bundler-audit 0.3.1 → 0.7.0

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -30,10 +30,14 @@ module Bundler
       map '--version' => :version
 
       desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
       method_option :verbose, :type => :boolean, :aliases => '-v'
       method_option :ignore, :type => :array, :aliases => '-i'
+      method_option :update, :type => :boolean, :aliases => '-u'
 
       def check
+        update if options[:update]
+
         scanner    = Scanner.new
         vulnerable = false
 
@@ -49,19 +53,36 @@ module Bundler
         end
 
         if vulnerable
-          say "Unpatched versions found!", :red
+          say "Vulnerabilities found!", :red
           exit 1
         else
-          say "No unpatched versions found", :green
+          say("No vulnerabilities found", :green) unless options.quiet?
         end
       end
 
       desc 'update', 'Updates the ruby-advisory-db'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
+
       def update
-        say "Updating ruby-advisory-db ..."
+        say("Updating ruby-advisory-db ...") unless options.quiet?
 
-        Database.update!
-        puts "ruby-advisory-db: #{Database.new.size} advisories"
+        case Database.update!(quiet: options.quiet?)
+        when true
+          say("Updated ruby-advisory-db", :green) unless options.quiet?
+        when false
+          say "Failed updating ruby-advisory-db!", :red
+          exit 1
+        when nil
+          unless Bundler.git_present?
+            say "Git is not installed!", :red
+            exit 1
+          end
+          say "Skipping update", :yellow
+        end
+
+        unless options.quiet?
+          puts("ruby-advisory-db: #{Database.new.size} advisories")
+        end
       end
 
       desc 'version', 'Prints the bundler-audit version'
@@ -90,14 +111,23 @@ module Bundler
         say gem.version
 
         say "Advisory: ", :red
-        say advisory.id
+
+        if advisory.cve
+          say advisory.cve_id
+        elsif advisory.osvdb
+          say advisory.osvdb_id
+        elsif advisory.ghsa
+          say advisory.ghsa_id
+        end
 
         say "Criticality: ", :red
         case advisory.criticality
-        when :low    then say "Low"
-        when :medium then say "Medium", :yellow
-        when :high   then say "High", [:red, :bold]
-        else              say "Unknown"
+        when :none     then say "None"
+        when :low      then say "Low"
+        when :medium   then say "Medium", :yellow
+        when :high     then say "High", [:red, :bold]
+        when :critical then say "Critical", [:red, :bold]
+        else                say "Unknown"
         end
 
         say "URL: ", :red

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -68,7 +68,7 @@ module Bundler
       #
       def self.path
         if File.directory?(USER_PATH)
-          t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --pretty="%cd" -1`) }
+          t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --date=iso8601 --pretty="%cd" -1`).utc }
           t2 = VENDORED_TIMESTAMP
 
           if t1 >= t2 then USER_PATH
@@ -82,21 +82,43 @@ module Bundler
       #
       # Updates the ruby-advisory-db.
       #
-      # @return [Boolean]
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Boolean] :quiet
+      #   Specify whether `git` should be `--quiet`.
+      #
+      # @return [Boolean, nil]
       #   Specifies whether the update was successful.
+      #   A `nil` indicates no update was performed.
+      #
+      # @raise [ArgumentError]
+      #   Invalid options were given.
       #
       # @note
       #   Requires network access.
       #
       # @since 0.3.0
       #
-      def self.update!
+      def self.update!(options={})
+        unless (options.keys - [:quiet]).empty?
+          raise(ArgumentError,"Invalid option(s)")
+        end
+
         if File.directory?(USER_PATH)
-          Dir.chdir(USER_PATH) do
-            system 'git', 'pull', 'origin', 'master'
+          if File.directory?(File.join(USER_PATH, ".git"))
+            Dir.chdir(USER_PATH) do
+              command = %w(git pull --no-rebase)
+              command << '--quiet' if options[:quiet]
+              command << 'origin' << 'master'
+              system *command
+            end
           end
         else
-          system 'git', 'clone', URL, USER_PATH
+          command = %w(git clone)
+          command << '--quiet' if options[:quiet]
+          command << URL << USER_PATH
+          system *command
         end
       end
 

data/lib/bundler/audit/scanner.rb

@@ -2,7 +2,10 @@ require 'bundler'
 require 'bundler/audit/database'
 require 'bundler/lockfile_parser'
 
+require 'ipaddr'
+require 'resolv'
 require 'set'
+require 'uri'
 
 module Bundler
   module Audit
@@ -33,11 +36,14 @@ module Bundler
       # @param [String] root
       #   The path to the project root.
       #
-      def initialize(root=Dir.pwd)
+      # @param [String] gemfile_lock
+      #   Alternative name for the `Gemfile.lock` file.
+      #
+      def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock')
         @root     = File.expand_path(root)
         @database = Database.new
         @lockfile = LockfileParser.new(
-          File.read(File.join(@root,'Gemfile.lock'))
+          File.read(File.join(@root,gemfile_lock))
         )
       end
 
@@ -59,39 +65,149 @@ module Bundler
       # @return [Enumerator]
       #   If no block is given, an Enumerator will be returned.
       #
-      def scan(options={})
-        return enum_for(__method__,options) unless block_given?
+      def scan(options={},&block)
+        return enum_for(__method__,options) unless block
 
         ignore = Set[]
         ignore += options[:ignore] if options[:ignore]
 
+        scan_sources(options,&block)
+        scan_specs(options,&block)
+
+        return self
+      end
+
+      #
+      # Scans the gem sources in the lockfile.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [InsecureSource] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      # @api semipublic
+      #
+      # @since 0.4.0
+      #
+      def scan_sources(options={})
+        return enum_for(__method__,options) unless block_given?
+
         @lockfile.sources.map do |source|
           case source
           when Source::Git
             case source.uri
             when /^git:/, /^http:/
-              yield InsecureSource.new(source.uri)
+              unless internal_source?(source.uri)
+                yield InsecureSource.new(source.uri)
+              end
             end
           when Source::Rubygems
             source.remotes.each do |uri|
-              if uri.scheme == 'http'
+              if (uri.scheme == 'http' && !internal_source?(uri))
                 yield InsecureSource.new(uri.to_s)
               end
             end
           end
         end
+      end
+
+      #
+      # Scans the gem sources in the lockfile.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      # @api semipublic
+      #
+      # @since 0.4.0
+      #
+      def scan_specs(options={})
+        return enum_for(__method__,options) unless block_given?
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
 
         @lockfile.specs.each do |gem|
           @database.check_gem(gem) do |advisory|
-            unless ignore.include?(advisory.id)
-              yield UnpatchedGem.new(gem,advisory)
-            end
+            is_ignored = ignore.intersect?(advisory.identifiers.to_set)
+            next if is_ignored
+
+            yield UnpatchedGem.new(gem,advisory)
           end
         end
+      end
 
-        return self
+      private
+
+      #
+      # Determines whether a source is internal.
+      #
+      # @param [URI, String] uri
+      #   The URI.
+      #
+      # @return [Boolean]
+      #
+      def internal_source?(uri)
+        uri = URI.parse(uri.to_s)
+
+        internal_host?(uri.host) if uri.host
       end
 
+      #
+      # Determines whether a host is internal.
+      #
+      # @param [String] host
+      #   The hostname.
+      #
+      # @return [Boolean]
+      #
+      def internal_host?(host)
+        Resolv.getaddresses(host).all? { |ip| internal_ip?(ip) }
+      rescue URI::Error
+        false
+      end
+
+      # List of internal IP address ranges.
+      #
+      # @see https://tools.ietf.org/html/rfc1918#section-3
+      # @see https://tools.ietf.org/html/rfc4193#section-8
+      INTERNAL_SUBNETS = %w[
+        10.0.0.0/8
+        172.16.0.0/12
+        192.168.0.0/16
+        fc00::/7
+      ].map(&IPAddr.method(:new))
+
+      #
+      # Determines whether an IP is internal.
+      #
+      # @param [String] ip
+      #   The IPv4/IPv6 address.
+      #
+      # @return [Boolean]
+      #
+      def internal_ip?(ip)
+        INTERNAL_SUBNETS.any? { |subnet| subnet.include?(ip) }
+      end
     end
   end
 end

data/lib/bundler/audit/task.rb

@@ -0,0 +1,31 @@
+require 'rake/tasklib'
+
+module Bundler
+  module Audit
+    class Task < Rake::TaskLib
+      #
+      # Initializes the task.
+      #
+      def initialize
+        define
+      end
+
+      protected
+
+      #
+      # Defines the `bundle:audit` task.
+      #
+      def define
+        namespace :bundle do
+          desc 'Updates the ruby-advisory-db then runs bundle-audit'
+          task :audit do
+            require 'bundler/audit/cli'
+            %w(update check).each do |command|
+              Bundler::Audit::CLI.start [command]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/audit/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.3.1'
+    VERSION = '0.7.0'
   end
 end

data/spec/advisory_spec.rb

@@ -5,7 +5,7 @@ require 'bundler/audit/advisory'
 describe Bundler::Audit::Advisory do
   let(:root) { Bundler::Audit::Database::VENDORED_PATH }
   let(:gem)  { 'actionpack' }
-  let(:id)   { 'OSVDB-84243' }
+  let(:id)   { 'CVE-2012-3424' }
   let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
   let(:an_unaffected_version) do
     Bundler::Audit::Advisory.load(path).unaffected_versions.map { |version_rule|
@@ -24,16 +24,45 @@ describe Bundler::Audit::Advisory do
     }.flatten.first
   end
 
+  subject { described_class.load(path) }
+
   describe "load" do
     let(:data) { YAML.load_file(path) }
 
-    subject { described_class.load(path) }
+    describe '#id' do
+      subject { super().id }
+      it { is_expected.to eq(id)                  }
+    end
+
+    describe '#url' do
+      subject { super().url }
+      it { is_expected.to eq(data['url'])         }
+    end
+
+    describe '#title' do
+      subject { super().title }
+      it { is_expected.to eq(data['title'])       }
+    end
+
+    describe '#date' do
+      subject { super().date }
+      it { is_expected.to eq(data['date'])        }
+    end
+
+    describe '#cvss_v2' do
+      subject { super().cvss_v2 }
+      it { is_expected.to eq(data['cvss_v2'])     }
+    end
 
-    its(:id)          { should == id                  }
-    its(:url)         { should == data['url']         }
-    its(:title)       { should == data['title']       }
-    its(:cvss_v2)     { should == data['cvss_v2']     }
-    its(:description) { should == data['description'] }
+    describe '#cvss_v3' do
+      subject { super().cvss_v3 }
+      it { is_expected.to eq(data['cvss_v3'])     }
+    end
+
+    describe '#description' do
+      subject { super().description }
+      it { is_expected.to eq(data['description']) }
+    end
 
     context "YAML data not representing a hash" do
       it "should raise an exception" do
@@ -48,45 +77,196 @@ describe Bundler::Audit::Advisory do
       subject { described_class.load(path).patched_versions }
 
       it "should all be Gem::Requirement objects" do
-        subject.all? { |version|
-          version.should be_kind_of(Gem::Requirement)
-        }.should be_true
+        expect(subject.all? { |version|
+          expect(version).to be_kind_of(Gem::Requirement)
+        }).to be_truthy
       end
 
       it "should parse the versions" do
-        subject.map(&:to_s).should == data['patched_versions']
+        expect(subject.map(&:to_s)).to eq(data['patched_versions'])
+      end
+    end
+  end
+
+  describe "#cve_id" do
+    let(:cve) { "2015-1234" }
+
+    subject do
+      described_class.new.tap do |advisory|
+        advisory.cve = cve
       end
     end
+
+    it "should prepend CVE- to the CVE id" do
+      expect(subject.cve_id).to be == "CVE-#{cve}"
+    end
+
+    context "when cve is nil" do
+      subject { described_class.new }
+
+      it { expect(subject.cve_id).to be_nil }
+    end
+  end
+
+  describe "#osvdb_id" do
+    let(:osvdb) { "123456" }
+
+    subject do
+      described_class.new.tap do |advisory|
+        advisory.osvdb = osvdb
+      end
+    end
+
+    it "should prepend OSVDB- to the OSVDB id" do
+      expect(subject.osvdb_id).to be == "OSVDB-#{osvdb}"
+    end
+
+    context "when cve is nil" do
+      subject { described_class.new }
+
+      it { expect(subject.osvdb_id).to be_nil }
+    end
+  end
+
+  describe "#ghsa_id" do
+    let(:ghsa) { "xfhh-rx56-rxcr" }
+
+    subject do
+      described_class.new.tap do |advisory|
+        advisory.ghsa = ghsa
+      end
+    end
+
+    it "should prepend GHSA- to the GHSA id" do
+      expect(subject.ghsa_id).to be == "GHSA-#{ghsa}"
+    end
+
+    context "when ghsa is nil" do
+      subject { described_class.new }
+
+      it { expect(subject.ghsa_id).to be_nil }
+    end
+  end
+
+  describe "#identifiers" do
+    it "should include all identifiers if defined" do
+      advisory = described_class.new.tap do |advisory|
+        advisory.cve = "2018-1234"
+        advisory.osvdb = "2019-2345"
+        advisory.ghsa = "2020-3456"
+      end
+
+      expect(advisory.identifiers).to eq([
+        "CVE-2018-1234",
+        "OSVDB-2019-2345",
+        "GHSA-2020-3456"
+      ])
+    end
+
+    it "should exclude nil identifiers" do
+      advisory = described_class.new
+      expect(advisory.identifiers).to eq([])
+
+      advisory = described_class.new.tap do |advisory|
+        advisory.cve = "2018-1234"
+      end
+      expect(advisory.identifiers).to eq(["CVE-2018-1234"])
+
+      advisory = described_class.new.tap do |advisory|
+        advisory.ghsa = "2020-3456"
+      end
+      expect(advisory.identifiers).to eq(["GHSA-2020-3456"])
+    end
   end
 
   describe "#criticality" do
-    context "when cvss_v2 is between 0.0 and 3.3" do
-      before { subject.stub(:cvss_v2).and_return(3.3) }
+    context "when cvss_v2 is between 0.0 and 3.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v2 = 3.9
+        end
+      end
+
+      it { expect(subject.criticality).to eq(:low) }
+    end
+
+    context "when cvss_v2 is between 4.0 and 6.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v2 = 6.9
+        end
+      end
+
+      it { expect(subject.criticality).to eq(:medium) }
+    end
+
+    context "when cvss_v2 is between 7.0 and 10.0" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v2 = 10.0
+        end
+      end
+
+      it { expect(subject.criticality).to eq(:high) }
+    end
+
+    context "when cvss_v3 is 0.0" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 0.0
+        end
+      end
+
+      it { expect(subject.criticality).to eq(:none) }
+    end
+
+    context "when cvss_v3 is between 0.1 and 3.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 3.9
+        end
+      end
+
+      it { expect(subject.criticality).to eq(:low) }
+    end
 
-      its(:criticality) { should == :low }
+    context "when cvss_v3 is between 4.0 and 6.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 6.9
+        end
+      end
+
+      it { expect(subject.criticality).to eq(:medium) }
     end
 
-    context "when cvss_v2 is between 3.3 and 6.6" do
-      before { subject.stub(:cvss_v2).and_return(6.6) }
+    context "when cvss_v3 is between 7.0 and 8.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 8.9
+        end
+      end
 
-      its(:criticality) { should == :medium }
+      it { expect(subject.criticality).to eq(:high) }
     end
 
-    context "when cvss_v2 is between 6.6 and 10.0" do
-      before { subject.stub(:cvss_v2).and_return(10.0) }
+    context "when cvss_v3 is between 9.0 and 10.0" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 10.0
+        end
+      end
 
-      its(:criticality) { should == :high }
+      it { expect(subject.criticality).to eq(:critical) }
     end
   end
 
   describe "#unaffected?" do
-    subject { described_class.load(path) }
-
     context "when passed a version that matches one unaffected version" do
       let(:version) { Gem::Version.new(an_unaffected_version) }
 
       it "should return true" do
-        subject.unaffected?(version).should be_true
+        expect(subject.unaffected?(version)).to be_truthy
       end
     end
 
@@ -94,19 +274,17 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('3.0.9') }
 
       it "should return false" do
-        subject.unaffected?(version).should be_false
+        expect(subject.unaffected?(version)).to be_falsey
       end
     end
   end
 
   describe "#patched?" do
-    subject { described_class.load(path) }
-
     context "when passed a version that matches one patched version" do
       let(:version) { Gem::Version.new('3.1.11') }
 
       it "should return true" do
-        subject.patched?(version).should be_true
+        expect(subject.patched?(version)).to be_truthy
       end
     end
 
@@ -114,19 +292,17 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return false" do
-        subject.patched?(version).should be_false
+        expect(subject.patched?(version)).to be_falsey
       end
     end
   end
 
   describe "#vulnerable?" do
-    subject { described_class.load(path) }
-
     context "when passed a version that matches one patched version" do
       let(:version) { Gem::Version.new('3.1.11') }
 
       it "should return false" do
-        subject.vulnerable?(version).should be_false
+        expect(subject.vulnerable?(version)).to be_falsey
       end
     end
 
@@ -134,17 +310,17 @@ describe Bundler::Audit::Advisory do
       let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return true" do
-        subject.vulnerable?(version).should be_true
+        expect(subject.vulnerable?(version)).to be_truthy
       end
 
       context "when unaffected_versions is not empty" do
         subject { described_class.load(path) }
-     
+
         context "when passed a version that matches one unaffected version" do
           let(:version) { Gem::Version.new(an_unaffected_version) }
 
           it "should return false" do
-            subject.vulnerable?(version).should be_false
+            expect(subject.vulnerable?(version)).to be_falsey
           end
         end
 
@@ -152,7 +328,7 @@ describe Bundler::Audit::Advisory do
           let(:version) { Gem::Version.new('1.2.3') }
 
           it "should return true" do
-            subject.vulnerable?(version).should be_true
+            expect(subject.vulnerable?(version)).to be_truthy
           end
         end
       end