bundler-organization_audit 0.1.2 → 0.1.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1bbae92ba27efe58d7dcd0815e927cee9ee819af
+  data.tar.gz: 4d282857fa1e954191097cfe40643052c6353747
+SHA512:
+  metadata.gz: 704c1cf251aa4dc836d8b1983a11c2ef11594d265fd396c661a8907511ec6af31ce732c542b2b8f8f06f9300875314743305a6791406f9a71761dccdc120f012
+  data.tar.gz: acd41b3091c673fae50ef1afb120021da6b33d20a3c2bab3df207df88a9e34e31346b74fe824256de175afc48f7a6d6d5b0afc9c0320c51f3d0b1910ba04594f

data/lib/bundler/organization_audit/repo.rb

@@ -13,7 +13,11 @@ module Bundler
       end
 
       def gem?
-        !!content("#{project}.gemspec")
+        !!gemspec_content
+      end
+
+      def gemspec_content
+        content("#{project}.gemspec")
       end
 
       def url
@@ -43,10 +47,13 @@ module Bundler
       end
 
       def content(file)
-        if private?
-          download_content_via_api(file)
-        else
-          download_content_via_raw(file)
+        @content ||= {}
+        @content[file] ||= begin
+          if private?
+            download_content_via_api(file)
+          else
+            download_content_via_raw(file)
+          end
         end
       rescue OpenURI::HTTPError => e
         raise "Error downloading #{file} from #{url} (#{e})" unless e.message.start_with?("404")

data/lib/bundler/organization_audit/version.rb

@@ -1,5 +1,5 @@
 module Bundler
   module OrganizationAudit
-    VERSION = "0.1.2"
+    VERSION = "0.1.3"
   end
 end

metadata

@@ -1,57 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: bundler-organization_audit
 version: !ruby/object:Gem::Version
-  version: 0.1.2
-  prerelease: 
+  version: 0.1.3
 platform: ruby
 authors:
 - Michael Grosser
 autorequire: 
 bindir: bin
-cert_chain:
-- !binary |-
-  LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURNakNDQWhxZ0F3SUJB
-  Z0lCQURBTkJna3Foa2lHOXcwQkFRVUZBREEvTVJBd0RnWURWUVFEREFkdGFX
-  Tm8KWVdWc01SY3dGUVlLQ1pJbWlaUHlMR1FCR1JZSFozSnZjM05sY2pFU01C
-  QUdDZ21TSm9tVDhpeGtBUmtXQW1sMApNQjRYRFRFek1ESXdNekU0TVRNeE1W
-  b1hEVEUwTURJd016RTRNVE14TVZvd1B6RVFNQTRHQTFVRUF3d0hiV2xqCmFH
-  RmxiREVYTUJVR0NnbVNKb21UOGl4a0FSa1dCMmR5YjNOelpYSXhFakFRQmdv
-  SmtpYUprL0lzWkFFWkZnSnAKZERDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFB
-  RGdnRVBBRENDQVFvQ2dnRUJBTW9yWG8vaGdiVXE5NytrSUk5SApNc1FjTGRD
-  Lzd3UTFaUDJPc2hWSFBrZVAwcUg4TUJIR2c2ZVlpc09YMnViTmFnRjlZVENa
-  V25ocmRLcndwTE9PCmNQTGFaYmpVamxqSjNjUVIzQjhZbjF2ZVY1SWhHODZR
-  c2VUQmp5bXpKV3NMcHFKMVVaR3BmQjl0WGNzRnR1eE8KNnZIdmNJSGR6dmMv
-  T1VrSUN0dExiSCsxcWI2cnNIVWNlcWgrSnJINEdyc0o1SDRoQWZJZHlTMlhN
-  SzdZUktiaApoK0lCdTZkRldKSkJ5ekZzWW1WMVBEWGxuM1VCbWdBdDY1Y21D
-  dTRxUGZUaGlvQ0dEemJTSnJHREdMbXcvcEZYCkZQcFZDbTF6Z1lTYjF2NlFu
-  ZjNjZ1hhMmYyd1lHbTE3K3pBVnlJRHB3cnlGcnU5eUYvakp4RTM4ei9EUnNk
-  OVIKLzg4Q0F3RUFBYU01TURjd0NRWURWUjBUQkFJd0FEQWRCZ05WSFE0RUZn
-  UVVzaU5uWEh0S2VNWVljcjR5SlZtUQpXT05MK0l3d0N3WURWUjBQQkFRREFn
-  U3dNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUFseU43a0tvL05RQ1EwCkFP
-  elpMWjNXQWVQdlN0a0NGSUo1M3RzdjVLeW80cE1BbGx2K0JnUHp6QnQ3cWk2
-  MDVtRlNMNnpCZDl1TG91K1cKQ28zczQ4cDFkeTdDampBZlZRZG1WTkhGM013
-  WHRmQzJPRXl2U1FQaTR4S1I4aWJhOHdhM3hwOUxWbzFQdUxwdwovNkRzckNo
-  V3c3NEhmc0pONnFKT0s2ODRoSmVUOGxCWUFVZmlDM3dEMG93b1BTZytYdHlB
-  QWRkaXNSK0tWNVkxCk5tVkh1THRRY05UWnkrZ1JodDNhaEpSTXVDNlF5TG1r
-  VHNmKzZNYWVud0FNa0FnSGRzd0dzSnp0T25ObkJhM0YKeTBrQ1NXbUs2RCt4
-  L1NiZlM2cjdLZTA3TVJxemlKZEI5R3VFMSswY0lSdUZoOEVRK0xONkhYQ0tN
-  NXBvbi9HVQp5Y3dNWGZsMAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-date: 2013-03-22 00:00:00.000000000 Z
+cert_chain: []
+date: 2013-08-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 description: Audit all Gemfiles of a user/organization on github for unpatched versions
@@ -61,51 +31,32 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .travis.yml
-- Gemfile
-- Gemfile.lock
-- Rakefile
-- Readme.md
 - bin/bundle-organization-audit
-- bundler-organization_audit.gemspec
-- gem-public_cert.pem
 - lib/bundler/organization_audit.rb
 - lib/bundler/organization_audit/repo.rb
 - lib/bundler/organization_audit/version.rb
-- spec/bundler/organization_audit/repo_spec.rb
-- spec/bundler/organization_audit_spec.rb
-- spec/private.example.yml
-- spec/spec_helper.rb
 homepage: http://github.com/grosser/bundler-organization_audit
 licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: -3883081273091798118
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: -3883081273091798118
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.25
+rubygems_version: 2.0.6
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Audit all Gemfiles of a user/organization on github for unpatched versions
 test_files: []

data.tar.gz.sig

@@ -1 +0,0 @@
-����Q����Kc֚��	�a}�⳪40������RD���dr]�8��W�(���@tByap����'�W?����1�Dm[2������n^=����+���I����+���.r'����N�d}�j�f�L�OզA^������$��:���<�W��FHc7l[������c��Su��{F�Hq,J7I)��_�%�(�LNy���`�T���F�����l3x��t��ϓ.@�8�oov��]4�"�aWI$��

data/.gitignore

@@ -1 +0,0 @@
-spec/private.yml

data/.travis.yml

@@ -1,4 +0,0 @@
-rvm:
-  - ree
-  - 1.9.2
-  - 1.9.3

data/Gemfile

@@ -1,7 +0,0 @@
-source "https://rubygems.org"
-gemspec
-
-gem "bump"
-gem "rake"
-gem "rspec", "~>2"
-gem "bundler-audit", :github => "grosser/bundler-audit", :branch => "ignore-version", :submodules => true

data/Gemfile.lock

@@ -1,40 +0,0 @@
-GIT
-  remote: git://github.com/grosser/bundler-audit.git
-  revision: a2d65124650460f525f62c7302629fee4d697413
-  branch: ignore-version
-  submodules: true
-  specs:
-    bundler-audit (0.1.3)
-      bundler (~> 1.2)
-
-PATH
-  remote: .
-  specs:
-    bundler-organization_audit (0.1.2)
-      json
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    bump (0.3.9)
-    diff-lcs (1.1.3)
-    json (1.7.7)
-    rake (10.0.3)
-    rspec (2.12.0)
-      rspec-core (~> 2.12.0)
-      rspec-expectations (~> 2.12.0)
-      rspec-mocks (~> 2.12.0)
-    rspec-core (2.12.2)
-    rspec-expectations (2.12.1)
-      diff-lcs (~> 1.1.3)
-    rspec-mocks (2.12.2)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  bump
-  bundler-audit!
-  bundler-organization_audit!
-  rake
-  rspec (~> 2)

data/Rakefile

@@ -1,6 +0,0 @@
-require "bundler/gem_tasks"
-require "bump/tasks"
-
-task :default do
-  sh "rspec spec/"
-end

data/Readme.md

@@ -1,92 +0,0 @@
-Audit all Gemfiles of a user/organization on Github for unpatched versions
-
-    # simple
-    gem install bundler-organization_audit
-
-    # if you want --ignore-cve
-    git clone git://github.com/grosser/bundler-organization_audit.git
-    cd bundler-organization_audit
-    bundle update bundler-audit # get new advisories
-    bundle exec ./bin/bundle-organization-audit ... options ...
-
-Usage
-=====
-
-### Public repos
-For yourself (git config github.user)
-```Bash
-bundle-organization-audit
-parallel
-No Gemfile.lock found
-
-parllel_tests
-bundle-audit
-No unpatched versions found
-
-rails_example_app
-bundle-audit
-Name: rack
-Version: 1.4.4
-CVE: 2013-0263
-Criticality: High
-URL: http://osvdb.org/show/osvdb/89939
-Title: Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
-Patched Versions: ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2
-
-Vulnerable:
-https://github.com/grosser/rails_example_app -- Peter Last Committer <peter@last-commit-email.com>
-```
-
-For someone else
-```Bash
-bundle-organization-audit --user grosser
-```
-
-Ignore gems (ignores repos that have a %{repo}.gemspec)
-```Bash
-bundle-organization-audit --ignore-gems
-```
-
-Silent:  only show vulnerable repos
-```
-bundle-organization-audit 2>/dev/null
-```
-
-CI: ignore old/unmaintained proejcts, unfixable/unimportant cves and gems
-```
-bundle-organization-audit \
-  --ignore https://github.com/xxx/a \
-  --ignore https://github.com/xxx/b \
-  --ignore-cve 2013-0269@1.5.3 \
-  --ignore-cve '2013-0123@~>3.2.10' \
-  --ignore-cve 2013-0234 \
-  --ignore-gems \
-  --organization xxx \
-  --token yyy
-```
-
-### Private repos
-
-```Bash
-# create a token that has access to your repositories
-curl -v -u your-user-name -X POST https://api.github.com/authorizations --data '{"scopes":["repo"]}'
-enter your password -> TOKEN
-
-bundle-organization-audit --user your-user --token TOKEN --organization your-organization
-```
-
-Related
-=======
- - [holepicker](https://github.com/jsuder/holepicker) does the same check for local projects and running servers
- - [bundler-audit](https://github.com/postmodern/bundler-audit) check a single local project for vulerabilities
-
-Development
-===========
- - test private repo fetching via `cp spec/private{.example,}.yml` and filling it out
-
-Author
-======
-[Michael Grosser](http://grosser.it)<br/>
-michael@grosser.it<br/>
-License: MIT<br/>
-[![Build Status](https://travis-ci.org/grosser/bundler-organization_audit.png)](https://travis-ci.org/grosser/bundler-organization_audit)

data/bundler-organization_audit.gemspec

@@ -1,21 +0,0 @@
-$LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
-name = "bundler-organization_audit"
-require "#{name.gsub("-","/")}/version"
-
-Gem::Specification.new name, Bundler::OrganizationAudit::VERSION do |s|
-  s.summary = s.description = "Audit all Gemfiles of a user/organization on github for unpatched versions"
-  s.authors = ["Michael Grosser"]
-  s.email = "michael@grosser.it"
-  s.homepage = "http://github.com/grosser/#{name}"
-  s.files = `git ls-files`.split("\n")
-  s.license = "MIT"
-  key = File.expand_path("~/.ssh/gem-private_key.pem")
-  if File.exist?(key)
-    s.signing_key = key
-    s.cert_chain = ["gem-public_cert.pem"]
-  else
-    puts "No signature"
-  end
-  s.executables = ["bundle-organization-audit"]
-  s.add_runtime_dependency "json"
-end

data/gem-public_cert.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDMjCCAhqgAwIBAgIBADANBgkqhkiG9w0BAQUFADA/MRAwDgYDVQQDDAdtaWNo
-YWVsMRcwFQYKCZImiZPyLGQBGRYHZ3Jvc3NlcjESMBAGCgmSJomT8ixkARkWAml0
-MB4XDTEzMDIwMzE4MTMxMVoXDTE0MDIwMzE4MTMxMVowPzEQMA4GA1UEAwwHbWlj
-aGFlbDEXMBUGCgmSJomT8ixkARkWB2dyb3NzZXIxEjAQBgoJkiaJk/IsZAEZFgJp
-dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMorXo/hgbUq97+kII9H
-MsQcLdC/7wQ1ZP2OshVHPkeP0qH8MBHGg6eYisOX2ubNagF9YTCZWnhrdKrwpLOO
-cPLaZbjUjljJ3cQR3B8Yn1veV5IhG86QseTBjymzJWsLpqJ1UZGpfB9tXcsFtuxO
-6vHvcIHdzvc/OUkICttLbH+1qb6rsHUceqh+JrH4GrsJ5H4hAfIdyS2XMK7YRKbh
-h+IBu6dFWJJByzFsYmV1PDXln3UBmgAt65cmCu4qPfThioCGDzbSJrGDGLmw/pFX
-FPpVCm1zgYSb1v6Qnf3cgXa2f2wYGm17+zAVyIDpwryFru9yF/jJxE38z/DRsd9R
-/88CAwEAAaM5MDcwCQYDVR0TBAIwADAdBgNVHQ4EFgQUsiNnXHtKeMYYcr4yJVmQ
-WONL+IwwCwYDVR0PBAQDAgSwMA0GCSqGSIb3DQEBBQUAA4IBAQAlyN7kKo/NQCQ0
-AOzZLZ3WAePvStkCFIJ53tsv5Kyo4pMAllv+BgPzzBt7qi605mFSL6zBd9uLou+W
-Co3s48p1dy7CjjAfVQdmVNHF3MwXtfC2OEyvSQPi4xKR8iba8wa3xp9LVo1PuLpw
-/6DsrChWw74HfsJN6qJOK684hJeT8lBYAUfiC3wD0owoPSg+XtyAAddisR+KV5Y1
-NmVHuLtQcNTZy+gRht3ahJRMuC6QyLmkTsf+6MaenwAMkAgHdswGsJztOnNnBa3F
-y0kCSWmK6D+x/SbfS6r7Ke07MRqziJdB9GuE1+0cIRuFh8EQ+LN6HXCKM5pon/GU
-ycwMXfl0
------END CERTIFICATE-----

data/spec/bundler/organization_audit/repo_spec.rb

@@ -1,64 +0,0 @@
-require "spec_helper"
-
-describe Bundler::OrganizationAudit::Repo do
-  let(:config){ YAML.load_file("spec/private.yml") }
-  let(:repo) do
-    Bundler::OrganizationAudit::Repo.new(
-      "url" => "https://api.github.com/repos/grosser/parallel"
-    )
-  end
-
-  describe ".all" do
-    it "returns the list of public repositories" do
-      # use a big account -> make sure pagination works
-      list = Bundler::OrganizationAudit::Repo.all(:user => "grosser")
-      list.map(&:url).should include("https://github.com/grosser/parallel")
-    end
-
-    if File.exist?("spec/private.yml")
-      it "returns the list of private repositories from a user" do
-        list = Bundler::OrganizationAudit::Repo.all(:token => config["token"])
-        list.map(&:url).should include("https://github.com/#{config["user"]}/#{config["expected_user"]}")
-      end
-
-      it "returns the list of private repositories from a organization" do
-        list = Bundler::OrganizationAudit::Repo.all(:token => config["token"], :organization => config["organization"])
-        list.map(&:url).should include("https://github.com/#{config["organization"]}/#{config["expected_organization"]}")
-      end
-    end
-  end
-
-  describe "#last_commiter" do
-    it "returns nice info" do
-      repo.last_commiter.should == "grosser <grosser.michael@gmail.com>"
-    end
-  end
-
-  describe "#content" do
-    it "can download a public file" do
-      repo.content("Gemfile.lock").should include('rspec (2')
-    end
-
-    if File.exist?("spec/private.yml")
-      it "can download a private file" do
-        url = "https://api.github.com/repos/#{config["organization"]}/#{config["expected_organization"]}"
-        repo = Bundler::OrganizationAudit::Repo.new(
-          {"url" => url, "private" => true}, config["token"]
-        )
-        content = repo.content("Gemfile.lock")
-        content.should include('i18n (0.')
-      end
-    end
-  end
-
-  describe "#gem?" do
-    it "is a gem if it has a gemspec" do
-      repo.should be_gem
-    end
-
-    it "is not a gem if it has no gemspec" do
-      Bundler::OrganizationAudit::Repo.new("url" => "https://api.github.com/repos/grosser/dotfiles").should_not be_gem
-    end
-  end
-end
-

data/spec/bundler/organization_audit_spec.rb

@@ -1,117 +0,0 @@
-require "spec_helper"
-
-describe Bundler::OrganizationAudit do
-  it "has a VERSION" do
-    Bundler::OrganizationAudit::VERSION.should =~ /^[\.\da-z]+$/
-  end
-
-  describe Bundler::OrganizationAudit do
-    let(:repo) do
-      Bundler::OrganizationAudit::Repo.new(
-        "url" => "https://api.github.com/repos/grosser/parallel"
-      )
-    end
-
-    describe ".audit_repo" do
-      it "audits public repos" do
-        out = record_out do
-          Bundler::OrganizationAudit.send(:audit_repo, repo, {})
-        end
-        out.strip.should == "parallel\nbundle-audit\nNo unpatched versions found"
-      end
-
-      it "does not audit ignored repos" do
-        out = record_out do
-          Bundler::OrganizationAudit.send(:audit_repo, repo, :ignore_gems => true)
-        end
-        out.strip.should == "parallel\nIgnored because it's a gem"
-      end
-    end
-
-    describe ".run" do
-      before do
-        Bundler::OrganizationAudit.stub(:puts)
-      end
-
-      it "is successful when failed are empty" do
-        Bundler::OrganizationAudit.should_receive(:find_vulnerable).and_return([])
-        record_out do
-          Bundler::OrganizationAudit.run({}).should == 0
-        end
-      end
-
-      it "fails with failed" do
-        Bundler::OrganizationAudit.should_receive(:find_vulnerable).and_return([repo])
-        record_out do
-          Bundler::OrganizationAudit.run({}).should == 1
-        end
-      end
-    end
-  end
-
-  context "CLI" do
-    it "can audit a user" do
-      result = audit("--user anamartinez")
-      result.should include "I18N-tools\nNo Gemfile.lock found" # did not use audit when not necessary
-      result.should include "js-cldr-timezones\nbundle-audit\nNo unpatched versions found" # used audit where necessary
-    end
-
-    it "can audit a unpatched user" do
-      result = audit("--user user-with-unpatched-apps", :fail => true)
-      result.should include "unpatched\nbundle-audit\nName: json\nVersion: 1.5.3" # Individual vulnerabilities
-      result.should include "Vulnerable:\nhttps://github.com/user-with-unpatched-apps/unpatched" # Summary
-    end
-
-    it "only shows failed projects on stdout" do
-      result = audit("--user user-with-unpatched-apps 2>/dev/null", :fail => true, :keep_output => true)
-      result.should == "https://github.com/user-with-unpatched-apps/unpatched -- grosser <grosser.michael@gmail.com>\n"
-    end
-
-    it "ignores projects in --ignore" do
-      result = audit("--user user-with-unpatched-apps --ignore https://github.com/user-with-unpatched-apps/unpatched 2>/dev/null", :keep_output => true)
-      result.should == ""
-    end
-
-    it "ignores CVEs via --ignore-cve" do
-      result = audit("--user user-with-unpatched-apps --ignore-cve 2013-0269 2>/dev/null", :keep_output => true)
-      result.should == ""
-    end
-
-    it "shows --version" do
-      audit("--version").should include(Bundler::OrganizationAudit::VERSION)
-    end
-
-    it "shows --help" do
-      audit("--help").should include("Audit all Gemfiles")
-    end
-
-    def audit(command, options={})
-      sh("bin/bundle-organization-audit #{command}", options)
-    end
-
-    def sh(command, options={})
-      result = `#{command} #{"2>&1" unless options[:keep_output]}`
-      raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]
-      decolorize(result)
-    end
-  end
-
-  def decolorize(string)
-    string.gsub(/\e\[\d+m/, "")
-  end
-
-  def record_out
-    recorder = StringIO.new
-    $stdout, out = recorder, $stdout
-    $stderr, err = recorder, $stderr
-    yield
-    decolorize(recorder.string)
-  ensure
-    $stdout = out
-    $stderr = err
-  end
-
-  def in_temp_dir(&block)
-    Dir.mktmpdir { |dir| Dir.chdir(dir, &block) }
-  end
-end

data/spec/private.example.yml

@@ -1,7 +0,0 @@
-token: your-token-see-readme
-
-user: your-user
-expected_user: your-private-repo
-
-organization: org
-expected_organization: org-private-repo

data/spec/spec_helper.rb

@@ -1,2 +0,0 @@
-require "bundler/organization_audit"
-require "yaml"