bundler-leak 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e8c500b9cff644ec4d39ec693c7695c90632ee13e71a6e089918dfc96975de23
-  data.tar.gz: 92b10475517b8f8dda0faf6e208a27d0a53f0d3d4a5e0c9b38fa57ae67ead53a
+  metadata.gz: da3d27fec7acee6b26df26e77f7efdb5d4d5c4783bab50a5ffee8c70344c9791
+  data.tar.gz: 16104345f72340b3b14d5106a08c24a3b4627ead89aa4bc48423346c255f483f
 SHA512:
-  metadata.gz: '0500328327647524b1a814ff99cc28e1cf2732425ff49d86ac717702a8364f4eac0c1b613f657b0baac9ecb495b1834ac0e6f0708b58162af383ce73b49f5075'
-  data.tar.gz: c8f80a5bbcc340245d57af38294e733714bd794b2532bbb57cfccc22c69ac564eb0bd90edd4df3ad2df6e2c98cd9b6311af40e2274d8299ad8ded222c75701ad
+  metadata.gz: 2556087c7303334229b4957a28915795b8bc2df3ea05834cac8c3d81f67fee5a17bf454493590131f3a9950e8dc7f26f5c7b8bca0ab06e437c766feed360dda3
+  data.tar.gz: 64f11cfcedce51dafa622b0453f0ce0e77d8a0e48ce0bb3b5d437f0648fba1a775b3116b28d05814ef4b860fa6c7958ff74355fb6ed236cd5cba10dc04114117

data/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,59 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "[BUG]"
+labels: ''
+assignees: ''
+
+---
+
+**IMPORTANT: please make sure you ask yourself all intro questions and fill all sections of the template.**
+
+**Before we start...:**
+
+- [ ] I checked the documentation and found no answer
+- [ ] I checked to make sure that this issue has not already been filed
+- [ ] I'm reporting the issue to the correct repository (for multi-repository projects)
+
+
+**Branch/Commit:**
+
+Inform what branch/commit of bundler-leak you are using.
+
+**Expected behavior:**
+
+Please include a detailed description of the behavior you were expecting when you encountered this issue.
+
+**Actual behavior:**
+
+Please include a detailed description of the actual behavior of the application.
+
+**Steps to reproduce:**
+
+How do I achieve this behavior? Use the following format to provide a step-by-step guide:
+
+1. Step 1: ...
+2. Step 2: ...
+
+**Context and environment:**
+
+Provide any relevant information about your setup (Customize the list accordingly based on what info is relevant to this project)
+
+1. Version of the software the issue is being opened for.
+2. Operating System
+3. Operating System version
+4. Ruby version
+
+_Delete any information that is not relevant._
+
+If you are unable to reproduce the bug, add the **Non-Reproducible** tag and describe the steps you followed leading to the bug to the best of your recollection.
+
+**Screenshots and Videos**
+
+If the issue has an effect in the frontend, include any relevant screenshots and videos here.
+
+**Logs**
+
+Include relevant log snippets or files here.
+
+**I will abide by the [code of conduct] (code_of_conduct.md)**

data/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,47 @@
+---
+name: Feature request
+about: Request a new feature
+title: "[REQUEST]"
+labels: 'enhancement'
+assignees: ''
+
+---
+
+**IMPORTANT: please make sure you ask yourself all intro questions and fill all sections of the template.**
+
+**Before we start...:**
+
+- [ ] I checked the documentation and didn't find this feature
+- [ ] I checked to make sure that this feature has not already been requested
+
+
+**Branch/Commit:**
+
+Inform what branch/commit/version of bundler-leak you are using.
+
+**Describe the feature:**
+
+Please include a detailed description of the feature you are requesting and any detail on it’s expected behavior.
+
+> **As a \<role name\>**
+> **I do \<something\>**
+> **And then I do \<another action\>**
+> **And I see \<some result\>**
+
+**Problem:**
+
+Please include a detailed description of the problem this feature would solve.
+
+> **As a \<role name\>**
+> **I want to \<do something\>**
+> **So that I can achieve a \<goal\>**
+
+**Mockups:**
+
+Include any mockup idea related to the requested feature if it applies.
+
+**Resources:**
+
+If you have resources related to the implementation or research for this feature, add them here.
+
+**I will abide by the [code of conduct] (code_of_conduct.md)**

data/.github/workflows/test.yml

@@ -0,0 +1,27 @@
+name: CI
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        ruby: ['2.6', '2.7', '3.0', '3.1']
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Run tests
+      run: |
+        ./bin/setup
+        bundle exec rspec spec

data/.gitignore

@@ -5,7 +5,6 @@ doc/
 .yardoc/
 coverage/
 pkg/
-spec/bundle/*/Gemfile.lock
-spec/bundle/*/.bundle/
+spec/bundle/unpatched_gems/.bundle/
 vendor/bundle/
 tmp/

data/ChangeLog.md

@@ -1,125 +1,10 @@
-### 0.6.0 / 2017-07-18
+### 0.1.0 / 2019-08-28
 
-* Added `--quiet` option to `check` and `update` commands (@jaredbeck).
-* Added `bin/bundler-audit` which will be executed when `bundle audit` is ran
-  (@vassilevsky).
+* Improve database update logic
 
-### 0.5.0 / 2016-02-28
+### 0.0.0 / 2019-08-26
 
-* Added {Bundler::Audit::Task}.
-* Added {Bundler::Audit::Advisory#date}.
-* Added {Bundler::Audit::Advisory#cve_id}.
-* Added {Bundler::Audit::Advisory#osvdb_id}.
-* Allow insecure gem sources (`http://` and `git://`), if they are hosted on a
-  private network.
+* Initial release
 
-#### CLI
-
-* Added the `--update` option to `bundle-audit check`.
-* `bundle-audit update` now returns a non-zero exit status on error.
-* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
-  repository.
-
-### 0.4.0 / 2015-06-30
-
-* Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
-* Added {Bundler::Audit::Advisory#osvdb}.
-* Resolve the IP addresses of gem sources and ignore intranet gem sources.
-  (PR #90)
-* Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
-  (PR #92)
-
-#### CLI
-
-* Print the CVE or OSVDB id.
-* No longer print "Unpatched versions found!" when an insecure gem source
-  is detected. (PR #84)
-
-### 0.3.1 / 2014-04-20
-
-* Added thor ~> 0.18 as a dependency.
-* No longer rely on the vendored version of thor within bundler.
-* Store the timestamp of when `data/ruby-advisory-db` was last updated in
-  `data/ruby-advisory-db.ts`.
-* Use `data/ruby-advisory-db.ts` instead of the creation time of the
-  `dataruby-advisory-db` directory, which is always the install time
-  of the rubygem.
-
-### 0.3.0 / 2013-10-31
-
-* Added {Bundler::Audit::Database.update!} which uses `git` to download
-  [ruby-advisory-db] to `~/.local/share/ruby-advisory-db`.
-* {Bundler::Audit::Database.path} now returns the path to either
-  `~/.local/share/ruby-advisory-db` or the vendored copy, depending on which
-  is more recent.
-
-#### CLI
-
-* Added the `bundle-audit update` sub-command.
-
-### 0.2.0 / 2013-03-05
-
-* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
-  parse approximate version requirements (`~> 1.2.3`).
-* Updated the [ruby-advisory-db].
-* Added {Bundler::Audit::Advisory#unaffected_versions}.
-* Added {Bundler::Audit::Advisory#unaffected?}.
-* Added {Bundler::Audit::Advisory#patched?}.
-* Renamed `Advisory#cve` to {Bundler::Audit::Advisory#id}.
-
-### 0.1.2 / 2013-02-17
-
-* Require [bundler] ~> 1.2.
-* Vendor a full copy of the [ruby-advisory-db].
-* Added {Bundler::Audit::Advisory#path} for debugging purposes.
-* Added {Bundler::Audit::Advisory#to_s} for debugging purposes.
-
-#### CLI
-
-* Simply parse the `Gemfile.lock` instead of loading the bundle (@grosser).
-* Exit with non-zero status on failure (@grosser).
-
-### 0.1.1 / 2013-02-12
-
-* Fixed a Ruby 1.8 syntax error.
-
-### Advisories
-
-* Imported advisories from the [Ruby Advisory DB][ruby-advisory-db].
-  * [CVE-2011-0739](http://www.osvdb.org/show/osvdb/70667)
-  * [CVE-2012-2139](http://www.osvdb.org/show/osvdb/81631)
-  * [CVE-2012-2140](http://www.osvdb.org/show/osvdb/81632)
-  * [CVE-2012-267](http://osvdb.org/83077)
-  * [CVE-2012-1098](http://osvdb.org/79726)
-  * [CVE-2012-1099](http://www.osvdb.org/show/osvdb/79727)
-  * [CVE-2012-2660](http://www.osvdb.org/show/osvdb/82610)
-  * [CVE-2012-2661](http://www.osvdb.org/show/osvdb/82403)
-  * [CVE-2012-3424](http://www.osvdb.org/show/osvdb/84243)
-  * [CVE-2012-3463](http://osvdb.org/84515)
-  * [CVE-2012-3464](http://www.osvdb.org/show/osvdb/84516)
-  * [CVE-2012-3465](http://www.osvdb.org/show/osvdb/84513)
-
-### CLI
-
-* If the advisory has no `patched_versions`, recommend removing or disabling
-  the gem until a patch is made available.
-
-### 0.1.0 / 2013-02-11
-
-* Initial release:
-  * Checks for vulnerable versions of gems in `Gemfile.lock`.
-  * Prints advisory information.
-  * Does not require a network connection.
-
-#### Advisories
-
-* [CVE-2013-0269](http://direct.osvdb.org/show/osvdb/90074)
-* [CVE-2013-0263](http://osvdb.org/show/osvdb/89939)
-* [CVE-2013-0155](http://osvdb.org/show/osvdb/89025)
-* [CVE-2013-0156](http://osvdb.org/show/osvdb/89026)
-* [CVE-2013-0276](http://direct.osvdb.org/show/osvdb/90072)
-* [CVE-2013-0277](http://direct.osvdb.org/show/osvdb/90073)
-* [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
-
-[bundler]: http://gembundler.com/
-[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme
+[bundler]: http://bundler.io/
+[ruby-mem-advisory-db]: https://github.com/rubymem/ruby-mem-advisory-db#readme

data/Gemfile

@@ -9,7 +9,7 @@ group :development do
   gem 'rubygems-tasks', '~> 0.2'
   gem 'rspec',          '~> 3.0'
   gem 'yard',           '~> 0.9'
-  gem 'simplecov',      '~> 0.7', :require => false
+  gem 'simplecov',      '~> 0.21.2', :require => false
 end
 
 gem "byebug", "~> 11.0", :groups => [:development, :test]

data/README.md

@@ -3,19 +3,19 @@
 * [Homepage](https://github.com/rubymem/bundler-leak#readme)
 * [Issues](https://github.com/rubymem/bundler-leak/issues)
 * [Documentation](http://rubydoc.info/gems/bundler-leak/frames)
-* [Email](mailto:hello at ombulabs.com)
-* [![Build Status](https://travis-ci.org/rubymem/bundler-leak.svg?branch=master)](https://travis-ci.org/rubymem/bundler-leak)
+* [Email](mailto:oss at ombulabs.com)
+* [![Build Status](https://travis-ci.org/rubymem/bundler-leak.svg?branch=main)](https://travis-ci.org/rubymem/bundler-leak)
 * [![Code Climate](https://codeclimate.com/github/rubymem/bundler-leak.svg)](https://codeclimate.com/github/rubymem/bundler-leak)
 
 ## Description
 
-Patch-level verification for [bundler].
+The best tool to find leaky gems in your dependencies. Make sure memory leaks
+are not in your gem dependencies.
 
 ## Features
 
-* Checks for memory leaks of gems in `Gemfile.lock`.
-* Prints memory leak information.
-* Does not require a network connection.
+* Checks for memory leaks of gems in `Gemfile.lock`
+* Prints memory leak information
 
 ## Synopsis
 
@@ -45,15 +45,15 @@ Update the [ruby-mem-advisory-db] that `bundle leak` uses:
     $ bundle leak update
 
     cd data/ruby-mem-advisory-db
-    git pull origin master
+    git pull origin main
     remote: Enumerating objects: 14, done.
     remote: Counting objects: 100% (14/14), done.
     remote: Compressing objects: 100% (4/4), done.
     remote: Total 9 (delta 5), reused 7 (delta 4), pack-reused 0
     Unpacking objects: 100% (9/9), done.
     From github.com:rubymem/ruby-mem-advisory-db
-     * branch            master     -> FETCH_HEAD
-       3254525..c4fc78e  master     -> origin/master
+     * branch            main     -> FETCH_HEAD
+       3254525..c4fc78e  main     -> origin/main
     Updating 3254525..c4fc78e
     Fast-forward
      README.md                 | 68 ++++++++++++++++++++------------------------------------------------
@@ -88,12 +88,12 @@ task default: 'bundle:leak'
 ## Contributing
 
 1. Clone the repo
-1. `git submodule update --init` # To populate data dir.
+1. `./bin/setup` # To populate data dir.
 1. `bundle exec rake`
 
 ## License
 
-Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+Copyright (c) 2019 OmbuLabs (hello at ombulabs.com)
 
 Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
 
@@ -116,3 +116,12 @@ along with bundler-leak.  If not, see <http://www.gnu.org/licenses/>.
 [bundler]: https://github.com/carlhuda/bundler#readme
 
 [ruby-mem-advisory-db]: https://github.com/rubymem/ruby-mem-advisory-db
+
+## Code of Conduct
+
+Everyone interacting in the bundler-leak project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/rubymem/bundler-leak/code-of-conduct.md).
+
+## FastRuby.io
+![fastruby](https://github.com/rubymem/bundler-leak/raw/main/fastruby-logo.png)
+
+`bundler-leak` is maintained and funded by FastRuby.io, inc. The names and logos for FastRuby.io are trademarks of FastRuby.io, inc.

data/Rakefile

@@ -20,7 +20,7 @@ namespace :db do
     timestamp = nil
 
     chdir 'data/ruby-mem-advisory-db' do
-      sh 'git', 'pull', 'origin', 'master'
+      sh 'git', 'pull', 'origin', 'main'
 
       File.open('../ruby-mem-advisory-db.ts','w') do |file|
         file.write Time.parse(`git log --pretty="%cd" -1`).utc
@@ -36,22 +36,9 @@ end
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new
 
-namespace :spec do
-  task :bundle do
-    root = 'spec/bundle'
-
-    %w[secure unpatched_gems insecure_sources].each do |bundle|
-      chdir(File.join(root,bundle)) do
-        sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
-      end
-    end
-  end
-end
-task :spec => 'spec:bundle'
-
 task :test    => :spec
 task :default => :spec
 
 require 'yard'
-YARD::Rake::YardocTask.new  
+YARD::Rake::YardocTask.new
 task :doc => :yard

data/bin/setup

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+git submodule update --init
+bundle install

data/bundler-leak.gemspec

@@ -33,8 +33,9 @@ Gem::Specification.new do |gem|
     end
   end
 
+  gem.bindir = "exe"
   gem.executables = gemspec.fetch('executables') do
-    glob['bin/*'].map { |path| File.basename(path) }
+    glob['exe/*'].map { |path| File.basename(path) }
   end
   gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
 

data/code-of-conduct.md

@@ -0,0 +1,77 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to make participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all project spaces, and it also applies when
+an individual is representing the project or its community in public spaces.
+Examples of representing a project or community include using an official
+project e-mail address, posting via an official social media account, or acting
+as an appointed representative at an online or offline event. Representation of
+a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at [oss@ombulabs.com]. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq
+

data/data/ruby-mem-advisory-db.ts

@@ -1 +1 @@
-2019-08-08 21:11:00 UTC
+2019-08-28 18:09:52 UTC

data/gemspec.yml

@@ -10,5 +10,8 @@ required_ruby_version: ">= 1.9.3"
 required_rubygems_version: ">= 1.8.0"
 
 dependencies:
-  thor: ~> 0.18
+  thor: ">= 0.18, < 2"
   bundler:  ">= 1.2.0, < 3"
+
+development_dependencies:
+  byebug: "~> 11.1"

data/lib/bundler/plumber/advisory.rb

@@ -20,14 +20,17 @@ require 'yaml'
 
 module Bundler
   module Plumber
-    class Advisory < Struct.new(:path,
-                                :id,
-                                :url,
-                                :title,
-                                :date,
-                                :description,
-                                :unaffected_versions,
-                                :patched_versions)
+    class Advisory < Struct.new(
+      :gem,
+      :path,
+      :id,
+      :url,
+      :title,
+      :date,
+      :description,
+      :unaffected_versions,
+      :patched_versions
+    )
 
       #
       # Loads the advisory from a YAML file.
@@ -41,7 +44,7 @@ module Bundler
       #
       def self.load(path)
         id   = File.basename(path).chomp('.yml')
-        data = YAML.load_file(path)
+        data = load_advisory_from_yaml(path)
 
         unless data.kind_of?(Hash)
           raise("advisory data in #{path.dump} was not a Hash")
@@ -54,6 +57,7 @@ module Bundler
         }
 
         return new(
+          data['gem'],
           path,
           id,
           data['url'],
@@ -65,6 +69,12 @@ module Bundler
         )
       end
 
+      def self.load_advisory_from_yaml(path)
+        return YAML.load_file(path, permitted_classes: [Date]) if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('4')
+
+        YAML.load_file(path)
+      end
+
       #
       # Checks whether the version is not affected by the advisory.
       #
@@ -100,15 +110,15 @@ module Bundler
       end
 
       #
-      # Checks whether the version is vulnerable to the advisory.
+      # Checks whether the version is leaky to the advisory.
       #
       # @param [Gem::Version] version
       #   The version to compare against {#patched_versions}.
       #
       # @return [Boolean]
-      #   Specifies whether the version is vulnerable to the advisory or not.
+      #   Specifies whether the version is leaky to the advisory or not.
       #
-      def vulnerable?(version)
+      def leaky?(version)
         !patched?(version) && !unaffected?(version)
       end
 

data/lib/bundler/plumber/cli.rb

@@ -30,19 +30,20 @@ module Bundler
       default_task :check
       map '--version' => :version
 
-      desc 'check', 'Checks the Gemfile.lock for insecure dependencies'
+      desc 'check', 'Checks the Gemfile.lock for known memory leaks'
       method_option :quiet, :type => :boolean, :aliases => '-q'
       method_option :verbose, :type => :boolean, :aliases => '-v'
+      method_option :ignore, :type => :array, :aliases => '-i'
       method_option :update, :type => :boolean, :aliases => '-u'
 
       def check
         update if options[:update]
 
         scanner    = Scanner.new
-        vulnerable = false
+        leaky = false
 
-        scanner.scan do |result|
-          vulnerable = true
+        scanner.scan(ignore: options.ignore) do |result|
+          leaky = true
 
           case result
           when Scanner::UnpatchedGem
@@ -50,11 +51,11 @@ module Bundler
           end
         end
 
-        if vulnerable
-          say "Vulnerabilities found!", :red
+        if leaky
+          say "Leaks found!", :red
           exit 1
         else
-          say("No vulnerabilities found", :green) unless options.quiet?
+          say("No leaks found", :green) unless options.quiet?
         end
       end
 
@@ -75,7 +76,7 @@ module Bundler
         end
 
         unless options.quiet?
-          puts("ruby-mem-advisory-db: #{Database.new.size} advisories")
+          say("ruby-mem-advisory-db: #{Database.new.size} advisories", :green)
         end
       end