bundler-audit 0.7.0.1 → 0.9.1

data/spec/database_spec.rb

@@ -4,75 +4,162 @@ require 'tmpdir'
 
 describe Bundler::Audit::Database do
   let(:vendored_advisories) do
-    Dir[File.join(Bundler::Audit::Database::VENDORED_PATH, 'gems/*/*.yml')].sort
+    Dir[File.join(Fixtures::Database::PATH, 'gems/*/*.yml')].sort
   end
 
-  describe "path" do
+  describe ".path" do
     subject { described_class.path }
 
     it "it should be a directory" do
-      expect(File.directory?(subject)).to be_truthy
+      expect(described_class.path).to be_truthy
     end
+  end
+
+  describe ".exists?" do
+    subject { described_class }
+
+    context "when the directory does not exist" do
+      let(:path) { '/does/not/exist' }
+
+      it { expect(subject.exists?(path)).to be(false) }
+    end
+
+    context "when the directory does exist" do
+      context "but is empty" do
+        let(:path) { Fixtures.join('empty_dir') }
+
+        before { FileUtils.mkdir(path) }
+
+        it { expect(subject.exists?(path)).to be(false) }
+
+        after { FileUtils.rmdir(path) }
+      end
+
+      context "and there are files within the directory" do
+        let(:path) { Fixtures.join('not_empty_dir') }
+
+        before do
+          FileUtils.mkdir(path)
+          FileUtils.touch(File.join(path,'file.txt'))
+        end
+
+        it { expect(subject.exists?(path)).to be(true) }
+
+        after { FileUtils.rm_r(path) }
+      end
+    end
+  end
 
-    it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
-      described_class.update!(quiet: false)
+  describe ".download" do
+    subject { described_class }
 
-      ts_const = described_class::VENDORED_TIMESTAMP
+    let(:url)  { described_class::URL          }
+    let(:path) { described_class::DEFAULT_PATH }
 
-      current_user_ts = Dir.chdir(described_class::USER_PATH) do
-        Time.parse(`git log --date=iso8601 --pretty="%cd" -1`).utc
+    it "should execute `git clone` with URL and DEFAULT_PATH" do
+      expect(subject).to receive(:system).with('git', 'clone', url, path).and_return(true)
+      expect(subject).to receive(:new)
+
+      subject.download
+    end
+
+    context "with :path" do
+      let(:url)  { described_class::URL          }
+      let(:path) { Fixtures.join('new-database') }
+
+      it "should execute `git clone` with the given output path" do
+        expect(subject).to receive(:system).with('git', 'clone', url, path).and_return(true)
+        expect(subject).to receive(:new)
+
+        subject.download(path: path)
       end
+    end
 
-      puts "Timestamp: #{current_user_ts}"
+    context "with :quiet" do
+      it "should execute `git clone` with the `--quiet` option" do
+        expect(subject).to receive(:system).with('git', 'clone', '--quiet', url, path).and_return(true)
+        expect(subject).to receive(:new)
 
-      # As up to date...
-      expect do
-        # Stub the vendor copy to be the exact same as the user path copy
-        stub_const(ts_const, current_user_ts)
-        # When they are the exact same, prefer the user copy
-        expect(subject).to eq mocked_user_path
+        subject.download(quiet: true)
       end
+    end
+
+    context "when the command fails" do
+      it do
+        expect(subject).to receive(:system).with('git', 'clone', url, path).and_return(false)
 
-      # Prefer the newest; in this case, user copy
-      expect do
-        # Stub the vendor copy to be older than the user path copy
-        stub_const(ts_const, current_user_ts-1)
-        # When vendor copy is older, prefer the user copy
-        expect(subject).to eq mocked_user_path
+        expect {
+          subject.download
+        }.to raise_error(described_class::DownloadFailed)
       end
+    end
 
-      # Prefer the newest; in this case, vendor copy
-      expect do
-        # Stub the vendor copy to be newer than the user path copy
-        stub_const(ts_const, current_user_ts+1)
-        # When user copy is older, prefer the vendor copy
-        expect(subject).to eq described_class::VENDORED_PATH
+    context "with an unknown option" do
+      it do
+        expect {
+          subject.download(foo: true)
+        }.to raise_error(ArgumentError)
       end
     end
   end
 
-  describe "update!" do
+  describe ".update!" do
     subject { described_class }
 
-    it "should create the USER_PATH path as needed" do
-      subject.update!(quiet: false)
+    context "when :path does not yet exist" do
+      let(:dest_dir) { Fixtures.join('new-ruby-advisory-db') }
 
-      expect(File.directory?(mocked_user_path)).to be true
+      before { stub_const("#{described_class}::DEFAULT_PATH",dest_dir) }
+
+      let(:url)  { described_class::URL          }
+      let(:path) { described_class::DEFAULT_PATH }
+
+      it "should execute `git clone` and call .new" do
+        expect(subject).to receive(:system).with('git', 'clone', url, path).and_return(true)
+        expect(subject).to receive(:new)
+
+        subject.update!(quiet: false)
+      end
+
+      context "when the `git clone` fails" do
+        before { stub_const("#{described_class}::URL",'https://example.com/') }
+
+        it do
+          expect(subject).to receive(:system).with('git', 'clone', url, path).and_return(false)
+
+          expect(subject.update!(quiet: false)).to eq(false)
+        end
+      end
+
+      after { FileUtils.rm_rf(dest_dir) }
     end
 
-    it "should create the repo, then update it given multiple successive calls." do
-      expect_update_to_clone_repo!
-      subject.update!(quiet: false)
-      expect(File.directory?(mocked_user_path)).to be true
+    context "when :path already exists" do
+      let(:dest_dir) { Fixtures.join('existing-ruby-advisory-db') }
+
+      before { FileUtils.cp_r(Fixtures::Database::PATH,dest_dir) }
+      before { stub_const("#{described_class}::DEFAULT_PATH",dest_dir) }
+
+      it "should execute `git pull`" do
+        expect_any_instance_of(subject).to receive(:system).with('git', 'pull', 'origin', 'master').and_return(true)
+
+        subject.update!(quiet: false)
+      end
+
+      after { FileUtils.rm_rf(dest_dir) }
 
-      expect_update_to_update_repo!
-      subject.update!(quiet: false)
-      expect(File.directory?(mocked_user_path)).to be true
+      context "when the `git pull` fails" do
+        it do
+          expect_any_instance_of(subject).to receive(:system).with('git', 'pull', 'origin', 'master').and_return(false)
+
+          expect(subject.update!(quiet: false)).to eq(false)
+        end
+      end
     end
 
     context "when given an invalid option" do
       it do
-        expect { subject.update!(foo: 1) }.to raise_error(ArgumentError)
+        expect { subject.update!(foo: 1) }.to raise_error(RuntimeError)
       end
     end
   end
@@ -87,7 +174,7 @@ describe Bundler::Audit::Database do
     end
 
     context "when given a directory" do
-      let(:path ) { Dir.tmpdir }
+      let(:path) { Dir.tmpdir }
 
       subject { described_class.new(path) }
 
@@ -105,6 +192,151 @@ describe Bundler::Audit::Database do
     end
   end
 
+  describe "#git?" do
+    subject { described_class.new(path) }
+
+    context "when a '.git' directory exists within the database" do
+      let(:path) { Fixtures.join('mock-git-database') }
+
+      before do
+        FileUtils.mkdir(path)
+        FileUtils.mkdir(File.join(path,'.git'))
+      end
+
+      it { expect(subject.git?).to be(true) }
+
+      after { FileUtils.rm_rf(path) }
+    end
+
+    context "when no '.git' directory exists within the database" do
+      let(:path) { Fixtures.join('mock-bare-database') }
+
+      before do
+        FileUtils.mkdir(path)
+      end
+
+      it { expect(subject.git?).to be(false) }
+
+      after { FileUtils.rm_rf(path) }
+    end
+  end
+
+  describe "#update!" do
+    context "when the database is a git repository" do
+      it do
+        expect(subject).to receive(:system).with('git', 'pull', 'origin', 'master').and_return(true)
+
+        subject.update!
+      end
+
+      context "when the :quiet option is given" do
+        it do
+          expect(subject).to receive(:system).with('git', 'pull', '--quiet', 'origin', 'master').and_return(true)
+
+          subject.update!(quiet: true)
+        end
+      end
+
+      context "when the `git pull` command fails" do
+        it do
+          expect(subject).to receive(:system).with('git', 'pull', 'origin', 'master').and_return(false)
+
+          expect {
+            subject.update!
+          }.to raise_error(described_class::UpdateFailed)
+        end
+      end
+    end
+
+    context "when the database is a bare directory" do
+      let(:path) { Fixtures.join('mock-bare-database') }
+
+      before { FileUtils.mkdir(path) }
+
+      subject { described_class.new(path) }
+
+      it do
+        expect(subject.update!).to be(nil)
+      end
+
+      after { FileUtils.rmdir(path) }
+    end
+  end
+
+  describe "#commit_id" do
+    context "when the database is a git repository" do
+      let(:last_commit) { Fixtures::Database::COMMIT }
+
+      it "should return the last commit ID" do
+        expect(subject.commit_id).to be == last_commit
+      end
+    end
+
+    context "when the database is a bare directory" do
+      let(:path) { Fixtures.join('mock-database-dir') }
+
+      before { FileUtils.mkdir(path) }
+
+      subject { described_class.new(path) }
+
+      it "should return the mtime of the directory" do
+        expect(subject.commit_id).to be(nil)
+      end
+
+      after { FileUtils.rmdir(path) }
+    end
+  end
+
+  describe "#last_updated_at" do
+    context "when the database is a git repository" do
+      let(:last_commit) { Fixtures::Database::COMMIT }
+      let(:last_commit_timestamp) do
+        Dir.chdir(Fixtures::Database::PATH) do
+          Time.parse(`git log -n 2 --date=iso8601 --pretty="%cd" #{last_commit}`)
+        end
+      end
+
+      it "should return the timestamp of the last commit" do
+        expect(subject.last_updated_at).to be == last_commit_timestamp
+      end
+    end
+
+    context "when the database is a bare directory" do
+      let(:path) { Fixtures.join('mock-database-dir') }
+
+      before { FileUtils.mkdir(path) }
+
+      subject { described_class.new(path) }
+
+      it "should return the mtime of the directory" do
+        expect(subject.last_updated_at).to be == File.mtime(path)
+      end
+
+      after { FileUtils.rmdir(path) }
+    end
+  end
+
+  describe "#advisories" do
+    subject { super().advisories }
+
+    it "should return a list of all advisories." do
+      expect(subject.map(&:path)).to match_array(vendored_advisories)
+    end
+  end
+
+  describe "#advisories_for" do
+    let(:gem) { 'activesupport' }
+    let(:vendored_advisories_for) do
+      Dir[File.join(Fixtures::Database::PATH, "gems/#{gem}/*.yml")].sort
+    end
+
+    subject { super().advisories_for(gem) }
+
+    it "should return a list of all advisories." do
+      expect(subject.map(&:path)).to match_array(vendored_advisories_for)
+    end
+  end
+
   describe "#check_gem" do
     let(:gem) do
       Gem::Specification.new do |s|
@@ -139,17 +371,6 @@ describe Bundler::Audit::Database do
     it { expect(subject.size).to eq vendored_advisories.count }
   end
 
-  describe "#advisories" do
-    it "should return a list of all advisories." do
-      actual_advisories = Bundler::Audit::Database.new.
-        advisories.
-        map(&:path).
-        sort
-
-      expect(actual_advisories).to eq vendored_advisories
-    end
-  end
-
   describe "#to_s" do
     it "should return the Database path" do
       expect(subject.to_s).to eq(subject.path)
@@ -158,7 +379,7 @@ describe Bundler::Audit::Database do
 
   describe "#inspect" do
     it "should produce a Ruby-ish instance descriptor" do
-      expect(Bundler::Audit::Database.new.inspect).to eq("#<Bundler::Audit::Database:#{Bundler::Audit::Database::VENDORED_PATH}>")
+      expect(subject.inspect).to eq("#<#{described_class}:#{subject.path}>")
     end
   end
 end

data/spec/fixtures/advisory/CVE-2020-1234.yml

@@ -0,0 +1,21 @@
+---
+gem: test
+cve: 2020-1234
+ghsa: aaaa-bbbb-cccc
+url: https://example.com/
+title: Test advisory
+date: 2015-06-16
+
+description: |
+  This is a test advisory.
+
+cvss_v2: 10.0
+cvss_v3: 9.8
+
+unaffected_versions:
+  - "< 0.1.0"
+
+patched_versions:
+  - "~> 0.1.42"
+  - "~> 0.2.42"
+  - ">= 1.0.0"

data/spec/fixtures/config/bad/ignore_contains_a_non_string.yml

@@ -0,0 +1,4 @@
+---
+ignore:
+  - CVE-123
+  - hello: world

data/spec/fixtures/config/bad/ignore_is_not_an_array.yml

@@ -0,0 +1,3 @@
+---
+ignore:
+  foo: bar

data/spec/fixtures/config/valid.yml

@@ -0,0 +1,4 @@
+---
+ignore:
+  - CVE-123
+  - CVE-456

data/spec/fixtures/lib/bundler/audit/cli/formats/bad.rb

@@ -0,0 +1,17 @@
+require 'thor'
+
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        module Bad
+          def print_report(report,output=$stdout)
+            say "I am a bad format!", :red
+          end
+        end
+
+        Formats.register :incorrect, Bad
+      end
+    end
+  end
+end

data/spec/fixtures/lib/bundler/audit/cli/formats/good.rb

@@ -0,0 +1,17 @@
+require 'thor'
+
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        module Good
+          def print_report(report,output=$stdout)
+            say "I am a good format.", :green
+          end
+        end
+
+        Formats.register :good, Good
+      end
+    end
+  end
+end

data/spec/integration_spec.rb

@@ -1,103 +1,31 @@
 require 'spec_helper'
 
-describe "CLI" do
-  include Helpers
-
-  let(:command) do
-    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-audit'))
-  end
-
-  context "when auditing a bundle with unpatched gems" do
-    let(:bundle)    { 'unpatched_gems' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should print a warning" do
-      expect(subject).to include("Vulnerabilities found!")
-    end
-
-    it "should print advisory information for the vulnerable gems" do
-      advisory_pattern = %r{(Name: [^\n]+
-Version: \d+\.\d+\.\d+(\.\d+)?
-Advisory: CVE-[0-9]{4}-[0-9]{4}
-Criticality: (Critical|High|Medium|Low|None|Unknown)
-URL: https?://(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#!?&//=]*)
-Title: [^\n]*?
-Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)}
-
-      expect(subject).to match(advisory_pattern)
-      expect(subject).to include("Vulnerabilities found!")
-    end
-  end
-
-  context "when auditing a bundle with ignored gems" do
-    let(:bundle)    { 'unpatched_gems' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    let(:command) do
-      File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-audit -i CVE-2013-0156'))
-    end
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should not print advisory information for ignored gem" do
-      expect(subject).not_to include("CVE-2013-0156")
-    end
+describe "bin/bundler-audit" do
+  let(:name) { 'bundler-audit' }
+  let(:path) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin',name))
   end
 
-  context "when auditing a bundle with insecure sources" do
-    let(:bundle)    { 'insecure_sources' }
-    let(:directory) { File.join('spec','bundle',bundle) }
+  let(:command) { "#{path} version" }
 
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
+  subject { sh(command) }
 
-    it "should print warnings about insecure sources" do
-      expect(subject).to include(%{
-Insecure Source URI found: git://github.com/rails/jquery-rails.git
-Insecure Source URI found: http://rubygems.org/
-      }.strip)
-    end
+  it "must invoke the CLI class" do
+    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
   end
+end
 
-  context "when auditing a secure bundle" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    subject do
-      Dir.chdir(directory) { sh(command) }
-    end
-
-    it "should print nothing when everything is fine" do
-      expect(subject.strip).to eq("No vulnerabilities found")
-    end
+describe "bin/bundle-audit" do
+  let(:name) { 'bundle-audit' }
+  let(:path) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin',name))
   end
 
-  describe "update" do
-
-    let(:update_command) { "#{command} update" }
-    let(:bundle)         { 'secure' }
-    let(:directory)      { File.join('spec','bundle',bundle) }
+  let(:command) { "#{path} version" }
 
-    subject do
-      Dir.chdir(directory) { sh(update_command) }
-    end
-
-    context "when advisories update successfully" do
-      it "should print status" do
-        expect(subject).not_to include("Fail")
-        expect(subject).to include("Updating ruby-advisory-db ...\n")
-        expect(subject).to include("Updated ruby-advisory-db\n")
-        expect(subject.lines.to_a.last).to match(/ruby-advisory-db: [1-9]\d+ advisories/)
-      end
-    end
+  subject { sh(command) }
 
+  it "must invoke the CLI class" do
+    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
   end
-
 end

data/spec/report_spec.rb

@@ -0,0 +1,98 @@
+require 'spec_helper'
+require 'bundler/audit/report'
+
+describe Bundler::Audit::Report do
+  let(:uri) { URI('git://github.com/foo/bar.git') }
+  let(:insecure_source) do
+    Bundler::Audit::Results::InsecureSource.new(uri)
+  end
+
+  let(:gem) do
+    Gem::Specification.new do |spec|
+      spec.name = 'test'
+      spec.version = '0.0.0'
+    end
+  end
+  let(:advisory) { double('Bundler::Audit::Advisory', id: 'CVE-3000-1234') }
+  let(:unpatched_gem) do
+    Bundler::Audit::Results::UnpatchedGem.new(gem,advisory)
+  end
+
+  let(:results) do
+    [insecure_source, unpatched_gem]
+  end
+
+  subject { described_class.new(results) }
+
+  describe "#version" do
+    it "should be the VERSION constant" do
+      expect(subject.version).to be(Bundler::Audit::VERSION)
+    end
+  end
+
+  describe "#time" do
+    it { expect(subject.created_at).to be_kind_of(Time) }
+  end
+
+  describe "#<<" do
+    subject { described_class.new }
+
+    it "should return self" do
+      expect(subject << insecure_source).to be(subject)
+    end
+
+    context "when given a Result::InsecureSource" do
+      let(:result) { insecure_source }
+
+      before { subject << result }
+
+      it "should add the result to the report" do
+        expect(subject.results.last).to be(result)
+      end
+
+      it "should also add the result to #insecure_sources" do
+        expect(subject.insecure_sources.last).to be(result)
+      end
+    end
+
+    context "when given a Result::UnpatchedGem" do
+      let(:result) { unpatched_gem }
+
+      before { subject << result }
+
+      it "should add the result to the report" do
+        expect(subject.results.last).to be(result)
+      end
+
+      it "should also add the result to #unpatched_gems" do
+        expect(subject.unpatched_gems.last).to be(result)
+      end
+    end
+  end
+
+  describe "#each" do
+    context "when given a block" do
+      it "should enumerate over each result in the report" do
+        expect { |b| subject.each(&b) }.to yield_successive_args(*results)
+      end
+    end
+
+    context "when no block is given" do
+      it "should return an Enumerator" do
+        expect(subject.each).to be_kind_of(Enumerator)
+      end
+    end
+  end
+
+  describe "#vulnerable?" do
+    context "when the report is empty" do
+      subject { described_class.new }
+
+      it { expect(subject.vulnerable?).to be false }
+    end
+
+    context "when then report contains results" do
+      it { expect(subject.vulnerable?).to be true }
+    end
+  end
+end