bundler-leak 0.2.0 → 0.3.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/ISSUE_TEMPLATE/bug_report.md +59 -0
- data/.github/ISSUE_TEMPLATE/feature_request.md +47 -0
- data/.github/workflows/test.yml +27 -0
- data/.gitignore +1 -2
- data/Gemfile +1 -1
- data/README.md +13 -4
- data/Rakefile +1 -14
- data/bundler-leak.gemspec +2 -1
- data/code-of-conduct.md +77 -0
- data/{bin → exe}/bundle-leak +0 -0
- data/{bin → exe}/bundler-leak +0 -0
- data/fastruby-logo.png +0 -0
- data/gemspec.yml +3 -0
- data/lib/bundler/plumber/advisory.rb +7 -1
- data/lib/bundler/plumber/cli.rb +1 -1
- data/lib/bundler/plumber/database.rb +1 -1
- data/lib/bundler/plumber/version.rb +1 -1
- data/pull_request_template.md +7 -0
- data/spec/advisory_spec.rb +1 -1
- data/spec/bundle/unpatched_gems/Gemfile +0 -35
- data/spec/bundle/unpatched_gems/Gemfile.lock +60 -0
- data/spec/cli_spec.rb +49 -33
- data/spec/database_spec.rb +2 -7
- data/spec/integration_spec.rb +2 -2
- data/spec/spec_helper.rb +1 -1
- metadata +29 -34
- data/.travis.yml +0 -13
- data/data/ruby-mem-advisory-db/.gitignore +0 -1
- data/data/ruby-mem-advisory-db/.rspec +0 -1
- data/data/ruby-mem-advisory-db/.travis.yml +0 -12
- data/data/ruby-mem-advisory-db/CONTRIBUTING.md +0 -69
- data/data/ruby-mem-advisory-db/CONTRIBUTORS.md +0 -40
- data/data/ruby-mem-advisory-db/Gemfile +0 -9
- data/data/ruby-mem-advisory-db/Gemfile.lock +0 -38
- data/data/ruby-mem-advisory-db/LICENSE.txt +0 -5
- data/data/ruby-mem-advisory-db/README.md +0 -72
- data/data/ruby-mem-advisory-db/Rakefile +0 -26
- data/data/ruby-mem-advisory-db/gems/celluloid/670.yml +0 -13
- data/data/ruby-mem-advisory-db/gems/grape/301.yml +0 -11
- data/data/ruby-mem-advisory-db/gems/oj/229.yml +0 -11
- data/data/ruby-mem-advisory-db/gems/redcarpet/516.yml +0 -14
- data/data/ruby-mem-advisory-db/gems/redis/612.yml +0 -12
- data/data/ruby-mem-advisory-db/gems/sidekiq/2598.yml +0 -11
- data/data/ruby-mem-advisory-db/gems/sidekiq-statistic/73.yml +0 -9
- data/data/ruby-mem-advisory-db/gems/therubyracer/336.yml +0 -13
- data/data/ruby-mem-advisory-db/gems/zipruby/PRE-SA-2012-02.yml +0 -9
- data/data/ruby-mem-advisory-db/scripts/post-advisories.sh +0 -18
- data/data/ruby-mem-advisory-db/spec/advisories_spec.rb +0 -23
- data/data/ruby-mem-advisory-db/spec/advisory_example.rb +0 -209
- data/data/ruby-mem-advisory-db/spec/gem_example.rb +0 -37
- data/data/ruby-mem-advisory-db/spec/library_example.rb +0 -21
- data/data/ruby-mem-advisory-db/spec/ruby_example.rb +0 -22
- data/data/ruby-mem-advisory-db/spec/spec_helper.rb +0 -1
|
@@ -1,209 +0,0 @@
|
|
|
1
|
-
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
|
|
2
|
-
require 'yaml'
|
|
3
|
-
|
|
4
|
-
shared_examples_for 'Advisory' do |path|
|
|
5
|
-
advisory = YAML.load_file(path)
|
|
6
|
-
|
|
7
|
-
describe path do
|
|
8
|
-
let(:filename) { File.basename(path) }
|
|
9
|
-
|
|
10
|
-
let(:filename_cve) do
|
|
11
|
-
if filename.start_with?('CVE-')
|
|
12
|
-
filename.gsub('CVE-','')
|
|
13
|
-
end
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
let(:filename_osvdb) do
|
|
17
|
-
if filename.start_with?('OSVDB-')
|
|
18
|
-
filename.gsub('OSVDB-','')
|
|
19
|
-
end
|
|
20
|
-
end
|
|
21
|
-
|
|
22
|
-
it "should be correctly named CVE-XXX or OSVDB-XXX" do
|
|
23
|
-
expect(filename).
|
|
24
|
-
to match(/^(CVE-\d{4}-(0\d{3}|[1-9]\d{3,})|OSVDB-\d+)\.yml$/)
|
|
25
|
-
end
|
|
26
|
-
|
|
27
|
-
it "should have CVE or OSVDB" do
|
|
28
|
-
expect(advisory['cve'] || advisory['osvdb']).not_to be_nil
|
|
29
|
-
end
|
|
30
|
-
|
|
31
|
-
describe "framework" do
|
|
32
|
-
subject { advisory['framework'] }
|
|
33
|
-
|
|
34
|
-
it "may be nil or a String" do
|
|
35
|
-
expect(subject).to be_kind_of(String).or(be_nil)
|
|
36
|
-
end
|
|
37
|
-
end
|
|
38
|
-
|
|
39
|
-
describe "platform" do
|
|
40
|
-
subject { advisory['platform'] }
|
|
41
|
-
|
|
42
|
-
it "may be nil or a String" do
|
|
43
|
-
expect(subject).to be_kind_of(String).or(be_nil)
|
|
44
|
-
end
|
|
45
|
-
end
|
|
46
|
-
|
|
47
|
-
describe "cve" do
|
|
48
|
-
subject { advisory['cve'] }
|
|
49
|
-
|
|
50
|
-
it "may be nil or a String" do
|
|
51
|
-
expect(subject).to be_kind_of(String).or(be_nil)
|
|
52
|
-
end
|
|
53
|
-
it "should be id in filename if filename is CVE-XXX" do
|
|
54
|
-
if filename_cve
|
|
55
|
-
is_expected.to eq(filename_cve.chomp('.yml'))
|
|
56
|
-
end
|
|
57
|
-
end
|
|
58
|
-
end
|
|
59
|
-
|
|
60
|
-
describe "osvdb" do
|
|
61
|
-
subject { advisory['osvdb'] }
|
|
62
|
-
|
|
63
|
-
it "may be nil or a Integer" do
|
|
64
|
-
expect(subject).to be_kind_of(Integer).or(be_nil)
|
|
65
|
-
end
|
|
66
|
-
|
|
67
|
-
it "should be id in filename if filename is OSVDB-XXX" do
|
|
68
|
-
if filename_osvdb
|
|
69
|
-
is_expected.to eq(filename_osvdb.to_i)
|
|
70
|
-
end
|
|
71
|
-
end
|
|
72
|
-
end
|
|
73
|
-
|
|
74
|
-
describe "url" do
|
|
75
|
-
subject { advisory['url'] }
|
|
76
|
-
|
|
77
|
-
it { is_expected.to be_kind_of(String) }
|
|
78
|
-
it { is_expected.not_to be_empty }
|
|
79
|
-
end
|
|
80
|
-
|
|
81
|
-
describe "title" do
|
|
82
|
-
subject { advisory['title'] }
|
|
83
|
-
|
|
84
|
-
it { is_expected.to be_kind_of(String) }
|
|
85
|
-
it { is_expected.not_to be_empty }
|
|
86
|
-
end
|
|
87
|
-
|
|
88
|
-
describe "date" do
|
|
89
|
-
subject { advisory['date'] }
|
|
90
|
-
|
|
91
|
-
it { is_expected.to be_kind_of(Date) }
|
|
92
|
-
end
|
|
93
|
-
|
|
94
|
-
describe "description" do
|
|
95
|
-
subject { advisory['description'] }
|
|
96
|
-
|
|
97
|
-
it { is_expected.to be_kind_of(String) }
|
|
98
|
-
it { is_expected.not_to be_empty }
|
|
99
|
-
end
|
|
100
|
-
|
|
101
|
-
describe "cvss_v2" do
|
|
102
|
-
subject { advisory['cvss_v2'] }
|
|
103
|
-
|
|
104
|
-
it "may be nil or a Float" do
|
|
105
|
-
expect(subject).to be_kind_of(Float).or(be_nil)
|
|
106
|
-
end
|
|
107
|
-
|
|
108
|
-
case advisory['cvss_v2']
|
|
109
|
-
when Float
|
|
110
|
-
context "when a Float" do
|
|
111
|
-
it { expect((0.0)..(10.0)).to include(subject) }
|
|
112
|
-
end
|
|
113
|
-
end
|
|
114
|
-
end
|
|
115
|
-
|
|
116
|
-
describe "cvss_v3" do
|
|
117
|
-
subject { advisory['cvss_v3'] }
|
|
118
|
-
|
|
119
|
-
it "may be nil or a Float" do
|
|
120
|
-
expect(subject).to be_kind_of(Float).or(be_nil)
|
|
121
|
-
end
|
|
122
|
-
|
|
123
|
-
case advisory['cvss_v3']
|
|
124
|
-
when Float
|
|
125
|
-
context "when a Float" do
|
|
126
|
-
it { expect((0.0)..(10.0)).to include(subject) }
|
|
127
|
-
end
|
|
128
|
-
end
|
|
129
|
-
|
|
130
|
-
if advisory['cvss_v2']
|
|
131
|
-
it "should also provide a cvss_v2 score" do
|
|
132
|
-
expect(advisory['cvss_v2']).to_not be_nil
|
|
133
|
-
end
|
|
134
|
-
end
|
|
135
|
-
end
|
|
136
|
-
|
|
137
|
-
describe "patched_versions" do
|
|
138
|
-
subject { advisory['patched_versions'] }
|
|
139
|
-
|
|
140
|
-
it "may be nil or an Array" do
|
|
141
|
-
expect(subject).to be_kind_of(Array).or(be_nil)
|
|
142
|
-
end
|
|
143
|
-
|
|
144
|
-
describe "each patched version" do
|
|
145
|
-
if advisory['patched_versions']
|
|
146
|
-
advisory['patched_versions'].each do |version|
|
|
147
|
-
describe version do
|
|
148
|
-
subject { version.split(', ') }
|
|
149
|
-
|
|
150
|
-
it "should contain valid RubyGem version requirements" do
|
|
151
|
-
expect {
|
|
152
|
-
Gem::Requirement.new(*subject)
|
|
153
|
-
}.not_to raise_error
|
|
154
|
-
end
|
|
155
|
-
end
|
|
156
|
-
end
|
|
157
|
-
end
|
|
158
|
-
end
|
|
159
|
-
end
|
|
160
|
-
|
|
161
|
-
describe "unaffected_versions" do
|
|
162
|
-
subject { advisory['unaffected_versions'] }
|
|
163
|
-
|
|
164
|
-
it "may be nil or an Array" do
|
|
165
|
-
expect(subject).to be_kind_of(Array).or(be_nil)
|
|
166
|
-
end
|
|
167
|
-
|
|
168
|
-
case advisory['unaffected_versions']
|
|
169
|
-
when Array
|
|
170
|
-
advisory['unaffected_versions'].each do |version|
|
|
171
|
-
describe version do
|
|
172
|
-
subject { version.split(', ') }
|
|
173
|
-
|
|
174
|
-
it "should contain valid RubyGem version requirements" do
|
|
175
|
-
expect {
|
|
176
|
-
Gem::Requirement.new(*subject)
|
|
177
|
-
}.not_to raise_error
|
|
178
|
-
end
|
|
179
|
-
end
|
|
180
|
-
end
|
|
181
|
-
end
|
|
182
|
-
end
|
|
183
|
-
|
|
184
|
-
describe "related" do
|
|
185
|
-
subject { advisory['related'] }
|
|
186
|
-
|
|
187
|
-
it "may be nil or a Hash" do
|
|
188
|
-
expect(subject).to be_kind_of(Hash).or(be_nil)
|
|
189
|
-
end
|
|
190
|
-
|
|
191
|
-
case advisory["related"]
|
|
192
|
-
when Hash
|
|
193
|
-
advisory["related"].each_pair do |name, values|
|
|
194
|
-
describe name do
|
|
195
|
-
it "should be either a cve, an osvdb or a url" do
|
|
196
|
-
expect(["cve", "osvdb", "url"]).to include(name)
|
|
197
|
-
end
|
|
198
|
-
|
|
199
|
-
it "should always contain an array" do
|
|
200
|
-
expect(values).to be_kind_of(Array)
|
|
201
|
-
end
|
|
202
|
-
end
|
|
203
|
-
end
|
|
204
|
-
end
|
|
205
|
-
end
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
end
|
|
209
|
-
end
|
|
@@ -1,37 +0,0 @@
|
|
|
1
|
-
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
|
|
2
|
-
require 'advisory_example'
|
|
3
|
-
|
|
4
|
-
shared_examples_for "Gem Advisory" do |path|
|
|
5
|
-
include_examples 'Advisory', path
|
|
6
|
-
|
|
7
|
-
advisory = YAML.load_file(path)
|
|
8
|
-
|
|
9
|
-
describe path do
|
|
10
|
-
let(:gem) { File.basename(File.dirname(path)) }
|
|
11
|
-
|
|
12
|
-
describe "gem" do
|
|
13
|
-
subject { advisory['gem'] }
|
|
14
|
-
|
|
15
|
-
it { is_expected.to be_kind_of(String) }
|
|
16
|
-
it "should be equal to filename (case-insensitive)" do
|
|
17
|
-
expect(subject.downcase).to eq(gem.downcase)
|
|
18
|
-
end
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
describe "versions" do
|
|
22
|
-
it "assumes that future versions will be patched" do
|
|
23
|
-
unaffected_versions = advisory['unaffected_versions'] || []
|
|
24
|
-
patched_versions = advisory['patched_versions'] || []
|
|
25
|
-
|
|
26
|
-
versions = (unaffected_versions + patched_versions).sort_by do |v|
|
|
27
|
-
Gem::Version.new(v.match(/[0-9.]+\.\d+/)[0])
|
|
28
|
-
end
|
|
29
|
-
|
|
30
|
-
# If a gem is unpatched this test makes no sense
|
|
31
|
-
unless patched_versions.none?
|
|
32
|
-
expect(versions.last.match(/^>=|^>/)).to be_truthy
|
|
33
|
-
end
|
|
34
|
-
end
|
|
35
|
-
end
|
|
36
|
-
end
|
|
37
|
-
end
|
|
@@ -1,21 +0,0 @@
|
|
|
1
|
-
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
|
|
2
|
-
require 'advisory_example'
|
|
3
|
-
|
|
4
|
-
shared_examples_for "Libraries Advisory" do |path|
|
|
5
|
-
include_examples 'Advisory', path
|
|
6
|
-
|
|
7
|
-
advisory = YAML.load_file(path)
|
|
8
|
-
|
|
9
|
-
describe path do
|
|
10
|
-
let(:library) { File.basename(File.dirname(path)) }
|
|
11
|
-
|
|
12
|
-
describe "library" do
|
|
13
|
-
subject { advisory['library'] }
|
|
14
|
-
|
|
15
|
-
it { is_expected.to be_kind_of(String) }
|
|
16
|
-
it "should be equal to filename (case-insensitive)" do
|
|
17
|
-
expect(subject.downcase).to eq(library.downcase)
|
|
18
|
-
end
|
|
19
|
-
end
|
|
20
|
-
end
|
|
21
|
-
end
|
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
load File.join(File.dirname(__FILE__), 'spec_helper.rb')
|
|
2
|
-
require 'advisory_example'
|
|
3
|
-
|
|
4
|
-
shared_examples_for "Rubies Advisory" do |path|
|
|
5
|
-
include_examples 'Advisory', path
|
|
6
|
-
|
|
7
|
-
advisory = YAML.load_file(path)
|
|
8
|
-
|
|
9
|
-
describe path do
|
|
10
|
-
let(:engine) { File.basename(File.dirname(path)) }
|
|
11
|
-
|
|
12
|
-
describe "engine" do
|
|
13
|
-
subject { advisory['engine'] }
|
|
14
|
-
|
|
15
|
-
it { is_expected.to be_kind_of(String) }
|
|
16
|
-
it "should be equal to filename (case-insensitive)" do
|
|
17
|
-
expect(subject.downcase).to eq(engine.downcase)
|
|
18
|
-
end
|
|
19
|
-
end
|
|
20
|
-
end
|
|
21
|
-
end
|
|
22
|
-
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
require 'rspec'
|