bundler-audit 0.3.1 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: eb1773e0d185dcc826b346744c13db1af6aaebab
-  data.tar.gz: 617a25945731a1f38563599b1fb715ff0f95a4d2
+SHA256:
+  metadata.gz: 966ad54c7aa972a1def015d74d836cfa2268970ef74ab064766c775ed5e9d2f8
+  data.tar.gz: c5d32686e71351ba9a3907a8a0b9d4b3ee0d3e695f3b69dd25c95dc92eb9c7df
 SHA512:
-  metadata.gz: 30ad678294da6ef14df9fac8b0d3bbcabaac517eb25c23a26efaeff8a9f01b34f458e3d10ef518ce720b9840362fce0506420064e56b15b1cfca724cae35dcc0
-  data.tar.gz: 7d4810f14c9bb158dba5a57fe5151dd9ff812c948c9919defbb291ee76a140def1e62ecaacd8daab3feb88e95a49fd0c1769c12269d301a6bd224f28b0f64bff
+  metadata.gz: 53e93bd363d19723be6b12ef095b0912e1781f0ae513bbad8bff5a0cc199ee57b1ac4abe5e003740c0d6d1a283738b0228b54472a3a1e2bd52d2af972b0cb9fd
+  data.tar.gz: 2636a1378516f65b291cf7132397d82e0270f511fa5a1cdb2419b2bf63b828807598f968642f5e2c41e0efb0e1011894223460123c7d76461703f2df26b2f87d

data/.gitignore

@@ -1,8 +1,10 @@
+.ruby-version
+.ruby-gemset
 Gemfile.lock
 doc/
 .yardoc/
+coverage/
 pkg/
-spec/bundle/*/Gemfile.lock
 spec/bundle/*/.bundle/
 vendor/bundle/
 tmp/

data/.travis.yml

@@ -1,5 +1,14 @@
+language: ruby
 rvm:
-  - 1.8.7
-  - 1.9.2
-  - 1.9.3
-  - 2.0.0
+  - 2.3
+  - 2.4
+  - 2.5
+  - 2.6
+  - 2.7
+  - jruby
+  - truffleruby
+
+matrix:
+  allow_failures:
+    - rvm: jruby
+    - rvm: truffleruby

data/ChangeLog.md

@@ -1,3 +1,55 @@
+### 0.7.0 / 2020-06-12
+
+* Require [thor] >= 0.18, < 2.
+* Added {Bundler::Audit::Advisory#ghsa} (@rschultheis).
+* Added {Bundler::Audit::Advisory#cvss_v3} (@ahamlin-nr).
+* Added {Bundler::Audit::Advisory#identifiers} (@rschultheis).
+* Updated {Bundler::Audit::Advisory#criticality} ranges (@reedlonden).
+* Avoid rebasing the ruby-advisory-db when updating (@nicknovitski).
+* Fixed issue with Bundler 2.x where source URIs are no longer parsed as
+  `URI::HTTP` objects, but as `Bundler::URI::HTTP` objects. (@milgner)
+
+### 0.6.1 / 2019-01-17
+
+* Require bundler `>= 1.2.0, < 3` to support [bundler] 2.0.
+
+### 0.6.0 / 2017-07-18
+
+* Added `--quiet` option to `check` and `update` commands (@jaredbeck).
+* Added `bin/bundler-audit` which will be executed when `bundle audit` is ran
+  (@vassilevsky).
+
+### 0.5.0 / 2016-02-28
+
+* Added {Bundler::Audit::Task}.
+* Added {Bundler::Audit::Advisory#date}.
+* Added {Bundler::Audit::Advisory#cve_id}.
+* Added {Bundler::Audit::Advisory#osvdb_id}.
+* Allow insecure gem sources (`http://` and `git://`), if they are hosted on a
+  private network.
+
+#### CLI
+
+* Added the `--update` option to `bundle-audit check`.
+* `bundle-audit update` now returns a non-zero exit status on error.
+* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
+  repository.
+
+### 0.4.0 / 2015-06-30
+
+* Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
+* Added {Bundler::Audit::Advisory#osvdb}.
+* Resolve the IP addresses of gem sources and ignore intranet gem sources.
+  (PR #90)
+* Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
+  (PR #92)
+
+#### CLI
+
+* Print the CVE or OSVDB id.
+* No longer print "Unpatched versions found!" when an insecure gem source
+  is detected. (PR #84)
+
 ### 0.3.1 / 2014-04-20
 
 * Added thor ~> 0.18 as a dependency.
@@ -85,4 +137,5 @@
 * [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
 
 [bundler]: http://gembundler.com/
+[thor]: http://whatisthor.com/
 [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme

data/Gemfile

@@ -3,10 +3,11 @@ source 'https://rubygems.org/'
 gemspec
 
 group :development do
-  gem 'rake',           '~> 10.0'
+  gem 'rake'
   gem 'kramdown',       '~> 0.14'
 
   gem 'rubygems-tasks', '~> 0.2'
-  gem 'rspec',          '~> 2.4'
-  gem 'yard',           '~> 0.8'
+  gem 'rspec',          '~> 3.0'
+  gem 'yard',           '~> 0.9'
+  gem 'simplecov',      '~> 0.7', :require => false
 end

data/README.md

@@ -1,15 +1,15 @@
 # bundler-audit
+[![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg?branch=master)](https://travis-ci.org/rubysec/bundler-audit)
+[![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
 
 * [Homepage](https://github.com/rubysec/bundler-audit#readme)
 * [Issues](https://github.com/rubysec/bundler-audit/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
-* [Email](mailto:rubysec.mod3 at gmail.com)
-* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.png)](https://travis-ci.org/rubysec/bundler-audit)
-* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.png)](https://codeclimate.com/github/rubysec/bundler-audit)
+* [Email](mailto:postmodern.mod3 at gmail.com)
 
 ## Description
 
-Patch-level verification for [Bundler][bundler].
+Patch-level verification for [bundler].
 
 ## Features
 
@@ -21,7 +21,7 @@ Patch-level verification for [Bundler][bundler].
 
 ## Synopsis
 
-Audit a projects `Gemfile.lock`:
+Audit a project's `Gemfile.lock`:
 
     $ bundle-audit
     Name: actionpack
@@ -31,7 +31,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://www.osvdb.org/show/osvdb/91452
     Title: XSS vulnerability in sanitize_css in Action Pack
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-    
+
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-91454
@@ -39,7 +39,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/91454
     Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-    
+
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-89026
@@ -47,7 +47,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/89026
     Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
     Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-    
+
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-91453
@@ -55,7 +55,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/91453
     Title: Symbol DoS vulnerability in Active Record
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-    
+
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-90072
@@ -63,7 +63,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://direct.osvdb.org/show/osvdb/90072
     Title: Ruby on Rails Active Record attr_protected Method Bypass
     Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
-    
+
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-89025
@@ -71,7 +71,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/89025
     Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
     Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-    
+
     Name: activesupport
     Version: 3.2.10
     Advisory: OSVDB-91451
@@ -79,10 +79,10 @@ Audit a projects `Gemfile.lock`:
     URL: http://www.osvdb.org/show/osvdb/91451
     Title: XML Parsing Vulnerability affecting JRuby users
     Solution: upgrade to ~> 3.1.12, >= 3.2.13
-    
+
     Unpatched versions found!
 
-Update the [ruby-advisory-db] that `bundle-audit` uses:
+Update the [ruby-advisory-db] that `bundle audit` uses:
 
     $ bundle-audit update
     Updating ruby-advisory-db ...
@@ -108,19 +108,43 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
      create mode 100644 gems/wicked/OSVDB-98270.yml
     ruby-advisory-db: 64 advisories
 
+Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
+
+    $ bundle-audit check --update
+
+Ignore specific advisories:
+
+    $ bundle-audit check --ignore OSVDB-108664
+
+Rake task:
+
+```ruby
+require 'bundler/audit/task'
+Bundler::Audit::Task.new
+
+task default: 'bundle:audit'
+```
+
 ## Requirements
 
-* [RubyGems] >= 1.8
-* [thor] ~> 0.18
+* [ruby] >= 1.9.3
+* [rubygems] >= 1.8
+* [thor] >= 0.18, < 2
 * [bundler] ~> 1.2
 
 ## Install
 
-    $ gem install bundler-audit
+    $ [sudo] gem install bundler-audit
+
+## Contributing
+
+1. Clone the repo
+2. `git submodule update --init` # To populate data/ruby-advisory-db
+3. `bundle exec rake`
 
 ## License
 
-Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -135,8 +159,10 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 
-[RubyGems]: https://rubygems.org
+[ruby]: https://ruby-lang.org
+[rubygems]: https://rubygems.org
 [thor]: http://whatisthor.com/
 [bundler]: https://github.com/carlhuda/bundler#readme
 
 [OSVDB]: http://osvdb.org/
+[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db

data/Rakefile

@@ -3,19 +3,9 @@
 require 'rubygems'
 
 begin
-  require 'bundler'
+  require 'bundler/setup'
 rescue LoadError => e
-  warn e.message
-  warn "Run `gem install bundler` to install Bundler."
-  exit -1
-end
-
-begin
-  Bundler.setup(:development)
-rescue Bundler::BundlerError => e
-  warn e.message
-  warn "Run `bundle install` to install missing gems."
-  exit e.status_code
+  abort e.message
 end
 
 require 'rake'
@@ -33,7 +23,7 @@ namespace :db do
       sh 'git', 'pull', 'origin', 'master'
 
       File.open('../ruby-advisory-db.ts','w') do |file|
-        file.write Time.parse(`git log --pretty="%cd" -1`).utc
+        file.write Time.parse(`git log --date=iso8601 --pretty="%cd" -1`).utc
       end
     end
 
@@ -46,18 +36,20 @@ end
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new
 
-namespace :spec do
-  task :bundle do
-    root = 'spec/bundle'
+%w[secure unpatched_gems insecure_sources].each do |bundle|
+  bundle_dir   = File.join('spec/bundle',bundle)
+  gemfile      = File.join(bundle_dir,'Gemfile')
+  gemfile_lock = File.join(bundle_dir,'Gemfile.lock')
 
-    %w[secure unpatched_gems insecure_sources].each do |bundle|
-      chdir(File.join(root,bundle)) do
-        sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
-      end
+  file gemfile_lock => gemfile do
+    chdir(bundle_dir) do
+      sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
     end
   end
+
+  desc "Generates the spec/bundler/*/Gemfile.lock files"
+  task 'spec:bundle' => gemfile_lock
 end
-task :spec => 'spec:bundle'
 
 task :test    => :spec
 task :default => :spec

data/bin/bundler-audit

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+
+load File.expand_path('../bundle-audit', __FILE__)

data/data/ruby-advisory-db.ts

@@ -1 +1 @@
-2014-02-11 00:45:58 UTC
+2020-06-05 17:45:49 UTC

data/gemspec.yml

@@ -1,13 +1,14 @@
 name: bundler-audit
 summary: Patch-level verification for Bundler
 description: bundler-audit provides patch-level verification for Bundled apps.
-license: GPLv3
+license: GPL-3.0+
 authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme
 
+required_ruby_version: ">= 1.9.3"
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
-  thor: ~> 0.18
-  bundler: ~> 1.2
+  thor: ">= 0.18, < 2"
+  bundler: ">= 1.2.0, < 3"

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -23,8 +23,13 @@ module Bundler
                                 :id,
                                 :url,
                                 :title,
+                                :date,
                                 :description,
                                 :cvss_v2,
+                                :cvss_v3,
+                                :cve,
+                                :osvdb,
+                                :ghsa,
                                 :unaffected_versions,
                                 :patched_versions)
 
@@ -57,24 +62,83 @@ module Bundler
           id,
           data['url'],
           data['title'],
+          data['date'],
           data['description'],
           data['cvss_v2'],
+          data['cvss_v3'],
+          data['cve'],
+          data['osvdb'],
+          data['ghsa'],
           parse_versions[data['unaffected_versions']],
           parse_versions[data['patched_versions']]
         )
       end
 
+      #
+      # The CVE identifier.
+      #
+      # @return [String, nil]
+      #
+      def cve_id
+        "CVE-#{cve}" if cve
+      end
+
+      #
+      # The OSVDB identifier.
+      #
+      # @return [String, nil]
+      #
+      def osvdb_id
+        "OSVDB-#{osvdb}" if osvdb
+      end
+
+      #
+      # The GHSA (GitHub Security Advisory) identifier
+      #
+      # @return [String, nil]
+      #
+      # @since 0.7.0
+      #
+      def ghsa_id
+        "GHSA-#{ghsa}" if ghsa
+      end
+
+      #
+      # Return a compacted list of all ids
+      #
+      # @return [Array<String>]
+      #
+      # @since 0.7.0
+      #
+      def identifiers
+        [
+          cve_id,
+          osvdb_id,
+          ghsa_id
+        ].compact
+      end
+
       #
       # Determines how critical the vulnerability is.
       #
-      # @return [:low, :medium, :high]
-      #   The criticality of the vulnerability based on the CVSSv2 score.
+      # @return [:none, :low, :medium, :high, :critical]
+      #   The criticality of the vulnerability based on the CVSS score.
       #
       def criticality
-        case cvss_v2
-        when 0.0..3.3  then :low
-        when 3.3..6.6  then :medium
-        when 6.6..10.0 then :high
+        if cvss_v3
+          case cvss_v3
+          when 0.0       then :none
+          when 0.1..3.9  then :low
+          when 4.0..6.9  then :medium
+          when 7.0..8.9  then :high
+          when 9.0..10.0 then :critical
+          end
+        elsif cvss_v2
+          case cvss_v2
+          when 0.0..3.9  then :low
+          when 4.0..6.9  then :medium
+          when 7.0..10.0 then :high
+          end
         end
       end