bundler-audit 0.8.0 → 0.9.0.1

data/lib/bundler/audit/results.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/insecure_source'

data/lib/bundler/audit/scanner.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler'
@@ -31,6 +31,9 @@ require 'yaml'
 
 module Bundler
   module Audit
+    #
+    # Scans a `Gemfile.lock` for security issues.
+    #
     class Scanner
 
       # The advisory database
@@ -63,6 +66,9 @@ module Bundler
       # @param [Database] database
       #   The database to scan against.
       #
+      # @param [String] config_dot_file
+      #   The file name of the bundler-audit config file.
+      #
       # @raise [Bundler::GemfileLockNotFound]
       #   The `gemfile_lock` file could not be found within the `root`
       #   directory.
@@ -79,7 +85,7 @@ module Bundler
 
         @lockfile = LockfileParser.new(File.read(gemfile_lock_path))
 
-        config_dot_file_full_path = File.join(@root,config_dot_file)
+        config_dot_file_full_path = File.absolute_path(config_dot_file, @root)
 
         @config = if File.exist?(config_dot_file_full_path)
                     Configuration.load(config_dot_file_full_path)

data/lib/bundler/audit/task.rb

@@ -2,6 +2,9 @@ require 'rake/tasklib'
 
 module Bundler
   module Audit
+    #
+    # Defines the `bundle:audit` rake tasks.
+    #
     class Task < Rake::TaskLib
       #
       # Initializes the task.
@@ -13,16 +16,28 @@ module Bundler
       protected
 
       #
-      # Defines the `bundle:audit` task.
+      # Defines the `bundle:audit` and `bundle:audit:update` task.
       #
       def define
         namespace :bundle do
-          desc 'Checks the Gemfile.lock for insecure dependencies'
-          task :audit do
-            require 'bundler/audit/cli'
-            Bundler::Audit::CLI.start %w[check]
+          namespace :audit do
+            desc 'Checks the Gemfile.lock for insecure dependencies'
+            task :check do
+              system 'bundler-audit', 'check'
+            end
+
+            desc 'Updates the bundler-audit vulnerability database'
+            task :update do
+              system 'bundler-audit', 'update'
+            end
           end
+
+          task :audit => 'audit:check'
         end
+
+        task 'bundler:audit'        => 'bundle:audit'
+        task 'bundler:audit:check'  => 'bundle:audit:check'
+        task 'bundler:audit:update' => 'bundle:audit:update'
       end
     end
   end

data/lib/bundler/audit/version.rb

@@ -12,12 +12,12 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.8.0'
+    VERSION = '0.9.0.1'
   end
 end

data/lib/bundler/audit.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/database'

data/spec/advisory_spec.rb

@@ -83,7 +83,7 @@ describe Bundler::Audit::Advisory do
     end
 
     context "YAML data not representing a hash" do
-      let(:path ) do
+      let(:path) do
         File.expand_path('../fixtures/advisory/not_a_hash.yml', __FILE__)
       end
 
@@ -353,4 +353,12 @@ describe Bundler::Audit::Advisory do
       end
     end
   end
+
+  describe "#to_h" do
+    subject { super().to_h }
+
+    it "must include criticality: :critical" do
+      expect(subject[:criticality]).to be :critical
+    end
+  end
 end

data/spec/bundle/insecure_sources/Gemfile.lock

@@ -10,122 +10,120 @@ GIT
 GEM
   remote: http://rubygems.org/
   specs:
-    actioncable (6.1.0)
-      actionpack (= 6.1.0)
-      activesupport (= 6.1.0)
+    actioncable (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.0)
-      actionpack (= 6.1.0)
-      activejob (= 6.1.0)
-      activerecord (= 6.1.0)
-      activestorage (= 6.1.0)
-      activesupport (= 6.1.0)
+    actionmailbox (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       mail (>= 2.7.1)
-    actionmailer (6.1.0)
-      actionpack (= 6.1.0)
-      actionview (= 6.1.0)
-      activejob (= 6.1.0)
-      activesupport (= 6.1.0)
+    actionmailer (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      actionview (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.0)
-      actionview (= 6.1.0)
-      activesupport (= 6.1.0)
+    actionpack (6.1.3.2)
+      actionview (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.0)
-      actionpack (= 6.1.0)
-      activerecord (= 6.1.0)
-      activestorage (= 6.1.0)
-      activesupport (= 6.1.0)
+    actiontext (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       nokogiri (>= 1.8.5)
-    actionview (6.1.0)
-      activesupport (= 6.1.0)
+    actionview (6.1.3.2)
+      activesupport (= 6.1.3.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.1.0)
-      activesupport (= 6.1.0)
+    activejob (6.1.3.2)
+      activesupport (= 6.1.3.2)
       globalid (>= 0.3.6)
-    activemodel (6.1.0)
-      activesupport (= 6.1.0)
-    activerecord (6.1.0)
-      activemodel (= 6.1.0)
-      activesupport (= 6.1.0)
-    activestorage (6.1.0)
-      actionpack (= 6.1.0)
-      activejob (= 6.1.0)
-      activerecord (= 6.1.0)
-      activesupport (= 6.1.0)
-      marcel (~> 0.3.1)
-      mimemagic (~> 0.3.2)
-    activesupport (6.1.0)
+    activemodel (6.1.3.2)
+      activesupport (= 6.1.3.2)
+    activerecord (6.1.3.2)
+      activemodel (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+    activestorage (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      marcel (~> 1.0.0)
+      mini_mime (~> 1.0.2)
+    activesupport (6.1.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
       zeitwerk (~> 2.3)
     builder (3.2.4)
-    concurrent-ruby (1.1.7)
+    concurrent-ruby (1.1.8)
     crass (1.0.6)
     erubi (1.10.0)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.8.5)
+    i18n (1.8.10)
       concurrent-ruby (~> 1.0)
-    loofah (2.8.0)
+    loofah (2.9.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
-      mimemagic (~> 0.3.2)
+    marcel (1.0.1)
     method_source (1.0.0)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
-    mini_portile2 (2.5.0)
-    minitest (5.14.2)
-    nio4r (2.5.4)
-    nokogiri (1.11.1)
+    mini_mime (1.0.3)
+    mini_portile2 (2.5.1)
+    minitest (5.14.4)
+    nio4r (2.5.7)
+    nokogiri (1.11.6)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
-    nokogiri (1.11.1-x86_64-linux)
+    nokogiri (1.11.6-x86_64-linux)
       racc (~> 1.4)
     racc (1.5.2)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.1.0)
-      actioncable (= 6.1.0)
-      actionmailbox (= 6.1.0)
-      actionmailer (= 6.1.0)
-      actionpack (= 6.1.0)
-      actiontext (= 6.1.0)
-      actionview (= 6.1.0)
-      activejob (= 6.1.0)
-      activemodel (= 6.1.0)
-      activerecord (= 6.1.0)
-      activestorage (= 6.1.0)
-      activesupport (= 6.1.0)
+    rails (6.1.3.2)
+      actioncable (= 6.1.3.2)
+      actionmailbox (= 6.1.3.2)
+      actionmailer (= 6.1.3.2)
+      actionpack (= 6.1.3.2)
+      actiontext (= 6.1.3.2)
+      actionview (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activemodel (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       bundler (>= 1.15.0)
-      railties (= 6.1.0)
+      railties (= 6.1.3.2)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.1.0)
-      actionpack (= 6.1.0)
-      activesupport (= 6.1.0)
+    railties (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       method_source
       rake (>= 0.8.7)
       thor (~> 1.0)
-    rake (13.0.1)
+    rake (13.0.3)
     sprockets (4.0.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -133,10 +131,10 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    thor (1.0.1)
-    tzinfo (2.0.3)
+    thor (1.1.0)
+    tzinfo (2.0.4)
       concurrent-ruby (~> 1.0)
-    websocket-driver (0.7.3)
+    websocket-driver (0.7.4)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     zeitwerk (2.4.2)

data/spec/bundle/secure/Gemfile.lock

@@ -1,103 +1,101 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.4.4)
-      actionpack (= 5.2.4.4)
+    actioncable (5.2.6)
+      actionpack (= 5.2.6)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.4.4)
-      actionpack (= 5.2.4.4)
-      actionview (= 5.2.4.4)
-      activejob (= 5.2.4.4)
+    actionmailer (5.2.6)
+      actionpack (= 5.2.6)
+      actionview (= 5.2.6)
+      activejob (= 5.2.6)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.4.4)
-      actionview (= 5.2.4.4)
-      activesupport (= 5.2.4.4)
+    actionpack (5.2.6)
+      actionview (= 5.2.6)
+      activesupport (= 5.2.6)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.4.4)
-      activesupport (= 5.2.4.4)
+    actionview (5.2.6)
+      activesupport (= 5.2.6)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.4.4)
-      activesupport (= 5.2.4.4)
+    activejob (5.2.6)
+      activesupport (= 5.2.6)
       globalid (>= 0.3.6)
-    activemodel (5.2.4.4)
-      activesupport (= 5.2.4.4)
-    activerecord (5.2.4.4)
-      activemodel (= 5.2.4.4)
-      activesupport (= 5.2.4.4)
+    activemodel (5.2.6)
+      activesupport (= 5.2.6)
+    activerecord (5.2.6)
+      activemodel (= 5.2.6)
+      activesupport (= 5.2.6)
       arel (>= 9.0)
-    activestorage (5.2.4.4)
-      actionpack (= 5.2.4.4)
-      activerecord (= 5.2.4.4)
-      marcel (~> 0.3.1)
-    activesupport (5.2.4.4)
+    activestorage (5.2.6)
+      actionpack (= 5.2.6)
+      activerecord (= 5.2.6)
+      marcel (~> 1.0.0)
+    activesupport (5.2.6)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
     builder (3.2.4)
-    concurrent-ruby (1.1.7)
+    concurrent-ruby (1.1.8)
     crass (1.0.6)
     erubi (1.10.0)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.8.5)
+    i18n (1.8.10)
       concurrent-ruby (~> 1.0)
-    loofah (2.8.0)
+    loofah (2.9.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
-      mimemagic (~> 0.3.2)
+    marcel (1.0.1)
     method_source (1.0.0)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
-    mini_portile2 (2.5.0)
-    minitest (5.14.2)
-    nio4r (2.5.4)
-    nokogiri (1.11.1)
+    mini_mime (1.1.0)
+    mini_portile2 (2.5.1)
+    minitest (5.14.4)
+    nio4r (2.5.7)
+    nokogiri (1.11.6)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
-    nokogiri (1.11.1-x86_64-linux)
+    nokogiri (1.11.6-x86_64-linux)
       racc (~> 1.4)
     racc (1.5.2)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.4.4)
-      actioncable (= 5.2.4.4)
-      actionmailer (= 5.2.4.4)
-      actionpack (= 5.2.4.4)
-      actionview (= 5.2.4.4)
-      activejob (= 5.2.4.4)
-      activemodel (= 5.2.4.4)
-      activerecord (= 5.2.4.4)
-      activestorage (= 5.2.4.4)
-      activesupport (= 5.2.4.4)
+    rails (5.2.6)
+      actioncable (= 5.2.6)
+      actionmailer (= 5.2.6)
+      actionpack (= 5.2.6)
+      actionview (= 5.2.6)
+      activejob (= 5.2.6)
+      activemodel (= 5.2.6)
+      activerecord (= 5.2.6)
+      activestorage (= 5.2.6)
+      activesupport (= 5.2.6)
       bundler (>= 1.3.0)
-      railties (= 5.2.4.4)
+      railties (= 5.2.6)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.4.4)
-      actionpack (= 5.2.4.4)
-      activesupport (= 5.2.4.4)
+    railties (5.2.6)
+      actionpack (= 5.2.6)
+      activesupport (= 5.2.6)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)
-    rake (13.0.1)
+    rake (13.0.3)
     sprockets (4.0.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -105,11 +103,11 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    thor (1.0.1)
+    thor (1.1.0)
     thread_safe (0.3.6)
-    tzinfo (1.2.8)
+    tzinfo (1.2.9)
       thread_safe (~> 0.1)
-    websocket-driver (0.7.3)
+    websocket-driver (0.7.4)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)