bundler-audit 0.8.0 → 0.9.1

data/spec/cli/formats/junit_spec.rb

@@ -0,0 +1,284 @@
+require 'spec_helper'
+require 'bundler/audit/cli/formats'
+require 'bundler/audit/cli/formats/junit'
+require 'bundler/audit/report'
+
+describe Bundler::Audit::CLI::Formats::Junit do
+  it "must register the 'junit' format" do
+    expect(Bundler::Audit::CLI::Formats[:junit]).to be described_class
+  end
+
+  let(:options) { {} }
+
+  subject do
+    Bundler::Audit::CLI.new([],options).tap do |obj|
+      obj.extend described_class
+    end
+  end
+
+  describe "#print_report" do
+    let(:report) { Bundler::Audit::Report.new }
+    let(:stdout) { StringIO.new }
+
+    before { subject.print_report(report,stdout) }
+
+    let(:output) { stdout.string }
+
+    context "when vulnerabilities were found" do
+      context "when the report contains InsecureSources" do
+        let(:uri) { URI('git://github.com/foo/bar.git') }
+        let(:insecure_source) do
+          Bundler::Audit::Results::InsecureSource.new(uri)
+        end
+
+        let(:report) do
+          super().tap do |report|
+            report << insecure_source
+          end
+        end
+
+        it 'must print "Insecure Source URI found: ..."' do
+          expect(output).to include("Insecure Source URI found: #{uri}")
+        end
+
+        it 'must print have a positive number of failures' do
+          expect(output).to match(/failures="[1-9][0-9]*"/)
+        end
+      end
+
+      context "when the report contains UnpatchedGems" do
+        let(:gem) do
+          Gem::Specification.new do |spec|
+            spec.name = 'test'
+            spec.version = '0.1.0'
+          end
+        end
+
+        let(:advisory) do
+          Bundler::Audit::Advisory.load(Fixtures.join('advisory','CVE-2020-1234.yml'))
+        end
+        let(:unpatched_gem) do
+          Bundler::Audit::Results::UnpatchedGem.new(gem,advisory)
+        end
+
+        let(:report) do
+          super().tap do |report|
+            report << unpatched_gem
+          end
+        end
+
+        it "must print 'Name: ...'" do
+          expect(output).to include("Name: #{gem.name}")
+        end
+
+        it "must print 'Version: ...'" do
+          expect(output).to include("Version: #{gem.version}")
+        end
+
+        context "when the advisory has a CVE ID" do
+          it "must print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output).to include("Advisory: CVE-#{advisory.cve} GHSA-aaaa-bbbb-cccc")
+          end
+        end
+
+        context "when the advisory does not have a CVE ID" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.cve = nil
+            end
+          end
+
+          it "must not print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output).to_not include("CVE-")
+          end
+        end
+
+        context "when the advisory has a GHSA ID" do
+          it "must print 'GHSA-xxxx-xxxx-xxxx'" do
+            expect(output).to include("GHSA-#{advisory.ghsa}")
+          end
+        end
+
+        context "when the advisory does not have a GHSA ID" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.ghsa = nil
+            end
+          end
+
+          it "must not print 'GHSA-xxxx-xxxx-xxxx'" do
+            expect(output).to_not include("GHSA-#{advisory.ghsa}")
+          end
+        end
+
+        context "when CVSS v3 is present" do
+          context "when Advisory#criticality is :none (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: None'" do
+              expect(output).to include("Criticality: None")
+            end
+          end
+
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.1
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output).to include("Criticality: Low")
+            end
+          end
+
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output).to include("Criticality: Medium")
+            end
+          end
+
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output).to include("Criticality: High")
+            end
+          end
+
+          context "when Advisory#criticality is :critical (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 9.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output).to include("Criticality: Critical")
+            end
+          end
+        end
+
+        context "when CVSS v2 is present" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.cvss_v3 = nil
+            end
+          end
+
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output).to include("Criticality: Low")
+            end
+          end
+
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output).to include("Criticality: Medium")
+            end
+          end
+
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output).to include("Criticality: High")
+            end
+          end
+        end
+
+        it "must print 'URL: ...'" do
+          expect(output).to include("URL: #{advisory.url}")
+        end
+
+        context "when :verbose is not enabled" do
+          it 'must print "Title:" and the advisory description' do
+            expect(output).to include("Title: #{advisory.title}")
+          end
+        end
+
+        context "when Advisory#title contains XML special chars" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.title = '<entity id="one">One</entity>'
+            end
+          end
+
+          it 'must print "Title:" with escaped characters' do
+            expect(output).to include("Title: #{CGI.escapeHTML(advisory.title)}")
+          end
+        end
+
+        context "when Advisory#patched_versions is not empty" do
+          it 'must print "Solution: upgrade to ..."' do
+            expect(output).to include("Solution: upgrade to #{CGI.escapeHTML(advisory.patched_versions.map { |v| "'#{v}'" }.join(', '))}")
+          end
+        end
+
+        context "when Advisory#patched_versions is empty" do
+          let(:advisory) do
+            super().tap do |advisory|
+              advisory.patched_versions = []
+            end
+          end
+
+          it 'must print "Solution: remove or disable this gem until a patch is available!"' do
+            expect(output).to include("Solution: remove or disable this gem until a patch is available!")
+          end
+        end
+
+        it 'must print have a positive number of failures' do
+          expect(output).to match(/failures="[1-9][0-9]*"/)
+        end
+      end
+    end
+
+    context "when no vulnerabilities were found" do
+      it 'must print an empty testsuite' do
+        expect(output).to include('failures="0"')
+      end
+
+      context "when :quiet is enabled" do
+        let(:options) { {quiet: true} }
+
+        it "should print nothing" do
+          expect(output).to be_empty
+        end
+      end
+    end
+
+    it "must restore $stdout" do
+      expect($stdout).to_not be(stdout)
+    end
+  end
+end

data/spec/cli/formats/text_spec.rb

@@ -104,39 +104,109 @@ describe Bundler::Audit::CLI::Formats::Text do
           end
         end
 
-        context "when Advisory#criticality is :low" do
-          let(:advisory) do
-            super().tap do |advisory|
-              advisory.cvss_v2 = 0.0
+        context "when CVSS v3 is present" do
+          context "when Advisory#criticality is :none (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: None'" do
+              expect(output_lines).to include("Criticality: None")
             end
           end
 
-          it "must print 'Criticality: Low'" do
-            expect(output_lines).to include("Criticality: Low")
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 0.1
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output_lines).to include("Criticality: Low")
+            end
           end
-        end
 
-        context "when Advisory#criticality is :medium" do
-          let(:advisory) do
-            super().tap do |advisory|
-              advisory.cvss_v2 = 6.9
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output_lines).to include("Criticality: Medium")
             end
           end
 
-          it "must print 'Criticality: Medium'" do
-            expect(output_lines).to include("Criticality: Medium")
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output_lines).to include("Criticality: High")
+            end
+          end
+
+          context "when Advisory#criticality is :critical (cvss_v3 only)" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v3 = 9.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output_lines).to include("Criticality: Critical")
+            end
           end
         end
 
-        context "when Advisory#criticality is :high" do
+        context "when CVSS v2 is present" do
           let(:advisory) do
             super().tap do |advisory|
-              advisory.cvss_v2 = 10.0
+              advisory.cvss_v3 = nil
+            end
+          end
+
+          context "when Advisory#criticality is :low" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 0.0
+              end
+            end
+
+            it "must print 'Criticality: Low'" do
+              expect(output_lines).to include("Criticality: Low")
             end
           end
 
-          it "must print 'Criticality: High'" do
-            expect(output_lines).to include("Criticality: High")
+          context "when Advisory#criticality is :medium" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 4.0
+              end
+            end
+
+            it "must print 'Criticality: Medium'" do
+              expect(output_lines).to include("Criticality: Medium")
+            end
+          end
+
+          context "when Advisory#criticality is :high" do
+            let(:advisory) do
+              super().tap do |advisory|
+                advisory.cvss_v2 = 7.0
+              end
+            end
+
+            it "must print 'Criticality: High'" do
+              expect(output_lines).to include("Criticality: High")
+            end
           end
         end
 
@@ -160,7 +230,7 @@ describe Bundler::Audit::CLI::Formats::Text do
 
         context "when Advisory#patched_versions is not empty" do
           it 'must print "Solution: upgrade to ..."' do
-            expect(output_lines).to include("Solution: upgrade to #{advisory.patched_versions.join(', ')}")
+            expect(output_lines).to include("Solution: upgrade to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}")
           end
         end
 

data/spec/cli_spec.rb

@@ -15,28 +15,68 @@ describe Bundler::Audit::CLI do
     end
   end
 
+  describe "#stats" do
+    let(:size) { 1234 }
+    let(:last_updated_at) { Time.now }
+    let(:commit_id) { 'f0f97c4c493b853319e029d226e96f2c2f0dc539' }
+
+    let(:database) { double(Bundler::Audit::Database) }
+
+    before do
+      expect(Bundler::Audit::Database).to receive(:new).and_return(database)
+
+      expect(database).to receive(:size).and_return(size)
+      expect(database).to receive(:last_updated_at).and_return(last_updated_at)
+      expect(database).to receive(:commit_id).and_return(commit_id)
+    end
+
+    it "prints total advisory count" do
+      expect { subject.stats }.to output(
+        include(
+          "advisories:\t#{size} advisories",
+          "last updated:\t#{last_updated_at}",
+          "commit:\t#{commit_id}"
+        )
+      ).to_stdout
+    end
+  end
+
   describe "#update" do
+    let(:database) { double(Bundler::Audit::Database) }
+
+    before do
+      allow(Bundler::Audit::Database).to receive(:new).and_return(database)
+    end
+
     context "not --quiet (the default)" do
       context "when update succeeds" do
+        let(:size) { 1234 }
+        let(:last_updated_at) { Time.now }
+        let(:commit_id) { 'f0f97c4c493b853319e029d226e96f2c2f0dc539' }
+
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to receive(:update!).and_return(true)
+          expect(database).to receive(:update!).and_return(true)
+          expect(database).to receive(:size).and_return(size)
+          expect(database).to receive(:last_updated_at).and_return(last_updated_at)
+          expect(database).to receive(:commit_id).and_return(commit_id)
         end
 
-        it "prints updated message" do
-          expect { subject.update }.to output(/Updated ruby-advisory-db/).to_stdout
-        end
-
-        it "prints total advisory count" do
-          size = 1234
-          expect_any_instance_of(Bundler::Audit::Database).to receive(:size).and_return(size)
-
-          expect { subject.update }.to output(/advisories:\t#{size} advisories/).to_stdout
+        it "prints updated message and then the stats" do
+          expect { subject.update }.to output(
+            include(
+              "Updated ruby-advisory-db",
+              "ruby-advisory-db:",
+              "  advisories:\t#{size} advisories",
+              "  last updated:\t#{last_updated_at}",
+              "  commit:\t#{commit_id}"
+            )
+          ).to_stdout
         end
       end
 
       context "when update fails" do
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to receive(:update!).and_return(false)
+          expect(database).to receive(:update!).and_return(false)
         end
 
         it "prints failure message" do
@@ -58,22 +98,22 @@ describe Bundler::Audit::CLI do
             expect(error.status).to eq(1)
           end
         end
-
       end
 
       context "when git is not installed" do
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to receive(:update!).and_return(nil)
+          expect(database).to receive(:update!).and_return(nil)
+
           expect(Bundler).to receive(:git_present?).and_return(false)
         end
 
         it "prints failure message" do
-          expect do
+          expect {
             begin
               subject.update
             rescue SystemExit
             end
-          end.to output(/Git is not installed!/).to_stderr
+          }.to output(/Git is not installed!/).to_stderr
         end
 
         it "exits with error status code" do
@@ -96,7 +136,7 @@ describe Bundler::Audit::CLI do
 
       context "when update succeeds" do
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to(
+          expect(database).to(
             receive(:update!).with(quiet: true).and_return(true)
           )
         end
@@ -108,7 +148,7 @@ describe Bundler::Audit::CLI do
 
       context "when update fails" do
         before do
-          expect_any_instance_of(Bundler::Audit::Database).to(
+          expect(database).to(
             receive(:update!).with(quiet: true).and_return(false)
           )
         end

data/spec/database_spec.rb

@@ -174,7 +174,7 @@ describe Bundler::Audit::Database do
     end
 
     context "when given a directory" do
-      let(:path ) { Dir.tmpdir }
+      let(:path) { Dir.tmpdir }
 
       subject { described_class.new(path) }
 
@@ -263,12 +263,36 @@ describe Bundler::Audit::Database do
     end
   end
 
+  describe "#commit_id" do
+    context "when the database is a git repository" do
+      let(:last_commit) { Fixtures::Database::COMMIT }
+
+      it "should return the last commit ID" do
+        expect(subject.commit_id).to be == last_commit
+      end
+    end
+
+    context "when the database is a bare directory" do
+      let(:path) { Fixtures.join('mock-database-dir') }
+
+      before { FileUtils.mkdir(path) }
+
+      subject { described_class.new(path) }
+
+      it "should return the mtime of the directory" do
+        expect(subject.commit_id).to be(nil)
+      end
+
+      after { FileUtils.rmdir(path) }
+    end
+  end
+
   describe "#last_updated_at" do
     context "when the database is a git repository" do
       let(:last_commit) { Fixtures::Database::COMMIT }
       let(:last_commit_timestamp) do
         Dir.chdir(Fixtures::Database::PATH) do
-          Time.parse(`git log --date=iso8601 --pretty="%cd" #{last_commit}`)
+          Time.parse(`git log -n 2 --date=iso8601 --pretty="%cd" #{last_commit}`)
         end
       end
 

data/spec/fixtures/advisory/CVE-2020-1234.yml

@@ -10,6 +10,7 @@ description: |
   This is a test advisory.
 
 cvss_v2: 10.0
+cvss_v3: 9.8
 
 unaffected_versions:
   - "< 0.1.0"

data/spec/fixtures/lib/bundler/audit/cli/formats/bad.rb

@@ -5,11 +5,9 @@ module Bundler
     class CLI < ::Thor
       module Formats
         module Bad
-
           def print_report(report,output=$stdout)
             say "I am a bad format!", :red
           end
-
         end
 
         Formats.register :incorrect, Bad

data/spec/fixtures/lib/bundler/audit/cli/formats/good.rb

@@ -5,11 +5,9 @@ module Bundler
     class CLI < ::Thor
       module Formats
         module Good
-
           def print_report(report,output=$stdout)
             say "I am a good format.", :green
           end
-
         end
 
         Formats.register :good, Good

data/spec/results/unpatched_gem_spec.rb

@@ -89,9 +89,10 @@ describe Bundler::Audit::Results::UnpatchedGem do
     subject { super().to_h }
 
     let(:advisory_hash) { {id: advisory.id} }
+
     before { expect(advisory).to receive(:to_h).and_return(advisory_hash) }
 
-    it "must inclide type: :unpatched_gem" do
+    it "must include type: :unpatched_gem" do
       expect(subject[:type]).to be :unpatched_gem
     end
 
@@ -110,7 +111,6 @@ describe Bundler::Audit::Results::UnpatchedGem do
     end
 
     it "must include a :advisory key containing a Hash of the advisory" do
-
       expect(subject[:advisory]).to be == advisory_hash
     end
   end

data/spec/scanner_spec.rb

@@ -36,7 +36,7 @@ describe Scanner do
       end
 
       context "when the :ignore option is given" do
-        subject { super().scan(:ignore => ['OSVDB-89026']) }
+        subject { super().scan(ignore: ['OSVDB-89026']) }
 
         it "should ignore the specified advisories" do
           ids = subject.map { |result| result.advisory.id }
@@ -79,6 +79,30 @@ describe Scanner do
 
         expect(ids).not_to include('OSVDB-89025')
       end
+
+      context "when config path is absolute" do
+        let(:bundle) { 'unpatched_gems' }
+        let(:absolute_config_path) { File.absolute_path(File.join('spec','bundle','unpatched_gems_with_dot_configuration', '.bundler-audit.yml')) }
+        let(:scanner) { described_class.new(directory,'Gemfile.lock',Database.new,absolute_config_path) }
+
+        it "should read the config just fine" do
+          ids = subject.map { |result| result.advisory.id }
+
+          expect(ids).not_to include('OSVDB-89025')
+        end
+      end
+
+      context "when config path is relative" do
+        let(:bundle) { 'unpatched_gems' }
+        let(:relative_config_path) { File.join('..', 'unpatched_gems_with_dot_configuration', '.bundler-audit.yml') }
+        let(:scanner) { described_class.new(directory,'Gemfile.lock',Database.new,relative_config_path) }
+
+        it "should read the config just fine" do
+          ids = subject.map { |result| result.advisory.id }
+
+          expect(ids).not_to include('OSVDB-89025')
+        end
+      end
     end
   end