bundler-audit 0.3.1 → 0.7.0
- checksums.yaml +5 -5
- data/.gitignore +3 -1
- data/.travis.yml +13 -4
- data/ChangeLog.md +53 -0
- data/Gemfile +4 -3
- data/README.md +44 -18
- data/Rakefile +13 -21
- data/bin/bundler-audit +3 -0
- data/data/ruby-advisory-db.ts +1 -1
- data/gemspec.yml +4 -3
- data/lib/bundler/audit.rb +1 -1
- data/lib/bundler/audit/advisory.rb +71 -7
- data/lib/bundler/audit/cli.rb +41 -11
- data/lib/bundler/audit/database.rb +29 -7
- data/lib/bundler/audit/scanner.rb +126 -10
- data/lib/bundler/audit/task.rb +31 -0
- data/lib/bundler/audit/version.rb +2 -2
- data/spec/advisory_spec.rb +211 -35
- data/spec/audit_spec.rb +1 -1
- data/spec/bundle/insecure_sources/Gemfile +2 -37
- data/spec/bundle/secure/Gemfile +2 -36
- data/spec/bundle/unpatched_gems/Gemfile +1 -36
- data/spec/cli_spec.rb +126 -0
- data/spec/database_spec.rb +51 -25
- data/spec/integration_spec.rb +35 -13
- data/spec/scanner_spec.rb +11 -10
- data/spec/spec_helper.rb +9 -17
- metadata +38 -121
- data/data/ruby-advisory-db/.gitignore +0 -1
- data/data/ruby-advisory-db/.rspec +0 -1
- data/data/ruby-advisory-db/CONTRIBUTING.md +0 -6
- data/data/ruby-advisory-db/CONTRIBUTORS.md +0 -23
- data/data/ruby-advisory-db/Gemfile +0 -3
- data/data/ruby-advisory-db/LICENSE.txt +0 -5
- data/data/ruby-advisory-db/README.md +0 -82
- data/data/ruby-advisory-db/Rakefile +0 -27
- data/data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml +0 -17
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml +0 -20
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml +0 -21
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml +0 -27
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml +0 -24
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml +0 -22
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml +0 -24
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml +0 -22
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml +0 -26
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml +0 -28
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml +0 -23
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-84515.yml +0 -26
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml +0 -24
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml +0 -20
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml +0 -23
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml +0 -23
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml +0 -25
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml +0 -24
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml +0 -24
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml +0 -21
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml +0 -23
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml +0 -26
- data/data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml +0 -26
- data/data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml +0 -23
- data/data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml +0 -25
- data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml +0 -28
- data/data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml +0 -15
- data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml +0 -15
- data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml +0 -10
- data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml +0 -17
- data/data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml +0 -11
- data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml +0 -12
- data/data/ruby-advisory-db/gems/devise/OSVDB-89642.yml +0 -20
- data/data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml +0 -19
- data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml +0 -11
- data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml +0 -10
- data/data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml +0 -9
- data/data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml +0 -18
- data/data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml +0 -12
- data/data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml +0 -10
- data/data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml +0 -10
- data/data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml +0 -10
- data/data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml +0 -9
- data/data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml +0 -13
- data/data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml +0 -18
- data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml +0 -14
- data/data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml +0 -20
- data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml +0 -14
- data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml +0 -17
- data/data/ruby-advisory-db/gems/json/OSVDB-90074.yml +0 -23
- data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml +0 -10
- data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml +0 -10
- data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml +0 -10
- data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml +0 -21
- data/data/ruby-advisory-db/gems/mail/OSVDB-70667.yml +0 -21
- data/data/ruby-advisory-db/gems/mail/OSVDB-81631.yml +0 -14
- data/data/ruby-advisory-db/gems/mail/OSVDB-81632.yml +0 -16
- data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml +0 -10
- data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml +0 -15
- data/data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml +0 -16
- data/data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml +0 -17
- data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml +0 -12
- data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml +0 -15
- data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml +0 -19
- data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml +0 -22
- data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml +0 -17
- data/data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml +0 -16
- data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml +0 -13
- data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml +0 -12
- data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml +0 -13
- data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml +0 -11
- data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml +0 -18
- data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml +0 -23
- data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml +0 -20
- data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml +0 -27
- data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml +0 -16
- data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml +0 -14
- data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml +0 -11
- data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml +0 -13
- data/data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml +0 -13
- data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml +0 -11
- data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml +0 -11
- data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml +0 -11
- data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml +0 -11
- data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml +0 -14
- data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml +0 -10
- data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml +0 -11
- data/data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml +0 -14
- data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml +0 -15
- data/data/ruby-advisory-db/lib/scrape.rb +0 -87
- data/data/ruby-advisory-db/spec/advisory_example.rb +0 -165
- data/data/ruby-advisory-db/spec/gems_spec.rb +0 -7
- data/data/ruby-advisory-db/spec/spec_helper.rb +0 -1
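--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-metadata.gz:
-data.tar.gz:
+SHA256:
+metadata.gz: 966ad54c7aa972a1def015d74d836cfa2268970ef74ab064766c775ed5e9d2f8
+data.tar.gz: c5d32686e71351ba9a3907a8a0b9d4b3ee0d3e695f3b69dd25c95dc92eb9c7df
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 53e93bd363d19723be6b12ef095b0912e1781f0ae513bbad8bff5a0cc199ee57b1ac4abe5e003740c0d6d1a283738b0228b54472a3a1e2bd52d2af972b0cb9fd
+data.tar.gz: 2636a1378516f65b291cf7132397d82e0270f511fa5a1cdb2419b2bf63b828807598f968642f5e2c41e0efb0e1011894223460123c7d76461703f2df26b2f87d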
data/.gitignore
CHANGED
data/.travis.yml
CHANGED
data/ChangeLog.md
CHANGED
@@ -1,3 +1,55 @@
|
|
1
|
+
### 0.7.0 / 2020-06-12
|
2
|
+
|
3
|
+
* Require [thor] >= 0.18, < 2.
|
4
|
+
* Added {Bundler::Audit::Advisory#ghsa} (@rschultheis).
|
5
|
+
* Added {Bundler::Audit::Advisory#cvss_v3} (@ahamlin-nr).
|
6
|
+
* Added {Bundler::Audit::Advisory#identifiers} (@rschultheis).
|
7
|
+
* Updated {Bundler::Audit::Advisory#criticality} ranges (@reedlonden).
|
8
|
+
* Avoid rebasing the ruby-advisory-db when updating (@nicknovitski).
|
9
|
+
* Fixed issue with Bundler 2.x where source URIs are no longer parsed as
|
10
|
+
`URI::HTTP` objects, but as `Bundler::URI::HTTP` objects. (@milgner)
|
11
|
+
|
12
|
+
### 0.6.1 / 2019-01-17
|
13
|
+
|
14
|
+
* Require bundler `>= 1.2.0, < 3` to support [bundler] 2.0.
|
15
|
+
|
16
|
+
### 0.6.0 / 2017-07-18
|
17
|
+
|
18
|
+
* Added `--quiet` option to `check` and `update` commands (@jaredbeck).
|
19
|
+
* Added `bin/bundler-audit` which will be executed when `bundle audit` is ran
|
20
|
+
(@vassilevsky).
|
21
|
+
|
22
|
+
### 0.5.0 / 2016-02-28
|
23
|
+
|
24
|
+
* Added {Bundler::Audit::Task}.
|
25
|
+
* Added {Bundler::Audit::Advisory#date}.
|
26
|
+
* Added {Bundler::Audit::Advisory#cve_id}.
|
27
|
+
* Added {Bundler::Audit::Advisory#osvdb_id}.
|
28
|
+
* Allow insecure gem sources (`http://` and `git://`), if they are hosted on a
|
29
|
+
private network.
|
30
|
+
|
31
|
+
#### CLI
|
32
|
+
|
33
|
+
* Added the `--update` option to `bundle-audit check`.
|
34
|
+
* `bundle-audit update` now returns a non-zero exit status on error.
|
35
|
+
* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
|
36
|
+
repository.
|
37
|
+
|
38
|
+
### 0.4.0 / 2015-06-30
|
39
|
+
|
40
|
+
* Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
|
41
|
+
* Added {Bundler::Audit::Advisory#osvdb}.
|
42
|
+
* Resolve the IP addresses of gem sources and ignore intranet gem sources.
|
43
|
+
(PR #90)
|
44
|
+
* Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
|
45
|
+
(PR #92)
|
46
|
+
|
47
|
+
#### CLI
|
48
|
+
|
49
|
+
* Print the CVE or OSVDB id.
|
50
|
+
* No longer print "Unpatched versions found!" when an insecure gem source
|
51
|
+
is detected. (PR #84)
|
52
|
+
|
1
53
|
### 0.3.1 / 2014-04-20
|
2
54
|
|
3
55
|
* Added thor ~> 0.18 as a dependency.
|
@@ -85,4 +137,5 @@
|
|
85
137
|
* [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
|
86
138
|
|
87
139
|
[bundler]: http://gembundler.com/
|
140
|
+
[thor]: http://whatisthor.com/
|
88
141
|
[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme
|
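--- a/data/Gemfile
+++ b/data/Gemfile
@@ -3,10 +3,11 @@ source 'https://rubygems.org/'
 gemspec
 
 group :development do
-gem 'rake'
+gem 'rake'
 gem 'kramdown', '~> 0.14'
 
 gem 'rubygems-tasks', '~> 0.2'
-gem 'rspec', '~>
-gem 'yard', '~> 0.
+gem 'rspec', '~> 3.0'
+gem 'yard', '~> 0.9'
+gem 'simplecov', '~> 0.7', :require => false
 end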
data/README.md
CHANGED
@@ -1,15 +1,15 @@
|
|
1
1
|
# bundler-audit
|
2
|
+
[![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg?branch=master)](https://travis-ci.org/rubysec/bundler-audit)
|
3
|
+
[![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
|
2
4
|
|
3
5
|
* [Homepage](https://github.com/rubysec/bundler-audit#readme)
|
4
6
|
* [Issues](https://github.com/rubysec/bundler-audit/issues)
|
5
7
|
* [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
|
6
|
-
* [Email](mailto:
|
7
|
-
* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.png)](https://travis-ci.org/rubysec/bundler-audit)
|
8
|
-
* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.png)](https://codeclimate.com/github/rubysec/bundler-audit)
|
8
|
+
* [Email](mailto:postmodern.mod3 at gmail.com)
|
9
9
|
|
10
10
|
## Description
|
11
11
|
|
12
|
-
Patch-level verification for [
|
12
|
+
Patch-level verification for [bundler].
|
13
13
|
|
14
14
|
## Features
|
15
15
|
|
@@ -21,7 +21,7 @@ Patch-level verification for [Bundler][bundler].
|
|
21
21
|
|
22
22
|
## Synopsis
|
23
23
|
|
24
|
-
Audit a
|
24
|
+
Audit a project's `Gemfile.lock`:
|
25
25
|
|
26
26
|
$ bundle-audit
|
27
27
|
Name: actionpack
|
@@ -31,7 +31,7 @@ Audit a projects `Gemfile.lock`:
|
|
31
31
|
URL: http://www.osvdb.org/show/osvdb/91452
|
32
32
|
Title: XSS vulnerability in sanitize_css in Action Pack
|
33
33
|
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
|
34
|
-
|
34
|
+
|
35
35
|
Name: actionpack
|
36
36
|
Version: 3.2.10
|
37
37
|
Advisory: OSVDB-91454
|
@@ -39,7 +39,7 @@ Audit a projects `Gemfile.lock`:
|
|
39
39
|
URL: http://osvdb.org/show/osvdb/91454
|
40
40
|
Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
|
41
41
|
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
|
42
|
-
|
42
|
+
|
43
43
|
Name: actionpack
|
44
44
|
Version: 3.2.10
|
45
45
|
Advisory: OSVDB-89026
|
@@ -47,7 +47,7 @@ Audit a projects `Gemfile.lock`:
|
|
47
47
|
URL: http://osvdb.org/show/osvdb/89026
|
48
48
|
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
|
49
49
|
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
|
50
|
-
|
50
|
+
|
51
51
|
Name: activerecord
|
52
52
|
Version: 3.2.10
|
53
53
|
Advisory: OSVDB-91453
|
@@ -55,7 +55,7 @@ Audit a projects `Gemfile.lock`:
|
|
55
55
|
URL: http://osvdb.org/show/osvdb/91453
|
56
56
|
Title: Symbol DoS vulnerability in Active Record
|
57
57
|
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
|
58
|
-
|
58
|
+
|
59
59
|
Name: activerecord
|
60
60
|
Version: 3.2.10
|
61
61
|
Advisory: OSVDB-90072
|
@@ -63,7 +63,7 @@ Audit a projects `Gemfile.lock`:
|
|
63
63
|
URL: http://direct.osvdb.org/show/osvdb/90072
|
64
64
|
Title: Ruby on Rails Active Record attr_protected Method Bypass
|
65
65
|
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
|
66
|
-
|
66
|
+
|
67
67
|
Name: activerecord
|
68
68
|
Version: 3.2.10
|
69
69
|
Advisory: OSVDB-89025
|
@@ -71,7 +71,7 @@ Audit a projects `Gemfile.lock`:
|
|
71
71
|
URL: http://osvdb.org/show/osvdb/89025
|
72
72
|
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
|
73
73
|
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
|
74
|
-
|
74
|
+
|
75
75
|
Name: activesupport
|
76
76
|
Version: 3.2.10
|
77
77
|
Advisory: OSVDB-91451
|
@@ -79,10 +79,10 @@ Audit a projects `Gemfile.lock`:
|
|
79
79
|
URL: http://www.osvdb.org/show/osvdb/91451
|
80
80
|
Title: XML Parsing Vulnerability affecting JRuby users
|
81
81
|
Solution: upgrade to ~> 3.1.12, >= 3.2.13
|
82
|
-
|
82
|
+
|
83
83
|
Unpatched versions found!
|
84
84
|
|
85
|
-
Update the [ruby-advisory-db] that `bundle
|
85
|
+
Update the [ruby-advisory-db] that `bundle audit` uses:
|
86
86
|
|
87
87
|
$ bundle-audit update
|
88
88
|
Updating ruby-advisory-db ...
|
@@ -108,19 +108,43 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
|
|
108
108
|
create mode 100644 gems/wicked/OSVDB-98270.yml
|
109
109
|
ruby-advisory-db: 64 advisories
|
110
110
|
|
111
|
+
Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
|
112
|
+
|
113
|
+
$ bundle-audit check --update
|
114
|
+
|
115
|
+
Ignore specific advisories:
|
116
|
+
|
117
|
+
$ bundle-audit check --ignore OSVDB-108664
|
118
|
+
|
119
|
+
Rake task:
|
120
|
+
|
121
|
+
```ruby
|
122
|
+
require 'bundler/audit/task'
|
123
|
+
Bundler::Audit::Task.new
|
124
|
+
|
125
|
+
task default: 'bundle:audit'
|
126
|
+
```
|
127
|
+
|
111
128
|
## Requirements
|
112
129
|
|
113
|
-
* [
|
114
|
-
* [
|
130
|
+
* [ruby] >= 1.9.3
|
131
|
+
* [rubygems] >= 1.8
|
132
|
+
* [thor] >= 0.18, < 2
|
115
133
|
* [bundler] ~> 1.2
|
116
134
|
|
117
135
|
## Install
|
118
136
|
|
119
|
-
$ gem install bundler-audit
|
137
|
+
$ [sudo] gem install bundler-audit
|
138
|
+
|
139
|
+
## Contributing
|
140
|
+
|
141
|
+
1. Clone the repo
|
142
|
+
2. `git submodule update --init` # To populate data/ruby-advisory-db
|
143
|
+
3. `bundle exec rake`
|
120
144
|
|
121
145
|
## License
|
122
146
|
|
123
|
-
Copyright (c) 2013-
|
147
|
+
Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
|
124
148
|
|
125
149
|
bundler-audit is free software: you can redistribute it and/or modify
|
126
150
|
it under the terms of the GNU General Public License as published by
|
@@ -135,8 +159,10 @@ GNU General Public License for more details.
|
|
135
159
|
You should have received a copy of the GNU General Public License
|
136
160
|
along with bundler-audit. If not, see <http://www.gnu.org/licenses/>.
|
137
161
|
|
138
|
-
[
|
162
|
+
[ruby]: https://ruby-lang.org
|
163
|
+
[rubygems]: https://rubygems.org
|
139
164
|
[thor]: http://whatisthor.com/
|
140
165
|
[bundler]: https://github.com/carlhuda/bundler#readme
|
141
166
|
|
142
167
|
[OSVDB]: http://osvdb.org/
|
168
|
+
[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db
|
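--- a/data/Rakefile
+++ b/data/Rakefile
@@ -3,19 +3,9 @@
 require 'rubygems'
 
 begin
-require 'bundler'
+require 'bundler/setup'
 rescue LoadError => e
-
-warn "Run `gem install bundler` to install Bundler."
-exit -1
-end
-
-begin
-Bundler.setup(:development)
-rescue Bundler::BundlerError => e
-warn e.message
-warn "Run `bundle install` to install missing gems."
-exit e.status_code
+abort e.message
 end
 
 require 'rake'
@@ -33,7 +23,7 @@ namespace :db do
 sh 'git', 'pull', 'origin', 'master'
 
 File.open('../ruby-advisory-db.ts','w') do |file|
-file.write Time.parse(`git log --pretty="%cd" -1`).utc
+file.write Time.parse(`git log --date=iso8601 --pretty="%cd" -1`).utc
 end
 end
 
@@ -46,18 +36,20 @@ end
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new
 
-
-
-
+%w[secure unpatched_gems insecure_sources].each do |bundle|
+bundle_dir = File.join('spec/bundle',bundle)
+gemfile = File.join(bundle_dir,'Gemfile')
+gemfile_lock = File.join(bundle_dir,'Gemfile.lock')
 
-
-
-
-end
+file gemfile_lock => gemfile do
+chdir(bundle_dir) do
+sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
 end
 end
+
+desc "Generates the spec/bundler/*/Gemfile.lock files"
+task 'spec:bundle' => gemfile_lock
 end
-task :spec => 'spec:bundle'
 
 task :test => :spec
 task :default => :spec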
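Review bot: The `file gemfile_lock => gemfile` task at new lines 44-46 passes a single string to `sh`, so the command goes through `/bin/sh`, and `bundle install` runs whenever a fixture lock file is missing or older than its Gemfile — unless the fixture Gemfiles pin exact versions, the lock contents then depend on the network and on what is published the day the task runs, which matters for fixtures that are meant to hold known-vulnerable versions. The array form avoids the shell and lets `Kernel#system` clear the variables itself: `sh({ 'BUNDLE_BIN_PATH' => nil, 'BUNDLE_GEMFILE' => nil, 'RUBYOPT' => nil }, 'bundle', 'install', '--path', '../../../vendor/bundle')`. With gemspec.yml now allowing Bundler `< 3`, `bundle install --path` is likely to emit a deprecation warning on Bundler 2.1+ (not verified here). Because `task :spec => 'spec:bundle'` was removed, `rake spec` no longer regenerates the lock files; a sentence in the task `desc` or the README's Contributing steps saying `spec:bundle` must be run first (and needs network access) would save a confused test run.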
data/bin/bundler-audit
ADDED
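--- a/data/data/ruby-advisory-db.ts
+++ b/data/data/ruby-advisory-db.ts
@@ -1 +1 @@
-
+2020-06-05 17:45:49 UTC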
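--- a/data/gemspec.yml
+++ b/data/gemspec.yml
@@ -1,13 +1,14 @@
 name: bundler-audit
 summary: Patch-level verification for Bundler
 description: bundler-audit provides patch-level verification for Bundled apps.
-license:
+license: GPL-3.0+
 authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme
 
+required_ruby_version: ">= 1.9.3"
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
-thor:
-bundler:
+thor: ">= 0.18, < 2"
+bundler: ">= 1.2.0, < 3"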
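--- a/data/lib/bundler/audit.rb
+++ b/data/lib/bundler/audit.rb
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by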
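--- a/data/lib/bundler/audit/advisory.rb
+++ b/data/lib/bundler/audit/advisory.rb
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -23,8 +23,13 @@ module Bundler
 :id,
 :url,
 :title,
+:date,
 :description,
 :cvss_v2,
+:cvss_v3,
+:cve,
+:osvdb,
+:ghsa,
 :unaffected_versions,
 :patched_versions)
 
@@ -57,24 +62,83 @@ module Bundler
 id,
 data['url'],
 data['title'],
+data['date'],
 data['description'],
 data['cvss_v2'],
+data['cvss_v3'],
+data['cve'],
+data['osvdb'],
+data['ghsa'],
 parse_versions[data['unaffected_versions']],
 parse_versions[data['patched_versions']]
 )
 end
 
+#
+# The CVE identifier.
+#
+# @return [String, nil]
+#
+def cve_id
+"CVE-#{cve}" if cve
+end
+
+#
+# The OSVDB identifier.
+#
+# @return [String, nil]
+#
+def osvdb_id
+"OSVDB-#{osvdb}" if osvdb
+end
+
+#
+# The GHSA (GitHub Security Advisory) identifier
+#
+# @return [String, nil]
+#
+# @since 0.7.0
+#
+def ghsa_id
+"GHSA-#{ghsa}" if ghsa
+end
+
+#
+# Return a compacted list of all ids
+#
+# @return [Array<String>]
+#
+# @since 0.7.0
+#
+def identifiers
+[
+cve_id,
+osvdb_id,
+ghsa_id
+].compact
+end
+
 #
 # Determines how critical the vulnerability is.
 #
-# @return [:low, :medium, :high]
-# The criticality of the vulnerability based on the
+# @return [:none, :low, :medium, :high, :critical]
+# The criticality of the vulnerability based on the CVSS score.
 #
 def criticality
-
-
-
-
+if cvss_v3
+case cvss_v3
+when 0.0 then :none
+when 0.1..3.9 then :low
+when 4.0..6.9 then :medium
+when 7.0..8.9 then :high
+when 9.0..10.0 then :critical
+end
+elsif cvss_v2
+case cvss_v2
+when 0.0..3.9 then :low
+when 4.0..6.9 then :medium
+when 7.0..10.0 then :high
+end
 end
 end
 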
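Review bot: `criticality` (new lines 127-143) can return nil: neither `case` has an `else`, so a score outside the listed ranges, or a non-Float value if the advisory YAML quotes the score, falls through, and the method also returns nil when both `cvss_v3` and `cvss_v2` are absent, which the new `@return` tag does not mention. Callers that sort or print by criticality have to cope with that, so either document it — `# @return [:none, :low, :medium, :high, :critical, nil]` — or add an `else` branch to each `case` that makes the fallback explicit. The Float ranges `0.1..3.9` / `4.0..6.9` / `7.0..8.9` / `9.0..10.0` also leave gaps (e.g. 3.95 matches nothing); CVSS scores are published to one decimal, so this presumably only bites on malformed data. The file header for this section is missing from the rendered page; the path `data/lib/bundler/audit/advisory.rb` is taken from the diffstat, whose +71 −7 count matches these hunks.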