bundler-audit 0.8.0 → 0.9.1

data/lib/bundler/audit/cli/formats/junit.rb

@@ -0,0 +1,127 @@
+#
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'thor'
+require 'cgi'
+
+module Bundler
+  module Audit
+    class CLI < ::Thor
+      module Formats
+        module Junit
+          #
+          # Prints any findings as an XML junit report.
+          #
+          # @param [Report] report
+          #   The results from the {Scanner}.
+          #
+          # @param [IO, File] output
+          #   Optional output stream.
+          #
+          def print_report(report, output=$stdout)
+            original_stdout = $stdout
+            $stdout = output
+
+            print_xml_testsuite(report) do
+              report.each do |result|
+                print_xml_testcase(result)
+              end
+            end
+
+            $stdout = original_stdout
+          end
+
+          private
+
+          def say_xml(*lines)
+            say(lines.join($/))
+          end
+
+          def print_xml_testsuite(report)
+            say_xml(
+              %{<?xml version="1.0" encoding="UTF-8" ?>},
+              %{<testsuites id="#{Time.now.to_i}" name="Bundle Audit">},
+              %{  <testsuite id="Gemfile" name="Ruby Gemfile" failures="#{report.count}">}
+            )
+
+            yield
+
+            say_xml(
+              %{  </testsuite>},
+              %{</testsuites>}
+            )
+          end
+
+          def xml(string)
+            CGI.escapeHTML(string.to_s)
+          end
+
+          def print_xml_testcase(result)
+            case result
+            when Results::InsecureSource
+              say_xml(
+                %{    <testcase id="#{xml(result.source)}" name="Insecure Source URI found: #{xml(result.source)}">},
+                %{      <failure message="Insecure Source URI found: #{xml(result.source)}" type="Unknown"></failure>},
+                %{    </testcase>}
+              )
+            when Results::UnpatchedGem
+              say_xml(
+                %{    <testcase id="#{xml(result.gem.name)}" name="#{xml(bundle_title(result))}">},
+                %{      <failure message="#{xml(result.advisory.title)}" type="#{xml(result.advisory.criticality)}">},
+                %{        Name: #{xml(result.gem.name)}},
+                %{        Version: #{xml(result.gem.version)}},
+                %{        Advisory: #{xml(advisory_ref(result.advisory))}},
+                %{        Criticality: #{xml(advisory_criticality(result.advisory))}},
+                %{        URL: #{xml(result.advisory.url)}},
+                %{        Title: #{xml(result.advisory.title)}},
+                %{        Solution: #{xml(advisory_solution(result.advisory))}},
+                %{      </failure>},
+                %{    </testcase>}
+              )
+            end
+          end
+
+          def bundle_title(result)
+            "#{advisory_criticality(result.advisory).upcase} #{result.gem.name}(#{result.gem.version}) #{result.advisory.title}"
+          end
+
+          def advisory_solution(advisory)
+            unless advisory.patched_versions.empty?
+              "upgrade to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}"
+            else
+              "remove or disable this gem until a patch is available!"
+            end
+          end
+
+          def advisory_criticality(advisory)
+            if advisory.criticality
+              advisory.criticality.to_s.capitalize
+            else
+              "Unknown"
+            end
+          end
+
+          def advisory_ref(advisory)
+            advisory.identifiers.join(" ")
+          end
+
+          Formats.register :junit, Junit
+        end
+      end
+    end
+  end
+end

data/lib/bundler/audit/cli/formats/text.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'thor'
@@ -21,6 +21,9 @@ module Bundler
   module Audit
     class CLI < ::Thor
       module Formats
+        #
+        # The plain-text output format.
+        #
         module Text
           #
           # Prints any findings as plain-text.
@@ -78,10 +81,12 @@ module Bundler
 
             say "Criticality: ", :red
             case advisory.criticality
-            when :low    then say "Low"
-            when :medium then say "Medium", :yellow
-            when :high   then say "High", [:red, :bold]
-            else              say "Unknown"
+            when :none     then say "None"
+            when :low      then say "Low"
+            when :medium   then say "Medium", :yellow
+            when :high     then say "High", [:red, :bold]
+            when :critical then say "Critical", [:red, :bold]
+            else                say "Unknown"
             end
 
             say "URL: ", :red
@@ -91,7 +96,7 @@ module Bundler
               say "Description:", :red
               say
 
-              print_wrapped advisory.description, :indent => 2
+              print_wrapped advisory.description, indent: 2
               say
             else
               say "Title: ", :red
@@ -100,7 +105,7 @@ module Bundler
 
             unless advisory.patched_versions.empty?
               say "Solution: upgrade to ", :red
-              say advisory.patched_versions.join(', ')
+              say advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')
             else
               say "Solution: ", :red
               say "remove or disable this gem until a patch is available!", [:red, :bold]
@@ -108,7 +113,6 @@ module Bundler
 
             say
           end
-
         end
 
         Formats.register :text, Text

data/lib/bundler/audit/cli/formats.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'thor'
@@ -126,15 +126,19 @@ module Bundler
         #
         def self.load(name)
           name = name.to_s
+          path = File.join(DIR,File.basename(name))
 
           begin
-            require File.join(DIR,File.basename(name))
+            require path
           rescue LoadError
             raise(FormatNotFound,"could not load format #{name.inspect}")
           end
 
-          return self[name] || \
+          unless (format = self[name])
             raise(FormatNotFound,"unknown format #{name.inspect}")
+          end
+
+          return  format
         end
       end
     end

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/scanner'
@@ -25,21 +25,26 @@ require 'bundler'
 
 module Bundler
   module Audit
+    #
+    # The `bundle-audit` command.
+    #
     class CLI < ::Thor
 
       default_task :check
       map '--version' => :version
 
       desc 'check [DIR]', 'Checks the Gemfile.lock for insecure dependencies'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
-      method_option :verbose, :type => :boolean, :aliases => '-v'
-      method_option :ignore, :type => :array, :aliases => '-i'
-      method_option :update, :type => :boolean, :aliases => '-u'
-      method_option :database, :type => :string, :aliases => '-D', :default => Database::USER_PATH
-      method_option :format, :type => :string, :default => 'text',
-                             :aliases => '-F'
-      method_option :gemfile_lock, :type => :string, :aliases => '-G', :default => 'Gemfile.lock'
-      method_option :output, :type => :string, :aliases => '-o'
+      method_option :quiet, type: :boolean, aliases: '-q'
+      method_option :verbose, type: :boolean, aliases: '-v'
+      method_option :ignore, type: :array, aliases: '-i'
+      method_option :update, type: :boolean, aliases: '-u'
+      method_option :database, type: :string, aliases: '-D',
+                               default: Database::USER_PATH
+      method_option :format, type: :string, default: 'text', aliases: '-F'
+      method_option :config, type: :string, aliases: '-c', default: '.bundler-audit.yml'
+      method_option :gemfile_lock, type: :string, aliases: '-G',
+                                   default: 'Gemfile.lock'
+      method_option :output, type: :string, aliases: '-o'
 
       def check(dir=Dir.pwd)
         unless File.directory?(dir)
@@ -62,15 +67,18 @@ module Bundler
 
         database = Database.new(options[:database])
         scanner  = begin
-                     Scanner.new(dir,options[:gemfile_lock],database)
+                     Scanner.new(dir,options[:gemfile_lock],database, options[:config])
                    rescue Bundler::GemfileLockNotFound => exception
                      say exception.message, :red
                      exit 1
                    end
-        report   = scanner.report(:ignore => options.ignore)
 
-        output = if options[:output] then File.new(options[:output],'w')
-                 else                     $stdout
+        report = scanner.report(ignore: options.ignore)
+
+        output = if options[:output]
+                   File.new(options[:output],'w')
+                 else
+                   $stdout
                  end
 
         print_report(report,output)
@@ -81,7 +89,7 @@ module Bundler
       end
 
       desc 'stats', 'Prints ruby-advisory-db stats'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
       def stats(path=Database.path)
         database = Database.new(path)
@@ -89,10 +97,14 @@ module Bundler
         puts "ruby-advisory-db:"
         puts "  advisories:\t#{database.size} advisories"
         puts "  last updated:\t#{database.last_updated_at}"
+
+        if (commit_id = database.commit_id)
+          puts "  commit:\t#{commit_id}"
+        end
       end
 
       desc 'download', 'Downloads ruby-advisory-db'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
       def download(path=Database.path)
         if Database.exists?(path)
@@ -113,7 +125,7 @@ module Bundler
       end
 
       desc 'update', 'Updates the ruby-advisory-db'
-      method_option :quiet, :type => :boolean, :aliases => '-q'
+      method_option :quiet, type: :boolean, aliases: '-q'
 
       def update(path=Database.path)
         unless Database.exists?(path)
@@ -150,6 +162,13 @@ module Bundler
 
       protected
 
+      #
+      # @note Silence deprecation warnings from Thor.
+      #
+      def self.exit_on_failure?
+        true
+      end
+
       #
       # @abstract
       #

data/lib/bundler/audit/configuration.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'yaml'
@@ -26,14 +26,17 @@ module Bundler
     # @since 0.8.0
     #
     class Configuration
-      class InvalidConfigurationError < StandardError; end
-      class FileNotFound < StandardError; end
+      class InvalidConfigurationError < StandardError
+      end
+
+      class FileNotFound < StandardError
+      end
 
       #
       # A constructor method for loading configuration from a YAML file.
       #
       # @param [String] file_path
-      #   Path to the yaml file holding the configuration.
+      #   Path to the YAML file holding the configuration.
       #
       # @raise [FileNotFound]
       #   Will raise a file not found error when the path to the

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/advisory'
@@ -34,18 +34,20 @@ module Bundler
       class UpdateFailed < RuntimeError
       end
 
-      # Git URL of the ruby-advisory-db
+      # Git URL of the ruby-advisory-db.
       URL = 'https://github.com/rubysec/ruby-advisory-db.git'
 
-      # Path to the user's copy of the ruby-advisory-db
+      # Path to the user's copy of the ruby-advisory-db.
       USER_PATH = File.expand_path(File.join(Gem.user_home,'.local','share','ruby-advisory-db'))
 
-      # Default path to the ruby-advisory-db
+      # Default path to the ruby-advisory-db.
       #
       # @since 0.8.0
-      DEFAULT_PATH = ENV['BUNDLER_AUDIT_DB'] || USER_PATH
+      DEFAULT_PATH = ENV.fetch('BUNDLER_AUDIT_DB',USER_PATH)
 
-      # The path to the advisory database
+      # The path to the advisory database.
+      #
+      # @return [String]
       attr_reader :path
 
       #
@@ -82,7 +84,7 @@ module Bundler
       #   The given path of the database to check.
       #
       # @return [Boolean]
-      # 
+      #
       # @since 0.8.0
       #
       def self.exists?(path=DEFAULT_PATH)
@@ -119,7 +121,7 @@ module Bundler
 
         path = options.fetch(:path,DEFAULT_PATH)
 
-        command = %w(git clone)
+        command = %w[git clone]
         command << '--quiet' if options[:quiet]
         command << URL << path
 
@@ -199,7 +201,7 @@ module Bundler
       def update!(options={})
         if git?
           Dir.chdir(@path) do
-            command = %w(git pull)
+            command = %w[git pull]
             command << '--quiet' if options[:quiet]
             command << 'origin' << 'master'
 
@@ -212,6 +214,22 @@ module Bundler
         end
       end
 
+      #
+      # The last commit ID of the repository.
+      #
+      # @return [String, nil]
+      #   The commit hash or `nil` if the database is not a git repository.
+      #
+      # @since 0.9.0
+      #
+      def commit_id
+        if git?
+          Dir.chdir(@path) do
+            `git rev-parse HEAD`.chomp
+          end
+        end
+      end
+
       #
       # Determines the time when the database was last updated.
       #

data/lib/bundler/audit/results/insecure_source.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/result'
@@ -20,6 +20,9 @@ require 'bundler/audit/results/result'
 module Bundler
   module Audit
     module Results
+      #
+      # Represents an insecure gem source (ex: `git://...` or `http://...`).
+      #
       class InsecureSource < Result
 
         # The insecure `git://` or `http://` URI.

data/lib/bundler/audit/results/unpatched_gem.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/result'
@@ -22,6 +22,10 @@ require 'uri'
 module Bundler
   module Audit
     module Results
+      #
+      # Represents a gem version that has known vulnerabilities and needs to be
+      # upgraded.
+      #
       class UnpatchedGem < Result
 
         # The specification of the vulnerable gem.
@@ -73,7 +77,7 @@ module Bundler
         end
 
         #
-        # Converts the unpached gem to a Hash.
+        # Converts the unpatched gem to a Hash.
         #
         # @return [Hash{Symbol => Object}]
         #

data/lib/bundler/audit/results.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/results/insecure_source'

data/lib/bundler/audit/scanner.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler'
@@ -31,9 +31,12 @@ require 'yaml'
 
 module Bundler
   module Audit
+    #
+    # Scans a `Gemfile.lock` for security issues.
+    #
     class Scanner
 
-      # The advisory database
+      # The advisory database.
       #
       # @return [Database]
       attr_reader :database
@@ -41,12 +44,13 @@ module Bundler
       # Project root directory
       attr_reader :root
 
-      # The parsed `Gemfile.lock` from the project
+      # The parsed `Gemfile.lock` from the project.
       #
       # @return [Bundler::LockfileParser]
       attr_reader :lockfile
 
-      # The configuration loaded from the `.bundler-audit.yml` file from the project
+      # The configuration loaded from the `.bundler-audit.yml` file from the
+      # project.
       #
       # @return [Hash]
       attr_reader :config
@@ -63,6 +67,9 @@ module Bundler
       # @param [Database] database
       #   The database to scan against.
       #
+      # @param [String] config_dot_file
+      #   The file name of the bundler-audit config file.
+      #
       # @raise [Bundler::GemfileLockNotFound]
       #   The `gemfile_lock` file could not be found within the `root`
       #   directory.
@@ -79,7 +86,7 @@ module Bundler
 
         @lockfile = LockfileParser.new(File.read(gemfile_lock_path))
 
-        config_dot_file_full_path = File.join(@root,config_dot_file)
+        config_dot_file_full_path = File.absolute_path(config_dot_file, @root)
 
         @config = if File.exist?(config_dot_file_full_path)
                     Configuration.load(config_dot_file_full_path)
@@ -211,8 +218,10 @@ module Bundler
       def scan_specs(options={})
         return enum_for(__method__,options) unless block_given?
 
-        ignore = if options[:ignore] then Set.new(options[:ignore])
-                 else                     config.ignore
+        ignore = if options[:ignore]
+                   Set.new(options[:ignore])
+                 else
+                   config.ignore
                  end
 
         @lockfile.specs.each do |gem|