bundler-leak 0.0.0

data/lib/bundler/plumber/scanner.rb

@@ -0,0 +1,133 @@
+#
+# Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-leak is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-leak is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-leak.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'bundler'
+require 'bundler/plumber/database'
+require 'bundler/lockfile_parser'
+
+require 'ipaddr'
+require 'resolv'
+require 'set'
+require 'uri'
+
+module Bundler
+  module Plumber
+    class Scanner
+
+      # Represents a gem that is covered by an Advisory
+      UnpatchedGem = Struct.new(:gem, :advisory)
+
+      # The advisory database
+      #
+      # @return [Database]
+      attr_reader :database
+
+      # Project root directory
+      attr_reader :root
+
+      # The parsed `Gemfile.lock` from the project
+      #
+      # @return [Bundler::LockfileParser]
+      attr_reader :lockfile
+
+      #
+      # Initializes a scanner.
+      #
+      # @param [String] root
+      #   The path to the project root.
+      #
+      # @param [String] gemfile_lock
+      #   Alternative name for the `Gemfile.lock` file.
+      #
+      def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock')
+        @root     = File.expand_path(root)
+        @database = Database.new
+        @lockfile = LockfileParser.new(
+          File.read(File.join(@root,gemfile_lock))
+        )
+      end
+
+      #
+      # Scans the project for issues.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      def scan(options={},&block)
+        return enum_for(__method__, options) unless block
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
+
+        scan_specs(options, &block)
+
+        return self
+      end
+
+      #
+      # Scans the gem sources in the lockfile.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      # @api semipublic
+      #
+      # @since 0.4.0
+      #
+      def scan_specs(options={})
+        return enum_for(__method__, options) unless block_given?
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
+
+        @lockfile.specs.each do |gem|
+          @database.check_gem(gem) do |advisory|
+
+            # TODO this logic should be modified for rubymem
+            #unless (ignore.include?(advisory.cve_id) || ignore.include?(advisory.osvdb_id))
+            #  yield UnpatchedGem.new(gem,advisory)
+            #end
+            yield UnpatchedGem.new(gem, advisory)
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/bundler/plumber/task.rb

@@ -0,0 +1,49 @@
+#
+# Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+# Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# bundler-leak is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-leak is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-leak.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+require 'rake/tasklib'
+
+module Bundler
+  module Plumber
+    class Task < Rake::TaskLib
+      #
+      # Initializes the task.
+      #
+      def initialize
+        define
+      end
+
+      protected
+
+      #
+      # Defines the `bundle:leak` task.
+      #
+      def define
+        namespace :bundle do
+          desc 'Updates the ruby-mem-advisory-db then runs bundle-leak'
+          task :leak do
+            require 'bundler/plumber/cli'
+            %w(update check).each do |command|
+              Bundler::Plumber::CLI.start [command]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/plumber/version.rb

@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+# Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+#
+# bundler-leak is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# bundler-leak is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with bundler-leak.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+module Bundler
+  module Plumber
+    # bundler-leak version
+    VERSION = '0.0.0'
+  end
+end

data/spec/advisory_spec.rb

@@ -0,0 +1,155 @@
+require 'spec_helper'
+require 'bundler/plumber/database'
+require 'bundler/plumber/advisory'
+
+describe Bundler::Plumber::Advisory do
+  let(:root) { Bundler::Plumber::Database::VENDORED_PATH }
+  let(:gem)  { 'therubyracer' }
+  let(:id)   { '336' }
+  let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
+  let(:an_unaffected_version) do
+    Bundler::Plumber::Advisory.load(path).unaffected_versions.map { |version_rule|
+      # For all the rules, get the individual constraints out and see if we
+      # can find a suitable one...
+      version_rule.requirements.select { |(constraint, gem_version)|
+        # We only want constraints where the version number specified is
+        # one of the unaffected version.  I.E. we don't want ">", "<", or if
+        # such a thing exists, "!=" constraints.
+        ['~>', '>=', '=', '<='].include?(constraint)
+      }.map { |(constraint, gem_version)|
+        # Fetch just the version component, which is a Gem::Version,
+        # and extract the string representation of the version.
+        gem_version.version
+      }
+    }.flatten.first
+  end
+
+  subject { described_class.load(path) }
+
+  describe "load" do
+    let(:data) { YAML.load_file(path) }
+
+    describe '#id' do
+      subject { super().id }
+      it { is_expected.to eq(id) }
+    end
+
+    describe '#url' do
+      subject { super().url }
+      it { is_expected.to eq(data['url']) }
+    end
+
+    describe '#title' do
+      subject { super().title }
+      it { is_expected.to eq(data['title']) }
+    end
+
+    describe '#date' do
+      subject { super().date }
+      it { is_expected.to eq(data['date']) }
+    end
+
+    describe '#description' do
+      subject { super().description }
+      it { is_expected.to eq(data['description']) }
+    end
+
+    context "YAML data not representing a hash" do
+      it "should raise an exception" do
+        path = File.expand_path('../fixtures/not_a_hash.yml', __FILE__)
+        expect {
+          Advisory.load(path)
+        }.to raise_exception("advisory data in #{path.dump} was not a Hash")
+      end
+    end
+
+    describe "#patched_versions" do
+      subject { described_class.load(path).patched_versions }
+
+      it "should all be Gem::Requirement objects" do
+        expect(subject.all? { |version|
+          expect(version).to be_kind_of(Gem::Requirement)
+        }).to be_truthy
+      end
+
+      it "should parse the versions" do
+        expect(subject.map(&:to_s)).to eq(data['patched_versions'])
+      end
+    end
+  end
+
+
+  describe "#unaffected?" do
+    context "when passed a version that matches one unaffected version" do
+      let(:version) { Gem::Version.new(an_unaffected_version) }
+
+      it "should return true" do
+        expect(subject.unaffected?(version)).to be_truthy
+      end
+    end
+
+    context "when passed a version that matches no unaffected version" do
+      let(:version) { Gem::Version.new('3.0.9') }
+
+      it "should return false" do
+        expect(subject.unaffected?(version)).to be_falsey
+      end
+    end
+  end
+
+  describe "#patched?" do
+    context "when passed a version that matches one patched version" do
+      let(:version) { Gem::Version.new('0.12.4') }
+
+      it "should return true", doku: true do
+        expect(subject.patched?(version)).to be_truthy
+      end
+    end
+
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('2.9.0') }
+
+      it "should return false" do
+        expect(subject.patched?(version)).to be_falsey
+      end
+    end
+  end
+
+  describe "#vulnerable?" do
+    context "when passed a version that matches one patched version" do
+      let(:version) { Gem::Version.new('0.12.4') }
+
+      it "should return false" do
+        expect(subject.vulnerable?(version)).to be_falsey
+      end
+    end
+
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('2.9.0') }
+
+      it "should return true" do
+        expect(subject.vulnerable?(version)).to be_truthy
+      end
+
+      context "when unaffected_versions is not empty" do
+        subject { described_class.load(path) }
+
+        context "when passed a version that matches one unaffected version" do
+          let(:version) { Gem::Version.new(an_unaffected_version) }
+
+          it "should return false" do
+            expect(subject.vulnerable?(version)).to be_falsey
+          end
+        end
+
+        context "when passed a version that matches no unaffected version" do
+          let(:version) { Gem::Version.new('1.2.3') }
+
+          it "should return true" do
+            expect(subject.vulnerable?(version)).to be_truthy
+          end
+        end
+      end
+    end
+  end
+end

data/spec/audit_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'bundler/plumber'
+
+describe Bundler::Plumber do
+  it "should have a VERSION constant" do
+    expect(subject.const_get('VERSION')).not_to be_empty
+  end
+end

data/spec/bundle/insecure_sources/Gemfile

@@ -0,0 +1,39 @@
+source 'http://rubygems.org'
+
+gem 'rails', '3.2.12'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3', platform: [:mri, :rbx]
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails', :git => 'git://github.com/rails/jquery-rails.git',
+                    :tag => 'v2.2.1'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'

data/spec/bundle/secure/Gemfile

@@ -0,0 +1,38 @@
+source 'https://rubygems.org'
+
+gem 'rails', '~> 4.2.7.1'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3', platform: [:mri, :rbx]
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'