bundler-audit 0.9.1 → 0.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 762980c9b274b19e477ee0be0ae021e452a1e7d63796ceb6da0d667de704dad9
-  data.tar.gz: 3e0fae808a027e677f3d218949c092d8189fc124bb34f61b57fdf982b5ffd6b1
+  metadata.gz: 91fab22bb836ac9e1b56f525051f80003c4c0515a8d01e779b9ba71f079ba05d
+  data.tar.gz: f312f73a62453f2002d58465002ab7bb8396f53ba5d51ca363e84b422f0216a1
 SHA512:
-  metadata.gz: faa37304223ab40fd5678b6a4fcc1f9edb6d112c418c3a80a38aff6dbfbfacd416481f32f402998ece370d4646fe416e8f9453a5cec98d634845ff7bfd1abc6f
-  data.tar.gz: 7fbd39c761fdee364266207e4f0b52be6347b480b8447d31688428b8d3b5337c7f7403142ef0b2da0bc293ddfbe1ea5df93750b3a70be3920eff37af1d6a7884
+  metadata.gz: 2067a4b037050d7f928e805335ea6cf053a83978888477af56d3e44199409bbf9923f46dec0963bf40906c6e8afeec39aba32722daecdfe8576410d1431733a7
+  data.tar.gz: 88c4b7e6c8a5d390743706dafb90ce3431df698bca07348185f0ebf0d28c3842b922d52936e743911bd56d9c4db373cdf19e309f955a44e0d1c7d7b388c7eb31

data/.github/ISSUE_TEMPLATE/bug-report.md

@@ -41,4 +41,6 @@ Steps to reproduce the bug:
     ...
     $ ruby --version
     ...
+    $ git --version
+    ...
 

data/.github/workflows/ruby.yml

@@ -9,13 +9,12 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
-          - 2.5
-          - 2.6
-          - 2.7
           - '3.0'
-          - 3.1
+          - '3.1'
+          - '3.2'
+          - '3.3'
           - jruby
-          - truffleruby-head
+          - truffleruby
     name: Ruby ${{ matrix.ruby }}
     steps:
       - uses: actions/checkout@v2

data/.rubocop.yml

@@ -84,3 +84,4 @@ Style/ExpandPathArguments: { Enabled: false } # Offense count: 5
 Style/FrozenStringLiteralComment: { Enabled: false } # Offense count: 42
 Style/MixinUsage: { Exclude: ['spec/spec_helper.rb'] } # Offense count: 1
 Layout/LineLength: { Enabled: false }
+Style/RedundantParentheses: { Enabled: false }

data/ChangeLog.md

@@ -1,5 +1,23 @@
+### 0.9.2 / 2024-08-22
+
+* Officially support Ruby 3.2 and 3.3.
+* Corrected the gemspec license to indicate GPL-3.0 *or* later.
+
+#### CLI
+
+* Correctly handle {Bundler::Audit::Database::UpdateFailed} exceptions in
+  `bundle-audit update`.
+* Changed wording from "upgrade to" to "update to" in `bundle-audit check`
+  output.
+
+#### Rake Task
+
+* Fixed empty `bundle:audit:update` rake task.
+
 ### 0.9.1 / 2022-05-19
 
+* Opt into rubygems.org MFA requirement.
+
 #### CLI
 
 * Improve the readability of the suggested gem versions to upgrade to

data/README.md

@@ -31,7 +31,7 @@ Audit a project's `Gemfile.lock`:
     Criticality: Medium
     URL: http://www.osvdb.org/show/osvdb/91452
     Title: XSS vulnerability in sanitize_css in Action Pack
-    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+    Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
 
     Name: actionpack
     Version: 3.2.10
@@ -39,7 +39,7 @@ Audit a project's `Gemfile.lock`:
     Criticality: Medium
     URL: http://osvdb.org/show/osvdb/91454
     Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
-    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+    Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
 
     Name: actionpack
     Version: 3.2.10
@@ -47,7 +47,7 @@ Audit a project's `Gemfile.lock`:
     Criticality: High
     URL: http://osvdb.org/show/osvdb/89026
     Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
-    Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+    Solution: update to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
 
     Name: activerecord
     Version: 3.2.10
@@ -55,7 +55,7 @@ Audit a project's `Gemfile.lock`:
     Criticality: High
     URL: http://osvdb.org/show/osvdb/91453
     Title: Symbol DoS vulnerability in Active Record
-    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
+    Solution: update to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
 
     Name: activerecord
     Version: 3.2.10
@@ -63,7 +63,7 @@ Audit a project's `Gemfile.lock`:
     Criticality: Medium
     URL: http://direct.osvdb.org/show/osvdb/90072
     Title: Ruby on Rails Active Record attr_protected Method Bypass
-    Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
+    Solution: update to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
 
     Name: activerecord
     Version: 3.2.10
@@ -71,7 +71,7 @@ Audit a project's `Gemfile.lock`:
     Criticality: High
     URL: http://osvdb.org/show/osvdb/89025
     Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
-    Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+    Solution: update to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
 
     Name: activesupport
     Version: 3.2.10
@@ -79,7 +79,7 @@ Audit a project's `Gemfile.lock`:
     Criticality: High
     URL: http://www.osvdb.org/show/osvdb/91451
     Title: XML Parsing Vulnerability affecting JRuby users
-    Solution: upgrade to ~> 3.1.12, >= 3.2.13
+    Solution: update to ~> 3.1.12, >= 3.2.13
 
     Unpatched versions found!
 
@@ -147,10 +147,20 @@ $ bundle-audit check --format json --output bundle-audit.json
 
 ## Rake Tasks
 
-Bundler-audit provides Rake tasks for checking the code and for updating
-its vulnerability database:
+Bundler-audit provides `rake` tasks for checking the code and for updating
+its vulnerability database.
+
+Simply add the following code to the `Rakefile`:
+
+```ruby
+require 'bundler/audit/task'
+Bundler::Audit::Task.new
+```
+
+The following `rake` tasks will then become available:
 
 ```bash
+$ rake -T
 rake bundle:audit
 rake bundle:audit:update
 ```
@@ -231,7 +241,7 @@ $ brew install git
 
 ## License
 
-Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

data/bundler-audit.gemspec

@@ -30,7 +30,6 @@ Gem::Specification.new do |gem|
   gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
 
   gem.extensions       = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
-  gem.test_files       = glob[gemspec['test_files'] || 'spec/{**/}*_spec.rb']
   gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
 
   gem.require_paths = Array(gemspec.fetch('require_paths') {

data/gemspec.yml

@@ -1,7 +1,7 @@
 name: bundler-audit
 summary: Patch-level verification for Bundler
 description: bundler-audit provides patch-level verification for Bundled apps.
-license: GPL-3.0+
+license: GPL-3.0-or-later
 authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/rubysec/bundler-audit#readme

data/lib/bundler/audit/advisory.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/cli/formats/json.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/cli/formats/junit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -101,7 +101,7 @@ module Bundler
 
           def advisory_solution(advisory)
             unless advisory.patched_versions.empty?
-              "upgrade to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}"
+              "update to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}"
             else
               "remove or disable this gem until a patch is available!"
             end

data/lib/bundler/audit/cli/formats/text.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -104,7 +104,7 @@ module Bundler
             end
 
             unless advisory.patched_versions.empty?
-              say "Solution: upgrade to ", :red
+              say "Solution: update to ", :red
               say advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')
             else
               say "Solution: ", :red

data/lib/bundler/audit/cli/formats.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/cli.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -67,7 +67,7 @@ module Bundler
 
         database = Database.new(options[:database])
         scanner  = begin
-                     Scanner.new(dir,options[:gemfile_lock],database, options[:config])
+                     Scanner.new(dir,options[:gemfile_lock],database,options[:config])
                    rescue Bundler::GemfileLockNotFound => exception
                      say exception.message, :red
                      exit 1
@@ -137,19 +137,23 @@ module Bundler
 
         database = Database.new(path)
 
-        case database.update!(quiet: options.quiet?)
-        when true
-          say("Updated ruby-advisory-db", :green) unless options.quiet?
-        when false
-          say_error "Failed updating ruby-advisory-db!", :red
-          exit 1
-        when nil
-          unless Bundler.git_present?
-            say_error "Git is not installed!", :red
-            exit 1
+        begin
+          case database.update!(quiet: options.quiet?)
+          when true
+            say("Updated ruby-advisory-db", :green) unless options.quiet?
+          when nil
+            if Bundler.git_present?
+              unless options.quiet?
+                say "Skipping update, ruby-advisory-db is not a git repository", :yellow
+              end
+            else
+              say_error "Git is not installed!", :red
+              exit 1
+            end
           end
-
-          say "Skipping update", :yellow
+        rescue Database::UpdateFailed => error
+          say error.message, :red
+          exit 1
         end
 
         stats(path) unless options.quiet?

data/lib/bundler/audit/configuration.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/database.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -141,9 +141,8 @@ module Bundler
       # @option options [Boolean] :quiet
       #   Specify whether `git` should be `--quiet`.
       #
-      # @return [Boolean, nil]
+      # @return [Boolean]
       #   Specifies whether the update was successful.
-      #   A `nil` indicates no update was performed.
       #
       # @raise [ArgumentError]
       #   Invalid options were given.
@@ -192,9 +191,13 @@ module Bundler
       #   Specify whether `git` should be `--quiet`.
       #
       # @return [true, nil]
-      #   `true` indicates that the update was successful.
-      #   `nil` indicates the database is not a git repository, thus not
-      #   capable of being updated.
+      #   * `true` - the ruby-advisory-db git repository was successfully
+      #     updated.
+      #   * `nil` - the ruby-advisory-db is not a git repository or the `git`
+      #     command is not installed.
+      #
+      # @raise [UpdateFailed]
+      #   Could not update the ruby-advisory-db git repository.
       #
       # @since 0.8.0
       #

data/lib/bundler/audit/results/insecure_source.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/results/unpatched_gem.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/results.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/scanner.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/lib/bundler/audit/task.rb

@@ -16,33 +16,6 @@ module Bundler
         define
       end
 
-      protected
-
-      #
-      # Defines the `bundle:audit` and `bundle:audit:update` task.
-      #
-      def define
-        namespace :bundle do
-          namespace :audit do
-            desc 'Checks the Gemfile.lock for insecure dependencies'
-            task :check do
-              bundler_audit 'check'
-            end
-
-            desc 'Updates the bundler-audit vulnerability database'
-            task :update do
-              bundler_audit 'update'
-            end
-          end
-
-          task :audit => 'audit:check'
-        end
-
-        task 'bundler:audit'        => 'bundle:audit'
-        task 'bundler:audit:check'  => 'bundle:audit:check'
-        task 'bundler:audit:update' => 'bundle:audit:update'
-      end
-
       #
       # Runs the `bundler-audit` command with the additional arguments.
       #
@@ -59,6 +32,8 @@ module Bundler
       #   If the `bundler-audit` command exits with an error, the rake task
       #   will also exit with the same error code.
       #
+      # @api private
+      #
       def bundler_audit(*arguments)
         case system('bundler-audit',*arguments)
         when false
@@ -69,6 +44,71 @@ module Bundler
           return true
         end
       end
+
+      #
+      # Runs the `bundle-audit check` command.
+      #
+      # @return [true]
+      #   The `bundler-audit` command successfully exited.
+      #
+      # @raise [CommandNotFound]
+      #   The `bundler-audit` command could not be executed or was not found.
+      #
+      # @note
+      #   If the `bundler-audit` command exits with an error, the rake task
+      #   will also exit with the same error code.
+      #
+      # @api private
+      #
+      def check
+        bundler_audit 'check'
+      end
+
+      #
+      # Runs the `bundle-audit update` command.
+      #
+      # @return [true]
+      #   The `bundler-audit` command successfully exited.
+      #
+      # @raise [CommandNotFound]
+      #   The `bundler-audit` command could not be executed or was not found.
+      #
+      # @note
+      #   If the `bundler-audit` command exits with an error, the rake task
+      #   will also exit with the same error code.
+      #
+      # @api private
+      #
+      def update
+        bundler_audit 'update'
+      end
+
+      protected
+
+      #
+      # Defines the `bundle:audit` and `bundle:audit:update` task.
+      #
+      def define
+        namespace :bundle do
+          namespace :audit do
+            desc 'Checks the Gemfile.lock for insecure dependencies'
+            task :check do
+              check
+            end
+
+            desc 'Updates the bundler-audit vulnerability database'
+            task :update do
+              update
+            end
+          end
+
+          task :audit => 'audit:check'
+        end
+
+        task 'bundler:audit'        => 'bundle:audit'
+        task 'bundler:audit:check'  => 'bundle:audit:check'
+        task 'bundler:audit:update' => 'bundle:audit:update'
+      end
     end
   end
 end

data/lib/bundler/audit/version.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -18,6 +18,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.9.1'
+    VERSION = '0.9.2'
   end
 end

data/lib/bundler/audit.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2013-2024 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # bundler-audit is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by

data/spec/bundle/insecure_sources/Gemfile.lock

@@ -77,7 +77,7 @@ GEM
       activesupport (>= 4.2.0)
     i18n (1.8.10)
       concurrent-ruby (~> 1.0)
-    loofah (2.9.1)
+    loofah (2.19.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -88,13 +88,13 @@ GEM
     mini_portile2 (2.8.0)
     minitest (5.14.4)
     nio4r (2.5.7)
-    nokogiri (1.13.6)
+    nokogiri (1.13.10)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.13.6-x86_64-linux)
+    nokogiri (1.13.10-x86_64-linux)
       racc (~> 1.4)
-    racc (1.6.0)
-    rack (2.2.3)
+    racc (1.6.1)
+    rack (2.2.6.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails (6.1.3.2)
@@ -115,8 +115,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
+    rails-html-sanitizer (1.4.4)
+      loofah (~> 2.19, >= 2.19.1)
     railties (6.1.3.2)
       actionpack (= 6.1.3.2)
       activesupport (= 6.1.3.2)

data/spec/bundle/secure/Gemfile

@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
 
 gem 'rails', '~> 5.2'
-gem 'rails-html-sanitizer', '~> 1.0.3'
+gem 'rails-html-sanitizer', '~> 1.4.4'

data/spec/bundle/secure/Gemfile.lock

@@ -47,11 +47,11 @@ GEM
     concurrent-ruby (1.1.10)
     crass (1.0.6)
     erubi (1.10.0)
-    globalid (1.0.0)
+    globalid (1.0.1)
       activesupport (>= 5.0)
-    i18n (1.10.0)
+    i18n (1.12.0)
       concurrent-ruby (~> 1.0)
-    loofah (2.18.0)
+    loofah (2.19.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -60,15 +60,15 @@ GEM
     method_source (1.0.0)
     mini_mime (1.1.2)
     mini_portile2 (2.8.0)
-    minitest (5.15.0)
+    minitest (5.17.0)
     nio4r (2.5.8)
-    nokogiri (1.13.6)
+    nokogiri (1.13.10)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.13.6-x86_64-linux)
+    nokogiri (1.13.10-x86_64-linux)
       racc (~> 1.4)
-    racc (1.6.0)
-    rack (2.2.3)
+    racc (1.6.1)
+    rack (2.2.6.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails (5.2.8)
@@ -87,8 +87,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
-      loofah (~> 2.2, >= 2.2.2)
+    rails-html-sanitizer (1.4.4)
+      loofah (~> 2.19, >= 2.19.1)
     railties (5.2.8)
       actionpack (= 5.2.8)
       activesupport (= 5.2.8)
@@ -105,7 +105,7 @@ GEM
       sprockets (>= 3.0.0)
     thor (1.2.1)
     thread_safe (0.3.6)
-    tzinfo (1.2.9)
+    tzinfo (1.2.10)
       thread_safe (~> 0.1)
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
@@ -117,7 +117,7 @@ PLATFORMS
 
 DEPENDENCIES
   rails (~> 5.2)
-  rails-html-sanitizer (~> 1.0.3)
+  rails-html-sanitizer (~> 1.4.4)
 
 BUNDLED WITH
    2.3.6

data/spec/bundle/unpatched_gems_with_dot_configuration/Gemfile.lock

@@ -18,7 +18,7 @@ GEM
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     multi_json (1.15.0)
-    tzinfo (0.3.58)
+    tzinfo (0.3.61)
 
 PLATFORMS
   ruby

data/spec/cli/formats/junit_spec.rb

@@ -240,8 +240,8 @@ describe Bundler::Audit::CLI::Formats::Junit do
         end
 
         context "when Advisory#patched_versions is not empty" do
-          it 'must print "Solution: upgrade to ..."' do
-            expect(output).to include("Solution: upgrade to #{CGI.escapeHTML(advisory.patched_versions.map { |v| "'#{v}'" }.join(', '))}")
+          it 'must print "Solution: update to ..."' do
+            expect(output).to include("Solution: update to #{CGI.escapeHTML(advisory.patched_versions.map { |v| "'#{v}'" }.join(', '))}")
           end
         end
 

data/spec/cli/formats/text_spec.rb

@@ -229,8 +229,8 @@ describe Bundler::Audit::CLI::Formats::Text do
         end
 
         context "when Advisory#patched_versions is not empty" do
-          it 'must print "Solution: upgrade to ..."' do
-            expect(output_lines).to include("Solution: upgrade to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}")
+          it 'must print "Solution: update to ..."' do
+            expect(output_lines).to include("Solution: update to #{advisory.patched_versions.map { |v| "'#{v}'" }.join(', ')}")
           end
         end
 

data/spec/cli_spec.rb

@@ -2,6 +2,8 @@ require 'spec_helper'
 require 'bundler/audit/cli'
 
 describe Bundler::Audit::CLI do
+  let(:database_path) { "/path/to/ruby-advisory-db" }
+
   describe ".start" do
     context "with wrong arguments" do
       it "exits with error status code" do
@@ -76,23 +78,17 @@ describe Bundler::Audit::CLI do
 
       context "when update fails" do
         before do
-          expect(database).to receive(:update!).and_return(false)
+          expect(database).to receive(:update!).with(quiet: false).and_raise(
+            Bundler::Audit::Database::UpdateFailed,
+            "failed to update #{database_path.inspect}"
+          )
         end
 
-        it "prints failure message" do
+        it "must print an error message and exit with 1" do
           expect {
-            begin
+            expect {
               subject.update
-            rescue SystemExit
-            end
-          }.to output(/Failed updating ruby-advisory-db!/).to_stderr
-        end
-
-        it "exits with error status code" do
-          expect {
-            # Capture output of `update` only to keep spec output clean.
-            # The test regarding specific output is above.
-            expect { subject.update }.to output.to_stdout
+            }.to output("failed to update #{database_path.inspect}").to_stderr
           }.to raise_error(SystemExit) do |error|
             expect(error.success?).to eq(false)
             expect(error.status).to eq(1)
@@ -136,9 +132,7 @@ describe Bundler::Audit::CLI do
 
       context "when update succeeds" do
         before do
-          expect(database).to(
-            receive(:update!).with(quiet: true).and_return(true)
-          )
+          expect(database).to receive(:update!).with(quiet: true).and_return(true)
         end
 
         it "does not print any output" do
@@ -148,25 +142,17 @@ describe Bundler::Audit::CLI do
 
       context "when update fails" do
         before do
-          expect(database).to(
-            receive(:update!).with(quiet: true).and_return(false)
+          expect(database).to receive(:update!).with(quiet: true).and_raise(
+            Bundler::Audit::Database::UpdateFailed,
+            "failed to update #{database_path.inspect}"
           )
         end
 
-        it "prints failure message" do
+        it "must print the error message and exit with an error code" do
           expect {
-            begin
+            expect {
               subject.update
-            rescue SystemExit
-            end
-          }.to_not output.to_stderr
-        end
-
-        it "exits with error status code" do
-          expect {
-            # Capture output of `update` only to keep spec output clean.
-            # The test regarding specific output is above.
-            expect { subject.update }.to output.to_stdout
+            }.to output("failed to update: #{database_path.inspect}").to_stderr
           }.to raise_error(SystemExit) do |error|
             expect(error.success?).to eq(false)
             expect(error.status).to eq(1)

data/spec/scanner_spec.rb

@@ -36,12 +36,12 @@ describe Scanner do
       end
 
       context "when the :ignore option is given" do
-        subject { super().scan(ignore: ['OSVDB-89026']) }
+        subject { super().scan(ignore: ['CVE-2013-0156']) }
 
         it "should ignore the specified advisories" do
           ids = subject.map { |result| result.advisory.id }
 
-          expect(ids).not_to include('OSVDB-89026')
+          expect(ids).not_to include('CVE-2013-0156')
         end
       end
     end

data/spec/task_spec.rb

@@ -0,0 +1,141 @@
+require 'spec_helper'
+require 'bundler/audit/task'
+
+require 'rake'
+
+describe Bundler::Audit::Task do
+  before { subject }
+
+  it "must define a 'bundle:audit:check' task" do
+    expect(Rake::Task['bundle:audit:check']).to_not be_nil
+  end
+
+  it "must define a 'bundle:audit:update' task" do
+    expect(Rake::Task['bundle:audit:update']).to_not be_nil
+  end
+
+  it "must define a 'bundle:audit' task" do
+    expect(Rake::Task['bundle:audit']).to_not be_nil
+  end
+
+  it "must define a 'bundler:audit:check' task" do
+    expect(Rake::Task['bundler:audit:check']).to_not be_nil
+  end
+
+  it "must define a 'bundler:audit:update' task" do
+    expect(Rake::Task['bundler:audit:update']).to_not be_nil
+  end
+
+  it "must define a 'bundler:audit' task" do
+    expect(Rake::Task['bundler:audit']).to_not be_nil
+  end
+
+  describe "#bundler_audit" do
+    let(:subcommand) { 'subcommand' }
+    context "when the command exits successfully" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit',subcommand).and_return(true)
+      end
+
+      it "must return true" do
+        expect(subject.bundler_audit(subcommand)).to be(true)
+      end
+    end
+
+    context "when there vulnerabilities are found" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit',subcommand).and_return(false)
+      end
+
+      it "must exit with a non-zero error code" do
+        expect(subject).to receive(:exit).with($?.exitstatus)
+
+        subject.bundler_audit(subcommand)
+      end
+    end
+
+    context "when the bundler-audit command cannot be executed" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit',subcommand).and_return(nil)
+      end
+
+      it do
+        expect {
+          subject.bundler_audit(subcommand)
+        }.to raise_error(described_class::CommandNotFound,"bundler-audit could not be executed")
+      end
+    end
+  end
+
+  describe "#check" do
+    context "when the command exits successfully" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','check').and_return(true)
+      end
+
+      it "must return true" do
+        expect(subject.check).to be(true)
+      end
+    end
+
+    context "when there vulnerabilities are found" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','check').and_return(false)
+      end
+
+      it "must exit with a non-zero error code" do
+        expect(subject).to receive(:exit).with($?.exitstatus)
+
+        subject.check
+      end
+    end
+
+    context "when the bundler-audit command cannot be executed" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','check').and_return(nil)
+      end
+
+      it do
+        expect {
+          subject.check
+        }.to raise_error(described_class::CommandNotFound,"bundler-audit could not be executed")
+      end
+    end
+  end
+
+  describe "#update" do
+    context "when the command exits successfully" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','update').and_return(true)
+      end
+
+      it "must return true" do
+        expect(subject.update).to be(true)
+      end
+    end
+
+    context "when there vulnerabilities are found" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','update').and_return(false)
+      end
+
+      it "must exit with a non-zero error code" do
+        expect(subject).to receive(:exit).with($?.exitstatus)
+
+        subject.update
+      end
+    end
+
+    context "when the bundler-audit command cannot be executed" do
+      before do
+        allow(subject).to receive(:system).with('bundler-audit','update').and_return(nil)
+      end
+
+      it do
+        expect {
+          subject.update
+        }.to raise_error(described_class::CommandNotFound,"bundler-audit could not be executed")
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.9.1
+  version: 0.9.2
 platform: ruby
 authors:
 - Postmodern
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-20 00:00:00.000000000 Z
+date: 2024-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -124,9 +124,10 @@ files:
 - spec/results/unpatched_gem_spec.rb
 - spec/scanner_spec.rb
 - spec/spec_helper.rb
+- spec/task_spec.rb
 homepage: https://github.com/rubysec/bundler-audit#readme
 licenses:
-- GPL-3.0+
+- GPL-3.0-or-later
 metadata:
   rubygems_mfa_required: 'true'
 post_install_message:
@@ -144,23 +145,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.8.0
 requirements: []
-rubygems_version: 3.2.33
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: Patch-level verification for Bundler
-test_files:
-- spec/advisory_spec.rb
-- spec/audit_spec.rb
-- spec/cli/formats/json_spec.rb
-- spec/cli/formats/junit_spec.rb
-- spec/cli/formats/text_spec.rb
-- spec/cli/formats_spec.rb
-- spec/cli_spec.rb
-- spec/configuration_spec.rb
-- spec/database_spec.rb
-- spec/integration_spec.rb
-- spec/report_spec.rb
-- spec/results/insecure_source_spec.rb
-- spec/results/result_spec.rb
-- spec/results/unpatched_gem_spec.rb
-- spec/scanner_spec.rb
+test_files: []