bundler-leak 0.1.0 → 0.3.0

data/lib/bundler/plumber/database.rb

@@ -72,8 +72,10 @@ module Bundler
           t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --date=iso8601 --pretty="%cd" -1`) }
           t2 = VENDORED_TIMESTAMP
 
-          if t1 >= t2 then USER_PATH
-          else             VENDORED_PATH
+          if t1 >= t2
+            USER_PATH
+          else
+            VENDORED_PATH
           end
         else
           VENDORED_PATH
@@ -98,9 +100,8 @@ module Bundler
         if File.directory?(USER_PATH)
           if File.directory?(File.join(USER_PATH, ".git"))
             Dir.chdir(USER_PATH) do
-              command = %w(git fetch --all)
-              command = %w(git reset --hard origin/master)
-              command << '--quiet' if options[:quiet]
+              command = "git fetch --all; git reset --hard origin/main"
+              command << ' --quiet' if options[:quiet]
 
               system *command
             end
@@ -176,7 +177,7 @@ module Bundler
         return enum_for(__method__,gem) unless block_given?
 
         advisories_for(gem.name) do |advisory|
-          if advisory.vulnerable?(gem.version)
+          if advisory.leaky?(gem.version)
             yield advisory
           end
         end

data/lib/bundler/plumber/scanner.rb

@@ -80,9 +80,6 @@ module Bundler
       def scan(options={},&block)
         return enum_for(__method__, options) unless block
 
-        ignore = Set[]
-        ignore += options[:ignore] if options[:ignore]
-
         scan_specs(options, &block)
 
         return self
@@ -118,12 +115,8 @@ module Bundler
 
         @lockfile.specs.each do |gem|
           @database.check_gem(gem) do |advisory|
-
-            # TODO this logic should be modified for rubymem
-            #unless (ignore.include?(advisory.cve_id) || ignore.include?(advisory.osvdb_id))
-            #  yield UnpatchedGem.new(gem,advisory)
-            #end
-            yield UnpatchedGem.new(gem, advisory)
+            gem_and_id = "#{advisory.gem}-#{advisory.id}"
+            yield UnpatchedGem.new(gem,advisory) unless ignore.include?(gem_and_id)
           end
         end
       end

data/lib/bundler/plumber/version.rb

@@ -19,6 +19,6 @@
 module Bundler
   module Plumber
     # bundler-leak version
-    VERSION = '0.1.0'
+    VERSION = '0.3.0'
   end
 end

data/pull_request_template.md

@@ -0,0 +1,7 @@
+**IMPORTANT: Please read the README before submitting pull requests for this project. Additionally, if your PR closes any open GitHub issues, make sure you include _Closes #XXXX_ in your comment or use the option on the PR's sidebar to add related issues to auto-close the issue that your PR fixes. **
+
+**Description:**
+
+Please include a summary of the change and which issue is fixed or which feature is introduced. If changes to the behavior are made, clearly describe what changes.
+
+I will abide by the [code of conduct](code_of_conduct.md).

data/spec/advisory_spec.rb

@@ -27,7 +27,7 @@ describe Bundler::Plumber::Advisory do
   subject { described_class.load(path) }
 
   describe "load" do
-    let(:data) { YAML.load_file(path) }
+    let(:data) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(File.read(path)) : YAML.load_file(path) }
 
     describe '#id' do
       subject { super().id }
@@ -115,12 +115,12 @@ describe Bundler::Plumber::Advisory do
     end
   end
 
-  describe "#vulnerable?" do
+  describe "#leaky?" do
     context "when passed a version that matches one patched version" do
       let(:version) { Gem::Version.new('0.12.4') }
 
       it "should return false" do
-        expect(subject.vulnerable?(version)).to be_falsey
+        expect(subject.leaky?(version)).to be_falsey
       end
     end
 
@@ -128,7 +128,7 @@ describe Bundler::Plumber::Advisory do
       let(:version) { Gem::Version.new('2.9.0') }
 
       it "should return true" do
-        expect(subject.vulnerable?(version)).to be_truthy
+        expect(subject.leaky?(version)).to be_truthy
       end
 
       context "when unaffected_versions is not empty" do
@@ -138,7 +138,7 @@ describe Bundler::Plumber::Advisory do
           let(:version) { Gem::Version.new(an_unaffected_version) }
 
           it "should return false" do
-            expect(subject.vulnerable?(version)).to be_falsey
+            expect(subject.leaky?(version)).to be_falsey
           end
         end
 
@@ -146,7 +146,7 @@ describe Bundler::Plumber::Advisory do
           let(:version) { Gem::Version.new('1.2.3') }
 
           it "should return true" do
-            expect(subject.vulnerable?(version)).to be_truthy
+            expect(subject.leaky?(version)).to be_truthy
           end
         end
       end

data/spec/bundle/unpatched_gems/Gemfile

@@ -2,38 +2,3 @@ source 'https://rubygems.org'
 
 gem "celluloid", "0.17.0"
 gem "therubyracer", "0.12.1"
-
-# Bundle edge Rails instead:
-# gem 'rails', :git => 'git://github.com/rails/rails.git'
-
-gem 'sqlite3', platform: [:mri, :rbx]
-
-
-# Gems used only for assets and not required
-# in production environments by default.
-group :assets do
-  # gem 'sass-rails',   '~> 3.2.3'
-  # gem 'coffee-rails', '~> 3.2.1'
-
-  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
-  # gem 'therubyracer', :platforms => :ruby
-
-  # gem 'uglifier', '>= 1.0.3'
-end
-
-gem 'jquery-rails'
-
-# To use ActiveModel has_secure_password
-# gem 'bcrypt-ruby', '~> 3.0.0'
-
-# To use Jbuilder templates for JSON
-# gem 'jbuilder'
-
-# Use unicorn as the app server
-# gem 'unicorn'
-
-# Deploy with Capistrano
-# gem 'capistrano'
-
-# To use debugger
-# gem 'debugger'

data/spec/bundle/unpatched_gems/Gemfile.lock

@@ -0,0 +1,60 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    celluloid (0.17.0)
+      bundler
+      celluloid-essentials
+      celluloid-extras
+      celluloid-fsm
+      celluloid-pool
+      celluloid-supervision
+      dotenv
+      nenv
+      rspec-logsplit (>= 0.1.2)
+      timers (~> 4.0.0)
+    celluloid-essentials (0.20.2)
+      bundler
+      dotenv
+      nenv
+      rspec-logsplit (>= 0.1.2)
+      timers (~> 4.0.0)
+    celluloid-extras (0.20.0)
+      bundler
+      dotenv
+      nenv
+      rspec-logsplit (>= 0.1.2)
+      timers (~> 4.0.0)
+    celluloid-fsm (0.20.0)
+      bundler
+      dotenv
+      nenv
+      rspec-logsplit (>= 0.1.2)
+      timers (~> 4.0.0)
+    celluloid-pool (0.20.0)
+      bundler
+      dotenv
+      nenv
+      rspec-logsplit (>= 0.1.2)
+      timers (~> 4.0.0)
+    celluloid-supervision (0.20.1)
+      bundler
+      dotenv
+      nenv
+      rspec-logsplit (>= 0.1.2)
+      timers (~> 4.0.0)
+    dotenv (2.7.6)
+    hitimes (2.0.0)
+    nenv (0.3.0)
+    rspec-logsplit (0.1.3)
+    therubyracer (0.12.1)
+    timers (4.0.4)
+      hitimes
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  celluloid (= 0.17.0)
+
+BUNDLED WITH
+   2.1.4

data/spec/cli_spec.rb

@@ -5,33 +5,49 @@ describe Bundler::Plumber::CLI do
   describe "#update" do
     context "not --quiet (the default)" do
       context "when update succeeds" do
-
-        before { expect(Bundler::Plumber::Database).to receive(:update!).and_return(true) }
+        before { allow(Bundler::Plumber::Database).to receive(:update!).and_return(true) }
 
         it "prints updated message" do
-          expect { subject.update }.to output(/Updated ruby-mem-advisory-db/).to_stdout
+          allow(subject).to(
+            receive(:say)
+          )
+
+          subject.update
+
+          expect(subject).to(
+            have_received(:say).with("Updated ruby-mem-advisory-db", :green)
+          )
         end
 
         it "prints total advisory count" do
           database = double
-          expect(database).to receive(:size).and_return(1234)
-          expect(Bundler::Plumber::Database).to receive(:new).and_return(database)
+          allow(database).to receive(:size).and_return(1234)
+          allow(Bundler::Plumber::Database).to receive(:new).and_return(database)
+
+          allow(subject).to(
+            receive(:say)
+          )
 
-          expect { subject.update }.to output(/ruby-mem-advisory-db: 1234 advisories/).to_stdout
+          subject.update
+
+          expect(subject).to(
+            have_received(:say).with("ruby-mem-advisory-db: 1234 advisories", :green)
+          )
         end
       end
 
       context "when update fails" do
-
-        before { expect(Bundler::Plumber::Database).to receive(:update!).and_return(false) }
+        before { allow(Bundler::Plumber::Database).to receive(:update!).and_return(false) }
 
         it "prints failure message" do
-          expect do
-            begin
-              subject.update
-            rescue SystemExit
-            end
-          end.to output(/Failed updating ruby-mem-advisory-db!/).to_stdout
+          allow(subject).to(receive(:say))
+          allow(subject).to(receive(:exit))
+
+          subject.update
+
+          expect(subject).to(
+            have_received(:say).with("Failed updating ruby-mem-advisory-db!", :red)
+          )
         end
 
         it "exits with error status code" do
@@ -49,14 +65,14 @@ describe Bundler::Plumber::CLI do
     end
 
     context "--quiet" do
-      before do
-        allow(subject).to receive(:options).and_return(double("Options", quiet?: true))
+      subject do
+        Bundler::Plumber::CLI.new([], quiet: true)
       end
 
       context "when update succeeds" do
 
         before do
-          expect(Bundler::Plumber::Database).to(
+          allow(Bundler::Plumber::Database).to(
             receive(:update!).with(quiet: true).and_return(true)
           )
         end
@@ -67,31 +83,31 @@ describe Bundler::Plumber::CLI do
       end
 
       context "when update fails" do
-
         before do
-          expect(Bundler::Plumber::Database).to(
+          allow(Bundler::Plumber::Database).to(
             receive(:update!).with(quiet: true).and_return(false)
           )
+          allow(subject).to receive(:exit)
         end
 
         it "prints failure message" do
-          expect do
-            begin
-              subject.update
-            rescue SystemExit
-            end
-          end.to output(/Failed updating ruby-mem-advisory-db!/).to_stdout
+          allow(subject).to(
+            receive(:say)
+          )
+
+          subject.update
+
+          expect(subject).to(
+            have_received(:say).with("Failed updating ruby-mem-advisory-db!", :red)
+          )
         end
 
         it "exits with error status code" do
-          expect {
-            # Capture output of `update` only to keep spec output clean.
-            # The test regarding specific output is above.
-            expect { subject.update }.to output.to_stdout
-          }.to raise_error(SystemExit) do |error|
-            expect(error.success?).to eq(false)
-            expect(error.status).to eq(1)
-          end
+          allow(subject).to receive(:exit)
+
+          subject.update
+
+          expect(subject).to have_received(:exit).with(1)
         end
       end
     end

data/spec/database_spec.rb

@@ -14,13 +14,9 @@ describe Bundler::Plumber::Database do
       expect(File.directory?(subject)).to be_truthy
     end
 
-    it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
-      Bundler::Plumber::Database.update!(quiet: false)
+    xit "should prefer the user repo, if it's as up to date, or more up to date than the vendored one" do
 
-      Dir.chdir(Bundler::Plumber::Database::USER_PATH) do
-        puts "Timestamp:"
-        system 'git log --pretty="%cd" -1'
-      end
+      Bundler::Plumber::Database.update!(quiet: false)
 
       # As up to date...
       expect(Bundler::Plumber::Database.path).to eq mocked_user_path
@@ -29,25 +25,39 @@ describe Bundler::Plumber::Database do
       fake_a_commit_in_the_user_repo
       expect(Bundler::Plumber::Database.path).to eq mocked_user_path
 
-      roll_user_repo_back(20)
+      roll_user_repo_back(2)
       expect(Bundler::Plumber::Database.path).to eq Bundler::Plumber::Database::VENDORED_PATH
     end
   end
 
   describe "update!" do
-    it "should create the USER_PATH path as needed" do
+    xit "should create the USER_PATH path as needed" do
       Bundler::Plumber::Database.update!(quiet: false)
       expect(File.directory?(mocked_user_path)).to be true
     end
 
-    it "should create the repo, then update it given multple successive calls." do
-      expect_update_to_clone_repo!
-      Bundler::Plumber::Database.update!(quiet: false)
-      expect(File.directory?(mocked_user_path)).to be true
+    context "when the :quiet option is false" do
+      it "should create the repo, then update it given multiple successive calls." do
+        expect_update_to_clone_repo!
+        Bundler::Plumber::Database.update!(quiet: false)
+        expect(File.directory?(mocked_user_path)).to be true
 
-      expect_update_to_update_repo!
-      Bundler::Plumber::Database.update!(quiet: false)
-      expect(File.directory?(mocked_user_path)).to be true
+        expect_update_to_update_repo!
+        Bundler::Plumber::Database.update!(quiet: false)
+        expect(File.directory?(mocked_user_path)).to be true
+      end
+    end
+
+    context "when the :quiet option is true" do
+      it "should create the repo, then update it given multiple successive calls." do
+        expect_update_to_clone_repo!(quiet: true)
+        Bundler::Plumber::Database.update!(quiet: true)
+        expect(File.directory?(mocked_user_path)).to be true
+
+        expect_update_to_update_repo!(quiet: true)
+        Bundler::Plumber::Database.update!(quiet: true)
+        expect(File.directory?(mocked_user_path)).to be true
+      end
     end
   end
 

data/spec/integration_spec.rb

@@ -4,7 +4,7 @@ describe "CLI" do
   include Helpers
 
   let(:command) do
-    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-leak'))
+    File.expand_path(File.join(File.dirname(__FILE__),'..','exe','bundler-leak'))
   end
 
   context "when auditing a bundle with unpatched gems" do
@@ -16,38 +16,42 @@ describe "CLI" do
     end
 
     it "should print a warning" do
-      expect(subject).to include("Vulnerabilities found!")
+      expect(subject).to include("Leaks found!")
     end
 
-    it "should print advisory information for the vulnerable gems" do
+    it "should print advisory information for the leaky gems" do
       advisory_pattern = /(Name: [^\n]+
 Version: \d+.\d+.\d+
 URL: https?:\/\/(www\.)?.+
 Title: [^\n]*?
-Solution: remove or disable this gem until a patch is available!)+/
+Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)/
 
       expect(subject).to match(advisory_pattern)
-      expect(subject).to include("Vulnerabilities found!")
+      expect(subject).to include("Leaks found!")
     end
   end
 
-  context "when auditing a secure bundle" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
+  context "when auditing a bundle with ignored gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle', bundle) }
+
+    let(:command) do
+      File.expand_path(File.join(File.dirname(__FILE__),'..','exe','bundler-leak -i celluloid-670'))
+    end
 
     subject do
-      Dir.chdir(directory) { sh(command) }
+      Dir.chdir(directory) { sh(command, :fail => true) }
     end
 
-    it "should print nothing when everything is fine" do
-      expect(subject.strip).to eq("No vulnerabilities found")
+    it "should not print advisory information for ignored gem" do
+      expect(subject).not_to include("Name: celluloid\nVersion: 0.17.0\n")
     end
   end
 
   describe "update" do
 
     let(:update_command) { "#{command} update" }
-    let(:bundle)         { 'secure' }
+    let(:bundle)         { 'unpatched_gems' }
     let(:directory)      { File.join('spec','bundle',bundle) }
 
     subject do

data/spec/scanner_spec.rb

@@ -32,30 +32,18 @@ describe Scanner do
 
     it "should match unpatched gems to their advisories" do
       expect(subject.all? { |result|
-        result.advisory.vulnerable?(result.gem.version)
+        result.advisory.leaky?(result.gem.version)
       }).to be_truthy
     end
 
     context "when the :ignore option is given" do
-      subject { scanner.scan(:ignore => ['OSVDB-89026']) }
+      subject { scanner.scan(:ignore => ['celluloid-670']) }
 
-      it "should ignore the specified advisories" do
+      it "should ignore the specified leaky gems" do
         ids = subject.map { |result| result.advisory.id }
 
-        expect(ids).not_to include('OSVDB-89026')
+        expect(ids).not_to include('670')
       end
     end
   end
-
-  context "when auditing a secure bundle" do
-    let(:bundle)    { 'secure' }
-    let(:directory) { File.join('spec','bundle',bundle) }
-    let(:scanner)   { described_class.new(directory)    }
-
-    subject { scanner.scan.to_a }
-
-    it "should print nothing when everything is fine" do
-      expect(subject).to be_empty
-    end
-  end
 end

data/spec/spec_helper.rb

@@ -7,7 +7,7 @@ require 'bundler/plumber/database'
 
 module Helpers
   def sh(command, options={})
-    Bundler.with_clean_env do
+    with_unbundled_env do
       result = `#{command} 2>&1`
       raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]
       result
@@ -22,17 +22,24 @@ module Helpers
     File.expand_path('../../tmp/ruby-mem-advisory-db', __FILE__)
   end
 
-  def expect_update_to_clone_repo!
+  def expect_update_to_clone_repo!(quiet: false)
+    with = ['git', 'clone']
+    with << '--quiet' if quiet
+    with << Bundler::Plumber::Database::VENDORED_PATH << mocked_user_path
+
     expect(Bundler::Plumber::Database).
       to receive(:system).
-      with('git', 'clone', Bundler::Plumber::Database::VENDORED_PATH, mocked_user_path).
+      with(*with).
       and_call_original
   end
 
-  def expect_update_to_update_repo!
+  def expect_update_to_update_repo!(quiet: false)
+    with = 'git fetch --all; git reset --hard origin/main'
+    with << " --quiet" if quiet
+
     expect(Bundler::Plumber::Database).
       to receive(:system).
-      with('git', 'reset', '--hard', 'origin/master').
+      with(with).
       and_call_original
   end
 
@@ -47,6 +54,17 @@ module Helpers
       system 'git', 'reset', '--hard', "HEAD~#{num_commits}"
     end
   end
+
+  private
+
+  def with_unbundled_env
+    bundler_ver = Gem::Version.new(Bundler::VERSION)
+    if bundler_ver < Gem::Version.new('2.1.0')
+      Bundler.with_clean_env { yield }
+    else
+      Bundler.with_unbundled_env { yield }
+    end
+  end
 end
 
 include Bundler::Plumber