bundler-audit 0.6.1 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a3d576304278048394827d4322e8e4be389a2a899b3e22bff638a0aaffcf91a
-  data.tar.gz: 025cf42cf42c6e868b1de3b07066aafe6e55878fe13f53f34c3e40396b44ba27
+  metadata.gz: c98968f6509b0551b595706cc23591bf2741626a472dcccda17e107c2e7788d0
+  data.tar.gz: 61c7ea8687934092a74aca4f0358e2565ce9eec53fe0713198bd1eadd5e2ae31
 SHA512:
-  metadata.gz: 4485f6c903fcda454232c9305aaefb7d170edc6d6ea4bb8d766880a4135460dde1b3249cb28a87434ae3f01138d60c8bc0792e36b31e2b2893d314ae8cfb5acd
-  data.tar.gz: c273401ad1f90286ff8a0981e858320cd2b14aa65718338ab7c54bb43b77cbf423848d982852217ab763e44b32ea9f6d977ce26e8dbc1f793cb405c52da3be82
+  metadata.gz: 3a10a9071b08c8781c33db982d9d72929c63c2ec3ce69839cf93186bcd47775e8483fe397cf9b05363f13c785757f9b7cb3dfef2bced8085f9913c38553d6714
+  data.tar.gz: 4789e6c07340509b1e08218b6f9b2e16fcc40f24f42476ca92fe530171b2035bab209984b324783bf387758c9262d3fce724ceb0f76cdc0e78c967109112431d

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+github:
+  - postmodern
+  - reedloden

data/.github/workflows/ruby.yml

@@ -0,0 +1,29 @@
+name: CI
+
+on: [ push, pull_request ]
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - 2.4
+          - 2.5
+          - 2.6
+          - 2.7
+          - 3.0
+          - jruby
+          - truffleruby-head
+    name: Ruby ${{ matrix.ruby }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+      - name: Run tests
+        run: bundle exec rake test

data/.gitignore

@@ -5,7 +5,7 @@ doc/
 .yardoc/
 coverage/
 pkg/
-spec/bundle/*/Gemfile.lock
 spec/bundle/*/.bundle/
+spec/fixtures/database
 vendor/bundle/
 tmp/

data/.rspec

@@ -1 +1 @@
---colour --format documentation
+--colour --format documentation --exclude-pattern spec/fixtures/**/*_spec.rb

data/ChangeLog.md

@@ -1,3 +1,79 @@
+### 0.8.0 / 2021-03-10
+
+* No longer vendor [ruby-advisory-db].
+* Added {Bundler::Audit::Configuration}.
+  * Supports loading YAML configuration data from a `.bundler-audit.yml` file.
+* Added {Bundler::Audit::Results}.
+* Added {Bundler::Audit::Report}.
+* Added {Bundler::Audit::CLI::Formats}.
+* Added {Bundler::Audit::CLI::Formats::Text}.
+* Added {Bundler::Audit::CLI::Formats::JSON}.
+* Added {Bundler::Audit::Database::DEFAULT_PATH}.
+* Added {Bundler::Audit::Database.exists?}.
+* Added {Bundler::Audit::Database#git?}.
+* Added {Bundler::Audit::Database#update!}.
+  * Will raise a {Bundler::Audit::Database::UpdateFailed UpdateFailed}
+    exception, if the `git pull` command fails.
+* Added {Bundler::Audit::Database#last_updated_at}.
+* Added {Bundler::Audit::Scanner#report}.
+* {Bundler::Audit::Database::USER_PATH} is now `Gem.user_home` aware.
+  * `Gem.user_home` will try to infer `HOME`, even if it is not set.
+* {Bundler::Audit::Database#download} will now raise a
+  {Bundler::Audit::Database::DownloadFailed DownloadFailed} exception, if the
+  `git clone` command fails.
+* {Bundler::Audit::Scanner#initialize}:
+  * Now accepts an additional `database` and `config_dot_file` arguments.
+  * Will now raise a `Bundler::GemfileLockNotFound` exception,
+    if the given `Gemfile.lock` file cannot be found.
+* {Bundler::Audit::Scanner#scan_sources} will now ignore any source with a
+  `127.0.0.0/8` or `::1/128` IP address.
+* {Bundler::Audit::Scanner#scan_specs} will ignore any advisories listed in
+  {Bundler::Audit::Configuration#ignore}, which is loaded from the
+  `.bundler-audit.yml` file.
+* Deprecated {Bundler::Audit::Database.update!} in favor of
+  {Bundler::Audit::Database#update! #update!}.
+* Removed `Bundler::Audit::Database::VENDORED_PATH`.
+* Removed `Bundler::Audit::Database::VENDORED_TIMESTAMP`.
+
+#### CLI
+
+* Require [thor] ~> 1.0.
+* Added `bundler-audit stats`.
+* Added `bundler-audit download`.
+* `bundler-audit check`:
+  * Now accepts a optional `DIR` argument for the project directory.
+    * `bundler-audit check` will now print an explicit error message and exit,
+      if the given `DIR` does not exist.
+  * Will now auto-download [ruby-advisory-db] to ensure the latest advisory
+    information is used on first run.
+  * Now supports a `--database` option for specifying a path
+    to an alternative [ruby-advisory-db] copy.
+  * Now supports a `--gemfile-lock` option for specifying a
+    custom `Gemfile.lock` file within the project directory.
+  * Now supports a `--format` option for specifying the
+    desired format. `text` and `json` are supported, but other custom formats
+    can be loaded. See {Bundler::Audit::CLI::Formats}.
+  * Now supports a `--output` option for writing the report output to a file.
+  * Prints both CVE and GHSA IDs.
+* Print all error messages to stderr.
+* No longer print number of advisories in `bundler-audit version`.
+
+### 0.7.0.1 / 2020-06-12
+
+* Forgot to populate `data/ruby-advisory-db`.
+
+### 0.7.0 / 2020-06-12
+
+* Require [thor] >= 0.18, < 2.
+* Added {Bundler::Audit::Advisory#ghsa} (@rschultheis).
+* Added {Bundler::Audit::Advisory#cvss_v3} (@ahamlin-nr).
+* Added {Bundler::Audit::Advisory#identifiers} (@rschultheis).
+* Updated {Bundler::Audit::Advisory#criticality} ranges (@reedloden).
+* Avoid rebasing the ruby-advisory-db when updating (@nicknovitski).
+* Fixed issue with Bundler 2.x where source URIs are no longer parsed as
+  `URI::HTTP` objects, but as `Bundler::URI::HTTP` objects. (@milgner)
+* Make it more explicit that git is required for database updates (@fatkodima)
+
 ### 0.6.1 / 2019-01-17
 
 * Require bundler `>= 1.2.0, < 3` to support [bundler] 2.0.
@@ -19,9 +95,9 @@
 
 #### CLI
 
-* Added the `--update` option to `bundle-audit check`.
-* `bundle-audit update` now returns a non-zero exit status on error.
-* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
+* Added the `--update` option to `bundler-audit check`.
+* `bundler-audit update` now returns a non-zero exit status on error.
+* `bundler-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
   repository.
 
 ### 0.4.0 / 2015-06-30
@@ -59,7 +135,7 @@
 
 #### CLI
 
-* Added the `bundle-audit update` sub-command.
+* Added the `bundler-audit update` sub-command.
 
 ### 0.2.0 / 2013-03-05
 
@@ -126,4 +202,5 @@
 * [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
 
 [bundler]: http://gembundler.com/
+[thor]: http://whatisthor.com/
 [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme

data/Gemfile

@@ -4,7 +4,7 @@ gemspec
 
 group :development do
   gem 'rake'
-  gem 'kramdown',       '~> 0.14'
+  gem 'kramdown',       '~> 2.0'
 
   gem 'rubygems-tasks', '~> 0.2'
   gem 'rspec',          '~> 3.0'

data/README.md

@@ -1,11 +1,10 @@
 # bundler-audit
+[![CI](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml/badge.svg)](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml)
+[![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
 
 * [Homepage](https://github.com/rubysec/bundler-audit#readme)
 * [Issues](https://github.com/rubysec/bundler-audit/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
-* [Email](mailto:postmodern.mod3 at gmail.com)
-* [![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg)](https://travis-ci.org/rubysec/bundler-audit)
-* [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
 
 ## Description
 
@@ -23,7 +22,7 @@ Patch-level verification for [bundler].
 
 Audit a project's `Gemfile.lock`:
 
-    $ bundle audit
+    $ bundle-audit
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-91452
@@ -84,7 +83,7 @@ Audit a project's `Gemfile.lock`:
 
 Update the [ruby-advisory-db] that `bundle audit` uses:
 
-    $ bundle audit update
+    $ bundle-audit update
     Updating ruby-advisory-db ...
     remote: Counting objects: 44, done.
     remote: Compressing objects: 100% (24/24), done.
@@ -110,11 +109,27 @@ Update the [ruby-advisory-db] that `bundle audit` uses:
 
 Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
 
-    $ bundle audit check --update
+    $ bundle-audit check --update
+
+Checking the `Gemfile.lock` without updating the [ruby-advisory-db]:
+
+    $ bundle-audit check --no-update
 
 Ignore specific advisories:
 
-    $ bundle audit check --ignore OSVDB-108664
+    $ bundle-audit check --ignore OSVDB-108664
+
+Checking a custom `Gemfile.lock` file:
+
+    $ bundle-audit check --gemfile Gemfile.custom.lock
+
+Output the audit's results in JSON:
+
+    $ bundle-audit check --format json
+
+Output the audit's results in JSON, to a file:
+
+    $ bundle-audit check --format json --output bundle-audit.json
 
 Rake task:
 
@@ -125,26 +140,65 @@ Bundler::Audit::Task.new
 task default: 'bundle:audit'
 ```
 
+## Configuration File
+
+bundler-audit also supports a per-project configuration file:
+
+`.bundler-audit.yml`:
+
+    ---
+    ignore:
+      - CVE-YYYY-XXXX
+      - ...
+
+* `ignore:` \[Array\<String\>\] - A list of advisory IDs to ignore.
+
 ## Requirements
 
-* [ruby] >= 1.9.3
+* [git]
+* [ruby] >= 2.0.0
 * [rubygems] >= 1.8
-* [thor] ~> 0.18
-* [bundler] ~> 1.2
+* [thor] ~> 1.0
+* [bundler] >= 1.2.0, < 3
 
 ## Install
 
-    $ gem install bundler-audit
+    $ [sudo] gem install bundler-audit
+
+### Git
+
+* Debian / Ubuntu:
+
+      $ sudo apt install git
+
+* RedHat / Fedora:
+
+      $ sudo dnf install git
+
+* Alpine Linux:
+
+      $ apk add git
+
+* macOS:
+
+      $ brew install git
 
 ## Contributing
 
-1. Clone the repo
-1. `git submodule update --init` # To populate data/ruby-advisory-db
-1. `bundle exec rake`
+1. https://github.com/rubysec/bundler-audit/fork
+2. `git clone YOUR_FORK_URI`
+3. `cd bundler-audit/`
+4. `budle install`
+5. `bundle exec rake spec`
+6. `git checkout -b YOUR_FEATURE`
+7. Make your changes
+8. `bundle exec rake spec`
+9. `git commit -a`
+10. `git push origin YOUR_FEATURE`
 
 ## License
 
-Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -159,10 +213,12 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 
+[git]: https://git-scm.com
 [ruby]: https://ruby-lang.org
 [rubygems]: https://rubygems.org
 [thor]: http://whatisthor.com/
 [bundler]: https://github.com/carlhuda/bundler#readme
+[git]: https://github.com/git/git
 
 [OSVDB]: http://osvdb.org/
 [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db

data/Rakefile

@@ -14,40 +14,23 @@ require 'time'
 require 'rubygems/tasks'
 Gem::Tasks.new
 
-namespace :db do
-  desc 'Updates data/ruby-advisory-db'
-  task :update do
-    timestamp = nil
-
-    chdir 'data/ruby-advisory-db' do
-      sh 'git', 'pull', 'origin', 'master'
-
-      File.open('../ruby-advisory-db.ts','w') do |file|
-        file.write Time.parse(`git log --pretty="%cd" -1`).utc
-      end
-    end
-
-    sh 'git', 'commit', 'data/ruby-advisory-db',
-                        'data/ruby-advisory-db.ts',
-                        '-m', 'Updated ruby-advisory-db'
-  end
-end
-
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new
 
-namespace :spec do
-  task :bundle do
-    root = 'spec/bundle'
+%w[secure unpatched_gems insecure_sources].each do |bundle|
+  bundle_dir   = File.join('spec/bundle',bundle)
+  gemfile      = File.join(bundle_dir,'Gemfile')
+  gemfile_lock = File.join(bundle_dir,'Gemfile.lock')
 
-    %w[secure unpatched_gems insecure_sources].each do |bundle|
-      chdir(File.join(root,bundle)) do
-        sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
-      end
+  file gemfile_lock => gemfile do
+    chdir(bundle_dir) do
+      sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
     end
   end
+
+  desc "Generates the spec/bundler/*/Gemfile.lock files"
+  task 'spec:bundle' => gemfile_lock
 end
-task :spec => 'spec:bundle'
 
 task :test    => :spec
 task :default => :spec

data/bundler-audit.gemspec

@@ -26,13 +26,6 @@ Gem::Specification.new do |gem|
   gem.files = `git ls-files`.split($/)
   gem.files = glob[gemspec['files']] if gemspec['files']
 
-  # add paths from data/ruby-advisory-db/
-  gem.files += Dir.chdir('data/ruby-advisory-db') do
-    `git ls-files`.split($/).map do |sub_path|
-      File.join('data','ruby-advisory-db',sub_path)
-    end
-  end
-
   gem.executables = gemspec.fetch('executables') do
     glob['bin/*'].map { |path| File.basename(path) }
   end

data/gemspec.yml

@@ -6,9 +6,9 @@ authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme
 
-required_ruby_version: ">= 1.9.3"
+required_ruby_version: ">= 2.0.0"
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
-  thor: ~> 0.18
+  thor: "~> 1.0"
   bundler: ">= 1.2.0, < 3"

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -26,8 +26,10 @@ module Bundler
                                 :date,
                                 :description,
                                 :cvss_v2,
+                                :cvss_v3,
                                 :cve,
                                 :osvdb,
+                                :ghsa,
                                 :unaffected_versions,
                                 :patched_versions)
 
@@ -63,8 +65,10 @@ module Bundler
           data['date'],
           data['description'],
           data['cvss_v2'],
+          data['cvss_v3'],
           data['cve'],
           data['osvdb'],
+          data['ghsa'],
           parse_versions[data['unaffected_versions']],
           parse_versions[data['patched_versions']]
         )
@@ -88,17 +92,53 @@ module Bundler
         "OSVDB-#{osvdb}" if osvdb
       end
 
+      #
+      # The GHSA (GitHub Security Advisory) identifier
+      #
+      # @return [String, nil]
+      #
+      # @since 0.7.0
+      #
+      def ghsa_id
+        "GHSA-#{ghsa}" if ghsa
+      end
+
+      #
+      # Return a compacted list of all ids
+      #
+      # @return [Array<String>]
+      #
+      # @since 0.7.0
+      #
+      def identifiers
+        [
+          cve_id,
+          osvdb_id,
+          ghsa_id
+        ].compact
+      end
+
       #
       # Determines how critical the vulnerability is.
       #
-      # @return [:low, :medium, :high]
-      #   The criticality of the vulnerability based on the CVSSv2 score.
+      # @return [:none, :low, :medium, :high, :critical, nil]
+      #   The criticality of the vulnerability based on the CVSS score.
       #
       def criticality
-        case cvss_v2
-        when 0.0..3.3  then :low
-        when 3.3..6.6  then :medium
-        when 6.6..10.0 then :high
+        if cvss_v3
+          case cvss_v3
+          when 0.0       then :none
+          when 0.1..3.9  then :low
+          when 4.0..6.9  then :medium
+          when 7.0..8.9  then :high
+          when 9.0..10.0 then :critical
+          end
+        elsif cvss_v2
+          case cvss_v2
+          when 0.0..3.9  then :low
+          when 4.0..6.9  then :medium
+          when 7.0..10.0 then :high
+          end
         end
       end
 
@@ -149,6 +189,17 @@ module Bundler
         !patched?(version) && !unaffected?(version)
       end
 
+      #
+      # Compares two advisories.
+      #
+      # @param [Advisory] other
+      #
+      # @return [Boolean]
+      #
+      def ==(other)
+        id == other.id
+      end
+
       alias to_s id
 
     end