bundler-audit 0.6.0 → 0.6.1
- checksums.yaml +5 -5
- data/.travis.yml +4 -3
- data/ChangeLog.md +4 -0
- data/Gemfile +1 -1
- data/README.md +8 -8
- data/gemspec.yml +1 -1
- data/lib/bundler/audit.rb +1 -1
- data/lib/bundler/audit/advisory.rb +1 -1
- data/lib/bundler/audit/cli.rb +1 -1
- data/lib/bundler/audit/database.rb +1 -1
- data/lib/bundler/audit/scanner.rb +5 -2
- data/lib/bundler/audit/version.rb +2 -2
- data/spec/bundle/insecure_sources/Gemfile +2 -37
- data/spec/bundle/secure/Gemfile +1 -36
- data/spec/bundle/unpatched_gems/Gemfile +1 -36
- data/spec/integration_spec.rb +5 -5
- metadata +13 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 9a3d576304278048394827d4322e8e4be389a2a899b3e22bff638a0aaffcf91a
|
4
|
+
data.tar.gz: 025cf42cf42c6e868b1de3b07066aafe6e55878fe13f53f34c3e40396b44ba27
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4485f6c903fcda454232c9305aaefb7d170edc6d6ea4bb8d766880a4135460dde1b3249cb28a87434ae3f01138d60c8bc0792e36b31e2b2893d314ae8cfb5acd
|
7
|
+
data.tar.gz: c273401ad1f90286ff8a0981e858320cd2b14aa65718338ab7c54bb43b77cbf423848d982852217ab763e44b32ea9f6d977ce26e8dbc1f793cb405c52da3be82
|
data/.travis.yml
CHANGED
data/ChangeLog.md
CHANGED
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -3,13 +3,13 @@
|
|
3
3
|
* [Homepage](https://github.com/rubysec/bundler-audit#readme)
|
4
4
|
* [Issues](https://github.com/rubysec/bundler-audit/issues)
|
5
5
|
* [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
|
6
|
-
* [Email](mailto:
|
6
|
+
* [Email](mailto:postmodern.mod3 at gmail.com)
|
7
7
|
* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg)](https://travis-ci.org/rubysec/bundler-audit)
|
8
8
|
* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
|
9
9
|
|
10
10
|
## Description
|
11
11
|
|
12
|
-
Patch-level verification for [
|
12
|
+
Patch-level verification for [bundler].
|
13
13
|
|
14
14
|
## Features
|
15
15
|
|
@@ -127,8 +127,8 @@ task default: 'bundle:audit'
|
|
127
127
|
|
128
128
|
## Requirements
|
129
129
|
|
130
|
-
* [
|
131
|
-
* [
|
130
|
+
* [ruby] >= 1.9.3
|
131
|
+
* [rubygems] >= 1.8
|
132
132
|
* [thor] ~> 0.18
|
133
133
|
* [bundler] ~> 1.2
|
134
134
|
|
@@ -139,12 +139,12 @@ task default: 'bundle:audit'
|
|
139
139
|
## Contributing
|
140
140
|
|
141
141
|
1. Clone the repo
|
142
|
-
1. `git submodule update --init` # To populate data
|
142
|
+
1. `git submodule update --init` # To populate data/ruby-advisory-db
|
143
143
|
1. `bundle exec rake`
|
144
144
|
|
145
145
|
## License
|
146
146
|
|
147
|
-
Copyright (c) 2013-
|
147
|
+
Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
|
148
148
|
|
149
149
|
bundler-audit is free software: you can redistribute it and/or modify
|
150
150
|
it under the terms of the GNU General Public License as published by
|
@@ -159,8 +159,8 @@ GNU General Public License for more details.
|
|
159
159
|
You should have received a copy of the GNU General Public License
|
160
160
|
along with bundler-audit. If not, see <http://www.gnu.org/licenses/>.
|
161
161
|
|
162
|
-
[
|
163
|
-
[
|
162
|
+
[ruby]: https://ruby-lang.org
|
163
|
+
[rubygems]: https://rubygems.org
|
164
164
|
[thor]: http://whatisthor.com/
|
165
165
|
[bundler]: https://github.com/carlhuda/bundler#readme
|
166
166
|
|
data/gemspec.yml
CHANGED
data/lib/bundler/audit.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright (c) 2013-
|
2
|
+
# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
|
3
3
|
#
|
4
4
|
# bundler-audit is free software: you can redistribute it and/or modify
|
5
5
|
# it under the terms of the GNU General Public License as published by
|
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright (c) 2013-
|
2
|
+
# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
|
3
3
|
#
|
4
4
|
# bundler-audit is free software: you can redistribute it and/or modify
|
5
5
|
# it under the terms of the GNU General Public License as published by
|
data/lib/bundler/audit/cli.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright (c) 2013-
|
2
|
+
# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
|
3
3
|
#
|
4
4
|
# bundler-audit is free software: you can redistribute it and/or modify
|
5
5
|
# it under the terms of the GNU General Public License as published by
|
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright (c) 2013-
|
2
|
+
# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
|
3
3
|
#
|
4
4
|
# bundler-audit is free software: you can redistribute it and/or modify
|
5
5
|
# it under the terms of the GNU General Public License as published by
|
@@ -36,11 +36,14 @@ module Bundler
|
|
36
36
|
# @param [String] root
|
37
37
|
# The path to the project root.
|
38
38
|
#
|
39
|
-
|
39
|
+
# @param [String] gemfile_lock
|
40
|
+
# Alternative name for the `Gemfile.lock` file.
|
41
|
+
#
|
42
|
+
def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock')
|
40
43
|
@root = File.expand_path(root)
|
41
44
|
@database = Database.new
|
42
45
|
@lockfile = LockfileParser.new(
|
43
|
-
File.read(File.join(@root,
|
46
|
+
File.read(File.join(@root,gemfile_lock))
|
44
47
|
)
|
45
48
|
end
|
46
49
|
|
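Review bot: The new `gemfile_lock` argument is joined onto `@root` and handed straight to `File.read`, so a missing or misnamed lockfile surfaces as a raw `Errno::ENOENT` from inside `LockfileParser.new(...)` rather than as a scanner-level error; consider `path = File.join(@root, gemfile_lock)` followed by `raise ArgumentError, "lockfile not found: #{path}" unless File.file?(path)` before the parser call. The YARD comment `Alternative name for the \`Gemfile.lock\` file` understates what the parameter accepts — `File.join` does not normalise, so a value containing directory components resolves relative to `@root` (and `..` escapes it); either document that a relative path is accepted or state that a bare filename is expected. The signature would also read better spaced per the style guide, `def initialize(root = Dir.pwd, gemfile_lock = 'Gemfile.lock')`. Nothing else on this page passes a custom lockfile name (the cli.rb hunk is copyright-only), so if the CLI is meant to expose it, that wiring is missing. The enclosing class continues outside the hunk.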
@@ -1,5 +1,5 @@
|
|
1
1
|
#
|
2
|
-
# Copyright (c) 2013-
|
2
|
+
# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
|
3
3
|
#
|
4
4
|
# bundler-audit is free software: you can redistribute it and/or modify
|
5
5
|
# it under the terms of the GNU General Public License as published by
|
@@ -18,6 +18,6 @@
|
|
18
18
|
module Bundler
|
19
19
|
module Audit
|
20
20
|
# bundler-audit version
|
21
|
-
VERSION = '0.6.
|
21
|
+
VERSION = '0.6.1'
|
22
22
|
end
|
23
23
|
end
|
@@ -1,39 +1,4 @@
|
|
1
1
|
source 'http://rubygems.org'
|
2
2
|
|
3
|
-
gem 'rails'
|
4
|
-
|
5
|
-
# Bundle edge Rails instead:
|
6
|
-
# gem 'rails', :git => 'git://github.com/rails/rails.git'
|
7
|
-
|
8
|
-
gem 'sqlite3', platform: [:mri, :rbx]
|
9
|
-
|
10
|
-
|
11
|
-
# Gems used only for assets and not required
|
12
|
-
# in production environments by default.
|
13
|
-
group :assets do
|
14
|
-
# gem 'sass-rails', '~> 3.2.3'
|
15
|
-
# gem 'coffee-rails', '~> 3.2.1'
|
16
|
-
|
17
|
-
# See https://github.com/sstephenson/execjs#readme for more supported runtimes
|
18
|
-
# gem 'therubyracer', :platforms => :ruby
|
19
|
-
|
20
|
-
# gem 'uglifier', '>= 1.0.3'
|
21
|
-
end
|
22
|
-
|
23
|
-
gem 'jquery-rails', :git => 'git://github.com/rails/jquery-rails.git',
|
24
|
-
:tag => 'v2.2.1'
|
25
|
-
|
26
|
-
# To use ActiveModel has_secure_password
|
27
|
-
# gem 'bcrypt-ruby', '~> 3.0.0'
|
28
|
-
|
29
|
-
# To use Jbuilder templates for JSON
|
30
|
-
# gem 'jbuilder'
|
31
|
-
|
32
|
-
# Use unicorn as the app server
|
33
|
-
# gem 'unicorn'
|
34
|
-
|
35
|
-
# Deploy with Capistrano
|
36
|
-
# gem 'capistrano'
|
37
|
-
|
38
|
-
# To use debugger
|
39
|
-
# gem 'debugger'
|
3
|
+
gem 'rails'
|
4
|
+
gem 'jquery-rails', git: 'git://github.com/rails/jquery-rails.git'
|
data/spec/bundle/secure/Gemfile
CHANGED
@@ -1,38 +1,3 @@
|
|
1
1
|
source 'https://rubygems.org'
|
2
2
|
|
3
|
-
gem 'rails', '~>
|
4
|
-
|
5
|
-
# Bundle edge Rails instead:
|
6
|
-
# gem 'rails', :git => 'git://github.com/rails/rails.git'
|
7
|
-
|
8
|
-
gem 'sqlite3', platform: [:mri, :rbx]
|
9
|
-
|
10
|
-
|
11
|
-
# Gems used only for assets and not required
|
12
|
-
# in production environments by default.
|
13
|
-
group :assets do
|
14
|
-
# gem 'sass-rails', '~> 3.2.3'
|
15
|
-
# gem 'coffee-rails', '~> 3.2.1'
|
16
|
-
|
17
|
-
# See https://github.com/sstephenson/execjs#readme for more supported runtimes
|
18
|
-
# gem 'therubyracer', :platforms => :ruby
|
19
|
-
|
20
|
-
# gem 'uglifier', '>= 1.0.3'
|
21
|
-
end
|
22
|
-
|
23
|
-
gem 'jquery-rails'
|
24
|
-
|
25
|
-
# To use ActiveModel has_secure_password
|
26
|
-
# gem 'bcrypt-ruby', '~> 3.0.0'
|
27
|
-
|
28
|
-
# To use Jbuilder templates for JSON
|
29
|
-
# gem 'jbuilder'
|
30
|
-
|
31
|
-
# Use unicorn as the app server
|
32
|
-
# gem 'unicorn'
|
33
|
-
|
34
|
-
# Deploy with Capistrano
|
35
|
-
# gem 'capistrano'
|
36
|
-
|
37
|
-
# To use debugger
|
38
|
-
# gem 'debugger'
|
3
|
+
gem 'rails', '~> 5.2'
|
@@ -1,38 +1,3 @@
|
|
1
1
|
source 'https://rubygems.org'
|
2
2
|
|
3
|
-
gem '
|
4
|
-
|
5
|
-
# Bundle edge Rails instead:
|
6
|
-
# gem 'rails', :git => 'git://github.com/rails/rails.git'
|
7
|
-
|
8
|
-
gem 'sqlite3', platform: [:mri, :rbx]
|
9
|
-
|
10
|
-
|
11
|
-
# Gems used only for assets and not required
|
12
|
-
# in production environments by default.
|
13
|
-
group :assets do
|
14
|
-
# gem 'sass-rails', '~> 3.2.3'
|
15
|
-
# gem 'coffee-rails', '~> 3.2.1'
|
16
|
-
|
17
|
-
# See https://github.com/sstephenson/execjs#readme for more supported runtimes
|
18
|
-
# gem 'therubyracer', :platforms => :ruby
|
19
|
-
|
20
|
-
# gem 'uglifier', '>= 1.0.3'
|
21
|
-
end
|
22
|
-
|
23
|
-
gem 'jquery-rails'
|
24
|
-
|
25
|
-
# To use ActiveModel has_secure_password
|
26
|
-
# gem 'bcrypt-ruby', '~> 3.0.0'
|
27
|
-
|
28
|
-
# To use Jbuilder templates for JSON
|
29
|
-
# gem 'jbuilder'
|
30
|
-
|
31
|
-
# Use unicorn as the app server
|
32
|
-
# gem 'unicorn'
|
33
|
-
|
34
|
-
# Deploy with Capistrano
|
35
|
-
# gem 'capistrano'
|
36
|
-
|
37
|
-
# To use debugger
|
38
|
-
# gem 'debugger'
|
3
|
+
gem 'activerecord', '4.2.7'
|
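--- a/data/spec/integration_spec.rb
+++ b/data/spec/integration_spec.rb
@@ -20,13 +20,13 @@ describe "CLI" do
 end
 
 it "should print advisory information for the vulnerable gems" do
-advisory_pattern =
-Version: \d
+advisory_pattern = %r{(Name: [^\n]+
+Version: \d+\.\d+\.\d+(\.\d+)?
 Advisory: CVE-[0-9]{4}-[0-9]{4}
-Criticality: (High|Medium)
-URL:
+Criticality: (High|Medium|Low|Unknown)
+URL: https?://(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#!?&//=]*)
 Title: [^\n]*?
-Solution: upgrade to (
+Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)}
 
 expect(subject).to match(advisory_pattern)
 expect(subject).to include("Vulnerabilities found!")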
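Review bot: The unchanged context line `Advisory: CVE-[0-9]{4}-[0-9]{4}` inside the rewritten `advisory_pattern` only accepts four-digit CVE sequence numbers, while CVE identifiers may carry five or more digits, so a single such advisory in the output makes the whole multi-line pattern fail to match; change it to `Advisory: CVE-[0-9]{4}-[0-9]{4,}`. The widened `Criticality: (High|Medium|Low|Unknown)` and the new `URL:` alternation are fine, but note that the `URL:` branch's `[a-z]{2,6}` top-level-domain class will reject longer TLDs and uppercase hosts, which is worth a comment above the pattern if that is intentional. The expectation depends on which advisories the advisory database currently lists for the unpatched_gems fixture (`activerecord 4.2.7` per the Gemfile hunk above), so it will change as advisories are added; a comment saying so would help the next person who sees it fail. The `it` block's closing `end` lies outside the hunk.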
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: bundler-audit
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.6.
|
4
|
+
version: 0.6.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Postmodern
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2019-01-18 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: thor
|
@@ -28,16 +28,22 @@ dependencies:
|
|
28
28
|
name: bundler
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
|
-
- - "
|
31
|
+
- - ">="
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: 1.2.0
|
34
|
+
- - "<"
|
32
35
|
- !ruby/object:Gem::Version
|
33
|
-
version: '
|
36
|
+
version: '3'
|
34
37
|
type: :runtime
|
35
38
|
prerelease: false
|
36
39
|
version_requirements: !ruby/object:Gem::Requirement
|
37
40
|
requirements:
|
38
|
-
- - "
|
41
|
+
- - ">="
|
42
|
+
- !ruby/object:Gem::Version
|
43
|
+
version: 1.2.0
|
44
|
+
- - "<"
|
39
45
|
- !ruby/object:Gem::Version
|
40
|
-
version: '
|
46
|
+
version: '3'
|
41
47
|
description: bundler-audit provides patch-level verification for Bundled apps.
|
42
48
|
email: postmodern.mod3@gmail.com
|
43
49
|
executables:
|
@@ -472,7 +478,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
472
478
|
version: 1.8.0
|
473
479
|
requirements: []
|
474
480
|
rubyforge_project:
|
475
|
-
rubygems_version: 2.
|
481
|
+
rubygems_version: 2.7.6
|
476
482
|
signing_key:
|
477
483
|
specification_version: 4
|
478
484
|
summary: Patch-level verification for Bundler
|
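Review bot: The bundler runtime dependency is widened to `>= 1.2.0, < 3` in both `requirement` and `version_requirements`, but the README's Requirements list shown earlier on this page still reads `* [bundler] ~> 1.2` as an unchanged context line, so the documentation and the gemspec now disagree; update that README entry to `* [bundler] >= 1.2, < 3`. The widening presumably originates in `data/gemspec.yml`, whose one-line change is listed in the diffstat but not shown here, so the two should be checked together. The first hunk of this section (version and date bump) is trivial.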