bundler-audit 0.8.0.rc1 → 0.8.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 94290135207c14256ac6d7251be3f0641619ec1273c562bb9c14a1b8ee8e28d5
-  data.tar.gz: 83d1b6b88e88d5c850d7daadde5d3235389c9620ab35414d78f1be13cd54387d
+  metadata.gz: 5d68852584664d93222c7f24f8d7d2f42038e32addf0b79953e4f9ea41c4a803
+  data.tar.gz: 929bf4dcf07474ce2222d119377e34630572ca68c1d821ff48056d006c6a731c
 SHA512:
-  metadata.gz: 28a461def90014d7d1dea437c17637d342bb8a46a08d1874091effa135a9303b621428ecf57d497867db2a9bda4d76bea032197e447edf8730432558ee1208cd
-  data.tar.gz: 400fb39383074b315b5d2d7e9339da907f24554c99a00358bd309ca7d6101443229997bb49cb54d8d473e4d6acf3793b294c795349dcc3d0615683e283fbd17a
+  metadata.gz: 27f710fb3917beda059a73b41729a1c9ab0d2c4b7472b7ede77c2bbfbd1085deb9cb09eb154c7e4a5a1f41f516f50a27f79110e534d943f56170633c9e2338cc
+  data.tar.gz: 48800f8b91c823b69606b38a172a58ff37a2ad64ead80f087da80efcd6cbd0991cc716cbbaa9efc3925690f9da47c750e9c218624aa0b02fad209b6b092aab7b

data/.github/FUNDING.yml

@@ -0,0 +1,3 @@
+github:
+  - postmodern
+  - reedloden

data/.github/workflows/ruby.yml

@@ -13,8 +13,9 @@ jobs:
           - 2.5
           - 2.6
           - 2.7
+          - 3.0
           - jruby
-          - truffleruby
+          - truffleruby-head
     name: Ruby ${{ matrix.ruby }}
     steps:
       - uses: actions/checkout@v2

data/ChangeLog.md

@@ -37,14 +37,15 @@
 
 #### CLI
 
-* Added `bundle-audit stats`.
-* Added `bundle-audit download`.
-* `bundle-audit check`:
+* Require [thor] ~> 1.0.
+* Added `bundler-audit stats`.
+* Added `bundler-audit download`.
+* `bundler-audit check`:
   * Now accepts a optional `DIR` argument for the project directory.
-    * `bundle-audit check` will now print an explicit error message and exit,
+    * `bundler-audit check` will now print an explicit error message and exit,
       if the given `DIR` does not exist.
-  * Will now auto-download/auto-update [ruby-advisory-db] to
-    ensure the latest advisory information.
+  * Will now auto-download [ruby-advisory-db] to ensure the latest advisory
+    information is used on first run.
   * Now supports a `--database` option for specifying a path
     to an alternative [ruby-advisory-db] copy.
   * Now supports a `--gemfile-lock` option for specifying a
@@ -53,6 +54,9 @@
     desired format. `text` and `json` are supported, but other custom formats
     can be loaded. See {Bundler::Audit::CLI::Formats}.
   * Now supports a `--output` option for writing the report output to a file.
+  * Prints both CVE and GHSA IDs.
+* Print all error messages to stderr.
+* No longer print number of advisories in `bundler-audit version`.
 
 ### 0.7.0.1 / 2020-06-12
 
@@ -91,9 +95,9 @@
 
 #### CLI
 
-* Added the `--update` option to `bundle-audit check`.
-* `bundle-audit update` now returns a non-zero exit status on error.
-* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
+* Added the `--update` option to `bundler-audit check`.
+* `bundler-audit update` now returns a non-zero exit status on error.
+* `bundler-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
   repository.
 
 ### 0.4.0 / 2015-06-30
@@ -131,7 +135,7 @@
 
 #### CLI
 
-* Added the `bundle-audit update` sub-command.
+* Added the `bundler-audit update` sub-command.
 
 ### 0.2.0 / 2013-03-05
 

data/README.md

@@ -159,7 +159,7 @@ bundler-audit also supports a per-project configuration file:
 * [git]
 * [ruby] >= 1.9.3
 * [rubygems] >= 1.8
-* [thor] >= 0.18, < 2
+* [thor] ~> 1.0
 * [bundler] >= 1.2.0, < 3
 
 ## Install

data/gemspec.yml

@@ -10,5 +10,5 @@ required_ruby_version: ">= 1.9.3"
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
-  thor: ">= 0.18, < 2"
+  thor: "~> 1.0"
   bundler: ">= 1.2.0, < 3"

data/lib/bundler/audit/cli.rb

@@ -20,6 +20,7 @@ require 'bundler/audit/version'
 require 'bundler/audit/cli/formats'
 
 require 'thor'
+require 'bundler/audit/cli/thor_ext/shell/basic/say_error'
 require 'bundler'
 
 module Bundler
@@ -42,18 +43,18 @@ module Bundler
 
       def check(dir=Dir.pwd)
         unless File.directory?(dir)
-          say "No such file or directory: #{dir}", :red
+          say_error "No such file or directory: #{dir}", :red
           exit 1
         end
 
         begin
           extend Formats.load(options[:format])
         rescue Formats::FormatNotFound
-          say "Unknown format: #{options[:format]}", :red
+          say_error "Unknown format: #{options[:format]}", :red
           exit 1
         end
 
-        if !Database.exists?
+        if !Database.exists?(options[:database])
           download(options[:database])
         elsif options[:update]
           update(options[:database])
@@ -128,13 +129,14 @@ module Bundler
         when true
           say("Updated ruby-advisory-db", :green) unless options.quiet?
         when false
-          say "Failed updating ruby-advisory-db!", :red
+          say_error "Failed updating ruby-advisory-db!", :red
           exit 1
         when nil
           unless Bundler.git_present?
-            say "Git is not installed!", :red
+            say_error "Git is not installed!", :red
             exit 1
           end
+
           say "Skipping update", :yellow
         end
 
@@ -143,9 +145,7 @@ module Bundler
 
       desc 'version', 'Prints the bundler-audit version'
       def version
-        database = Database.new
-
-        puts "#{File.basename($0)} #{VERSION} (advisories: #{database.size})"
+        puts "bundler-audit #{VERSION}"
       end
 
       protected
@@ -157,11 +157,6 @@ module Bundler
         raise(NotImplementedError,"#{self.class}##{__method__} not defined")
       end
 
-      def say(message="", color=nil)
-        color = nil unless $stdout.tty?
-        super(message.to_s, color)
-      end
-
     end
   end
 end

data/lib/bundler/audit/cli/formats/text.rb

@@ -66,12 +66,14 @@ module Bundler
             say "Version: ", :red
             say gem.version
 
-            say "Advisory: ", :red
-
             if advisory.cve
-              say "CVE-#{advisory.cve}"
-            elsif advisory.osvdb
-              say advisory.osvdb
+              say "CVE: ", :red
+              say advisory.cve_id
+            end
+
+            if advisory.ghsa
+              say "GHSA: ", :red
+              say advisory.ghsa_id
             end
 
             say "Criticality: ", :red

data/lib/bundler/audit/cli/thor_ext/shell/basic/say_error.rb

@@ -0,0 +1,33 @@
+class Thor
+  module Shell
+    class Basic
+      #
+      # Prints an error message to `stderr`.
+      #
+      # @param [String] message
+      #   The message to print to `stderr`.
+      #
+      # @param [Symbol, nil] color
+      #   Optional ANSI color.
+      #
+      # @param [Boolean] force_new_line
+      #   Controls whether a newline character will be appended to the output.
+      #
+      def say_error(message,color=nil,force_new_line=(message.to_s !~ /( |\t)\Z/))
+        return if quiet?
+
+        buffer = prepare_message(message,*color)
+        buffer << $/ if force_new_line && !message.to_s.end_with?($/)
+
+        stderr.print(buffer)
+        stderr.flush
+      end
+    end
+
+    module_eval <<-METHOD, __FILE__, __LINE__ + 1
+      def say_error(*args,&block)
+        shell.say_error(*args,&block)
+      end
+    METHOD
+  end
+end

data/lib/bundler/audit/configuration.rb

@@ -52,6 +52,10 @@ module Bundler
 
         doc = YAML.parse(File.new(file_path))
 
+        unless doc.kind_of?(YAML::Nodes::Document)
+          raise(InvalidConfigurationError,"Configuration found in '#{file_path}' is not YAML")
+        end
+
         unless doc.root.kind_of?(YAML::Nodes::Mapping)
           raise(InvalidConfigurationError,"Configuration found in '#{file_path}' is not a Hash")
         end

data/lib/bundler/audit/version.rb

@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.8.0.rc1'
+    VERSION = '0.8.0.rc2'
   end
 end

data/spec/cli/formats/text_spec.rb

@@ -76,8 +76,32 @@ describe Bundler::Audit::CLI::Formats::Text do
           expect(output_lines).to include("Version: #{gem.version}")
         end
 
-        it "must print 'Advisory: CVE-YYYY-NNNN'" do
-          expect(output_lines).to include("Advisory: CVE-#{advisory.cve}")
+        context "when the advisory has a CVE ID" do
+          it "must print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output_lines).to include("CVE: CVE-#{advisory.cve}")
+          end
+        end
+
+        context "when the advisory does not have a CVE ID" do
+          before { advisory.cve = nil }
+
+          it "must not print 'CVE: CVE-YYYY-NNNN'" do
+            expect(output_lines).to_not include("CVE: CVE-#{advisory.cve}")
+          end
+        end
+
+        context "when the advisory has a GHSA ID" do
+          it "must print 'GHSA: GHSA-xxxx-xxxx-xxxx'" do
+            expect(output_lines).to include("GHSA: GHSA-#{advisory.ghsa}")
+          end
+        end
+
+        context "when the advisory does not have a GHSA ID" do
+          before { advisory.ghsa = nil }
+
+          it "must not print 'GHSA: GHSA-xxxx-xxxx-xxxx'" do
+            expect(output_lines).to_not include("GHSA: GHSA-#{advisory.ghsa}")
+          end
         end
 
         context "when Advisory#criticality is :low" do

data/spec/cli_spec.rb

@@ -45,7 +45,7 @@ describe Bundler::Audit::CLI do
               subject.update
             rescue SystemExit
             end
-          }.to output(/Failed updating ruby-advisory-db!/).to_stdout
+          }.to output(/Failed updating ruby-advisory-db!/).to_stderr
         end
 
         it "exits with error status code" do
@@ -73,7 +73,7 @@ describe Bundler::Audit::CLI do
               subject.update
             rescue SystemExit
             end
-          end.to output(/Git is not installed!/).to_stdout
+          end.to output(/Git is not installed!/).to_stderr
         end
 
         it "exits with error status code" do
@@ -90,8 +90,8 @@ describe Bundler::Audit::CLI do
     end
 
     context "--quiet" do
-      before do
-        allow(subject).to receive(:options).and_return(double("Options", quiet?: true))
+      subject do
+        described_class.new([], {quiet: true})
       end
 
       context "when update succeeds" do
@@ -119,7 +119,7 @@ describe Bundler::Audit::CLI do
               subject.update
             rescue SystemExit
             end
-          }.to output(/Failed updating ruby-advisory-db!/).to_stdout
+          }.to_not output.to_stderr
         end
 
         it "exits with error status code" do

data/spec/configuration_spec.rb

@@ -22,6 +22,14 @@ describe Bundler::Audit::Configuration do
     end
 
     context "validations" do
+      context "when the file is empty" do
+        let(:path) { File.join(fixtures_dir,'bad','empty.yml') }
+
+        it 'raises a validation error' do
+          expect { subject }.to raise_error(described_class::InvalidConfigurationError)
+        end
+      end
+
       context "when ignore is not an array" do
         let(:path) { File.join(fixtures_dir,'bad','ignore_is_not_an_array.yml') }
 

data/spec/fixtures/advisory/CVE-2020-1234.yml

@@ -1,6 +1,7 @@
 ---
 gem: test
 cve: 2020-1234
+ghsa: aaaa-bbbb-cccc
 url: https://example.com/
 title: Test advisory
 date: 2015-06-16

data/spec/integration_spec.rb

@@ -1,117 +1,31 @@
 require 'spec_helper'
 
-describe "CLI" do
-  include Helpers
-
-  let(:command) do
-    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-audit'))
-  end
-
-  context "when auditing a bundle with unpatched gems" do
-    let(:bundle)    { 'unpatched_gems' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should print a warning" do
-      expect(subject).to include("Vulnerabilities found!")
-    end
-
-    it "should print advisory information for the vulnerable gems" do
-      advisory_pattern = %r{(Name: [^\n]+
-Version: \d+\.\d+\.\d+(\.\d+)?
-Advisory: CVE-[0-9]{4}-[0-9]{4}
-Criticality: (Critical|High|Medium|Low|None|Unknown)
-URL: https?://(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#!?&//=]*)
-Title: [^\n]*?
-Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)}
-
-      expect(subject).to match(advisory_pattern)
-      expect(subject).to include("Vulnerabilities found!")
-    end
-  end
-
-  context "when auditing a bundle with ignored gems" do
-    let(:bundle)    { 'unpatched_gems' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    let(:command) do
-      File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-audit -i CVE-2013-0156'))
-    end
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should not print advisory information for ignored gem" do
-      expect(subject).not_to include("CVE-2013-0156")
-    end
-  end
-
-  context "when auditing a bundle with insecure sources" do
-    let(:bundle)    { 'insecure_sources' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should print warnings about insecure sources" do
-      expect(subject).to include(%{
-Insecure Source URI found: git://github.com/rails/jquery-rails.git
-Insecure Source URI found: http://rubygems.org/
-      }.strip)
-    end
+describe "bin/bundler-audit" do
+  let(:name) { 'bundler-audit' }
+  let(:path) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin',name))
   end
 
-  context "when auditing a secure bundle" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
+  let(:command) { "#{path} version" }
 
-    subject do
-      Dir.chdir(directory) { sh(command) }
-    end
+  subject { sh(command) }
 
-    it "should print nothing when everything is fine" do
-      expect(subject.strip).to eq("No vulnerabilities found")
-    end
+  it "must invoke the CLI class" do
+    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
   end
+end
 
-  context "when auditing a non-existent Gemfile.lock file" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-    let(:root)      { File.expand_path(directory) }
-
-    let(:gemfile_lock) { 'Gemfile.foo.lock' }
-    let(:command) { "#{super()} --gemfile-lock #{gemfile_lock}" }
-
-    subject do
-      Dir.chdir(directory) { sh(command, :fail => true) }
-    end
-
-    it "should print an error message" do
-      expect(subject.strip).to eq("Could not find #{gemfile_lock.inspect} in #{root.inspect}")
-    end
+describe "bin/bundle-audit" do
+  let(:name) { 'bundle-audit' }
+  let(:path) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin',name))
   end
 
-  describe "update" do
-    let(:update_command) { "#{command} update" }
-    let(:bundle)         { 'secure' }
-    let(:directory)      { File.join('spec','bundle',bundle) }
+  let(:command) { "#{path} version" }
 
-    subject do
-      Dir.chdir(directory) { sh(update_command) }
-    end
+  subject { sh(command) }
 
-    context "when advisories update successfully" do
-      it "should print status" do
-        expect(subject).not_to include("Fail")
-        expect(subject).to include("Updating ruby-advisory-db ...\n")
-        expect(subject).to include("Updated ruby-advisory-db\n")
-        expect(subject).to match(/ruby-advisory-db:\n  advisories:\s+[1-9]\d+ advisories/)
-      end
-    end
+  it "must invoke the CLI class" do
+    expect(subject).to eq("bundler-audit #{Bundler::Audit::VERSION}#{$/}")
   end
 end

metadata

@@ -1,35 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.8.0.rc1
+  version: 0.8.0.rc2
 platform: ruby
 authors:
 - Postmodern
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-23 00:00:00.000000000 Z
+date: 2021-02-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0.18'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0.18'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -62,6 +56,7 @@ extra_rdoc_files:
 - README.md
 files:
 - ".document"
+- ".github/FUNDING.yml"
 - ".github/workflows/ruby.yml"
 - ".gitignore"
 - ".rspec"
@@ -81,6 +76,7 @@ files:
 - lib/bundler/audit/cli/formats.rb
 - lib/bundler/audit/cli/formats/json.rb
 - lib/bundler/audit/cli/formats/text.rb
+- lib/bundler/audit/cli/thor_ext/shell/basic/say_error.rb
 - lib/bundler/audit/configuration.rb
 - lib/bundler/audit/database.rb
 - lib/bundler/audit/report.rb
@@ -110,6 +106,7 @@ files:
 - spec/database_spec.rb
 - spec/fixtures/advisory/CVE-2020-1234.yml
 - spec/fixtures/advisory/not_a_hash.yml
+- spec/fixtures/config/bad/empty.yml
 - spec/fixtures/config/bad/ignore_contains_a_non_string.yml
 - spec/fixtures/config/bad/ignore_is_not_an_array.yml
 - spec/fixtures/config/valid.yml