
data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml +2 -1
data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml +13 -0
data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml +3 -2
data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml +3 -2
data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml +3 -2
data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml +3 -2
data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml +14 -0
data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml +11 -0
data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml +15 -0
data/data/ruby-advisory-db/spec/advisory_example.rb +3 -3
data/data/ruby-advisory-db/spec/gems_spec.rb +3 -4
data/gemspec.yml +1 -0
data/lib/bundler/audit.rb +1 -1
data/lib/bundler/audit/advisory.rb +1 -1
data/lib/bundler/audit/cli.rb +5 -4
data/lib/bundler/audit/database.rb +6 -3
data/lib/bundler/audit/version.rb +2 -2
data/spec/advisory_spec.rb +27 -2
data/spec/bundle/secure/Gemfile +1 -1
data/spec/database_spec.rb +58 -1
data/spec/fixtures/not_a_hash.yml +2 -0
data/spec/integration_spec.rb +10 -69
data/spec/spec_helper.rb +40 -0
metadata +44 -3

data/spec/bundle/secure/Gemfile CHANGED

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
-gem 'rails', '3.2.15'
+gem 'rails', '~> 3.2.17'
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'

data/spec/database_spec.rb CHANGED

@@ -3,12 +3,52 @@ require 'bundler/audit/database'
 require 'tmpdir'
 describe Bundler::Audit::Database do
+  let(:vendored_advisories) do
+    Dir[File.join(Bundler::Audit::Database::VENDORED_PATH, '**/*.yml')].sort
+  end
   describe "path" do
     subject { described_class.path }
     it "it should be a directory" do
       File.directory?(subject).should be_true
     end
+    it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
+      Bundler::Audit::Database.update!
+      Dir.chdir(Bundler::Audit::Database::USER_PATH) do
+        puts "Timestamp:"
+        system 'git log --pretty="%cd" -1'
+      end
+      # As up to date...
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+      # More up to date...
+      fake_a_commit_in_the_user_repo
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+      roll_user_repo_back(20)
+      expect(Bundler::Audit::Database.path).to eq Bundler::Audit::Database::VENDORED_PATH
+    end
+  end
+  describe "update!" do
+    it "should create the USER_PATH path as needed" do
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+    end
+    it "should create the repo, then update it given multple successive calls." do
+      expect_update_to_clone_repo!
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+      expect_update_to_update_repo!
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+    end
   end
   describe "#initialize" do
@@ -70,7 +110,18 @@ describe Bundler::Audit::Database do
   end
   describe "#size" do
-    it { subject.size.should > 0 }
+    it { expect(subject.size).to eq vendored_advisories.count }
+  end
+  describe "#advisories" do
+    it "should return a list of all advisories." do
+      actual_advisories = Bundler::Audit::Database.new.
+        advisories.
+        map(&:path).
+        sort
+      expect(actual_advisories).to eq vendored_advisories
+    end
   end
   describe "#to_s" do
@@ -78,4 +129,10 @@ describe Bundler::Audit::Database do
       subject.to_s.should == subject.path
     end
   end
+  describe "#inspect" do
+    it "should produce a Ruby-ish instance descriptor" do
+      expect(Bundler::Audit::Database.new.inspect).to eq("#<Bundler::Audit::Database:#{Bundler::Audit::Database::VENDORED_PATH}>")
+    end
+  end
 end

data/spec/fixtures/not_a_hash.yml ADDED

	@@ -0,0 +1,2 @@
1	+ ---
2	+ "Just a string."

data/spec/integration_spec.rb CHANGED

@@ -20,75 +20,16 @@ describe "CLI" do
     end
     it "should print advisory information for the vulnerable gems" do
-      expect = %{
-Name: actionmailer
-Version: 3.2.10
-Advisory: OSVDB-98629
-Criticality: Medium
-URL: http://www.osvdb.org/show/osvdb/98629
-Title: Action Mailer Gem for Ruby contains a possible DoS Vulnerability
-Solution: upgrade to >= 3.2.15
-Name: actionpack
-Version: 3.2.10
-Advisory: OSVDB-91452
-Criticality: Medium
-URL: http://www.osvdb.org/show/osvdb/91452
-Title: XSS vulnerability in sanitize_css in Action Pack
-Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-Name: actionpack
-Version: 3.2.10
-Advisory: OSVDB-91454
-Criticality: Medium
-URL: http://osvdb.org/show/osvdb/91454
-Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
-Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-Name: actionpack
-Version: 3.2.10
-Advisory: OSVDB-89026
-Criticality: High
-URL: http://osvdb.org/show/osvdb/89026
-Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
-Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-Name: activerecord
-Version: 3.2.10
-Advisory: OSVDB-91453
-Criticality: High
-URL: http://osvdb.org/show/osvdb/91453
-Title: Symbol DoS vulnerability in Active Record
-Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-Name: activerecord
-Version: 3.2.10
-Advisory: OSVDB-90072
-Criticality: Medium
-URL: http://direct.osvdb.org/show/osvdb/90072
-Title: Ruby on Rails Active Record attr_protected Method Bypass
-Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
-Name: activerecord
-Version: 3.2.10
-Advisory: OSVDB-89025
-Criticality: High
-URL: http://osvdb.org/show/osvdb/89025
-Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
-Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-Name: activesupport
-Version: 3.2.10
-Advisory: OSVDB-91451
-Criticality: High
-URL: http://www.osvdb.org/show/osvdb/91451
-Title: XML Parsing Vulnerability affecting JRuby users
-Solution: upgrade to ~> 3.1.12, >= 3.2.13
-Unpatched versions found!
-      }.strip.split "\n\n"
-      subject.strip.split("\n\n").should =~ expect
+      advisory_pattern = /(Name: [^\n]+
+Version: \d+.\d+.\d+
+Advisory: OSVDB-\d+
+Criticality: (High|Medium)
+URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+
+Title: [^\n]*?
+Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
+      expect(subject).to match(advisory_pattern)
+      expect(subject).to include("Unpatched versions found!")
     end
   end

data/spec/spec_helper.rb CHANGED

@@ -13,6 +13,46 @@ module Helpers
   def decolorize(string)
     string.gsub(/\e\[\d+m/, "")
   end
+  def mocked_user_path
+    File.expand_path('../../tmp/ruby-advisory-db', __FILE__)
+  end
+  def expect_update_to_clone_repo!
+    Bundler::Audit::Database.
+      should_receive(:system).
+      with('git', 'clone', Bundler::Audit::Database::VENDORED_PATH, mocked_user_path).
+      and_call_original
+  end
+  def expect_update_to_update_repo!
+    Bundler::Audit::Database.
+      should_receive(:system).
+      with('git', 'pull', 'origin', 'master').
+      and_call_original
+  end
+  def fake_a_commit_in_the_user_repo
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'commit', '--allow-empty', '-m', 'Dummy commit.'
+    end
+  end
+  def roll_user_repo_back(num_commits)
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'reset', '--hard', "HEAD~#{num_commits}"
+    end
+  end
 end
 include Bundler::Audit
+RSpec.configure do |config|
+  include Helpers
+  config.before(:each) do
+    stub_const("Bundler::Audit::Database::URL", Bundler::Audit::Database::VENDORED_PATH)
+    stub_const("Bundler::Audit::Database::USER_PATH", mocked_user_path)
+    FileUtils.rm_rf(mocked_user_path) if File.exist?(mocked_user_path)
+  end
+end

metadata CHANGED

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Postmodern
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-11-01 00:00:00.000000000 Z
+date: 2014-04-20 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.18'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.18'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -47,6 +61,7 @@ files:
 - Rakefile
 - bin/bundle-audit
 - bundler-audit.gemspec
+- data/ruby-advisory-db.ts
 - gemspec.yml
 - lib/bundler/audit.rb
 - lib/bundler/audit/advisory.rb
@@ -60,6 +75,7 @@ files:
 - spec/bundle/secure/Gemfile
 - spec/bundle/unpatched_gems/Gemfile
 - spec/database_spec.rb
+- spec/fixtures/not_a_hash.yml
 - spec/integration_spec.rb
 - spec/scanner_spec.rb
 - spec/spec_helper.rb
@@ -72,6 +88,13 @@ files:
 - data/ruby-advisory-db/README.md
 - data/ruby-advisory-db/Rakefile
 - data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml
@@ -79,6 +102,7 @@ files:
 - data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml
 - data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml
 - data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml
 - data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
@@ -89,6 +113,7 @@ files:
 - data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml
 - data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml
 - data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml
+- data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml
 - data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml
 - data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml
 - data/ruby-advisory-db/gems/crack/OSVDB-90742.yml
@@ -96,6 +121,8 @@ files:
 - data/ruby-advisory-db/gems/curl/OSVDB-91230.yml
 - data/ruby-advisory-db/gems/devise/OSVDB-89642.yml
 - data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml
+- data/ruby-advisory-db/gems/echor/OSVDB-102129.yml
+- data/ruby-advisory-db/gems/echor/OSVDB-102130.yml
 - data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml
 - data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml
 - data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml
@@ -105,8 +132,10 @@ files:
 - data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml
 - data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml
 - data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml
+- data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml
 - data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml
 - data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml
+- data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml
 - data/ruby-advisory-db/gems/json/OSVDB-90074.yml
 - data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml
 - data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml
@@ -119,22 +148,34 @@ files:
 - data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml
 - data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml
 - data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml
+- data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml
+- data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml
 - data/ruby-advisory-db/gems/nori/OSVDB-90196.yml
+- data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml
+- data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml
 - data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml
+- data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml
+- data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml
+- data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml
 - data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml
 - data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml
 - data/ruby-advisory-db/gems/rack/OSVDB-89939.yml
+- data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml
 - data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml
 - data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml
 - data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml
 - data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml
+- data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml
 - data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91216.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91217.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91218.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91219.yml
+- data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml
 - data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml
+- data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml
 - data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml
+- data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml
 - data/ruby-advisory-db/lib/scrape.rb
 - data/ruby-advisory-db/spec/advisory_example.rb
 - data/ruby-advisory-db/spec/gems_spec.rb
@@ -159,7 +200,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.8.0
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.12
+rubygems_version: 2.0.14
 signing_key:
 specification_version: 4
 summary: Patch-level verification for Bundler