bundler-audit 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 650484979d4eb765a3c725eb4b31303d24fe5b59
-  data.tar.gz: dfc8d83b2c4488bf7284103276941bd4ab8d5f1c
+  metadata.gz: b0f922ef909402f6b0285e60d2a36e772b2427a2
+  data.tar.gz: ba58dffc77a682e3441b76a1b4ce3983b6d675e3
 SHA512:
-  metadata.gz: 4da6b5b6f801ee56c94b581c2190d0cf0f607c347269b1ad5c5b3ce3bfbfdcf4e8679abc9f4d5f34542587936beede85315ba25ebc78dffe077e52ac670ecc62
-  data.tar.gz: 961867353bb8145023a2f9ab6ba41e609c8594c697adc1c6c3e4e86708e3d39b9c6326a1d8baafeff521101a8109f0b9a9edf15e8ded29383e9e29606f36a523
+  metadata.gz: af61e9d2970568342a984a4dc0b617ed42fb9bff22cb510dda8daac2460bc0023c2a9f1e33b3d36e1f3e7ea92a12fdf0cefc769da3bc302da41e61996b635808
+  data.tar.gz: ae6ef78b2786d7b0da5b90ee8a450116e501ffe5ad4f29094a55c4bcd86b16408a712cbb5f3cc44334b9cc7ef9cd8939ca9abef493f59a7474050bb13c2b4359

data/.travis.yml

@@ -1,7 +1,12 @@
+language: ruby
 rvm:
-  - 1.9.3
-  - 2.0
-  - 2.1
-  - 2.2
-before_install:
-  - gem install rspec
+  - 2.1.8
+  - 2.2.4
+  - 2.3.0
+  - jruby
+  - rbx-3
+
+matrix:
+  allow_failures:
+    - rvm: jruby
+    - rvm: rbx-3

data/ChangeLog.md

@@ -1,4 +1,10 @@
-### 0.5.0 / 2015-02-28
+### 0.6.0 / 2017-07-18
+
+* Added `--quiet` option to `check` and `update` commands (@jaredbeck).
+* Added `bin/bundler-audit` which will be executed when `bundle audit` is ran
+  (@vassilevsky).
+
+### 0.5.0 / 2016-02-28
 
 * Added {Bundler::Audit::Task}.
 * Added {Bundler::Audit::Advisory#date}.

data/Gemfile

@@ -3,7 +3,7 @@ source 'https://rubygems.org/'
 gemspec
 
 group :development do
-  gem 'rake',           '~> 10.0'
+  gem 'rake'
   gem 'kramdown',       '~> 0.14'
 
   gem 'rubygems-tasks', '~> 0.2'

data/README.md

@@ -21,9 +21,9 @@ Patch-level verification for [Bundler][bundler].
 
 ## Synopsis
 
-Audit a projects `Gemfile.lock`:
+Audit a project's `Gemfile.lock`:
 
-    $ bundle-audit
+    $ bundle audit
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-91452
@@ -82,9 +82,9 @@ Audit a projects `Gemfile.lock`:
 
     Unpatched versions found!
 
-Update the [ruby-advisory-db] that `bundle-audit` uses:
+Update the [ruby-advisory-db] that `bundle audit` uses:
 
-    $ bundle-audit update
+    $ bundle audit update
     Updating ruby-advisory-db ...
     remote: Counting objects: 44, done.
     remote: Compressing objects: 100% (24/24), done.
@@ -110,16 +110,16 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
 
 Update the [ruby-advisory-db] and check `Gemfile.lock` (useful for CI runs):
 
-    $ bundle-audit check --update
+    $ bundle audit check --update
 
 Ignore specific advisories:
 
-    $ bundle-audit check --ignore OSVDB-108664
+    $ bundle audit check --ignore OSVDB-108664
 
 Rake task:
 
 ```ruby
-require_relative 'lib/bundler/audit/task'
+require 'bundler/audit/task'
 Bundler::Audit::Task.new
 
 task default: 'bundle:audit'
@@ -136,6 +136,12 @@ task default: 'bundle:audit'
 
     $ gem install bundler-audit
 
+## Contributing
+
+1. Clone the repo
+1. `git submodule update --init` # To populate data dir.
+1. `bundle exec rake`
+
 ## License
 
 Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)

data/bin/bundler-audit

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+
+load File.expand_path('../bundle-audit', __FILE__)

data/data/ruby-advisory-db.ts

@@ -1 +1 @@
-2016-01-26 04:57:48 UTC
+2017-06-13 16:51:56 UTC

data/data/ruby-advisory-db/.gitignore

@@ -1,2 +1 @@
-Gemfile.lock
 _site

data/data/ruby-advisory-db/.travis.yml

@@ -4,12 +4,6 @@ sudo: false
 
 cache: bundler
 
-deploy:
-  provider: script
-  script: scripts/post-advisories.sh
-  on:
-    branch: master
-
 notifications:
   irc: chat.freenode.net#rubysec
 

data/data/ruby-advisory-db/CONTRIBUTING.md

@@ -10,32 +10,40 @@ bundle install
 bundle exec rspec
 ```
 
-* Follow the schema. Here is a sample advisory:
+* Follow the schema. Here is an example advisory:
 
 ```yaml
     ---
-    gem: activerecord
-    framework: rails
-    cve: 2014-3514
-    url: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
-    title: Data Injection Vulnerability in Active Record 
-    date: 2014-08-18
-
-    description: >-
-      The create_with functionality in Active Record was implemented
-      incorrectly and completely bypasses the strong parameters
-      protection. Applications which pass user-controlled values to
-      create_with could allow attackers to set arbitrary attributes on
-      models.
-      
-    cvss_v2: 8.7
+    gem: examplegem
+    cve: 2013-0156
+    url: https://github.com/rubysec/ruby-advisory-db/issues/123456
+    title: |
+      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
+      Remote Code Execution
 
-    unaffected_versions:
-      - "< 4.0.0"
+    description: |
+      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
+      The issue is triggered when a type casting error occurs during the parsing
+      of parameters. This may allow a remote attacker to potentially execute
+      arbitrary code.
+
+    cvss_v2: 10.0
 
     patched_versions:
-      - ~> 4.0.9 
-      - ">= 4.1.5"
+      - ~> 2.3.15
+      - ~> 3.0.19
+      - ~> 3.1.10
+      - ">= 3.2.11"
+    unaffected_versions:
+      - ~> 2.4.3
+
+    related:
+      cve:
+        - 2013-1234567
+        - 2013-1234568
+      url:
+        - https://github.com/rubysec/ruby-advisory-db/issues/123457
+
 ```
 ### Schema
 
@@ -43,14 +51,19 @@ bundle exec rspec
 * `framework` \[String\] (optional): Name of framework gem belongs to.
 * `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
 * `cve` \[String\]: CVE id.
-* `osvdb` \[Fixnum\]: OSVDB id.
+* `osvdb` \[Integer\]: OSVDB id.
 * `url` \[String\]: The URL to the full advisory.
 * `title` \[String\]: The title of the advisory.
 * `date` \[Date\]: Disclosure date of the advisory.
 * `description` \[String\]: Multi-paragraph description of the vulnerability.
 * `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
+* `cvss_v3` \[Float\]: The [CVSSv3] score for the vulnerability.
 * `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
   unaffected versions of the Ruby library.
 * `patched_versions` \[Array\<String\>\]: The version requirements for the
   patched versions of the Ruby library.
+* `related` \[Hash\<Array\<String\>\>\]: Sometimes an advisory references many urls and cves. Supported keys: `cve` and `url`
+
 
+[CVSSv2]: https://www.first.org/cvss/v2/guide
+[CVSSv3]: https://www.first.org/cvss/user-guide

data/data/ruby-advisory-db/CONTRIBUTORS.md

@@ -34,5 +34,7 @@ This database would not be possible without volunteers willing to submit pull re
 * [Andrew Selder](https://github.com/aselder)
 * [Vanessa Henderson](https://github.com/VanessaHenderson)
 * [Reed Loden](https://github.com/reedloden)
+* [ecneladis](https://github.com/ecneladis)
+* [Brendan Coles](https://github.com/bcoles)
 
 The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).

data/data/ruby-advisory-db/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rspec', '3.3.0'
+gem 'rspec'
 gem 'rake'
 
 group :development do

data/data/ruby-advisory-db/README.md

@@ -1,53 +1,60 @@
 # Ruby Advisory Database
 
-The Ruby Advisory Database aims to compile all advisories that are relevant to Ruby libraries.
+The Ruby Advisory Database is a community effort to compile all security advisories that are relevant to Ruby libraries.
 
-## Goals
+You can check your own Gemfile.locks against this database by using [bundler-audit](https://github.com/rubysec/bundler-audit).
 
-1. Provide advisory **metadata** in a **simple** yet **structured** [YAML]
-   schema for automated tools to consume.
-2. Avoid reinventing [CVE]s.
-3. Avoid duplicating the efforts of the [OSVDB].
+## Support Ruby security!
+
+Do you know about a vulnerability that isn't listed in this database? Open an issue, submit a PR, or [use this form](https://rubysec.com/advisories/new) which will email the maintainers.
 
 ## Directory Structure
 
 The database is a list of directories that match the names of Ruby libraries on
 [rubygems.org]. Within each directory are one or more advisory files
-for the Ruby library. These advisory files are typically named using
-the advisories [OSVDB] identifier number.
+for the Ruby library. These advisory files are named using
+the advisories' [CVE] identifier number.
 
     gems/:
       actionpack/:
-        OSVDB-79727.yml  OSVDB-84513.yml  OSVDB-89026.yml  OSVDB-91454.yml
-        OSVDB-84243.yml  OSVDB-84515.yml  OSVDB-91452.yml
+        CVE-2014-0130.yml  CVE-2014-7818.yml  CVE-2014-7829.yml  CVE-2015-7576.yml
+        CVE-2015-7581.yml  CVE-2016-0751.yml  CVE-2016-0752.yml
 
 ## Format
 
 Each advisory file contains the advisory information in [YAML] format:
 
     ---
-    gem: actionpack
-    framework: rails
+    gem: examplegem
     cve: 2013-0156
-    osvdb: 89026
-    url: http://osvdb.org/show/osvdb/89026
+    url: https://github.com/rubysec/ruby-advisory-db/issues/123456
     title: |
       Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
-      Remote Code Execution 
-    
+      Remote Code Execution
+
     description: |
       Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
       The issue is triggered when a type casting error occurs during the parsing
       of parameters. This may allow a remote attacker to potentially execute
       arbitrary code.
-    
+
     cvss_v2: 10.0
-    
+
     patched_versions:
       - ~> 2.3.15
       - ~> 3.0.19
       - ~> 3.1.10
       - ">= 3.2.11"
+    unaffected_versions:
+      - ~> 2.4.3
+
+    related:
+      cve:
+        - 2013-1234567
+        - 2013-1234568
+      url:
+        - https://github.com/rubysec/ruby-advisory-db/issues/123457
+
 
 ### Schema
 
@@ -55,16 +62,26 @@ Each advisory file contains the advisory information in [YAML] format:
 * `framework` \[String\] (optional): Name of framework gem belongs to.
 * `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
 * `cve` \[String\]: CVE id.
-* `osvdb` \[Fixnum\]: OSVDB id.
+* `osvdb` \[Integer\]: OSVDB id.
 * `url` \[String\]: The URL to the full advisory.
 * `title` \[String\]: The title of the advisory.
 * `date` \[Date\]: Disclosure date of the advisory.
 * `description` \[String\]: Multi-paragraph description of the vulnerability.
 * `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
+* `cvss_v3` \[Float\]: The [CVSSv3] score for the vulnerability.
 * `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
   unaffected versions of the Ruby library.
 * `patched_versions` \[Array\<String\>\]: The version requirements for the
   patched versions of the Ruby library.
+* `related` \[Hash\<Array\<String\>\>\]: Sometimes an advisory references many urls and cves. Supported keys: `cve` and `url`
+
+### Tests
+Prior to submitting a pull request, run the tests:
+
+```
+bundle install
+bundle exec rspec
+```
 
 ## Credits
 
@@ -76,7 +93,7 @@ developed by the Open Security Foundation (OSF) and its contributors.
 [rubygems.org]: https://rubygems.org/
 [CVE]: http://cve.mitre.org/
 [OSVDB]: http://www.osvdb.org/
-[CVSSv2]: http://www.first.org/cvss/cvss-guide.html
-[OSVDB]: http://www.osvdb.org/
+[CVSSv2]: https://www.first.org/cvss/v2/guide
+[CVSSv3]: https://www.first.org/cvss/user-guide
 [YAML]: http://www.yaml.org/
 [CONTRIBUTORS.md]: https://github.com/rubysec/ruby-advisory-db/blob/master/CONTRIBUTORS.md

data/data/ruby-advisory-db/gems/RedCloth/{OSVDB-115941.yml → CVE-2012-6684.yml}

@@ -2,7 +2,7 @@
 gem: RedCloth
 cve: 2012-6684
 osvdb: 115941
-url: http://www.osvdb.org/show/osvdb/115941
+url: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6684
 title: RedCloth Gem for Ruby Textile Link Parsing XSS
 date: 2012-02-29
 description: |
@@ -14,3 +14,8 @@ description: |
   their browser and the server.
 cvss_v2: 4.3
 patched_versions:
+  - ">= 4.3.0"
+related:
+  url:
+    - https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c
+    - http://co3k.org/blog/redcloth-unfixed-xss-en

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7576.yml

@@ -8,109 +8,109 @@ url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k"
 title: Timing attack vulnerability in basic authentication in Action Controller.
 
 description: |
-    There is a timing attack vulnerability in the basic authentication support 
-    in Action Controller. This vulnerability has been assigned the CVE 
-    identifier CVE-2015-7576. 
-
-    Versions Affected:  All. 
-    Not affected:       None. 
-    Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 
-
-    Impact 
-    ------ 
-    Due to the way that Action Controller compares user names and passwords in 
-    basic authentication authorization code, it is possible for an attacker to 
-    analyze the time taken by a response and intuit the password. 
-
-    For example, this string comparison: 
-
-      "foo" == "bar" 
-
-    is possibly faster than this comparison: 
-
-      "foo" == "fo1" 
-
-    Attackers can use this information to attempt to guess the username and 
-    password used in the basic authentication system. 
-
-    You can tell you application is vulnerable to this attack by looking for 
-    `http_basic_authenticate_with` method calls in your application. 
-
-    All users running an affected release should either upgrade or use one of 
-    the workarounds immediately. 
-
-    Releases 
-    -------- 
-    The FIXED releases are available at the normal locations. 
-
-    Workarounds 
-    ----------- 
-    If you can't upgrade, please use the following monkey patch in an initializer 
-    that is loaded before your application: 
-
-    ``` 
-    $ cat config/initializers/basic_auth_fix.rb 
-    module ActiveSupport 
-      module SecurityUtils 
-        def secure_compare(a, b) 
-          return false unless a.bytesize == b.bytesize 
-
-          l = a.unpack "C#{a.bytesize}" 
-
-          res = 0 
-          b.each_byte { |byte| res |= byte ^ l.shift } 
-          res == 0 
-        end 
-        module_function :secure_compare 
-
-        def variable_size_secure_compare(a, b) 
-          secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) 
-        end 
-        module_function :variable_size_secure_compare 
-      end 
-    end 
-
-    module ActionController 
-      class Base 
-        def self.http_basic_authenticate_with(options = {}) 
-          before_action(options.except(:name, :password, :realm)) do 
-            authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password| 
-              # This comparison uses & so that it doesn't short circuit and 
-              # uses `variable_size_secure_compare` so that length information 
-              # isn't leaked. 
-              ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) & 
-                ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password]) 
-            end 
-          end 
-        end 
-      end 
-    end 
-    ``` 
-
-
-    Patches 
-    ------- 
-    To aid users who aren't able to upgrade immediately we have provided patches for 
-    the two supported release series. They are in git-am format and consist of a 
-    single changeset. 
-
-    * 4-1-basic_auth.patch - Patch for 4.1 series 
-    * 4-2-basic_auth.patch - Patch for 4.2 series 
-    * 5-0-basic_auth.patch - Patch for 5.0 series 
-
-    Please note that only the 4.1.x and 4.2.x series are supported at present. Users 
-    of earlier unsupported releases are advised to upgrade as soon as possible as we 
-    cannot guarantee the continued availability of security fixes for unsupported 
-    releases. 
-
-    Credits 
-    ------- 
-
-    Thank you to Daniel Waterworth for reporting the problem and working with us to 
+    There is a timing attack vulnerability in the basic authentication support
+    in Action Controller. This vulnerability has been assigned the CVE
+    identifier CVE-2015-7576.
+
+    Versions Affected:  All.
+    Not affected:       None.
+    Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+
+    Impact
+    ------
+    Due to the way that Action Controller compares user names and passwords in
+    basic authentication authorization code, it is possible for an attacker to
+    analyze the time taken by a response and intuit the password.
+
+    For example, this string comparison:
+
+      "foo" == "bar"
+
+    is possibly faster than this comparison:
+
+      "foo" == "fo1"
+
+    Attackers can use this information to attempt to guess the username and
+    password used in the basic authentication system.
+
+    You can tell you application is vulnerable to this attack by looking for
+    `http_basic_authenticate_with` method calls in your application.
+
+    All users running an affected release should either upgrade or use one of
+    the workarounds immediately.
+
+    Releases
+    --------
+    The FIXED releases are available at the normal locations.
+
+    Workarounds
+    -----------
+    If you can't upgrade, please use the following monkey patch in an initializer
+    that is loaded before your application:
+
+    ```
+    $ cat config/initializers/basic_auth_fix.rb
+    module ActiveSupport
+      module SecurityUtils
+        def secure_compare(a, b)
+          return false unless a.bytesize == b.bytesize
+
+          l = a.unpack "C#{a.bytesize}"
+
+          res = 0
+          b.each_byte { |byte| res |= byte ^ l.shift }
+          res == 0
+        end
+        module_function :secure_compare
+
+        def variable_size_secure_compare(a, b)
+          secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
+        end
+        module_function :variable_size_secure_compare
+      end
+    end
+
+    module ActionController
+      class Base
+        def self.http_basic_authenticate_with(options = {})
+          before_action(options.except(:name, :password, :realm)) do
+            authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
+              # This comparison uses & so that it doesn't short circuit and
+              # uses `variable_size_secure_compare` so that length information
+              # isn't leaked.
+              ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
+                ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+            end
+          end
+        end
+      end
+    end
+    ```
+
+
+    Patches
+    -------
+    To aid users who aren't able to upgrade immediately we have provided patches for
+    the two supported release series. They are in git-am format and consist of a
+    single changeset.
+
+    * 4-1-basic_auth.patch - Patch for 4.1 series
+    * 4-2-basic_auth.patch - Patch for 4.2 series
+    * 5-0-basic_auth.patch - Patch for 5.0 series
+
+    Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+    of earlier unsupported releases are advised to upgrade as soon as possible as we
+    cannot guarantee the continued availability of security fixes for unsupported
+    releases.
+
+    Credits
+    -------
+
+    Thank you to Daniel Waterworth for reporting the problem and working with us to
     fix it.
 
 patched_versions:
-  - "~> 5.0.0.beta1.1"
-  - "~> 4.2.5.1" 
-  - "~> 4.1.14.1"
+  - ">= 5.0.0.beta1.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"
   - "~> 3.2.22.1"