mrjoy-bundler-audit 0.1.4 → 0.2.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: f3158abba4c10eb30410fb2a42be018476dbe210
4
- data.tar.gz: 256bb1a01ddca3973064d3e0f4a1c2091f8daab3
3
+ metadata.gz: 86bf3607b18010fe5a5a8eea50c278a4972fa133
4
+ data.tar.gz: bc8390e22500c5f02f45d19f0cfa541d3f1a86bc
5
5
  SHA512:
6
- metadata.gz: 643fa34a290d6a86bad7beb7586c64b389658d1acbd875b0b64448071ebe957e5b3c652caa437a049215c96d83fdd59195086079332087776eead2a3053f72a0
7
- data.tar.gz: 507160bdf0d38683b685802b09e336992d2776dcce1f869fda77e2ed8e5124131a72b1df21e3fac1aa337ad78ea29cec0a741ff6ec021124d664b554c7eab729
6
+ metadata.gz: abaf90aff0656335877ef86c57058dfbeef7edfc35f2a961531673d2e096f82e3072eba07de2a32bd48e8eb8c1c45d90cb80ce26824e9c787f6df54fcc85d768
7
+ data.tar.gz: 2a44ca737667dbbbf86435c1a84999ac36f6ad8c45d5c3cdd958d6cba889e678f3fe63aed0bf54d699eb88b8ba0686455497cf0923dc401e5da3fc186ecddb3c
data/.document CHANGED
@@ -1,3 +1,3 @@
1
- -
1
+ -
2
2
  ChangeLog.md
3
3
  COPYING.txt
data/ChangeLog.md CHANGED
@@ -1,4 +1,21 @@
1
- ### 0.1.4 / 2013-08-15
1
+ ### mrjoy-0.2.1 / 2013-09-13
2
+
3
+ * Integrate upstream changes from 0.2.0, with local changes from 0.1.4.
4
+ * Make specs automatically refresh `.gitignore`'d `Gemfile.lock` in spec
5
+ scenarios when the Gemfile has changed in a way that `bundle install` isn't
6
+ happy about (e.g. version bump on a gem previously listed in the `Gemfile`.)
7
+
8
+ ### 0.2.0 / 2013-03-05
9
+
10
+ * Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
11
+ parse approximate version requirements (`~> 1.2.3`).
12
+ * Updated the [ruby-advisory-db].
13
+ * Added {Bundle::Audit::Advisory#unaffected_versions}.
14
+ * Added {Bundle::Audit::Advisory#unaffected?}.
15
+ * Added {Bundle::Audit::Advisory#patched?}.
16
+ * Renamed `Advisory#cve` to {Bundle::Audit::Advisory#id}.
17
+
18
+ ### mrjoy-0.1.4 / 2013-08-15
2
19
 
3
20
  * RVM compartmentalization for the project (only relevant to people hacking on
4
21
  it).
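Review bot: the YARD references in the new 0.2.0 entry use `{Bundle::Audit::Advisory#unaffected_versions}` (and `#unaffected?`, `#patched?`, `#id`), but the code's namespace is `Bundler::Audit` (see the `module Bundler` / `module Audit` context in the advisory.rb hunks), so these links will not resolve; change them to `{Bundler::Audit::Advisory#…}`. The rename of `Advisory#cve` to `#id` also changes what `-i` accepts (the CLI spec moves from `-i CVE-2013-0156` to `-i OSVDB-89026`), which is a breaking change for existing ignore lists and deserves its own line in this changelog.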
@@ -12,7 +29,7 @@
12
29
  * Add ability for individual spec files to be called individually.
13
30
  * Rename gem so this can be installed via Rubygems.
14
31
 
15
- ### 0.1.3 / 2013-03-05
32
+ ### mrjoy-0.1.3 / 2013-03-05
16
33
 
17
34
  * Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
18
35
  parse approximate version requirements (`~> 1.2.3`).
data/README.md CHANGED
@@ -2,6 +2,7 @@
2
2
 
3
3
  * [Homepage](https://github.com/MrJoy/mrjoy-bundler-audit#readme)
4
4
  * [Issues](https://github.com/MrJoy/mrjoy-bundler-audit/issues)
5
+ * [Documentation](http://rubydoc.info/gems/mrjoy-bundler-audit/frames)
5
6
  * [Email](mailto:jfrisby@mrjoy.com)
6
7
  * [![Build Status](https://travis-ci.org/MrJoy/mrjoy-bundler-audit.png)](https://travis-ci.org/MrJoy/mrjoy-bundler-audit)
7
8
  * [![Code Climate](https://codeclimate.com/github/MrJoy/mrjoy-bundler-audit.png)](https://codeclimate.com/github/MrJoy/mrjoy-bundler-audit)
@@ -13,6 +14,8 @@ Patch-level verification for [Bundler][bundler].
13
14
  ## Features
14
15
 
15
16
  * Checks for vulnerable versions of gems in `Gemfile.lock`.
17
+ * Checks for insecure gem sources (`http://`).
18
+ * Allows ignoring certain advisories that have been manually worked around.
16
19
  * Prints advisory information.
17
20
  * Does not require a network connection.
18
21
 
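Review bot: the new "Allows ignoring certain advisories" bullet does not say how. The CLI spec in this change invokes `bundle-audit -i OSVDB-89026`, so a one-line usage example with `-i` belongs here, together with a note that the ignore values are now the OSVDB identifiers printed on the `Advisory:` line rather than `CVE-…` strings.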
@@ -21,47 +24,62 @@ Patch-level verification for [Bundler][bundler].
21
24
  Audit a projects `Gemfile.lock`:
22
25
 
23
26
  $ bundle-audit
24
- Name: rack
25
- Version: 1.4.4
26
- CVE: 2013-0263
27
- Criticality: High
28
- URL: http://osvdb.org/show/osvdb/89939
29
- Title: Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
30
- Patched Versions: ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2
31
-
32
- Name: json
33
- Version: 1.7.6
34
- CVE: 2013-0269
35
- Criticality: High
36
- URL: http://direct.osvdb.org/show/osvdb/90074
37
- Title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
38
- Patched Versions: ~> 1.5.4, ~> 1.6.7, >= 1.7.7
39
-
40
- Name: rails
27
+ Name: actionpack
41
28
  Version: 3.2.10
42
- CVE: 2013-0155
43
- Criticality: High
44
- URL: http://osvdb.org/show/osvdb/89025
45
- Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
46
- Patched Versions: ~> 3.0.19, ~> 3.1.10, >= 3.2.11
47
-
48
- Name: rails
29
+ Advisory: OSVDB-91452
30
+ Criticality: Medium
31
+ URL: http://www.osvdb.org/show/osvdb/91452
32
+ Title: XSS vulnerability in sanitize_css in Action Pack
33
+ Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
34
+
35
+ Name: actionpack
36
+ Version: 3.2.10
37
+ Advisory: OSVDB-91454
38
+ Criticality: Medium
39
+ URL: http://osvdb.org/show/osvdb/91454
40
+ Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
41
+ Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
42
+
43
+ Name: actionpack
49
44
  Version: 3.2.10
50
- CVE: 2013-0156
45
+ Advisory: OSVDB-89026
51
46
  Criticality: High
52
47
  URL: http://osvdb.org/show/osvdb/89026
53
- Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
54
- Remote Code Execution
55
- Patched Versions: ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
56
-
57
- Name: rails
48
+ Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
49
+ Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
50
+
51
+ Name: activerecord
52
+ Version: 3.2.10
53
+ Advisory: OSVDB-91453
54
+ Criticality: High
55
+ URL: http://osvdb.org/show/osvdb/91453
56
+ Title: Symbol DoS vulnerability in Active Record
57
+ Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
58
+
59
+ Name: activerecord
58
60
  Version: 3.2.10
59
- CVE: 2013-0276
61
+ Advisory: OSVDB-90072
60
62
  Criticality: Medium
61
63
  URL: http://direct.osvdb.org/show/osvdb/90072
62
64
  Title: Ruby on Rails Active Record attr_protected Method Bypass
63
- Patched Versions: ~> 2.3.17, ~> 3.1.11, >= 3.2.12
64
-
65
+ Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
66
+
67
+ Name: activerecord
68
+ Version: 3.2.10
69
+ Advisory: OSVDB-89025
70
+ Criticality: High
71
+ URL: http://osvdb.org/show/osvdb/89025
72
+ Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
73
+ Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
74
+
75
+ Name: activesupport
76
+ Version: 3.2.10
77
+ Advisory: OSVDB-91451
78
+ Criticality: High
79
+ URL: http://www.osvdb.org/show/osvdb/91451
80
+ Title: XML Parsing Vulnerability affecting JRuby users
81
+ Solution: upgrade to ~> 3.1.12, >= 3.2.13
82
+
65
83
  Unpatched versions found!
66
84
 
67
85
  ## Requirements
data/Rakefile CHANGED
@@ -23,6 +23,15 @@ require 'rake'
23
23
  require 'rubygems/tasks'
24
24
  Gem::Tasks.new
25
25
 
26
+ desc 'Updates data/ruby-advisory-db'
27
+ task :update do
28
+ chdir 'data/ruby-advisory-db' do
29
+ sh 'git', 'pull', 'origin', 'master'
30
+ end
31
+
32
+ sh 'git', 'commit', 'data/ruby-advisory-db', '-m', 'Updated ruby-advisory-db'
33
+ end
34
+
26
35
  require 'rspec/core/rake_task'
27
36
  RSpec::Core::RakeTask.new
28
37
 
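Review bot: `git commit` exits non-zero when the submodule pointer has not moved, so `rake update` aborts with an error whenever the advisory database is already current; check for a pending change first (for example `git status --porcelain data/ruby-advisory-db`) or rescue that failure with a clear "already up to date" message. The task also commits whatever `origin master` of the advisory repository currently points at; since this data decides which gems get flagged, recording the pulled commit id in the commit message would make a bad update traceable.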
@@ -32,7 +41,15 @@ namespace :spec do
32
41
 
33
42
  %w[secure unpatched_gems insecure_sources].each do |bundle|
34
43
  chdir(File.join(root,bundle)) do
35
- sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
44
+ # rm_f "Gemfile.lock" if(File.exist?("Gemfile.lock"))
45
+ begin
46
+ sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
47
+ rescue
48
+ if(File.exist?("Gemfile.lock"))
49
+ puts "Looks like Gemfile may have been updated. Attempting to update things."
50
+ sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle update'
51
+ end
52
+ end
36
53
  end
37
54
  end
38
55
  end
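Review bot: the commented-out `rm_f "Gemfile.lock"` line should be deleted rather than shipped. The bare `rescue` also hides why `bundle install` failed: any error (network, missing gem) triggers `bundle update`, and when that fails too the user only sees the "Gemfile may have been updated" message. Rescue only when `Gemfile.lock` exists and re-raise otherwise, or print the original exception before retrying.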
@@ -43,5 +60,5 @@ task :test => :spec
43
60
  task :default => :spec
44
61
 
45
62
  require 'yard'
46
- YARD::Rake::YardocTask.new
63
+ YARD::Rake::YardocTask.new
47
64
  task :doc => :yard
@@ -22,7 +22,7 @@ require 'yaml'
22
22
  module Bundler
23
23
  module Audit
24
24
  class Advisory < Struct.new(:path,
25
- :cve,
25
+ :id,
26
26
  :url,
27
27
  :title,
28
28
  :description,
@@ -41,8 +41,8 @@ module Bundler
41
41
  # @api semipublic
42
42
  #
43
43
  def self.load(path)
44
+ id = File.basename(path).chomp('.yml')
44
45
  data = YAML.load_file(path)
45
- cve = data['cve']
46
46
 
47
47
  unless data.kind_of?(Hash)
48
48
  raise("advisory data in #{path.dump} was not a Hash")
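Review bot: `id` is now derived from the filename and the YAML `cve` field is discarded entirely, so the CVE number is no longer available on a loaded advisory (the old `to_s` produced `CVE-#{cve}` from it). Keep `data['cve']` as a separate struct member so callers can still cross-reference CVE ids even though `id` is the OSVDB filename stem. Minor: the `id = File.basename(...)` line runs before the `kind_of?(Hash)` validation; moving it below keeps the load order obvious.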
@@ -56,7 +56,7 @@ module Bundler
56
56
 
57
57
  return new(
58
58
  path,
59
- cve,
59
+ id,
60
60
  data['url'],
61
61
  data['title'],
62
62
  data['description'],
@@ -127,15 +127,7 @@ module Bundler
127
127
  !patched?(version) && !unaffected?(version)
128
128
  end
129
129
 
130
- #
131
- # Converts the advisory to a String.
132
- #
133
- # @return [String]
134
- # The CVE identifier.
135
- #
136
- def to_s
137
- "CVE-#{cve}"
138
- end
130
+ alias to_s id
139
131
 
140
132
  end
141
133
  end
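Review bot: the documentation block for `to_s` is dropped along with the method body, leaving `alias to_s id` undocumented in the YARD output. Keep a short `# @return [String] The advisory identifier.` comment above the alias.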
@@ -83,7 +83,7 @@ module Bundler
83
83
  say gem.version
84
84
 
85
85
  say "Advisory: ", :red
86
- say "CVE-#{advisory.cve}"
86
+ say advisory.id
87
87
 
88
88
  say "Criticality: ", :red
89
89
  case advisory.criticality
@@ -83,7 +83,7 @@ module Bundler
83
83
 
84
84
  @lockfile.specs.each do |gem|
85
85
  @database.check_gem(gem) do |advisory|
86
- unless ignore.include?("CVE-#{advisory.cve}")
86
+ unless ignore.include?(advisory.id)
87
87
  yield UnpatchedGem.new(gem,advisory)
88
88
  end
89
89
  end
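Review bot: `ignore.include?(advisory.id)` is an exact string match against the new filename-derived ids, so an existing `-i CVE-2013-0156` (the form the old CLI spec used) matches nothing and is silently accepted. Because the ignore list suppresses security findings, consider warning when an ignore entry matches no known advisory, or accepting the old `CVE-` form during the transition.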
@@ -20,6 +20,6 @@
20
20
  module Bundler
21
21
  module Audit
22
22
  # bundler-audit version
23
- VERSION = '0.1.4'
23
+ VERSION = '0.2.1'
24
24
  end
25
25
  end
@@ -5,10 +5,16 @@ require 'bundler/audit/advisory'
5
5
  describe Bundler::Audit::Advisory do
6
6
  let(:root) { Bundler::Audit::Database::PATH }
7
7
  let(:gem) { 'actionpack' }
8
- let(:path) { File.join(root,gem,"OSVDB-89026.yml") }
9
- let(:cve) { YAML.load(File.read(path))['cve'] }
8
+ let(:id) { 'OSVDB-84243' }
9
+ let(:path) { File.join(root,gem,"#{id}.yml") }
10
10
  let(:an_unaffected_version) do
11
- YAML.load(File.read(path))['unaffected_versions'].first.sub(/^.*?(~>|>=|>|=)\s+/, '')
11
+ YAML.
12
+ load(File.read(path))['unaffected_versions'].
13
+ map { |item| item.split(/\s*,\s*/) }.
14
+ flatten.
15
+ select { |ver| ver =~ /^(~>|>=|=|<=)/ }.
16
+ first.
17
+ sub(/^.*?(~>|>=|=|<=)\s+/, '')
12
18
  end
13
19
 
14
20
  describe "load" do
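Review bot: the new `select { |ver| ver =~ /^(~>|>=|=|<=)/ }` drops the bare `>` operator the old regex accepted, and `.first` returns nil when nothing matches, turning a data change into a `NoMethodError` on `sub` instead of a readable failure. Use `/^(~>|>=|>|=|<=|<)/` and guard the nil case with an explicit `fail "no unaffected version in #{path}"`. Hard-coding `OSVDB-84243` also couples this spec to that particular advisory carrying `unaffected_versions`.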
@@ -16,7 +22,7 @@ describe Bundler::Audit::Advisory do
16
22
 
17
23
  subject { described_class.load(path) }
18
24
 
19
- its(:cve) { should == cve }
25
+ its(:id) { should == id }
20
26
  its(:url) { should == data['url'] }
21
27
  its(:title) { should == data['title'] }
22
28
  its(:cvss_v2) { should == data['cvss_v2'] }
@@ -58,9 +64,6 @@ describe Bundler::Audit::Advisory do
58
64
  end
59
65
 
60
66
  describe "#unaffected?" do
61
- let(:gem) { 'activerecord' }
62
- let(:path) { File.join(root,gem,"OSVDB-82403.yml") }
63
-
64
67
  subject { described_class.load(path) }
65
68
 
66
69
  context "when passed a version that matches one unaffected version" do
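Review bot: removing the `activerecord` / `OSVDB-82403.yml` override means `#unaffected?` now relies on the shared `OSVDB-84243` actionpack advisory having a non-empty `unaffected_versions`; a database refresh via `rake update` could make this context exercise nothing. Add `subject.unaffected_versions.should_not be_empty` here so the precondition is checked rather than assumed.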
@@ -92,7 +95,7 @@ describe Bundler::Audit::Advisory do
92
95
  end
93
96
 
94
97
  context "when passed a version that matches no patched version" do
95
- let(:version) { Gem::Version.new('3.1.9') }
98
+ let(:version) { Gem::Version.new('2.9.0') }
96
99
 
97
100
  it "should return false" do
98
101
  subject.patched?(version).should be_false
@@ -112,16 +115,13 @@ describe Bundler::Audit::Advisory do
112
115
  end
113
116
 
114
117
  context "when passed a version that matches no patched version" do
115
- let(:version) { Gem::Version.new('3.1.9') }
118
+ let(:version) { Gem::Version.new('2.9.0') }
116
119
 
117
120
  it "should return true" do
118
121
  subject.vulnerable?(version).should be_true
119
122
  end
120
123
 
121
124
  context "when unaffected_versions is not empty" do
122
- let(:gem) { 'activerecord' }
123
- let(:path) { File.join(root,gem,"OSVDB-82403.yml") }
124
-
125
125
  subject { described_class.load(path) }
126
126
 
127
127
  context "when passed a version that matches one unaffected version" do
@@ -1,6 +1,6 @@
1
1
  source 'https://rubygems.org'
2
2
 
3
- gem 'rails', '3.2.13'
3
+ gem 'rails', '3.2.14'
4
4
 
5
5
  # Bundle edge Rails instead:
6
6
  # gem 'rails', :git => 'git://github.com/rails/rails.git'
@@ -22,7 +22,7 @@ describe "CLI" do
22
22
  it "should print advisory information for the vulnerable gems" do
23
23
  advisory_pattern = /(Name: [^\n]+
24
24
  Version: \d+.\d+.\d+
25
- Advisory: CVE-\d+-\d+
25
+ Advisory: OSVDB-\d+
26
26
  Criticality: (High|Medium)
27
27
  URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+
28
28
  Title: [^\n]*?
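Review bot: switching to `Advisory: OSVDB-\d+` is fine, but while touching this pattern fix the `Solution` alternative shown in the next hunk's context line, `(~>|=>)`: it never matches the `>= 3.2.13` form the README output uses, and the spec only passes because the regex is searched rather than anchored, so the solution check is weaker than it looks. Change `=>` to `>=`.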
@@ -38,7 +38,7 @@ Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
38
38
  let(:directory) { File.join('spec','bundle',bundle) }
39
39
 
40
40
  let(:command) do
41
- File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit -i CVE-2013-0156'))
41
+ File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit -i OSVDB-89026'))
42
42
  end
43
43
 
44
44
  subject do
@@ -46,7 +46,7 @@ Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
46
46
  end
47
47
 
48
48
  it "should not print advisory information for ignored gem" do
49
- subject.should_not include("CVE-2013-0156")
49
+ subject.should_not include("OSVDB-89026")
50
50
  end
51
51
  end
52
52
 
data/spec/scanner_spec.rb CHANGED
@@ -31,18 +31,18 @@ describe Scanner do
31
31
  subject { scanner.scan.to_a }
32
32
 
33
33
  it "should match unpatched gems to their advisories" do
34
- subject[0].gem.name.should == 'actionpack'
35
- subject[0].gem.version.to_s.should == '3.2.10'
36
- subject[0].advisory.cve.should == '2013-0156'
34
+ subject.all? { |result|
35
+ result.advisory.vulnerable?(result.gem.version)
36
+ }.should be_true
37
37
  end
38
38
 
39
39
  context "when the :ignore option is given" do
40
- subject { scanner.scan(:ignore => ['CVE-2013-0156']) }
40
+ subject { scanner.scan(:ignore => ['OSVDB-89026']) }
41
41
 
42
42
  it "should ignore the specified advisories" do
43
- cves = subject.map { |result| result.advisory.cve }
43
+ ids = subject.map { |result| result.advisory.id }
44
44
 
45
- cves.should_not include('2013-0156')
45
+ ids.should_not include('OSVDB-89026')
46
46
  end
47
47
  end
48
48
  end
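Review bot: `subject.all? { ... }.should be_true` is vacuously true when `scan` returns nothing, so the rewritten test no longer proves that any unpatched gem was found; add `subject.should_not be_empty` before it. Likewise `ids.should_not include('OSVDB-89026')` passes even when the scanner reports no advisories at all; pair it with a check that the unignored scan does include that id, so the ignore path is actually exercised.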
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: mrjoy-bundler-audit
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.4
4
+ version: 0.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Postmodern
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-08-15 00:00:00.000000000 Z
12
+ date: 2013-09-13 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bundler