RubyGems - mrjoy-bundler-audit - Versions diffs - 0.1.4 - Mend

mrjoy-bundler-audit 0.1.4

Files changed (100) hide show

checksums.yaml +7 -0
data/.document +3 -0
data/.gitignore +6 -0
data/.gitmodules +3 -0
data/.rspec +1 -0
data/.travis.yml +5 -0
data/.yardopts +1 -0
data/COPYING.txt +674 -0
data/ChangeLog.md +79 -0
data/Gemfile +14 -0
data/README.md +105 -0
data/Rakefile +47 -0
data/bin/bundle-audit +10 -0
data/data/ruby-advisory-db/.rspec +1 -0
data/data/ruby-advisory-db/CONTRIBUTING.md +6 -0
data/data/ruby-advisory-db/CONTRIBUTORS.md +13 -0
data/data/ruby-advisory-db/Gemfile +3 -0
data/data/ruby-advisory-db/LICENSE.txt +5 -0
data/data/ruby-advisory-db/README.md +86 -0
data/data/ruby-advisory-db/Rakefile +27 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml +26 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml +28 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml +23 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-84515.yml +26 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml +24 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml +20 -0
data/data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml +23 -0
data/data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml +25 -0
data/data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml +24 -0
data/data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml +24 -0
data/data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml +21 -0
data/data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml +23 -0
data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml +26 -0
data/data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml +26 -0
data/data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml +23 -0
data/data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml +25 -0
data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml +28 -0
data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml +10 -0
data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml +17 -0
data/data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml +11 -0
data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml +12 -0
data/data/ruby-advisory-db/gems/devise/OSVDB-89642.yml +20 -0
data/data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml +19 -0
data/data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml +9 -0
data/data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml +18 -0
data/data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml +12 -0
data/data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml +10 -0
data/data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml +10 -0
data/data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml +10 -0
data/data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml +9 -0
data/data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml +18 -0
data/data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml +20 -0
data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml +19 -0
data/data/ruby-advisory-db/gems/json/OSVDB-90074.yml +23 -0
data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml +10 -0
data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml +10 -0
data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml +10 -0
data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml +21 -0
data/data/ruby-advisory-db/gems/mail/OSVDB-70667.yml +21 -0
data/data/ruby-advisory-db/gems/mail/OSVDB-81631.yml +14 -0
data/data/ruby-advisory-db/gems/mail/OSVDB-81632.yml +16 -0
data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml +10 -0
data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml +15 -0
data/data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml +16 -0
data/data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml +17 -0
data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml +19 -0
data/data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml +16 -0
data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml +11 -0
data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml +18 -0
data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml +23 -0
data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml +27 -0
data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml +13 -0
data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml +11 -0
data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml +10 -0
data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml +10 -0
data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml +10 -0
data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml +10 -0
data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml +10 -0
data/data/ruby-advisory-db/lib/scrape.rb +87 -0
data/data/ruby-advisory-db/spec/advisory_example.rb +165 -0
data/data/ruby-advisory-db/spec/gems_spec.rb +8 -0
data/data/ruby-advisory-db/spec/spec_helper.rb +1 -0
data/gemspec.yml +16 -0
data/lib/bundler/audit.rb +21 -0
data/lib/bundler/audit/advisory.rb +142 -0
data/lib/bundler/audit/cli.rb +124 -0
data/lib/bundler/audit/database.rb +187 -0
data/lib/bundler/audit/scanner.rb +97 -0
data/lib/bundler/audit/version.rb +25 -0
data/mrjoy-bundler-audit.gemspec +66 -0
data/spec/advisory_spec.rb +145 -0
data/spec/audit_spec.rb +8 -0
data/spec/bundle/insecure_sources/Gemfile +39 -0
data/spec/bundle/secure/Gemfile +38 -0
data/spec/bundle/unpatched_gems/Gemfile +38 -0
data/spec/database_spec.rb +81 -0
data/spec/integration_spec.rb +81 -0
data/spec/scanner_spec.rb +74 -0
data/spec/spec_helper.rb +21 -0
metadata +162 -0

data/spec/database_spec.rb ADDED Viewed

@@ -0,0 +1,81 @@
+require 'spec_helper'
+require 'bundler/audit/database'
+require 'tmpdir'
+describe Bundler::Audit::Database do
+  describe "PATH" do
+    subject { described_class::PATH }
+    it "it should be a directory" do
+      File.directory?(subject).should be_true
+    end
+  end
+  describe "#initialize" do
+    context "when given no arguments" do
+      subject { described_class.new }
+      it "should default path to PATH" do
+        subject.path.should == described_class::PATH
+      end
+    end
+    context "when given a directory" do
+      let(:path ) { Dir.tmpdir }
+      subject { described_class.new(path) }
+      it "should set #path" do
+        subject.path.should == path
+      end
+    end
+    context "when given an invalid directory" do
+      it "should raise an ArgumentError" do
+        lambda {
+          described_class.new('/foo/bar/baz')
+        }.should raise_error(ArgumentError)
+      end
+    end
+  end
+  describe "#check_gem" do
+    let(:gem) do
+      Gem::Specification.new do |s|
+        s.name    = 'actionpack'
+        s.version = '3.1.9'
+      end
+    end
+    context "when given a block" do
+      it "should yield every advisory effecting the gem" do
+        advisories = []
+        subject.check_gem(gem) do |advisory|
+          advisories << advisory
+        end
+        advisories.should_not be_empty
+        advisories.all? { |advisory|
+          advisory.kind_of?(Bundler::Audit::Advisory)
+        }.should be_true
+      end
+    end
+    context "when given no block" do
+      it "should return an Enumerator" do
+        subject.check_gem(gem).should be_kind_of(Enumerable)
+      end
+    end
+  end
+  describe "#size" do
+    it { subject.size.should > 0 }
+  end
+  describe "#to_s" do
+    it "should return the Database path" do
+      subject.to_s.should == subject.path
+    end
+  end
+end

data/spec/integration_spec.rb ADDED Viewed

@@ -0,0 +1,81 @@
+require 'spec_helper'
+describe "CLI" do
+  include Helpers
+  let(:command) do
+    File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit'))
+  end
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+    it "should print a warning" do
+      subject.should include("Unpatched versions found!")
+    end
+    it "should print advisory information for the vulnerable gems" do
+      advisory_pattern = /(Name: [^\n]+
+Version: \d+.\d+.\d+
+Advisory: CVE-\d+-\d+
+Criticality: (High|Medium)
+URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+
+Title: [^\n]*?
+Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/
+      expect(subject).to match(advisory_pattern)
+      expect(subject).to include("Unpatched versions found!")
+    end
+  end
+  context "when auditing a bundle with ignored gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:command) do
+      File.expand_path(File.join(File.dirname(__FILE__),'..','bin','bundle-audit -i CVE-2013-0156'))
+    end
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+    it "should not print advisory information for ignored gem" do
+      subject.should_not include("CVE-2013-0156")
+    end
+  end
+  context "when auditing a bundle with insecure sources" do
+    let(:bundle)    { 'insecure_sources' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    subject do
+      Dir.chdir(directory) { sh(command, :fail => true) }
+    end
+    it "should print warnings about insecure sources" do
+      subject.should include(%{
+Insecure Source URI found: git://github.com/rails/jquery-rails.git
+Insecure Source URI found: http://rubygems.org/
+      }.strip)
+    end
+  end
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    subject do
+      Dir.chdir(directory) { sh(command) }
+    end
+    it "should print nothing when everything is fine" do
+      subject.strip.should == "No unpatched versions found"
+    end
+  end
+end

data/spec/scanner_spec.rb ADDED Viewed

@@ -0,0 +1,74 @@
+require 'spec_helper'
+require 'bundler/audit/scanner'
+describe Scanner do
+  describe "#scan" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    subject { described_class.new(directory) }
+    it "should yield results" do
+      results = []
+      subject.scan { |result| results << result }
+      results.should_not be_empty
+    end
+    context "when not called with a block" do
+      it "should return an Enumerator" do
+        subject.scan.should be_kind_of(Enumerable)
+      end
+    end
+  end
+  context "when auditing a bundle with unpatched gems" do
+    let(:bundle)    { 'unpatched_gems' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)  { described_class.new(directory)    }
+    subject { scanner.scan.to_a }
+    it "should match unpatched gems to their advisories" do
+      subject[0].gem.name.should == 'actionpack'
+      subject[0].gem.version.to_s.should == '3.2.10'
+      subject[0].advisory.cve.should == '2013-0156'
+    end
+    context "when the :ignore option is given" do
+      subject { scanner.scan(:ignore => ['CVE-2013-0156']) }
+      it "should ignore the specified advisories" do
+        cves = subject.map { |result| result.advisory.cve }
+        cves.should_not include('2013-0156')
+      end
+    end
+  end
+  context "when auditing a bundle with insecure sources" do
+    let(:bundle)    { 'insecure_sources' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)   { described_class.new(directory)    }
+    subject { scanner.scan.to_a }
+    it "should match unpatched gems to their advisories" do
+      subject[0].source.should == 'git://github.com/rails/jquery-rails.git'
+      subject[1].source.should == 'http://rubygems.org/'
+    end
+  end
+  context "when auditing a secure bundle" do
+    let(:bundle)    { 'secure' }
+    let(:directory) { File.join('spec','bundle',bundle) }
+    let(:scanner)   { described_class.new(directory)    }
+    subject { scanner.scan.to_a }
+    it "should print nothing when everything is fine" do
+      subject.should be_empty
+    end
+  end
+end

data/spec/spec_helper.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'rubygems'
+require 'bundler'
+Bundler.require
+require 'rspec'
+require 'bundler/audit/version'
+module Helpers
+  def sh(command, options={})
+    Bundler.with_clean_env do
+      result = `#{command} 2>&1`
+      raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]
+      result
+    end
+  end
+  def decolorize(string)
+    string.gsub(/\e\[\d+m/, "")
+  end
+end
+include Bundler::Audit

metadata ADDED Viewed

@@ -0,0 +1,162 @@
+--- !ruby/object:Gem::Specification
+name: mrjoy-bundler-audit
+version: !ruby/object:Gem::Version
+  version: 0.1.4
+platform: ruby
+authors:
+- Postmodern
+- MrJoy
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2013-08-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.2'
+description: bundler-audit provides patch-level verification for Bundled apps.
+email:
+- postmodern.mod3@gmail.com
+- jfrisby@mrjoy.com
+executables:
+- bundle-audit
+extensions: []
+extra_rdoc_files:
+- COPYING.txt
+- ChangeLog.md
+- README.md
+files:
+- .document
+- .gitignore
+- .gitmodules
+- .rspec
+- .travis.yml
+- .yardopts
+- COPYING.txt
+- ChangeLog.md
+- Gemfile
+- README.md
+- Rakefile
+- bin/bundle-audit
+- gemspec.yml
+- lib/bundler/audit.rb
+- lib/bundler/audit/advisory.rb
+- lib/bundler/audit/cli.rb
+- lib/bundler/audit/database.rb
+- lib/bundler/audit/scanner.rb
+- lib/bundler/audit/version.rb
+- mrjoy-bundler-audit.gemspec
+- spec/advisory_spec.rb
+- spec/audit_spec.rb
+- spec/bundle/insecure_sources/Gemfile
+- spec/bundle/secure/Gemfile
+- spec/bundle/unpatched_gems/Gemfile
+- spec/database_spec.rb
+- spec/integration_spec.rb
+- spec/scanner_spec.rb
+- spec/spec_helper.rb
+- data/ruby-advisory-db/.rspec
+- data/ruby-advisory-db/CONTRIBUTING.md
+- data/ruby-advisory-db/CONTRIBUTORS.md
+- data/ruby-advisory-db/Gemfile
+- data/ruby-advisory-db/LICENSE.txt
+- data/ruby-advisory-db/README.md
+- data/ruby-advisory-db/Rakefile
+- data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-84515.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml
+- data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml
+- data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml
+- data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml
+- data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml
+- data/ruby-advisory-db/gems/crack/OSVDB-90742.yml
+- data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml
+- data/ruby-advisory-db/gems/curl/OSVDB-91230.yml
+- data/ruby-advisory-db/gems/devise/OSVDB-89642.yml
+- data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml
+- data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml
+- data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml
+- data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml
+- data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml
+- data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml
+- data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml
+- data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml
+- data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml
+- data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml
+- data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml
+- data/ruby-advisory-db/gems/json/OSVDB-90074.yml
+- data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml
+- data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml
+- data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml
+- data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
+- data/ruby-advisory-db/gems/mail/OSVDB-70667.yml
+- data/ruby-advisory-db/gems/mail/OSVDB-81631.yml
+- data/ruby-advisory-db/gems/mail/OSVDB-81632.yml
+- data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml
+- data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml
+- data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml
+- data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml
+- data/ruby-advisory-db/gems/nori/OSVDB-90196.yml
+- data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml
+- data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml
+- data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml
+- data/ruby-advisory-db/gems/rack/OSVDB-89939.yml
+- data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml
+- data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml
+- data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91216.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91217.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91218.yml
+- data/ruby-advisory-db/gems/spree/OSVDB-91219.yml
+- data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml
+- data/ruby-advisory-db/lib/scrape.rb
+- data/ruby-advisory-db/spec/advisory_example.rb
+- data/ruby-advisory-db/spec/gems_spec.rb
+- data/ruby-advisory-db/spec/spec_helper.rb
+homepage: https://github.com/MrJoy/mrjoy-bundler-audit#readme
+licenses:
+- GPLv3
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: 1.8.0
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.5
+signing_key:
+specification_version: 4
+summary: Patch-level verification for Bundler
+test_files: []