bundler-audit 0.8.0.rc1 → 0.9.0.1

data/lib/bundler/audit/configuration.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'yaml'
@@ -26,14 +26,17 @@ module Bundler
     # @since 0.8.0
     #
     class Configuration
-      class InvalidConfigurationError < StandardError; end
-      class FileNotFound < StandardError; end
+      class InvalidConfigurationError < StandardError
+      end
+
+      class FileNotFound < StandardError
+      end
 
       #
       # A constructor method for loading configuration from a YAML file.
       #
       # @param [String] file_path
-      #   Path to the yaml file holding the configuration.
+      #   Path to the YAML file holding the configuration.
       #
       # @raise [FileNotFound]
       #   Will raise a file not found error when the path to the
@@ -52,6 +55,10 @@ module Bundler
 
         doc = YAML.parse(File.new(file_path))
 
+        unless doc.kind_of?(YAML::Nodes::Document)
+          raise(InvalidConfigurationError,"Configuration found in '#{file_path}' is not YAML")
+        end
+
         unless doc.root.kind_of?(YAML::Nodes::Mapping)
           raise(InvalidConfigurationError,"Configuration found in '#{file_path}' is not a Hash")
         end

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/advisory'
@@ -82,7 +82,7 @@ module Bundler
       #   The given path of the database to check.
       #
       # @return [Boolean]
-      # 
+      #
       # @since 0.8.0
       #
       def self.exists?(path=DEFAULT_PATH)
@@ -119,7 +119,7 @@ module Bundler
 
         path = options.fetch(:path,DEFAULT_PATH)
 
-        command = %w(git clone)
+        command = %w[git clone]
         command << '--quiet' if options[:quiet]
         command << URL << path
 
@@ -199,7 +199,7 @@ module Bundler
       def update!(options={})
         if git?
           Dir.chdir(@path) do
-            command = %w(git pull)
+            command = %w[git pull]
             command << '--quiet' if options[:quiet]
             command << 'origin' << 'master'
 
@@ -212,6 +212,22 @@ module Bundler
         end
       end
 
+      #
+      # The last commit ID of the repository.
+      #
+      # @return [String, nil]
+      #   The commit hash or `nil` if the database is not a git repository.
+      #
+      # @since 0.9.0
+      #
+      def commit_id
+        if git?
+          Dir.chdir(@path) do
+            `git rev-parse HEAD`.chomp
+          end
+        end
+      end
+
       #
       # Determines the time when the database was last updated.
       #

data/lib/bundler/audit/results/insecure_source.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/result'
@@ -20,6 +20,9 @@ require 'bundler/audit/results/result'
 module Bundler
   module Audit
     module Results
+      #
+      # Represents an insecure gem source (ex: `git://...` or `http://...`).
+      #
       class InsecureSource < Result
 
         # The insecure `git://` or `http://` URI.

data/lib/bundler/audit/results/unpatched_gem.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/result'
@@ -22,6 +22,10 @@ require 'uri'
 module Bundler
   module Audit
     module Results
+      #
+      # Represents a gem version that has known vulnerabilities and needs to be
+      # upgraded.
+      #
       class UnpatchedGem < Result
 
         # The specification of the vulnerable gem.
@@ -73,7 +77,7 @@ module Bundler
         end
 
         #
-        # Converts the unpached gem to a Hash.
+        # Converts the unpatched gem to a Hash.
         #
         # @return [Hash{Symbol => Object}]
         #

data/lib/bundler/audit/results.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/insecure_source'

data/lib/bundler/audit/scanner.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler'
@@ -31,6 +31,9 @@ require 'yaml'
 
 module Bundler
   module Audit
+    #
+    # Scans a `Gemfile.lock` for security issues.
+    #
     class Scanner
 
       # The advisory database
@@ -63,6 +66,9 @@ module Bundler
       # @param [Database] database
       #   The database to scan against.
       #
+      # @param [String] config_dot_file
+      #   The file name of the bundler-audit config file.
+      #
       # @raise [Bundler::GemfileLockNotFound]
       #   The `gemfile_lock` file could not be found within the `root`
       #   directory.
@@ -79,7 +85,7 @@ module Bundler
 
         @lockfile = LockfileParser.new(File.read(gemfile_lock_path))
 
-        config_dot_file_full_path = File.join(@root,config_dot_file)
+        config_dot_file_full_path = File.absolute_path(config_dot_file, @root)
 
         @config = if File.exist?(config_dot_file_full_path)
                     Configuration.load(config_dot_file_full_path)

data/lib/bundler/audit/task.rb

@@ -2,6 +2,9 @@ require 'rake/tasklib'
 
 module Bundler
   module Audit
+    #
+    # Defines the `bundle:audit` rake tasks.
+    #
     class Task < Rake::TaskLib
       #
       # Initializes the task.
@@ -13,16 +16,28 @@ module Bundler
       protected
 
       #
-      # Defines the `bundle:audit` task.
+      # Defines the `bundle:audit` and `bundle:audit:update` task.
       #
       def define
         namespace :bundle do
-          desc 'Checks the Gemfile.lock for insecure dependencies'
-          task :audit do
-            require 'bundler/audit/cli'
-            Bundler::Audit::CLI.start %w[check]
+          namespace :audit do
+            desc 'Checks the Gemfile.lock for insecure dependencies'
+            task :check do
+              system 'bundler-audit', 'check'
+            end
+
+            desc 'Updates the bundler-audit vulnerability database'
+            task :update do
+              system 'bundler-audit', 'update'
+            end
           end
+
+          task :audit => 'audit:check'
         end
+
+        task 'bundler:audit'        => 'bundle:audit'
+        task 'bundler:audit:check'  => 'bundle:audit:check'
+        task 'bundler:audit:update' => 'bundle:audit:update'
       end
     end
   end

data/lib/bundler/audit/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,12 +12,12 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.8.0.rc1'
+    VERSION = '0.9.0.1'
   end
 end

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2020 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/database'

data/spec/advisory_spec.rb

@@ -83,7 +83,7 @@ describe Bundler::Audit::Advisory do
     end
 
     context "YAML data not representing a hash" do
-      let(:path ) do
+      let(:path) do
         File.expand_path('../fixtures/advisory/not_a_hash.yml', __FILE__)
       end
 
@@ -353,4 +353,12 @@ describe Bundler::Audit::Advisory do
       end
     end
   end
+
+  describe "#to_h" do
+    subject { super().to_h }
+
+    it "must include criticality: :critical" do
+      expect(subject[:criticality]).to be :critical
+    end
+  end
 end

data/spec/bundle/insecure_sources/Gemfile.lock

@@ -10,118 +10,120 @@ GIT
 GEM
   remote: http://rubygems.org/
   specs:
-    actioncable (6.1.0)
-      actionpack (= 6.1.0)
-      activesupport (= 6.1.0)
+    actioncable (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.0)
-      actionpack (= 6.1.0)
-      activejob (= 6.1.0)
-      activerecord (= 6.1.0)
-      activestorage (= 6.1.0)
-      activesupport (= 6.1.0)
+    actionmailbox (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       mail (>= 2.7.1)
-    actionmailer (6.1.0)
-      actionpack (= 6.1.0)
-      actionview (= 6.1.0)
-      activejob (= 6.1.0)
-      activesupport (= 6.1.0)
+    actionmailer (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      actionview (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.0)
-      actionview (= 6.1.0)
-      activesupport (= 6.1.0)
+    actionpack (6.1.3.2)
+      actionview (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.0)
-      actionpack (= 6.1.0)
-      activerecord (= 6.1.0)
-      activestorage (= 6.1.0)
-      activesupport (= 6.1.0)
+    actiontext (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       nokogiri (>= 1.8.5)
-    actionview (6.1.0)
-      activesupport (= 6.1.0)
+    actionview (6.1.3.2)
+      activesupport (= 6.1.3.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.1.0)
-      activesupport (= 6.1.0)
+    activejob (6.1.3.2)
+      activesupport (= 6.1.3.2)
       globalid (>= 0.3.6)
-    activemodel (6.1.0)
-      activesupport (= 6.1.0)
-    activerecord (6.1.0)
-      activemodel (= 6.1.0)
-      activesupport (= 6.1.0)
-    activestorage (6.1.0)
-      actionpack (= 6.1.0)
-      activejob (= 6.1.0)
-      activerecord (= 6.1.0)
-      activesupport (= 6.1.0)
-      marcel (~> 0.3.1)
-      mimemagic (~> 0.3.2)
-    activesupport (6.1.0)
+    activemodel (6.1.3.2)
+      activesupport (= 6.1.3.2)
+    activerecord (6.1.3.2)
+      activemodel (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+    activestorage (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      marcel (~> 1.0.0)
+      mini_mime (~> 1.0.2)
+    activesupport (6.1.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
       zeitwerk (~> 2.3)
     builder (3.2.4)
-    concurrent-ruby (1.1.7)
+    concurrent-ruby (1.1.8)
     crass (1.0.6)
     erubi (1.10.0)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.8.5)
+    i18n (1.8.10)
       concurrent-ruby (~> 1.0)
-    loofah (2.8.0)
+    loofah (2.9.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
-      mimemagic (~> 0.3.2)
+    marcel (1.0.1)
     method_source (1.0.0)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.14.2)
-    nio4r (2.5.4)
-    nokogiri (1.10.10)
-      mini_portile2 (~> 2.4.0)
+    mini_mime (1.0.3)
+    mini_portile2 (2.5.1)
+    minitest (5.14.4)
+    nio4r (2.5.7)
+    nokogiri (1.11.6)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    nokogiri (1.11.6-x86_64-linux)
+      racc (~> 1.4)
+    racc (1.5.2)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.1.0)
-      actioncable (= 6.1.0)
-      actionmailbox (= 6.1.0)
-      actionmailer (= 6.1.0)
-      actionpack (= 6.1.0)
-      actiontext (= 6.1.0)
-      actionview (= 6.1.0)
-      activejob (= 6.1.0)
-      activemodel (= 6.1.0)
-      activerecord (= 6.1.0)
-      activestorage (= 6.1.0)
-      activesupport (= 6.1.0)
+    rails (6.1.3.2)
+      actioncable (= 6.1.3.2)
+      actionmailbox (= 6.1.3.2)
+      actionmailer (= 6.1.3.2)
+      actionpack (= 6.1.3.2)
+      actiontext (= 6.1.3.2)
+      actionview (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activemodel (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       bundler (>= 1.15.0)
-      railties (= 6.1.0)
+      railties (= 6.1.3.2)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.1.0)
-      actionpack (= 6.1.0)
-      activesupport (= 6.1.0)
+    railties (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       method_source
       rake (>= 0.8.7)
       thor (~> 1.0)
-    rake (13.0.1)
+    rake (13.0.3)
     sprockets (4.0.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -129,10 +131,10 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    thor (1.0.1)
-    tzinfo (2.0.3)
+    thor (1.1.0)
+    tzinfo (2.0.4)
       concurrent-ruby (~> 1.0)
-    websocket-driver (0.7.3)
+    websocket-driver (0.7.4)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     zeitwerk (2.4.2)