bundler-audit 0.7.0.1 → 0.8.0.rc1

data/lib/bundler/audit/report.rb

@@ -0,0 +1,149 @@
+require 'bundler/audit/results'
+require 'bundler/audit/version'
+
+require 'time'
+
+module Bundler
+  module Audit
+    #
+    # Represents the result of a scan.
+    #
+    class Report
+
+      include Enumerable
+
+      # The version of `bundler-audit` which created the report object.
+      #
+      # @return [String]
+      attr_reader :version
+
+      # The time when the report was generated.
+      #
+      # @return [Time]
+      attr_reader :created_at
+
+      # The list of all results.
+      #
+      # @return [Array<Results::Result>]
+      attr_reader :results
+
+      # The insecure sources results.
+      #
+      # @return [Array<Results::InsecureSources>]
+      attr_reader :insecure_sources
+
+      # The unpatched gems results.
+      #
+      # @return [Array<Results::UnpatchedGems>]
+      attr_reader :unpatched_gems
+
+      #
+      # Initializes the report.
+      #
+      # @param [#each] results
+      #
+      def initialize(results=[])
+        @version    = VERSION
+        @created_at = Time.now
+
+        @results = []
+        @insecure_sources = []
+        @unpatched_gems = []
+
+        results.each { |result| self << result }
+      end
+
+      #
+      # Enumerates over the results.
+      #
+      # @yield [result]
+      #
+      # @yieldparam [Results::InsecureSource, Results::UnpatchedGem] result
+      #
+      # @return [Enumerator]
+      #
+      def each(&block)
+        @results.each(&block)
+      end
+
+      #
+      # Appends a result to the report.
+      #
+      # @param [InsecureSource, UnpatchedGem] result
+      #
+      def <<(result)
+        @results << result
+
+        case result
+        when Results::InsecureSource
+          @insecure_sources << result
+        when Results::UnpatchedGem
+          @unpatched_gems << result
+        end
+
+        return self
+      end
+
+      #
+      # Determines if there were vulnerabilities found.
+      #
+      # @return [Boolean]
+      #
+      def vulnerable?
+        !@results.empty?
+      end
+
+      #
+      # @yield [advisory]
+      #
+      # @yieldparam [Advisory] advisory
+      #
+      # @return [Enumerator]
+      #
+      def each_advisory
+        return enum_for(__method__) unless block_given?
+
+        @unpatched_gems.each { |result| yield result.advisory }
+      end
+
+      #
+      # @return [Array<Advisory>]
+      #
+      def advisories
+        @unpatched_gems.map(&:advisory)
+      end
+
+      #
+      # @yield [gem]
+      #
+      # @yieldparam [Gem::Specification]
+      #
+      # @return [Enumerator]
+      #
+      def each_vulnerable_gem
+        return enum_for(__method__) unless block_given?
+
+        @unpatched_gems.each { |result| yield result.gem }
+      end
+
+      #
+      # @return [Array<Gem::Specification>]
+      #
+      def vulnerable_gems
+        @unpatched_gems.map(&:gem)
+      end
+
+      #
+      # @return [Hash{Symbol => Object}]
+      #
+      def to_h
+        {
+          version:    @version,
+          created_at: @created_at,
+          results:    @results.map(&:to_h)
+        }
+      end
+
+    end
+  end
+end

data/lib/bundler/audit/results.rb

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler/audit/results/insecure_source'
+require 'bundler/audit/results/unpatched_gem'

data/lib/bundler/audit/results/insecure_source.rb

@@ -0,0 +1,75 @@
+#
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler/audit/results/result'
+
+module Bundler
+  module Audit
+    module Results
+      class InsecureSource < Result
+
+        # The insecure `git://` or `http://` URI.
+        #
+        # @return [URI::Generic, URI::HTTP]
+        attr_reader :source
+
+        #
+        # Initializes the insecure source result.
+        #
+        # @param [URI::Generic, URI::HTTP] source
+        #   The insecure `git://` or `http://` URI.
+        #
+        def initialize(source)
+          @source = source
+        end
+
+        #
+        # Compares the insecure source with another result.
+        #
+        # @param [Result] other
+        #
+        # @return [Boolean]
+        #
+        def ==(other)
+          self.class == other.class && @source == other.source
+        end
+
+        #
+        # Converts the insecure source result to a String.
+        #
+        # @return [String]
+        #
+        def to_s
+          @source.to_s
+        end
+
+        #
+        # Converts the insecure source into a Hash.
+        #
+        # @return [Hash{Symbol => Object}]
+        #
+        def to_h
+          {
+            type: :insecure_source,
+            source: @source
+          }
+        end
+
+      end
+    end
+  end
+end

data/lib/bundler/audit/results/result.rb

@@ -0,0 +1,21 @@
+module Bundler
+  module Audit
+    module Results
+      #
+      # @abstract
+      #
+      class Result
+
+        #
+        # @return [Hash{Symbol => Object}]
+        #
+        # @abstract
+        #
+        def to_h
+          raise(NotImplementedError,"#{self.class}#to_h not implemented!")
+        end
+
+      end
+    end
+  end
+end

data/lib/bundler/audit/results/unpatched_gem.rb

@@ -0,0 +1,94 @@
+#
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler/audit/results/result'
+
+require 'uri'
+
+module Bundler
+  module Audit
+    module Results
+      class UnpatchedGem < Result
+
+        # The specification of the vulnerable gem.
+        #
+        # @return [Gem::Specification]
+        attr_reader :gem
+
+        # The advisory documenting the vulnerability.
+        #
+        # @return [Advisory]
+        attr_reader :advisory
+
+        #
+        # Initializes the unpatched gem result.
+        #
+        # @param [Gem::Specification] gem
+        #   The specification of the vulnerable gem.
+        #
+        # @param [Advisory] advisory
+        #   The advisory documenting the vulnerability.
+        #
+        def initialize(gem,advisory)
+          @gem      = gem
+          @advisory = advisory
+        end
+
+        #
+        # Compares the unpatched gem to another result.
+        #
+        # @param [Result] other
+        #
+        # @return [Boolean]
+        #
+        def ==(other)
+          self.class == other.class && (
+            @gem.name == other.gem.name &&
+            @gem.version == other.gem.version &&
+            @advisory == other.advisory
+          )
+        end
+
+        #
+        # Converts the unpatched gem result into a String.
+        #
+        # @return [String]
+        #
+        def to_s
+          @advisory.id
+        end
+
+        #
+        # Converts the unpached gem to a Hash.
+        #
+        # @return [Hash{Symbol => Object}]
+        #
+        def to_h
+          {
+            type: :unpatched_gem,
+            gem:  {
+              name: @gem.name,
+              version: @gem.version
+            },
+            advisory: @advisory.to_h
+          }
+        end
+
+      end
+    end
+  end
+end

data/lib/bundler/audit/scanner.rb

@@ -1,22 +1,38 @@
+#
+# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
 require 'bundler'
+require 'bundler/audit/configuration'
 require 'bundler/audit/database'
+require 'bundler/audit/report'
+require 'bundler/audit/results/insecure_source'
+require 'bundler/audit/results/unpatched_gem'
 require 'bundler/lockfile_parser'
 
 require 'ipaddr'
 require 'resolv'
 require 'set'
 require 'uri'
+require 'yaml'
 
 module Bundler
   module Audit
     class Scanner
 
-      # Represents a plain-text source
-      InsecureSource = Struct.new(:source)
-
-      # Represents a gem that is covered by an Advisory
-      UnpatchedGem = Struct.new(:gem, :advisory)
-
       # The advisory database
       #
       # @return [Database]
@@ -30,6 +46,11 @@ module Bundler
       # @return [Bundler::LockfileParser]
       attr_reader :lockfile
 
+      # The configuration loaded from the `.bundler-audit.yml` file from the project
+      #
+      # @return [Hash]
+      attr_reader :config
+
       #
       # Initializes a scanner.
       #
@@ -39,12 +60,62 @@ module Bundler
       # @param [String] gemfile_lock
       #   Alternative name for the `Gemfile.lock` file.
       #
-      def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock')
+      # @param [Database] database
+      #   The database to scan against.
+      #
+      # @raise [Bundler::GemfileLockNotFound]
+      #   The `gemfile_lock` file could not be found within the `root`
+      #   directory.
+      #
+      def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock',database=Database.new,config_dot_file='.bundler-audit.yml')
         @root     = File.expand_path(root)
-        @database = Database.new
-        @lockfile = LockfileParser.new(
-          File.read(File.join(@root,gemfile_lock))
-        )
+        @database = database
+
+        gemfile_lock_path = File.join(@root,gemfile_lock)
+
+        unless File.file?(gemfile_lock_path)
+          raise(Bundler::GemfileLockNotFound,"Could not find #{gemfile_lock.inspect} in #{@root.inspect}")
+        end
+
+        @lockfile = LockfileParser.new(File.read(gemfile_lock_path))
+
+        config_dot_file_full_path = File.join(@root,config_dot_file)
+
+        @config = if File.exist?(config_dot_file_full_path)
+                    Configuration.load(config_dot_file_full_path)
+                  else
+                    Configuration.new
+                  end
+      end
+
+      #
+      # Preforms a {#scan} and collects the results into a {Report report}.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [Results::InsecureSource, Results::UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Report]
+      #
+      # @since 0.8.0
+      #
+      def report(options={})
+        report = Report.new()
+
+        scan(options) do |result|
+          report << result
+          yield result if block_given?
+        end
+
+        return report
       end
 
       #
@@ -59,7 +130,7 @@ module Bundler
       # @yield [result]
       #   The given block will be passed the results of the scan.
       #
-      # @yieldparam [InsecureSource, UnpatchedGem] result
+      # @yieldparam [Results::InsecureSource, Results::UnpatchedGem] result
       #   A result from the scan.
       #
       # @return [Enumerator]
@@ -68,9 +139,6 @@ module Bundler
       def scan(options={},&block)
         return enum_for(__method__,options) unless block
 
-        ignore = Set[]
-        ignore += options[:ignore] if options[:ignore]
-
         scan_sources(options,&block)
         scan_specs(options,&block)
 
@@ -86,7 +154,7 @@ module Bundler
       # @yield [result]
       #   The given block will be passed the results of the scan.
       #
-      # @yieldparam [InsecureSource] result
+      # @yieldparam [Results::InsecureSource] result
       #   A result from the scan.
       #
       # @return [Enumerator]
@@ -105,13 +173,13 @@ module Bundler
             case source.uri
             when /^git:/, /^http:/
               unless internal_source?(source.uri)
-                yield InsecureSource.new(source.uri)
+                yield Results::InsecureSource.new(source.uri)
               end
             end
           when Source::Rubygems
             source.remotes.each do |uri|
               if (uri.scheme == 'http' && !internal_source?(uri))
-                yield InsecureSource.new(uri.to_s)
+                yield Results::InsecureSource.new(uri.to_s)
               end
             end
           end
@@ -130,7 +198,7 @@ module Bundler
       # @yield [result]
       #   The given block will be passed the results of the scan.
       #
-      # @yieldparam [UnpatchedGem] result
+      # @yieldparam [Results::UnpatchedGem] result
       #   A result from the scan.
       #
       # @return [Enumerator]
@@ -143,15 +211,16 @@ module Bundler
       def scan_specs(options={})
         return enum_for(__method__,options) unless block_given?
 
-        ignore = Set[]
-        ignore += options[:ignore] if options[:ignore]
+        ignore = if options[:ignore] then Set.new(options[:ignore])
+                 else                     config.ignore
+                 end
 
         @lockfile.specs.each do |gem|
           @database.check_gem(gem) do |advisory|
             is_ignored = ignore.intersect?(advisory.identifiers.to_set)
             next if is_ignored
 
-            yield UnpatchedGem.new(gem,advisory)
+            yield Results::UnpatchedGem.new(gem,advisory)
           end
         end
       end
@@ -190,11 +259,15 @@ module Bundler
       #
       # @see https://tools.ietf.org/html/rfc1918#section-3
       # @see https://tools.ietf.org/html/rfc4193#section-8
+      # @see https://tools.ietf.org/html/rfc6890#section-2.2.2
+      # @see https://tools.ietf.org/html/rfc6890#section-2.2.3
       INTERNAL_SUBNETS = %w[
         10.0.0.0/8
         172.16.0.0/12
         192.168.0.0/16
         fc00::/7
+        127.0.0.0/8
+        ::1/128
       ].map(&IPAddr.method(:new))
 
       #