bundler-audit 0.7.0.1 → 0.9.0.1

data/spec/bundle/unpatched_gems_with_dot_configuration/Gemfile.lock

@@ -0,0 +1,31 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activemodel (3.2.10)
+      activesupport (= 3.2.10)
+      builder (~> 3.0.0)
+    activerecord (3.2.10)
+      activemodel (= 3.2.10)
+      activesupport (= 3.2.10)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
+    activesupport (3.2.10)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    arel (3.0.3)
+    builder (3.0.4)
+    concurrent-ruby (1.1.7)
+    i18n (0.9.5)
+      concurrent-ruby (~> 1.0)
+    multi_json (1.15.0)
+    tzinfo (0.3.58)
+
+PLATFORMS
+  ruby
+  x86_64-linux
+
+DEPENDENCIES
+  activerecord (= 3.2.10)
+
+BUNDLED WITH
+   2.2.0

data/spec/cli/formats/json_spec.rb

@@ -0,0 +1,114 @@
+require 'spec_helper'
+require 'bundler/audit/cli/formats'
+require 'bundler/audit/cli/formats/json'
+require 'bundler/audit/report'
+
+describe Bundler::Audit::CLI::Formats::JSON do
+  it "must register the 'json' format" do
+    expect(Bundler::Audit::CLI::Formats[:json]).to be described_class
+  end
+
+  let(:options) { {} }
+
+  subject do
+    Bundler::Audit::CLI.new([],options).tap do |obj|
+      obj.extend described_class
+    end
+  end
+
+  describe "#print_report" do
+    let(:report) { Bundler::Audit::Report.new }
+    let(:stdout) { StringIO.new }
+
+    before { subject.print_report(report,stdout) }
+
+    let(:output) { stdout.string }
+    let(:output_json) { JSON.parse(output, symbolize_names: true) }
+
+    it "must output a JSON hash" do
+      expect(output_json).to be_kind_of(Hash)
+    end
+
+    it 'must output a "version" key with the Bundler::Audit::VERSION' do
+      expect(output_json[:version]).to be == Bundler::Audit::VERSION
+    end
+
+    it 'must output a "created_at" key with the Report#created_at timestamp' do
+      expect(output_json[:created_at]).to be == report.created_at.to_s
+    end
+
+    context "when vulnerabilities were found" do
+      context "when the report contains InsecureSources" do
+        let(:uri) { URI('git://github.com/foo/bar.git') }
+        let(:insecure_source) do
+          Bundler::Audit::Results::InsecureSource.new(uri)
+        end
+
+        let(:report) do
+          super().tap do |report|
+            report << insecure_source
+          end
+        end
+
+        it 'must output the InsecureSource as JSON in the "results" Array' do
+          expect(output_json[:results]).to be_kind_of(Array)
+          expect(output_json[:results][0]).to be_kind_of(Hash)
+          expect(output_json[:results][0][:type]).to be == 'insecure_source'
+          expect(output_json[:results][0][:source]).to be == uri.to_s
+        end
+      end
+
+      context "when the report contains UnpatchedGems" do
+        let(:gem) do
+          Gem::Specification.new do |spec|
+            spec.name = 'test'
+            spec.version = '0.1.0'
+          end
+        end
+
+        let(:advisory) do
+          Bundler::Audit::Advisory.load(Fixtures.join('advisory','CVE-2020-1234.yml'))
+        end
+        let(:unpatched_gem) do
+          Bundler::Audit::Results::UnpatchedGem.new(gem,advisory)
+        end
+
+        let(:report) do
+          super().tap do |report|
+            report << unpatched_gem
+          end
+        end
+
+        it 'must output the UnpatchedGem as JSON in the "results" Array' do
+          expect(output_json[:results]).to be_kind_of(Array)
+          expect(output_json[:results][0]).to be_kind_of(Hash)
+          expect(output_json[:results][0][:type]).to be == 'unpatched_gem'
+          expect(output_json[:results][0][:gem]).to be_kind_of(Hash)
+          expect(output_json[:results][0][:gem][:name]).to be == gem.name
+          expect(output_json[:results][0][:gem][:version]).to be == gem.version.to_s
+          expect(output_json[:results][0][:advisory]).to be_kind_of(Hash)
+          expect(output_json[:results][0][:advisory][:path]).to be == advisory.path
+          expect(output_json[:results][0][:advisory][:id]).to be == advisory.id
+          expect(output_json[:results][0][:advisory][:url]).to be == advisory.url
+          expect(output_json[:results][0][:advisory][:title]).to be == advisory.title
+          expect(output_json[:results][0][:advisory][:date]).to be == advisory.date.to_s
+          expect(output_json[:results][0][:advisory][:description]).to be == advisory.description
+          expect(output_json[:results][0][:advisory][:cvss_v2]).to be == advisory.cvss_v2
+          expect(output_json[:results][0][:advisory][:cve]).to be == advisory.cve
+          expect(output_json[:results][0][:advisory][:osvdb]).to be == advisory.osvdb
+          expect(output_json[:results][0][:advisory][:ghsa]).to be == advisory.ghsa
+          expect(output_json[:results][0][:advisory][:criticality]).to be == advisory.criticality.to_s.downcase
+          expect(output_json[:results][0][:advisory][:unaffected_versions]).to be == advisory.unaffected_versions.map(&:to_s)
+          expect(output_json[:results][0][:advisory][:patched_versions]).to be == advisory.patched_versions.map(&:to_s)
+        end
+      end
+    end
+
+    context "when no vulnerabilities were found" do
+      it 'must output an "results" key with an empty Array' do
+        expect(output_json[:results]).to be_kind_of(Array)
+        expect(output_json[:results]).to be_empty
+      end
+    end
+  end
+end

data/spec/cli/formats/junit_spec.rb

@@ -0,0 +1,284 @@
+require 'spec_helper'
+require 'bundler/audit/cli/formats'
+require 'bundler/audit/cli/formats/junit'
+require 'bundler/audit/report'
+
+describe Bundler::Audit::CLI::Formats::Junit do
+  it "must register the 'junit' format" do
+    expect(Bundler::Audit::CLI::Formats[:junit]).to be described_class
+  end
+
+  let(:options) { {} }
+
+  subject do
+    Bundler::Audit::CLI.new([],options).tap do |obj|
+      obj.extend described_class
+    end
+  end
+
+  describe "#print_report" do
+    let(:report) { Bundler::Audit::Report.new }
+    let(:stdout) { StringIO.new }
+
+    before { subject.print_report(report,stdout) }
+
+    let(:output) { stdout.string }
+
+    context "when vulnerabilities were found" do
+      context "when the report contains InsecureSources" do
+        let(:uri) { URI('git://github.com/foo/bar.git') }
+        let(:insecure_source) do
+          Bundler::Audit::Results::InsecureSource.new(uri)
+        end
+
+        let(:report) do
+          super().tap do |report|
+            report << insecure_source
+          end
+        end
+
+        it 'must print "Insecure Source URI found: ..."' do
+          expect(output).to include("Insecure Source URI found: #{uri}")
+        end
+
+        it 'must print have a positive number of failures' do
+          expect(output).to match(/failures="[1-9][0-9]*"/)
+        end
+      end
+
+      context "when the report contains UnpatchedGems" do
+        let(:gem) do
+          Gem::Specification.new do |spec|
+            spec.name = 'test'
+            spec.version = '0.1.0'
+          end
+        end
+
+        let(:advisory) do
+          Bundler::Audit::Advisory.load(Fixtures.join('advisory','CVE-2020-1234.yml'))
+        end
+        let(:unpatched_gem) do
+          Bundler::Audit::Results::UnpatchedGem.new(gem,advisory)
+        end
+
+        let(:report) do
+          super().tap do |report|
+            report << unpatched_gem
+          end
+        end
+
+        it "must print 'Name: ...'" do
+          expect(output).to include("Name: #{gem.name}")
+        end
+
+        it "must print 'Version: ...'" do
+          expect(output).to include("Version: #{gem.version}")
+        end
+
+        context "when the advisory has a CVE ID" do
+          it "must print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output).to include("Advisory: CVE-#{advisory.cve} GHSA-aaaa-bbbb-cccc")
+          end
+        end
+
+        context "when the advisory does not have a CVE ID" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.cve = nil
+            end
+          end
+
+          it "must not print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output).to_not include("CVE-")
+          end
+        end
+
+        context "when the advisory has a GHSA ID" do
+          it "must print 'GHSA-xxxx-xxxx-xxxx'" do
+            expect(output).to include("GHSA-#{advisory.ghsa}")
+          end
+        end
+
+        context "when the advisory does not have a GHSA ID" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.ghsa = nil
+            end
+          end
+
+          it "must not print 'GHSA-xxxx-xxxx-xxxx'" do
+            expect(output).to_not include("GHSA-#{advisory.ghsa}")
+          end
+        end
+
+        context "when CVSS v3 is present" do
+          context "when Advisory#criticality is :none (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: None'" do
+              expect(output).to include("Criticality: None")
+            end
+          end
+
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.1
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output).to include("Criticality: Low")
+            end
+          end
+
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output).to include("Criticality: Medium")
+            end
+          end
+
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output).to include("Criticality: High")
+            end
+          end
+
+          context "when Advisory#criticality is :critical (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 9.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output).to include("Criticality: Critical")
+            end
+          end
+        end
+
+        context "when CVSS v2 is present" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.cvss_v3 = nil
+            end
+          end
+
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output).to include("Criticality: Low")
+            end
+          end
+
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output).to include("Criticality: Medium")
+            end
+          end
+
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output).to include("Criticality: High")
+            end
+          end
+        end
+
+        it "must print 'URL: ...'" do
+          expect(output).to include("URL: #{advisory.url}")
+        end
+
+        context "when :verbose is not enabled" do
+          it 'must print "Title:" and the advisory description' do
+            expect(output).to include("Title: #{advisory.title}")
+          end
+        end
+
+        context "when Advisory#title contains XML special chars" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.title = '<entity id="one">One</entity>'
+            end
+          end
+
+          it 'must print "Title:" with escaped characters' do
+            expect(output).to include("Title: #{CGI.escapeHTML(advisory.title)}")
+          end
+        end
+
+        context "when Advisory#patched_versions is not empty" do
+          it 'must print "Solution: upgrade to ..."' do
+            expect(output).to include("Solution: upgrade to #{CGI.escapeHTML(advisory.patched_versions.join(', '))}")
+          end
+        end
+
+        context "when Advisory#patched_versions is empty" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.patched_versions = []
+            end
+          end
+
+          it 'must print "Solution: remove or disable this gem until a patch is available!"' do
+            expect(output).to include("Solution: remove or disable this gem until a patch is available!")
+          end
+        end
+
+        it 'must print have a positive number of failures' do
+          expect(output).to match(/failures="[1-9][0-9]*"/)
+        end
+      end
+    end
+
+    context "when no vulnerabilities were found" do
+      it 'must print an empty testsuite' do
+        expect(output).to include('failures="0"')
+      end
+
+      context "when :quiet is enabled" do
+        let(:options) { {quiet: true} }
+
+        it "should print nothing" do
+          expect(output).to be_empty
+        end
+      end
+    end
+
+    it "must restore $stdout" do
+      expect($stdout).to_not be(stdout)
+    end
+  end
+end

data/spec/cli/formats/text_spec.rb

@@ -0,0 +1,273 @@
+require 'spec_helper'
+require 'bundler/audit/cli/formats'
+require 'bundler/audit/cli/formats/text'
+require 'bundler/audit/report'
+
+describe Bundler::Audit::CLI::Formats::Text do
+  it "must register the 'text' format" do
+    expect(Bundler::Audit::CLI::Formats[:text]).to be described_class
+  end
+
+  let(:options) { {} }
+
+  subject do
+    Bundler::Audit::CLI.new([],options).tap do |obj|
+      obj.extend described_class
+    end
+  end
+
+  describe "#print_report" do
+    let(:report) { Bundler::Audit::Report.new }
+    let(:stdout) { StringIO.new }
+
+    before { subject.print_report(report,stdout) }
+
+    let(:output) { stdout.string }
+    let(:output_lines) { output.lines.map(&:chomp) }
+
+    context "when vulnerabilities were found" do
+      context "when the report contains InsecureSources" do
+        let(:uri) { URI('git://github.com/foo/bar.git') }
+        let(:insecure_source) do
+          Bundler::Audit::Results::InsecureSource.new(uri)
+        end
+
+        let(:report) do
+          super().tap do |report|
+            report << insecure_source
+          end
+        end
+
+        it 'must print "Insecure Source URI found: ..."' do
+          expect(output_lines).to include("Insecure Source URI found: #{uri}")
+        end
+
+        it 'must print "Vulnerabilities found!"' do
+          expect(output_lines).to include("Vulnerabilities found!")
+        end
+      end
+
+      context "when the report contains UnpatchedGems" do
+        let(:gem) do
+          Gem::Specification.new do |spec|
+            spec.name = 'test'
+            spec.version = '0.1.0'
+          end
+        end
+
+        let(:advisory) do
+          Bundler::Audit::Advisory.load(Fixtures.join('advisory','CVE-2020-1234.yml'))
+        end
+        let(:unpatched_gem) do
+          Bundler::Audit::Results::UnpatchedGem.new(gem,advisory)
+        end
+
+        let(:report) do
+          super().tap do |report|
+            report << unpatched_gem
+          end
+        end
+
+        it "must print 'Name: ...'" do
+          expect(output_lines).to include("Name: #{gem.name}")
+        end
+
+        it "must print 'Version: ...'" do
+          expect(output_lines).to include("Version: #{gem.version}")
+        end
+
+        context "when the advisory has a CVE ID" do
+          it "must print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output_lines).to include("CVE: CVE-#{advisory.cve}")
+          end
+        end
+
+        context "when the advisory does not have a CVE ID" do
+          before { advisory.cve = nil }
+
+          it "must not print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output_lines).to_not include("CVE: CVE-#{advisory.cve}")
+          end
+        end
+
+        context "when the advisory has a GHSA ID" do
+          it "must print 'GHSA: GHSA-xxxx-xxxx-xxxx'" do
+            expect(output_lines).to include("GHSA: GHSA-#{advisory.ghsa}")
+          end
+        end
+
+        context "when the advisory does not have a GHSA ID" do
+          before { advisory.ghsa = nil }
+
+          it "must not print 'GHSA: GHSA-xxxx-xxxx-xxxx'" do
+            expect(output_lines).to_not include("GHSA: GHSA-#{advisory.ghsa}")
+          end
+        end
+
+        context "when CVSS v3 is present" do
+          context "when Advisory#criticality is :none (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: None'" do
+              expect(output_lines).to include("Criticality: None")
+            end
+          end
+
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.1
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output_lines).to include("Criticality: Low")
+            end
+          end
+
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output_lines).to include("Criticality: Medium")
+            end
+          end
+
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output_lines).to include("Criticality: High")
+            end
+          end
+
+          context "when Advisory#criticality is :critical (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 9.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output_lines).to include("Criticality: Critical")
+            end
+          end
+        end
+
+        context "when CVSS v2 is present" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.cvss_v3 = nil
+            end
+          end
+
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output_lines).to include("Criticality: Low")
+            end
+          end
+
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output_lines).to include("Criticality: Medium")
+            end
+          end
+
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output_lines).to include("Criticality: High")
+            end
+          end
+        end
+
+        it "must print 'URL: ...'" do
+          expect(output_lines).to include("URL: #{advisory.url}")
+        end
+
+        context "when :verbose is enabled" do
+          let(:options) { {verbose: true} }
+
+          it 'must print "Description:" and the advisory description' do
+            expect(output_lines).to include("Description:","","  #{advisory.description.chomp}",'')
+          end
+        end
+
+        context "when :verbose is not enabled" do
+          it 'must print "Title:" and the advisory description' do
+            expect(output_lines).to include("Title: #{advisory.title}")
+          end
+        end
+
+        context "when Advisory#patched_versions is not empty" do
+          it 'must print "Solution: upgrade to ..."' do
+            expect(output_lines).to include("Solution: upgrade to #{advisory.patched_versions.join(', ')}")
+          end
+        end
+
+        context "when Advisory#patched_versions is empty" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.patched_versions = []
+            end
+          end
+
+          it 'must print "Solution: remove or disable this gem until a patch is available!"' do
+            expect(output_lines).to include("Solution: remove or disable this gem until a patch is available!")
+          end
+        end
+
+        it 'must print "Vulnerabilities found!"' do
+          expect(output_lines).to include("Vulnerabilities found!")
+        end
+      end
+    end
+
+    context "when no vulnerabilities were found" do
+      it 'must print "No vulnerabilities found"' do
+        expect(output_lines).to include('No vulnerabilities found')
+      end
+
+      context "when :quiet is enabled" do
+        let(:options) { {quiet: true} }
+
+        it "should print nothing" do
+          expect(output_lines).to be_empty
+        end
+      end
+    end
+
+    it "must restore $stdout" do
+      expect($stdout).to_not be(stdout)
+    end
+  end
+end