bundler-audit 0.9.1 → 0.9.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 762980c9b274b19e477ee0be0ae021e452a1e7d63796ceb6da0d667de704dad9
-  data.tar.gz: 3e0fae808a027e677f3d218949c092d8189fc124bb34f61b57fdf982b5ffd6b1
+  metadata.gz: 2e40ebbca24535f65142ee863e6a2acb44802481243959ea75dbaa1f7ab5e33c
+  data.tar.gz: 41d763068c36318312395dfacfd626b95928939d4358a682984aab3fc26287dd
 SHA512:
-  metadata.gz: faa37304223ab40fd5678b6a4fcc1f9edb6d112c418c3a80a38aff6dbfbfacd416481f32f402998ece370d4646fe416e8f9453a5cec98d634845ff7bfd1abc6f
-  data.tar.gz: 7fbd39c761fdee364266207e4f0b52be6347b480b8447d31688428b8d3b5337c7f7403142ef0b2da0bc293ddfbe1ea5df93750b3a70be3920eff37af1d6a7884
+  metadata.gz: 00cee5ad01c98a6933e65b2823ff09ca89b7a2b69a01b0192468c871469121b95df622faa871ac1b62764838f9c263a86eb8180b2f47eab0a94f2823231ba965
+  data.tar.gz: 646566832c37e1a4b65502832bae8452b2c061b24f9caefae55f74b326d2f3f13ac88c742fffcb824d65a48f73f9e667634b86c94fc2c063e30b45225f397630

data/.github/ISSUE_TEMPLATE/bug-report.md

@@ -41,4 +41,6 @@ Steps to reproduce the bug:
     ...
     $ ruby --version
     ...
+    $ git --version
+    ...
 

data/.github/workflows/ruby.yml

@@ -9,13 +9,20 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
-          - 2.5
-          - 2.6
-          - 2.7
           - '3.0'
-          - 3.1
+          - '3.1'
+          - '3.2'
+          - '3.3'
+          - '3.4'
+          - '3.5'
+          - '4.0'
           - jruby
-          - truffleruby-head
+          - truffleruby
+        include:
+          - ruby: '3.0'
+            rubygems_version: '3.5.23'
+          - ruby: '3.1'
+            rubygems_version: '3.6.9'
     name: Ruby ${{ matrix.ruby }}
     steps:
       - uses: actions/checkout@v2
@@ -23,6 +30,12 @@ jobs:
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
+      - name: Update RubyGems
+        env:
+          RUBYGEMS_VERSION: ${{ matrix.rubygems_version }}
+        run: |
+            gem update --system ${RUBYGEMS_VERSION:-}
+            gem -v
       - name: Install dependencies
         run: bundle install --jobs 4 --retry 3
       - name: Run tests

data/.rubocop.yml

@@ -1,5 +1,5 @@
 AllCops:
-  NewCops: enable
+  NewCops: disable
   SuggestExtensions: false
   TargetRubyVersion: 2.7
   Exclude:
@@ -65,6 +65,9 @@ Style/WordArray: { Enabled: false } # Offense count: 1
 Style/Lambda: { Enabled: false } # Offense count: 2
 Style/SafeNavigation: { Enabled: false } # Offense count: 2
 Lint/IneffectiveAccessModifier: { Enabled: false } # Offense count: 1
+Gemspec/RequireMFA:
+  Exclude:
+    - 'bundler-audit.gemspec'
 Gemspec/DuplicatedAssignment:
   Exclude:
     - 'bundler-audit.gemspec'
@@ -84,3 +87,4 @@ Style/ExpandPathArguments: { Enabled: false } # Offense count: 5
 Style/FrozenStringLiteralComment: { Enabled: false } # Offense count: 42
 Style/MixinUsage: { Exclude: ['spec/spec_helper.rb'] } # Offense count: 1
 Layout/LineLength: { Enabled: false }
+Style/RedundantParentheses: { Enabled: false }

data/ChangeLog.md

@@ -1,5 +1,34 @@
+### 0.9.3 / 2025-11-28
+
+* Officially support Ruby 3.4, 3.5, and 4.0.
+* Added support for Bundler 4.x.
+* Fixed typos in API documentation.
+
+#### CLI
+
+* Ensure that the `bundler-audit check` command honors the
+  `BUNDLER_AUDIT_DB` environment variable.
+
+### 0.9.2 / 2024-08-22
+
+* Officially support Ruby 3.2 and 3.3.
+* Corrected the gemspec license to indicate GPL-3.0 *or* later.
+
+#### CLI
+
+* Correctly handle {Bundler::Audit::Database::UpdateFailed} exceptions in
+  `bundle-audit update`.
+* Changed wording from "upgrade to" to "update to" in `bundle-audit check`
+  output.
+
+#### Rake Task
+
+* Fixed empty `bundle:audit:update` rake task.
+
 ### 0.9.1 / 2022-05-19
 
+* Opt into rubygems.org MFA requirement.
+
 #### CLI
 
 * Improve the readability of the suggested gem versions to upgrade to

data/Gemfile

@@ -4,7 +4,7 @@ gemspec
 
 group :development do
   gem 'rake'
-  gem 'rubygems-tasks', '~> 0.2'
+  gem 'rubygems-tasks', '~> 0.3'
 
   gem 'rubocop',        '~> 1.18'
 

data/README.md

@@ -24,90 +24,94 @@ Patch-level verification for [bundler].
 
 Audit a project's `Gemfile.lock`:
 
-    $ bundle-audit
-    Name: actionpack
-    Version: 3.2.10
-    Advisory: OSVDB-91452
-    Criticality: Medium
-    URL: http://www.osvdb.org/show/osvdb/91452
-    Title: XSS vulnerability in sanitize_css in Action Pack
-    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-
-    Name: actionpack
-    Version: 3.2.10
-    Advisory: OSVDB-91454
-    Criticality: Medium
-    URL: http://osvdb.org/show/osvdb/91454
-    Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
-    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-
-    Name: actionpack
-    Version: 3.2.10
-    Advisory: OSVDB-89026
-    Criticality: High
-    URL: http://osvdb.org/show/osvdb/89026
-    Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
-    Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-
-    Name: activerecord
-    Version: 3.2.10
-    Advisory: OSVDB-91453
-    Criticality: High
-    URL: http://osvdb.org/show/osvdb/91453
-    Title: Symbol DoS vulnerability in Active Record
-    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-
-    Name: activerecord
-    Version: 3.2.10
-    Advisory: OSVDB-90072
-    Criticality: Medium
-    URL: http://direct.osvdb.org/show/osvdb/90072
-    Title: Ruby on Rails Active Record attr_protected Method Bypass
-    Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
-
-    Name: activerecord
-    Version: 3.2.10
-    Advisory: OSVDB-89025
-    Criticality: High
-    URL: http://osvdb.org/show/osvdb/89025
-    Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
-    Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-
-    Name: activesupport
-    Version: 3.2.10
-    Advisory: OSVDB-91451
-    Criticality: High
-    URL: http://www.osvdb.org/show/osvdb/91451
-    Title: XML Parsing Vulnerability affecting JRuby users
-    Solution: upgrade to ~> 3.1.12, >= 3.2.13
-
-    Unpatched versions found!
+```
+$ bundle-audit
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-91452
+Criticality: Medium
+URL: http://www.osvdb.org/show/osvdb/91452
+Title: XSS vulnerability in sanitize_css in Action Pack
+Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-91454
+Criticality: Medium
+URL: http://osvdb.org/show/osvdb/91454
+Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
+Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: actionpack
+Version: 3.2.10
+Advisory: OSVDB-89026
+Criticality: High
+URL: http://osvdb.org/show/osvdb/89026
+Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
+Solution: update to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-91453
+Criticality: High
+URL: http://osvdb.org/show/osvdb/91453
+Title: Symbol DoS vulnerability in Active Record
+Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-90072
+Criticality: Medium
+URL: http://direct.osvdb.org/show/osvdb/90072
+Title: Ruby on Rails Active Record attr_protected Method Bypass
+Solution: update to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
+
+Name: activerecord
+Version: 3.2.10
+Advisory: OSVDB-89025
+Criticality: High
+URL: http://osvdb.org/show/osvdb/89025
+Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
+Solution: update to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+Name: activesupport
+Version: 3.2.10
+Advisory: OSVDB-91451
+Criticality: High
+URL: http://www.osvdb.org/show/osvdb/91451
+Title: XML Parsing Vulnerability affecting JRuby users
+Solution: update to ~> 3.1.12, >= 3.2.13
+
+Unpatched versions found!
+```
 
 Update the [ruby-advisory-db] that `bundle audit` uses:
 
-    $ bundle-audit update
-    Updating ruby-advisory-db ...
-    remote: Counting objects: 44, done.
-    remote: Compressing objects: 100% (24/24), done.
-    remote: Total 39 (delta 19), reused 29 (delta 10)
-    Unpacking objects: 100% (39/39), done.
-    From https://github.com/rubysec/ruby-advisory-db
-     * branch            master     -> FETCH_HEAD
-    Updating 5f8225e..328ca86
-    Fast-forward
-     CONTRIBUTORS.md                    |  1 +
-     gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
-     gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
-     gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
-     gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
-     gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
-     6 files changed, 73 insertions(+)
-     create mode 100644 gems/actionmailer/OSVDB-98629.yml
-     create mode 100644 gems/cocaine/OSVDB-98835.yml
-     create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
-     create mode 100644 gems/sounder/OSVDB-96278.yml
-     create mode 100644 gems/wicked/OSVDB-98270.yml
-    ruby-advisory-db: 64 advisories
+```
+$ bundle-audit update
+Updating ruby-advisory-db ...
+remote: Counting objects: 44, done.
+remote: Compressing objects: 100% (24/24), done.
+remote: Total 39 (delta 19), reused 29 (delta 10)
+Unpacking objects: 100% (39/39), done.
+From https://github.com/rubysec/ruby-advisory-db
+ * branch            master     -> FETCH_HEAD
+Updating 5f8225e..328ca86
+Fast-forward
+ CONTRIBUTORS.md                    |  1 +
+ gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
+ gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
+ gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
+ gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
+ gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
+ 6 files changed, 73 insertions(+)
+ create mode 100644 gems/actionmailer/OSVDB-98629.yml
+ create mode 100644 gems/cocaine/OSVDB-98835.yml
+ create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
+ create mode 100644 gems/sounder/OSVDB-96278.yml
+ create mode 100644 gems/wicked/OSVDB-98270.yml
+ruby-advisory-db: 64 advisories
+```
 
 Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
 
@@ -147,10 +151,20 @@ $ bundle-audit check --format json --output bundle-audit.json
 
 ## Rake Tasks
 
-Bundler-audit provides Rake tasks for checking the code and for updating
-its vulnerability database:
+Bundler-audit provides `rake` tasks for checking the code and for updating
+its vulnerability database.
+
+Simply add the following code to the `Rakefile`:
 
-```bash
+```ruby
+require 'bundler/audit/task'
+Bundler::Audit::Task.new
+```
+
+The following `rake` tasks will then become available:
+
+```
+$ rake -T
 rake bundle:audit
 rake bundle:audit:update
 ```
@@ -231,7 +245,7 @@ $ brew install git
 
 ## License
 
-Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

data/bundler-audit.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |gem|
   gem.authors     = Array(gemspec['authors'])
   gem.email       = gemspec['email']
   gem.homepage    = gemspec['homepage']
+  gem.metadata    = gemspec['metadata'] if gemspec['metadata']
 
   glob = lambda { |patterns| gem.files & Dir[*patterns] }
 
@@ -30,7 +31,6 @@ Gem::Specification.new do |gem|
   gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
 
   gem.extensions       = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
-  gem.test_files       = glob[gemspec['test_files'] || 'spec/{**/}*_spec.rb']
   gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
 
   gem.require_paths = Array(gemspec.fetch('require_paths') {

data/gemspec.yml

@@ -1,16 +1,16 @@
 name: bundler-audit
 summary: Patch-level verification for Bundler
 description: bundler-audit provides patch-level verification for Bundled apps.
-license: GPL-3.0+
+license: GPL-3.0-or-later
 authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme
 
 metadata:
   documentation_uri: https://rubydoc.info/gems/bundler-audit
-  source_code_uri:   https://github.com/rubysec/bundler-audit.rb
-  bug_tracker_uri:   https://github.com/rubysec/bundler-audit.rb/issues
-  changelog_uri:     https://github.com/rubysec/bundler-audit.rb/blob/master/ChangeLog.md
+  source_code_uri:   https://github.com/rubysec/bundler-audit
+  bug_tracker_uri:   https://github.com/rubysec/bundler-audit/issues
+  changelog_uri:     https://github.com/rubysec/bundler-audit/blob/master/ChangeLog.md
   rubygems_mfa_required: 'true'
 
 required_ruby_version: ">= 2.0.0"
@@ -18,4 +18,4 @@ required_rubygems_version: ">= 1.8.0"
 
 dependencies:
   thor: "~> 1.0"
-  bundler: ">= 1.2.0, < 3"
+  bundler: ">= 1.2.0"

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/cli/formats/json.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/cli/formats/junit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -101,7 +101,7 @@ module Bundler
 
           def advisory_solution(advisory)
             unless advisory.patched_versions.empty?
-              "upgrade to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}"
+              "update to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}"
             else
               "remove or disable this gem until a patch is available!"
             end

data/lib/bundler/audit/cli/formats/text.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -104,7 +104,7 @@ module Bundler
             end
 
             unless advisory.patched_versions.empty?
-              say "Solution: upgrade to ", :red
+              say "Solution: update to ", :red
               say advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')
             else
               say "Solution: ", :red

data/lib/bundler/audit/cli/formats.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -39,7 +39,7 @@ module Bundler
       method_option :ignore, type: :array, aliases: '-i'
       method_option :update, type: :boolean, aliases: '-u'
       method_option :database, type: :string, aliases: '-D',
-                               default: Database::USER_PATH
+                               default: Database::DEFAULT_PATH
       method_option :format, type: :string, default: 'text', aliases: '-F'
       method_option :config, type: :string, aliases: '-c', default: '.bundler-audit.yml'
       method_option :gemfile_lock, type: :string, aliases: '-G',
@@ -67,7 +67,7 @@ module Bundler
 
         database = Database.new(options[:database])
         scanner  = begin
-                     Scanner.new(dir,options[:gemfile_lock],database, options[:config])
+                     Scanner.new(dir,options[:gemfile_lock],database,options[:config])
                    rescue Bundler::GemfileLockNotFound => exception
                      say exception.message, :red
                      exit 1
@@ -91,7 +91,7 @@ module Bundler
       desc 'stats', 'Prints ruby-advisory-db stats'
       method_option :quiet, type: :boolean, aliases: '-q'
 
-      def stats(path=Database.path)
+      def stats(path=Database::DEFAULT_PATH)
         database = Database.new(path)
 
         puts "ruby-advisory-db:"
@@ -106,7 +106,7 @@ module Bundler
       desc 'download', 'Downloads ruby-advisory-db'
       method_option :quiet, type: :boolean, aliases: '-q'
 
-      def download(path=Database.path)
+      def download(path=Database::DEFAULT_PATH)
         if Database.exists?(path)
           say "Database already exists", :yellow
           return
@@ -127,7 +127,7 @@ module Bundler
       desc 'update', 'Updates the ruby-advisory-db'
       method_option :quiet, type: :boolean, aliases: '-q'
 
-      def update(path=Database.path)
+      def update(path=Database::DEFAULT_PATH)
         unless Database.exists?(path)
           download(path)
           return
@@ -137,19 +137,23 @@ module Bundler
 
         database = Database.new(path)
 
-        case database.update!(quiet: options.quiet?)
-        when true
-          say("Updated ruby-advisory-db", :green) unless options.quiet?
-        when false
-          say_error "Failed updating ruby-advisory-db!", :red
-          exit 1
-        when nil
-          unless Bundler.git_present?
-            say_error "Git is not installed!", :red
-            exit 1
+        begin
+          case database.update!(quiet: options.quiet?)
+          when true
+            say("Updated ruby-advisory-db", :green) unless options.quiet?
+          when nil
+            if Bundler.git_present?
+              unless options.quiet?
+                say "Skipping update, ruby-advisory-db is not a git repository", :yellow
+              end
+            else
+              say_error "Git is not installed!", :red
+              exit 1
+            end
           end
-
-          say "Skipping update", :yellow
+        rescue Database::UpdateFailed => error
+          say error.message, :red
+          exit 1
         end
 
         stats(path) unless options.quiet?

data/lib/bundler/audit/configuration.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -103,7 +103,7 @@ module Bundler
       # @option options [Boolean] :quiet
       #   Specify whether `git` should be `--quiet`.
       #
-      # @return [Dataase]
+      # @return [Database]
       #   The newly downloaded database.
       #
       # @raise [DownloadFailed]
@@ -141,9 +141,8 @@ module Bundler
       # @option options [Boolean] :quiet
       #   Specify whether `git` should be `--quiet`.
       #
-      # @return [Boolean, nil]
+      # @return [Boolean]
       #   Specifies whether the update was successful.
-      #   A `nil` indicates no update was performed.
       #
       # @raise [ArgumentError]
       #   Invalid options were given.
@@ -192,9 +191,13 @@ module Bundler
       #   Specify whether `git` should be `--quiet`.
       #
       # @return [true, nil]
-      #   `true` indicates that the update was successful.
-      #   `nil` indicates the database is not a git repository, thus not
-      #   capable of being updated.
+      #   * `true` - the ruby-advisory-db git repository was successfully
+      #     updated.
+      #   * `nil` - the ruby-advisory-db is not a git repository or the `git`
+      #     command is not installed.
+      #
+      # @raise [UpdateFailed]
+      #   Could not update the ruby-advisory-db git repository.
       #
       # @since 0.8.0
       #

data/lib/bundler/audit/results/insecure_source.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/results/unpatched_gem.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/results.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/scanner.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/task.rb

@@ -16,33 +16,6 @@ module Bundler
         define
       end
 
-      protected
-
-      #
-      # Defines the `bundle:audit` and `bundle:audit:update` task.
-      #
-      def define
-        namespace :bundle do
-          namespace :audit do
-            desc 'Checks the Gemfile.lock for insecure dependencies'
-            task :check do
-              bundler_audit 'check'
-            end
-
-            desc 'Updates the bundler-audit vulnerability database'
-            task :update do
-              bundler_audit 'update'
-            end
-          end
-
-          task :audit => 'audit:check'
-        end
-
-        task 'bundler:audit'        => 'bundle:audit'
-        task 'bundler:audit:check'  => 'bundle:audit:check'
-        task 'bundler:audit:update' => 'bundle:audit:update'
-      end
-
       #
       # Runs the `bundler-audit` command with the additional arguments.
       #
@@ -59,6 +32,8 @@ module Bundler
       #   If the `bundler-audit` command exits with an error, the rake task
       #   will also exit with the same error code.
       #
+      # @api private
+      #
       def bundler_audit(*arguments)
         case system('bundler-audit',*arguments)
         when false
@@ -69,6 +44,71 @@ module Bundler
           return true
         end
       end
+
+      #
+      # Runs the `bundle-audit check` command.
+      #
+      # @return [true]
+      #   The `bundler-audit` command successfully exited.
+      #
+      # @raise [CommandNotFound]
+      #   The `bundler-audit` command could not be executed or was not found.
+      #
+      # @note
+      #   If the `bundler-audit` command exits with an error, the rake task
+      #   will also exit with the same error code.
+      #
+      # @api private
+      #
+      def check
+        bundler_audit 'check'
+      end
+
+      #
+      # Runs the `bundle-audit update` command.
+      #
+      # @return [true]
+      #   The `bundler-audit` command successfully exited.
+      #
+      # @raise [CommandNotFound]
+      #   The `bundler-audit` command could not be executed or was not found.
+      #
+      # @note
+      #   If the `bundler-audit` command exits with an error, the rake task
+      #   will also exit with the same error code.
+      #
+      # @api private
+      #
+      def update
+        bundler_audit 'update'
+      end
+
+      protected
+
+      #
+      # Defines the `bundle:audit` and `bundle:audit:update` task.
+      #
+      def define
+        namespace :bundle do
+          namespace :audit do
+            desc 'Checks the Gemfile.lock for insecure dependencies'
+            task :check do
+              check
+            end
+
+            desc 'Updates the bundler-audit vulnerability database'
+            task :update do
+              update
+            end
+          end
+
+          task :audit => 'audit:check'
+        end
+
+        task 'bundler:audit'        => 'bundle:audit'
+        task 'bundler:audit:check'  => 'bundle:audit:check'
+        task 'bundler:audit:update' => 'bundle:audit:update'
+      end
     end
   end
 end

data/lib/bundler/audit/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.9.1'
+    VERSION = '0.9.3'
   end
 end

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/spec/bundle/insecure_sources/Gemfile.lock

@@ -77,7 +77,7 @@ GEM
       activesupport (>= 4.2.0)
     i18n (1.8.10)
       concurrent-ruby (~> 1.0)
-    loofah (2.9.1)
+    loofah (2.19.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -88,13 +88,13 @@ GEM
     mini_portile2 (2.8.0)
     minitest (5.14.4)
     nio4r (2.5.7)
-    nokogiri (1.13.6)
+    nokogiri (1.13.10)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.13.6-x86_64-linux)
+    nokogiri (1.13.10-x86_64-linux)
       racc (~> 1.4)
-    racc (1.6.0)
-    rack (2.2.3)
+    racc (1.6.1)
+    rack (2.2.6.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails (6.1.3.2)
@@ -115,8 +115,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
+    rails-html-sanitizer (1.4.4)
+      loofah (~> 2.19, >= 2.19.1)
     railties (6.1.3.2)
       actionpack (= 6.1.3.2)
       activesupport (= 6.1.3.2)

data/spec/bundle/secure/Gemfile

@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
 
 gem 'rails', '~> 5.2'
-gem 'rails-html-sanitizer', '~> 1.0.3'
+gem 'rails-html-sanitizer', '~> 1.4.4'

data/spec/bundle/secure/Gemfile.lock

@@ -47,11 +47,11 @@ GEM
     concurrent-ruby (1.1.10)
     crass (1.0.6)
     erubi (1.10.0)
-    globalid (1.0.0)
+    globalid (1.0.1)
       activesupport (>= 5.0)
-    i18n (1.10.0)
+    i18n (1.12.0)
       concurrent-ruby (~> 1.0)
-    loofah (2.18.0)
+    loofah (2.19.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -60,15 +60,15 @@ GEM
     method_source (1.0.0)
     mini_mime (1.1.2)
     mini_portile2 (2.8.0)
-    minitest (5.15.0)
+    minitest (5.17.0)
     nio4r (2.5.8)
-    nokogiri (1.13.6)
+    nokogiri (1.13.10)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.13.6-x86_64-linux)
+    nokogiri (1.13.10-x86_64-linux)
       racc (~> 1.4)
-    racc (1.6.0)
-    rack (2.2.3)
+    racc (1.6.1)
+    rack (2.2.6.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails (5.2.8)
@@ -87,8 +87,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
-      loofah (~> 2.2, >= 2.2.2)
+    rails-html-sanitizer (1.4.4)
+      loofah (~> 2.19, >= 2.19.1)
     railties (5.2.8)
       actionpack (= 5.2.8)
       activesupport (= 5.2.8)
@@ -105,7 +105,7 @@ GEM
       sprockets (>= 3.0.0)
     thor (1.2.1)
     thread_safe (0.3.6)
-    tzinfo (1.2.9)
+    tzinfo (1.2.10)
       thread_safe (~> 0.1)
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
@@ -117,7 +117,7 @@ PLATFORMS
 
 DEPENDENCIES
   rails (~> 5.2)
-  rails-html-sanitizer (~> 1.0.3)
+  rails-html-sanitizer (~> 1.4.4)
 
 BUNDLED WITH
    2.3.6

data/spec/bundle/unpatched_gems_with_dot_configuration/Gemfile.lock

@@ -18,7 +18,7 @@ GEM
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     multi_json (1.15.0)
-    tzinfo (0.3.58)
+    tzinfo (0.3.61)
 
 PLATFORMS
   ruby

data/spec/cli/formats/junit_spec.rb

@@ -240,8 +240,8 @@ describe Bundler::Audit::CLI::Formats::Junit do
         end
 
         context "when Advisory#patched_versions is not empty" do
-          it 'must print "Solution: upgrade to ..."' do
-            expect(output).to include("Solution: upgrade to #{CGI.escapeHTML(advisory.patched_versions.map { |v| "'#{v}'" }.join(', '))}")
+          it 'must print "Solution: update to ..."' do
+            expect(output).to include("Solution: update to #{CGI.escapeHTML(advisory.patched_versions.map { |v| "'#{v}'" }.join(', '))}")
           end
         end
 

data/spec/cli/formats/text_spec.rb

@@ -229,8 +229,8 @@ describe Bundler::Audit::CLI::Formats::Text do
         end
 
         context "when Advisory#patched_versions is not empty" do
-          it 'must print "Solution: upgrade to ..."' do
-            expect(output_lines).to include("Solution: upgrade to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}")
+          it 'must print "Solution: update to ..."' do
+            expect(output_lines).to include("Solution: update to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}")
           end
         end
 

data/spec/cli_spec.rb

@@ -2,6 +2,8 @@ require 'spec_helper'
 require 'bundler/audit/cli'
 
 describe Bundler::Audit::CLI do
+  let(:database_path) { "/path/to/ruby-advisory-db" }
+
   describe ".start" do
     context "with wrong arguments" do
       it "exits with error status code" do
@@ -76,23 +78,17 @@ describe Bundler::Audit::CLI do
 
       context "when update fails" do
         before do
-          expect(database).to receive(:update!).and_return(false)
+          expect(database).to receive(:update!).with(quiet: false).and_raise(
+            Bundler::Audit::Database::UpdateFailed,
+            "failed to update #{database_path.inspect}"
+          )
         end
 
-        it "prints failure message" do
+        it "must print an error message and exit with 1" do
           expect {
-            begin
+            expect {
               subject.update
-            rescue SystemExit
-            end
-          }.to output(/Failed updating ruby-advisory-db!/).to_stderr
-        end
-
-        it "exits with error status code" do
-          expect {
-            # Capture output of `update` only to keep spec output clean.
-            # The test regarding specific output is above.
-            expect { subject.update }.to output.to_stdout
+            }.to output("failed to update #{database_path.inspect}").to_stderr
           }.to raise_error(SystemExit) do |error|
             expect(error.success?).to eq(false)
             expect(error.status).to eq(1)
@@ -136,9 +132,7 @@ describe Bundler::Audit::CLI do
 
       context "when update succeeds" do
         before do
-          expect(database).to(
-            receive(:update!).with(quiet: true).and_return(true)
-          )
+          expect(database).to receive(:update!).with(quiet: true).and_return(true)
         end
 
         it "does not print any output" do
@@ -148,25 +142,17 @@ describe Bundler::Audit::CLI do
 
       context "when update fails" do
         before do
-          expect(database).to(
-            receive(:update!).with(quiet: true).and_return(false)
+          expect(database).to receive(:update!).with(quiet: true).and_raise(
+            Bundler::Audit::Database::UpdateFailed,
+            "failed to update #{database_path.inspect}"
           )
         end
 
-        it "prints failure message" do
+        it "must print the error message and exit with an error code" do
           expect {
-            begin
+            expect {
               subject.update
-            rescue SystemExit
-            end
-          }.to_not output.to_stderr
-        end
-
-        it "exits with error status code" do
-          expect {
-            # Capture output of `update` only to keep spec output clean.
-            # The test regarding specific output is above.
-            expect { subject.update }.to output.to_stdout
+            }.to output("failed to update: #{database_path.inspect}").to_stderr
           }.to raise_error(SystemExit) do |error|
             expect(error.success?).to eq(false)
             expect(error.status).to eq(1)

data/spec/integration_spec.rb

@@ -11,7 +11,14 @@ describe "bin/bundler-audit" do
   subject { sh(command) }
 
   it "must invoke the CLI class" do
-    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
+    expected = "bundler-audit #{Bundler::Audit::VERSION}#{$/}"
+
+    if RUBY_VERSION.start_with?("3.0") || RUBY_ENGINE == "truffleruby"
+      # Allow `WARN: Unresolved or ambiguous specs during Gem::Specification.reset:` for Ruby 3.0.x and TruffleRuby
+      expect(subject).to include(expected)
+    else
+      expect(subject).to eq(expected)
+    end
   end
 end
 
@@ -26,6 +33,13 @@ describe "bin/bundle-audit" do
   subject { sh(command) }
 
   it "must invoke the CLI class" do
-    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
+    expected = "bundler-audit #{Bundler::Audit::VERSION}#{$/}"
+
+    if RUBY_VERSION.start_with?("3.0") || RUBY_ENGINE == "truffleruby"
+      # Allow `WARN: Unresolved or ambiguous specs during Gem::Specification.reset:` for Ruby 3.0.x and TruffleRuby
+      expect(subject).to include(expected)
+    else
+      expect(subject).to eq(expected)
+    end
   end
 end

data/spec/scanner_spec.rb

@@ -36,12 +36,12 @@ describe Scanner do
       end
 
       context "when the :ignore option is given" do
-        subject { super().scan(ignore: ['OSVDB-89026']) }
+        subject { super().scan(ignore: ['CVE-2013-0156']) }
 
         it "should ignore the specified advisories" do
           ids = subject.map { |result| result.advisory.id }
 
-          expect(ids).not_to include('OSVDB-89026')
+          expect(ids).not_to include('CVE-2013-0156')
         end
       end
     end

data/spec/task_spec.rb

@@ -0,0 +1,141 @@
+require 'spec_helper'
+require 'bundler/audit/task'
+
+require 'rake'
+
+describe Bundler::Audit::Task do
+  before { subject }
+
+  it "must define a 'bundle:audit:check' task" do
+    expect(Rake::Task['bundle:audit:check']).to_not be_nil
+  end
+
+  it "must define a 'bundle:audit:update' task" do
+    expect(Rake::Task['bundle:audit:update']).to_not be_nil
+  end
+
+  it "must define a 'bundle:audit' task" do
+    expect(Rake::Task['bundle:audit']).to_not be_nil
+  end
+
+  it "must define a 'bundler:audit:check' task" do
+    expect(Rake::Task['bundler:audit:check']).to_not be_nil
+  end
+
+  it "must define a 'bundler:audit:update' task" do
+    expect(Rake::Task['bundler:audit:update']).to_not be_nil
+  end
+
+  it "must define a 'bundler:audit' task" do
+    expect(Rake::Task['bundler:audit']).to_not be_nil
+  end
+
+  describe "#bundler_audit" do
+    let(:subcommand) { 'subcommand' }
+    context "when the command exits successfully" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit',subcommand).and_return(true)
+      end
+
+      it "must return true" do
+        expect(subject.bundler_audit(subcommand)).to be(true)
+      end
+    end
+
+    context "when there vulnerabilities are found" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit',subcommand).and_return(false)
+      end
+
+      it "must exit with a non-zero error code" do
+        expect(subject).to receive(:exit).with($?.exitstatus)
+
+        subject.bundler_audit(subcommand)
+      end
+    end
+
+    context "when the bundler-audit command cannot be executed" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit',subcommand).and_return(nil)
+      end
+
+      it do
+        expect {
+          subject.bundler_audit(subcommand)
+        }.to raise_error(described_class::CommandNotFound,"bundler-audit could not be executed")
+      end
+    end
+  end
+
+  describe "#check" do
+    context "when the command exits successfully" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','check').and_return(true)
+      end
+
+      it "must return true" do
+        expect(subject.check).to be(true)
+      end
+    end
+
+    context "when there vulnerabilities are found" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','check').and_return(false)
+      end
+
+      it "must exit with a non-zero error code" do
+        expect(subject).to receive(:exit).with($?.exitstatus)
+
+        subject.check
+      end
+    end
+
+    context "when the bundler-audit command cannot be executed" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','check').and_return(nil)
+      end
+
+      it do
+        expect {
+          subject.check
+        }.to raise_error(described_class::CommandNotFound,"bundler-audit could not be executed")
+      end
+    end
+  end
+
+  describe "#update" do
+    context "when the command exits successfully" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','update').and_return(true)
+      end
+
+      it "must return true" do
+        expect(subject.update).to be(true)
+      end
+    end
+
+    context "when there vulnerabilities are found" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','update').and_return(false)
+      end
+
+      it "must exit with a non-zero error code" do
+        expect(subject).to receive(:exit).with($?.exitstatus)
+
+        subject.update
+      end
+    end
+
+    context "when the bundler-audit command cannot be executed" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','update').and_return(nil)
+      end
+
+      it do
+        expect {
+          subject.update
+        }.to raise_error(described_class::CommandNotFound,"bundler-audit could not be executed")
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.9.3
 platform: ruby
 authors:
 - Postmodern
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-20 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -31,9 +30,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.2.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -41,9 +37,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.2.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
 description: bundler-audit provides patch-level verification for Bundled apps.
 email: postmodern.mod3@gmail.com
 executables:
@@ -124,12 +117,16 @@ files:
 - spec/results/unpatched_gem_spec.rb
 - spec/scanner_spec.rb
 - spec/spec_helper.rb
+- spec/task_spec.rb
 homepage: https://github.com/rubysec/bundler-audit#readme
 licenses:
-- GPL-3.0+
+- GPL-3.0-or-later
 metadata:
+  documentation_uri: https://rubydoc.info/gems/bundler-audit
+  source_code_uri: https://github.com/rubysec/bundler-audit
+  bug_tracker_uri: https://github.com/rubysec/bundler-audit/issues
+  changelog_uri: https://github.com/rubysec/bundler-audit/blob/master/ChangeLog.md
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -144,23 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.8.0
 requirements: []
-rubygems_version: 3.2.33
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Patch-level verification for Bundler
-test_files:
-- spec/advisory_spec.rb
-- spec/audit_spec.rb
-- spec/cli/formats/json_spec.rb
-- spec/cli/formats/junit_spec.rb
-- spec/cli/formats/text_spec.rb
-- spec/cli/formats_spec.rb
-- spec/cli_spec.rb
-- spec/configuration_spec.rb
-- spec/database_spec.rb
-- spec/integration_spec.rb
-- spec/report_spec.rb
-- spec/results/insecure_source_spec.rb
-- spec/results/result_spec.rb
-- spec/results/unpatched_gem_spec.rb
-- spec/scanner_spec.rb
+test_files: []