bundler-audit 0.3.0 → 0.4.0

data/spec/bundle/insecure_sources/Gemfile

@@ -5,7 +5,7 @@ gem 'rails', '3.2.12'
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
 
-gem 'sqlite3'
+gem 'sqlite3', platform: [:mri, :rbx]
 
 
 # Gems used only for assets and not required

data/spec/bundle/secure/Gemfile

@@ -1,11 +1,11 @@
 source 'https://rubygems.org'
 
-gem 'rails', '3.2.15'
+gem 'rails', '~> 3.2.17'
 
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
 
-gem 'sqlite3'
+gem 'sqlite3', platform: [:mri, :rbx]
 
 
 # Gems used only for assets and not required

data/spec/bundle/unpatched_gems/Gemfile

@@ -5,7 +5,7 @@ gem 'rails', '3.2.10'
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
 
-gem 'sqlite3'
+gem 'sqlite3', platform: [:mri, :rbx]
 
 
 # Gems used only for assets and not required

data/spec/database_spec.rb

@@ -3,11 +3,51 @@ require 'bundler/audit/database'
 require 'tmpdir'
 
 describe Bundler::Audit::Database do
+  let(:vendored_advisories) do
+    Dir[File.join(Bundler::Audit::Database::VENDORED_PATH, '**/*.yml')].sort
+  end
+
   describe "path" do
     subject { described_class.path }
 
     it "it should be a directory" do
-      File.directory?(subject).should be_true
+      expect(File.directory?(subject)).to be_truthy
+    end
+
+    it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
+      Bundler::Audit::Database.update!
+
+      Dir.chdir(Bundler::Audit::Database::USER_PATH) do
+        puts "Timestamp:"
+        system 'git log --pretty="%cd" -1'
+      end
+
+      # As up to date...
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+
+      # More up to date...
+      fake_a_commit_in_the_user_repo
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+
+      roll_user_repo_back(20)
+      expect(Bundler::Audit::Database.path).to eq Bundler::Audit::Database::VENDORED_PATH
+    end
+  end
+
+  describe "update!" do
+    it "should create the USER_PATH path as needed" do
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+    end
+
+    it "should create the repo, then update it given multple successive calls." do
+      expect_update_to_clone_repo!
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+
+      expect_update_to_update_repo!
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
     end
   end
 
@@ -16,7 +56,7 @@ describe Bundler::Audit::Database do
       subject { described_class.new }
 
       it "should default path to path" do
-        subject.path.should == described_class.path
+        expect(subject.path).to eq(described_class.path)
       end
     end
 
@@ -26,15 +66,15 @@ describe Bundler::Audit::Database do
       subject { described_class.new(path) }
 
       it "should set #path" do
-        subject.path.should == path
+        expect(subject.path).to eq(path)
       end
     end
 
     context "when given an invalid directory" do
       it "should raise an ArgumentError" do
-        lambda {
+        expect {
           described_class.new('/foo/bar/baz')
-        }.should raise_error(ArgumentError)
+        }.to raise_error(ArgumentError)
       end
     end
   end
@@ -55,27 +95,44 @@ describe Bundler::Audit::Database do
           advisories << advisory
         end
 
-        advisories.should_not be_empty
-        advisories.all? { |advisory|
+        expect(advisories).not_to be_empty
+        expect(advisories.all? { |advisory|
           advisory.kind_of?(Bundler::Audit::Advisory)
-        }.should be_true
+        }).to be_truthy
       end
     end
 
     context "when given no block" do
       it "should return an Enumerator" do
-        subject.check_gem(gem).should be_kind_of(Enumerable)
+        expect(subject.check_gem(gem)).to be_kind_of(Enumerable)
       end
     end
   end
 
   describe "#size" do
-    it { subject.size.should > 0 }
+    it { expect(subject.size).to eq vendored_advisories.count }
+  end
+
+  describe "#advisories" do
+    it "should return a list of all advisories." do
+      actual_advisories = Bundler::Audit::Database.new.
+        advisories.
+        map(&:path).
+        sort
+
+      expect(actual_advisories).to eq vendored_advisories
+    end
   end
 
   describe "#to_s" do
     it "should return the Database path" do
-      subject.to_s.should == subject.path
+      expect(subject.to_s).to eq(subject.path)
+    end
+  end
+
+  describe "#inspect" do
+    it "should produce a Ruby-ish instance descriptor" do
+      expect(Bundler::Audit::Database.new.inspect).to eq("#<Bundler::Audit::Database:#{Bundler::Audit::Database::VENDORED_PATH}>")
     end
   end
 end

data/spec/fixtures/not_a_hash.yml

@@ -0,0 +1,2 @@
+---
+"Just a string."

data/spec/integration_spec.rb

@@ -16,79 +16,20 @@ describe "CLI" do
     end
 
     it "should print a warning" do
-      subject.should include("Unpatched versions found!")
+      expect(subject).to include("Vulnerabilities found!")
     end
 
     it "should print advisory information for the vulnerable gems" do
-      expect = %{
-Name: actionmailer
-Version: 3.2.10
-Advisory: OSVDB-98629
-Criticality: Medium
-URL: http://www.osvdb.org/show/osvdb/98629
-Title: Action Mailer Gem for Ruby contains a possible DoS Vulnerability
-Solution: upgrade to >= 3.2.15
-
-Name: actionpack
-Version: 3.2.10
-Advisory: OSVDB-91452
-Criticality: Medium
-URL: http://www.osvdb.org/show/osvdb/91452
-Title: XSS vulnerability in sanitize_css in Action Pack
-Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-
-Name: actionpack
-Version: 3.2.10
-Advisory: OSVDB-91454
-Criticality: Medium
-URL: http://osvdb.org/show/osvdb/91454
-Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
-Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-
-Name: actionpack
-Version: 3.2.10
-Advisory: OSVDB-89026
-Criticality: High
-URL: http://osvdb.org/show/osvdb/89026
-Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
-Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-
-Name: activerecord
-Version: 3.2.10
-Advisory: OSVDB-91453
-Criticality: High
-URL: http://osvdb.org/show/osvdb/91453
-Title: Symbol DoS vulnerability in Active Record
-Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-
-Name: activerecord
-Version: 3.2.10
-Advisory: OSVDB-90072
-Criticality: Medium
-URL: http://direct.osvdb.org/show/osvdb/90072
-Title: Ruby on Rails Active Record attr_protected Method Bypass
-Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
-
-Name: activerecord
-Version: 3.2.10
-Advisory: OSVDB-89025
-Criticality: High
-URL: http://osvdb.org/show/osvdb/89025
-Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
-Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-
-Name: activesupport
-Version: 3.2.10
-Advisory: OSVDB-91451
-Criticality: High
-URL: http://www.osvdb.org/show/osvdb/91451
-Title: XML Parsing Vulnerability affecting JRuby users
-Solution: upgrade to ~> 3.1.12, >= 3.2.13
-
-Unpatched versions found!
-      }.strip.split "\n\n"
-
-      subject.strip.split("\n\n").should =~ expect
+      advisory_pattern = /(Name: [^\n]+
+Version: \d+.\d+.\d+
+Advisory: CVE-[0-9]{4}-[0-9]{4}
+Criticality: (High|Medium)
+URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+
+Title: [^\n]*?
+Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
+
+      expect(subject).to match(advisory_pattern)
+      expect(subject).to include("Vulnerabilities found!")
     end
   end
 
@@ -105,7 +46,7 @@ Unpatched versions found!
     end
 
     it "should not print advisory information for ignored gem" do
-      subject.should_not include("OSVDB-89026")
+      expect(subject).not_to include("OSVDB-89026")
     end
   end
 
@@ -118,7 +59,7 @@ Unpatched versions found!
     end
 
     it "should print warnings about insecure sources" do
-      subject.should include(%{
+      expect(subject).to include(%{
 Insecure Source URI found: git://github.com/rails/jquery-rails.git
 Insecure Source URI found: http://rubygems.org/
       }.strip)
@@ -134,7 +75,7 @@ Insecure Source URI found: http://rubygems.org/
     end
 
     it "should print nothing when everything is fine" do
-      subject.strip.should == "No unpatched versions found"
+      expect(subject.strip).to eq("No vulnerabilities found")
     end
   end
 end

data/spec/scanner_spec.rb

@@ -13,12 +13,12 @@ describe Scanner do
 
       subject.scan { |result| results << result }
 
-      results.should_not be_empty
+      expect(results).not_to be_empty
     end
 
     context "when not called with a block" do
       it "should return an Enumerator" do
-        subject.scan.should be_kind_of(Enumerable)
+        expect(subject.scan).to be_kind_of(Enumerable)
       end
     end
   end
@@ -31,9 +31,9 @@ describe Scanner do
     subject { scanner.scan.to_a }
 
     it "should match unpatched gems to their advisories" do
-      subject.all? { |result|
+      expect(subject.all? { |result|
         result.advisory.vulnerable?(result.gem.version)
-      }.should be_true
+      }).to be_truthy
     end
 
     context "when the :ignore option is given" do
@@ -42,7 +42,7 @@ describe Scanner do
       it "should ignore the specified advisories" do
         ids = subject.map { |result| result.advisory.id }
         
-        ids.should_not include('OSVDB-89026')
+        expect(ids).not_to include('OSVDB-89026')
       end
     end
   end
@@ -55,8 +55,8 @@ describe Scanner do
     subject { scanner.scan.to_a }
 
     it "should match unpatched gems to their advisories" do
-      subject[0].source.should == 'git://github.com/rails/jquery-rails.git'
-      subject[1].source.should == 'http://rubygems.org/'
+      expect(subject[0].source).to eq('git://github.com/rails/jquery-rails.git')
+      expect(subject[1].source).to eq('http://rubygems.org/')
     end
   end
 
@@ -68,7 +68,7 @@ describe Scanner do
     subject { scanner.scan.to_a }
 
     it "should print nothing when everything is fine" do
-      subject.should be_empty
+      expect(subject).to be_empty
     end
   end
 end

data/spec/spec_helper.rb

@@ -1,3 +1,6 @@
+require 'simplecov'
+SimpleCov.start
+
 require 'rspec'
 require 'bundler/audit/version'
 
@@ -13,6 +16,46 @@ module Helpers
   def decolorize(string)
     string.gsub(/\e\[\d+m/, "")
   end
+
+  def mocked_user_path
+    File.expand_path('../../tmp/ruby-advisory-db', __FILE__)
+  end
+
+  def expect_update_to_clone_repo!
+    expect(Bundler::Audit::Database).
+      to receive(:system).
+      with('git', 'clone', Bundler::Audit::Database::VENDORED_PATH, mocked_user_path).
+      and_call_original
+  end
+
+  def expect_update_to_update_repo!
+    expect(Bundler::Audit::Database).
+      to receive(:system).
+      with('git', 'pull', 'origin', 'master').
+      and_call_original
+  end
+
+  def fake_a_commit_in_the_user_repo
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'commit', '--allow-empty', '-m', 'Dummy commit.'
+    end
+  end
+
+  def roll_user_repo_back(num_commits)
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'reset', '--hard', "HEAD~#{num_commits}"
+    end
+  end
 end
 
 include Bundler::Audit
+
+RSpec.configure do |config|
+  include Helpers
+
+  config.before(:each) do
+    stub_const("Bundler::Audit::Database::URL", Bundler::Audit::Database::VENDORED_PATH)
+    stub_const("Bundler::Audit::Database::USER_PATH", mocked_user_path)
+    FileUtils.rm_rf(mocked_user_path) if File.exist?(mocked_user_path)
+  end
+end

metadata

@@ -1,27 +1,41 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Postmodern
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-01 00:00:00.000000000 Z
+date: 2015-06-30 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.18'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.18'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
 description: bundler-audit provides patch-level verification for Bundled apps.
@@ -34,12 +48,12 @@ extra_rdoc_files:
 - ChangeLog.md
 - README.md
 files:
-- .document
-- .gitignore
-- .gitmodules
-- .rspec
-- .travis.yml
-- .yardopts
+- ".document"
+- ".gitignore"
+- ".gitmodules"
+- ".rspec"
+- ".travis.yml"
+- ".yardopts"
 - COPYING.txt
 - ChangeLog.md
 - Gemfile
@@ -47,22 +61,7 @@ files:
 - Rakefile
 - bin/bundle-audit
 - bundler-audit.gemspec
-- gemspec.yml
-- lib/bundler/audit.rb
-- lib/bundler/audit/advisory.rb
-- lib/bundler/audit/cli.rb
-- lib/bundler/audit/database.rb
-- lib/bundler/audit/scanner.rb
-- lib/bundler/audit/version.rb
-- spec/advisory_spec.rb
-- spec/audit_spec.rb
-- spec/bundle/insecure_sources/Gemfile
-- spec/bundle/secure/Gemfile
-- spec/bundle/unpatched_gems/Gemfile
-- spec/database_spec.rb
-- spec/integration_spec.rb
-- spec/scanner_spec.rb
-- spec/spec_helper.rb
+- data/ruby-advisory-db.ts
 - data/ruby-advisory-db/.gitignore
 - data/ruby-advisory-db/.rspec
 - data/ruby-advisory-db/CONTRIBUTING.md
@@ -72,6 +71,13 @@ files:
 - data/ruby-advisory-db/README.md
 - data/ruby-advisory-db/Rakefile
 - data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml
@@ -79,6 +85,7 @@ files:
 - data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml
 - data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml
 - data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml
 - data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
@@ -89,6 +96,7 @@ files:
 - data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml
 - data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml
 - data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml
+- data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml
 - data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml
 - data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml
 - data/ruby-advisory-db/gems/crack/OSVDB-90742.yml
@@ -96,6 +104,8 @@ files:
 - data/ruby-advisory-db/gems/curl/OSVDB-91230.yml
 - data/ruby-advisory-db/gems/devise/OSVDB-89642.yml
 - data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml
+- data/ruby-advisory-db/gems/echor/OSVDB-102129.yml
+- data/ruby-advisory-db/gems/echor/OSVDB-102130.yml
 - data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml
 - data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml
 - data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml
@@ -105,8 +115,10 @@ files:
 - data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml
 - data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml
 - data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml
+- data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml
 - data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml
 - data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml
+- data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml
 - data/ruby-advisory-db/gems/json/OSVDB-90074.yml
 - data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml
 - data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml
@@ -119,26 +131,55 @@ files:
 - data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml
 - data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml
 - data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml
+- data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml
+- data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml
 - data/ruby-advisory-db/gems/nori/OSVDB-90196.yml
+- data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml
+- data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml
 - data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml
+- data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml
+- data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml
+- data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml
 - data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml
 - data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml
 - data/ruby-advisory-db/gems/rack/OSVDB-89939.yml
+- data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml
 - data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml
 - data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml
 - data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml
 - data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml
+- data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml
 - data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91216.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91217.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91218.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91219.yml
+- data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml
 - data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml
+- data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml
 - data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml
+- data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml
 - data/ruby-advisory-db/lib/scrape.rb
 - data/ruby-advisory-db/spec/advisory_example.rb
 - data/ruby-advisory-db/spec/gems_spec.rb
 - data/ruby-advisory-db/spec/spec_helper.rb
+- gemspec.yml
+- lib/bundler/audit.rb
+- lib/bundler/audit/advisory.rb
+- lib/bundler/audit/cli.rb
+- lib/bundler/audit/database.rb
+- lib/bundler/audit/scanner.rb
+- lib/bundler/audit/version.rb
+- spec/advisory_spec.rb
+- spec/audit_spec.rb
+- spec/bundle/insecure_sources/Gemfile
+- spec/bundle/secure/Gemfile
+- spec/bundle/unpatched_gems/Gemfile
+- spec/database_spec.rb
+- spec/fixtures/not_a_hash.yml
+- spec/integration_spec.rb
+- spec/scanner_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/rubysec/bundler-audit#readme
 licenses:
 - GPLv3
@@ -149,17 +190,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.8.0
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.12
+rubygems_version: 2.4.7
 signing_key: 
 specification_version: 4
 summary: Patch-level verification for Bundler