bundler-audit 0.5.0 → 0.6.0
- checksums.yaml +4 -4
- data/.travis.yml +11 -6
- data/ChangeLog.md +7 -1
- data/Gemfile +1 -1
- data/README.md +13 -7
- data/bin/bundler-audit +3 -0
- data/data/ruby-advisory-db.ts +1 -1
- data/data/ruby-advisory-db/.gitignore +0 -1
- data/data/ruby-advisory-db/.travis.yml +0 -6
- data/data/ruby-advisory-db/CONTRIBUTING.md +34 -21
- data/data/ruby-advisory-db/CONTRIBUTORS.md +2 -0
- data/data/ruby-advisory-db/Gemfile +1 -1
- data/data/ruby-advisory-db/README.md +38 -21
- data/data/ruby-advisory-db/gems/RedCloth/{OSVDB-115941.yml → CVE-2012-6684.yml} +6 -1
- data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7576.yml +102 -102
- data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7581.yml +2 -2
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0751.yml +45 -45
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0752.yml +96 -0
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2097.yml +90 -0
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2098.yml +89 -0
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-6316.yml +57 -0
- data/data/ruby-advisory-db/gems/actionview/CVE-2016-0752.yml +80 -80
- data/data/ruby-advisory-db/gems/actionview/CVE-2016-2097.yml +89 -0
- data/data/ruby-advisory-db/gems/actionview/CVE-2016-6316.yml +56 -0
- data/data/ruby-advisory-db/gems/activemodel/CVE-2016-0753.yml +78 -78
- data/data/ruby-advisory-db/gems/activerecord/CVE-2015-7577.yml +91 -91
- data/data/ruby-advisory-db/gems/activerecord/CVE-2016-6317.yml +73 -0
- data/data/ruby-advisory-db/gems/administrate/CVE-2016-3098.yml +14 -0
- data/data/ruby-advisory-db/gems/aescrypt/CVE-2013-7463.yml +10 -0
- data/data/ruby-advisory-db/gems/archive-tar-minitar/CVE-2016-10173.yml +16 -0
- data/data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml +2 -1
- data/data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml +43 -0
- data/data/ruby-advisory-db/gems/espeak-ruby/CVE-2016-10193.yml +15 -0
- data/data/ruby-advisory-db/gems/festivaltts4r/CVE-2016-10194.yml +12 -0
- data/data/ruby-advisory-db/gems/git-fastclone/CVE-2015-8968.yml +21 -0
- data/data/ruby-advisory-db/gems/git-fastclone/CVE-2015-8969.yml +13 -0
- data/data/ruby-advisory-db/gems/mail/OSVDB-131677.yml +18 -11
- data/data/ruby-advisory-db/gems/minitar/CVE-2016-10173.yml +16 -0
- data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-8806.yml +42 -0
- data/data/ruby-advisory-db/gems/nokogiri/CVE-2016-4658.yml +32 -0
- data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-5029.yml +44 -0
- data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml +16 -0
- data/data/ruby-advisory-db/gems/rack-mini-profiler/CVE-2016-4442.yml +17 -0
- data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml +17 -0
- data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml +14 -0
- data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml +13 -0
- data/data/ruby-advisory-db/gems/spina/CVE-2015-4619.yml +16 -0
- data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml +1 -1
- data/data/ruby-advisory-db/rubies/ruby/CVE-2015-1855.yml +17 -0
- data/data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml +19 -0
- data/data/ruby-advisory-db/spec/advisory_example.rb +19 -4
- data/gemspec.yml +1 -1
- data/lib/bundler/audit/cli.rb +10 -5
- data/lib/bundler/audit/database.rb +13 -3
- data/lib/bundler/audit/version.rb +1 -1
- data/spec/bundle/secure/Gemfile +1 -1
- data/spec/cli_spec.rb +80 -25
- data/spec/database_spec.rb +5 -5
- data/spec/integration_spec.rb +2 -2
- metadata +35 -5
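--- a/data/data/ruby-advisory-db/gems/minitar/CVE-2016-10173.yml
+++ b/data/data/ruby-advisory-db/gems/minitar/CVE-2016-10173.yml
@@ -0,0 +1,16 @@
+---
+gem: minitar
+cve: 2016-10173
+url: https://github.com/halostatue/minitar/issues/16
+title: Minitar Directory Traversal Vulnerability
+date: 2016-08-22
+description: |
+  Minitar allows attackers to overwrite arbitrary files during archive
+  extraction via a .. (dot dot) in an extracted filename. Analogous
+  vulnerabilities for unzip and tar:
+  https://www.cvedetails.com/cve/CVE-2001-1268/ and
+  http://www.cvedetails.com/cve/CVE-2001-1267/
+
+  Credit: ecneladis
+patched_versions:
+  - ">= 0.6.1"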
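--- a/data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-8806.yml
+++ b/data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-8806.yml
@@ -0,0 +1,42 @@
+---
+gem: nokogiri
+cve: 2015-8806
+url: https://github.com/sparklemotion/nokogiri/issues/1473
+title: Denial of service or RCE from libxml2 and libxslt
+date: 2016-06-07
+description: |
+  Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt,
+  which are libraries Nokogiri depends on. It was discovered that libxml2 and
+  libxslt incorrectly handled certain malformed documents, which can allow
+  malicious users to cause issues ranging from denial of service to remote code
+  execution attacks.
+
+  For more information, the Ubuntu Security Notice is a good start:
+  http://www.ubuntu.com/usn/usn-2994-1/
+
+patched_versions:
+  - ">= 1.6.8"
+unaffected_versions:
+  - "< 1.6.0"
+related:
+  cve:
+    - 2016-1762
+    - 2016-1833
+    - 2016-1834
+    - 2016-1835
+    - 2016-1836
+    - 2016-1837
+    - 2016-1838
+    - 2016-1839
+    - 2016-1840
+    - 2016-2073
+    - 2016-3627
+    - 2016-3705
+    - 2016-4447
+    - 2016-4449
+    - 2016-4483
+  url:
+    - https://github.com/sparklemotion/nokogiri/issues/1473
+    - https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028
+    - https://mail.gnome.org/archives/xml/2016-May/msg00023.html
+    - http://www.ubuntu.com/usn/usn-2994-1/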
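--- a/data/data/ruby-advisory-db/gems/nokogiri/CVE-2016-4658.yml
+++ b/data/data/ruby-advisory-db/gems/nokogiri/CVE-2016-4658.yml
@@ -0,0 +1,32 @@
+---
+gem: nokogiri
+cve: 2016-4658
+url: https://github.com/sparklemotion/nokogiri/issues/1615
+title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
+date: 2017-03-11
+description: |
+  Nokogiri version 1.7.1 has been released, pulling in several upstream
+  patches to the vendored libxml2 to address the following CVEs:
+
+  CVE-2016-4658
+  CVSS v3 Base Score: 9.8 (Critical)
+  libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
+  watchOS before 3 allows remote attackers to execute arbitrary code or cause
+  a denial of service (memory corruption) via a crafted XML document.
+
+  CVE-2016-5131
+  CVSS v3 Base Score: 8.8 (HIGH)
+  Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google
+  Chrome before 52.0.2743.82, allows remote attackers to cause a denial of
+  service or possibly have unspecified other impact via vectors related to
+  the XPointer range-to function.
+
+cvss_v3: 9.8
+
+patched_versions:
+  - ">= 1.7.1"
+related:
+  cve:
+    - 2016-5131
+  url:
+    - https://github.com/sparklemotion/nokogiri/issues/1615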
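--- a/data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-5029.yml
+++ b/data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-5029.yml
@@ -0,0 +1,44 @@
+---
+gem: nokogiri
+cve: 2017-5029
+url: https://github.com/sparklemotion/nokogiri/issues/1634
+title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
+date: 2017-05-09
+description: |
+  nokogiri version 1.7.2 has been released.
+
+  This is a security update based on 1.7.1, addressing two upstream
+  libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical
+  and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.
+
+  These patches only apply when using Nokogiri's vendored libxslt
+  package. If you're using your distro's system libraries, there's no
+  need to upgrade from 1.7.0.1 or 1.7.1 at this time.
+
+  Full details are available at the github issue linked to in the
+  changelog below.
+
+  -----
+
+  # 1.7.2 / 2017-05-09
+
+  ## Security Notes
+
+  [MRI] Upstream libxslt patches are applied to the vendored libxslt
+  1.1.29 which address CVE-2017-5029 and CVE-2016-4738.
+
+  For more information:
+
+  * https://github.com/sparklemotion/nokogiri/issues/1634
+  * http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
+  * http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
+
+patched_versions:
+  - ">= 1.7.2"
+related:
+  cve:
+    - 2016-4738
+    - 2017-5029
+  url:
+    - http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
+    - http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html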
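--- a/data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml
+++ b/data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml
@@ -0,0 +1,16 @@
+---
+gem: passenger
+cve: 2016-10345
+url: https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
+title: Predictable tmp File Path Vulnerability in Phusion Passenger
+date: 2017-04-18
+
+description: >-
+  In Phusion Passenger before 5.1.0, a known /tmp filename was used during
+  passenger-install-nginx-module execution, which could allow local attackers
+  to gain the privileges of the passenger user.
+
+cvss_v3: 5.5
+
+patched_versions:
+  - ">= 5.1.0"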
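--- a/data/data/ruby-advisory-db/gems/rack-mini-profiler/CVE-2016-4442.yml
+++ b/data/data/ruby-advisory-db/gems/rack-mini-profiler/CVE-2016-4442.yml
@@ -0,0 +1,17 @@
+---
+gem: rack-mini-profiler
+cve: 2016-4442
+url: https://github.com/MiniProfiler/rack-mini-profiler/commit/4273771d65f1a7411e3ef5843329308d0e2d257c
+title: rack-mini-profiler may disclose information to unauthorized users
+date: 2016-05-18
+description: >-
+  Carefully crafted requests can expose information about
+  strings and objects allocated during the request for unauthorised
+  users.
+
+patched_versions:
+  - ">= 0.10.1"
+
+related:
+  url:
+    - http://seclists.org/oss-sec/2016/q2/516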
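--- a/data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml
+++ b/data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml
@@ -0,0 +1,17 @@
+---
+gem: ruby-saml
+cve: 2016-5697
+url: https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995
+title: XML signature wrapping attack
+date: 2016-06-24
+description: |
+  ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
+  in the specific scenario where there was a signature that referenced at the same time
+  2 elements (but past the scheme validator process since 1 of the element was inside
+  the encrypted assertion).
+
+  ruby-saml users must update to 1.3.0, which implements 3 extra validations to
+  mitigate this kind of attack.
+cvss_v3: 6.1
+patched_versions:
+  - ">= 1.3.0"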
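--- a/data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml
+++ b/data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml
@@ -0,0 +1,14 @@
+---
+gem: rubyzip
+cve: 2017-5946
+url: https://github.com/rubyzip/rubyzip/issues/315
+title: Directory traversal vulnerability in rubyzip
+date: 2017-02-27
+description: |
+  The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory
+  traversal vulnerability. If a site allows uploading of .zip files, an attacker
+  can upload a malicious file that uses "../" pathname substrings to write arbitrary
+  files to the filesystem.
+cvss_v3: 6.1
+patched_versions:
+  - ">= 1.2.1"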
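--- a/data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml
+++ b/data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml
@@ -0,0 +1,13 @@
+---
+gem: safemode
+cve: 2016-3693
+title: Safemode Gem for Ruby is vulnerable to information disclosure
+date: 2016-04-20
+url: http://seclists.org/oss-sec/2016/q2/119
+description: |
+  Safemode is initialised with an optional 'delegate' object.
+  If the delegated object is a Rails controller, 'inspect' could
+  be called which then exposes all informations about the App,
+  including routes, secret tokens, caches and so on.
+patched_versions:
+  - ">= 1.2.4"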
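--- a/data/data/ruby-advisory-db/gems/spina/CVE-2015-4619.yml
+++ b/data/data/ruby-advisory-db/gems/spina/CVE-2015-4619.yml
@@ -0,0 +1,16 @@
+---
+gem: spina
+cve: 2015-4619
+title: Cross-site request forgery (CSRF) vulnerability in Spina gem
+date: 2015-06-16
+url: http://www.openwall.com/lists/oss-security/2015/06/16/11
+
+description: >-
+  `Spina::ApplicationController` actions didn't have CSRF
+  protection. This causes a CSRF vulnerability across the
+  entire engine which includes administrative functionality
+  such as creating users, changing passwords,
+  and media management.
+
+patched_versions:
+  - ">= 0.6.29"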
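--- a/data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml
+++ b/data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml
@@ -3,7 +3,7 @@ gem: twitter-bootstrap-rails
 framework: rails
 cve: 2014-4920
 osvdb: 109206
-url:
+url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter/
 title: Reflective XSS Vulnerability in twitter-bootstrap-rails
 date: 2014-03-25
 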
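--- a/data/data/ruby-advisory-db/rubies/ruby/CVE-2015-1855.yml
+++ b/data/data/ruby-advisory-db/rubies/ruby/CVE-2015-1855.yml
@@ -0,0 +1,17 @@
+---
+engine: ruby
+cve: 2015-1855
+url: https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
+title: Ruby OpenSSL Hostname Verification
+date: 2015-04-13
+description: |
+  After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching
+  hostnames and particularly wildcard certificates.
+  Ruby’s OpenSSL extension will now provide a string-based matching algorithm which
+  follows more strict behavior, as recommended by these RFCs. In particular,
+  matching of more than one wildcard per subject/SAN is no-longer allowed. As well,
+  comparison of these values is now case-insensitive.
+patched_versions:
+  - ~> 2.0.0.645
+  - ~> 2.1.6
+  - ">= 2.2.2"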
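--- a/data/data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml
+++ b/data/data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml
@@ -0,0 +1,19 @@
+---
+engine: ruby
+cve: 2015-9096
+url: https://hackerone.com/reports/137631
+title: SMTP command injection
+date: 2015-12-09
+description: |
+  Net::SMTP is vulnerable to SMTP command injection via CRLF sequences
+  in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences
+  immediately before and after a DATA substring.
+
+  Applications that validate email address format are not affected by this
+  vulnerability.
+
+  The injection attack is described in Terada, Takeshi. "SMTP Injection via
+  Recipient Email Addresses." 2015. The attacks described in the paper
+  (Terada, p. 4) can be applied to without any modification.
+patched_versions:
+  - ">= 2.4.0"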
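--- a/data/data/ruby-advisory-db/spec/advisory_example.rb
+++ b/data/data/ruby-advisory-db/spec/advisory_example.rb
@@ -59,8 +59,8 @@ shared_examples_for 'Advisory' do |path|
   describe "osvdb" do
     subject { advisory['osvdb'] }
 
-    it "may be nil or a
-      expect(subject).to be_kind_of(
+    it "may be nil or a Integer" do
+      expect(subject).to be_kind_of(Integer).or(be_nil)
     end
 
     it "should be id in filename if filename is OSVDB-XXX" do
@@ -112,6 +112,21 @@ shared_examples_for 'Advisory' do |path|
     end
   end
 
+  describe "cvss_v3" do
+    subject { advisory['cvss_v3'] }
+
+    it "may be nil or a Float" do
+      expect(subject).to be_kind_of(Float).or(be_nil)
+    end
+
+    case advisory['cvss_v3']
+    when Float
+      context "when a Float" do
+        it { expect((0.0)..(10.0)).to include(subject) }
+      end
+    end
+  end
+
   describe "patched_versions" do
     subject { advisory['patched_versions'] }
 
@@ -124,7 +139,7 @@ shared_examples_for 'Advisory' do |path|
     advisory['patched_versions'].each do |version|
       describe version do
         subject { version.split(', ') }
-
+
         it "should contain valid RubyGem version requirements" do
           expect {
             Gem::Requirement.new(*subject)
@@ -148,7 +163,7 @@ shared_examples_for 'Advisory' do |path|
     advisory['unaffected_versions'].each do |version|
       describe version do
         subject { version.split(', ') }
-
+
         it "should contain valid RubyGem version requirements" do
           expect {
             Gem::Requirement.new(*subject)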
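Review bot: The new `cvss_v3` example in the second hunk accepts only `Float` or nil, but YAML loads a whole-number score such as `cvss_v3: 10` or `cvss_v3: 7` as an `Integer`, so an advisory scored that way fails the type example and is also skipped entirely by the `when Float` range check. Using `expect(subject).to be_kind_of(Numeric).or(be_nil)` in the example and `when Numeric` in the `case` covers both spellings, and the `(0.0)..(10.0)` inclusion check still rejects anything outside the CVSS range. That also keeps this example parallel in shape to the `osvdb` example just above, which the first hunk widens to `Integer`.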
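--- a/data/gemspec.yml
+++ b/data/gemspec.yml
@@ -1,7 +1,7 @@
 name: bundler-audit
 summary: Patch-level verification for Bundler
 description: bundler-audit provides patch-level verification for Bundled apps.
-license:
+license: GPL-3.0+
 authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme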
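--- a/data/lib/bundler/audit/cli.rb
+++ b/data/lib/bundler/audit/cli.rb
@@ -30,6 +30,7 @@ module Bundler
       map '--version' => :version
 
       desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
       method_option :verbose, :type => :boolean, :aliases => '-v'
       method_option :ignore, :type => :array, :aliases => '-i'
       method_option :update, :type => :boolean, :aliases => '-u'
@@ -55,17 +56,19 @@ module Bundler
           say "Vulnerabilities found!", :red
           exit 1
         else
-          say
+          say("No vulnerabilities found", :green) unless options.quiet?
         end
       end
 
       desc 'update', 'Updates the ruby-advisory-db'
+      method_option :quiet, :type => :boolean, :aliases => '-q'
+
       def update
-        say
+        say("Updating ruby-advisory-db ...") unless options.quiet?
 
-        case Database.update!
+        case Database.update!(quiet: options.quiet?)
         when true
-          say
+          say("Updated ruby-advisory-db", :green) unless options.quiet?
         when false
           say "Failed updating ruby-advisory-db!", :red
           exit 1
@@ -73,7 +76,9 @@ module Bundler
           say "Skipping update", :yellow
         end
 
-
+        unless options.quiet?
+          puts("ruby-advisory-db: #{Database.new.size} advisories")
+        end
       end
 
       desc 'version', 'Prints the bundler-audit version'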
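Review bot: The advisory count added in the third hunk is written with `puts` while every other message in `update` goes through Thor's `say`, so this one line bypasses the Thor shell object and presumably whatever output capture or shell configuration the surrounding `say` calls honour; `say("ruby-advisory-db: #{Database.new.size} advisories") unless options.quiet?` keeps it consistent with its neighbours. The `:quiet` method_option is also declared twice, once on `check` and once on `update`, where a single `class_option :quiet, :type => :boolean, :aliases => '-q'` would define the flag once for both commands. Both `check` and `update` begin or end outside the hunks shown here.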
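--- a/data/lib/bundler/audit/database.rb
+++ b/data/lib/bundler/audit/database.rb
@@ -82,6 +82,9 @@ module Bundler
       #
       # Updates the ruby-advisory-db.
       #
+      # @param [Boolean, quiet]
+      # Specify whether `git` should be `--quiet`.
+      #
       # @return [Boolean, nil]
       # Specifies whether the update was successful.
       # A `nil` indicates no update was performed.
@@ -91,15 +94,22 @@ module Bundler
       #
       # @since 0.3.0
       #
-      def self.update!
+      def self.update!(options={})
+        raise "Invalid option(s)" unless (options.keys - [:quiet]).empty?
         if File.directory?(USER_PATH)
           if File.directory?(File.join(USER_PATH, ".git"))
             Dir.chdir(USER_PATH) do
-
+              command = %w(git pull)
+              command << '--quiet' if options[:quiet]
+              command << 'origin' << 'master'
+              system *command
             end
           end
         else
-
+          command = %w(git clone)
+          command << '--quiet' if options[:quiet]
+          command << URL << USER_PATH
+          system *command
         end
       end
 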
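Review bot: Both `system *command` calls in `self.update!` return nil rather than false when `git` cannot be executed at all, and the method already uses nil to mean "no update was performed", so a missing or broken git binary is indistinguishable from a deliberate skip and the caller in cli.rb apparently reports it as "Skipping update" instead of a failed refresh of the advisory database. Returning `system(*command) || false` in both the pull and clone branches keeps the documented `[Boolean, nil]` contract while letting callers fail closed when the database could not be fetched. The unknown-option guard would also be more useful as `raise ArgumentError, "Invalid option(s): #{(options.keys - [:quiet]).inspect}"`, since a bare RuntimeError names neither the offending key nor the fact that it is a caller error. The new YARD tag in the first hunk, `# @param [Boolean, quiet]`, is malformed; it should read `# @param [Hash] options` followed by `# @option options [Boolean] :quiet` with the existing description.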