bundler-audit 0.8.0 → 0.9.1

data/lib/bundler/audit/task.rb

@@ -2,7 +2,13 @@ require 'rake/tasklib'
 
 module Bundler
   module Audit
+    #
+    # Defines the `bundle:audit` rake tasks.
+    #
     class Task < Rake::TaskLib
+      class CommandNotFound < RuntimeError
+      end
+
       #
       # Initializes the task.
       #
@@ -13,15 +19,54 @@ module Bundler
       protected
 
       #
-      # Defines the `bundle:audit` task.
+      # Defines the `bundle:audit` and `bundle:audit:update` task.
       #
       def define
         namespace :bundle do
-          desc 'Checks the Gemfile.lock for insecure dependencies'
-          task :audit do
-            require 'bundler/audit/cli'
-            Bundler::Audit::CLI.start %w[check]
+          namespace :audit do
+            desc 'Checks the Gemfile.lock for insecure dependencies'
+            task :check do
+              bundler_audit 'check'
+            end
+
+            desc 'Updates the bundler-audit vulnerability database'
+            task :update do
+              bundler_audit 'update'
+            end
           end
+
+          task :audit => 'audit:check'
+        end
+
+        task 'bundler:audit'        => 'bundle:audit'
+        task 'bundler:audit:check'  => 'bundle:audit:check'
+        task 'bundler:audit:update' => 'bundle:audit:update'
+      end
+
+      #
+      # Runs the `bundler-audit` command with the additional arguments.
+      #
+      # @param [Array<String>] arguments
+      #   Additional command-line arguments for `bundler-audit`.
+      #
+      # @return [true]
+      #   The `bundler-audit` command successfully exited.
+      #
+      # @raise [CommandNotFound]
+      #   The `bundler-audit` command could not be executed or was not found.
+      #
+      # @note
+      #   If the `bundler-audit` command exits with an error, the rake task
+      #   will also exit with the same error code.
+      #
+      def bundler_audit(*arguments)
+        case system('bundler-audit',*arguments)
+        when false
+          exit $?.exitstatus || 1
+        when nil
+          raise(CommandNotFound,"bundler-audit could not be executed")
+        else
+          return true
         end
       end
     end

data/lib/bundler/audit/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,12 +12,12 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.8.0'
+    VERSION = '0.9.1'
   end
 end

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -12,7 +12,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+# along with bundler-audit.  If not, see <https://www.gnu.org/licenses/>.
 #
 
 require 'bundler/audit/database'

data/spec/advisory_spec.rb

@@ -45,7 +45,16 @@ describe Bundler::Audit::Advisory do
   end
 
   describe "load" do
-    let(:data) { YAML.load_file(path) }
+    let(:data) do
+      File.open(path) do |yaml|
+        if Psych::VERSION >= '3.1.0'
+          YAML.safe_load(yaml, permitted_classes: [Date])
+        else
+          # XXX: psych < 3.1.0 YAML.safe_load calling convention
+          YAML.safe_load(yaml, [Date])
+        end
+      end
+    end
 
     describe '#id' do
       subject { super().id }
@@ -83,7 +92,7 @@ describe Bundler::Audit::Advisory do
     end
 
     context "YAML data not representing a hash" do
-      let(:path ) do
+      let(:path) do
         File.expand_path('../fixtures/advisory/not_a_hash.yml', __FILE__)
       end
 
@@ -353,4 +362,12 @@ describe Bundler::Audit::Advisory do
       end
     end
   end
+
+  describe "#to_h" do
+    subject { super().to_h }
+
+    it "must include criticality: :critical" do
+      expect(subject[:criticality]).to be :critical
+    end
+  end
 end

data/spec/bundle/insecure_sources/Gemfile.lock

@@ -10,122 +10,120 @@ GIT
 GEM
   remote: http://rubygems.org/
   specs:
-    actioncable (6.1.0)
-      actionpack (= 6.1.0)
-      activesupport (= 6.1.0)
+    actioncable (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.1.0)
-      actionpack (= 6.1.0)
-      activejob (= 6.1.0)
-      activerecord (= 6.1.0)
-      activestorage (= 6.1.0)
-      activesupport (= 6.1.0)
+    actionmailbox (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       mail (>= 2.7.1)
-    actionmailer (6.1.0)
-      actionpack (= 6.1.0)
-      actionview (= 6.1.0)
-      activejob (= 6.1.0)
-      activesupport (= 6.1.0)
+    actionmailer (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      actionview (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.0)
-      actionview (= 6.1.0)
-      activesupport (= 6.1.0)
+    actionpack (6.1.3.2)
+      actionview (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.1.0)
-      actionpack (= 6.1.0)
-      activerecord (= 6.1.0)
-      activestorage (= 6.1.0)
-      activesupport (= 6.1.0)
+    actiontext (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       nokogiri (>= 1.8.5)
-    actionview (6.1.0)
-      activesupport (= 6.1.0)
+    actionview (6.1.3.2)
+      activesupport (= 6.1.3.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.1.0)
-      activesupport (= 6.1.0)
+    activejob (6.1.3.2)
+      activesupport (= 6.1.3.2)
       globalid (>= 0.3.6)
-    activemodel (6.1.0)
-      activesupport (= 6.1.0)
-    activerecord (6.1.0)
-      activemodel (= 6.1.0)
-      activesupport (= 6.1.0)
-    activestorage (6.1.0)
-      actionpack (= 6.1.0)
-      activejob (= 6.1.0)
-      activerecord (= 6.1.0)
-      activesupport (= 6.1.0)
-      marcel (~> 0.3.1)
-      mimemagic (~> 0.3.2)
-    activesupport (6.1.0)
+    activemodel (6.1.3.2)
+      activesupport (= 6.1.3.2)
+    activerecord (6.1.3.2)
+      activemodel (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+    activestorage (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
+      marcel (~> 1.0.0)
+      mini_mime (~> 1.0.2)
+    activesupport (6.1.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
       zeitwerk (~> 2.3)
     builder (3.2.4)
-    concurrent-ruby (1.1.7)
+    concurrent-ruby (1.1.8)
     crass (1.0.6)
     erubi (1.10.0)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.8.5)
+    i18n (1.8.10)
       concurrent-ruby (~> 1.0)
-    loofah (2.8.0)
+    loofah (2.9.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
-      mimemagic (~> 0.3.2)
+    marcel (1.0.1)
     method_source (1.0.0)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
-    mini_portile2 (2.5.0)
-    minitest (5.14.2)
-    nio4r (2.5.4)
-    nokogiri (1.11.1)
-      mini_portile2 (~> 2.5.0)
+    mini_mime (1.0.3)
+    mini_portile2 (2.8.0)
+    minitest (5.14.4)
+    nio4r (2.5.7)
+    nokogiri (1.13.6)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.11.1-x86_64-linux)
+    nokogiri (1.13.6-x86_64-linux)
       racc (~> 1.4)
-    racc (1.5.2)
+    racc (1.6.0)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.1.0)
-      actioncable (= 6.1.0)
-      actionmailbox (= 6.1.0)
-      actionmailer (= 6.1.0)
-      actionpack (= 6.1.0)
-      actiontext (= 6.1.0)
-      actionview (= 6.1.0)
-      activejob (= 6.1.0)
-      activemodel (= 6.1.0)
-      activerecord (= 6.1.0)
-      activestorage (= 6.1.0)
-      activesupport (= 6.1.0)
+    rails (6.1.3.2)
+      actioncable (= 6.1.3.2)
+      actionmailbox (= 6.1.3.2)
+      actionmailer (= 6.1.3.2)
+      actionpack (= 6.1.3.2)
+      actiontext (= 6.1.3.2)
+      actionview (= 6.1.3.2)
+      activejob (= 6.1.3.2)
+      activemodel (= 6.1.3.2)
+      activerecord (= 6.1.3.2)
+      activestorage (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       bundler (>= 1.15.0)
-      railties (= 6.1.0)
+      railties (= 6.1.3.2)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.1.0)
-      actionpack (= 6.1.0)
-      activesupport (= 6.1.0)
+    railties (6.1.3.2)
+      actionpack (= 6.1.3.2)
+      activesupport (= 6.1.3.2)
       method_source
       rake (>= 0.8.7)
       thor (~> 1.0)
-    rake (13.0.1)
+    rake (13.0.3)
     sprockets (4.0.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -133,10 +131,10 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    thor (1.0.1)
-    tzinfo (2.0.3)
+    thor (1.1.0)
+    tzinfo (2.0.4)
       concurrent-ruby (~> 1.0)
-    websocket-driver (0.7.3)
+    websocket-driver (0.7.4)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     zeitwerk (2.4.2)

data/spec/bundle/secure/Gemfile.lock

@@ -1,115 +1,113 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (5.2.4.4)
-      actionpack (= 5.2.4.4)
+    actioncable (5.2.8)
+      actionpack (= 5.2.8)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailer (5.2.4.4)
-      actionpack (= 5.2.4.4)
-      actionview (= 5.2.4.4)
-      activejob (= 5.2.4.4)
+    actionmailer (5.2.8)
+      actionpack (= 5.2.8)
+      actionview (= 5.2.8)
+      activejob (= 5.2.8)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.4.4)
-      actionview (= 5.2.4.4)
-      activesupport (= 5.2.4.4)
+    actionpack (5.2.8)
+      actionview (= 5.2.8)
+      activesupport (= 5.2.8)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.4.4)
-      activesupport (= 5.2.4.4)
+    actionview (5.2.8)
+      activesupport (= 5.2.8)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.4.4)
-      activesupport (= 5.2.4.4)
+    activejob (5.2.8)
+      activesupport (= 5.2.8)
       globalid (>= 0.3.6)
-    activemodel (5.2.4.4)
-      activesupport (= 5.2.4.4)
-    activerecord (5.2.4.4)
-      activemodel (= 5.2.4.4)
-      activesupport (= 5.2.4.4)
+    activemodel (5.2.8)
+      activesupport (= 5.2.8)
+    activerecord (5.2.8)
+      activemodel (= 5.2.8)
+      activesupport (= 5.2.8)
       arel (>= 9.0)
-    activestorage (5.2.4.4)
-      actionpack (= 5.2.4.4)
-      activerecord (= 5.2.4.4)
-      marcel (~> 0.3.1)
-    activesupport (5.2.4.4)
+    activestorage (5.2.8)
+      actionpack (= 5.2.8)
+      activerecord (= 5.2.8)
+      marcel (~> 1.0.0)
+    activesupport (5.2.8)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
     arel (9.0.0)
     builder (3.2.4)
-    concurrent-ruby (1.1.7)
+    concurrent-ruby (1.1.10)
     crass (1.0.6)
     erubi (1.10.0)
-    globalid (0.4.2)
-      activesupport (>= 4.2.0)
-    i18n (1.8.5)
+    globalid (1.0.0)
+      activesupport (>= 5.0)
+    i18n (1.10.0)
       concurrent-ruby (~> 1.0)
-    loofah (2.8.0)
+    loofah (2.18.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
-      mimemagic (~> 0.3.2)
+    marcel (1.0.2)
     method_source (1.0.0)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
-    mini_portile2 (2.5.0)
-    minitest (5.14.2)
-    nio4r (2.5.4)
-    nokogiri (1.11.1)
-      mini_portile2 (~> 2.5.0)
+    mini_mime (1.1.2)
+    mini_portile2 (2.8.0)
+    minitest (5.15.0)
+    nio4r (2.5.8)
+    nokogiri (1.13.6)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.11.1-x86_64-linux)
+    nokogiri (1.13.6-x86_64-linux)
       racc (~> 1.4)
-    racc (1.5.2)
+    racc (1.6.0)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (5.2.4.4)
-      actioncable (= 5.2.4.4)
-      actionmailer (= 5.2.4.4)
-      actionpack (= 5.2.4.4)
-      actionview (= 5.2.4.4)
-      activejob (= 5.2.4.4)
-      activemodel (= 5.2.4.4)
-      activerecord (= 5.2.4.4)
-      activestorage (= 5.2.4.4)
-      activesupport (= 5.2.4.4)
+    rails (5.2.8)
+      actioncable (= 5.2.8)
+      actionmailer (= 5.2.8)
+      actionpack (= 5.2.8)
+      actionview (= 5.2.8)
+      activejob (= 5.2.8)
+      activemodel (= 5.2.8)
+      activerecord (= 5.2.8)
+      activestorage (= 5.2.8)
+      activesupport (= 5.2.8)
       bundler (>= 1.3.0)
-      railties (= 5.2.4.4)
+      railties (= 5.2.8)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.4.4)
-      actionpack (= 5.2.4.4)
-      activesupport (= 5.2.4.4)
+    railties (5.2.8)
+      actionpack (= 5.2.8)
+      activesupport (= 5.2.8)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.19.0, < 2.0)
-    rake (13.0.1)
-    sprockets (4.0.2)
+    rake (13.0.6)
+    sprockets (4.0.3)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.2.2)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
+    sprockets-rails (3.4.2)
+      actionpack (>= 5.2)
+      activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    thor (1.0.1)
+    thor (1.2.1)
     thread_safe (0.3.6)
-    tzinfo (1.2.8)
+    tzinfo (1.2.9)
       thread_safe (~> 0.1)
-    websocket-driver (0.7.3)
+    websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
 
@@ -122,4 +120,4 @@ DEPENDENCIES
   rails-html-sanitizer (~> 1.0.3)
 
 BUNDLED WITH
-   2.2.0
+   2.3.6

data/spec/cli/formats/json_spec.rb

@@ -97,6 +97,7 @@ describe Bundler::Audit::CLI::Formats::JSON do
           expect(output_json[:results][0][:advisory][:cve]).to be == advisory.cve
           expect(output_json[:results][0][:advisory][:osvdb]).to be == advisory.osvdb
           expect(output_json[:results][0][:advisory][:ghsa]).to be == advisory.ghsa
+          expect(output_json[:results][0][:advisory][:criticality]).to be == advisory.criticality.to_s.downcase
           expect(output_json[:results][0][:advisory][:unaffected_versions]).to be == advisory.unaffected_versions.map(&:to_s)
           expect(output_json[:results][0][:advisory][:patched_versions]).to be == advisory.patched_versions.map(&:to_s)
         end