bundler-leak 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e8c500b9cff644ec4d39ec693c7695c90632ee13e71a6e089918dfc96975de23
-  data.tar.gz: 92b10475517b8f8dda0faf6e208a27d0a53f0d3d4a5e0c9b38fa57ae67ead53a
+  metadata.gz: d7c920e493d02e31ba834c6997c45e488e8deb494fdc4a99447372f8ee7fb5ca
+  data.tar.gz: f93ad32dc249b544123d383a6fcde59ab76b8f2db4cf681120a8eac1e397366b
 SHA512:
-  metadata.gz: '0500328327647524b1a814ff99cc28e1cf2732425ff49d86ac717702a8364f4eac0c1b613f657b0baac9ecb495b1834ac0e6f0708b58162af383ce73b49f5075'
-  data.tar.gz: c8f80a5bbcc340245d57af38294e733714bd794b2532bbb57cfccc22c69ac564eb0bd90edd4df3ad2df6e2c98cd9b6311af40e2274d8299ad8ded222c75701ad
+  metadata.gz: be78021ea400192744e91cddf7de982bdd47fec4154dcd6ab7df47445045069a9c49c95ea46e85b0b33d92d300b6db493cb58ed49acd4e3b25fa66d2b1d61daa
+  data.tar.gz: f0931d5cfb7d8219679e67ec45f061f2381874ff6bf4731a949a09b5bbdf9e16783eb54c5e78d244108b683a32c5e21752c05c18f61436de2cff954d661a7363

data/ChangeLog.md

@@ -1,125 +1,10 @@
-### 0.6.0 / 2017-07-18
+### 0.1.0 / 2019-08-28
 
-* Added `--quiet` option to `check` and `update` commands (@jaredbeck).
-* Added `bin/bundler-audit` which will be executed when `bundle audit` is ran
-  (@vassilevsky).
+* Improve database update logic
 
-### 0.5.0 / 2016-02-28
+### 0.0.0 / 2019-08-26
 
-* Added {Bundler::Audit::Task}.
-* Added {Bundler::Audit::Advisory#date}.
-* Added {Bundler::Audit::Advisory#cve_id}.
-* Added {Bundler::Audit::Advisory#osvdb_id}.
-* Allow insecure gem sources (`http://` and `git://`), if they are hosted on a
-  private network.
+* Initial release
 
-#### CLI
-
-* Added the `--update` option to `bundle-audit check`.
-* `bundle-audit update` now returns a non-zero exit status on error.
-* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
-  repository.
-
-### 0.4.0 / 2015-06-30
-
-* Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
-* Added {Bundler::Audit::Advisory#osvdb}.
-* Resolve the IP addresses of gem sources and ignore intranet gem sources.
-  (PR #90)
-* Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
-  (PR #92)
-
-#### CLI
-
-* Print the CVE or OSVDB id.
-* No longer print "Unpatched versions found!" when an insecure gem source
-  is detected. (PR #84)
-
-### 0.3.1 / 2014-04-20
-
-* Added thor ~> 0.18 as a dependency.
-* No longer rely on the vendored version of thor within bundler.
-* Store the timestamp of when `data/ruby-advisory-db` was last updated in
-  `data/ruby-advisory-db.ts`.
-* Use `data/ruby-advisory-db.ts` instead of the creation time of the
-  `dataruby-advisory-db` directory, which is always the install time
-  of the rubygem.
-
-### 0.3.0 / 2013-10-31
-
-* Added {Bundler::Audit::Database.update!} which uses `git` to download
-  [ruby-advisory-db] to `~/.local/share/ruby-advisory-db`.
-* {Bundler::Audit::Database.path} now returns the path to either
-  `~/.local/share/ruby-advisory-db` or the vendored copy, depending on which
-  is more recent.
-
-#### CLI
-
-* Added the `bundle-audit update` sub-command.
-
-### 0.2.0 / 2013-03-05
-
-* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
-  parse approximate version requirements (`~> 1.2.3`).
-* Updated the [ruby-advisory-db].
-* Added {Bundler::Audit::Advisory#unaffected_versions}.
-* Added {Bundler::Audit::Advisory#unaffected?}.
-* Added {Bundler::Audit::Advisory#patched?}.
-* Renamed `Advisory#cve` to {Bundler::Audit::Advisory#id}.
-
-### 0.1.2 / 2013-02-17
-
-* Require [bundler] ~> 1.2.
-* Vendor a full copy of the [ruby-advisory-db].
-* Added {Bundler::Audit::Advisory#path} for debugging purposes.
-* Added {Bundler::Audit::Advisory#to_s} for debugging purposes.
-
-#### CLI
-
-* Simply parse the `Gemfile.lock` instead of loading the bundle (@grosser).
-* Exit with non-zero status on failure (@grosser).
-
-### 0.1.1 / 2013-02-12
-
-* Fixed a Ruby 1.8 syntax error.
-
-### Advisories
-
-* Imported advisories from the [Ruby Advisory DB][ruby-advisory-db].
-  * [CVE-2011-0739](http://www.osvdb.org/show/osvdb/70667)
-  * [CVE-2012-2139](http://www.osvdb.org/show/osvdb/81631)
-  * [CVE-2012-2140](http://www.osvdb.org/show/osvdb/81632)
-  * [CVE-2012-267](http://osvdb.org/83077)
-  * [CVE-2012-1098](http://osvdb.org/79726)
-  * [CVE-2012-1099](http://www.osvdb.org/show/osvdb/79727)
-  * [CVE-2012-2660](http://www.osvdb.org/show/osvdb/82610)
-  * [CVE-2012-2661](http://www.osvdb.org/show/osvdb/82403)
-  * [CVE-2012-3424](http://www.osvdb.org/show/osvdb/84243)
-  * [CVE-2012-3463](http://osvdb.org/84515)
-  * [CVE-2012-3464](http://www.osvdb.org/show/osvdb/84516)
-  * [CVE-2012-3465](http://www.osvdb.org/show/osvdb/84513)
-
-### CLI
-
-* If the advisory has no `patched_versions`, recommend removing or disabling
-  the gem until a patch is made available.
-
-### 0.1.0 / 2013-02-11
-
-* Initial release:
-  * Checks for vulnerable versions of gems in `Gemfile.lock`.
-  * Prints advisory information.
-  * Does not require a network connection.
-
-#### Advisories
-
-* [CVE-2013-0269](http://direct.osvdb.org/show/osvdb/90074)
-* [CVE-2013-0263](http://osvdb.org/show/osvdb/89939)
-* [CVE-2013-0155](http://osvdb.org/show/osvdb/89025)
-* [CVE-2013-0156](http://osvdb.org/show/osvdb/89026)
-* [CVE-2013-0276](http://direct.osvdb.org/show/osvdb/90072)
-* [CVE-2013-0277](http://direct.osvdb.org/show/osvdb/90073)
-* [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
-
-[bundler]: http://gembundler.com/
-[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme
+[bundler]: http://bundler.io/
+[ruby-mem-advisory-db]: https://github.com/rubymem/ruby-mem-advisory-db#readme

data/README.md

@@ -9,13 +9,13 @@
 
 ## Description
 
-Patch-level verification for [bundler].
+The best tool to find leaky gems in your dependencies. Make sure memory leaks
+are not in your gem dependencies.
 
 ## Features
 
-* Checks for memory leaks of gems in `Gemfile.lock`.
-* Prints memory leak information.
-* Does not require a network connection.
+* Checks for memory leaks of gems in `Gemfile.lock`
+* Prints memory leak information
 
 ## Synopsis
 
@@ -88,12 +88,12 @@ task default: 'bundle:leak'
 ## Contributing
 
 1. Clone the repo
-1. `git submodule update --init` # To populate data dir.
+1. `./bin/setup` # To populate data dir.
 1. `bundle exec rake`
 
 ## License
 
-Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+Copyright (c) 2019 OmbuLabs (hello at ombulabs.com)
 
 Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
 

data/Rakefile

@@ -40,7 +40,7 @@ namespace :spec do
   task :bundle do
     root = 'spec/bundle'
 
-    %w[secure unpatched_gems insecure_sources].each do |bundle|
+    %w[unpatched_gems].each do |bundle|
       chdir(File.join(root,bundle)) do
         sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
       end
@@ -53,5 +53,5 @@ task :test    => :spec
 task :default => :spec
 
 require 'yard'
-YARD::Rake::YardocTask.new  
+YARD::Rake::YardocTask.new
 task :doc => :yard

data/bin/setup

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+git submodule update --init
+bundle install

data/data/ruby-mem-advisory-db.ts

@@ -1 +1 @@
-2019-08-08 21:11:00 UTC
+2019-08-28 18:09:52 UTC

data/data/ruby-mem-advisory-db/gems/celluloid/670.yml

@@ -8,3 +8,6 @@ description: |
   that it creates.
 leaky_versions:
   - "> 0.16.0, < 0.17.2"
+patched_versions:
+  - ">= 0.17.3"
+

data/data/ruby-mem-advisory-db/gems/grape/301.yml

@@ -7,3 +7,5 @@ description: |
   The call for .to_sym will leak the symbol since those are never garbage collected. Malicious users can abuse.
 leaky_versions:
   - "< 0.2.5"
+patched_versions:
+  - ">= 0.10"

data/data/ruby-mem-advisory-db/gems/oj/229.yml

@@ -7,3 +7,5 @@ description: |
  Oj::Doc.open steadily increases memory usage.
 leaky_versions:
   - "< 2.12.4"
+patched_versions:
+  - ">= 2.12.4"

data/data/ruby-mem-advisory-db/gems/redcarpet/516.yml

@@ -10,3 +10,5 @@ description: |
  This caused 312 leaked bytes (on a 64-bit machine) on every render call
 leaky_versions:
   - "< 3.3.3"
+patched_versions:
+  - ">= 3.3"

data/data/ruby-mem-advisory-db/gems/redis/612.yml

@@ -1,9 +1,12 @@
 ---
 gem: redis
 url: https://github.com/redis/redis-rb/issues/612
-title: Memory Leak using Celluloid::Future
+title: Memory leak due to Timeout creating threads on each invocation.
 date: 2016-04-25
 description: |
  write_timeout results in lots of short-lived threads created, since each timeout block creates a separate thread. Now every write to Redis requires the creation of a new Thread.
 leaky_versions:
+  - "= 3.2.2"
   - "= 3.3.0"
+patched_versions:
+  - ">= 3.3.1"

data/data/ruby-mem-advisory-db/gems/sidekiq/2598.yml

@@ -7,3 +7,5 @@ description: |
   Before starting to execute the task, Processor does an async call to Manager (real_thread method) to add processor's thread to @threads hash in Manager
 leaky_versions:
   - "< 3.5.1"
+patched_versions:
+  - ">= 3.5.1"

data/lib/bundler/plumber/advisory.rb

@@ -100,15 +100,15 @@ module Bundler
       end
 
       #
-      # Checks whether the version is vulnerable to the advisory.
+      # Checks whether the version is leaky to the advisory.
       #
       # @param [Gem::Version] version
       #   The version to compare against {#patched_versions}.
       #
       # @return [Boolean]
-      #   Specifies whether the version is vulnerable to the advisory or not.
+      #   Specifies whether the version is leaky to the advisory or not.
       #
-      def vulnerable?(version)
+      def leaky?(version)
         !patched?(version) && !unaffected?(version)
       end
 

data/lib/bundler/plumber/cli.rb

@@ -30,7 +30,7 @@ module Bundler
       default_task :check
       map '--version' => :version
 
-      desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
+      desc 'check', 'Checks the Gemfile.lock for known memory leaks'
       method_option :quiet, :type => :boolean, :aliases => '-q'
       method_option :verbose, :type => :boolean, :aliases => '-v'
       method_option :update, :type => :boolean, :aliases => '-u'
@@ -39,10 +39,10 @@ module Bundler
         update if options[:update]
 
         scanner    = Scanner.new
-        vulnerable = false
+        leaky = false
 
         scanner.scan do |result|
-          vulnerable = true
+          leaky = true
 
           case result
           when Scanner::UnpatchedGem
@@ -50,11 +50,11 @@ module Bundler
           end
         end
 
-        if vulnerable
-          say "Vulnerabilities found!", :red
+        if leaky
+          say "Leaks found!", :red
           exit 1
         else
-          say("No vulnerabilities found", :green) unless options.quiet?
+          say("No leaks found", :green) unless options.quiet?
         end
       end
 

data/lib/bundler/plumber/database.rb

@@ -72,8 +72,10 @@ module Bundler
           t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --date=iso8601 --pretty="%cd" -1`) }
           t2 = VENDORED_TIMESTAMP
 
-          if t1 >= t2 then USER_PATH
-          else             VENDORED_PATH
+          if t1 >= t2
+            USER_PATH
+          else
+            VENDORED_PATH
           end
         else
           VENDORED_PATH
@@ -98,8 +100,7 @@ module Bundler
         if File.directory?(USER_PATH)
           if File.directory?(File.join(USER_PATH, ".git"))
             Dir.chdir(USER_PATH) do
-              command = %w(git fetch --all)
-              command = %w(git reset --hard origin/master)
+              command = "git fetch --all; git reset --hard origin/master"
               command << '--quiet' if options[:quiet]
 
               system *command
@@ -176,7 +177,7 @@ module Bundler
         return enum_for(__method__,gem) unless block_given?
 
         advisories_for(gem.name) do |advisory|
-          if advisory.vulnerable?(gem.version)
+          if advisory.leaky?(gem.version)
             yield advisory
           end
         end

data/lib/bundler/plumber/version.rb

@@ -19,6 +19,6 @@
 module Bundler
   module Plumber
     # bundler-leak version
-    VERSION = '0.1.0'
+    VERSION = '0.1.1'
   end
 end

data/spec/advisory_spec.rb

@@ -115,12 +115,12 @@ describe Bundler::Plumber::Advisory do
     end
   end
 
-  describe "#vulnerable?" do
+  describe "#leaky?" do
     context "when passed a version that matches one patched version" do
       let(:version) { Gem::Version.new('0.12.4') }
 
       it "should return false" do
-        expect(subject.vulnerable?(version)).to be_falsey
+        expect(subject.leaky?(version)).to be_falsey
       end
     end
 
@@ -128,7 +128,7 @@ describe Bundler::Plumber::Advisory do
       let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return true" do
-        expect(subject.vulnerable?(version)).to be_truthy
+        expect(subject.leaky?(version)).to be_truthy
       end
 
       context "when unaffected_versions is not empty" do
@@ -138,7 +138,7 @@ describe Bundler::Plumber::Advisory do
           let(:version) { Gem::Version.new(an_unaffected_version) }
 
           it "should return false" do
-            expect(subject.vulnerable?(version)).to be_falsey
+            expect(subject.leaky?(version)).to be_falsey
           end
         end
 
@@ -146,7 +146,7 @@ describe Bundler::Plumber::Advisory do
           let(:version) { Gem::Version.new('1.2.3') }
 
           it "should return true" do
-            expect(subject.vulnerable?(version)).to be_truthy
+            expect(subject.leaky?(version)).to be_truthy
           end
         end
       end

data/spec/database_spec.rb

@@ -14,7 +14,8 @@ describe Bundler::Plumber::Database do
       expect(File.directory?(subject)).to be_truthy
     end
 
-    it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
+    it "should prefer the user repo, if it's as up to date, or more up to date than the vendored one" do
+
       Bundler::Plumber::Database.update!(quiet: false)
 
       Dir.chdir(Bundler::Plumber::Database::USER_PATH) do
@@ -29,7 +30,7 @@ describe Bundler::Plumber::Database do
       fake_a_commit_in_the_user_repo
       expect(Bundler::Plumber::Database.path).to eq mocked_user_path
 
-      roll_user_repo_back(20)
+      roll_user_repo_back(2)
       expect(Bundler::Plumber::Database.path).to eq Bundler::Plumber::Database::VENDORED_PATH
     end
   end

data/spec/integration_spec.rb

@@ -16,38 +16,25 @@ describe "CLI" do
     end
 
     it "should print a warning" do
-      expect(subject).to include("Vulnerabilities found!")
+      expect(subject).to include("Leaks found!")
     end
 
-    it "should print advisory information for the vulnerable gems" do
+    it "should print advisory information for the leaky gems" do
       advisory_pattern = /(Name: [^\n]+
 Version: \d+.\d+.\d+
 URL: https?:\/\/(www\.)?.+
 Title: [^\n]*?
-Solution: remove or disable this gem until a patch is available!)+/
+Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)/
 
       expect(subject).to match(advisory_pattern)
-      expect(subject).to include("Vulnerabilities found!")
-    end
-  end
-
-  context "when auditing a secure bundle" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-
-    subject do
-      Dir.chdir(directory) { sh(command) }
-    end
-
-    it "should print nothing when everything is fine" do
-      expect(subject.strip).to eq("No vulnerabilities found")
+      expect(subject).to include("Leaks found!")
     end
   end
 
   describe "update" do
 
     let(:update_command) { "#{command} update" }
-    let(:bundle)         { 'secure' }
+    let(:bundle)         { 'unpatched_gems' }
     let(:directory)      { File.join('spec','bundle',bundle) }
 
     subject do

data/spec/scanner_spec.rb

@@ -32,7 +32,7 @@ describe Scanner do
 
     it "should match unpatched gems to their advisories" do
       expect(subject.all? { |result|
-        result.advisory.vulnerable?(result.gem.version)
+        result.advisory.leaky?(result.gem.version)
       }).to be_truthy
     end
 
@@ -46,16 +46,4 @@ describe Scanner do
       end
     end
   end
-
-  context "when auditing a secure bundle" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-    let(:scanner)   { described_class.new(directory)    }
-
-    subject { scanner.scan.to_a }
-
-    it "should print nothing when everything is fine" do
-      expect(subject).to be_empty
-    end
-  end
 end

data/spec/spec_helper.rb

@@ -32,7 +32,7 @@ module Helpers
   def expect_update_to_update_repo!
     expect(Bundler::Plumber::Database).
       to receive(:system).
-      with('git', 'reset', '--hard', 'origin/master').
+      with("git fetch --all; git reset --hard origin/master").
       and_call_original
   end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-leak
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Ombulabs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-28 00:00:00.000000000 Z
+date: 2019-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -49,6 +49,7 @@ email: hello@ombulabs.com
 executables:
 - bundle-leak
 - bundler-leak
+- setup
 extensions: []
 extra_rdoc_files:
 - COPYING.txt
@@ -68,6 +69,7 @@ files:
 - Rakefile
 - bin/bundle-leak
 - bin/bundler-leak
+- bin/setup
 - bundler-leak.gemspec
 - data/ruby-mem-advisory-db.ts
 - data/ruby-mem-advisory-db/.gitignore
@@ -106,8 +108,6 @@ files:
 - lib/bundler/plumber/version.rb
 - spec/advisory_spec.rb
 - spec/audit_spec.rb
-- spec/bundle/insecure_sources/Gemfile
-- spec/bundle/secure/Gemfile
 - spec/bundle/unpatched_gems/Gemfile
 - spec/cli_spec.rb
 - spec/database_spec.rb

data/spec/bundle/insecure_sources/Gemfile

@@ -1,39 +0,0 @@
-source 'http://rubygems.org'
-
-gem 'rails', '3.2.12'
-
-# Bundle edge Rails instead:
-# gem 'rails', :git => 'git://github.com/rails/rails.git'
-
-gem 'sqlite3', platform: [:mri, :rbx]
-
-
-# Gems used only for assets and not required
-# in production environments by default.
-group :assets do
-  # gem 'sass-rails',   '~> 3.2.3'
-  # gem 'coffee-rails', '~> 3.2.1'
-
-  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
-  # gem 'therubyracer', :platforms => :ruby
-
-  # gem 'uglifier', '>= 1.0.3'
-end
-
-gem 'jquery-rails', :git => 'git://github.com/rails/jquery-rails.git',
-                    :tag => 'v2.2.1'
-
-# To use ActiveModel has_secure_password
-# gem 'bcrypt-ruby', '~> 3.0.0'
-
-# To use Jbuilder templates for JSON
-# gem 'jbuilder'
-
-# Use unicorn as the app server
-# gem 'unicorn'
-
-# Deploy with Capistrano
-# gem 'capistrano'
-
-# To use debugger
-# gem 'debugger'

data/spec/bundle/secure/Gemfile

@@ -1,38 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'rails', '~> 4.2.7.1'
-
-# Bundle edge Rails instead:
-# gem 'rails', :git => 'git://github.com/rails/rails.git'
-
-gem 'sqlite3', platform: [:mri, :rbx]
-
-
-# Gems used only for assets and not required
-# in production environments by default.
-group :assets do
-  # gem 'sass-rails',   '~> 3.2.3'
-  # gem 'coffee-rails', '~> 3.2.1'
-
-  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
-  # gem 'therubyracer', :platforms => :ruby
-
-  # gem 'uglifier', '>= 1.0.3'
-end
-
-gem 'jquery-rails'
-
-# To use ActiveModel has_secure_password
-# gem 'bcrypt-ruby', '~> 3.0.0'
-
-# To use Jbuilder templates for JSON
-# gem 'jbuilder'
-
-# Use unicorn as the app server
-# gem 'unicorn'
-
-# Deploy with Capistrano
-# gem 'capistrano'
-
-# To use debugger
-# gem 'debugger'