RubyGems - bundler-audit - Versions diffs - 0.6.0 → 0.8.0.rc2 - Mend

bundler-audit 0.6.0 → 0.8.0.rc2

Files changed (427) hide show

data/lib/bundler/audit/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.6.0'
+    VERSION = '0.8.0.rc2'
   end
 end

data/spec/advisory_spec.rb CHANGED Viewed

@@ -3,12 +3,15 @@ require 'bundler/audit/database'
 require 'bundler/audit/advisory'
 describe Bundler::Audit::Advisory do
-  let(:root) { Bundler::Audit::Database::VENDORED_PATH }
-  let(:gem)  { 'actionpack' }
-  let(:id)   { 'OSVDB-84243' }
-  let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
-  let(:an_unaffected_version) do
-    Bundler::Audit::Advisory.load(path).unaffected_versions.map { |version_rule|
+  let(:root) { Fixtures::DATABASE_PATH }
+  let(:gem)  { 'test' }
+  let(:id)   { 'CVE-2020-1234' }
+  let(:path) { Fixtures.join('advisory',"#{id}.yml") }
+  subject { described_class.load(path) }
+  let(:a_patched_version) do
+    subject.patched_versions.map { |version_rule|
       # For all the rules, get the individual constraints out and see if we
       # can find a suitable one...
       version_rule.requirements.select { |(constraint, gem_version)|
@@ -24,7 +27,22 @@ describe Bundler::Audit::Advisory do
     }.flatten.first
   end
-  subject { described_class.load(path) }
+  let(:an_unaffected_version) do
+    subject.unaffected_versions.map { |version_rule|
+      # For all the rules, get the individual constraints out and see if we
+      # can find a suitable one...
+      version_rule.requirements.select { |(constraint, gem_version)|
+        # We only want constraints where the version number specified is
+        # one of the unaffected version.  I.E. we don't want ">", "<", or if
+        # such a thing exists, "!=" constraints.
+        ['~>', '>=', '=', '<='].include?(constraint)
+      }.map { |(constraint, gem_version)|
+        # Fetch just the version component, which is a Gem::Version,
+        # and extract the string representation of the version.
+        gem_version.version
+      }
+    }.flatten.first
+  end
   describe "load" do
     let(:data) { YAML.load_file(path) }
@@ -54,14 +72,22 @@ describe Bundler::Audit::Advisory do
       it { is_expected.to eq(data['cvss_v2'])     }
     end
+    describe '#cvss_v3' do
+      subject { super().cvss_v3 }
+      it { is_expected.to eq(data['cvss_v3'])     }
+    end
     describe '#description' do
       subject { super().description }
       it { is_expected.to eq(data['description']) }
     end
     context "YAML data not representing a hash" do
+      let(:path ) do
+        File.expand_path('../fixtures/advisory/not_a_hash.yml', __FILE__)
+      end
       it "should raise an exception" do
-        path = File.expand_path('../fixtures/not_a_hash.yml', __FILE__)
         expect {
           Advisory.load(path)
         }.to raise_exception("advisory data in #{path.dump} was not a Hash")
@@ -123,28 +149,79 @@ describe Bundler::Audit::Advisory do
     end
   end
+  describe "#ghsa_id" do
+    let(:ghsa) { "xfhh-rx56-rxcr" }
+    subject do
+      described_class.new.tap do |advisory|
+        advisory.ghsa = ghsa
+      end
+    end
+    it "should prepend GHSA- to the GHSA id" do
+      expect(subject.ghsa_id).to be == "GHSA-#{ghsa}"
+    end
+    context "when ghsa is nil" do
+      subject { described_class.new }
+      it { expect(subject.ghsa_id).to be_nil }
+    end
+  end
+  describe "#identifiers" do
+    it "should include all identifiers if defined" do
+      advisory = described_class.new.tap do |advisory|
+        advisory.cve = "2018-1234"
+        advisory.osvdb = "2019-2345"
+        advisory.ghsa = "2020-3456"
+      end
+      expect(advisory.identifiers).to eq([
+        "CVE-2018-1234",
+        "OSVDB-2019-2345",
+        "GHSA-2020-3456"
+      ])
+    end
+    it "should exclude nil identifiers" do
+      advisory = described_class.new
+      expect(advisory.identifiers).to eq([])
+      advisory = described_class.new.tap do |advisory|
+        advisory.cve = "2018-1234"
+      end
+      expect(advisory.identifiers).to eq(["CVE-2018-1234"])
+      advisory = described_class.new.tap do |advisory|
+        advisory.ghsa = "2020-3456"
+      end
+      expect(advisory.identifiers).to eq(["GHSA-2020-3456"])
+    end
+  end
   describe "#criticality" do
-    context "when cvss_v2 is between 0.0 and 3.3" do
+    context "when cvss_v2 is between 0.0 and 3.9" do
       subject do
         described_class.new.tap do |advisory|
-          advisory.cvss_v2 = 3.3
+          advisory.cvss_v2 = 3.9
         end
       end
       it { expect(subject.criticality).to eq(:low) }
     end
-    context "when cvss_v2 is between 3.3 and 6.6" do
+    context "when cvss_v2 is between 4.0 and 6.9" do
       subject do
         described_class.new.tap do |advisory|
-          advisory.cvss_v2 = 6.6
+          advisory.cvss_v2 = 6.9
         end
       end
       it { expect(subject.criticality).to eq(:medium) }
     end
-    context "when cvss_v2 is between 6.6 and 10.0" do
+    context "when cvss_v2 is between 7.0 and 10.0" do
       subject do
         described_class.new.tap do |advisory|
           advisory.cvss_v2 = 10.0
@@ -153,6 +230,56 @@ describe Bundler::Audit::Advisory do
       it { expect(subject.criticality).to eq(:high) }
     end
+    context "when cvss_v3 is 0.0" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 0.0
+        end
+      end
+      it { expect(subject.criticality).to eq(:none) }
+    end
+    context "when cvss_v3 is between 0.1 and 3.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 3.9
+        end
+      end
+      it { expect(subject.criticality).to eq(:low) }
+    end
+    context "when cvss_v3 is between 4.0 and 6.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 6.9
+        end
+      end
+      it { expect(subject.criticality).to eq(:medium) }
+    end
+    context "when cvss_v3 is between 7.0 and 8.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 8.9
+        end
+      end
+      it { expect(subject.criticality).to eq(:high) }
+    end
+    context "when cvss_v3 is between 9.0 and 10.0" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 10.0
+        end
+      end
+      it { expect(subject.criticality).to eq(:critical) }
+    end
   end
   describe "#unaffected?" do
@@ -175,7 +302,7 @@ describe Bundler::Audit::Advisory do
   describe "#patched?" do
     context "when passed a version that matches one patched version" do
-      let(:version) { Gem::Version.new('3.1.11') }
+      let(:version) { Gem::Version.new(a_patched_version) }
       it "should return true" do
         expect(subject.patched?(version)).to be_truthy
@@ -183,7 +310,7 @@ describe Bundler::Audit::Advisory do
     end
     context "when passed a version that matches no patched version" do
-      let(:version) { Gem::Version.new('2.9.0') }
+      let(:version) { Gem::Version.new('0.1.1') }
       it "should return false" do
         expect(subject.patched?(version)).to be_falsey
@@ -193,7 +320,7 @@ describe Bundler::Audit::Advisory do
   describe "#vulnerable?" do
     context "when passed a version that matches one patched version" do
-      let(:version) { Gem::Version.new('3.1.11') }
+      let(:version) { Gem::Version.new(a_patched_version) }
       it "should return false" do
         expect(subject.vulnerable?(version)).to be_falsey
@@ -201,15 +328,13 @@ describe Bundler::Audit::Advisory do
     end
     context "when passed a version that matches no patched version" do
-      let(:version) { Gem::Version.new('2.9.0') }
+      let(:version) { Gem::Version.new('0.1.1') }
       it "should return true" do
         expect(subject.vulnerable?(version)).to be_truthy
       end
       context "when unaffected_versions is not empty" do
-        subject { described_class.load(path) }
         context "when passed a version that matches one unaffected version" do
           let(:version) { Gem::Version.new(an_unaffected_version) }
@@ -219,7 +344,7 @@ describe Bundler::Audit::Advisory do
         end
         context "when passed a version that matches no unaffected version" do
-          let(:version) { Gem::Version.new('1.2.3') }
+          let(:version) { Gem::Version.new('0.1.0') }
           it "should return true" do
             expect(subject.vulnerable?(version)).to be_truthy

data/spec/bundle/insecure_sources/Gemfile CHANGED Viewed

@@ -1,39 +1,4 @@
 source 'http://rubygems.org'
-gem 'rails', '3.2.12'
-# Bundle edge Rails instead:
-# gem 'rails', :git => 'git://github.com/rails/rails.git'
-gem 'sqlite3', platform: [:mri, :rbx]
-# Gems used only for assets and not required
-# in production environments by default.
-group :assets do
-  # gem 'sass-rails',   '~> 3.2.3'
-  # gem 'coffee-rails', '~> 3.2.1'
-  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
-  # gem 'therubyracer', :platforms => :ruby
-  # gem 'uglifier', '>= 1.0.3'
-end
-gem 'jquery-rails', :git => 'git://github.com/rails/jquery-rails.git',
-                    :tag => 'v2.2.1'
-# To use ActiveModel has_secure_password
-# gem 'bcrypt-ruby', '~> 3.0.0'
-# To use Jbuilder templates for JSON
-# gem 'jbuilder'
-# Use unicorn as the app server
-# gem 'unicorn'
-# Deploy with Capistrano
-# gem 'capistrano'
-# To use debugger
-# gem 'debugger'
+gem 'rails'
+gem 'jquery-rails', git: 'git://github.com/rails/jquery-rails.git'

data/spec/bundle/secure/Gemfile CHANGED Viewed

@@ -1,38 +1,4 @@
 source 'https://rubygems.org'
-gem 'rails', '~> 4.2.7.1'
-# Bundle edge Rails instead:
-# gem 'rails', :git => 'git://github.com/rails/rails.git'
-gem 'sqlite3', platform: [:mri, :rbx]
-# Gems used only for assets and not required
-# in production environments by default.
-group :assets do
-  # gem 'sass-rails',   '~> 3.2.3'
-  # gem 'coffee-rails', '~> 3.2.1'
-  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
-  # gem 'therubyracer', :platforms => :ruby
-  # gem 'uglifier', '>= 1.0.3'
-end
-gem 'jquery-rails'
-# To use ActiveModel has_secure_password
-# gem 'bcrypt-ruby', '~> 3.0.0'
-# To use Jbuilder templates for JSON
-# gem 'jbuilder'
-# Use unicorn as the app server
-# gem 'unicorn'
-# Deploy with Capistrano
-# gem 'capistrano'
-# To use debugger
-# gem 'debugger'
+gem 'rails', '~> 5.2'
+gem 'rails-html-sanitizer', '~> 1.0.3'

data/spec/bundle/unpatched_gems/Gemfile CHANGED Viewed

@@ -1,38 +1,3 @@
 source 'https://rubygems.org'
-gem 'rails', '3.2.10'
-# Bundle edge Rails instead:
-# gem 'rails', :git => 'git://github.com/rails/rails.git'
-gem 'sqlite3', platform: [:mri, :rbx]
-# Gems used only for assets and not required
-# in production environments by default.
-group :assets do
-  # gem 'sass-rails',   '~> 3.2.3'
-  # gem 'coffee-rails', '~> 3.2.1'
-  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
-  # gem 'therubyracer', :platforms => :ruby
-  # gem 'uglifier', '>= 1.0.3'
-end
-gem 'jquery-rails'
-# To use ActiveModel has_secure_password
-# gem 'bcrypt-ruby', '~> 3.0.0'
-# To use Jbuilder templates for JSON
-# gem 'jbuilder'
-# Use unicorn as the app server
-# gem 'unicorn'
-# Deploy with Capistrano
-# gem 'capistrano'
-# To use debugger
-# gem 'debugger'
+gem 'activerecord', '3.2.10'

data/spec/bundle/unpatched_gems_with_dot_configuration/.bundler-audit.yml ADDED Viewed

@@ -0,0 +1,3 @@
+---
+ignore:
+- OSVDB-89025

data/spec/bundle/unpatched_gems_with_dot_configuration/Gemfile ADDED Viewed

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+gem 'activerecord', '3.2.10'

data/spec/cli/formats/json_spec.rb ADDED Viewed

@@ -0,0 +1,113 @@
+require 'spec_helper'
+require 'bundler/audit/cli/formats'
+require 'bundler/audit/cli/formats/json'
+require 'bundler/audit/report'
+describe Bundler::Audit::CLI::Formats::JSON do
+  it "must register the 'json' format" do
+    expect(Bundler::Audit::CLI::Formats[:json]).to be described_class
+  end
+  let(:options) { {} }
+  subject do
+    Bundler::Audit::CLI.new([],options).tap do |obj|
+      obj.extend described_class
+    end
+  end
+  describe "#print_report" do
+    let(:report) { Bundler::Audit::Report.new }
+    let(:stdout) { StringIO.new }
+    before { subject.print_report(report,stdout) }
+    let(:output) { stdout.string }
+    let(:output_json) { JSON.parse(output, symbolize_names: true) }
+    it "must output a JSON hash" do
+      expect(output_json).to be_kind_of(Hash)
+    end
+    it 'must output a "version" key with the Bundler::Audit::VERSION' do
+      expect(output_json[:version]).to be == Bundler::Audit::VERSION
+    end
+    it 'must output a "created_at" key with the Report#created_at timestamp' do
+      expect(output_json[:created_at]).to be == report.created_at.to_s
+    end
+    context "when vulnerabilities were found" do
+      context "when the report contains InsecureSources" do
+        let(:uri) { URI('git://github.com/foo/bar.git') }
+        let(:insecure_source) do
+          Bundler::Audit::Results::InsecureSource.new(uri)
+        end
+        let(:report) do
+          super().tap do |report|
+            report << insecure_source
+          end
+        end
+        it 'must output the InsecureSource as JSON in the "results" Array' do
+          expect(output_json[:results]).to be_kind_of(Array)
+          expect(output_json[:results][0]).to be_kind_of(Hash)
+          expect(output_json[:results][0][:type]).to be == 'insecure_source'
+          expect(output_json[:results][0][:source]).to be == uri.to_s
+        end
+      end
+      context "when the report contains UnpatchedGems" do
+        let(:gem) do
+          Gem::Specification.new do |spec|
+            spec.name = 'test'
+            spec.version = '0.1.0'
+          end
+        end
+        let(:advisory) do
+          Bundler::Audit::Advisory.load(Fixtures.join('advisory','CVE-2020-1234.yml'))
+        end
+        let(:unpatched_gem) do
+          Bundler::Audit::Results::UnpatchedGem.new(gem,advisory)
+        end
+        let(:report) do
+          super().tap do |report|
+            report << unpatched_gem
+          end
+        end
+        it 'must output the UnpatchedGem as JSON in the "results" Array' do
+          expect(output_json[:results]).to be_kind_of(Array)
+          expect(output_json[:results][0]).to be_kind_of(Hash)
+          expect(output_json[:results][0][:type]).to be == 'unpatched_gem'
+          expect(output_json[:results][0][:gem]).to be_kind_of(Hash)
+          expect(output_json[:results][0][:gem][:name]).to be == gem.name
+          expect(output_json[:results][0][:gem][:version]).to be == gem.version.to_s
+          expect(output_json[:results][0][:advisory]).to be_kind_of(Hash)
+          expect(output_json[:results][0][:advisory][:path]).to be == advisory.path
+          expect(output_json[:results][0][:advisory][:id]).to be == advisory.id
+          expect(output_json[:results][0][:advisory][:url]).to be == advisory.url
+          expect(output_json[:results][0][:advisory][:title]).to be == advisory.title
+          expect(output_json[:results][0][:advisory][:date]).to be == advisory.date.to_s
+          expect(output_json[:results][0][:advisory][:description]).to be == advisory.description
+          expect(output_json[:results][0][:advisory][:cvss_v2]).to be == advisory.cvss_v2
+          expect(output_json[:results][0][:advisory][:cve]).to be == advisory.cve
+          expect(output_json[:results][0][:advisory][:osvdb]).to be == advisory.osvdb
+          expect(output_json[:results][0][:advisory][:ghsa]).to be == advisory.ghsa
+          expect(output_json[:results][0][:advisory][:unaffected_versions]).to be == advisory.unaffected_versions.map(&:to_s)
+          expect(output_json[:results][0][:advisory][:patched_versions]).to be == advisory.patched_versions.map(&:to_s)
+        end
+      end
+    end
+    context "when no vulnerabilities were found" do
+      it 'must output an "results" key with an empty Array' do
+        expect(output_json[:results]).to be_kind_of(Array)
+        expect(output_json[:results]).to be_empty
+      end
+    end
+  end
+end