bundler-audit 0.6.0 → 0.8.0.rc2

data/lib/bundler/audit/results.rb

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler/audit/results/insecure_source'
+require 'bundler/audit/results/unpatched_gem'

data/lib/bundler/audit/results/insecure_source.rb

@@ -0,0 +1,75 @@
+#
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler/audit/results/result'
+
+module Bundler
+  module Audit
+    module Results
+      class InsecureSource < Result
+
+        # The insecure `git://` or `http://` URI.
+        #
+        # @return [URI::Generic, URI::HTTP]
+        attr_reader :source
+
+        #
+        # Initializes the insecure source result.
+        #
+        # @param [URI::Generic, URI::HTTP] source
+        #   The insecure `git://` or `http://` URI.
+        #
+        def initialize(source)
+          @source = source
+        end
+
+        #
+        # Compares the insecure source with another result.
+        #
+        # @param [Result] other
+        #
+        # @return [Boolean]
+        #
+        def ==(other)
+          self.class == other.class && @source == other.source
+        end
+
+        #
+        # Converts the insecure source result to a String.
+        #
+        # @return [String]
+        #
+        def to_s
+          @source.to_s
+        end
+
+        #
+        # Converts the insecure source into a Hash.
+        #
+        # @return [Hash{Symbol => Object}]
+        #
+        def to_h
+          {
+            type: :insecure_source,
+            source: @source
+          }
+        end
+
+      end
+    end
+  end
+end

data/lib/bundler/audit/results/result.rb

@@ -0,0 +1,21 @@
+module Bundler
+  module Audit
+    module Results
+      #
+      # @abstract
+      #
+      class Result
+
+        #
+        # @return [Hash{Symbol => Object}]
+        #
+        # @abstract
+        #
+        def to_h
+          raise(NotImplementedError,"#{self.class}#to_h not implemented!")
+        end
+
+      end
+    end
+  end
+end

data/lib/bundler/audit/results/unpatched_gem.rb

@@ -0,0 +1,94 @@
+#
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler/audit/results/result'
+
+require 'uri'
+
+module Bundler
+  module Audit
+    module Results
+      class UnpatchedGem < Result
+
+        # The specification of the vulnerable gem.
+        #
+        # @return [Gem::Specification]
+        attr_reader :gem
+
+        # The advisory documenting the vulnerability.
+        #
+        # @return [Advisory]
+        attr_reader :advisory
+
+        #
+        # Initializes the unpatched gem result.
+        #
+        # @param [Gem::Specification] gem
+        #   The specification of the vulnerable gem.
+        #
+        # @param [Advisory] advisory
+        #   The advisory documenting the vulnerability.
+        #
+        def initialize(gem,advisory)
+          @gem      = gem
+          @advisory = advisory
+        end
+
+        #
+        # Compares the unpatched gem to another result.
+        #
+        # @param [Result] other
+        #
+        # @return [Boolean]
+        #
+        def ==(other)
+          self.class == other.class && (
+            @gem.name == other.gem.name &&
+            @gem.version == other.gem.version &&
+            @advisory == other.advisory
+          )
+        end
+
+        #
+        # Converts the unpatched gem result into a String.
+        #
+        # @return [String]
+        #
+        def to_s
+          @advisory.id
+        end
+
+        #
+        # Converts the unpached gem to a Hash.
+        #
+        # @return [Hash{Symbol => Object}]
+        #
+        def to_h
+          {
+            type: :unpatched_gem,
+            gem:  {
+              name: @gem.name,
+              version: @gem.version
+            },
+            advisory: @advisory.to_h
+          }
+        end
+
+      end
+    end
+  end
+end

data/lib/bundler/audit/scanner.rb

@@ -1,22 +1,38 @@
+#
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
 require 'bundler'
+require 'bundler/audit/configuration'
 require 'bundler/audit/database'
+require 'bundler/audit/report'
+require 'bundler/audit/results/insecure_source'
+require 'bundler/audit/results/unpatched_gem'
 require 'bundler/lockfile_parser'
 
 require 'ipaddr'
 require 'resolv'
 require 'set'
 require 'uri'
+require 'yaml'
 
 module Bundler
   module Audit
     class Scanner
 
-      # Represents a plain-text source
-      InsecureSource = Struct.new(:source)
-
-      # Represents a gem that is covered by an Advisory
-      UnpatchedGem = Struct.new(:gem, :advisory)
-
       # The advisory database
       #
       # @return [Database]
@@ -30,18 +46,76 @@ module Bundler
       # @return [Bundler::LockfileParser]
       attr_reader :lockfile
 
+      # The configuration loaded from the `.bundler-audit.yml` file from the project
+      #
+      # @return [Hash]
+      attr_reader :config
+
       #
       # Initializes a scanner.
       #
       # @param [String] root
       #   The path to the project root.
       #
-      def initialize(root=Dir.pwd)
+      # @param [String] gemfile_lock
+      #   Alternative name for the `Gemfile.lock` file.
+      #
+      # @param [Database] database
+      #   The database to scan against.
+      #
+      # @raise [Bundler::GemfileLockNotFound]
+      #   The `gemfile_lock` file could not be found within the `root`
+      #   directory.
+      #
+      def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock',database=Database.new,config_dot_file='.bundler-audit.yml')
         @root     = File.expand_path(root)
-        @database = Database.new
-        @lockfile = LockfileParser.new(
-          File.read(File.join(@root,'Gemfile.lock'))
-        )
+        @database = database
+
+        gemfile_lock_path = File.join(@root,gemfile_lock)
+
+        unless File.file?(gemfile_lock_path)
+          raise(Bundler::GemfileLockNotFound,"Could not find #{gemfile_lock.inspect} in #{@root.inspect}")
+        end
+
+        @lockfile = LockfileParser.new(File.read(gemfile_lock_path))
+
+        config_dot_file_full_path = File.join(@root,config_dot_file)
+
+        @config = if File.exist?(config_dot_file_full_path)
+                    Configuration.load(config_dot_file_full_path)
+                  else
+                    Configuration.new
+                  end
+      end
+
+      #
+      # Preforms a {#scan} and collects the results into a {Report report}.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [Results::InsecureSource, Results::UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Report]
+      #
+      # @since 0.8.0
+      #
+      def report(options={})
+        report = Report.new()
+
+        scan(options) do |result|
+          report << result
+          yield result if block_given?
+        end
+
+        return report
       end
 
       #
@@ -56,7 +130,7 @@ module Bundler
       # @yield [result]
       #   The given block will be passed the results of the scan.
       #
-      # @yieldparam [InsecureSource, UnpatchedGem] result
+      # @yieldparam [Results::InsecureSource, Results::UnpatchedGem] result
       #   A result from the scan.
       #
       # @return [Enumerator]
@@ -65,9 +139,6 @@ module Bundler
       def scan(options={},&block)
         return enum_for(__method__,options) unless block
 
-        ignore = Set[]
-        ignore += options[:ignore] if options[:ignore]
-
         scan_sources(options,&block)
         scan_specs(options,&block)
 
@@ -83,7 +154,7 @@ module Bundler
       # @yield [result]
       #   The given block will be passed the results of the scan.
       #
-      # @yieldparam [InsecureSource] result
+      # @yieldparam [Results::InsecureSource] result
       #   A result from the scan.
       #
       # @return [Enumerator]
@@ -102,13 +173,13 @@ module Bundler
             case source.uri
             when /^git:/, /^http:/
               unless internal_source?(source.uri)
-                yield InsecureSource.new(source.uri)
+                yield Results::InsecureSource.new(source.uri)
               end
             end
           when Source::Rubygems
             source.remotes.each do |uri|
               if (uri.scheme == 'http' && !internal_source?(uri))
-                yield InsecureSource.new(uri.to_s)
+                yield Results::InsecureSource.new(uri.to_s)
               end
             end
           end
@@ -127,7 +198,7 @@ module Bundler
       # @yield [result]
       #   The given block will be passed the results of the scan.
       #
-      # @yieldparam [UnpatchedGem] result
+      # @yieldparam [Results::UnpatchedGem] result
       #   A result from the scan.
       #
       # @return [Enumerator]
@@ -140,15 +211,16 @@ module Bundler
       def scan_specs(options={})
         return enum_for(__method__,options) unless block_given?
 
-        ignore = Set[]
-        ignore += options[:ignore] if options[:ignore]
+        ignore = if options[:ignore] then Set.new(options[:ignore])
+                 else                     config.ignore
+                 end
 
         @lockfile.specs.each do |gem|
           @database.check_gem(gem) do |advisory|
-            unless (ignore.include?(advisory.cve_id) ||
-                    ignore.include?(advisory.osvdb_id))
-              yield UnpatchedGem.new(gem,advisory)
-            end
+            is_ignored = ignore.intersect?(advisory.identifiers.to_set)
+            next if is_ignored
+
+            yield Results::UnpatchedGem.new(gem,advisory)
           end
         end
       end
@@ -164,7 +236,7 @@ module Bundler
       # @return [Boolean]
       #
       def internal_source?(uri)
-        uri = URI(uri)
+        uri = URI.parse(uri.to_s)
 
         internal_host?(uri.host) if uri.host
       end
@@ -187,11 +259,15 @@ module Bundler
       #
       # @see https://tools.ietf.org/html/rfc1918#section-3
       # @see https://tools.ietf.org/html/rfc4193#section-8
+      # @see https://tools.ietf.org/html/rfc6890#section-2.2.2
+      # @see https://tools.ietf.org/html/rfc6890#section-2.2.3
       INTERNAL_SUBNETS = %w[
         10.0.0.0/8
         172.16.0.0/12
         192.168.0.0/16
         fc00::/7
+        127.0.0.0/8
+        ::1/128
       ].map(&IPAddr.method(:new))
 
       #

data/lib/bundler/audit/task.rb

@@ -17,12 +17,10 @@ module Bundler
       #
       def define
         namespace :bundle do
-          desc 'Updates the ruby-advisory-db then runs bundle-audit'
+          desc 'Checks the Gemfile.lock for insecure dependencies'
           task :audit do
             require 'bundler/audit/cli'
-            %w(update check).each do |command|
-              Bundler::Audit::CLI.start [command]
-            end
+            Bundler::Audit::CLI.start %w[check]
           end
         end
       end