bundler-audit 0.8.0.rc1 → 0.9.0.1

data/gemspec.yml

@@ -6,9 +6,9 @@ authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme
 
-required_ruby_version: ">= 1.9.3"
+required_ruby_version: ">= 2.0.0"
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
-  thor: ">= 0.18, < 2"
+  thor: "~> 1.0"
   bundler: ">= 1.2.0, < 3"

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,13 +12,16 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'yaml'
 
 module Bundler
   module Audit
+    #
+    # Represents an advisory loaded from the {Database}.
+    #
     class Advisory < Struct.new(:path,
                                 :id,
                                 :url,
@@ -45,7 +48,14 @@ module Bundler
       #
       def self.load(path)
         id   = File.basename(path).chomp('.yml')
-        data = YAML.load_file(path)
+        data = File.open(path) do |yaml|
+                 if Psych::VERSION >= '3.1.0'
+                   YAML.safe_load(yaml, permitted_classes: [Date])
+                 else
+                   # XXX: psych < 3.1.0 YAML.safe_load calling convention
+                   YAML.safe_load(yaml, [Date])
+                 end
+               end
 
         unless data.kind_of?(Hash)
           raise("advisory data in #{path.dump} was not a Hash")
@@ -200,6 +210,17 @@ module Bundler
         id == other.id
       end
 
+      #
+      # Converts the advisory to a Hash.
+      #
+      # @return [Hash{Symbol => Object}]
+      #
+      def to_h
+        super.merge({
+          criticality: criticality
+        })
+      end
+
       alias to_s id
 
     end

data/lib/bundler/audit/cli/formats/json.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'thor'
@@ -22,6 +22,9 @@ module Bundler
   module Audit
     class CLI < ::Thor
       module Formats
+        #
+        # The JSON output format.
+        #
         module JSON
           #
           # Outputs the report as JSON. Will pretty-print JSON if `output`
@@ -37,11 +40,22 @@ module Bundler
             hash = report.to_h
 
             if output.tty?
-              output.puts ::JSON.pretty_generate(hash)
+              output.puts(::JSON.pretty_generate(hash))
             else
               output.write(::JSON.generate(hash))
             end
           end
+
+          def criticality_label(advisory)
+            case advisory.criticality
+            when :none     then "none"
+            when :low      then "low"
+            when :medium   then "medium"
+            when :high     then "high"
+            when :critical then "critical"
+            else "unknown"
+            end
+          end
         end
 
         Formats.register :json, JSON

data/lib/bundler/audit/cli/formats/junit.rb

@@ -0,0 +1,127 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'thor'
+require 'cgi'
+
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        module Junit
+          #
+          # Prints any findings as an XML junit report.
+          #
+          # @param [Report] report
+          #   The results from the {Scanner}.
+          #
+          # @param [IO, File] output
+          #   Optional output stream.
+          #
+          def print_report(report, output=$stdout)
+            original_stdout = $stdout
+            $stdout = output
+
+            print_xml_testsuite(report) do
+              report.each do |result|
+                print_xml_testcase(result)
+              end
+            end
+
+            $stdout = original_stdout
+          end
+
+          private
+
+          def say_xml(*lines)
+            say(lines.join($/))
+          end
+
+          def print_xml_testsuite(report)
+            say_xml(
+              %{<?xml version="1.0" encoding="UTF-8" ?>},
+              %{<testsuites id="#{Time.now.to_i}" name="Bundle Audit">},
+              %{  <testsuite id="Gemfile" name="Ruby Gemfile" failures="#{report.count}">}
+            )
+
+            yield
+
+            say_xml(
+              %{  </testsuite>},
+              %{</testsuites>}
+            )
+          end
+
+          def xml(string)
+            CGI.escapeHTML(string.to_s)
+          end
+
+          def print_xml_testcase(result)
+            case result
+            when Results::InsecureSource
+              say_xml(
+                %{    <testcase id="#{xml(result.source)}" name="Insecure Source URI found: #{xml(result.source)}">},
+                %{      <failure message="Insecure Source URI found: #{xml(result.source)}" type="Unknown"></failure>},
+                %{    </testcase>}
+              )
+            when Results::UnpatchedGem
+              say_xml(
+                %{    <testcase id="#{xml(result.gem.name)}" name="#{xml(bundle_title(result))}">},
+                %{      <failure message="#{xml(result.advisory.title)}" type="#{xml(result.advisory.criticality)}">},
+                %{        Name: #{xml(result.gem.name)}},
+                %{        Version: #{xml(result.gem.version)}},
+                %{        Advisory: #{xml(advisory_ref(result.advisory))}},
+                %{        Criticality: #{xml(advisory_criticality(result.advisory))}},
+                %{        URL: #{xml(result.advisory.url)}},
+                %{        Title: #{xml(result.advisory.title)}},
+                %{        Solution: #{xml(advisory_solution(result.advisory))}},
+                %{      </failure>},
+                %{    </testcase>}
+              )
+            end
+          end
+
+          def bundle_title(result)
+            "#{advisory_criticality(result.advisory).upcase} #{result.gem.name}(#{result.gem.version}) #{result.advisory.title}"
+          end
+
+          def advisory_solution(advisory)
+            unless advisory.patched_versions.empty?
+              "upgrade to #{advisory.patched_versions.join(', ')}"
+            else
+              "remove or disable this gem until a patch is available!"
+            end
+          end
+
+          def advisory_criticality(advisory)
+            if advisory.criticality
+              advisory.criticality.to_s.capitalize
+            else
+              "Unknown"
+            end
+          end
+
+          def advisory_ref(advisory)
+            advisory.identifiers.join(" ")
+          end
+
+          Formats.register :junit, Junit
+        end
+      end
+    end
+  end
+end

data/lib/bundler/audit/cli/formats/text.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'thor'
@@ -21,6 +21,9 @@ module Bundler
   module Audit
     class CLI < ::Thor
       module Formats
+        #
+        # The plain-text output format.
+        #
         module Text
           #
           # Prints any findings as plain-text.
@@ -66,20 +69,24 @@ module Bundler
             say "Version: ", :red
             say gem.version
 
-            say "Advisory: ", :red
-
             if advisory.cve
-              say "CVE-#{advisory.cve}"
-            elsif advisory.osvdb
-              say advisory.osvdb
+              say "CVE: ", :red
+              say advisory.cve_id
+            end
+
+            if advisory.ghsa
+              say "GHSA: ", :red
+              say advisory.ghsa_id
             end
 
             say "Criticality: ", :red
             case advisory.criticality
-            when :low    then say "Low"
-            when :medium then say "Medium", :yellow
-            when :high   then say "High", [:red, :bold]
-            else              say "Unknown"
+            when :none     then say "None"
+            when :low      then say "Low"
+            when :medium   then say "Medium", :yellow
+            when :high     then say "High", [:red, :bold]
+            when :critical then say "Critical", [:red, :bold]
+            else                say "Unknown"
             end
 
             say "URL: ", :red
@@ -89,7 +96,7 @@ module Bundler
               say "Description:", :red
               say
 
-              print_wrapped advisory.description, :indent => 2
+              print_wrapped advisory.description, indent: 2
               say
             else
               say "Title: ", :red
@@ -106,7 +113,6 @@ module Bundler
 
             say
           end
-
         end
 
         Formats.register :text, Text

data/lib/bundler/audit/cli/formats.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'thor'
@@ -126,15 +126,19 @@ module Bundler
         #
         def self.load(name)
           name = name.to_s
+          path = File.join(DIR,File.basename(name))
 
           begin
-            require File.join(DIR,File.basename(name))
+            require path
           rescue LoadError
             raise(FormatNotFound,"could not load format #{name.inspect}")
           end
 
-          return self[name] || \
+          unless (format = self[name])
             raise(FormatNotFound,"unknown format #{name.inspect}")
+          end
+
+          return  format
         end
       end
     end

data/lib/bundler/audit/cli/thor_ext/shell/basic/say_error.rb

@@ -0,0 +1,33 @@
+class Thor
+  module Shell
+    class Basic
+      #
+      # Prints an error message to `stderr`.
+      #
+      # @param [String] message
+      #   The message to print to `stderr`.
+      #
+      # @param [Symbol, nil] color
+      #   Optional ANSI color.
+      #
+      # @param [Boolean] force_new_line
+      #   Controls whether a newline character will be appended to the output.
+      #
+      def say_error(message,color=nil,force_new_line=(message.to_s !~ /( |\t)\Z/))
+        return if quiet?
+
+        buffer = prepare_message(message,*color)
+        buffer << $/ if force_new_line && !message.to_s.end_with?($/)
+
+        stderr.print(buffer)
+        stderr.flush
+      end
+    end
+
+    module_eval <<-METHOD, __FILE__, __LINE__ + 1
+      def say_error(*args,&block)
+        shell.say_error(*args,&block)
+      end
+    METHOD
+  end
+end

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/scanner'
@@ -20,40 +20,46 @@ require 'bundler/audit/version'
 require 'bundler/audit/cli/formats'
 
 require 'thor'
+require 'bundler/audit/cli/thor_ext/shell/basic/say_error'
 require 'bundler'
 
 module Bundler
   module Audit
+    #
+    # The `bundle-audit` command.
+    #
     class CLI < ::Thor
 
       default_task :check
       map '--version' => :version
 
       desc 'check [DIR]', 'Checks the Gemfile.lock for insecure dependencies'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
-      method_option :verbose, :type => :boolean, :aliases => '-v'
-      method_option :ignore, :type => :array, :aliases => '-i'
-      method_option :update, :type => :boolean, :aliases => '-u'
-      method_option :database, :type => :string, :aliases => '-D', :default => Database::USER_PATH
-      method_option :format, :type => :string, :default => 'text',
-                             :aliases => '-F'
-      method_option :gemfile_lock, :type => :string, :aliases => '-G', :default => 'Gemfile.lock'
-      method_option :output, :type => :string, :aliases => '-o'
+      method_option :quiet, type: :boolean, aliases: '-q'
+      method_option :verbose, type: :boolean, aliases: '-v'
+      method_option :ignore, type: :array, aliases: '-i'
+      method_option :update, type: :boolean, aliases: '-u'
+      method_option :database, type: :string, aliases: '-D',
+                               default: Database::USER_PATH
+      method_option :format, type: :string, default: 'text', aliases: '-F'
+      method_option :config, type: :string, aliases: '-c', default: '.bundler-audit.yml'
+      method_option :gemfile_lock, type: :string, aliases: '-G',
+                                   default: 'Gemfile.lock'
+      method_option :output, type: :string, aliases: '-o'
 
       def check(dir=Dir.pwd)
         unless File.directory?(dir)
-          say "No such file or directory: #{dir}", :red
+          say_error "No such file or directory: #{dir}", :red
           exit 1
         end
 
         begin
           extend Formats.load(options[:format])
         rescue Formats::FormatNotFound
-          say "Unknown format: #{options[:format]}", :red
+          say_error "Unknown format: #{options[:format]}", :red
           exit 1
         end
 
-        if !Database.exists?
+        if !Database.exists?(options[:database])
           download(options[:database])
         elsif options[:update]
           update(options[:database])
@@ -61,12 +67,13 @@ module Bundler
 
         database = Database.new(options[:database])
         scanner  = begin
-                     Scanner.new(dir,options[:gemfile_lock],database)
+                     Scanner.new(dir,options[:gemfile_lock],database, options[:config])
                    rescue Bundler::GemfileLockNotFound => exception
                      say exception.message, :red
                      exit 1
                    end
-        report   = scanner.report(:ignore => options.ignore)
+
+        report = scanner.report(ignore: options.ignore)
 
         output = if options[:output] then File.new(options[:output],'w')
                  else                     $stdout
@@ -80,7 +87,7 @@ module Bundler
       end
 
       desc 'stats', 'Prints ruby-advisory-db stats'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
       def stats(path=Database.path)
         database = Database.new(path)
@@ -88,10 +95,14 @@ module Bundler
         puts "ruby-advisory-db:"
         puts "  advisories:\t#{database.size} advisories"
         puts "  last updated:\t#{database.last_updated_at}"
+
+        if (commit_id = database.commit_id)
+          puts "  commit:\t#{commit_id}"
+        end
       end
 
       desc 'download', 'Downloads ruby-advisory-db'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
       def download(path=Database.path)
         if Database.exists?(path)
@@ -112,7 +123,7 @@ module Bundler
       end
 
       desc 'update', 'Updates the ruby-advisory-db'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
       def update(path=Database.path)
         unless Database.exists?(path)
@@ -128,13 +139,14 @@ module Bundler
         when true
           say("Updated ruby-advisory-db", :green) unless options.quiet?
         when false
-          say "Failed updating ruby-advisory-db!", :red
+          say_error "Failed updating ruby-advisory-db!", :red
           exit 1
         when nil
           unless Bundler.git_present?
-            say "Git is not installed!", :red
+            say_error "Git is not installed!", :red
             exit 1
           end
+
           say "Skipping update", :yellow
         end
 
@@ -143,13 +155,18 @@ module Bundler
 
       desc 'version', 'Prints the bundler-audit version'
       def version
-        database = Database.new
-
-        puts "#{File.basename($0)} #{VERSION} (advisories: #{database.size})"
+        puts "bundler-audit #{VERSION}"
       end
 
       protected
 
+      #
+      # @note Silence deprecation warnings from Thor.
+      #
+      def self.exit_on_failure?
+        true
+      end
+
       #
       # @abstract
       #
@@ -157,11 +174,6 @@ module Bundler
         raise(NotImplementedError,"#{self.class}##{__method__} not defined")
       end
 
-      def say(message="", color=nil)
-        color = nil unless $stdout.tty?
-        super(message.to_s, color)
-      end
-
     end
   end
 end