mrjoy-bundler-audit 0.1.4

data/lib/bundler/audit/scanner.rb

@@ -0,0 +1,97 @@
+require 'bundler'
+require 'bundler/audit/database'
+require 'bundler/lockfile_parser'
+
+require 'set'
+
+module Bundler
+  module Audit
+    class Scanner
+
+      # Represents a plain-text source
+      InsecureSource = Struct.new(:source)
+
+      # Represents a gem that is covered by an Advisory
+      UnpatchedGem = Struct.new(:gem, :advisory)
+
+      # The advisory database
+      #
+      # @return [Database]
+      attr_reader :database
+
+      # Project root directory
+      attr_reader :root
+
+      # The parsed `Gemfile.lock` from the project
+      #
+      # @return [Bundler::LockfileParser]
+      attr_reader :lockfile
+
+      #
+      # Initializes a scanner.
+      #
+      # @param [String] root
+      #   The path to the project root.
+      #
+      def initialize(root=Dir.pwd)
+        @root     = File.expand_path(root)
+        @database = Database.new
+        @lockfile = LockfileParser.new(
+          File.read(File.join(@root,'Gemfile.lock'))
+        )
+      end
+
+      #
+      # Scans the project for issues.
+      #
+      # @param [Hash] options
+      #   Additional options.
+      #
+      # @option options [Array<String>] :ignore
+      #   The advisories to ignore.
+      #
+      # @yield [result]
+      #   The given block will be passed the results of the scan.
+      #
+      # @yieldparam [InsecureSource, UnpatchedGem] result
+      #   A result from the scan.
+      #
+      # @return [Enumerator]
+      #   If no block is given, an Enumerator will be returned.
+      #
+      def scan(options={})
+        return enum_for(__method__,options) unless block_given?
+
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
+
+        @lockfile.sources.map do |source|
+          case source
+          when Source::Git
+            case source.uri
+            when /^git:/, /^http:/
+              yield InsecureSource.new(source.uri)
+            end
+          when Source::Rubygems
+            source.remotes.each do |uri|
+              if uri.scheme == 'http'
+                yield InsecureSource.new(uri.to_s)
+              end
+            end
+          end
+        end
+
+        @lockfile.specs.each do |gem|
+          @database.check_gem(gem) do |advisory|
+            unless ignore.include?("CVE-#{advisory.cve}")
+              yield UnpatchedGem.new(gem,advisory)
+            end
+          end
+        end
+
+        return self
+      end
+
+    end
+  end
+end

data/lib/bundler/audit/version.rb

@@ -0,0 +1,25 @@
+#
+# Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Modifications Copyright (c) 2013 Jon Frisby (jfrisby@mrjoy.com), or their
+# respective authors.
+#
+# mrjoy-bundler-audit is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# mrjoy-bundler-audit is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with mrjoy-bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+module Bundler
+  module Audit
+    # bundler-audit version
+    VERSION = '0.1.4'
+  end
+end

data/mrjoy-bundler-audit.gemspec

@@ -0,0 +1,66 @@
+# encoding: utf-8
+
+require 'yaml'
+
+Gem::Specification.new do |gem|
+  gemspec = YAML.load_file('gemspec.yml')
+
+  gem.name    = gemspec.fetch('name')
+  gem.version = gemspec.fetch('version') do
+                  lib_dir = File.join(File.dirname(__FILE__),'lib')
+                  $LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+                  require 'bundler/audit/version'
+                  Bundler::Audit::VERSION
+                end
+
+  gem.summary     = gemspec['summary']
+  gem.description = gemspec['description']
+  gem.licenses    = Array(gemspec['license'])
+  gem.authors     = Array(gemspec['authors'])
+  gem.email       = gemspec['email']
+  gem.homepage    = gemspec['homepage']
+
+  glob = lambda { |patterns| gem.files & Dir[*patterns] }
+
+  gem.files = `git ls-files`.split($/)
+  gem.files = glob[gemspec['files']] if gemspec['files']
+
+  # add paths from data/ruby-advisory-db/
+  gem.files += Dir.chdir('data/ruby-advisory-db') do
+    `git ls-files`.split($/).map do |sub_path|
+      File.join('data','ruby-advisory-db',sub_path)
+    end
+  end
+
+  gem.executables = gemspec.fetch('executables') do
+    glob['bin/*'].map { |path| File.basename(path) }
+  end
+
+  gem.extensions       = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
+  gem.test_files       = glob[gemspec['test_files'] || '{test/{**/}*_test.rb']
+  gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
+
+  gem.require_paths = Array(gemspec.fetch('require_paths') {
+    %w[ext lib].select { |dir| File.directory?(dir) }
+  })
+
+  gem.requirements              = gemspec['requirements']
+  gem.required_ruby_version     = gemspec['required_ruby_version']
+  gem.required_rubygems_version = gemspec['required_rubygems_version']
+  gem.post_install_message      = gemspec['post_install_message']
+
+  split = lambda { |string| string.split(/,\s*/) }
+
+  if gemspec['dependencies']
+    gemspec['dependencies'].each do |name,versions|
+      gem.add_dependency(name,split[versions])
+    end
+  end
+
+  if gemspec['development_dependencies']
+    gemspec['development_dependencies'].each do |name,versions|
+      gem.add_development_dependency(name,split[versions])
+    end
+  end
+end

data/spec/advisory_spec.rb

@@ -0,0 +1,145 @@
+require 'spec_helper'
+require 'bundler/audit/database'
+require 'bundler/audit/advisory'
+
+describe Bundler::Audit::Advisory do
+  let(:root) { Bundler::Audit::Database::PATH }
+  let(:gem)  { 'actionpack' }
+  let(:path) { File.join(root,gem,"OSVDB-89026.yml") }
+  let(:cve)  { YAML.load(File.read(path))['cve'] }
+  let(:an_unaffected_version) do
+    YAML.load(File.read(path))['unaffected_versions'].first.sub(/^.*?(~>|>=|>|=)\s+/, '')
+  end
+
+  describe "load" do
+    let(:data) { YAML.load_file(path) }
+
+    subject { described_class.load(path) }
+
+    its(:cve)         { should == cve                 }
+    its(:url)         { should == data['url']         }
+    its(:title)       { should == data['title']       }
+    its(:cvss_v2)     { should == data['cvss_v2']     }
+    its(:description) { should == data['description'] }
+
+    describe "#patched_versions" do
+      subject { described_class.load(path).patched_versions }
+
+      it "should all be Gem::Requirement objects" do
+        subject.all? { |version|
+          version.should be_kind_of(Gem::Requirement)
+        }.should be_true
+      end
+
+      it "should parse the versions" do
+        subject.map(&:to_s).should == data['patched_versions']
+      end
+    end
+  end
+
+  describe "#criticality" do
+    context "when cvss_v2 is between 0.0 and 3.3" do
+      before { subject.stub(:cvss_v2).and_return(3.3) }
+
+      its(:criticality) { should == :low }
+    end
+
+    context "when cvss_v2 is between 3.3 and 6.6" do
+      before { subject.stub(:cvss_v2).and_return(6.6) }
+
+      its(:criticality) { should == :medium }
+    end
+
+    context "when cvss_v2 is between 6.6 and 10.0" do
+      before { subject.stub(:cvss_v2).and_return(10.0) }
+
+      its(:criticality) { should == :high }
+    end
+  end
+
+  describe "#unaffected?" do
+    let(:gem)  { 'activerecord' }
+    let(:path) { File.join(root,gem,"OSVDB-82403.yml") }
+
+    subject { described_class.load(path) }
+
+    context "when passed a version that matches one unaffected version" do
+      let(:version) { Gem::Version.new(an_unaffected_version) }
+
+      it "should return true" do
+        subject.unaffected?(version).should be_true
+      end
+    end
+
+    context "when passed a version that matches no unaffected version" do
+      let(:version) { Gem::Version.new('3.0.9') }
+
+      it "should return false" do
+        subject.unaffected?(version).should be_false
+      end
+    end
+  end
+
+  describe "#patched?" do
+    subject { described_class.load(path) }
+
+    context "when passed a version that matches one patched version" do
+      let(:version) { Gem::Version.new('3.1.11') }
+
+      it "should return true" do
+        subject.patched?(version).should be_true
+      end
+    end
+
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('3.1.9') }
+
+      it "should return false" do
+        subject.patched?(version).should be_false
+      end
+    end
+  end
+
+  describe "#vulnerable?" do
+    subject { described_class.load(path) }
+
+    context "when passed a version that matches one patched version" do
+      let(:version) { Gem::Version.new('3.1.11') }
+
+      it "should return false" do
+        subject.vulnerable?(version).should be_false
+      end
+    end
+
+    context "when passed a version that matches no patched version" do
+      let(:version) { Gem::Version.new('3.1.9') }
+
+      it "should return true" do
+        subject.vulnerable?(version).should be_true
+      end
+
+      context "when unaffected_versions is not empty" do
+        let(:gem)  { 'activerecord' }
+        let(:path) { File.join(root,gem,"OSVDB-82403.yml") }
+
+        subject { described_class.load(path) }
+
+        context "when passed a version that matches one unaffected version" do
+          let(:version) { Gem::Version.new(an_unaffected_version) }
+
+          it "should return false" do
+            subject.vulnerable?(version).should be_false
+          end
+        end
+
+        context "when passed a version that matches no unaffected version" do
+          let(:version) { Gem::Version.new('1.2.3') }
+
+          it "should return true" do
+            subject.vulnerable?(version).should be_true
+          end
+        end
+      end
+    end
+  end
+end

data/spec/audit_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'bundler/audit'
+
+describe Bundler::Audit do
+  it "should have a VERSION constant" do
+    subject.const_get('VERSION').should_not be_empty
+  end
+end

data/spec/bundle/insecure_sources/Gemfile

@@ -0,0 +1,39 @@
+source 'http://rubygems.org'
+
+gem 'rails', '3.2.12'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3'
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails', :git => 'git://github.com/rails/jquery-rails.git',
+                    :tag => 'v2.2.1'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'

data/spec/bundle/secure/Gemfile

@@ -0,0 +1,38 @@
+source 'https://rubygems.org'
+
+gem 'rails', '3.2.13'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3'
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'

data/spec/bundle/unpatched_gems/Gemfile

@@ -0,0 +1,38 @@
+source 'https://rubygems.org'
+
+gem 'rails', '3.2.10'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3'
+
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  # gem 'sass-rails',   '~> 3.2.3'
+  # gem 'coffee-rails', '~> 3.2.1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', :platforms => :ruby
+
+  # gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# To use Jbuilder templates for JSON
+# gem 'jbuilder'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano'
+
+# To use debugger
+# gem 'debugger'