RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.9.0.1 - Mend

bundler-audit 0.6.1 → 0.9.0.1

Files changed (436) hide show

data/spec/advisory_spec.rb CHANGED Viewed

@@ -3,12 +3,15 @@ require 'bundler/audit/database'
 require 'bundler/audit/advisory'
 describe Bundler::Audit::Advisory do
-  let(:root) { Bundler::Audit::Database::VENDORED_PATH }
-  let(:gem)  { 'actionpack' }
-  let(:id)   { 'OSVDB-84243' }
-  let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
-  let(:an_unaffected_version) do
-    Bundler::Audit::Advisory.load(path).unaffected_versions.map { |version_rule|
+  let(:root) { Fixtures::DATABASE_PATH }
+  let(:gem)  { 'test' }
+  let(:id)   { 'CVE-2020-1234' }
+  let(:path) { Fixtures.join('advisory',"#{id}.yml") }
+  subject { described_class.load(path) }
+  let(:a_patched_version) do
+    subject.patched_versions.map { |version_rule|
       # For all the rules, get the individual constraints out and see if we
       # can find a suitable one...
       version_rule.requirements.select { |(constraint, gem_version)|
@@ -24,7 +27,22 @@ describe Bundler::Audit::Advisory do
     }.flatten.first
   end
-  subject { described_class.load(path) }
+  let(:an_unaffected_version) do
+    subject.unaffected_versions.map { |version_rule|
+      # For all the rules, get the individual constraints out and see if we
+      # can find a suitable one...
+      version_rule.requirements.select { |(constraint, gem_version)|
+        # We only want constraints where the version number specified is
+        # one of the unaffected version.  I.E. we don't want ">", "<", or if
+        # such a thing exists, "!=" constraints.
+        ['~>', '>=', '=', '<='].include?(constraint)
+      }.map { |(constraint, gem_version)|
+        # Fetch just the version component, which is a Gem::Version,
+        # and extract the string representation of the version.
+        gem_version.version
+      }
+    }.flatten.first
+  end
   describe "load" do
     let(:data) { YAML.load_file(path) }
@@ -54,14 +72,22 @@ describe Bundler::Audit::Advisory do
       it { is_expected.to eq(data['cvss_v2'])     }
     end
+    describe '#cvss_v3' do
+      subject { super().cvss_v3 }
+      it { is_expected.to eq(data['cvss_v3'])     }
+    end
     describe '#description' do
       subject { super().description }
       it { is_expected.to eq(data['description']) }
     end
     context "YAML data not representing a hash" do
+      let(:path) do
+        File.expand_path('../fixtures/advisory/not_a_hash.yml', __FILE__)
+      end
       it "should raise an exception" do
-        path = File.expand_path('../fixtures/not_a_hash.yml', __FILE__)
         expect {
           Advisory.load(path)
         }.to raise_exception("advisory data in #{path.dump} was not a Hash")
@@ -123,28 +149,79 @@ describe Bundler::Audit::Advisory do
     end
   end
+  describe "#ghsa_id" do
+    let(:ghsa) { "xfhh-rx56-rxcr" }
+    subject do
+      described_class.new.tap do |advisory|
+        advisory.ghsa = ghsa
+      end
+    end
+    it "should prepend GHSA- to the GHSA id" do
+      expect(subject.ghsa_id).to be == "GHSA-#{ghsa}"
+    end
+    context "when ghsa is nil" do
+      subject { described_class.new }
+      it { expect(subject.ghsa_id).to be_nil }
+    end
+  end
+  describe "#identifiers" do
+    it "should include all identifiers if defined" do
+      advisory = described_class.new.tap do |advisory|
+        advisory.cve = "2018-1234"
+        advisory.osvdb = "2019-2345"
+        advisory.ghsa = "2020-3456"
+      end
+      expect(advisory.identifiers).to eq([
+        "CVE-2018-1234",
+        "OSVDB-2019-2345",
+        "GHSA-2020-3456"
+      ])
+    end
+    it "should exclude nil identifiers" do
+      advisory = described_class.new
+      expect(advisory.identifiers).to eq([])
+      advisory = described_class.new.tap do |advisory|
+        advisory.cve = "2018-1234"
+      end
+      expect(advisory.identifiers).to eq(["CVE-2018-1234"])
+      advisory = described_class.new.tap do |advisory|
+        advisory.ghsa = "2020-3456"
+      end
+      expect(advisory.identifiers).to eq(["GHSA-2020-3456"])
+    end
+  end
   describe "#criticality" do
-    context "when cvss_v2 is between 0.0 and 3.3" do
+    context "when cvss_v2 is between 0.0 and 3.9" do
       subject do
         described_class.new.tap do |advisory|
-          advisory.cvss_v2 = 3.3
+          advisory.cvss_v2 = 3.9
         end
       end
       it { expect(subject.criticality).to eq(:low) }
     end
-    context "when cvss_v2 is between 3.3 and 6.6" do
+    context "when cvss_v2 is between 4.0 and 6.9" do
       subject do
         described_class.new.tap do |advisory|
-          advisory.cvss_v2 = 6.6
+          advisory.cvss_v2 = 6.9
         end
       end
       it { expect(subject.criticality).to eq(:medium) }
     end
-    context "when cvss_v2 is between 6.6 and 10.0" do
+    context "when cvss_v2 is between 7.0 and 10.0" do
       subject do
         described_class.new.tap do |advisory|
           advisory.cvss_v2 = 10.0
@@ -153,6 +230,56 @@ describe Bundler::Audit::Advisory do
       it { expect(subject.criticality).to eq(:high) }
     end
+    context "when cvss_v3 is 0.0" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 0.0
+        end
+      end
+      it { expect(subject.criticality).to eq(:none) }
+    end
+    context "when cvss_v3 is between 0.1 and 3.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 3.9
+        end
+      end
+      it { expect(subject.criticality).to eq(:low) }
+    end
+    context "when cvss_v3 is between 4.0 and 6.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 6.9
+        end
+      end
+      it { expect(subject.criticality).to eq(:medium) }
+    end
+    context "when cvss_v3 is between 7.0 and 8.9" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 8.9
+        end
+      end
+      it { expect(subject.criticality).to eq(:high) }
+    end
+    context "when cvss_v3 is between 9.0 and 10.0" do
+      subject do
+        described_class.new.tap do |advisory|
+          advisory.cvss_v3 = 10.0
+        end
+      end
+      it { expect(subject.criticality).to eq(:critical) }
+    end
   end
   describe "#unaffected?" do
@@ -175,7 +302,7 @@ describe Bundler::Audit::Advisory do
   describe "#patched?" do
     context "when passed a version that matches one patched version" do
-      let(:version) { Gem::Version.new('3.1.11') }
+      let(:version) { Gem::Version.new(a_patched_version) }
       it "should return true" do
         expect(subject.patched?(version)).to be_truthy
@@ -183,7 +310,7 @@ describe Bundler::Audit::Advisory do
     end
     context "when passed a version that matches no patched version" do
-      let(:version) { Gem::Version.new('2.9.0') }
+      let(:version) { Gem::Version.new('0.1.1') }
       it "should return false" do
         expect(subject.patched?(version)).to be_falsey
@@ -193,7 +320,7 @@ describe Bundler::Audit::Advisory do
   describe "#vulnerable?" do
     context "when passed a version that matches one patched version" do
-      let(:version) { Gem::Version.new('3.1.11') }
+      let(:version) { Gem::Version.new(a_patched_version) }
       it "should return false" do
         expect(subject.vulnerable?(version)).to be_falsey
@@ -201,15 +328,13 @@ describe Bundler::Audit::Advisory do
     end
     context "when passed a version that matches no patched version" do
-      let(:version) { Gem::Version.new('2.9.0') }
+      let(:version) { Gem::Version.new('0.1.1') }
       it "should return true" do
         expect(subject.vulnerable?(version)).to be_truthy
       end
       context "when unaffected_versions is not empty" do
-        subject { described_class.load(path) }
         context "when passed a version that matches one unaffected version" do
           let(:version) { Gem::Version.new(an_unaffected_version) }
@@ -219,7 +344,7 @@ describe Bundler::Audit::Advisory do
         end
         context "when passed a version that matches no unaffected version" do
-          let(:version) { Gem::Version.new('1.2.3') }
+          let(:version) { Gem::Version.new('0.1.0') }
           it "should return true" do
             expect(subject.vulnerable?(version)).to be_truthy
@@ -228,4 +353,12 @@ describe Bundler::Audit::Advisory do
       end
     end
   end
+  describe "#to_h" do
+    subject { super().to_h }
+    it "must include criticality: :critical" do
+      expect(subject[:criticality]).to be :critical
+    end
+  end
 end

data/spec/bundle/insecure_sources/Gemfile.lock ADDED Viewed

@@ -0,0 +1,151 @@
+GIT
+  remote: git://github.com/rails/jquery-rails.git
+  revision: a8b003d726522cf663611c114d8f0e79abf8d200
+  specs:
+    jquery-rails (4.4.0)
+      rails-dom-testing (>= 1, < 3)
+      railties (>= 4.2.0)
+      thor (>= 0.14, < 2.0)
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actioncable (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailbox (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      mail (>= 2.7.1)
+    actionmailer (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      actionview (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (6.1.3.2)
+      actionview (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      rack (~> 2.0, >= 2.0.9)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      nokogiri (>= 1.8.5)
+    actionview (6.1.3.2)
+      activesupport (= 6.1.3.2)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.1.3.2)
+      activesupport (= 6.1.3.2)
+      globalid (>= 0.3.6)
+    activemodel (6.1.3.2)
+      activesupport (= 6.1.3.2)
+    activerecord (6.1.3.2)
+      activemodel (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+    activestorage (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      marcel (~> 1.0.0)
+      mini_mime (~> 1.0.2)
+    activesupport (6.1.3.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
+    builder (3.2.4)
+    concurrent-ruby (1.1.8)
+    crass (1.0.6)
+    erubi (1.10.0)
+    globalid (0.4.2)
+      activesupport (>= 4.2.0)
+    i18n (1.8.10)
+      concurrent-ruby (~> 1.0)
+    loofah (2.9.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    marcel (1.0.1)
+    method_source (1.0.0)
+    mini_mime (1.0.3)
+    mini_portile2 (2.5.1)
+    minitest (5.14.4)
+    nio4r (2.5.7)
+    nokogiri (1.11.6)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    nokogiri (1.11.6-x86_64-linux)
+      racc (~> 1.4)
+    racc (1.5.2)
+    rack (2.2.3)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails (6.1.3.2)
+      actioncable (= 6.1.3.2)
+      actionmailbox (= 6.1.3.2)
+      actionmailer (= 6.1.3.2)
+      actionpack (= 6.1.3.2)
+      actiontext (= 6.1.3.2)
+      actionview (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activemodel (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      bundler (>= 1.15.0)
+      railties (= 6.1.3.2)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      method_source
+      rake (>= 0.8.7)
+      thor (~> 1.0)
+    rake (13.0.3)
+    sprockets (4.0.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.2)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (1.1.0)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    websocket-driver (0.7.4)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.5)
+    zeitwerk (2.4.2)
+PLATFORMS
+  ruby
+  x86_64-linux
+DEPENDENCIES
+  jquery-rails!
+  rails
+BUNDLED WITH
+   2.2.0

data/spec/bundle/secure/Gemfile CHANGED Viewed

@@ -1,3 +1,4 @@
 source 'https://rubygems.org'
 gem 'rails', '~> 5.2'
+gem 'rails-html-sanitizer', '~> 1.0.3'

data/spec/bundle/secure/Gemfile.lock ADDED Viewed

@@ -0,0 +1,123 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (5.2.6)
+      actionpack (= 5.2.6)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailer (5.2.6)
+      actionpack (= 5.2.6)
+      actionview (= 5.2.6)
+      activejob (= 5.2.6)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.2.6)
+      actionview (= 5.2.6)
+      activesupport (= 5.2.6)
+      rack (~> 2.0, >= 2.0.8)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.6)
+      activesupport (= 5.2.6)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.2.6)
+      activesupport (= 5.2.6)
+      globalid (>= 0.3.6)
+    activemodel (5.2.6)
+      activesupport (= 5.2.6)
+    activerecord (5.2.6)
+      activemodel (= 5.2.6)
+      activesupport (= 5.2.6)
+      arel (>= 9.0)
+    activestorage (5.2.6)
+      actionpack (= 5.2.6)
+      activerecord (= 5.2.6)
+      marcel (~> 1.0.0)
+    activesupport (5.2.6)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    arel (9.0.0)
+    builder (3.2.4)
+    concurrent-ruby (1.1.8)
+    crass (1.0.6)
+    erubi (1.10.0)
+    globalid (0.4.2)
+      activesupport (>= 4.2.0)
+    i18n (1.8.10)
+      concurrent-ruby (~> 1.0)
+    loofah (2.9.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    marcel (1.0.1)
+    method_source (1.0.0)
+    mini_mime (1.1.0)
+    mini_portile2 (2.5.1)
+    minitest (5.14.4)
+    nio4r (2.5.7)
+    nokogiri (1.11.6)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    nokogiri (1.11.6-x86_64-linux)
+      racc (~> 1.4)
+    racc (1.5.2)
+    rack (2.2.3)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails (5.2.6)
+      actioncable (= 5.2.6)
+      actionmailer (= 5.2.6)
+      actionpack (= 5.2.6)
+      actionview (= 5.2.6)
+      activejob (= 5.2.6)
+      activemodel (= 5.2.6)
+      activerecord (= 5.2.6)
+      activestorage (= 5.2.6)
+      activesupport (= 5.2.6)
+      bundler (>= 1.3.0)
+      railties (= 5.2.6)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.6)
+      actionpack (= 5.2.6)
+      activesupport (= 5.2.6)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.19.0, < 2.0)
+    rake (13.0.3)
+    sprockets (4.0.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.2)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (1.1.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.9)
+      thread_safe (~> 0.1)
+    websocket-driver (0.7.4)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.5)
+PLATFORMS
+  ruby
+  x86_64-linux
+DEPENDENCIES
+  rails (~> 5.2)
+  rails-html-sanitizer (~> 1.0.3)
+BUNDLED WITH
+   2.2.0

data/spec/bundle/unpatched_gems/Gemfile CHANGED Viewed

@@ -1,3 +1,3 @@
 source 'https://rubygems.org'
-gem 'activerecord', '4.2.7'
+gem 'activerecord', '3.2.10'

data/spec/bundle/unpatched_gems/Gemfile.lock ADDED Viewed

@@ -0,0 +1,31 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (3.2.10)
+      activesupport (= 3.2.10)
+      builder (~> 3.0.0)
+    activerecord (3.2.10)
+      activemodel (= 3.2.10)
+      activesupport (= 3.2.10)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
+    activesupport (3.2.10)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    arel (3.0.3)
+    builder (3.0.4)
+    concurrent-ruby (1.1.7)
+    i18n (0.9.5)
+      concurrent-ruby (~> 1.0)
+    multi_json (1.15.0)
+    tzinfo (0.3.58)
+PLATFORMS
+  ruby
+  x86_64-linux
+DEPENDENCIES
+  activerecord (= 3.2.10)
+BUNDLED WITH
+   2.2.0

data/spec/bundle/unpatched_gems_with_dot_configuration/.bundler-audit.yml ADDED Viewed

@@ -0,0 +1,3 @@
+---
+ignore:
+- OSVDB-89025

data/spec/bundle/unpatched_gems_with_dot_configuration/Gemfile ADDED Viewed

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+gem 'activerecord', '3.2.10'

data/spec/bundle/unpatched_gems_with_dot_configuration/Gemfile.lock ADDED Viewed

@@ -0,0 +1,31 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (3.2.10)
+      activesupport (= 3.2.10)
+      builder (~> 3.0.0)
+    activerecord (3.2.10)
+      activemodel (= 3.2.10)
+      activesupport (= 3.2.10)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
+    activesupport (3.2.10)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    arel (3.0.3)
+    builder (3.0.4)
+    concurrent-ruby (1.1.7)
+    i18n (0.9.5)
+      concurrent-ruby (~> 1.0)
+    multi_json (1.15.0)
+    tzinfo (0.3.58)
+PLATFORMS
+  ruby
+  x86_64-linux
+DEPENDENCIES
+  activerecord (= 3.2.10)
+BUNDLED WITH
+   2.2.0