bundler-audit 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0a34b6a79c055b51422c7c3225428947ca6b587e
-  data.tar.gz: 724414726507e87d679a561759e9dcbdd90aecfc
+  metadata.gz: 679e11f046f11e432067d55398791fdbf03536b3
+  data.tar.gz: ad6bb67d40dae3ee0346ffe18caa11ee19e142e6
 SHA512:
-  metadata.gz: b3c59aadb9c0f2ed1b8d3a91bf6866e54295ed78105531ff1362c5ef65f264ac02699c53d3e8e3d08f025ebc9e38ef5917de4fa9906b66e2e209131a14665e42
-  data.tar.gz: f82127fe64b6bb856483ee82f5ab642fee371d4c84695e05beef44414857e4c95dd7f5a1e27244af9b2c81e9364a16027bb333ab123a547ab1a9bf6654a5f3df
+  metadata.gz: 48e2f1e83c0122d4629e4ddd02d448f90578527b40a1a0fccf331903413fbb2f3df7952399723914c0e0450f6682187af4301404b98bacc61ad794b5633a3023
+  data.tar.gz: 2c868a8106f74e45ffe9bcf02d1578d7326c4bea0a12baddf79ab7bd9dc059b599b39e0a41d167a0bc6d0bbbf01a8dc7e5f28a53849fea88a7214da400f5b52a

data/ChangeLog.md

@@ -1,12 +1,24 @@
+### 0.3.0 / 2013-10-31
+
+* Added {Bundler::Audit::Database.update!} which uses `git` to download
+  [ruby-advisory-db] to `~/.local/share/ruby-advisory-db`.
+* {Bundler::Audit::Database.path} now returns the path to either
+  `~/.local/share/ruby-advisory-db` or the vendored copy, depending on which
+  is more recent.
+
+#### CLI
+
+* Added the `bundle-audit update` sub-command.
+
 ### 0.2.0 / 2013-03-05
 
 * Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
   parse approximate version requirements (`~> 1.2.3`).
 * Updated the [ruby-advisory-db].
-* Added {Bundle::Audit::Advisory#unaffected_versions}.
-* Added {Bundle::Audit::Advisory#unaffected?}.
-* Added {Bundle::Audit::Advisory#patched?}.
-* Renamed `Advisory#cve` to {Bundle::Audit::Advisory#id}.
+* Added {Bundler::Audit::Advisory#unaffected_versions}.
+* Added {Bundler::Audit::Advisory#unaffected?}.
+* Added {Bundler::Audit::Advisory#patched?}.
+* Renamed `Advisory#cve` to {Bundler::Audit::Advisory#id}.
 
 ### 0.1.2 / 2013-02-17
 

data/README.md

@@ -23,6 +23,7 @@ Patch-level verification for [Bundler][bundler].
 
 Audit a projects `Gemfile.lock`:
 
+    $ bundle-audit
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-91452
@@ -81,6 +82,32 @@ Audit a projects `Gemfile.lock`:
     
     Unpatched versions found!
 
+Update the [ruby-advisory-db] that `bundle-audit` uses:
+
+    $ bundle-audit update
+    Updating ruby-advisory-db ...
+    remote: Counting objects: 44, done.
+    remote: Compressing objects: 100% (24/24), done.
+    remote: Total 39 (delta 19), reused 29 (delta 10)
+    Unpacking objects: 100% (39/39), done.
+    From https://github.com/rubysec/ruby-advisory-db
+     * branch            master     -> FETCH_HEAD
+    Updating 5f8225e..328ca86
+    Fast-forward
+     CONTRIBUTORS.md                    |  1 +
+     gems/actionmailer/OSVDB-98629.yml  | 17 +++++++++++++++++
+     gems/cocaine/OSVDB-98835.yml       | 15 +++++++++++++++
+     gems/fog-dragonfly/OSVDB-96798.yml | 13 +++++++++++++
+     gems/sounder/OSVDB-96278.yml       | 13 +++++++++++++
+     gems/wicked/OSVDB-98270.yml        | 14 ++++++++++++++
+     6 files changed, 73 insertions(+)
+     create mode 100644 gems/actionmailer/OSVDB-98629.yml
+     create mode 100644 gems/cocaine/OSVDB-98835.yml
+     create mode 100644 gems/fog-dragonfly/OSVDB-96798.yml
+     create mode 100644 gems/sounder/OSVDB-96278.yml
+     create mode 100644 gems/wicked/OSVDB-98270.yml
+    ruby-advisory-db: 64 advisories
+
 ## Requirements
 
 * [bundler] ~> 1.2

data/Rakefile

@@ -23,13 +23,16 @@ require 'rake'
 require 'rubygems/tasks'
 Gem::Tasks.new
 
-desc 'Updates data/ruby-advisory-db'
-task :update do
-  chdir 'data/ruby-advisory-db' do
-    sh 'git', 'pull', 'origin', 'master'
-  end
+namespace :db do
+  desc 'Updates data/ruby-advisory-db'
+  task :update do
+    chdir 'data/ruby-advisory-db' do
+      sh 'git', 'pull', 'origin', 'master'
+    end
 
-  sh 'git', 'commit', 'data/ruby-advisory-db', '-m', 'Updated ruby-advisory-db'
+    sh 'git', 'commit', 'data/ruby-advisory-db',
+                        '-m', 'Updated ruby-advisory-db'
+  end
 end
 
 require 'rspec/core/rake_task'

data/data/ruby-advisory-db/.gitignore

@@ -0,0 +1 @@
+Gemfile.lock

data/data/ruby-advisory-db/CONTRIBUTORS.md

@@ -11,3 +11,4 @@ Thanks,
 * [Oliver Legg](https://github.com/olly)
 * [Larry W. Cashdollar](http://vapid.dhs.org/)
 * [Michael Grosser](https://github.com/grosser)
+* [Sascha Korth](https://github.com/skorth)

data/data/ruby-advisory-db/README.md

@@ -14,15 +14,12 @@ The Ruby Advisory Database aims to compile all advisories that are relevant to R
 The database is a list of directories that match the names of Ruby libraries on
 [rubygems.org]. Within each directory are one or more advisory files
 for the Ruby library. These advisory files are typically named using
-the advisories [CVE] identifier number.
+the advisories [OSVDB] identifier number.
 
     gems/:
       actionpack/:
-        CVE-2012-1099.yml  CVE-2012-3463.yml  CVE-2013-0156.yml
-        CVE-2013-1857.yml  CVE-2012-3424.yml  CVE-2012-3465.yml
-        CVE-2013-1855.yml
-
-If an advisory does not yet have a [CVE], [requesting a CVE][1] is easy.
+        OSVDB-79727.yml  OSVDB-84513.yml  OSVDB-89026.yml  OSVDB-91454.yml
+        OSVDB-84243.yml  OSVDB-84515.yml  OSVDB-91452.yml
 
 ## Format
 
@@ -78,9 +75,8 @@ developed by the Open Security Foundation (OSF) and its contributors.
 
 [rubygems.org]: https://rubygems.org/
 [CVE]: http://cve.mitre.org/
+[OSVDB]: http://www.osvdb.org/
 [CVSSv2]: http://www.first.org/cvss/cvss-guide.html
 [OSVDB]: http://www.osvdb.org/
 [YAML]: http://www.yaml.org/
 [CONTRIBUTORS.md]: https://github.com/rubysec/ruby-advisory-db/blob/master/CONTRIBUTORS.md
-
-[1]: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

data/data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml

@@ -0,0 +1,17 @@
+---
+gem: actionmailer
+cve: 2013-4389
+osvdb: 98629
+url: http://www.osvdb.org/show/osvdb/98629
+title: Action Mailer Gem for Ruby contains a possible DoS Vulnerability
+date: 2013-10-16
+description: Action Mailer Gem for Ruby contains a format string flaw in
+  the Log Subscriber component. The issue is triggered as format string
+  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied
+  input when handling email addresses. This may allow a remote attacker
+  to cause a denial of service
+cvss_v2: 4.3
+unaffected_versions:
+  - ~> 2.3.2
+patched_versions: 
+  - '>= 3.2.15'

data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml

@@ -0,0 +1,15 @@
+---
+gem: cocaine
+cve: 2013-4457
+osvdb: 98835
+url: http://www.osvdb.org/show/osvdb/98835
+title: Cocaine Gem for Ruby contains a flaw
+date: 2013-10-22
+description: Cocaine Gem for Ruby contains a flaw that is due to the method
+  of variable interpolation used by the program. With a specially crafted
+  object, a context-dependent attacker can execute arbitrary commands.
+cvss_v2:
+unaffected_versions:
+  - ~> 0.3.0
+patched_versions: 
+  - '>= 0.5.3'

data/data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml

@@ -0,0 +1,13 @@
+---
+gem: fog-dragonfly
+cve: 2013-5671
+osvdb: 96798
+url: http://www.osvdb.org/show/osvdb/96798
+title: fog-dragonfly Gem for Ruby imagemagickutils.rb Remote Command Execution
+date: 2013-09-03
+description: fog-dragonfly Gem for Ruby contains a flaw that is due to the program
+  failing to properly sanitize input passed via the imagemagickutils.rb script. This
+  may allow a remote attacker to execute arbitrary commands.
+cvss_v2:
+patched_versions:
+- ">= 0.8.4"

data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml

@@ -0,0 +1,16 @@
+--- 
+gem: redis-namespace
+osvdb: 96425
+url: http://www.osvdb.org/show/osvdb/96425
+title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
+date: 2013-08-03
+description: |
+  redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
+  The issue is triggered when handling exec commands called via send(). This may allow a
+  remote attacker to execute arbitrary commands.
+cvss_v2:
+patched_versions: 
+  - ">= 1.3.1"
+  - ">= 1.2.2"
+  - ">= 1.1.1"
+  - ">= 1.0.4"

data/data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml

@@ -0,0 +1,13 @@
+---
+gem: sounder
+cve: 2013-5647
+osvdb: 96278
+url: http://www.osvdb.org/show/osvdb/96278
+title: Sounder Gem for Ruby File Name Handling Arbitrary Command Execution
+date: 2013-08-14
+description: Sounder Gem for Ruby contains a flaw that is triggered during the handling
+  of file names. This may allow a context-dependent attacker to execute arbitrary
+  commands.
+cvss_v2: 7.5
+patched_versions: 
+- '>= 1.0.2'

data/data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml

@@ -0,0 +1,14 @@
+---
+gem: wicked
+cve: 2013-4413
+osvdb: 98270
+url: http://www.osvdb.org/show/osvdb/98270
+title: Wicked Gem for Ruby contains a flaw
+date: 2013-10-08
+description: Wicked Gem for Ruby contains a flaw that is due to the program
+  failing to properly sanitize input passed via the 'the_step' parameter
+  upon submission to the render_redirect.rb script.
+  This may allow a remote attacker to gain access to arbitrary files.
+cvss_v2:
+patched_versions: 
+  - '>= 1.0.1'

data/lib/bundler/audit/advisory.rb

@@ -82,7 +82,7 @@ module Bundler
       # Checks whether the version is not affected by the advisory.
       #
       # @param [Gem::Version] version
-      #   The version to compare against {#unaffected_version}.
+      #   The version to compare against {#unaffected_versions}.
       #
       # @return [Boolean]
       #   Specifies whether the version is not affected by the advisory.
@@ -99,7 +99,7 @@ module Bundler
       # Checks whether the version is patched against the advisory.
       #
       # @param [Gem::Version] version
-      #   The version to compare against {#patched_version}.
+      #   The version to compare against {#patched_versions}.
       #
       # @return [Boolean]
       #   Specifies whether the version is patched against the advisory.

data/lib/bundler/audit/cli.rb

@@ -55,6 +55,14 @@ module Bundler
         end
       end
 
+      desc 'update', 'Updates the ruby-advisory-db'
+      def update
+        say "Updating ruby-advisory-db ..."
+
+        Database.update!
+        puts "ruby-advisory-db: #{Database.new.size} advisories"
+      end
+
       desc 'version', 'Prints the bundler-audit version'
       def version
         database = Database.new

data/lib/bundler/audit/database.rb

@@ -17,6 +17,7 @@
 
 require 'bundler/audit/advisory'
 
+require 'time'
 require 'yaml'
 
 module Bundler
@@ -27,8 +28,14 @@ module Bundler
     #
     class Database
 
-      # directory containing advisories
-      PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-advisory-db','gems'))
+      # Git URL of the ruby-advisory-db
+      URL = 'https://github.com/rubysec/ruby-advisory-db.git'
+
+      # Default path to the ruby-advisory-db
+      VENDORED_PATH =  File.expand_path(File.join(File.dirname(__FILE__),'..','..','..','data','ruby-advisory-db'))
+
+      # Path to the user's copy of the ruby-advisory-db
+      USER_PATH = File.join(Gem.user_home,'.local','share','ruby-advisory-db')
 
       # The path to the advisory database
       attr_reader :path
@@ -42,7 +49,7 @@ module Bundler
       # @raise [ArgumentError]
       #   The path was not a directory.
       #
-      def initialize(path=PATH)
+      def initialize(path=self.class.path)
         unless File.directory?(path)
           raise(ArgumentError,"#{path.dump} is not a directory")
         end
@@ -50,6 +57,46 @@ module Bundler
         @path = path
       end
 
+      #
+      # The default path for the database.
+      #
+      # @return [String]
+      #   The path to the database directory.
+      #
+      def self.path
+        if File.directory?(USER_PATH)
+          t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --pretty="%cd" -1`) }
+          t2 = File.ctime(VENDORED_PATH)
+
+          if t1 >= t2 then USER_PATH
+          else             VENDORED_PATH
+          end
+        else
+          VENDORED_PATH
+        end
+      end
+
+      #
+      # Updates the ruby-advisory-db.
+      #
+      # @return [Boolean]
+      #   Specifies whether the update was successful.
+      #
+      # @note
+      #   Requires network access.
+      #
+      # @since 0.3.0
+      #
+      def self.update!
+        if File.directory?(USER_PATH)
+          Dir.chdir(USER_PATH) do
+            system 'git', 'pull', 'origin', 'master'
+          end
+        else
+          system 'git', 'clone', URL, USER_PATH
+        end
+      end
+
       #
       # Enumerates over every advisory in the database.
       #
@@ -161,7 +208,7 @@ module Bundler
       #   A path to an advisory `.yml` file.
       #
       def each_advisory_path(&block)
-        Dir.glob(File.join(@path,'*','*.yml'),&block)
+        Dir.glob(File.join(@path,'gems','*','*.yml'),&block)
       end
 
       #
@@ -177,7 +224,7 @@ module Bundler
       #   A path to an advisory `.yml` file.
       #
       def each_advisory_path_for(name,&block)
-        Dir.glob(File.join(@path,name,'*.yml'),&block)
+        Dir.glob(File.join(@path,'gems',name,'*.yml'),&block)
       end
 
     end

data/lib/bundler/audit/version.rb

@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.2.0'
+    VERSION = '0.3.0'
   end
 end

data/spec/advisory_spec.rb

@@ -3,10 +3,10 @@ require 'bundler/audit/database'
 require 'bundler/audit/advisory'
 
 describe Bundler::Audit::Advisory do
-  let(:root) { Bundler::Audit::Database::PATH }
+  let(:root) { Bundler::Audit::Database::VENDORED_PATH }
   let(:gem)  { 'actionpack' }
   let(:id)   { 'OSVDB-84243' }
-  let(:path) { File.join(root,gem,"#{id}.yml") }
+  let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
 
   describe "load" do
     let(:data) { YAML.load_file(path) }

data/spec/bundle/secure/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '3.2.14'
+gem 'rails', '3.2.15'
 
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'

data/spec/database_spec.rb

@@ -3,8 +3,8 @@ require 'bundler/audit/database'
 require 'tmpdir'
 
 describe Bundler::Audit::Database do
-  describe "PATH" do
-    subject { described_class::PATH }
+  describe "path" do
+    subject { described_class.path }
 
     it "it should be a directory" do
       File.directory?(subject).should be_true
@@ -15,8 +15,8 @@ describe Bundler::Audit::Database do
     context "when given no arguments" do
       subject { described_class.new }
 
-      it "should default path to PATH" do
-        subject.path.should == described_class::PATH
+      it "should default path to path" do
+        subject.path.should == described_class.path
       end
     end
 

data/spec/integration_spec.rb

@@ -21,6 +21,14 @@ describe "CLI" do
 
     it "should print advisory information for the vulnerable gems" do
       expect = %{
+Name: actionmailer
+Version: 3.2.10
+Advisory: OSVDB-98629
+Criticality: Medium
+URL: http://www.osvdb.org/show/osvdb/98629
+Title: Action Mailer Gem for Ruby contains a possible DoS Vulnerability
+Solution: upgrade to >= 3.2.15
+
 Name: actionpack
 Version: 3.2.10
 Advisory: OSVDB-91452

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Postmodern
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-08-27 00:00:00.000000000 Z
+date: 2013-11-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -63,6 +63,7 @@ files:
 - spec/integration_spec.rb
 - spec/scanner_spec.rb
 - spec/spec_helper.rb
+- data/ruby-advisory-db/.gitignore
 - data/ruby-advisory-db/.rspec
 - data/ruby-advisory-db/CONTRIBUTING.md
 - data/ruby-advisory-db/CONTRIBUTORS.md
@@ -70,6 +71,7 @@ files:
 - data/ruby-advisory-db/LICENSE.txt
 - data/ruby-advisory-db/README.md
 - data/ruby-advisory-db/Rakefile
+- data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml
 - data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml
@@ -87,6 +89,7 @@ files:
 - data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml
 - data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml
 - data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml
+- data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml
 - data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml
 - data/ruby-advisory-db/gems/crack/OSVDB-90742.yml
 - data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml
@@ -100,6 +103,7 @@ files:
 - data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml
 - data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml
 - data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml
+- data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml
 - data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml
 - data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml
 - data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml
@@ -121,13 +125,16 @@ files:
 - data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml
 - data/ruby-advisory-db/gems/rack/OSVDB-89939.yml
 - data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml
+- data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml
 - data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml
 - data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml
+- data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91216.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91217.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91218.yml
 - data/ruby-advisory-db/gems/spree/OSVDB-91219.yml
 - data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml
+- data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml
 - data/ruby-advisory-db/lib/scrape.rb
 - data/ruby-advisory-db/spec/advisory_example.rb
 - data/ruby-advisory-db/spec/gems_spec.rb
@@ -152,7 +159,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.8.0
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.5
+rubygems_version: 2.0.12
 signing_key: 
 specification_version: 4
 summary: Patch-level verification for Bundler