bundler-audit 0.7.0.1 → 0.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1c2ead83ab8d3dac034093a5ac034fbf3235fed7077e47c2f491a9f8fa24d6c
-  data.tar.gz: c520084f591d25b66f1524a1bfaa900297a6c4517e000f38ce46bc66fbdb812a
+  metadata.gz: 762980c9b274b19e477ee0be0ae021e452a1e7d63796ceb6da0d667de704dad9
+  data.tar.gz: 3e0fae808a027e677f3d218949c092d8189fc124bb34f61b57fdf982b5ffd6b1
 SHA512:
-  metadata.gz: becd1a0bf6735ab08c3db5bd18199ceea5682e240a18ea2da88b8f9ff7c121ca11e5912613b559dc5916ff5db3e8e1d93627ead52e5a5bfc9f89ea574efb867d
-  data.tar.gz: 8a111e0b5e19eff5777bbe117560cc16f6d70a113fbb3d5059457557647a31ecef80f54956bb4f44d866d970579ed1fe19b0279aceed5355100b95a307a79491
+  metadata.gz: faa37304223ab40fd5678b6a4fcc1f9edb6d112c418c3a80a38aff6dbfbfacd416481f32f402998ece370d4646fe416e8f9453a5cec98d634845ff7bfd1abc6f
+  data.tar.gz: 7fbd39c761fdee364266207e4f0b52be6347b480b8447d31688428b8d3b5337c7f7403142ef0b2da0bc293ddfbe1ea5df93750b3a70be3920eff37af1d6a7884

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+github:
+  - postmodern
+  - reedloden

data/.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,44 @@
+---
+name: Bug Report
+about: Report a bug
+title: ''
+labels: bug
+assignees: ''
+
+---
+<!--
+**Double Check**
+
+- Did you update to the latest bundler-audit? (ex: `bundle update bundler-audit` or `gem update bundler-audit`)
+- Did you update the ruby-advisory-db? (ex: `bundler-audit update`)
+-->
+
+## Description
+
+<!-- A clear and concise description of what the bug is. -->
+
+## Steps To Reproduce
+
+Steps to reproduce the bug:
+1. `$ bundle-audit ...`
+2. ???
+
+## Expected Behavior
+
+<!-- What should happen. -->
+
+## Actual Behavior
+
+<!-- The error message or backtrace. -->
+```
+```
+
+## Environment
+
+    $ bundler-audit --version
+    ...
+    $ bundle --version
+    ...
+    $ ruby --version
+    ...
+

data/.github/ISSUE_TEMPLATE/feature-request.md

@@ -0,0 +1,14 @@
+---
+name: Feature Request
+about: Request a new Feature
+title: ''
+labels: feature
+assignees: ''
+
+---
+
+## Description
+
+<!-- Explain how the desired feature would work. -->
+<!-- Explain why the desired feature is needed. -->
+<!-- Explain who would use the desired feature. -->

data/.github/workflows/ruby.yml

@@ -0,0 +1,43 @@
+name: CI
+
+on: [ push, pull_request ]
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - 2.5
+          - 2.6
+          - 2.7
+          - '3.0'
+          - 3.1
+          - jruby
+          - truffleruby-head
+    name: Ruby ${{ matrix.ruby }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+      - name: Run tests
+        run: bundle exec rake test
+
+  # rubocop linting
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 2.7
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+      - name: Run rubocop
+        run: bundle exec rubocop --parallel

data/.gitignore

@@ -6,5 +6,6 @@ doc/
 coverage/
 pkg/
 spec/bundle/*/.bundle/
+spec/fixtures/database
 vendor/bundle/
 tmp/

data/.rspec

@@ -1 +1 @@
---colour --format documentation
+--colour --format documentation --exclude-pattern spec/fixtures/**/*_spec.rb

data/.rubocop.yml

@@ -0,0 +1,86 @@
+AllCops:
+  NewCops: enable
+  SuggestExtensions: false
+  TargetRubyVersion: 2.7
+  Exclude:
+    - 'spec/bundle/**/*'
+    - 'spec/fixtures/database/**/*'
+    - 'vendor/**/*'
+
+#
+# Style
+#
+Layout/FirstArrayElementIndentation: { EnforcedStyle: consistent }
+Layout/FirstHashElementIndentation: { EnforcedStyle: consistent }
+Layout/SpaceAroundEqualsInParameterDefault: { EnforcedStyle: no_space }
+Style/SymbolArray: { EnforcedStyle: brackets }
+Style/PercentLiteralDelimiters:
+  Enabled: true
+  PreferredDelimiters:
+    default: '{}'
+    '%i': '[]'
+    '%I': '[]'
+    '%w': '[]'
+    '%W': '[]'
+
+# 
+# Rules that conflict with my style.
+#
+Metrics: { Enabled: false }
+Layout/BeginEndAlignment: { Enabled: false } # Offense count: 1
+Layout/BlockAlignment: { Enabled: false } # Offense count: 1
+Layout/EmptyLinesAroundClassBody: { Enabled: false } # Offense count: 15
+Layout/ExtraSpacing: { Enabled: false } # Offense count: 9
+Layout/HashAlignment: { Enabled: false  } # Offense count: 3
+Layout/SpaceAfterComma: { Enabled: false } # Offense count: 122
+Layout/SpaceInsideHashLiteralBraces: { Enabled: false } # Offense count: 8
+Lint/MissingSuper: { Enabled: false } # Offense count: 3
+Lint/ShadowingOuterLocalVariable: { Enabled: false }
+Lint/ConstantDefinitionInBlock: { Exclude: ['spec/cli/formats_spec.rb'] }
+Lint/SuppressedException: { Exclude: ['spec/cli_spec.rb'] }
+Lint/UnusedBlockArgument: { Enabled: false } # Offense count: 4
+Lint/UnusedMethodArgument: { Enabled: false } # Offense count: 6
+Naming/RescuedExceptionsVariableName: { Enabled: false } # Offense count: 2
+Style/BlockDelimiters: { Enabled: false } # Offense count: 20
+Style/CaseEquality: { Exclude: ['lib/bundler/audit/advisory.rb'] }
+Style/ClassCheck: { Enabled: false } # Offense count: 4
+Style/Documentation: { Enabled: false } # Offense count: 12
+Style/GuardClause: { Enabled: false } # Offense count: 1
+Style/HashSyntax:
+  Exclude:
+    - 'Rakefile'
+    - 'lib/bundler/audit/task.rb'
+Style/IfUnlessModifier: { Enabled: false } # Offense count: 14
+Style/MethodCallWithoutArgsParentheses: { Enabled: false } # Offense count: 1
+Style/MultilineBlockChain: { Exclude: ['spec/**/*'] } # Offense count: 6
+Style/MutableConstant: { Enabled: false } # Offense count: 4
+Style/ParenthesesAroundCondition: { Enabled: false } # Offense count: 1
+Style/RedundantBegin: { Exclude: ['spec/cli_spec.rb'] } # Offense count: 1
+Style/RedundantReturn: { Enabled: false } # Offense count: 6
+Style/SpecialGlobalVars: { Enabled: false } # Offense count: 5
+Style/StringLiterals: { Enabled: false } # Offense count: 333
+Style/StructInheritance: { Enabled: false } # Offense count: 1
+Style/UnlessElse: { Enabled: false } # Offense count: 1
+Style/WordArray: { Enabled: false } # Offense count: 1
+Style/Lambda: { Enabled: false } # Offense count: 2
+Style/SafeNavigation: { Enabled: false } # Offense count: 2
+Lint/IneffectiveAccessModifier: { Enabled: false } # Offense count: 1
+Gemspec/DuplicatedAssignment:
+  Exclude:
+    - 'bundler-audit.gemspec'
+
+#
+# Rules that may be disabled in the future.
+#
+# Layout/SpaceInsideParens: { Enabled: false }
+# Layout/TrailingWhitespace: { Enabled: false }
+
+#
+# Rules that I want to fully enabled in the future.
+#
+Style/DoubleNegation: { Exclude: ['spec/spec_helper.rb'] } # Offense count: 1
+Style/EmptyMethod: { Exclude: ['spec/cli/formats_spec.rb'] } # Offense count: 2
+Style/ExpandPathArguments: { Enabled: false } # Offense count: 5
+Style/FrozenStringLiteralComment: { Enabled: false } # Offense count: 42
+Style/MixinUsage: { Exclude: ['spec/spec_helper.rb'] } # Offense count: 1
+Layout/LineLength: { Enabled: false }

data/COPYING.txt

@@ -1,7 +1,7 @@
                     GNU GENERAL PUBLIC LICENSE
                        Version 3, 29 June 2007
 
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
@@ -645,7 +645,7 @@ the "copyright" line and a pointer to where the full notice is found.
     GNU General Public License for more details.
 
     You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 Also add information on how to contact you by electronic and paper mail.
 
@@ -664,11 +664,11 @@ might be different; for a GUI interface, you would use an "about box".
   You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
+<https://www.gnu.org/licenses/>.
 
   The GNU General Public License does not permit incorporating your program
 into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+<https://www.gnu.org/philosophy/why-not-lgpl.html>.

data/ChangeLog.md

@@ -1,3 +1,114 @@
+### 0.9.1 / 2022-05-19
+
+#### CLI
+
+* Improve the readability of the suggested gem versions to upgrade to
+  (pull #331).
+
+#### Rake Task
+
+* Fixed a regression introduced in 0.9.0 where the `bundler:audit` rake task
+  was not exiting with an error status code if vulnerabilities were found.
+  Now when the `bundler-audit` command fails, the rake task will also exit with
+  the `bundler-audit` command's error code.
+* If the `bundler-audit` command could not be found for some reason raise the
+  {Bundler::Audit::Task::CommandNotFound} exception.
+
+### 0.9.0.1 / 2021-08-31
+
+* Add a workaround for Psych < 3.1.0 to support running on Ruby < 2.6.
+  (issue #319)
+  * Although, Ruby 2.5 and prior have all reached [End-of-Life] and
+  are no longer receiving security updates. It is strongly advised that you
+  should upgrade to a currently supported version of Ruby.
+
+[End-of-Life]: https://www.ruby-lang.org/en/downloads/branches/
+
+### 0.9.0 / 2021-08-31
+
+* Load advisory metadata using `YAML.safe_load`. (issue #302)
+  * Explicitly permit the `Date` class for Psych >= 4.0.0 and Ruby >= 3.1.0.
+* Added {Bundler::Audit::Advisory#to_h}. (pull #310)
+* Added {Bundler::Audit::Database#commit_id}.
+
+#### CLI
+
+* Added the `--config` option. (pull #306)
+* Added the `junit` output format (ex: `--format junit`). (pull #314)
+* Add missing output for CVSSv3 criticality information. (pull #302)
+  * Include criticality information in the JSON output as well. (pull #310)
+* `bundle-audit stats` now prints the commit ID of the ruby-advisory-db.
+* Fixed a deprecation warning from Thor. (issue #317)
+
+#### Rake Task
+
+* Add the `bundle:audit:update` task for updating the [ruby-advisory-db].
+  (pull #296)
+* Aliased `bundle:audit` to `bundle:audit:check`.
+* Aliased `bundler:audit:*` to `bundle:audit:*`.
+* Rake tasks now execute `bundle-audit` command as a subprocess to ensure
+  isolation.
+
+### 0.8.0 / 2021-03-10
+
+* No longer vendor [ruby-advisory-db].
+* Added {Bundler::Audit::Configuration}.
+  * Supports loading YAML configuration data from a `.bundler-audit.yml` file.
+* Added {Bundler::Audit::Results}.
+* Added {Bundler::Audit::Report}.
+* Added {Bundler::Audit::CLI::Formats}.
+* Added {Bundler::Audit::CLI::Formats::Text}.
+* Added {Bundler::Audit::CLI::Formats::JSON}.
+* Added {Bundler::Audit::Database::DEFAULT_PATH}.
+* Added {Bundler::Audit::Database.exists?}.
+* Added {Bundler::Audit::Database#git?}.
+* Added {Bundler::Audit::Database#update!}.
+  * Will raise a {Bundler::Audit::Database::UpdateFailed UpdateFailed}
+    exception, if the `git pull` command fails.
+* Added {Bundler::Audit::Database#last_updated_at}.
+* Added {Bundler::Audit::Scanner#report}.
+* {Bundler::Audit::Database::USER_PATH} is now `Gem.user_home` aware.
+  * `Gem.user_home` will try to infer `HOME`, even if it is not set.
+* {Bundler::Audit::Database#download} will now raise a
+  {Bundler::Audit::Database::DownloadFailed DownloadFailed} exception, if the
+  `git clone` command fails.
+* {Bundler::Audit::Scanner#initialize}:
+  * Now accepts an additional `database` and `config_dot_file` arguments.
+  * Will now raise a `Bundler::GemfileLockNotFound` exception,
+    if the given `Gemfile.lock` file cannot be found.
+* {Bundler::Audit::Scanner#scan_sources} will now ignore any source with a
+  `127.0.0.0/8` or `::1/128` IP address.
+* {Bundler::Audit::Scanner#scan_specs} will ignore any advisories listed in
+  {Bundler::Audit::Configuration#ignore}, which is loaded from the
+  `.bundler-audit.yml` file.
+* Deprecated {Bundler::Audit::Database.update!} in favor of
+  {Bundler::Audit::Database#update! #update!}.
+* Removed `Bundler::Audit::Database::VENDORED_PATH`.
+* Removed `Bundler::Audit::Database::VENDORED_TIMESTAMP`.
+
+#### CLI
+
+* Require [thor] ~> 1.0.
+* Added `bundler-audit stats`.
+* Added `bundler-audit download`.
+* `bundler-audit check`:
+  * Now accepts a optional `DIR` argument for the project directory.
+    * `bundler-audit check` will now print an explicit error message and exit,
+      if the given `DIR` does not exist.
+  * Will now auto-download [ruby-advisory-db] to ensure the latest advisory
+    information is used on first run.
+  * Now supports a `--database` option for specifying a path
+    to an alternative [ruby-advisory-db] copy.
+  * Now supports a `--gemfile-lock` option for specifying a
+    custom `Gemfile.lock` file within the project directory.
+  * Now supports a `--format` option for specifying the
+    desired format. `text` and `json` are supported, but other custom formats
+    can be loaded. See {Bundler::Audit::CLI::Formats}.
+  * Now supports a `--output` option for writing the report output to a file.
+  * Prints both CVE and GHSA IDs.
+* Print all error messages to stderr.
+* No longer print number of advisories in `bundler-audit version`.
+
 ### 0.7.0.1 / 2020-06-12
 
 * Forgot to populate `data/ruby-advisory-db`.
@@ -12,6 +123,7 @@
 * Avoid rebasing the ruby-advisory-db when updating (@nicknovitski).
 * Fixed issue with Bundler 2.x where source URIs are no longer parsed as
   `URI::HTTP` objects, but as `Bundler::URI::HTTP` objects. (@milgner)
+* Make it more explicit that git is required for database updates (@fatkodima)
 
 ### 0.6.1 / 2019-01-17
 
@@ -34,9 +146,9 @@
 
 #### CLI
 
-* Added the `--update` option to `bundle-audit check`.
-* `bundle-audit update` now returns a non-zero exit status on error.
-* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
+* Added the `--update` option to `bundler-audit check`.
+* `bundler-audit update` now returns a non-zero exit status on error.
+* `bundler-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
   repository.
 
 ### 0.4.0 / 2015-06-30
@@ -74,7 +186,7 @@
 
 #### CLI
 
-* Added the `bundle-audit update` sub-command.
+* Added the `bundler-audit update` sub-command.
 
 ### 0.2.0 / 2013-03-05
 

data/Gemfile

@@ -4,10 +4,15 @@ gemspec
 
 group :development do
   gem 'rake'
-  gem 'kramdown',       '~> 0.14'
-
   gem 'rubygems-tasks', '~> 0.2'
+
+  gem 'rubocop',        '~> 1.18'
+
   gem 'rspec',          '~> 3.0'
+  gem 'simplecov',      '~> 0.7', require: false
+
+  gem 'kramdown',       '~> 2.0'
+  gem 'redcarpet',       platform: :mri
   gem 'yard',           '~> 0.9'
-  gem 'simplecov',      '~> 0.7', :require => false
+  gem 'yard-spellcheck', require: false
 end

data/README.md

@@ -1,11 +1,12 @@
 # bundler-audit
-[![Build Status](https://travis-ci.org/rubysec/bundler-audit.svg?branch=master)](https://travis-ci.org/rubysec/bundler-audit)
+
+[![CI](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml/badge.svg)](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml)
 [![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
+[![Gem Version](https://badge.fury.io/rb/bundler-audit.svg)](https://badge.fury.io/rb/bundler-audit)
 
 * [Homepage](https://github.com/rubysec/bundler-audit#readme)
 * [Issues](https://github.com/rubysec/bundler-audit/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-audit/frames)
-* [Email](mailto:postmodern.mod3 at gmail.com)
 
 ## Description
 
@@ -14,7 +15,7 @@ Patch-level verification for [bundler].
 ## Features
 
 * Checks for vulnerable versions of gems in `Gemfile.lock`.
-* Checks for insecure gem sources (`http://`).
+* Checks for insecure gem sources (`http://` and `git://`).
 * Allows ignoring certain advisories that have been manually worked around.
 * Prints advisory information.
 * Does not require a network connection.
@@ -110,41 +111,127 @@ Update the [ruby-advisory-db] that `bundle audit` uses:
 
 Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
 
-    $ bundle-audit check --update
+```shell
+$ bundle-audit check --update
+```
+
+Checking the `Gemfile.lock` without updating the [ruby-advisory-db]:
+
+```shell
+$ bundle-audit check --no-update
+```
 
 Ignore specific advisories:
 
-    $ bundle-audit check --ignore OSVDB-108664
+```shell
+$ bundle-audit check --ignore OSVDB-108664
+```
+
+Checking a custom `Gemfile.lock` file:
+
+```shell
+$ bundle-audit check --gemfile-lock Gemfile.custom.lock
+```
+
+Output the audit's results in JSON:
+
+```shell
+$ bundle-audit check --format json
+```
+
+Output the audit's results in JSON, to a file:
+
+```shell
+$ bundle-audit check --format json --output bundle-audit.json
+```
+
+## Rake Tasks
+
+Bundler-audit provides Rake tasks for checking the code and for updating
+its vulnerability database:
+
+```bash
+rake bundle:audit
+rake bundle:audit:update
+```
+
+## Configuration File
+
+bundler-audit also supports a per-project configuration file:
+
+`.bundler-audit.yml`:
+
+```yaml
+---
+ignore:
+  - CVE-YYYY-XXXX
+  - ...
+```
 
-Rake task:
+* `ignore:` \[Array\<String\>\] - A list of advisory IDs to ignore.
 
-```ruby
-require 'bundler/audit/task'
-Bundler::Audit::Task.new
+You can provide a path to a config file using the `--config` flag:
 
-task default: 'bundle:audit'
+```shell
+$ bundle-audit check --config bundler-audit.custom.yaml
 ```
 
 ## Requirements
 
-* [ruby] >= 1.9.3
+* [git]
+* [ruby] >= 2.0.0
 * [rubygems] >= 1.8
-* [thor] >= 0.18, < 2
-* [bundler] ~> 1.2
+* [thor] ~> 1.0
+* [bundler] >= 1.2.0, < 3
 
 ## Install
 
-    $ [sudo] gem install bundler-audit
+```shell
+$ [sudo] gem install bundler-audit
+```
+
+### Git
+
+* Debian / Ubuntu:
+
+```shell
+$ sudo apt install git
+```
+
+* RedHat / Fedora:
+
+```shell
+$ sudo dnf install git
+```
+
+* Alpine Linux:
+
+```shell
+$ apk add git
+```
+
+* macOS:
+
+```shell
+$ brew install git
+```
 
 ## Contributing
 
-1. Clone the repo
-2. `git submodule update --init` # To populate data/ruby-advisory-db
-3. `bundle exec rake`
+1. https://github.com/rubysec/bundler-audit/fork
+2. `git clone YOUR_FORK_URI`
+3. `cd bundler-audit/`
+4. `bundle install`
+5. `bundle exec rake spec`
+6. `git checkout -b YOUR_FEATURE`
+7. Make your changes
+8. `bundle exec rake spec`
+9. `git commit -a`
+10. `git push origin YOUR_FEATURE`
 
 ## License
 
-Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -157,12 +244,13 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 
+[git]: https://git-scm.com
 [ruby]: https://ruby-lang.org
 [rubygems]: https://rubygems.org
 [thor]: http://whatisthor.com/
-[bundler]: https://github.com/carlhuda/bundler#readme
+[bundler]: https://bundler.io
 
 [OSVDB]: http://osvdb.org/
 [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db

data/Rakefile

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 require 'rubygems'
 
 begin
@@ -14,29 +12,6 @@ require 'time'
 require 'rubygems/tasks'
 Gem::Tasks.new
 
-directory 'data/ruby-advisory-db' do
-  sh 'git', 'submodule', 'update', '--init'
-end
-
-namespace :db do
-  desc 'Updates data/ruby-advisory-db'
-  task :update => 'data/ruuby-advsisory-db' do
-    timestamp = nil
-
-    chdir 'data/ruby-advisory-db' do
-      sh 'git', 'pull', 'origin', 'master'
-
-      File.open('../ruby-advisory-db.ts','w') do |file|
-        file.write Time.parse(`git log --date=iso8601 --pretty="%cd" -1`).utc
-      end
-    end
-
-    sh 'git', 'commit', 'data/ruby-advisory-db',
-                        'data/ruby-advisory-db.ts',
-                        '-m', 'Updated ruby-advisory-db'
-  end
-end
-
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new
 
@@ -59,5 +34,11 @@ task :test    => :spec
 task :default => :spec
 
 require 'yard'
-YARD::Rake::YardocTask.new  
+YARD::Rake::YardocTask.new
 task :doc => :yard
+
+require 'bundler/audit/task'
+Bundler::Audit::Task.new
+
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new

data/bundler-audit.gemspec

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 require 'yaml'
 
 Gem::Specification.new do |gem|
@@ -26,20 +24,13 @@ Gem::Specification.new do |gem|
   gem.files = `git ls-files`.split($/)
   gem.files = glob[gemspec['files']] if gemspec['files']
 
-  # add paths from data/ruby-advisory-db/
-  gem.files += Dir.chdir('data/ruby-advisory-db') do
-    `git ls-files`.split($/).map do |sub_path|
-      File.join('data','ruby-advisory-db',sub_path)
-    end
-  end
-
   gem.executables = gemspec.fetch('executables') do
     glob['bin/*'].map { |path| File.basename(path) }
   end
   gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
 
   gem.extensions       = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
-  gem.test_files       = glob[gemspec['test_files'] || '{test/{**/}*_test.rb']
+  gem.test_files       = glob[gemspec['test_files'] || 'spec/{**/}*_spec.rb']
   gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
 
   gem.require_paths = Array(gemspec.fetch('require_paths') {
@@ -64,4 +55,5 @@ Gem::Specification.new do |gem|
       gem.add_development_dependency(name,split[versions])
     end
   end
+  gem.metadata['rubygems_mfa_required'] = 'true'
 end