bundler-audit 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: eb1773e0d185dcc826b346744c13db1af6aaebab
-  data.tar.gz: 617a25945731a1f38563599b1fb715ff0f95a4d2
+  metadata.gz: 9660b06fce10c2532f0c7aaa5fef6ca2d5c99067
+  data.tar.gz: 751d7e542727defa267b6d8abf2ad0b3f391ab70
 SHA512:
-  metadata.gz: 30ad678294da6ef14df9fac8b0d3bbcabaac517eb25c23a26efaeff8a9f01b34f458e3d10ef518ce720b9840362fce0506420064e56b15b1cfca724cae35dcc0
-  data.tar.gz: 7d4810f14c9bb158dba5a57fe5151dd9ff812c948c9919defbb291ee76a140def1e62ecaacd8daab3feb88e95a49fd0c1769c12269d301a6bd224f28b0f64bff
+  metadata.gz: 2a3cb90acc0cecc82ee931fedd43ab4d0439fd2436bc29563a45a4a328862c9038f243f7bff68a9e394bb0c12fee6f83b1496347187783b3a6d972435169dbf3
+  data.tar.gz: 89a771db86e3baf43430b5448bee5664e1b73f017fed9c48756ea8a58f6f4515c761d4c46333a93e9bcde71e3c6777271ec799a933d5662a76df9504a29dd09d

data/.gitignore

@@ -1,6 +1,9 @@
+.ruby-version
+.ruby-gemset
 Gemfile.lock
 doc/
 .yardoc/
+coverage/
 pkg/
 spec/bundle/*/Gemfile.lock
 spec/bundle/*/.bundle/

data/.travis.yml

@@ -1,5 +1,7 @@
 rvm:
-  - 1.8.7
-  - 1.9.2
   - 1.9.3
-  - 2.0.0
+  - 2.0
+  - 2.1
+  - 2.2
+before_install:
+  - gem install rspec

data/ChangeLog.md

@@ -1,3 +1,18 @@
+### 0.4.0 / 2015-06-30
+
+* Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
+* Added {Bundler::Audit::Advisory#osvdb}.
+* Resolve the IP addresses of gem sources and ignore intranet gem sources.
+  (PR #90)
+* Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
+  (PR #92)
+
+#### CLI
+
+* Print the CVE or OSVDB id.
+* No longer print "Unpatched versions found!" when an insecure gem source
+  is detected. (PR #84)
+
 ### 0.3.1 / 2014-04-20
 
 * Added thor ~> 0.18 as a dependency.

data/Gemfile

@@ -7,6 +7,7 @@ group :development do
   gem 'kramdown',       '~> 0.14'
 
   gem 'rubygems-tasks', '~> 0.2'
-  gem 'rspec',          '~> 2.4'
+  gem 'rspec',          '~> 3.0'
   gem 'yard',           '~> 0.8'
+  gem 'simplecov',      '~> 0.7', :require => false
 end

data/README.md

@@ -108,8 +108,13 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
      create mode 100644 gems/wicked/OSVDB-98270.yml
     ruby-advisory-db: 64 advisories
 
+Ignore specific advisories:
+
+    $ bundle-audit check --ignore OSVDB-108664
+
 ## Requirements
 
+* [Ruby] >= 1.9.3
 * [RubyGems] >= 1.8
 * [thor] ~> 0.18
 * [bundler] ~> 1.2
@@ -120,7 +125,7 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
 
 ## License
 
-Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -135,8 +140,10 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 
+[Ruby]: https://ruby-lang.org
 [RubyGems]: https://rubygems.org
 [thor]: http://whatisthor.com/
 [bundler]: https://github.com/carlhuda/bundler#readme
 
 [OSVDB]: http://osvdb.org/
+[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db

data/Rakefile

@@ -3,19 +3,9 @@
 require 'rubygems'
 
 begin
-  require 'bundler'
+  require 'bundler/setup'
 rescue LoadError => e
-  warn e.message
-  warn "Run `gem install bundler` to install Bundler."
-  exit -1
-end
-
-begin
-  Bundler.setup(:development)
-rescue Bundler::BundlerError => e
-  warn e.message
-  warn "Run `bundle install` to install missing gems."
-  exit e.status_code
+  abort e.message
 end
 
 require 'rake'
@@ -52,7 +42,7 @@ namespace :spec do
 
     %w[secure unpatched_gems insecure_sources].each do |bundle|
       chdir(File.join(root,bundle)) do
-        sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
+        sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
       end
     end
   end

data/gemspec.yml

@@ -6,6 +6,7 @@ authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme
 
+required_ruby_version: ">= 1.9.3"
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -25,6 +25,8 @@ module Bundler
                                 :title,
                                 :description,
                                 :cvss_v2,
+                                :cve,
+                                :osvdb,
                                 :unaffected_versions,
                                 :patched_versions)
 
@@ -59,6 +61,8 @@ module Bundler
           data['title'],
           data['description'],
           data['cvss_v2'],
+          data['cve'],
+          data['osvdb'],
           parse_versions[data['unaffected_versions']],
           parse_versions[data['patched_versions']]
         )

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -49,10 +49,10 @@ module Bundler
         end
 
         if vulnerable
-          say "Unpatched versions found!", :red
+          say "Vulnerabilities found!", :red
           exit 1
         else
-          say "No unpatched versions found", :green
+          say "No vulnerabilities found", :green
         end
       end
 
@@ -90,7 +90,12 @@ module Bundler
         say gem.version
 
         say "Advisory: ", :red
-        say advisory.id
+
+        if advisory.cve
+          say "CVE-#{advisory.cve}"
+        elsif advisory.osvdb
+          say advisory.osvdb
+        end
 
         say "Criticality: ", :red
         case advisory.criticality

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -68,7 +68,7 @@ module Bundler
       #
       def self.path
         if File.directory?(USER_PATH)
-          t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --pretty="%cd" -1`) }
+          t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --date=iso8601 --pretty="%cd" -1`) }
           t2 = VENDORED_TIMESTAMP
 
           if t1 >= t2 then USER_PATH

data/lib/bundler/audit/scanner.rb

@@ -2,7 +2,10 @@ require 'bundler'
 require 'bundler/audit/database'
 require 'bundler/lockfile_parser'
 
+require 'ipaddr'
+require 'resolv'
 require 'set'
+require 'uri'
 
 module Bundler
   module Audit
@@ -59,17 +62,46 @@ module Bundler
       # @return [Enumerator]
       #   If no block is given, an Enumerator will be returned.
       #
-      def scan(options={})
-        return enum_for(__method__,options) unless block_given?
+      def scan(options={},&block)
+        return enum_for(__method__,options) unless block
 
         ignore = Set[]
         ignore += options[:ignore] if options[:ignore]
 
+        scan_sources(options,&block)
+        scan_specs(options,&block)
+
+        return self
+      end
+
+      #
+      # Scans the gem sources in the lockfile.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [InsecureSource] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      # @api semipublic
+      #
+      # @since 0.4.0
+      #
+      def scan_sources(options={})
+        return enum_for(__method__,options) unless block_given?
+
         @lockfile.sources.map do |source|
           case source
           when Source::Git
             case source.uri
             when /^git:/, /^http:/
+              next if internal_host?(source.uri)
               yield InsecureSource.new(source.uri)
             end
           when Source::Rubygems
@@ -80,6 +112,35 @@ module Bundler
             end
           end
         end
+      end
+
+      #
+      # Scans the gem sources in the lockfile.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      # @api semipublic
+      #
+      # @since 0.4.0
+      #
+      def scan_specs(options={})
+        return enum_for(__method__,options) unless block_given?
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
 
         @lockfile.specs.each do |gem|
           @database.check_gem(gem) do |advisory|
@@ -88,10 +149,47 @@ module Bundler
             end
           end
         end
+      end
 
-        return self
+      private
+
+      #
+      # Determines whether a URI is internal.
+      #
+      # @param [String] uri
+      #   The source URI.
+      #
+      # @return [Boolean]
+      #
+      def internal_host?(uri)
+        return unless host = URI.parse(uri).host
+        Resolv.getaddresses(host).all? { |ip| internal_ip?(ip) }
+      rescue URI::Error
+        false
       end
 
+      # List of internal IP address ranges.
+      #
+      # @see https://tools.ietf.org/html/rfc1918#section-3
+      # @see https://tools.ietf.org/html/rfc4193#section-8
+      INTERNAL_SUBNETS = %w[
+        10.0.0.0/8
+        172.16.0.0/12
+        192.168.0.0/16
+        fc00::/7
+      ].map(&IPAddr.method(:new))
+
+      #
+      # Determines whether an IP is internal.
+      #
+      # @param [String] ip
+      #   The IPv4/IPv6 address.
+      #
+      # @return [Boolean]
+      #
+      def internal_ip?(ip)
+        INTERNAL_SUBNETS.any? { |subnet| subnet.include?(ip) }
+      end
     end
   end
 end

data/lib/bundler/audit/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.3.1'
+    VERSION = '0.4.0'
   end
 end

data/spec/advisory_spec.rb

@@ -29,11 +29,30 @@ describe Bundler::Audit::Advisory do
 
     subject { described_class.load(path) }
 
-    its(:id)          { should == id                  }
-    its(:url)         { should == data['url']         }
-    its(:title)       { should == data['title']       }
-    its(:cvss_v2)     { should == data['cvss_v2']     }
-    its(:description) { should == data['description'] }
+    describe '#id' do
+      subject { super().id }
+      it { is_expected.to eq(id)                  }
+    end
+
+    describe '#url' do
+      subject { super().url }
+      it { is_expected.to eq(data['url'])         }
+    end
+
+    describe '#title' do
+      subject { super().title }
+      it { is_expected.to eq(data['title'])       }
+    end
+
+    describe '#cvss_v2' do
+      subject { super().cvss_v2 }
+      it { is_expected.to eq(data['cvss_v2'])     }
+    end
+
+    describe '#description' do
+      subject { super().description }
+      it { is_expected.to eq(data['description']) }
+    end
 
     context "YAML data not representing a hash" do
       it "should raise an exception" do
@@ -48,34 +67,41 @@ describe Bundler::Audit::Advisory do
       subject { described_class.load(path).patched_versions }
 
       it "should all be Gem::Requirement objects" do
-        subject.all? { |version|
-          version.should be_kind_of(Gem::Requirement)
-        }.should be_true
+        expect(subject.all? { |version|
+          expect(version).to be_kind_of(Gem::Requirement)
+        }).to be_truthy
       end
 
       it "should parse the versions" do
-        subject.map(&:to_s).should == data['patched_versions']
+        expect(subject.map(&:to_s)).to eq(data['patched_versions'])
       end
     end
   end
 
   describe "#criticality" do
     context "when cvss_v2 is between 0.0 and 3.3" do
-      before { subject.stub(:cvss_v2).and_return(3.3) }
-
-      its(:criticality) { should == :low }
+      before {
+        @advisory = Advisory.new
+        @advisory.cvss_v2 = 3.3
+      }
+      it { expect(@advisory.criticality).to eq(:low) }
     end
 
     context "when cvss_v2 is between 3.3 and 6.6" do
-      before { subject.stub(:cvss_v2).and_return(6.6) }
+      before {
+        @advisory = Advisory.new
+        @advisory.cvss_v2 = 6.6
+      }
+      it { expect(@advisory.criticality).to eq(:medium) }
 
-      its(:criticality) { should == :medium }
     end
 
     context "when cvss_v2 is between 6.6 and 10.0" do
-      before { subject.stub(:cvss_v2).and_return(10.0) }
-
-      its(:criticality) { should == :high }
+     before {
+        @advisory = Advisory.new
+        @advisory.cvss_v2 = 10.0
+      }
+      it { expect(@advisory.criticality).to eq(:high) }
     end
   end
 
@@ -86,7 +112,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new(an_unaffected_version) }
 
       it "should return true" do
-        subject.unaffected?(version).should be_true
+        expect(subject.unaffected?(version)).to be_truthy
       end
     end
 
@@ -94,7 +120,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('3.0.9') }
 
       it "should return false" do
-        subject.unaffected?(version).should be_false
+        expect(subject.unaffected?(version)).to be_falsey
       end
     end
   end
@@ -106,7 +132,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('3.1.11') }
 
       it "should return true" do
-        subject.patched?(version).should be_true
+        expect(subject.patched?(version)).to be_truthy
       end
     end
 
@@ -114,7 +140,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return false" do
-        subject.patched?(version).should be_false
+        expect(subject.patched?(version)).to be_falsey
       end
     end
   end
@@ -126,7 +152,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('3.1.11') }
 
       it "should return false" do
-        subject.vulnerable?(version).should be_false
+        expect(subject.vulnerable?(version)).to be_falsey
       end
     end
 
@@ -134,7 +160,7 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return true" do
-        subject.vulnerable?(version).should be_true
+        expect(subject.vulnerable?(version)).to be_truthy
       end
 
       context "when unaffected_versions is not empty" do
@@ -144,7 +170,7 @@ describe Bundler::Audit::Advisory do
           let(:version) { Gem::Version.new(an_unaffected_version) }
 
           it "should return false" do
-            subject.vulnerable?(version).should be_false
+            expect(subject.vulnerable?(version)).to be_falsey
           end
         end
 
@@ -152,7 +178,7 @@ describe Bundler::Audit::Advisory do
           let(:version) { Gem::Version.new('1.2.3') }
 
           it "should return true" do
-            subject.vulnerable?(version).should be_true
+            expect(subject.vulnerable?(version)).to be_truthy
           end
         end
       end

data/spec/audit_spec.rb

@@ -3,6 +3,6 @@ require 'bundler/audit'
 
 describe Bundler::Audit do
   it "should have a VERSION constant" do
-    subject.const_get('VERSION').should_not be_empty
+    expect(subject.const_get('VERSION')).not_to be_empty
   end
 end

data/spec/bundle/insecure_sources/Gemfile

@@ -5,7 +5,7 @@ gem 'rails', '3.2.12'
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
 
-gem 'sqlite3'
+gem 'sqlite3', platform: [:mri, :rbx]
 
 
 # Gems used only for assets and not required

data/spec/bundle/secure/Gemfile

@@ -5,7 +5,7 @@ gem 'rails', '~> 3.2.17'
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
 
-gem 'sqlite3'
+gem 'sqlite3', platform: [:mri, :rbx]
 
 
 # Gems used only for assets and not required

data/spec/bundle/unpatched_gems/Gemfile

@@ -5,7 +5,7 @@ gem 'rails', '3.2.10'
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
 
-gem 'sqlite3'
+gem 'sqlite3', platform: [:mri, :rbx]
 
 
 # Gems used only for assets and not required

data/spec/database_spec.rb

@@ -11,7 +11,7 @@ describe Bundler::Audit::Database do
     subject { described_class.path }
 
     it "it should be a directory" do
-      File.directory?(subject).should be_true
+      expect(File.directory?(subject)).to be_truthy
     end
 
     it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
@@ -56,7 +56,7 @@ describe Bundler::Audit::Database do
       subject { described_class.new }
 
       it "should default path to path" do
-        subject.path.should == described_class.path
+        expect(subject.path).to eq(described_class.path)
       end
     end
 
@@ -66,15 +66,15 @@ describe Bundler::Audit::Database do
       subject { described_class.new(path) }
 
       it "should set #path" do
-        subject.path.should == path
+        expect(subject.path).to eq(path)
       end
     end
 
     context "when given an invalid directory" do
       it "should raise an ArgumentError" do
-        lambda {
+        expect {
           described_class.new('/foo/bar/baz')
-        }.should raise_error(ArgumentError)
+        }.to raise_error(ArgumentError)
       end
     end
   end
@@ -95,16 +95,16 @@ describe Bundler::Audit::Database do
           advisories << advisory
         end
 
-        advisories.should_not be_empty
-        advisories.all? { |advisory|
+        expect(advisories).not_to be_empty
+        expect(advisories.all? { |advisory|
           advisory.kind_of?(Bundler::Audit::Advisory)
-        }.should be_true
+        }).to be_truthy
       end
     end
 
     context "when given no block" do
       it "should return an Enumerator" do
-        subject.check_gem(gem).should be_kind_of(Enumerable)
+        expect(subject.check_gem(gem)).to be_kind_of(Enumerable)
       end
     end
   end
@@ -126,7 +126,7 @@ describe Bundler::Audit::Database do
 
   describe "#to_s" do
     it "should return the Database path" do
-      subject.to_s.should == subject.path
+      expect(subject.to_s).to eq(subject.path)
     end
   end
 

data/spec/integration_spec.rb

@@ -16,20 +16,20 @@ describe "CLI" do
     end
 
     it "should print a warning" do
-      subject.should include("Unpatched versions found!")
+      expect(subject).to include("Vulnerabilities found!")
     end
 
     it "should print advisory information for the vulnerable gems" do
       advisory_pattern = /(Name: [^\n]+
 Version: \d+.\d+.\d+
-Advisory: OSVDB-\d+
+Advisory: CVE-[0-9]{4}-[0-9]{4}
 Criticality: (High|Medium)
 URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+
 Title: [^\n]*?
 Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
 
       expect(subject).to match(advisory_pattern)
-      expect(subject).to include("Unpatched versions found!")
+      expect(subject).to include("Vulnerabilities found!")
     end
   end
 
@@ -46,7 +46,7 @@ Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
     end
 
     it "should not print advisory information for ignored gem" do
-      subject.should_not include("OSVDB-89026")
+      expect(subject).not_to include("OSVDB-89026")
     end
   end
 
@@ -59,7 +59,7 @@ Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
     end
 
     it "should print warnings about insecure sources" do
-      subject.should include(%{
+      expect(subject).to include(%{
 Insecure Source URI found: git://github.com/rails/jquery-rails.git
 Insecure Source URI found: http://rubygems.org/
       }.strip)
@@ -75,7 +75,7 @@ Insecure Source URI found: http://rubygems.org/
     end
 
     it "should print nothing when everything is fine" do
-      subject.strip.should == "No unpatched versions found"
+      expect(subject.strip).to eq("No vulnerabilities found")
     end
   end
 end

data/spec/scanner_spec.rb

@@ -13,12 +13,12 @@ describe Scanner do
 
       subject.scan { |result| results << result }
 
-      results.should_not be_empty
+      expect(results).not_to be_empty
     end
 
     context "when not called with a block" do
       it "should return an Enumerator" do
-        subject.scan.should be_kind_of(Enumerable)
+        expect(subject.scan).to be_kind_of(Enumerable)
       end
     end
   end
@@ -31,9 +31,9 @@ describe Scanner do
     subject { scanner.scan.to_a }
 
     it "should match unpatched gems to their advisories" do
-      subject.all? { |result|
+      expect(subject.all? { |result|
         result.advisory.vulnerable?(result.gem.version)
-      }.should be_true
+      }).to be_truthy
     end
 
     context "when the :ignore option is given" do
@@ -42,7 +42,7 @@ describe Scanner do
       it "should ignore the specified advisories" do
         ids = subject.map { |result| result.advisory.id }
         
-        ids.should_not include('OSVDB-89026')
+        expect(ids).not_to include('OSVDB-89026')
       end
     end
   end
@@ -55,8 +55,8 @@ describe Scanner do
     subject { scanner.scan.to_a }
 
     it "should match unpatched gems to their advisories" do
-      subject[0].source.should == 'git://github.com/rails/jquery-rails.git'
-      subject[1].source.should == 'http://rubygems.org/'
+      expect(subject[0].source).to eq('git://github.com/rails/jquery-rails.git')
+      expect(subject[1].source).to eq('http://rubygems.org/')
     end
   end
 
@@ -68,7 +68,7 @@ describe Scanner do
     subject { scanner.scan.to_a }
 
     it "should print nothing when everything is fine" do
-      subject.should be_empty
+      expect(subject).to be_empty
     end
   end
 end

data/spec/spec_helper.rb

@@ -1,3 +1,6 @@
+require 'simplecov'
+SimpleCov.start
+
 require 'rspec'
 require 'bundler/audit/version'
 
@@ -19,15 +22,15 @@ module Helpers
   end
 
   def expect_update_to_clone_repo!
-    Bundler::Audit::Database.
-      should_receive(:system).
+    expect(Bundler::Audit::Database).
+      to receive(:system).
       with('git', 'clone', Bundler::Audit::Database::VENDORED_PATH, mocked_user_path).
       and_call_original
   end
 
   def expect_update_to_update_repo!
-    Bundler::Audit::Database.
-      should_receive(:system).
+    expect(Bundler::Audit::Database).
+      to receive(:system).
       with('git', 'pull', 'origin', 'master').
       and_call_original
   end

metadata

@@ -1,41 +1,41 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Postmodern
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-04-20 00:00:00.000000000 Z
+date: 2015-06-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.18'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.18'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
 description: bundler-audit provides patch-level verification for Bundled apps.
@@ -48,12 +48,12 @@ extra_rdoc_files:
 - ChangeLog.md
 - README.md
 files:
-- .document
-- .gitignore
-- .gitmodules
-- .rspec
-- .travis.yml
-- .yardopts
+- ".document"
+- ".gitignore"
+- ".gitmodules"
+- ".rspec"
+- ".travis.yml"
+- ".yardopts"
 - COPYING.txt
 - ChangeLog.md
 - Gemfile
@@ -62,23 +62,6 @@ files:
 - bin/bundle-audit
 - bundler-audit.gemspec
 - data/ruby-advisory-db.ts
-- gemspec.yml
-- lib/bundler/audit.rb
-- lib/bundler/audit/advisory.rb
-- lib/bundler/audit/cli.rb
-- lib/bundler/audit/database.rb
-- lib/bundler/audit/scanner.rb
-- lib/bundler/audit/version.rb
-- spec/advisory_spec.rb
-- spec/audit_spec.rb
-- spec/bundle/insecure_sources/Gemfile
-- spec/bundle/secure/Gemfile
-- spec/bundle/unpatched_gems/Gemfile
-- spec/database_spec.rb
-- spec/fixtures/not_a_hash.yml
-- spec/integration_spec.rb
-- spec/scanner_spec.rb
-- spec/spec_helper.rb
 - data/ruby-advisory-db/.gitignore
 - data/ruby-advisory-db/.rspec
 - data/ruby-advisory-db/CONTRIBUTING.md
@@ -180,6 +163,23 @@ files:
 - data/ruby-advisory-db/spec/advisory_example.rb
 - data/ruby-advisory-db/spec/gems_spec.rb
 - data/ruby-advisory-db/spec/spec_helper.rb
+- gemspec.yml
+- lib/bundler/audit.rb
+- lib/bundler/audit/advisory.rb
+- lib/bundler/audit/cli.rb
+- lib/bundler/audit/database.rb
+- lib/bundler/audit/scanner.rb
+- lib/bundler/audit/version.rb
+- spec/advisory_spec.rb
+- spec/audit_spec.rb
+- spec/bundle/insecure_sources/Gemfile
+- spec/bundle/secure/Gemfile
+- spec/bundle/unpatched_gems/Gemfile
+- spec/database_spec.rb
+- spec/fixtures/not_a_hash.yml
+- spec/integration_spec.rb
+- spec/scanner_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/rubysec/bundler-audit#readme
 licenses:
 - GPLv3
@@ -190,17 +190,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.8.0
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 2.4.7
 signing_key: 
 specification_version: 4
 summary: Patch-level verification for Bundler