bundler-audit 0.8.0 → 0.9.0

data/lib/bundler/audit/cli/formats/text.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'thor'
@@ -21,6 +21,9 @@ module Bundler
   module Audit
     class CLI < ::Thor
       module Formats
+        #
+        # The plain-text output format.
+        #
         module Text
           #
           # Prints any findings as plain-text.
@@ -78,10 +81,12 @@ module Bundler
 
             say "Criticality: ", :red
             case advisory.criticality
-            when :low    then say "Low"
-            when :medium then say "Medium", :yellow
-            when :high   then say "High", [:red, :bold]
-            else              say "Unknown"
+            when :none     then say "None"
+            when :low      then say "Low"
+            when :medium   then say "Medium", :yellow
+            when :high     then say "High", [:red, :bold]
+            when :critical then say "Critical", [:red, :bold]
+            else                say "Unknown"
             end
 
             say "URL: ", :red
@@ -91,7 +96,7 @@ module Bundler
               say "Description:", :red
               say
 
-              print_wrapped advisory.description, :indent => 2
+              print_wrapped advisory.description, indent: 2
               say
             else
               say "Title: ", :red
@@ -108,7 +113,6 @@ module Bundler
 
             say
           end
-
         end
 
         Formats.register :text, Text

data/lib/bundler/audit/cli/formats.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'thor'
@@ -126,15 +126,19 @@ module Bundler
         #
         def self.load(name)
           name = name.to_s
+          path = File.join(DIR,File.basename(name))
 
           begin
-            require File.join(DIR,File.basename(name))
+            require path
           rescue LoadError
             raise(FormatNotFound,"could not load format #{name.inspect}")
           end
 
-          return self[name] || \
+          unless (format = self[name])
             raise(FormatNotFound,"unknown format #{name.inspect}")
+          end
+
+          return  format
         end
       end
     end

data/lib/bundler/audit/cli.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/scanner'
@@ -25,21 +25,26 @@ require 'bundler'
 
 module Bundler
   module Audit
+    #
+    # The `bundle-audit` command.
+    #
     class CLI < ::Thor
 
       default_task :check
       map '--version' => :version
 
       desc 'check [DIR]', 'Checks the Gemfile.lock for insecure dependencies'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
-      method_option :verbose, :type => :boolean, :aliases => '-v'
-      method_option :ignore, :type => :array, :aliases => '-i'
-      method_option :update, :type => :boolean, :aliases => '-u'
-      method_option :database, :type => :string, :aliases => '-D', :default => Database::USER_PATH
-      method_option :format, :type => :string, :default => 'text',
-                             :aliases => '-F'
-      method_option :gemfile_lock, :type => :string, :aliases => '-G', :default => 'Gemfile.lock'
-      method_option :output, :type => :string, :aliases => '-o'
+      method_option :quiet, type: :boolean, aliases: '-q'
+      method_option :verbose, type: :boolean, aliases: '-v'
+      method_option :ignore, type: :array, aliases: '-i'
+      method_option :update, type: :boolean, aliases: '-u'
+      method_option :database, type: :string, aliases: '-D',
+                               default: Database::USER_PATH
+      method_option :format, type: :string, default: 'text', aliases: '-F'
+      method_option :config, type: :string, aliases: '-c', default: '.bundler-audit.yml'
+      method_option :gemfile_lock, type: :string, aliases: '-G',
+                                   default: 'Gemfile.lock'
+      method_option :output, type: :string, aliases: '-o'
 
       def check(dir=Dir.pwd)
         unless File.directory?(dir)
@@ -62,12 +67,13 @@ module Bundler
 
         database = Database.new(options[:database])
         scanner  = begin
-                     Scanner.new(dir,options[:gemfile_lock],database)
+                     Scanner.new(dir,options[:gemfile_lock],database, options[:config])
                    rescue Bundler::GemfileLockNotFound => exception
                      say exception.message, :red
                      exit 1
                    end
-        report   = scanner.report(:ignore => options.ignore)
+
+        report = scanner.report(ignore: options.ignore)
 
         output = if options[:output] then File.new(options[:output],'w')
                  else                     $stdout
@@ -81,7 +87,7 @@ module Bundler
       end
 
       desc 'stats', 'Prints ruby-advisory-db stats'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
       def stats(path=Database.path)
         database = Database.new(path)
@@ -89,10 +95,14 @@ module Bundler
         puts "ruby-advisory-db:"
         puts "  advisories:\t#{database.size} advisories"
         puts "  last updated:\t#{database.last_updated_at}"
+
+        if (commit_id = database.commit_id)
+          puts "  commit:\t#{commit_id}"
+        end
       end
 
       desc 'download', 'Downloads ruby-advisory-db'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
       def download(path=Database.path)
         if Database.exists?(path)
@@ -113,7 +123,7 @@ module Bundler
       end
 
       desc 'update', 'Updates the ruby-advisory-db'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
       def update(path=Database.path)
         unless Database.exists?(path)
@@ -150,6 +160,13 @@ module Bundler
 
       protected
 
+      #
+      # @note Silence deprecation warnings from Thor.
+      #
+      def self.exit_on_failure?
+        true
+      end
+
       #
       # @abstract
       #

data/lib/bundler/audit/configuration.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'yaml'
@@ -26,14 +26,17 @@ module Bundler
     # @since 0.8.0
     #
     class Configuration
-      class InvalidConfigurationError < StandardError; end
-      class FileNotFound < StandardError; end
+      class InvalidConfigurationError < StandardError
+      end
+
+      class FileNotFound < StandardError
+      end
 
       #
       # A constructor method for loading configuration from a YAML file.
       #
       # @param [String] file_path
-      #   Path to the yaml file holding the configuration.
+      #   Path to the YAML file holding the configuration.
       #
       # @raise [FileNotFound]
       #   Will raise a file not found error when the path to the

data/lib/bundler/audit/database.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/advisory'
@@ -82,7 +82,7 @@ module Bundler
       #   The given path of the database to check.
       #
       # @return [Boolean]
-      # 
+      #
       # @since 0.8.0
       #
       def self.exists?(path=DEFAULT_PATH)
@@ -119,7 +119,7 @@ module Bundler
 
         path = options.fetch(:path,DEFAULT_PATH)
 
-        command = %w(git clone)
+        command = %w[git clone]
         command << '--quiet' if options[:quiet]
         command << URL << path
 
@@ -199,7 +199,7 @@ module Bundler
       def update!(options={})
         if git?
           Dir.chdir(@path) do
-            command = %w(git pull)
+            command = %w[git pull]
             command << '--quiet' if options[:quiet]
             command << 'origin' << 'master'
 
@@ -212,6 +212,22 @@ module Bundler
         end
       end
 
+      #
+      # The last commit ID of the repository.
+      #
+      # @return [String, nil]
+      #   The commit hash or `nil` if the database is not a git repository.
+      #
+      # @since 0.9.0
+      #
+      def commit_id
+        if git?
+          Dir.chdir(@path) do
+            `git rev-parse HEAD`.chomp
+          end
+        end
+      end
+
       #
       # Determines the time when the database was last updated.
       #

data/lib/bundler/audit/results/insecure_source.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/result'
@@ -20,6 +20,9 @@ require 'bundler/audit/results/result'
 module Bundler
   module Audit
     module Results
+      #
+      # Represents an insecure gem source (ex: `git://...` or `http://...`).
+      #
       class InsecureSource < Result
 
         # The insecure `git://` or `http://` URI.

data/lib/bundler/audit/results/unpatched_gem.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/result'
@@ -22,6 +22,10 @@ require 'uri'
 module Bundler
   module Audit
     module Results
+      #
+      # Represents a gem version that has known vulnerabilities and needs to be
+      # upgraded.
+      #
       class UnpatchedGem < Result
 
         # The specification of the vulnerable gem.
@@ -73,7 +77,7 @@ module Bundler
         end
 
         #
-        # Converts the unpached gem to a Hash.
+        # Converts the unpatched gem to a Hash.
         #
         # @return [Hash{Symbol => Object}]
         #

data/lib/bundler/audit/results.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/insecure_source'

data/lib/bundler/audit/scanner.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler'
@@ -31,6 +31,9 @@ require 'yaml'
 
 module Bundler
   module Audit
+    #
+    # Scans a `Gemfile.lock` for security issues.
+    #
     class Scanner
 
       # The advisory database
@@ -63,6 +66,9 @@ module Bundler
       # @param [Database] database
       #   The database to scan against.
       #
+      # @param [String] config_dot_file
+      #   The file name of the bundler-audit config file.
+      #
       # @raise [Bundler::GemfileLockNotFound]
       #   The `gemfile_lock` file could not be found within the `root`
       #   directory.
@@ -79,7 +85,7 @@ module Bundler
 
         @lockfile = LockfileParser.new(File.read(gemfile_lock_path))
 
-        config_dot_file_full_path = File.join(@root,config_dot_file)
+        config_dot_file_full_path = File.absolute_path(config_dot_file, @root)
 
         @config = if File.exist?(config_dot_file_full_path)
                     Configuration.load(config_dot_file_full_path)

data/lib/bundler/audit/task.rb

@@ -2,6 +2,9 @@ require 'rake/tasklib'
 
 module Bundler
   module Audit
+    #
+    # Defines the `bundle:audit` rake tasks.
+    #
     class Task < Rake::TaskLib
       #
       # Initializes the task.
@@ -13,16 +16,28 @@ module Bundler
       protected
 
       #
-      # Defines the `bundle:audit` task.
+      # Defines the `bundle:audit` and `bundle:audit:update` task.
       #
       def define
         namespace :bundle do
-          desc 'Checks the Gemfile.lock for insecure dependencies'
-          task :audit do
-            require 'bundler/audit/cli'
-            Bundler::Audit::CLI.start %w[check]
+          namespace :audit do
+            desc 'Checks the Gemfile.lock for insecure dependencies'
+            task :check do
+              system 'bundler-audit', 'check'
+            end
+
+            desc 'Updates the bundler-audit vulnerability database'
+            task :update do
+              system 'bundler-audit', 'update'
+            end
           end
+
+          task :audit => 'audit:check'
         end
+
+        task 'bundler:audit'        => 'bundle:audit'
+        task 'bundler:audit:check'  => 'bundle:audit:check'
+        task 'bundler:audit:update' => 'bundle:audit:update'
       end
     end
   end

data/lib/bundler/audit/version.rb

@@ -12,12 +12,12 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.8.0'
+    VERSION = '0.9.0'
   end
 end

data/lib/bundler/audit.rb

@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/database'

data/spec/advisory_spec.rb

@@ -83,7 +83,7 @@ describe Bundler::Audit::Advisory do
     end
 
     context "YAML data not representing a hash" do
-      let(:path ) do
+      let(:path) do
         File.expand_path('../fixtures/advisory/not_a_hash.yml', __FILE__)
       end
 
@@ -353,4 +353,12 @@ describe Bundler::Audit::Advisory do
       end
     end
   end
+
+  describe "#to_h" do
+    subject { super().to_h }
+
+    it "must include criticality: :critical" do
+      expect(subject[:criticality]).to be :critical
+    end
+  end
 end