mrjoy-bundler-audit 0.1.4

data/ChangeLog.md

@@ -0,0 +1,79 @@
+### 0.1.4 / 2013-08-15
+
+* RVM compartmentalization for the project (only relevant to people hacking on
+  it).
+* Adding Ruby 2.0.0 to Travis config.
+* Updated the [ruby-advisory-db] from [ffce5a2](https://github.com/rubysec/ruby-advisory-db/commit/ffce5a27f239191e22bd47bb62c5a3121952b8d0)
+  to [ee2ff0b](https://github.com/rubysec/ruby-advisory-db/commit/ee2ff0b6c971d0eb295595dc1cd48a777d8829bb).
+* Update `Advisory` class to compensate for change in naming convention in
+  [ruby-advisory-db].
+* Make some tests less brittle, and get them passing again after the
+  [ruby-advisory-db] update.
+* Add ability for individual spec files to be called individually.
+* Rename gem so this can be installed via Rubygems.
+
+### 0.1.3 / 2013-03-05
+
+* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
+  parse approximate version requirements (`~> 1.2.3`).
+* Updated the [ruby-advisory-db].
+* Added {Bundle::Audit::Advisory#unaffected_versions}.
+* Added {Bundle::Audit::Advisory#unaffected?}.
+* Added {Bundle::Audit::Advisory#patched?}.
+
+### 0.1.2 / 2013-02-17
+
+* Require [bundler] ~> 1.2.
+* Vendor a full copy of the [ruby-advisory-db].
+* Added {Bundler::Audit::Advisory#path} for debugging purposes.
+* Added {Bundler::Audit::Advisory#to_s} for debugging purposes.
+
+#### CLI
+
+* Simply parse the `Gemfile.lock` instead of loading the bundle (@grosser).
+* Exit with non-zero status on failure (@grosser).
+
+### 0.1.1 / 2013-02-12
+
+* Fixed a Ruby 1.8 syntax error.
+
+### Advisories
+
+* Imported advisories from the [Ruby Advisory DB][ruby-advisory-db].
+  * [CVE-2011-0739](http://www.osvdb.org/show/osvdb/70667)
+  * [CVE-2012-2139](http://www.osvdb.org/show/osvdb/81631)
+  * [CVE-2012-2140](http://www.osvdb.org/show/osvdb/81632)
+  * [CVE-2012-267](http://osvdb.org/83077)
+  * [CVE-2012-1098](http://osvdb.org/79726)
+  * [CVE-2012-1099](http://www.osvdb.org/show/osvdb/79727)
+  * [CVE-2012-2660](http://www.osvdb.org/show/osvdb/82610)
+  * [CVE-2012-2661](http://www.osvdb.org/show/osvdb/82403)
+  * [CVE-2012-3424](http://www.osvdb.org/show/osvdb/84243)
+  * [CVE-2012-3463](http://osvdb.org/84515)
+  * [CVE-2012-3464](http://www.osvdb.org/show/osvdb/84516)
+  * [CVE-2012-3465](http://www.osvdb.org/show/osvdb/84513)
+
+### CLI
+
+* If the advisory has no `patched_versions`, recommend removing or disabling
+  the gem until a patch is made available.
+
+### 0.1.0 / 2013-02-11
+
+* Initial release:
+  * Checks for vulnerable versions of gems in `Gemfile.lock`.
+  * Prints advisory information.
+  * Does not require a network connection.
+
+#### Advisories
+
+* [CVE-2013-0269](http://direct.osvdb.org/show/osvdb/90074)
+* [CVE-2013-0263](http://osvdb.org/show/osvdb/89939)
+* [CVE-2013-0155](http://osvdb.org/show/osvdb/89025)
+* [CVE-2013-0156](http://osvdb.org/show/osvdb/89026)
+* [CVE-2013-0276](http://direct.osvdb.org/show/osvdb/90072)
+* [CVE-2013-0277](http://direct.osvdb.org/show/osvdb/90073)
+* [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
+
+[bundler]: http://gembundler.com/
+[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme

data/Gemfile

@@ -0,0 +1,14 @@
+#ruby=ruby-2.0.0-p195
+#ruby-gemset=bundler-audit
+source 'https://rubygems.org/'
+
+gemspec
+
+group :development do
+  gem 'rake',           '~> 10.0'
+  gem 'kramdown',       '~> 0.14'
+
+  gem 'rubygems-tasks', '~> 0.2'
+  gem 'rspec',          '~> 2.4'
+  gem 'yard',           '~> 0.8'
+end

data/README.md

@@ -0,0 +1,105 @@
+# mrjoy-bundler-audit
+
+* [Homepage](https://github.com/MrJoy/mrjoy-bundler-audit#readme)
+* [Issues](https://github.com/MrJoy/mrjoy-bundler-audit/issues)
+* [Email](mailto:jfrisby@mrjoy.com)
+* [![Build Status](https://travis-ci.org/MrJoy/mrjoy-bundler-audit.png)](https://travis-ci.org/MrJoy/mrjoy-bundler-audit)
+* [![Code Climate](https://codeclimate.com/github/MrJoy/mrjoy-bundler-audit.png)](https://codeclimate.com/github/MrJoy/mrjoy-bundler-audit)
+
+## Description
+
+Patch-level verification for [Bundler][bundler].
+
+## Features
+
+* Checks for vulnerable versions of gems in `Gemfile.lock`.
+* Prints advisory information.
+* Does not require a network connection.
+
+## Synopsis
+
+Audit a projects `Gemfile.lock`:
+
+    $ bundle-audit
+    Name: rack
+    Version: 1.4.4
+    CVE: 2013-0263
+    Criticality: High
+    URL: http://osvdb.org/show/osvdb/89939
+    Title: Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
+    Patched Versions: ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2
+
+    Name: json
+    Version: 1.7.6
+    CVE: 2013-0269
+    Criticality: High
+    URL: http://direct.osvdb.org/show/osvdb/90074
+    Title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
+    Patched Versions: ~> 1.5.4, ~> 1.6.7, >= 1.7.7
+
+    Name: rails
+    Version: 3.2.10
+    CVE: 2013-0155
+    Criticality: High
+    URL: http://osvdb.org/show/osvdb/89025
+    Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
+    Patched Versions: ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+    Name: rails
+    Version: 3.2.10
+    CVE: 2013-0156
+    Criticality: High
+    URL: http://osvdb.org/show/osvdb/89026
+    Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
+    Remote Code Execution
+    Patched Versions: ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
+
+    Name: rails
+    Version: 3.2.10
+    CVE: 2013-0276
+    Criticality: Medium
+    URL: http://direct.osvdb.org/show/osvdb/90072
+    Title: Ruby on Rails Active Record attr_protected Method Bypass
+    Patched Versions: ~> 2.3.17, ~> 3.1.11, >= 3.2.12
+
+    Unpatched versions found!
+
+## Requirements
+
+* [bundler] ~> 1.2
+* [RubyGems] >= 1.8
+
+## Install
+
+    $ gem install mrjoy-bundler-audit
+
+Or in your Gemfile:
+
+```ruby
+gem 'mrjoy-bundler-audit', :require => nil
+```
+
+## License
+
+Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+Modifications Copyright (c) 2013 Jon Frisby (jfrisby@mrjoy.com), or their
+respective authors.
+
+mrjoy-bundler-audit is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+mrjoy-bundler-audit is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with mrjoy-bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+
+[bundler]: https://github.com/carlhuda/bundler#readme
+
+[OSVDB]: http://osvdb.org/
+
+[RubyGems]: https://rubygems.org

data/Rakefile

@@ -0,0 +1,47 @@
+# encoding: utf-8
+
+require 'rubygems'
+
+begin
+  require 'bundler'
+rescue LoadError => e
+  warn e.message
+  warn "Run `gem install bundler` to install Bundler."
+  exit -1
+end
+
+begin
+  Bundler.setup(:development)
+rescue Bundler::BundlerError => e
+  warn e.message
+  warn "Run `bundle install` to install missing gems."
+  exit e.status_code
+end
+
+require 'rake'
+
+require 'rubygems/tasks'
+Gem::Tasks.new
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
+
+namespace :spec do
+  task :bundle do
+    root = 'spec/bundle'
+
+    %w[secure unpatched_gems insecure_sources].each do |bundle|
+      chdir(File.join(root,bundle)) do
+        sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
+      end
+    end
+  end
+end
+task :spec => 'spec:bundle'
+
+task :test    => :spec
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new  
+task :doc => :yard

data/bin/bundle-audit

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+
+lib_dir = File.expand_path(File.join(File.dirname(__FILE__),'..','lib'))
+$LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+require 'bundler/audit/cli'
+
+Bundler::Audit::CLI.start

data/data/ruby-advisory-db/.rspec

@@ -0,0 +1 @@
+--colour

data/data/ruby-advisory-db/CONTRIBUTING.md

@@ -0,0 +1,6 @@
+# Contributing Guidelines
+
+## Style
+
+1. All text must be within 80 columns.
+2. YAML must be indented by 2 spaces.

data/data/ruby-advisory-db/CONTRIBUTORS.md

@@ -0,0 +1,13 @@
+### Acknowledgements
+
+This database would not be possible without volunteers willing to submit pull requests.
+
+Thanks,
+* [Postmodern](https://github.com/postmodern/)
+* [Max Veytsman](https://twitter.com/mveytsman)
+* [Pietro Monteiro](https://github.com/pietro)
+* [Eric Hodel](https://github.com/drbrain)
+* [Brendon Murphy](https://github.com/bemurphy)
+* [Oliver Legg](https://github.com/olly)
+* [Larry W. Cashdollar](http://vapid.dhs.org/)
+* [Michael Grosser](https://github.com/grosser)

data/data/ruby-advisory-db/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+gem 'pry'
+gem 'mechanize'

data/data/ruby-advisory-db/LICENSE.txt

@@ -0,0 +1,5 @@
+If you submit code or data to the ruby-advisory-db that is copyrighted by yourself, upon submission you hereby agree to release it into the public domain.
+
+However, not all of the ruby-advisory-db can be considered public domain. The ruby-advisory-db may contain some information copyrighted by the Open Source Vulnerability Database (http://osvdb.org). If you use ruby-advisory-db data to build a product or a service, it is your responsibility to familiarize yourself with the terms of their license: http://www.osvdb.org/osvdb_license
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/data/ruby-advisory-db/README.md

@@ -0,0 +1,86 @@
+# Ruby Advisory Database
+
+The Ruby Advisory Database aims to compile all advisories that are relevant to Ruby libraries.
+
+## Goals
+
+1. Provide advisory **metadata** in a **simple** yet **structured** [YAML]
+   schema for automated tools to consume.
+2. Avoid reinventing [CVE]s.
+3. Avoid duplicating the efforts of the [OSVDB].
+
+## Directory Structure
+
+The database is a list of directories that match the names of Ruby libraries on
+[rubygems.org]. Within each directory are one or more advisory files
+for the Ruby library. These advisory files are typically named using
+the advisories [CVE] identifier number.
+
+    gems/:
+      actionpack/:
+        CVE-2012-1099.yml  CVE-2012-3463.yml  CVE-2013-0156.yml
+        CVE-2013-1857.yml  CVE-2012-3424.yml  CVE-2012-3465.yml
+        CVE-2013-1855.yml
+
+If an advisory does not yet have a [CVE], [requesting a CVE][1] is easy.
+
+## Format
+
+Each advisory file contains the advisory information in [YAML] format:
+
+    ---
+    gem: actionpack
+    framework: rails
+    cve: 2013-0156
+    osvdb: 89026
+    url: http://osvdb.org/show/osvdb/89026
+    title: |
+      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
+      Remote Code Execution 
+    
+    description: |
+      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
+      The issue is triggered when a type casting error occurs during the parsing
+      of parameters. This may allow a remote attacker to potentially execute
+      arbitrary code.
+    
+    cvss_v2: 10.0
+    
+    patched_versions:
+      - ~> 2.3.15
+      - ~> 3.0.19
+      - ~> 3.1.10
+      - ">= 3.2.11"
+
+### Schema
+
+* `gem` \[String\]: Name of the affected gem.
+* `framework` \[String\] (optional): Name of framework gem belongs to.
+* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
+* `cve` \[String\]: CVE id.
+* `osvdb` \[Fixnum\]: OSVDB id.
+* `url` \[String\]: The URL to the full advisory.
+* `title` \[String\]: The title of the advisory.
+* `date` \[Date\]: Disclosure date of the advisory.
+* `description` \[String\]: Multi-paragraph description of the vulnerability.
+* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
+* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
+  unaffected versions of the Ruby library.
+* `patched_versions` \[Array\<String\>\]: The version requirements for the
+  patched versions of the Ruby library.
+
+## Credits
+
+Please see [CONTRIBUTORS.md].
+
+This database also includes data from the [Open Source Vulnerability Database][OSVDB]
+developed by the Open Security Foundation (OSF) and its contributors.
+
+[rubygems.org]: https://rubygems.org/
+[CVE]: http://cve.mitre.org/
+[CVSSv2]: http://www.first.org/cvss/cvss-guide.html
+[OSVDB]: http://www.osvdb.org/
+[YAML]: http://www.yaml.org/
+[CONTRIBUTORS.md]: https://github.com/rubysec/ruby-advisory-db/blob/master/CONTRIBUTORS.md
+
+[1]: http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

data/data/ruby-advisory-db/Rakefile

@@ -0,0 +1,27 @@
+require 'yaml'
+
+namespace :lint do
+  begin
+    gem 'rspec', '~> 2.4'
+    require 'rspec/core/rake_task'
+
+    RSpec::Core::RakeTask.new(:yaml)
+  rescue LoadError => e
+    task :spec do
+      abort "Please run `gem install rspec` to install RSpec."
+    end
+  end
+
+  task :cve do
+    Dir.glob('gems/*/*.yml') do |path|
+      advisory = YAML.load_file(path)
+
+      unless advisory['cve']
+        puts "Missing CVE: #{path}"
+      end
+    end
+  end
+end
+
+task :lint    => ['lint:yaml', 'lint:cve']
+task :default => :lint

data/data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml

@@ -0,0 +1,26 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2012-1099
+osvdb: 79727
+url: http://www.osvdb.org/show/osvdb/79727
+title:
+  Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb
+  Manually Generated Select Tag Options XSS
+date: 2012-03-01
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) 
+  attack. This flaw exists because the application does not validate manually
+  generated 'select tag options' upon submission to
+  actionpack/lib/action_view/helpers/form_options_helper.rb. This may allow a
+  user to create a specially crafted request that would execute arbitrary
+  script code in a user's browser within the trust relationship between their
+  browser and the server.
+
+cvss_v2: 4.3
+
+patched_versions: 
+  - ~> 3.0.12
+  - ~> 3.1.4
+  - ">= 3.2.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml

@@ -0,0 +1,28 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2012-3424
+osvdb: 84243
+url: http://www.osvdb.org/show/osvdb/84243
+title: 
+  Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb
+  with_http_digest Helper Method Remote DoS
+date: 2012-07-26
+
+description: |
+  Ruby on Rails contains a flaw that may allow a remote denial of service.
+  The issue is triggered when an error occurs in
+  actionpack/lib/action_controller/metal/http_authentication.rb when the
+  with_http_digest helper method is being used. This may allow a remote
+  attacker to cause a loss of availability for the program.
+
+cvss_v2: 4.3
+
+unaffected_versions:
+  - ">= 2.3.5, <= 2.3.14"
+
+patched_versions: 
+  - ~> 3.0.16
+  - ~> 3.1.7
+  - ">= 3.2.7"
+