bundler-audit 0.8.0.rc1 → 0.9.0.1

data/spec/cli/formats/text_spec.rb

@@ -76,43 +76,137 @@ describe Bundler::Audit::CLI::Formats::Text do
           expect(output_lines).to include("Version: #{gem.version}")
         end
 
-        it "must print 'Advisory: CVE-YYYY-NNNN'" do
-          expect(output_lines).to include("Advisory: CVE-#{advisory.cve}")
+        context "when the advisory has a CVE ID" do
+          it "must print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output_lines).to include("CVE: CVE-#{advisory.cve}")
+          end
         end
 
-        context "when Advisory#criticality is :low" do
-          let(:advisory) do
-            super().tap do |advisory|
-              advisory.cvss_v2 = 0.0
-            end
+        context "when the advisory does not have a CVE ID" do
+          before { advisory.cve = nil }
+
+          it "must not print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output_lines).to_not include("CVE: CVE-#{advisory.cve}")
+          end
+        end
+
+        context "when the advisory has a GHSA ID" do
+          it "must print 'GHSA: GHSA-xxxx-xxxx-xxxx'" do
+            expect(output_lines).to include("GHSA: GHSA-#{advisory.ghsa}")
           end
+        end
 
-          it "must print 'Criticality: Low'" do
-            expect(output_lines).to include("Criticality: Low")
+        context "when the advisory does not have a GHSA ID" do
+          before { advisory.ghsa = nil }
+
+          it "must not print 'GHSA: GHSA-xxxx-xxxx-xxxx'" do
+            expect(output_lines).to_not include("GHSA: GHSA-#{advisory.ghsa}")
           end
         end
 
-        context "when Advisory#criticality is :medium" do
-          let(:advisory) do
-            super().tap do |advisory|
-              advisory.cvss_v2 = 6.9
+        context "when CVSS v3 is present" do
+          context "when Advisory#criticality is :none (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: None'" do
+              expect(output_lines).to include("Criticality: None")
             end
           end
 
-          it "must print 'Criticality: Medium'" do
-            expect(output_lines).to include("Criticality: Medium")
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.1
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output_lines).to include("Criticality: Low")
+            end
+          end
+
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output_lines).to include("Criticality: Medium")
+            end
+          end
+
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output_lines).to include("Criticality: High")
+            end
+          end
+
+          context "when Advisory#criticality is :critical (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 9.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output_lines).to include("Criticality: Critical")
+            end
           end
         end
 
-        context "when Advisory#criticality is :high" do
+        context "when CVSS v2 is present" do
           let(:advisory) do
             super().tap do |advisory|
-              advisory.cvss_v2 = 10.0
+              advisory.cvss_v3 = nil
+            end
+          end
+
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output_lines).to include("Criticality: Low")
             end
           end
 
-          it "must print 'Criticality: High'" do
-            expect(output_lines).to include("Criticality: High")
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output_lines).to include("Criticality: Medium")
+            end
+          end
+
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output_lines).to include("Criticality: High")
+            end
           end
         end
 

data/spec/cli_spec.rb

@@ -15,28 +15,68 @@ describe Bundler::Audit::CLI do
     end
   end
 
+  describe "#stats" do
+    let(:size) { 1234 }
+    let(:last_updated_at) { Time.now }
+    let(:commit_id) { 'f0f97c4c493b853319e029d226e96f2c2f0dc539' }
+
+    let(:database) { double(Bundler::Audit::Database) }
+
+    before do
+      expect(Bundler::Audit::Database).to receive(:new).and_return(database)
+
+      expect(database).to receive(:size).and_return(size)
+      expect(database).to receive(:last_updated_at).and_return(last_updated_at)
+      expect(database).to receive(:commit_id).and_return(commit_id)
+    end
+
+    it "prints total advisory count" do
+      expect { subject.stats }.to output(
+        include(
+          "advisories:\t#{size} advisories",
+          "last updated:\t#{last_updated_at}",
+          "commit:\t#{commit_id}"
+        )
+      ).to_stdout
+    end
+  end
+
   describe "#update" do
+    let(:database) { double(Bundler::Audit::Database) }
+
+    before do
+      allow(Bundler::Audit::Database).to receive(:new).and_return(database)
+    end
+
     context "not --quiet (the default)" do
       context "when update succeeds" do
+        let(:size) { 1234 }
+        let(:last_updated_at) { Time.now }
+        let(:commit_id) { 'f0f97c4c493b853319e029d226e96f2c2f0dc539' }
+
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to receive(:update!).and_return(true)
+          expect(database).to receive(:update!).and_return(true)
+          expect(database).to receive(:size).and_return(size)
+          expect(database).to receive(:last_updated_at).and_return(last_updated_at)
+          expect(database).to receive(:commit_id).and_return(commit_id)
         end
 
-        it "prints updated message" do
-          expect { subject.update }.to output(/Updated ruby-advisory-db/).to_stdout
-        end
-
-        it "prints total advisory count" do
-          size = 1234
-          expect_any_instance_of(Bundler::Audit::Database).to receive(:size).and_return(size)
-
-          expect { subject.update }.to output(/advisories:\t#{size} advisories/).to_stdout
+        it "prints updated message and then the stats" do
+          expect { subject.update }.to output(
+            include(
+              "Updated ruby-advisory-db",
+              "ruby-advisory-db:",
+              "  advisories:\t#{size} advisories",
+              "  last updated:\t#{last_updated_at}",
+              "  commit:\t#{commit_id}"
+            )
+          ).to_stdout
         end
       end
 
       context "when update fails" do
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to receive(:update!).and_return(false)
+          expect(database).to receive(:update!).and_return(false)
         end
 
         it "prints failure message" do
@@ -45,7 +85,7 @@ describe Bundler::Audit::CLI do
               subject.update
             rescue SystemExit
             end
-          }.to output(/Failed updating ruby-advisory-db!/).to_stdout
+          }.to output(/Failed updating ruby-advisory-db!/).to_stderr
         end
 
         it "exits with error status code" do
@@ -58,22 +98,22 @@ describe Bundler::Audit::CLI do
             expect(error.status).to eq(1)
           end
         end
-
       end
 
       context "when git is not installed" do
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to receive(:update!).and_return(nil)
+          expect(database).to receive(:update!).and_return(nil)
+
           expect(Bundler).to receive(:git_present?).and_return(false)
         end
 
         it "prints failure message" do
-          expect do
+          expect {
             begin
               subject.update
             rescue SystemExit
             end
-          end.to output(/Git is not installed!/).to_stdout
+          }.to output(/Git is not installed!/).to_stderr
         end
 
         it "exits with error status code" do
@@ -90,13 +130,13 @@ describe Bundler::Audit::CLI do
     end
 
     context "--quiet" do
-      before do
-        allow(subject).to receive(:options).and_return(double("Options", quiet?: true))
+      subject do
+        described_class.new([], {quiet: true})
       end
 
       context "when update succeeds" do
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to(
+          expect(database).to(
             receive(:update!).with(quiet: true).and_return(true)
           )
         end
@@ -108,7 +148,7 @@ describe Bundler::Audit::CLI do
 
       context "when update fails" do
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to(
+          expect(database).to(
             receive(:update!).with(quiet: true).and_return(false)
           )
         end
@@ -119,7 +159,7 @@ describe Bundler::Audit::CLI do
               subject.update
             rescue SystemExit
             end
-          }.to output(/Failed updating ruby-advisory-db!/).to_stdout
+          }.to_not output.to_stderr
         end
 
         it "exits with error status code" do

data/spec/configuration_spec.rb

@@ -22,6 +22,14 @@ describe Bundler::Audit::Configuration do
     end
 
     context "validations" do
+      context "when the file is empty" do
+        let(:path) { File.join(fixtures_dir,'bad','empty.yml') }
+
+        it 'raises a validation error' do
+          expect { subject }.to raise_error(described_class::InvalidConfigurationError)
+        end
+      end
+
       context "when ignore is not an array" do
         let(:path) { File.join(fixtures_dir,'bad','ignore_is_not_an_array.yml') }
 

data/spec/database_spec.rb

@@ -174,7 +174,7 @@ describe Bundler::Audit::Database do
     end
 
     context "when given a directory" do
-      let(:path ) { Dir.tmpdir }
+      let(:path) { Dir.tmpdir }
 
       subject { described_class.new(path) }
 
@@ -263,6 +263,30 @@ describe Bundler::Audit::Database do
     end
   end
 
+  describe "#commit_id" do
+    context "when the database is a git repository" do
+      let(:last_commit) { Fixtures::Database::COMMIT }
+
+      it "should return the last commit ID" do
+        expect(subject.commit_id).to be == last_commit
+      end
+    end
+
+    context "when the database is a bare directory" do
+      let(:path) { Fixtures.join('mock-database-dir') }
+
+      before { FileUtils.mkdir(path) }
+
+      subject { described_class.new(path) }
+
+      it "should return the mtime of the directory" do
+        expect(subject.commit_id).to be(nil)
+      end
+
+      after { FileUtils.rmdir(path) }
+    end
+  end
+
   describe "#last_updated_at" do
     context "when the database is a git repository" do
       let(:last_commit) { Fixtures::Database::COMMIT }

data/spec/fixtures/advisory/CVE-2020-1234.yml

@@ -1,6 +1,7 @@
 ---
 gem: test
 cve: 2020-1234
+ghsa: aaaa-bbbb-cccc
 url: https://example.com/
 title: Test advisory
 date: 2015-06-16
@@ -9,6 +10,7 @@ description: |
   This is a test advisory.
 
 cvss_v2: 10.0
+cvss_v3: 9.8
 
 unaffected_versions:
   - "< 0.1.0"

data/spec/fixtures/lib/bundler/audit/cli/formats/bad.rb

@@ -5,11 +5,9 @@ module Bundler
     class CLI < ::Thor
       module Formats
         module Bad
-
           def print_report(report,output=$stdout)
             say "I am a bad format!", :red
           end
-
         end
 
         Formats.register :incorrect, Bad

data/spec/fixtures/lib/bundler/audit/cli/formats/good.rb

@@ -5,11 +5,9 @@ module Bundler
     class CLI < ::Thor
       module Formats
         module Good
-
           def print_report(report,output=$stdout)
             say "I am a good format.", :green
           end
-
         end
 
         Formats.register :good, Good

data/spec/integration_spec.rb

@@ -1,117 +1,31 @@
 require 'spec_helper'
 
-describe "CLI" do
-  include Helpers
-
-  let(:command) do
-    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-audit'))
-  end
-
-  context "when auditing a bundle with unpatched gems" do
-    let(:bundle)    { 'unpatched_gems' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should print a warning" do
-      expect(subject).to include("Vulnerabilities found!")
-    end
-
-    it "should print advisory information for the vulnerable gems" do
-      advisory_pattern = %r{(Name: [^\n]+
-Version: \d+\.\d+\.\d+(\.\d+)?
-Advisory: CVE-[0-9]{4}-[0-9]{4}
-Criticality: (Critical|High|Medium|Low|None|Unknown)
-URL: https?://(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#!?&//=]*)
-Title: [^\n]*?
-Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)}
-
-      expect(subject).to match(advisory_pattern)
-      expect(subject).to include("Vulnerabilities found!")
-    end
-  end
-
-  context "when auditing a bundle with ignored gems" do
-    let(:bundle)    { 'unpatched_gems' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    let(:command) do
-      File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-audit -i CVE-2013-0156'))
-    end
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should not print advisory information for ignored gem" do
-      expect(subject).not_to include("CVE-2013-0156")
-    end
-  end
-
-  context "when auditing a bundle with insecure sources" do
-    let(:bundle)    { 'insecure_sources' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should print warnings about insecure sources" do
-      expect(subject).to include(%{
-Insecure Source URI found: git://github.com/rails/jquery-rails.git
-Insecure Source URI found: http://rubygems.org/
-      }.strip)
-    end
+describe "bin/bundler-audit" do
+  let(:name) { 'bundler-audit' }
+  let(:path) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin',name))
   end
 
-  context "when auditing a secure bundle" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
+  let(:command) { "#{path} version" }
 
-    subject do
-      Dir.chdir(directory) { sh(command) }
-    end
+  subject { sh(command) }
 
-    it "should print nothing when everything is fine" do
-      expect(subject.strip).to eq("No vulnerabilities found")
-    end
+  it "must invoke the CLI class" do
+    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
   end
+end
 
-  context "when auditing a non-existent Gemfile.lock file" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-    let(:root)      { File.expand_path(directory) }
-
-    let(:gemfile_lock) { 'Gemfile.foo.lock' }
-    let(:command) { "#{super()} --gemfile-lock #{gemfile_lock}" }
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should print an error message" do
-      expect(subject.strip).to eq("Could not find #{gemfile_lock.inspect} in #{root.inspect}")
-    end
+describe "bin/bundle-audit" do
+  let(:name) { 'bundle-audit' }
+  let(:path) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin',name))
   end
 
-  describe "update" do
-    let(:update_command) { "#{command} update" }
-    let(:bundle)         { 'secure' }
-    let(:directory)      { File.join('spec','bundle',bundle) }
+  let(:command) { "#{path} version" }
 
-    subject do
-      Dir.chdir(directory) { sh(update_command) }
-    end
+  subject { sh(command) }
 
-    context "when advisories update successfully" do
-      it "should print status" do
-        expect(subject).not_to include("Fail")
-        expect(subject).to include("Updating ruby-advisory-db ...\n")
-        expect(subject).to include("Updated ruby-advisory-db\n")
-        expect(subject).to match(/ruby-advisory-db:\n  advisories:\s+[1-9]\d+ advisories/)
-      end
-    end
+  it "must invoke the CLI class" do
+    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
   end
 end