RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.9.0.1 - Mend

bundler-audit 0.6.1 → 0.9.0.1

Files changed (436) hide show

data/lib/bundler/audit/report.rb ADDED Viewed

@@ -0,0 +1,149 @@
+require 'bundler/audit/results'
+require 'bundler/audit/version'
+require 'time'
+module Bundler
+  module Audit
+    #
+    # Represents the result of a scan.
+    #
+    class Report
+      include Enumerable
+      # The version of `bundler-audit` which created the report object.
+      #
+      # @return [String]
+      attr_reader :version
+      # The time when the report was generated.
+      #
+      # @return [Time]
+      attr_reader :created_at
+      # The list of all results.
+      #
+      # @return [Array<Results::Result>]
+      attr_reader :results
+      # The insecure sources results.
+      #
+      # @return [Array<Results::InsecureSources>]
+      attr_reader :insecure_sources
+      # The unpatched gems results.
+      #
+      # @return [Array<Results::UnpatchedGems>]
+      attr_reader :unpatched_gems
+      #
+      # Initializes the report.
+      #
+      # @param [#each] results
+      #
+      def initialize(results=[])
+        @version    = VERSION
+        @created_at = Time.now
+        @results = []
+        @insecure_sources = []
+        @unpatched_gems = []
+        results.each { |result| self << result }
+      end
+      #
+      # Enumerates over the results.
+      #
+      # @yield [result]
+      #
+      # @yieldparam [Results::InsecureSource, Results::UnpatchedGem] result
+      #
+      # @return [Enumerator]
+      #
+      def each(&block)
+        @results.each(&block)
+      end
+      #
+      # Appends a result to the report.
+      #
+      # @param [InsecureSource, UnpatchedGem] result
+      #
+      def <<(result)
+        @results << result
+        case result
+        when Results::InsecureSource
+          @insecure_sources << result
+        when Results::UnpatchedGem
+          @unpatched_gems << result
+        end
+        return self
+      end
+      #
+      # Determines if there were vulnerabilities found.
+      #
+      # @return [Boolean]
+      #
+      def vulnerable?
+        !@results.empty?
+      end
+      #
+      # @yield [advisory]
+      #
+      # @yieldparam [Advisory] advisory
+      #
+      # @return [Enumerator]
+      #
+      def each_advisory
+        return enum_for(__method__) unless block_given?
+        @unpatched_gems.each { |result| yield result.advisory }
+      end
+      #
+      # @return [Array<Advisory>]
+      #
+      def advisories
+        @unpatched_gems.map(&:advisory)
+      end
+      #
+      # @yield [gem]
+      #
+      # @yieldparam [Gem::Specification]
+      #
+      # @return [Enumerator]
+      #
+      def each_vulnerable_gem
+        return enum_for(__method__) unless block_given?
+        @unpatched_gems.each { |result| yield result.gem }
+      end
+      #
+      # @return [Array<Gem::Specification>]
+      #
+      def vulnerable_gems
+        @unpatched_gems.map(&:gem)
+      end
+      #
+      # @return [Hash{Symbol => Object}]
+      #
+      def to_h
+        {
+          version:    @version,
+          created_at: @created_at,
+          results:    @results.map(&:to_h)
+        }
+      end
+    end
+  end
+end

data/lib/bundler/audit/results/insecure_source.rb ADDED Viewed

@@ -0,0 +1,78 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+require 'bundler/audit/results/result'
+module Bundler
+  module Audit
+    module Results
+      #
+      # Represents an insecure gem source (ex: `git://...` or `http://...`).
+      #
+      class InsecureSource < Result
+        # The insecure `git://` or `http://` URI.
+        #
+        # @return [URI::Generic, URI::HTTP]
+        attr_reader :source
+        #
+        # Initializes the insecure source result.
+        #
+        # @param [URI::Generic, URI::HTTP] source
+        #   The insecure `git://` or `http://` URI.
+        #
+        def initialize(source)
+          @source = source
+        end
+        #
+        # Compares the insecure source with another result.
+        #
+        # @param [Result] other
+        #
+        # @return [Boolean]
+        #
+        def ==(other)
+          self.class == other.class && @source == other.source
+        end
+        #
+        # Converts the insecure source result to a String.
+        #
+        # @return [String]
+        #
+        def to_s
+          @source.to_s
+        end
+        #
+        # Converts the insecure source into a Hash.
+        #
+        # @return [Hash{Symbol => Object}]
+        #
+        def to_h
+          {
+            type: :insecure_source,
+            source: @source
+          }
+        end
+      end
+    end
+  end
+end

data/lib/bundler/audit/results/result.rb ADDED Viewed

@@ -0,0 +1,21 @@
+module Bundler
+  module Audit
+    module Results
+      #
+      # @abstract
+      #
+      class Result
+        #
+        # @return [Hash{Symbol => Object}]
+        #
+        # @abstract
+        #
+        def to_h
+          raise(NotImplementedError,"#{self.class}#to_h not implemented!")
+        end
+      end
+    end
+  end
+end

data/lib/bundler/audit/results/unpatched_gem.rb ADDED Viewed

@@ -0,0 +1,98 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+require 'bundler/audit/results/result'
+require 'uri'
+module Bundler
+  module Audit
+    module Results
+      #
+      # Represents a gem version that has known vulnerabilities and needs to be
+      # upgraded.
+      #
+      class UnpatchedGem < Result
+        # The specification of the vulnerable gem.
+        #
+        # @return [Gem::Specification]
+        attr_reader :gem
+        # The advisory documenting the vulnerability.
+        #
+        # @return [Advisory]
+        attr_reader :advisory
+        #
+        # Initializes the unpatched gem result.
+        #
+        # @param [Gem::Specification] gem
+        #   The specification of the vulnerable gem.
+        #
+        # @param [Advisory] advisory
+        #   The advisory documenting the vulnerability.
+        #
+        def initialize(gem,advisory)
+          @gem      = gem
+          @advisory = advisory
+        end
+        #
+        # Compares the unpatched gem to another result.
+        #
+        # @param [Result] other
+        #
+        # @return [Boolean]
+        #
+        def ==(other)
+          self.class == other.class && (
+            @gem.name == other.gem.name &&
+            @gem.version == other.gem.version &&
+            @advisory == other.advisory
+          )
+        end
+        #
+        # Converts the unpatched gem result into a String.
+        #
+        # @return [String]
+        #
+        def to_s
+          @advisory.id
+        end
+        #
+        # Converts the unpatched gem to a Hash.
+        #
+        # @return [Hash{Symbol => Object}]
+        #
+        def to_h
+          {
+            type: :unpatched_gem,
+            gem:  {
+              name: @gem.name,
+              version: @gem.version
+            },
+            advisory: @advisory.to_h
+          }
+        end
+      end
+    end
+  end
+end

data/lib/bundler/audit/results.rb ADDED Viewed

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+require 'bundler/audit/results/insecure_source'
+require 'bundler/audit/results/unpatched_gem'

data/lib/bundler/audit/scanner.rb CHANGED Viewed

@@ -1,22 +1,41 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
 require 'bundler'
+require 'bundler/audit/configuration'
 require 'bundler/audit/database'
+require 'bundler/audit/report'
+require 'bundler/audit/results/insecure_source'
+require 'bundler/audit/results/unpatched_gem'
 require 'bundler/lockfile_parser'
 require 'ipaddr'
 require 'resolv'
 require 'set'
 require 'uri'
+require 'yaml'
 module Bundler
   module Audit
+    #
+    # Scans a `Gemfile.lock` for security issues.
+    #
     class Scanner
-      # Represents a plain-text source
-      InsecureSource = Struct.new(:source)
-      # Represents a gem that is covered by an Advisory
-      UnpatchedGem = Struct.new(:gem, :advisory)
       # The advisory database
       #
       # @return [Database]
@@ -30,6 +49,11 @@ module Bundler
       # @return [Bundler::LockfileParser]
       attr_reader :lockfile
+      # The configuration loaded from the `.bundler-audit.yml` file from the project
+      #
+      # @return [Hash]
+      attr_reader :config
       #
       # Initializes a scanner.
       #
@@ -39,12 +63,65 @@ module Bundler
       # @param [String] gemfile_lock
       #   Alternative name for the `Gemfile.lock` file.
       #
-      def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock')
+      # @param [Database] database
+      #   The database to scan against.
+      #
+      # @param [String] config_dot_file
+      #   The file name of the bundler-audit config file.
+      #
+      # @raise [Bundler::GemfileLockNotFound]
+      #   The `gemfile_lock` file could not be found within the `root`
+      #   directory.
+      #
+      def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock',database=Database.new,config_dot_file='.bundler-audit.yml')
         @root     = File.expand_path(root)
-        @database = Database.new
-        @lockfile = LockfileParser.new(
-          File.read(File.join(@root,gemfile_lock))
-        )
+        @database = database
+        gemfile_lock_path = File.join(@root,gemfile_lock)
+        unless File.file?(gemfile_lock_path)
+          raise(Bundler::GemfileLockNotFound,"Could not find #{gemfile_lock.inspect} in #{@root.inspect}")
+        end
+        @lockfile = LockfileParser.new(File.read(gemfile_lock_path))
+        config_dot_file_full_path = File.absolute_path(config_dot_file, @root)
+        @config = if File.exist?(config_dot_file_full_path)
+                    Configuration.load(config_dot_file_full_path)
+                  else
+                    Configuration.new
+                  end
+      end
+      #
+      # Preforms a {#scan} and collects the results into a {Report report}.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [Results::InsecureSource, Results::UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Report]
+      #
+      # @since 0.8.0
+      #
+      def report(options={})
+        report = Report.new()
+        scan(options) do |result|
+          report << result
+          yield result if block_given?
+        end
+        return report
       end
       #
@@ -59,7 +136,7 @@ module Bundler
       # @yield [result]
       #   The given block will be passed the results of the scan.
       #
-      # @yieldparam [InsecureSource, UnpatchedGem] result
+      # @yieldparam [Results::InsecureSource, Results::UnpatchedGem] result
       #   A result from the scan.
       #
       # @return [Enumerator]
@@ -68,9 +145,6 @@ module Bundler
       def scan(options={},&block)
         return enum_for(__method__,options) unless block
-        ignore = Set[]
-        ignore += options[:ignore] if options[:ignore]
         scan_sources(options,&block)
         scan_specs(options,&block)
@@ -86,7 +160,7 @@ module Bundler
       # @yield [result]
       #   The given block will be passed the results of the scan.
       #
-      # @yieldparam [InsecureSource] result
+      # @yieldparam [Results::InsecureSource] result
       #   A result from the scan.
       #
       # @return [Enumerator]
@@ -105,13 +179,13 @@ module Bundler
             case source.uri
             when /^git:/, /^http:/
               unless internal_source?(source.uri)
-                yield InsecureSource.new(source.uri)
+                yield Results::InsecureSource.new(source.uri)
               end
             end
           when Source::Rubygems
             source.remotes.each do |uri|
               if (uri.scheme == 'http' && !internal_source?(uri))
-                yield InsecureSource.new(uri.to_s)
+                yield Results::InsecureSource.new(uri.to_s)
               end
             end
           end
@@ -130,7 +204,7 @@ module Bundler
       # @yield [result]
       #   The given block will be passed the results of the scan.
       #
-      # @yieldparam [UnpatchedGem] result
+      # @yieldparam [Results::UnpatchedGem] result
       #   A result from the scan.
       #
       # @return [Enumerator]
@@ -143,15 +217,16 @@ module Bundler
       def scan_specs(options={})
         return enum_for(__method__,options) unless block_given?
-        ignore = Set[]
-        ignore += options[:ignore] if options[:ignore]
+        ignore = if options[:ignore] then Set.new(options[:ignore])
+                 else                     config.ignore
+                 end
         @lockfile.specs.each do |gem|
           @database.check_gem(gem) do |advisory|
-            unless (ignore.include?(advisory.cve_id) ||
-                    ignore.include?(advisory.osvdb_id))
-              yield UnpatchedGem.new(gem,advisory)
-            end
+            is_ignored = ignore.intersect?(advisory.identifiers.to_set)
+            next if is_ignored
+            yield Results::UnpatchedGem.new(gem,advisory)
           end
         end
       end
@@ -167,7 +242,7 @@ module Bundler
       # @return [Boolean]
       #
       def internal_source?(uri)
-        uri = URI(uri)
+        uri = URI.parse(uri.to_s)
         internal_host?(uri.host) if uri.host
       end
@@ -190,11 +265,15 @@ module Bundler
       #
       # @see https://tools.ietf.org/html/rfc1918#section-3
       # @see https://tools.ietf.org/html/rfc4193#section-8
+      # @see https://tools.ietf.org/html/rfc6890#section-2.2.2
+      # @see https://tools.ietf.org/html/rfc6890#section-2.2.3
       INTERNAL_SUBNETS = %w[
         10.0.0.0/8
         172.16.0.0/12
         192.168.0.0/16
         fc00::/7
+        127.0.0.0/8
+        ::1/128
       ].map(&IPAddr.method(:new))
       #

data/lib/bundler/audit/task.rb CHANGED Viewed

@@ -2,6 +2,9 @@ require 'rake/tasklib'
 module Bundler
   module Audit
+    #
+    # Defines the `bundle:audit` rake tasks.
+    #
     class Task < Rake::TaskLib
       #
       # Initializes the task.
@@ -13,18 +16,28 @@ module Bundler
       protected
       #
-      # Defines the `bundle:audit` task.
+      # Defines the `bundle:audit` and `bundle:audit:update` task.
       #
       def define
         namespace :bundle do
-          desc 'Updates the ruby-advisory-db then runs bundle-audit'
-          task :audit do
-            require 'bundler/audit/cli'
-            %w(update check).each do |command|
-              Bundler::Audit::CLI.start [command]
+          namespace :audit do
+            desc 'Checks the Gemfile.lock for insecure dependencies'
+            task :check do
+              system 'bundler-audit', 'check'
+            end
+            desc 'Updates the bundler-audit vulnerability database'
+            task :update do
+              system 'bundler-audit', 'update'
             end
           end
+          task :audit => 'audit:check'
         end
+        task 'bundler:audit'        => 'bundle:audit'
+        task 'bundler:audit:check'  => 'bundle:audit:check'
+        task 'bundler:audit:update' => 'bundle:audit:update'
       end
     end
   end

data/lib/bundler/audit/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,12 +12,12 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.6.1'
+    VERSION = '0.9.0.1'
   end
 end

data/lib/bundler/audit.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2019 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 require 'bundler/audit/database'