bundler-audit 0.8.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c98968f6509b0551b595706cc23591bf2741626a472dcccda17e107c2e7788d0
-  data.tar.gz: 61c7ea8687934092a74aca4f0358e2565ce9eec53fe0713198bd1eadd5e2ae31
+  metadata.gz: 1c6db011cec167c3f5091b4bc3928b297862b2d3e74184db2c33a203374f8d67
+  data.tar.gz: fe1c745f2e1202bfddfee708c512cbd34f928d6a429d8161f82394695d52b462
 SHA512:
-  metadata.gz: 3a10a9071b08c8781c33db982d9d72929c63c2ec3ce69839cf93186bcd47775e8483fe397cf9b05363f13c785757f9b7cb3dfef2bced8085f9913c38553d6714
-  data.tar.gz: 4789e6c07340509b1e08218b6f9b2e16fcc40f24f42476ca92fe530171b2035bab209984b324783bf387758c9262d3fce724ceb0f76cdc0e78c967109112431d
+  metadata.gz: edd782d23e4e776350bf77cc1dadda0d78d89cf8816540ae8b20706b42f0dbefd7a3bb30fa9093afa23c5feb78dcbe1471139fc9471cde2c575f9cb5a658a71e
+  data.tar.gz: 50c0fa97a5d5a73624cf59dde9fe5ee5f0e300230b725b1055c2b74908866d2d962c91764e3d248878237eea66b23ce170a0e70ba4829f00a7e4423a76dd6774

data/.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,44 @@
+---
+name: Bug Report
+about: Report a bug
+title: ''
+labels: bug
+assignees: ''
+
+---
+<!--
+**Double Check**
+
+- Did you update to the latest bundler-audit? (ex: `bundle update bundler-audit` or `gem update bundler-audit`)
+- Did you update the ruby-advisory-db? (ex: `bundler-audit update`)
+-->
+
+## Description
+
+<!-- A clear and concise description of what the bug is. -->
+
+## Steps To Reproduce
+
+Steps to reproduce the bug:
+1. `$ bundle-audit ...`
+2. ???
+
+## Expected Behavior
+
+<!-- What should happen. -->
+
+## Actual Behavior
+
+<!-- The error message or backtrace. -->
+```
+```
+
+## Environment
+
+    $ bundler-audit --version
+    ...
+    $ bundle --version
+    ...
+    $ ruby --version
+    ...
+

data/.github/workflows/ruby.yml

@@ -9,8 +9,6 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
-          - 2.4
-          - 2.5
           - 2.6
           - 2.7
           - 3.0
@@ -27,3 +25,17 @@ jobs:
         run: bundle install --jobs 4 --retry 3
       - name: Run tests
         run: bundle exec rake test
+
+  # rubocop linting
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 2.7
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+      - name: Run rubocop
+        run: bundle exec rubocop --parallel

data/.rubocop.yml

@@ -0,0 +1,83 @@
+AllCops:
+  NewCops: enable
+  SuggestExtensions: false
+  TargetRubyVersion: 2.7
+  Exclude:
+    - 'spec/bundle/**/*'
+    - 'spec/fixtures/database/**/*'
+    - 'vendor/**/*'
+
+#
+# Style
+#
+Layout/FirstArrayElementIndentation: { EnforcedStyle: consistent }
+Layout/FirstHashElementIndentation: { EnforcedStyle: consistent }
+Layout/SpaceAroundEqualsInParameterDefault: { EnforcedStyle: no_space }
+Style/SymbolArray: { EnforcedStyle: brackets }
+Style/PercentLiteralDelimiters:
+  Enabled: true
+  PreferredDelimiters:
+    default: '{}'
+    '%i': '[]'
+    '%I': '[]'
+    '%w': '[]'
+    '%W': '[]'
+
+# 
+# Rules that conflict with my style.
+#
+Metrics: { Enabled: false }
+Layout/BeginEndAlignment: { Enabled: false } # Offense count: 1
+Layout/BlockAlignment: { Enabled: false } # Offense count: 1
+Layout/EmptyLinesAroundClassBody: { Enabled: false } # Offense count: 15
+Layout/ExtraSpacing: { Enabled: false } # Offense count: 9
+Layout/HashAlignment: { Enabled: false  } # Offense count: 3
+Layout/SpaceAfterComma: { Enabled: false } # Offense count: 122
+Layout/SpaceInsideHashLiteralBraces: { Enabled: false } # Offense count: 8
+Lint/MissingSuper: { Enabled: false } # Offense count: 3
+Lint/ShadowingOuterLocalVariable: { Enabled: false }
+Lint/ConstantDefinitionInBlock: { Exclude: ['spec/cli/formats_spec.rb'] }
+Lint/SuppressedException: { Exclude: ['spec/cli_spec.rb'] }
+Lint/UnusedBlockArgument: { Enabled: false } # Offense count: 4
+Lint/UnusedMethodArgument: { Enabled: false } # Offense count: 6
+Naming/RescuedExceptionsVariableName: { Enabled: false } # Offense count: 2
+Style/BlockDelimiters: { Enabled: false } # Offense count: 20
+Style/CaseEquality: { Exclude: ['lib/bundler/audit/advisory.rb'] }
+Style/ClassCheck: { Enabled: false } # Offense count: 4
+Style/Documentation: { Enabled: false } # Offense count: 12
+Style/GuardClause: { Enabled: false } # Offense count: 1
+Style/HashSyntax:
+  Exclude:
+    - 'Rakefile'
+    - 'lib/bundler/audit/task.rb'
+Style/IfUnlessModifier: { Enabled: false } # Offense count: 14
+Style/MethodCallWithoutArgsParentheses: { Enabled: false } # Offense count: 1
+Style/MultilineBlockChain: { Exclude: ['spec/**/*'] } # Offense count: 6
+Style/MutableConstant: { Enabled: false } # Offense count: 4
+Style/ParenthesesAroundCondition: { Enabled: false } # Offense count: 1
+Style/RedundantBegin: { Exclude: ['spec/cli_spec.rb'] } # Offense count: 1
+Style/RedundantReturn: { Enabled: false } # Offense count: 6
+Style/SpecialGlobalVars: { Enabled: false } # Offense count: 5
+Style/StringLiterals: { Enabled: false } # Offense count: 333
+Style/StructInheritance: { Enabled: false } # Offense count: 1
+Style/UnlessElse: { Enabled: false } # Offense count: 1
+Style/WordArray: { Enabled: false } # Offense count: 1
+Style/Lambda: { Enabled: false } # Offense count: 2
+Style/SafeNavigation: { Enabled: false } # Offense count: 2
+Lint/IneffectiveAccessModifier: { Enabled: false } # Offense count: 1
+
+#
+# Rules that may be disabled in the future.
+#
+# Layout/SpaceInsideParens: { Enabled: false }
+# Layout/TrailingWhitespace: { Enabled: false }
+
+#
+# Rules that I want to fully enabled in the future.
+#
+Style/DoubleNegation: { Exclude: ['spec/spec_helper.rb'] } # Offense count: 1
+Style/EmptyMethod: { Exclude: ['spec/cli/formats_spec.rb'] } # Offense count: 2
+Style/ExpandPathArguments: { Enabled: false } # Offense count: 5
+Style/FrozenStringLiteralComment: { Enabled: false } # Offense count: 42
+Style/MixinUsage: { Exclude: ['spec/spec_helper.rb'] } # Offense count: 1
+Layout/LineLength: { Enabled: false }

data/COPYING.txt

@@ -1,7 +1,7 @@
                     GNU GENERAL PUBLIC LICENSE
                        Version 3, 29 June 2007
 
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  Everyone is permitted to copy and distribute verbatim copies
  of this license document, but changing it is not allowed.
 
@@ -645,7 +645,7 @@ the "copyright" line and a pointer to where the full notice is found.
     GNU General Public License for more details.
 
     You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
 Also add information on how to contact you by electronic and paper mail.
 
@@ -664,11 +664,11 @@ might be different; for a GUI interface, you would use an "about box".
   You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
+<https://www.gnu.org/licenses/>.
 
   The GNU General Public License does not permit incorporating your program
 into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+<https://www.gnu.org/philosophy/why-not-lgpl.html>.

data/ChangeLog.md

@@ -1,3 +1,28 @@
+### 0.9.0 / 2021-08-31
+
+* Load advisory metadata using `YAML.safe_load`. (issue #302)
+  * Explicitly permit the `Date` class for Psych >= 4.0.0 and Ruby >= 3.1.0.
+* Added {Bundler::Audit::Advisory#to_h}. (pull #310)
+* Added {Bundler::Audit::Database#commit_id}.
+
+#### CLI
+
+* Added the `--config` option. (pull #306)
+* Added the `junit` output format (ex: `--format junit`). (pull #314)
+* Add missing output for CVSSv3 criticality information. (pull #302)
+  * Include criticality information in the JSON output as well. (pull #310)
+* `bundle-audit stats` now prints the commit ID of the ruby-advisory-db.
+* Fixed a deprecation warning from Thor. (issue #317)
+
+#### Rake Task
+
+* Add the `bundle:audit:update` task for updating the [ruby-advisory-db].
+  (pull #296)
+* Aliased `bundle:audit` to `bundle:audit:check`.
+* Aliased `bundler:audit:*` to `bundle:audit:*`.
+* Rake tasks now execute `bundle-audit` command as a subprocess to ensure
+  isolation.
+
 ### 0.8.0 / 2021-03-10
 
 * No longer vendor [ruby-advisory-db].

data/Gemfile

@@ -4,10 +4,14 @@ gemspec
 
 group :development do
   gem 'rake'
-  gem 'kramdown',       '~> 2.0'
-
   gem 'rubygems-tasks', '~> 0.2'
+
+  gem 'rubocop',        '~> 1.18'
+
   gem 'rspec',          '~> 3.0'
+  gem 'simplecov',      '~> 0.7', require: false
+
+  gem 'kramdown',       '~> 2.0'
   gem 'yard',           '~> 0.9'
-  gem 'simplecov',      '~> 0.7', :require => false
+  gem 'yard-spellcheck', require: false
 end

data/README.md

@@ -13,7 +13,7 @@ Patch-level verification for [bundler].
 ## Features
 
 * Checks for vulnerable versions of gems in `Gemfile.lock`.
-* Checks for insecure gem sources (`http://`).
+* Checks for insecure gem sources (`http://` and `git://`).
 * Allows ignoring certain advisories that have been manually worked around.
 * Prints advisory information.
 * Does not require a network connection.
@@ -131,13 +131,14 @@ Output the audit's results in JSON, to a file:
 
     $ bundle-audit check --format json --output bundle-audit.json
 
-Rake task:
+## Rake Tasks
 
-```ruby
-require 'bundler/audit/task'
-Bundler::Audit::Task.new
+Bundler-audit provides Rake tasks for checking the code and for updating
+its vulnerability database:
 
-task default: 'bundle:audit'
+```bash
+rake bundle:audit
+rake bundle:audit:update
 ```
 
 ## Configuration File
@@ -153,6 +154,10 @@ bundler-audit also supports a per-project configuration file:
 
 * `ignore:` \[Array\<String\>\] - A list of advisory IDs to ignore.
 
+You can provide a path to a config file using the `--config` flag:
+
+    $ bundle-audit check --config bundler-audit.custom.yaml
+
 ## Requirements
 
 * [git]
@@ -188,7 +193,7 @@ bundler-audit also supports a per-project configuration file:
 1. https://github.com/rubysec/bundler-audit/fork
 2. `git clone YOUR_FORK_URI`
 3. `cd bundler-audit/`
-4. `budle install`
+4. `bundle install`
 5. `bundle exec rake spec`
 6. `git checkout -b YOUR_FEATURE`
 7. Make your changes
@@ -211,14 +216,13 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 
 [git]: https://git-scm.com
 [ruby]: https://ruby-lang.org
 [rubygems]: https://rubygems.org
 [thor]: http://whatisthor.com/
-[bundler]: https://github.com/carlhuda/bundler#readme
-[git]: https://github.com/git/git
+[bundler]: https://bundler.io
 
 [OSVDB]: http://osvdb.org/
 [ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db

data/Rakefile

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 require 'rubygems'
 
 begin
@@ -36,5 +34,11 @@ task :test    => :spec
 task :default => :spec
 
 require 'yard'
-YARD::Rake::YardocTask.new  
+YARD::Rake::YardocTask.new
 task :doc => :yard
+
+require 'bundler/audit/task'
+Bundler::Audit::Task.new
+
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new

data/bundler-audit.gemspec

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 require 'yaml'
 
 Gem::Specification.new do |gem|
@@ -23,8 +21,9 @@ Gem::Specification.new do |gem|
 
   glob = lambda { |patterns| gem.files & Dir[*patterns] }
 
-  gem.files = `git ls-files`.split($/)
-  gem.files = glob[gemspec['files']] if gemspec['files']
+  gem.files = if gemspec['files'] then glob[gemspec['files']]
+              else                     `git ls-files`.split($/)
+              end
 
   gem.executables = gemspec.fetch('executables') do
     glob['bin/*'].map { |path| File.basename(path) }

data/lib/bundler/audit/advisory.rb

@@ -12,13 +12,16 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'yaml'
 
 module Bundler
   module Audit
+    #
+    # Represents an advisory loaded from the {Database}.
+    #
     class Advisory < Struct.new(:path,
                                 :id,
                                 :url,
@@ -45,7 +48,9 @@ module Bundler
       #
       def self.load(path)
         id   = File.basename(path).chomp('.yml')
-        data = YAML.load_file(path)
+        data = File.open(path) do |yaml|
+                 YAML.safe_load(yaml, permitted_classes: [Date])
+               end
 
         unless data.kind_of?(Hash)
           raise("advisory data in #{path.dump} was not a Hash")
@@ -200,6 +205,17 @@ module Bundler
         id == other.id
       end
 
+      #
+      # Converts the advisory to a Hash.
+      #
+      # @return [Hash{Symbol => Object}]
+      #
+      def to_h
+        super.merge({
+          criticality: criticality
+        })
+      end
+
       alias to_s id
 
     end

data/lib/bundler/audit/cli/formats/json.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'thor'
@@ -22,6 +22,9 @@ module Bundler
   module Audit
     class CLI < ::Thor
       module Formats
+        #
+        # The JSON output format.
+        #
         module JSON
           #
           # Outputs the report as JSON. Will pretty-print JSON if `output`
@@ -37,11 +40,22 @@ module Bundler
             hash = report.to_h
 
             if output.tty?
-              output.puts ::JSON.pretty_generate(hash)
+              output.puts(::JSON.pretty_generate(hash))
             else
               output.write(::JSON.generate(hash))
             end
           end
+
+          def criticality_label(advisory)
+            case advisory.criticality
+            when :none     then "none"
+            when :low      then "low"
+            when :medium   then "medium"
+            when :high     then "high"
+            when :critical then "critical"
+            else "unknown"
+            end
+          end
         end
 
         Formats.register :json, JSON

data/lib/bundler/audit/cli/formats/junit.rb

@@ -0,0 +1,127 @@
+#
+# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'thor'
+require 'cgi'
+
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        module Junit
+          #
+          # Prints any findings as an XML junit report.
+          #
+          # @param [Report] report
+          #   The results from the {Scanner}.
+          #
+          # @param [IO, File] output
+          #   Optional output stream.
+          #
+          def print_report(report, output=$stdout)
+            original_stdout = $stdout
+            $stdout = output
+
+            print_xml_testsuite(report) do
+              report.each do |result|
+                print_xml_testcase(result)
+              end
+            end
+
+            $stdout = original_stdout
+          end
+
+          private
+
+          def say_xml(*lines)
+            say(lines.join($/))
+          end
+
+          def print_xml_testsuite(report)
+            say_xml(
+              %{<?xml version="1.0" encoding="UTF-8" ?>},
+              %{<testsuites id="#{Time.now.to_i}" name="Bundle Audit">},
+              %{  <testsuite id="Gemfile" name="Ruby Gemfile" failures="#{report.count}">}
+            )
+
+            yield
+
+            say_xml(
+              %{  </testsuite>},
+              %{</testsuites>}
+            )
+          end
+
+          def xml(string)
+            CGI.escapeHTML(string.to_s)
+          end
+
+          def print_xml_testcase(result)
+            case result
+            when Results::InsecureSource
+              say_xml(
+                %{    <testcase id="#{xml(result.source)}" name="Insecure Source URI found: #{xml(result.source)}">},
+                %{      <failure message="Insecure Source URI found: #{xml(result.source)}" type="Unknown"></failure>},
+                %{    </testcase>}
+              )
+            when Results::UnpatchedGem
+              say_xml(
+                %{    <testcase id="#{xml(result.gem.name)}" name="#{xml(bundle_title(result))}">},
+                %{      <failure message="#{xml(result.advisory.title)}" type="#{xml(result.advisory.criticality)}">},
+                %{        Name: #{xml(result.gem.name)}},
+                %{        Version: #{xml(result.gem.version)}},
+                %{        Advisory: #{xml(advisory_ref(result.advisory))}},
+                %{        Criticality: #{xml(advisory_criticality(result.advisory))}},
+                %{        URL: #{xml(result.advisory.url)}},
+                %{        Title: #{xml(result.advisory.title)}},
+                %{        Solution: #{xml(advisory_solution(result.advisory))}},
+                %{      </failure>},
+                %{    </testcase>}
+              )
+            end
+          end
+
+          def bundle_title(result)
+            "#{advisory_criticality(result.advisory).upcase} #{result.gem.name}(#{result.gem.version}) #{result.advisory.title}"
+          end
+
+          def advisory_solution(advisory)
+            unless advisory.patched_versions.empty?
+              "upgrade to #{advisory.patched_versions.join(', ')}"
+            else
+              "remove or disable this gem until a patch is available!"
+            end
+          end
+
+          def advisory_criticality(advisory)
+            if advisory.criticality
+              advisory.criticality.to_s.capitalize
+            else
+              "Unknown"
+            end
+          end
+
+          def advisory_ref(advisory)
+            advisory.identifiers.join(" ")
+          end
+
+          Formats.register :junit, Junit
+        end
+      end
+    end
+  end
+end