bundler-audit 0.4.0 → 0.5.0

data/data/ruby-advisory-db/spec/advisory_example.rb

@@ -5,38 +5,33 @@ shared_examples_for 'Advisory' do |path|
   advisory = YAML.load_file(path)
 
   describe path do
-    let(:gem) { File.basename(File.dirname(path)) }
+    let(:filename) { File.basename(path).chomp('.yml') }
+
     let(:filename_cve) do
-      if File.basename(path).start_with?('CVE-')
-        File.basename(path).gsub('CVE-','').chomp('.yml')
-      else
-        nil
+      if filename.start_with?('CVE-')
+        filename.gsub('CVE-','')
       end
     end
+
     let(:filename_osvdb) do
-      if File.basename(path).start_with?('OSVDB-')
-        File.basename(path).gsub('OSVDB-','').chomp('.yml')
-      else
-        nil
+      if filename.start_with?('OSVDB-')
+        filename.gsub('OSVDB-','')
       end
     end
 
-    it "should have CVE or OSVDB" do
-      (advisory['cve'] || advisory['osvdb']).should_not be_nil
+    it "should be correctly named CVE-XXX or OSVDB-XXX" do
+      expect(filename).to match(/^(CVE-\d{4}-(0\d{3}|[1-9]\d{3,})|OSVDB-\d+)$/)
     end
 
-    describe "gem" do
-      subject { advisory['gem'] }
-
-      it { should be_kind_of(String) }
-      it { should == gem }
+    it "should have CVE or OSVDB" do
+      expect(advisory['cve'] || advisory['osvdb']).not_to be_nil
     end
 
     describe "framework" do
       subject { advisory['framework'] }
 
       it "may be nil or a String" do
-        [NilClass, String].should include(subject.class)
+        expect(subject).to be_kind_of(String).or(be_nil)
       end
     end
 
@@ -44,7 +39,7 @@ shared_examples_for 'Advisory' do |path|
       subject { advisory['platform'] }
 
       it "may be nil or a String" do
-        [NilClass, String].should include(subject.class)
+        expect(subject).to be_kind_of(String).or(be_nil)
       end
     end
 
@@ -52,23 +47,25 @@ shared_examples_for 'Advisory' do |path|
       subject { advisory['cve'] }
 
       it "may be nil or a String" do
-        [NilClass, String].should include(subject.class)
+        expect(subject).to be_kind_of(String).or(be_nil)
       end
       it "should be id in filename if filename is CVE-XXX" do
         if filename_cve
-          should == filename_cve
+          is_expected.to eq(filename_cve)
         end
       end
     end
 
     describe "osvdb" do
       subject { advisory['osvdb'] }
+
       it "may be nil or a Fixnum" do
-        [NilClass, Fixnum].should include(subject.class)
+        expect(subject).to be_kind_of(Fixnum).or(be_nil)
       end
+
        it "should be id in filename if filename is OSVDB-XXX" do
         if filename_osvdb
-          should == filename_osvdb.to_i
+          is_expected.to eq(filename_osvdb.to_i)
         end
       end
     end
@@ -76,41 +73,41 @@ shared_examples_for 'Advisory' do |path|
     describe "url" do
       subject { advisory['url'] }
 
-      it { should be_kind_of(String) }
-      it { should_not be_empty }
+      it { is_expected.to be_kind_of(String) }
+      it { is_expected.not_to be_empty }
     end
 
     describe "title" do
       subject { advisory['title'] }
 
-      it { should be_kind_of(String) }
-      it { should_not be_empty }
+      it { is_expected.to be_kind_of(String) }
+      it { is_expected.not_to be_empty }
     end
 
     describe "date" do
       subject { advisory['date'] }
 
-      it { should be_kind_of(Date) }
+      it { is_expected.to be_kind_of(Date) }
     end
 
     describe "description" do
       subject { advisory['description'] }
 
-      it { should be_kind_of(String) }
-      it { should_not be_empty }
+      it { is_expected.to be_kind_of(String) }
+      it { is_expected.not_to be_empty }
     end
 
     describe "cvss_v2" do
       subject { advisory['cvss_v2'] }
 
       it "may be nil or a Float" do
-        [NilClass, Float].should include(subject.class)
+        expect(subject).to be_kind_of(Float).or(be_nil)
       end
 
       case advisory['cvss_v2']
       when Float
         context "when a Float" do
-          it { ((0.0)..(10.0)).should include(subject) }
+          it { expect((0.0)..(10.0)).to include(subject) }
         end
       end
     end
@@ -119,7 +116,7 @@ shared_examples_for 'Advisory' do |path|
       subject { advisory['patched_versions'] }
 
       it "may be nil or an Array" do
-        [NilClass, Array].should include(subject.class)
+        expect(subject).to be_kind_of(Array).or(be_nil)
       end
 
       describe "each patched version" do
@@ -129,9 +126,9 @@ shared_examples_for 'Advisory' do |path|
               subject { version.split(', ') }
               
               it "should contain valid RubyGem version requirements" do
-                lambda {
+                expect {
                 Gem::Requirement.new(*subject)
-                }.should_not raise_error
+                }.not_to raise_error
               end
             end
           end
@@ -143,7 +140,7 @@ shared_examples_for 'Advisory' do |path|
       subject { advisory['unaffected_versions'] }
 
       it "may be nil or an Array" do
-        [NilClass, Array].should include(subject.class)
+        expect(subject).to be_kind_of(Array).or(be_nil)
       end
 
       case advisory['unaffected_versions']
@@ -153,13 +150,38 @@ shared_examples_for 'Advisory' do |path|
             subject { version.split(', ') }
             
             it "should contain valid RubyGem version requirements" do
-              lambda {
+              expect {
                 Gem::Requirement.new(*subject)
-              }.should_not raise_error
+              }.not_to raise_error
+            end
+          end
+        end
+      end
+    end
+
+    describe "related" do
+      subject { advisory['related'] }
+
+      it "may be nil or a Hash" do
+        expect(subject).to be_kind_of(Hash).or(be_nil)
+      end
+
+      case advisory["related"]
+      when Hash
+        advisory["related"].each_pair do |name, values|
+          describe name do
+            it "should be either a cve, an osvdb or a url" do
+              expect(["cve", "osvdb", "url"]).to include(name)
+            end
+
+            it "should always contain an array" do
+              expect(values).to be_kind_of(Array)
             end
           end
         end
       end
     end
+
+
   end
 end

data/data/ruby-advisory-db/spec/gem_example.rb

@@ -0,0 +1,22 @@
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+require 'advisory_example'
+
+shared_examples_for "Gem Advisory" do |path|
+  include_examples 'Advisory', path
+  
+  advisory = YAML.load_file(path)
+
+  describe path do
+    let(:gem) { File.basename(File.dirname(path)) }
+
+    describe "gem" do
+      subject { advisory['gem'] }
+
+      it { is_expected.to be_kind_of(String) }
+      it "should be equal to filename (case-insensitive)" do
+        expect(subject.downcase).to eq(gem.downcase)
+      end
+    end
+  end
+
+end

data/data/ruby-advisory-db/spec/gems_spec.rb

@@ -1,7 +1,23 @@
 load File.join(File.dirname(__FILE__), 'spec_helper.rb')
-load File.join(File.dirname(__FILE__), 'advisory_example.rb')
+require 'gem_example'
+require 'library_example'
+require 'ruby_example'
+
 describe "gems" do
   Dir.glob(File.join(File.dirname(__FILE__), '../gems/*/*.yml')) do |path|
-    include_examples 'Advisory', path
+    include_examples 'Gem Advisory', path
   end
 end
+
+describe "libraries" do
+  Dir.glob(File.join(File.dirname(__FILE__), '../libraries/*/*.yml')) do |path|
+    include_examples 'Libraries Advisory', path
+  end
+end
+
+describe "rubies" do
+  Dir.glob(File.join(File.dirname(__FILE__), '../rubies/*/*.yml')) do |path|
+    include_examples 'Rubies Advisory', path
+  end
+end
+

data/data/ruby-advisory-db/spec/library_example.rb

@@ -0,0 +1,21 @@
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+require 'advisory_example'
+
+shared_examples_for "Libraries Advisory" do |path|
+  include_examples 'Advisory', path
+
+  advisory = YAML.load_file(path)
+
+  describe path do
+    let(:library) { File.basename(File.dirname(path)) }
+
+    describe "library" do
+      subject { advisory['library'] }
+
+      it { is_expected.to be_kind_of(String) }
+      it "should be equal to filename (case-insensitive)" do
+        expect(subject.downcase).to eq(library.downcase)
+      end
+    end
+  end
+end

data/data/ruby-advisory-db/spec/ruby_example.rb

@@ -0,0 +1,23 @@
+load File.join(File.dirname(__FILE__), 'spec_helper.rb')
+require 'advisory_example'
+
+shared_examples_for "Rubies Advisory" do |path|
+  include_examples 'Advisory', path
+  
+  advisory = YAML.load_file(path)
+
+  describe path do
+    let(:engine) { File.basename(File.dirname(path)) }
+
+    describe "engine" do
+      subject { advisory['engine'] }
+
+      it { is_expected.to be_kind_of(String) }
+      it "should be equal to filename (case-insensitive)" do
+        expect(subject.downcase).to eq(engine.downcase)
+      end
+    end
+  end
+
+end
+

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -23,6 +23,7 @@ module Bundler
                                 :id,
                                 :url,
                                 :title,
+                                :date,
                                 :description,
                                 :cvss_v2,
                                 :cve,
@@ -59,6 +60,7 @@ module Bundler
           id,
           data['url'],
           data['title'],
+          data['date'],
           data['description'],
           data['cvss_v2'],
           data['cve'],
@@ -68,6 +70,24 @@ module Bundler
         )
       end
 
+      #
+      # The CVE identifier.
+      #
+      # @return [String, nil]
+      #
+      def cve_id
+        "CVE-#{cve}" if cve
+      end
+
+      #
+      # The OSVDB identifier.
+      #
+      # @return [String, nil]
+      #
+      def osvdb_id
+        "OSVDB-#{osvdb}" if osvdb
+      end
+
       #
       # Determines how critical the vulnerability is.
       #

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -32,8 +32,11 @@ module Bundler
       desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
       method_option :verbose, :type => :boolean, :aliases => '-v'
       method_option :ignore, :type => :array, :aliases => '-i'
+      method_option :update, :type => :boolean, :aliases => '-u'
 
       def check
+        update if options[:update]
+
         scanner    = Scanner.new
         vulnerable = false
 
@@ -60,7 +63,16 @@ module Bundler
       def update
         say "Updating ruby-advisory-db ..."
 
-        Database.update!
+        case Database.update!
+        when true
+          say "Updated ruby-advisory-db", :green
+        when false
+          say "Failed updating ruby-advisory-db!", :red
+          exit 1
+        when nil
+          say "Skipping update", :yellow
+        end
+
         puts "ruby-advisory-db: #{Database.new.size} advisories"
       end
 

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -82,8 +82,9 @@ module Bundler
       #
       # Updates the ruby-advisory-db.
       #
-      # @return [Boolean]
+      # @return [Boolean, nil]
       #   Specifies whether the update was successful.
+      #   A `nil` indicates no update was performed.
       #
       # @note
       #   Requires network access.
@@ -92,8 +93,10 @@ module Bundler
       #
       def self.update!
         if File.directory?(USER_PATH)
-          Dir.chdir(USER_PATH) do
-            system 'git', 'pull', 'origin', 'master'
+          if File.directory?(File.join(USER_PATH, ".git"))
+            Dir.chdir(USER_PATH) do
+              system 'git', 'pull', 'origin', 'master'
+            end
           end
         else
           system 'git', 'clone', URL, USER_PATH

data/lib/bundler/audit/scanner.rb

@@ -101,12 +101,13 @@ module Bundler
           when Source::Git
             case source.uri
             when /^git:/, /^http:/
-              next if internal_host?(source.uri)
-              yield InsecureSource.new(source.uri)
+              unless internal_source?(source.uri)
+                yield InsecureSource.new(source.uri)
+              end
             end
           when Source::Rubygems
             source.remotes.each do |uri|
-              if uri.scheme == 'http'
+              if (uri.scheme == 'http' && !internal_source?(uri))
                 yield InsecureSource.new(uri.to_s)
               end
             end
@@ -144,7 +145,8 @@ module Bundler
 
         @lockfile.specs.each do |gem|
           @database.check_gem(gem) do |advisory|
-            unless ignore.include?(advisory.id)
+            unless (ignore.include?(advisory.cve_id) ||
+                    ignore.include?(advisory.osvdb_id))
               yield UnpatchedGem.new(gem,advisory)
             end
           end
@@ -154,15 +156,28 @@ module Bundler
       private
 
       #
-      # Determines whether a URI is internal.
+      # Determines whether a source is internal.
+      #
+      # @param [URI, String] uri
+      #   The URI.
+      #
+      # @return [Boolean]
+      #
+      def internal_source?(uri)
+        uri = URI(uri)
+
+        internal_host?(uri.host) if uri.host
+      end
+
+      #
+      # Determines whether a host is internal.
       #
-      # @param [String] uri
-      #   The source URI.
+      # @param [String] host
+      #   The hostname.
       #
       # @return [Boolean]
       #
-      def internal_host?(uri)
-        return unless host = URI.parse(uri).host
+      def internal_host?(host)
         Resolv.getaddresses(host).all? { |ip| internal_ip?(ip) }
       rescue URI::Error
         false