bundler-leak 0.2.0 → 0.3.0

data/spec/integration_spec.rb

@@ -4,7 +4,7 @@ describe "CLI" do
   include Helpers
 
   let(:command) do
-    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-leak'))
+    File.expand_path(File.join(File.dirname(__FILE__),'..','exe','bundler-leak'))
   end
 
   context "when auditing a bundle with unpatched gems" do
@@ -36,7 +36,7 @@ Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+
     let(:directory) { File.join('spec','bundle', bundle) }
 
     let(:command) do
-      File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundler-leak -i celluloid-670'))
+      File.expand_path(File.join(File.dirname(__FILE__),'..','exe','bundler-leak -i celluloid-670'))
     end
 
     subject do

data/spec/spec_helper.rb

@@ -34,7 +34,7 @@ module Helpers
   end
 
   def expect_update_to_update_repo!(quiet: false)
-    with = 'git fetch --all; git reset --hard origin/master'
+    with = 'git fetch --all; git reset --hard origin/main'
     with << " --quiet" if quiet
 
     expect(Bundler::Plumber::Database).

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bundler-leak
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Ombulabs
 autorequire: 
-bindir: bin
+bindir: exe
 cert_chain: []
-date: 2020-04-06 00:00:00.000000000 Z
+date: 2022-03-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -50,60 +50,53 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
 description: bundler-leak provides memory leak verification for Bundled apps.
 email: hello@ombulabs.com
 executables:
 - bundle-leak
 - bundler-leak
-- setup
 extensions: []
 extra_rdoc_files:
 - COPYING.txt
 - ChangeLog.md
 - README.md
+- code-of-conduct.md
+- pull_request_template.md
 files:
 - ".document"
+- ".github/ISSUE_TEMPLATE/bug_report.md"
+- ".github/ISSUE_TEMPLATE/feature_request.md"
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
-- ".travis.yml"
 - ".yardopts"
 - COPYING.txt
 - ChangeLog.md
 - Gemfile
 - README.md
 - Rakefile
-- bin/bundle-leak
-- bin/bundler-leak
 - bin/setup
 - bundler-leak.gemspec
+- code-of-conduct.md
 - data/ruby-mem-advisory-db.ts
-- data/ruby-mem-advisory-db/.gitignore
-- data/ruby-mem-advisory-db/.rspec
-- data/ruby-mem-advisory-db/.travis.yml
-- data/ruby-mem-advisory-db/CONTRIBUTING.md
-- data/ruby-mem-advisory-db/CONTRIBUTORS.md
-- data/ruby-mem-advisory-db/Gemfile
-- data/ruby-mem-advisory-db/Gemfile.lock
-- data/ruby-mem-advisory-db/LICENSE.txt
-- data/ruby-mem-advisory-db/README.md
-- data/ruby-mem-advisory-db/Rakefile
-- data/ruby-mem-advisory-db/gems/celluloid/670.yml
-- data/ruby-mem-advisory-db/gems/grape/301.yml
-- data/ruby-mem-advisory-db/gems/oj/229.yml
-- data/ruby-mem-advisory-db/gems/redcarpet/516.yml
-- data/ruby-mem-advisory-db/gems/redis/612.yml
-- data/ruby-mem-advisory-db/gems/sidekiq-statistic/73.yml
-- data/ruby-mem-advisory-db/gems/sidekiq/2598.yml
-- data/ruby-mem-advisory-db/gems/therubyracer/336.yml
-- data/ruby-mem-advisory-db/gems/zipruby/PRE-SA-2012-02.yml
-- data/ruby-mem-advisory-db/scripts/post-advisories.sh
-- data/ruby-mem-advisory-db/spec/advisories_spec.rb
-- data/ruby-mem-advisory-db/spec/advisory_example.rb
-- data/ruby-mem-advisory-db/spec/gem_example.rb
-- data/ruby-mem-advisory-db/spec/library_example.rb
-- data/ruby-mem-advisory-db/spec/ruby_example.rb
-- data/ruby-mem-advisory-db/spec/spec_helper.rb
+- exe/bundle-leak
+- exe/bundler-leak
+- fastruby-logo.png
 - gemspec.yml
 - lib/bundler/plumber.rb
 - lib/bundler/plumber/advisory.rb
@@ -112,9 +105,11 @@ files:
 - lib/bundler/plumber/scanner.rb
 - lib/bundler/plumber/task.rb
 - lib/bundler/plumber/version.rb
+- pull_request_template.md
 - spec/advisory_spec.rb
 - spec/audit_spec.rb
 - spec/bundle/unpatched_gems/Gemfile
+- spec/bundle/unpatched_gems/Gemfile.lock
 - spec/cli_spec.rb
 - spec/database_spec.rb
 - spec/fixtures/not_a_hash.yml
@@ -140,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.8.0
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Memory leaks verification for Bundler

data/.travis.yml

@@ -1,13 +0,0 @@
-language: ruby
-rvm:
-  - 2.3.8
-  - 2.4.6
-  - 2.5.5
-  - 2.6.3
-  - jruby
-  - rbx-3
-
-matrix:
-  allow_failures:
-    - rvm: jruby
-    - rvm: rbx-3

data/data/ruby-mem-advisory-db/.gitignore

@@ -1 +0,0 @@
-_site

data/data/ruby-mem-advisory-db/.rspec

@@ -1 +0,0 @@
---colour

data/data/ruby-mem-advisory-db/.travis.yml

@@ -1,12 +0,0 @@
-language: ruby
-
-sudo: false
-
-cache: bundler
-
-notifications:
-  irc: chat.freenode.net#rubysec
-
-env:
-  global:
-  - secure: ZXwsZdbCej15IcIazEIjy12o5v5EI8/Hle/VP1EabfbHsA5Mw+lrliMAV80C8Iy+p4mI66WIO/3Ovm64L1nGDBGs3dKUjtDvNPCKHlK2xK7AhvkcJnzbjWTAzWZY17STJO45DUdr/vuVbvQZ8llLosSOBs+grGsszCSEIOibqjU=

data/data/ruby-mem-advisory-db/CONTRIBUTING.md

@@ -1,69 +0,0 @@
-# Contributing Guidelines
-
-* All text must be within 80 columns.
-* YAML must be indented by 2 spaces.
-* Have any questions? Feel free to open an issue.
-* Prior to submitting a pull request, run the tests:
-
-```
-bundle install
-bundle exec rspec
-```
-
-* Follow the schema. Here is an example advisory:
-
-```yaml
-    ---
-    gem: examplegem
-    cve: 2013-0156
-    url: https://github.com/rubysec/ruby-advisory-db/issues/123456
-    title: |
-      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
-      Remote Code Execution
-
-    description: |
-      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
-      The issue is triggered when a type casting error occurs during the parsing
-      of parameters. This may allow a remote attacker to potentially execute
-      arbitrary code.
-
-    cvss_v2: 10.0
-
-    patched_versions:
-      - ~> 2.3.15
-      - ~> 3.0.19
-      - ~> 3.1.10
-      - ">= 3.2.11"
-    unaffected_versions:
-      - ~> 2.4.3
-
-    related:
-      cve:
-        - 2013-1234567
-        - 2013-1234568
-      url:
-        - https://github.com/rubysec/ruby-advisory-db/issues/123457
-
-```
-### Schema
-
-* `gem` \[String\]: Name of the affected gem.
-* `framework` \[String\] (optional): Name of framework gem belongs to.
-* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
-* `cve` \[String\]: CVE id.
-* `osvdb` \[Integer\]: OSVDB id.
-* `url` \[String\]: The URL to the full advisory.
-* `title` \[String\]: The title of the advisory.
-* `date` \[Date\]: Disclosure date of the advisory.
-* `description` \[String\]: Multi-paragraph description of the vulnerability.
-* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
-* `cvss_v3` \[Float\]: The [CVSSv3] score for the vulnerability.
-* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
-  unaffected versions of the Ruby library.
-* `patched_versions` \[Array\<String\>\]: The version requirements for the
-  patched versions of the Ruby library.
-* `related` \[Hash\<Array\<String\>\>\]: Sometimes an advisory references many urls and cves. Supported keys: `cve` and `url`
-
-
-[CVSSv2]: https://www.first.org/cvss/v2/guide
-[CVSSv3]: https://www.first.org/cvss/user-guide

data/data/ruby-mem-advisory-db/CONTRIBUTORS.md

@@ -1,40 +0,0 @@
-### Acknowledgements
-
-This database would not be possible without volunteers willing to submit pull requests. In no particular order, we'd like to thank:
-
-* [Postmodern](https://github.com/postmodern/)
-* [Max Veytsman](https://twitter.com/mveytsman)
-* [Pietro Monteiro](https://github.com/pietro)
-* [Eric Hodel](https://github.com/drbrain)
-* [Brendon Murphy](https://github.com/bemurphy)
-* [Oliver Legg](https://github.com/olly)
-* [Larry W. Cashdollar](http://vapid.dhs.org/)
-* [Michael Grosser](https://github.com/grosser)
-* [Sascha Korth](https://github.com/skorth)
-* [David Radcliffe](https://github.com/dwradcliffe)
-* [Jörg Schiller](https://github.com/joergschiller)
-* [Derek Prior](https://github.com/derekprior)
-* [Joel Chippindale](https://github.com/mocoso)
-* [Josef Šimánek](https://github.com/simi)
-* [Amiel Martin](https://github.com/amiel)
-* [Jeremy Olliver](https://github.com/jeremyolliver)
-* [Vasily Vasinov](https://github.com/vasinov)
-* [Phill MV](https://twitter.com/phillmv)
-* [Jon Kessler](https://github.com/jonkessler)
-* [James Harton](https://github.com/jamesotron)
-* [Justin Collins](https://github.com/presidentbeef)
-* [Andy Brody](https://github.com/ab)
-* [Alexey Zapparov](https://github.com/ixti)
-* [Toni Reina](https://github.com/areina)
-* [Bernard Lambeau](https://github.com/blambeau)
-* [Don Morrison](https://github.com/elskwid)
-* [John Poulin](https://github.com/forced-request)
-* [Neal Harris](https://github.com/nealharris)
-* [Justin Bull](https://github.com/f3ndot)
-* [Andrew Selder](https://github.com/aselder)
-* [Vanessa Henderson](https://github.com/VanessaHenderson)
-* [Reed Loden](https://github.com/reedloden)
-* [ecneladis](https://github.com/ecneladis)
-* [Brendan Coles](https://github.com/bcoles)
-
-The rubysec.com domain was graciously donated by [Jordi Massaguer](https://github.com/jordimassaguerpla).

data/data/ruby-mem-advisory-db/Gemfile

@@ -1,9 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'rspec'
-gem 'rake'
-
-group :development do
-  gem 'pry'
-  gem 'nokogiri'
-end

data/data/ruby-mem-advisory-db/Gemfile.lock

@@ -1,38 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    coderay (1.1.2)
-    diff-lcs (1.3)
-    method_source (0.9.0)
-    mini_portile2 (2.4.0)
-    nokogiri (1.10.3)
-      mini_portile2 (~> 2.4.0)
-    pry (0.11.3)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    rake (12.3.1)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-support (3.7.1)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  nokogiri
-  pry
-  rake
-  rspec
-
-BUNDLED WITH
-   1.17.1

data/data/ruby-mem-advisory-db/LICENSE.txt

@@ -1,5 +0,0 @@
-If you submit code or data to the ruby-advisory-db that is copyrighted by yourself, upon submission you hereby agree to release it into the public domain.
-
-However, not all of the ruby-advisory-db can be considered public domain. The ruby-advisory-db may contain some information copyrighted by the Open Source Vulnerability Database (http://osvdb.org). If you use ruby-advisory-db data to build a product or a service, it is your responsibility to familiarize yourself with the terms of their license: http://www.osvdb.org/osvdb_license
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/data/ruby-mem-advisory-db/README.md

@@ -1,72 +0,0 @@
-# Ruby Advisory Database
-
-The Ruby Mem Database is a community effort to compile all memory leaks that are relevant to Ruby gems.
-
-You can check your own Gemfile.locks against this database by using [bundler-leak](https://github.com/rubymem/bundler-leak).
-
-## Support Ruby security!
-
-Do you know about a memory leak that isn't listed in this database? Open an issue, submit a PR, or [use this form](https://rubymem.com/advisories/new) which will email the maintainers.
-
-## Directory Structure
-
-The database is a list of directories that match the names of Ruby libraries on
-[rubygems.org]. Within each directory are one or more files
-for the Ruby library. These  files are named using
-the advisories can be named however you want, in this example it is named after the PR number in github.
-
-    gems/:
-      celluloid/:
-        612.yml
-
-
-## Format
-
-Each file contains the information in [YAML] format:
-
-    ---
-    gem: examplegem
-    url: https://github.com/celluloid/celluloid/issues/670
-    title: Memory Leak using Examplegem::Future
-    date: 2015-08-31
-    description: |
-      The ExampleGem::Group::Spawner appears to never clean up the completed Threads
-      that it creates.
-    leaky_versions:
-      - "> 0.16.0, < 0.17.2
-    patched_versions:
-      - "~> 0.17.3"
-    unaffected_versions:
-      - < 0.16.0
-
-
-### Schema
-
-* `gem` \[String\]: Name of the affected gem.
-* `framework` \[String\] (optional): Name of the framework which the affected
-  gem belongs to.
-* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. jruby)
-* `url` \[String\]: The URL to the full advisory.
-* `title` \[String\]: The title of the advisory or individual vulnerability.
-* `date` \[Date\]: The public disclosure date of the advisory.
-* `description` \[String\]: One or more paragraphs describing the vulnerability.
-* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
-  unaffected versions of the Ruby library.
-* `patched_versions` \[Array\<String\>\]: The version requirements for the
-  patched versions of the Ruby library.
-
-### Tests
-Prior to submitting a pull request, run the tests:
-
-```
-bundle install
-bundle exec rspec
-```
-
-## Credits
-
-Please see [CONTRIBUTORS.md].
-
-[rubygems.org]: https://rubygems.org/
-[YAML]: http://www.yaml.org/
-[CONTRIBUTORS.md]: https://github.com/rubymem/ruby-mem-advisory-db/blob/master/CONTRIBUTORS.md

data/data/ruby-mem-advisory-db/Rakefile

@@ -1,26 +0,0 @@
-require 'yaml'
-
-namespace :lint do
-  begin
-    require 'rspec/core/rake_task'
-
-    RSpec::Core::RakeTask.new(:yaml)
-  rescue LoadError => e
-    task :spec do
-      abort "Please run `gem install rspec` to install RSpec."
-    end
-  end
-
-  task :cve do
-    Dir.glob('{gems,libraries,rubies}/*/*.yml') do |path|
-      advisory = YAML.load_file(path)
-
-      unless advisory['cve']
-        puts "Missing CVE: #{path}"
-      end
-    end
-  end
-end
-
-task :lint    => ['lint:yaml', 'lint:cve']
-task :default => :lint

data/data/ruby-mem-advisory-db/gems/celluloid/670.yml

@@ -1,13 +0,0 @@
----
-gem: celluloid
-url: https://github.com/celluloid/celluloid/issues/670
-title: Memory Leak using Celluloid::Future
-date: 2015-08-31
-description: |
-  The Celluloid::Group::Spawner appears to never clean up the completed Threads
-  that it creates.
-leaky_versions:
-  - "> 0.16.0, < 0.17.2"
-patched_versions:
-  - ">= 0.17.3"
-

data/data/ruby-mem-advisory-db/gems/grape/301.yml

@@ -1,11 +0,0 @@
----
-gem: grape
-url: https://github.com/ruby-grape/grape/issues/301
-title: Memory leak in formatter middleware
-date: 2012-12-27
-description: |
-  The call for .to_sym will leak the symbol since those are never garbage collected. Malicious users can abuse.
-leaky_versions:
-  - "< 0.2.5"
-patched_versions:
-  - ">= 0.10"

data/data/ruby-mem-advisory-db/gems/oj/229.yml

@@ -1,11 +0,0 @@
----
-gem: oj
-url: https://github.com/ohler55/oj/issues/229
-title: Memory Leak using Oj::Doc.open
-date: 2015-04-18
-description: |
- Oj::Doc.open steadily increases memory usage.
-leaky_versions:
-  - "< 2.12.4"
-patched_versions:
-  - ">= 2.12.4"

data/data/ruby-mem-advisory-db/gems/redcarpet/516.yml

@@ -1,14 +0,0 @@
----
-gem: redcarpet
-url: https://github.com/vmg/redcarpet/pull/516
-title: Memory Leak in Redcarpet::Render::Base
-date: 2015-09-11
-description: |
- rb_redcarpet_rbase_alloc used to allocate a struct rb_redcarpet_rndr instance
- which was never freed.
-
- This caused 312 leaked bytes (on a 64-bit machine) on every render call
-leaky_versions:
-  - "< 3.3.3"
-patched_versions:
-  - ">= 3.3"

data/data/ruby-mem-advisory-db/gems/redis/612.yml

@@ -1,12 +0,0 @@
----
-gem: redis
-url: https://github.com/redis/redis-rb/issues/612
-title: Memory leak due to Timeout creating threads on each invocation.
-date: 2016-04-25
-description: |
- write_timeout results in lots of short-lived threads created, since each timeout block creates a separate thread. Now every write to Redis requires the creation of a new Thread.
-leaky_versions:
-  - "= 3.2.2"
-  - "= 3.3.0"
-patched_versions:
-  - ">= 3.3.1"

data/data/ruby-mem-advisory-db/gems/sidekiq/2598.yml

@@ -1,11 +0,0 @@
----
-gem: sidekiq
-url: https://github.com/mperham/sidekiq/pull/2598
-title: Memory Leak in Sidekiq::Manager#real_thread
-date: 2015-10-09
-description: |
-  Before starting to execute the task, Processor does an async call to Manager (real_thread method) to add processor's thread to @threads hash in Manager
-leaky_versions:
-  - "< 3.5.1"
-patched_versions:
-  - ">= 3.5.1"

data/data/ruby-mem-advisory-db/gems/sidekiq-statistic/73.yml

@@ -1,9 +0,0 @@
----
-gem: sidekiq-statistic
-url: https://github.com/davydovanton/sidekiq-statistic/issues/73
-title: Memory Leak since timeslist does not expire
-date: 2015-09-15
-description: |
-  The timeslist should be expired after some amount of time and the times aggregated into a much more compact form.
-leaky_versions:
-  - "<= 1.2"

data/data/ruby-mem-advisory-db/gems/therubyracer/336.yml

@@ -1,13 +0,0 @@
----
-gem: therubyracer
-url: https://github.com/cowboyd/therubyracer/pull/336
-title: Memory leak in WeakValueMap
-date: 2015-03-31
-description: |
-  Entries were not being cleaned up correctly from the backing store.
-leaky_versions:
-  - "< 0.12.2"
-unaffected_versions:
-  - "~> 0.12.3"
-patched_versions:
-  - "~> 0.12.3"

data/data/ruby-mem-advisory-db/gems/zipruby/PRE-SA-2012-02.yml

@@ -1,9 +0,0 @@
----
-gem: zipruby
-url: https://packetstormsecurity.com/files/111242/libzip-0.10-Heap-Overflow-Information-Leak.html
-title: Heap overflow, information leak
-date: 2012-03-21
-description: |
- libzip  has two vulnerabilities that may lead to a heap overflow or an information leak via corrupted zip files.
-leaky_versions:
-  - "<= 0.3.6"

data/data/ruby-mem-advisory-db/scripts/post-advisories.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -o errexit -o nounset
-
-REPO="https://${GH_TOKEN}@github.com/rubysec/rubysec.github.io.git"
-DIR="_site"
-
-git clone $REPO $DIR
-
-cd $DIR
-
-git config user.name "RubySec CI"
-git config user.email "ci@rubysec.com"
-
-bundle install --jobs=3 --retry=3
-bundle exec rake advisories
-
-git push -q

data/data/ruby-mem-advisory-db/spec/advisories_spec.rb

@@ -1,23 +0,0 @@
-load File.join(File.dirname(__FILE__), 'spec_helper.rb')
-require 'gem_example'
-require 'library_example'
-require 'ruby_example'
-
-describe "gems" do
-  Dir.glob(File.join(File.dirname(__FILE__), '../gems/*/*')) do |path|
-    include_examples 'Gem Advisory', path
-  end
-end
-
-describe "libraries" do
-  Dir.glob(File.join(File.dirname(__FILE__), '../libraries/*/*')) do |path|
-    include_examples 'Libraries Advisory', path
-  end
-end
-
-describe "rubies" do
-  Dir.glob(File.join(File.dirname(__FILE__), '../rubies/*/*')) do |path|
-    include_examples 'Rubies Advisory', path
-  end
-end
-