bundler-audit 0.6.1 → 0.7.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a3d576304278048394827d4322e8e4be389a2a899b3e22bff638a0aaffcf91a
-  data.tar.gz: 025cf42cf42c6e868b1de3b07066aafe6e55878fe13f53f34c3e40396b44ba27
+  metadata.gz: c1c2ead83ab8d3dac034093a5ac034fbf3235fed7077e47c2f491a9f8fa24d6c
+  data.tar.gz: c520084f591d25b66f1524a1bfaa900297a6c4517e000f38ce46bc66fbdb812a
 SHA512:
-  metadata.gz: 4485f6c903fcda454232c9305aaefb7d170edc6d6ea4bb8d766880a4135460dde1b3249cb28a87434ae3f01138d60c8bc0792e36b31e2b2893d314ae8cfb5acd
-  data.tar.gz: c273401ad1f90286ff8a0981e858320cd2b14aa65718338ab7c54bb43b77cbf423848d982852217ab763e44b32ea9f6d977ce26e8dbc1f793cb405c52da3be82
+  metadata.gz: becd1a0bf6735ab08c3db5bd18199ceea5682e240a18ea2da88b8f9ff7c121ca11e5912613b559dc5916ff5db3e8e1d93627ead52e5a5bfc9f89ea574efb867d
+  data.tar.gz: 8a111e0b5e19eff5777bbe117560cc16f6d70a113fbb3d5059457557647a31ecef80f54956bb4f44d866d970579ed1fe19b0279aceed5355100b95a307a79491

data/.gitignore

@@ -5,7 +5,6 @@ doc/
 .yardoc/
 coverage/
 pkg/
-spec/bundle/*/Gemfile.lock
 spec/bundle/*/.bundle/
 vendor/bundle/
 tmp/

data/.travis.yml

@@ -4,10 +4,11 @@ rvm:
   - 2.4
   - 2.5
   - 2.6
+  - 2.7
   - jruby
-  - rbx-3
+  - truffleruby
 
 matrix:
   allow_failures:
     - rvm: jruby
-    - rvm: rbx-3
+    - rvm: truffleruby

data/ChangeLog.md

@@ -1,3 +1,18 @@
+### 0.7.0.1 / 2020-06-12
+
+* Forgot to populate `data/ruby-advisory-db`.
+
+### 0.7.0 / 2020-06-12
+
+* Require [thor] >= 0.18, < 2.
+* Added {Bundler::Audit::Advisory#ghsa} (@rschultheis).
+* Added {Bundler::Audit::Advisory#cvss_v3} (@ahamlin-nr).
+* Added {Bundler::Audit::Advisory#identifiers} (@rschultheis).
+* Updated {Bundler::Audit::Advisory#criticality} ranges (@reedloden).
+* Avoid rebasing the ruby-advisory-db when updating (@nicknovitski).
+* Fixed issue with Bundler 2.x where source URIs are no longer parsed as
+  `URI::HTTP` objects, but as `Bundler::URI::HTTP` objects. (@milgner)
+
 ### 0.6.1 / 2019-01-17
 
 * Require bundler `>= 1.2.0, < 3` to support [bundler] 2.0.
@@ -126,4 +141,5 @@
 * [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
 
 [bundler]: http://gembundler.com/
+[thor]: http://whatisthor.com/
 [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme

data/README.md

@@ -1,11 +1,11 @@
 # bundler-audit
+[![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg?branch=master)](https://travis-ci.org/rubysec/bundler-audit)
+[![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
 
 * [Homepage](https://github.com/rubysec/bundler-audit#readme)
 * [Issues](https://github.com/rubysec/bundler-audit/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
 * [Email](mailto:postmodern.mod3 at gmail.com)
-* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg)](https://travis-ci.org/rubysec/bundler-audit)
-* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
 
 ## Description
 
@@ -23,7 +23,7 @@ Patch-level verification for [bundler].
 
 Audit a project's `Gemfile.lock`:
 
-    $ bundle audit
+    $ bundle-audit
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-91452
@@ -84,7 +84,7 @@ Audit a project's `Gemfile.lock`:
 
 Update the [ruby-advisory-db] that `bundle audit` uses:
 
-    $ bundle audit update
+    $ bundle-audit update
     Updating ruby-advisory-db ...
     remote: Counting objects: 44, done.
     remote: Compressing objects: 100% (24/24), done.
@@ -110,11 +110,11 @@ Update the [ruby-advisory-db] that `bundle audit` uses:
 
 Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
 
-    $ bundle audit check --update
+    $ bundle-audit check --update
 
 Ignore specific advisories:
 
-    $ bundle audit check --ignore OSVDB-108664
+    $ bundle-audit check --ignore OSVDB-108664
 
 Rake task:
 
@@ -129,22 +129,22 @@ task default: 'bundle:audit'
 
 * [ruby] >= 1.9.3
 * [rubygems] >= 1.8
-* [thor] ~> 0.18
+* [thor] >= 0.18, < 2
 * [bundler] ~> 1.2
 
 ## Install
 
-    $ gem install bundler-audit
+    $ [sudo] gem install bundler-audit
 
 ## Contributing
 
 1. Clone the repo
-1. `git submodule update --init` # To populate data/ruby-advisory-db
-1. `bundle exec rake`
+2. `git submodule update --init` # To populate data/ruby-advisory-db
+3. `bundle exec rake`
 
 ## License
 
-Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

data/Rakefile

@@ -14,16 +14,20 @@ require 'time'
 require 'rubygems/tasks'
 Gem::Tasks.new
 
+directory 'data/ruby-advisory-db' do
+  sh 'git', 'submodule', 'update', '--init'
+end
+
 namespace :db do
   desc 'Updates data/ruby-advisory-db'
-  task :update do
+  task :update => 'data/ruuby-advsisory-db' do
     timestamp = nil
 
     chdir 'data/ruby-advisory-db' do
       sh 'git', 'pull', 'origin', 'master'
 
       File.open('../ruby-advisory-db.ts','w') do |file|
-        file.write Time.parse(`git log --pretty="%cd" -1`).utc
+        file.write Time.parse(`git log --date=iso8601 --pretty="%cd" -1`).utc
       end
     end
 
@@ -36,18 +40,20 @@ end
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new
 
-namespace :spec do
-  task :bundle do
-    root = 'spec/bundle'
+%w[secure unpatched_gems insecure_sources].each do |bundle|
+  bundle_dir   = File.join('spec/bundle',bundle)
+  gemfile      = File.join(bundle_dir,'Gemfile')
+  gemfile_lock = File.join(bundle_dir,'Gemfile.lock')
 
-    %w[secure unpatched_gems insecure_sources].each do |bundle|
-      chdir(File.join(root,bundle)) do
-        sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
-      end
+  file gemfile_lock => gemfile do
+    chdir(bundle_dir) do
+      sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
     end
   end
+
+  desc "Generates the spec/bundler/*/Gemfile.lock files"
+  task 'spec:bundle' => gemfile_lock
 end
-task :spec => 'spec:bundle'
 
 task :test    => :spec
 task :default => :spec

data/data/ruby-advisory-db.ts

@@ -1 +1 @@
-2017-06-13 16:51:56 UTC
+2020-06-12 22:55:28 UTC

data/data/ruby-advisory-db/CONTRIBUTING.md

@@ -16,6 +16,7 @@ bundle exec rspec
     ---
     gem: examplegem
     cve: 2013-0156
+    date: 2013-05-01
     url: https://github.com/rubysec/ruby-advisory-db/issues/123456
     title: |
       Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
@@ -28,6 +29,7 @@ bundle exec rspec
       arbitrary code.
 
     cvss_v2: 10.0
+    cvss_v3: 9.8
 
     patched_versions:
       - ~> 2.3.15
@@ -47,23 +49,23 @@ bundle exec rspec
 ```
 ### Schema
 
-* `gem` \[String\]: Name of the affected gem.
-* `framework` \[String\] (optional): Name of framework gem belongs to.
-* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
-* `cve` \[String\]: CVE id.
-* `osvdb` \[Integer\]: OSVDB id.
-* `url` \[String\]: The URL to the full advisory.
-* `title` \[String\]: The title of the advisory.
-* `date` \[Date\]: Disclosure date of the advisory.
-* `description` \[String\]: Multi-paragraph description of the vulnerability.
-* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
-* `cvss_v3` \[Float\]: The [CVSSv3] score for the vulnerability.
+* `gem` \[String\] (required): Name of the affected gem.
+* `framework` \[String\] (optional): Name of the framework which the affected gem belongs to.
+* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. jruby)
+* `cve` \[String\] (optional): Common Vulnerabilities and Exposures (CVE) ID.
+* `osvdb` \[Integer\] (optional): Open Sourced Vulnerability Database (OSVDB) ID.
+* `ghsa` \[String\] (optional): GitHub Security Advisory (GHSA) ID.
+* `url` \[String\] (required): The URL to the full advisory.
+* `title` \[String\] (required): The title of the advisory or individual vulnerability.
+* `date` \[Date\] (required): The public disclosure date of the advisory.
+* `description` \[String\] (required): One or more paragraphs describing the vulnerability.
+* `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability.
+* `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability.
 * `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
   unaffected versions of the Ruby library.
-* `patched_versions` \[Array\<String\>\]: The version requirements for the
+* `patched_versions` \[Array\<String\>\] (optional): The version requirements for the
   patched versions of the Ruby library.
-* `related` \[Hash\<Array\<String\>\>\]: Sometimes an advisory references many urls and cves. Supported keys: `cve` and `url`
-
+* `related` \[Hash\<Array\<String\>\>\] (optional): Sometimes an advisory references many urls and cves. Supported keys: `cve` and `url`
 
 [CVSSv2]: https://www.first.org/cvss/v2/guide
 [CVSSv3]: https://www.first.org/cvss/user-guide

data/data/ruby-advisory-db/CONTRIBUTORS.md

@@ -36,5 +36,6 @@ This database would not be possible without volunteers willing to submit pull re
 * [Reed Loden](https://github.com/reedloden)
 * [ecneladis](https://github.com/ecneladis)
 * [Brendan Coles](https://github.com/bcoles)
+* [Florian Wininger](https://github.com/fwininger)
 
 The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).

data/data/ruby-advisory-db/Gemfile

@@ -1,7 +1,9 @@
 source 'https://rubygems.org'
 
-gem 'rspec'
+gem 'faraday'
 gem 'rake'
+gem 'kwalify'
+gem 'rspec'
 
 group :development do
   gem 'pry'

data/data/ruby-advisory-db/README.md

@@ -27,6 +27,7 @@ Each advisory file contains the advisory information in [YAML] format:
     ---
     gem: examplegem
     cve: 2013-0156
+    date: 2013-05-01
     url: https://github.com/rubysec/ruby-advisory-db/issues/123456
     title: |
       Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
@@ -39,6 +40,7 @@ Each advisory file contains the advisory information in [YAML] format:
       arbitrary code.
 
     cvss_v2: 10.0
+    cvss_v3: 9.8
 
     patched_versions:
       - ~> 2.3.15
@@ -58,22 +60,24 @@ Each advisory file contains the advisory information in [YAML] format:
 
 ### Schema
 
-* `gem` \[String\]: Name of the affected gem.
-* `framework` \[String\] (optional): Name of framework gem belongs to.
-* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
-* `cve` \[String\]: CVE id.
-* `osvdb` \[Integer\]: OSVDB id.
-* `url` \[String\]: The URL to the full advisory.
-* `title` \[String\]: The title of the advisory.
-* `date` \[Date\]: Disclosure date of the advisory.
-* `description` \[String\]: Multi-paragraph description of the vulnerability.
-* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
-* `cvss_v3` \[Float\]: The [CVSSv3] score for the vulnerability.
+* `gem` \[String\] (required): Name of the affected gem.
+* `framework` \[String\] (optional): Name of the framework which the affected
+  gem belongs to.
+* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. jruby)
+* `cve` \[String\] (optional): Common Vulnerabilities and Exposures (CVE) ID.
+* `osvdb` \[Integer\] (optional): Open Sourced Vulnerability Database (OSVDB) ID.
+* `ghsa` \[String\] (optional): GitHub Security Advisory (GHSA) ID.
+* `url` \[String\] (required): The URL to the full advisory.
+* `title` \[String\] (required): The title of the advisory or individual vulnerability.
+* `date` \[Date\] (required): The public disclosure date of the advisory.
+* `description` \[String\] (required): One or more paragraphs describing the vulnerability.
+* `cvss_v2` \[Float\] (optional): The [CVSSv2] score for the vulnerability.
+* `cvss_v3` \[Float\] (optional): The [CVSSv3] score for the vulnerability.
 * `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
   unaffected versions of the Ruby library.
-* `patched_versions` \[Array\<String\>\]: The version requirements for the
+* `patched_versions` \[Array\<String\>\] (optional): The version requirements for the
   patched versions of the Ruby library.
-* `related` \[Hash\<Array\<String\>\>\]: Sometimes an advisory references many urls and cves. Supported keys: `cve` and `url`
+* `related` \[Hash\<Array\<String\>\>\] (optional): Sometimes an advisory references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url`
 
 ### Tests
 Prior to submitting a pull request, run the tests:
@@ -83,16 +87,46 @@ bundle install
 bundle exec rspec
 ```
 
+### GitHub Advisory Sync
+
+There is a script that will create initial yaml files for RubyGem advisories which
+are in the [GitHub Security Advisory API](https://developer.github.com/v4/object/securityadvisory/),
+but are not already in this dataset.  This script can be periodically run to ensure
+this repo has all the data that is present in the GitHub Advisory data.
+
+The GitHub Advisory API requires a token to access it.
+- It can be a completely scopeless token (recommended); it does not require any permissions at all.
+- Get yours at https://github.com/settings/tokens
+
+To run the GitHub Advisory sync, start by executing the rake task:
+```
+GH_API_TOKEN=<your GitHub API Token> bundle exec rake sync_github_advisories
+```
+
+- The rake task will write yaml files for any missing advisories.
+- Those files must be further edited.
+  - Fill in `cvss_v3` field by following the CVE link and getting it from page
+  - Fill in `patched_versions` field, using the comments at the bottom of the file
+  - Fill in `unaffected_versions`, optional, if there are unaffected_versions
+  - delete the GitHub data at the bottom of the yaml file
+  - double check all the data, commit it, and make a PR
+    - *The GitHub Advisory data is structured opposite of RubySec unfortunately:
+       GitHub identifies version range which are vulnerable; RubySec identifies
+      version ranges which are not vulnerable.  This is why some manual
+      work to translate is needed.*
+
+
 ## Credits
 
 Please see [CONTRIBUTORS.md].
 
-This database also includes data from the [Open Source Vulnerability Database][OSVDB]
+This database also includes data from the [Open Sourced Vulnerability Database][OSVDB]
 developed by the Open Security Foundation (OSF) and its contributors.
 
 [rubygems.org]: https://rubygems.org/
-[CVE]: http://cve.mitre.org/
+[CVE]: https://cve.mitre.org/
 [OSVDB]: http://www.osvdb.org/
+[GHSA]: https://help.github.com/en/articles/about-maintainer-security-advisories
 [CVSSv2]: https://www.first.org/cvss/v2/guide
 [CVSSv3]: https://www.first.org/cvss/user-guide
 [YAML]: http://www.yaml.org/

data/data/ruby-advisory-db/Rakefile

@@ -10,17 +10,13 @@ namespace :lint do
       abort "Please run `gem install rspec` to install RSpec."
     end
   end
+end
 
-  task :cve do
-    Dir.glob('{gems,libraries,rubies}/*/*.yml') do |path|
-      advisory = YAML.load_file(path)
-
-      unless advisory['cve']
-        puts "Missing CVE: #{path}"
-      end
-    end
-  end
+desc "Sync GitHub RubyGem Advisories into this project"
+task :sync_github_advisories do
+  require_relative "lib/github_advisory_sync"
+  GitHub::GitHubAdvisorySync.sync
 end
 
-task :lint    => ['lint:yaml', 'lint:cve']
+task :lint    => ['lint:yaml']
 task :default => :lint

data/data/ruby-advisory-db/gems/Arabic-Prawn/{OSVDB-104365.yml → CVE-2014-2322.yml}

@@ -2,7 +2,7 @@
 gem: Arabic-Prawn
 cve: 2014-2322
 osvdb: 104365
-url: http://osvdb.org/show/osvdb/104365
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-2322
 title: Arabic Prawn Gem for Ruby lib/string_utf_support.rb User Input Handling Remote Command Injection
 date: 2014-03-10
 description: |

data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4995.yml

@@ -2,7 +2,7 @@
 gem: VladTheEnterprising
 cve: 2014-4995
 osvdb: 108728
-url: http://www.osvdb.org/show/osvdb/108728
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-4995
 title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact
 date: 2014-06-30
 description: |

data/data/ruby-advisory-db/gems/VladTheEnterprising/CVE-2014-4996.yml

@@ -2,7 +2,7 @@
 gem: VladTheEnterprising
 cve: 2014-4996
 osvdb: 108728
-url: http://www.osvdb.org/show/osvdb/108728
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-4996
 title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact 
 date: 2014-06-30
 description: |

data/data/ruby-advisory-db/gems/actionmailer/{OSVDB-98629.yml → CVE-2013-4389.yml}

@@ -2,7 +2,7 @@
 gem: actionmailer
 cve: 2013-4389
 osvdb: 98629
-url: http://www.osvdb.org/show/osvdb/98629
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-4389
 title: Action Mailer Gem for Ruby contains a possible DoS Vulnerability
 date: 2013-10-16
 description: Action Mailer Gem for Ruby contains a format string flaw in

data/data/ruby-advisory-db/gems/actionpack-page_caching/CVE-2020-8159.yml

@@ -0,0 +1,40 @@
+---
+gem: actionpack-page_caching
+cve: 2020-8159
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/CFRVkEytdP8
+date: 2020-05-06
+title: Arbitrary file write/potential remote code execution in actionpack-page_caching
+description: |
+  There is a vulnerability in the actionpack-page_caching gem that allows an attacker
+  to write arbitrary files to a web server, potentially resulting in remote code execution
+  if the attacker can write unescaped ERB to a view.
+
+  Versions Affected:  All versions of actionpack-page_caching (part of Rails prior to Rails 4.0)
+  Not affected:       Applications not using actionpack-page_caching
+  Fixed Versions:     actionpack-page_caching >= 1.2.1
+
+  Impact
+  ------
+
+  The Action Pack Page Caching gem writes cache files to the file system in
+  order for the front end webserver (nginx, Apache, etc) to serve the cached
+  file without making a request to the application server.  Paths contain what
+  is effectively user input can be used to manipulate the location of the cache
+  file.
+
+  For example "/users/123" could be changed to "/users/../../../foo" and this
+  will escape the cache directory.  Attackers can use this technique to
+  springboard to an RCE if they can write arbitrary ERb to a view folder.
+
+  Impacted code looks like this:
+
+  ```
+  class BooksController < ApplicationController
+    caches_page :show
+  end
+  ```
+
+  Where the `show` action of the `BooksController` may be vulnerable.
+
+patched_versions:
+  - ">= 1.2.1"