bundler-audit 0.5.0 → 0.8.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 650484979d4eb765a3c725eb4b31303d24fe5b59
-  data.tar.gz: dfc8d83b2c4488bf7284103276941bd4ab8d5f1c
+SHA256:
+  metadata.gz: 94290135207c14256ac6d7251be3f0641619ec1273c562bb9c14a1b8ee8e28d5
+  data.tar.gz: 83d1b6b88e88d5c850d7daadde5d3235389c9620ab35414d78f1be13cd54387d
 SHA512:
-  metadata.gz: 4da6b5b6f801ee56c94b581c2190d0cf0f607c347269b1ad5c5b3ce3bfbfdcf4e8679abc9f4d5f34542587936beede85315ba25ebc78dffe077e52ac670ecc62
-  data.tar.gz: 961867353bb8145023a2f9ab6ba41e609c8594c697adc1c6c3e4e86708e3d39b9c6326a1d8baafeff521101a8109f0b9a9edf15e8ded29383e9e29606f36a523
+  metadata.gz: 28a461def90014d7d1dea437c17637d342bb8a46a08d1874091effa135a9303b621428ecf57d497867db2a9bda4d76bea032197e447edf8730432558ee1208cd
+  data.tar.gz: 400fb39383074b315b5d2d7e9339da907f24554c99a00358bd309ca7d6101443229997bb49cb54d8d473e4d6acf3793b294c795349dcc3d0615683e283fbd17a

data/.github/workflows/ruby.yml

@@ -0,0 +1,28 @@
+name: CI
+
+on: [ push, pull_request ]
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - 2.4
+          - 2.5
+          - 2.6
+          - 2.7
+          - jruby
+          - truffleruby
+    name: Ruby ${{ matrix.ruby }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+      - name: Run tests
+        run: bundle exec rake test

data/.gitignore

@@ -5,7 +5,7 @@ doc/
 .yardoc/
 coverage/
 pkg/
-spec/bundle/*/Gemfile.lock
 spec/bundle/*/.bundle/
+spec/fixtures/database
 vendor/bundle/
 tmp/

data/.rspec

@@ -1 +1 @@
---colour --format documentation
+--colour --format documentation --exclude-pattern spec/fixtures/**/*_spec.rb

data/ChangeLog.md

@@ -1,4 +1,86 @@
-### 0.5.0 / 2015-02-28
+### 0.8.0 / 2020-12-XX
+
+* No longer vendor [ruby-advisory-db].
+* Added {Bundler::Audit::Configuration}.
+  * Supports loading YAML configuration data from a `.bundler-audit.yml` file.
+* Added {Bundler::Audit::Results}.
+* Added {Bundler::Audit::Report}.
+* Added {Bundler::Audit::CLI::Formats}.
+* Added {Bundler::Audit::CLI::Formats::Text}.
+* Added {Bundler::Audit::CLI::Formats::JSON}.
+* Added {Bundler::Audit::Database::DEFAULT_PATH}.
+* Added {Bundler::Audit::Database.exists?}.
+* Added {Bundler::Audit::Database#git?}.
+* Added {Bundler::Audit::Database#update!}.
+  * Will raise a {Bundler::Audit::Database::UpdateFailed UpdateFailed}
+    exception, if the `git pull` command fails.
+* Added {Bundler::Audit::Database#last_updated_at}.
+* Added {Bundler::Audit::Scanner#report}.
+* {Bundler::Audit::Database::USER_PATH} is now `Gem.user_home` aware.
+  * `Gem.user_home` will try to infer `HOME`, even if it is not set.
+* {Bundler::Audit::Database#download} will now raise a
+  {Bundler::Audit::Database::DownloadFailed DownloadFailed} exception, if the
+  `git clone` command fails.
+* {Bundler::Audit::Scanner#initialize}:
+  * Now accepts an additional `database` and `config_dot_file` arguments.
+  * Will now raise a `Bundler::GemfileLockNotFound` exception,
+    if the given `Gemfile.lock` file cannot be found.
+* {Bundler::Audit::Scanner#scan_sources} will now ignore any source with a
+  `127.0.0.0/8` or `::1/128` IP address.
+* {Bundler::Audit::Scanner#scan_specs} will ignore any advisories listed in
+  {Bundler::Audit::Configuration#ignore}, which is loaded from the
+  `.bundler-audit.yml` file.
+* Deprecated {Bundler::Audit::Database.update!} in favor of
+  {Bundler::Audit::Database#update! #update!}.
+* Removed `Bundler::Audit::Database::VENDORED_PATH`.
+* Removed `Bundler::Audit::Database::VENDORED_TIMESTAMP`.
+
+#### CLI
+
+* Added `bundle-audit stats`.
+* Added `bundle-audit download`.
+* `bundle-audit check`:
+  * Now accepts a optional `DIR` argument for the project directory.
+    * `bundle-audit check` will now print an explicit error message and exit,
+      if the given `DIR` does not exist.
+  * Will now auto-download/auto-update [ruby-advisory-db] to
+    ensure the latest advisory information.
+  * Now supports a `--database` option for specifying a path
+    to an alternative [ruby-advisory-db] copy.
+  * Now supports a `--gemfile-lock` option for specifying a
+    custom `Gemfile.lock` file within the project directory.
+  * Now supports a `--format` option for specifying the
+    desired format. `text` and `json` are supported, but other custom formats
+    can be loaded. See {Bundler::Audit::CLI::Formats}.
+  * Now supports a `--output` option for writing the report output to a file.
+
+### 0.7.0.1 / 2020-06-12
+
+* Forgot to populate `data/ruby-advisory-db`.
+
+### 0.7.0 / 2020-06-12
+
+* Require [thor] >= 0.18, < 2.
+* Added {Bundler::Audit::Advisory#ghsa} (@rschultheis).
+* Added {Bundler::Audit::Advisory#cvss_v3} (@ahamlin-nr).
+* Added {Bundler::Audit::Advisory#identifiers} (@rschultheis).
+* Updated {Bundler::Audit::Advisory#criticality} ranges (@reedloden).
+* Avoid rebasing the ruby-advisory-db when updating (@nicknovitski).
+* Fixed issue with Bundler 2.x where source URIs are no longer parsed as
+  `URI::HTTP` objects, but as `Bundler::URI::HTTP` objects. (@milgner)
+* Make it more explicit that git is required for database updates (@fatkodima)
+
+### 0.6.1 / 2019-01-17
+
+* Require bundler `>= 1.2.0, < 3` to support [bundler] 2.0.
+
+### 0.6.0 / 2017-07-18
+
+* Added `--quiet` option to `check` and `update` commands (@jaredbeck).
+* Added `bin/bundler-audit` which will be executed when `bundle audit` is ran
+  (@vassilevsky).
+
+### 0.5.0 / 2016-02-28
 
 * Added {Bundler::Audit::Task}.
 * Added {Bundler::Audit::Advisory#date}.
@@ -116,4 +198,5 @@
 * [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
 
 [bundler]: http://gembundler.com/
+[thor]: http://whatisthor.com/
 [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme

data/Gemfile

@@ -3,11 +3,11 @@ source 'https://rubygems.org/'
 gemspec
 
 group :development do
-  gem 'rake',           '~> 10.0'
-  gem 'kramdown',       '~> 0.14'
+  gem 'rake'
+  gem 'kramdown',       '~> 2.0'
 
   gem 'rubygems-tasks', '~> 0.2'
   gem 'rspec',          '~> 3.0'
-  gem 'yard',           '~> 0.8'
+  gem 'yard',           '~> 0.9'
   gem 'simplecov',      '~> 0.7', :require => false
 end

data/README.md

@@ -1,15 +1,15 @@
 # bundler-audit
+[![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg?branch=master)](https://travis-ci.org/rubysec/bundler-audit)
+[![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
 
 * [Homepage](https://github.com/rubysec/bundler-audit#readme)
 * [Issues](https://github.com/rubysec/bundler-audit/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
-* [Email](mailto:rubysec.mod3 at gmail.com)
-* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg)](https://travis-ci.org/rubysec/bundler-audit)
-* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
+* [Email](mailto:postmodern.mod3 at gmail.com)
 
 ## Description
 
-Patch-level verification for [Bundler][bundler].
+Patch-level verification for [bundler].
 
 ## Features
 
@@ -21,7 +21,7 @@ Patch-level verification for [Bundler][bundler].
 
 ## Synopsis
 
-Audit a projects `Gemfile.lock`:
+Audit a project's `Gemfile.lock`:
 
     $ bundle-audit
     Name: actionpack
@@ -82,7 +82,7 @@ Audit a projects `Gemfile.lock`:
 
     Unpatched versions found!
 
-Update the [ruby-advisory-db] that `bundle-audit` uses:
+Update the [ruby-advisory-db] that `bundle audit` uses:
 
     $ bundle-audit update
     Updating ruby-advisory-db ...
@@ -112,33 +112,94 @@ Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
 
     $ bundle-audit check --update
 
+Checking the `Gemfile.lock` without updating the [ruby-advisory-db]:
+
+    $ bundle-audit check --no-update
+
 Ignore specific advisories:
 
     $ bundle-audit check --ignore OSVDB-108664
 
+Checking a custom `Gemfile.lock` file:
+
+    $ bundle-audit check --gemfile Gemfile.custom.lock
+
+Output the audit's results in JSON:
+
+    $ bundle-audit check --format json
+
+Output the audit's results in JSON, to a file:
+
+    $ bundle-audit check --format json --output bundle-audit.json
+
 Rake task:
 
 ```ruby
-require_relative 'lib/bundler/audit/task'
+require 'bundler/audit/task'
 Bundler::Audit::Task.new
 
 task default: 'bundle:audit'
 ```
 
+## Configuration File
+
+bundler-audit also supports a per-project configuration file:
+
+`.bundler-audit.yml`:
+
+    ---
+    ignore:
+      - CVE-YYYY-XXXX
+      - ...
+
+* `ignore:` \[Array\<String\>\] - A list of advisory IDs to ignore.
+
 ## Requirements
 
-* [Ruby] >= 1.9.3
-* [RubyGems] >= 1.8
-* [thor] ~> 0.18
-* [bundler] ~> 1.2
+* [git]
+* [ruby] >= 1.9.3
+* [rubygems] >= 1.8
+* [thor] >= 0.18, < 2
+* [bundler] >= 1.2.0, < 3
 
 ## Install
 
-    $ gem install bundler-audit
+    $ [sudo] gem install bundler-audit
+
+### Git
+
+* Debian / Ubuntu:
+
+      $ sudo apt install git
+
+* RedHat / Fedora:
+
+      $ sudo dnf install git
+
+* Alpine Linux:
+
+      $ apk add git
+
+* macOS:
+
+      $ brew install git
+
+## Contributing
+
+1. https://github.com/rubysec/bundler-audit/fork
+2. `git clone YOUR_FORK_URI`
+3. `cd bundler-audit/`
+4. `budle install`
+5. `bundle exec rake spec`
+6. `git checkout -b YOUR_FEATURE`
+7. Make your changes
+8. `bundle exec rake spec`
+9. `git commit -a`
+10. `git push origin YOUR_FEATURE`
 
 ## License
 
-Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -153,10 +214,12 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 
-[Ruby]: https://ruby-lang.org
-[RubyGems]: https://rubygems.org
+[git]: https://git-scm.com
+[ruby]: https://ruby-lang.org
+[rubygems]: https://rubygems.org
 [thor]: http://whatisthor.com/
 [bundler]: https://github.com/carlhuda/bundler#readme
+[git]: https://github.com/git/git
 
 [OSVDB]: http://osvdb.org/
 [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db

data/Rakefile

@@ -14,40 +14,23 @@ require 'time'
 require 'rubygems/tasks'
 Gem::Tasks.new
 
-namespace :db do
-  desc 'Updates data/ruby-advisory-db'
-  task :update do
-    timestamp = nil
-
-    chdir 'data/ruby-advisory-db' do
-      sh 'git', 'pull', 'origin', 'master'
-
-      File.open('../ruby-advisory-db.ts','w') do |file|
-        file.write Time.parse(`git log --pretty="%cd" -1`).utc
-      end
-    end
-
-    sh 'git', 'commit', 'data/ruby-advisory-db',
-                        'data/ruby-advisory-db.ts',
-                        '-m', 'Updated ruby-advisory-db'
-  end
-end
-
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new
 
-namespace :spec do
-  task :bundle do
-    root = 'spec/bundle'
+%w[secure unpatched_gems insecure_sources].each do |bundle|
+  bundle_dir   = File.join('spec/bundle',bundle)
+  gemfile      = File.join(bundle_dir,'Gemfile')
+  gemfile_lock = File.join(bundle_dir,'Gemfile.lock')
 
-    %w[secure unpatched_gems insecure_sources].each do |bundle|
-      chdir(File.join(root,bundle)) do
-        sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
-      end
+  file gemfile_lock => gemfile do
+    chdir(bundle_dir) do
+      sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
     end
   end
+
+  desc "Generates the spec/bundler/*/Gemfile.lock files"
+  task 'spec:bundle' => gemfile_lock
 end
-task :spec => 'spec:bundle'
 
 task :test    => :spec
 task :default => :spec

data/bin/bundler-audit

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+
+load File.expand_path('../bundle-audit', __FILE__)

data/bundler-audit.gemspec

@@ -26,13 +26,6 @@ Gem::Specification.new do |gem|
   gem.files = `git ls-files`.split($/)
   gem.files = glob[gemspec['files']] if gemspec['files']
 
-  # add paths from data/ruby-advisory-db/
-  gem.files += Dir.chdir('data/ruby-advisory-db') do
-    `git ls-files`.split($/).map do |sub_path|
-      File.join('data','ruby-advisory-db',sub_path)
-    end
-  end
-
   gem.executables = gemspec.fetch('executables') do
     glob['bin/*'].map { |path| File.basename(path) }
   end

data/gemspec.yml

@@ -1,7 +1,7 @@
 name: bundler-audit
 summary: Patch-level verification for Bundler
 description: bundler-audit provides patch-level verification for Bundled apps.
-license: GPLv3
+license: GPL-3.0+
 authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme
@@ -10,5 +10,5 @@ required_ruby_version: ">= 1.9.3"
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
-  thor: ~> 0.18
-  bundler: ~> 1.2
+  thor: ">= 0.18, < 2"
+  bundler: ">= 1.2.0, < 3"

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -26,8 +26,10 @@ module Bundler
                                 :date,
                                 :description,
                                 :cvss_v2,
+                                :cvss_v3,
                                 :cve,
                                 :osvdb,
+                                :ghsa,
                                 :unaffected_versions,
                                 :patched_versions)
 
@@ -63,8 +65,10 @@ module Bundler
           data['date'],
           data['description'],
           data['cvss_v2'],
+          data['cvss_v3'],
           data['cve'],
           data['osvdb'],
+          data['ghsa'],
           parse_versions[data['unaffected_versions']],
           parse_versions[data['patched_versions']]
         )
@@ -88,17 +92,53 @@ module Bundler
         "OSVDB-#{osvdb}" if osvdb
       end
 
+      #
+      # The GHSA (GitHub Security Advisory) identifier
+      #
+      # @return [String, nil]
+      #
+      # @since 0.7.0
+      #
+      def ghsa_id
+        "GHSA-#{ghsa}" if ghsa
+      end
+
+      #
+      # Return a compacted list of all ids
+      #
+      # @return [Array<String>]
+      #
+      # @since 0.7.0
+      #
+      def identifiers
+        [
+          cve_id,
+          osvdb_id,
+          ghsa_id
+        ].compact
+      end
+
       #
       # Determines how critical the vulnerability is.
       #
-      # @return [:low, :medium, :high]
-      #   The criticality of the vulnerability based on the CVSSv2 score.
+      # @return [:none, :low, :medium, :high, :critical, nil]
+      #   The criticality of the vulnerability based on the CVSS score.
       #
       def criticality
-        case cvss_v2
-        when 0.0..3.3  then :low
-        when 3.3..6.6  then :medium
-        when 6.6..10.0 then :high
+        if cvss_v3
+          case cvss_v3
+          when 0.0       then :none
+          when 0.1..3.9  then :low
+          when 4.0..6.9  then :medium
+          when 7.0..8.9  then :high
+          when 9.0..10.0 then :critical
+          end
+        elsif cvss_v2
+          case cvss_v2
+          when 0.0..3.9  then :low
+          when 4.0..6.9  then :medium
+          when 7.0..10.0 then :high
+          end
         end
       end
 
@@ -149,6 +189,17 @@ module Bundler
         !patched?(version) && !unaffected?(version)
       end
 
+      #
+      # Compares two advisories.
+      #
+      # @param [Advisory] other
+      #
+      # @return [Boolean]
+      #
+      def ==(other)
+        id == other.id
+      end
+
       alias to_s id
 
     end