mrjoy-bundler-audit 0.3.1 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 797e11ab94369f9ca56d1ebec7b486b739ef76a0
-  data.tar.gz: f86b4d43b7bc27285b9da49494d7f9bcb6d3da2d
+  metadata.gz: 37d67a169ac19c5c1b329c949c4af7dd044876bd
+  data.tar.gz: efbdd7e8335a6f685f77f45bfa6e4d3f4f10804f
 SHA512:
-  metadata.gz: ecbadf97664bc14844269e91b523feb2bf17dfd569af3621a8a015b40c4c7e5b69bad171497bb950616df115f0c8fd752dda12e8551c5c8caea3571b8e100d08
-  data.tar.gz: 39df3b13657c0069d7739b600dc8c1feac26a51fe790438b3284d46d32a8f9a6dd2b31d9ad05e1edaed20d948d44835d0e0763b7ca0b05737eb0a7cf20ce1465
+  metadata.gz: c09b134df68524a62017773ca38bfb95cb10a9cd91a46fde8ba3686fd85910231cc85e9a463b9cd1fb925084311780121b1564e213b108aa2729e5d67f87ca2c
+  data.tar.gz: 966ebb4387b593babd08f303530c7f2f32d7771e622d0371dd687222ee4f12d8f49167c8dcff091ce3c6534fe1fcdb200cdbe0b1cfa5e865cb67ceb078ee6abc

data/.gitignore

@@ -1,6 +1,9 @@
 Gemfile.lock
 doc/
+coverage/
+.yardoc/
 pkg/
 spec/bundle/*/Gemfile.lock
 spec/bundle/*/.bundle/
 vendor/bundle/
+tmp/

data/ChangeLog.md

@@ -1,3 +1,12 @@
+### mrjoy-0.3.2 / 2013-11-04
+
+* Fix for [serious issue](https://github.com/rubysec/bundler-audit/issues/48)
+  that would cause bundle-audit to ignore a locally installed cache of the
+  vulnerability database in favor of its vendored version.
+* Simplified code according to ABC metric, getting CodeClimate results to 4.0.
+* Added SimpleCov to ensure reasonable test coverage.
+* Updated docs to explain differentiation of this fork vs. upstream.
+
 ### mrjoy-0.3.1 / 2013-11-04
 
 * Integrated upstream 0.3.0 changes.
@@ -53,9 +62,9 @@
 * Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
   parse approximate version requirements (`~> 1.2.3`).
 * Updated the [ruby-advisory-db].
-* Added {Bundle::Audit::Advisory#unaffected_versions}.
-* Added {Bundle::Audit::Advisory#unaffected?}.
-* Added {Bundle::Audit::Advisory#patched?}.
+* Added {Bundler::Audit::Advisory#unaffected_versions}.
+* Added {Bundler::Audit::Advisory#unaffected?}.
+* Added {Bundler::Audit::Advisory#patched?}.
 
 ### 0.1.2 / 2013-02-17
 

data/Gemfile

@@ -5,10 +5,11 @@ source 'https://rubygems.org/'
 gemspec
 
 group :development do
-  gem 'rake',           '~> 10.0'
+  gem 'rake',           '~> 10.0', :require => false
   gem 'kramdown',       '~> 0.14'
 
   gem 'rubygems-tasks', '~> 0.2'
-  gem 'rspec',          '~> 2.4'
-  gem 'yard',           '~> 0.8'
+  gem 'rspec',          '~> 2.4', :require => false
+  gem 'yard',           '~> 0.8', :require => false
+  gem 'simplecov',      '~> 0.7', :require => false
 end

data/README.md

@@ -19,6 +19,18 @@ Patch-level verification for [Bundler][bundler].
 * Prints advisory information.
 * Does not require a network connection.
 
+## Benefits of This Fork
+
+* **IMPORTANT**: At present, the upstream repository (v0.3.0) will tend to use
+  an *older* vendored copy of the vulnerability database despite the user
+  installing a local cache!  As of v0.3.2, this fork is *not* susceptible to
+  this problem.  [Read here for more info.](https://github.com/rubysec/bundler-audit/issues/48)
+* Kept up to date with upstream frequently.
+* Simpler, more robust testing infrastructure for greater assurance of code
+  quality, and easier contribution.
+* Simplified code (see CodeClimate results) to enable more easily reasoning
+  about the code.
+
 ## Synopsis
 
 Audit a projects `Gemfile.lock`:
@@ -31,7 +43,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://www.osvdb.org/show/osvdb/91452
     Title: XSS vulnerability in sanitize_css in Action Pack
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-    
+
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-91454
@@ -39,7 +51,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/91454
     Title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-    
+
     Name: actionpack
     Version: 3.2.10
     Advisory: OSVDB-89026
@@ -47,7 +59,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/89026
     Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution
     Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-    
+
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-91453
@@ -55,7 +67,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/91453
     Title: Symbol DoS vulnerability in Active Record
     Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
-    
+
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-90072
@@ -63,7 +75,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://direct.osvdb.org/show/osvdb/90072
     Title: Ruby on Rails Active Record attr_protected Method Bypass
     Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
-    
+
     Name: activerecord
     Version: 3.2.10
     Advisory: OSVDB-89025
@@ -71,7 +83,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://osvdb.org/show/osvdb/89025
     Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
     Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
-    
+
     Name: activesupport
     Version: 3.2.10
     Advisory: OSVDB-91451
@@ -79,7 +91,7 @@ Audit a projects `Gemfile.lock`:
     URL: http://www.osvdb.org/show/osvdb/91451
     Title: XML Parsing Vulnerability affecting JRuby users
     Solution: upgrade to ~> 3.1.12, >= 3.2.13
-    
+
     Unpatched versions found!
 
 Update the [ruby-advisory-db] that `bundle-audit` uses:

data/Rakefile

@@ -26,8 +26,22 @@ Gem::Tasks.new
 namespace :db do
   desc 'Updates data/ruby-advisory-db'
   task :update do
+    vendored_ctime = nil
     chdir 'data/ruby-advisory-db' do
       sh 'git', 'pull', 'origin', 'master'
+      vendored_ctime = `git log --pretty="%cd" -1`.chomp
+    end
+    File.open("lib/bundler/audit/vendored_time.rb", "w") do |fh|
+      fh.write(%Q{
+# WARNING: DO NOT EDIT THIS FILE BY HAND.  IT IS AUTO-GENERATED!
+module Bundler
+  module Audit
+    class Database
+      VENDORED_REPO_CTIME = Time.parse("#{vendored_ctime}")
+    end
+  end
+end
+})
     end
 
     sh 'git', 'commit', 'data/ruby-advisory-db',

data/lib/bundler/audit/cli.rb

@@ -84,26 +84,33 @@ module Bundler
       end
 
       def print_advisory(gem, advisory)
-        say "Name: ", :red
-        say gem.name
-
-        say "Version: ", :red
-        say gem.version
+        print_affected_gem(gem)
 
         say "Advisory: ", :red
         say advisory.id
 
         say "Criticality: ", :red
-        case advisory.criticality
-        when :low    then say "Low"
-        when :medium then say "Medium", :yellow
-        when :high   then say "High", [:red, :bold]
-        else              say "Unknown"
-        end
+        say *CRITICALITY_MAP[advisory.criticality]
 
         say "URL: ", :red
         say advisory.url
 
+        print_advisory_details advisory
+        print_advisory_solution advisory
+
+        say
+      end
+
+    protected
+      def print_affected_gem(gem)
+        say "Name: ", :red
+        say gem.name
+
+        say "Version: ", :red
+        say gem.version
+      end
+
+      def print_advisory_details(advisory)
         if options.verbose?
           say "Description:", :red
           say
@@ -111,11 +118,12 @@ module Bundler
           print_wrapped advisory.description, :indent => 2
           say
         else
-
           say "Title: ", :red
           say advisory.title
         end
+      end
 
+      def print_advisory_solution(advisory)
         unless advisory.patched_versions.empty?
           say "Solution: upgrade to ", :red
           say advisory.patched_versions.join(', ')
@@ -123,10 +131,15 @@ module Bundler
           say "Solution: ", :red
           say "remove or disable this gem until a patch is available!", [:red, :bold]
         end
-
-        say
       end
 
+      CRITICALITY_MAP = Hash({
+        :low    => ["Low"],
+        :medium => ["Medium", :yellow],
+        :high   => ["High", [:red, :bold]],
+      }) do |data, key|
+        "Unknown"
+      end
     end
   end
 end

data/lib/bundler/audit/database.rb

@@ -17,11 +17,12 @@
 # along with mrjoy-bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-require 'bundler/audit/advisory'
-
 require 'time'
 require 'yaml'
 
+require 'bundler/audit/advisory'
+require 'bundler/audit/vendored_time'
+
 module Bundler
   module Audit
     #
@@ -68,7 +69,7 @@ module Bundler
       def self.path
         if File.directory?(USER_PATH)
           t1 = Dir.chdir(USER_PATH) { Time.parse(`git log --pretty="%cd" -1`) }
-          t2 = File.ctime(VENDORED_PATH)
+          t2 = VENDORED_REPO_CTIME
 
           if t1 >= t2 then USER_PATH
           else             VENDORED_PATH

data/lib/bundler/audit/scanner.rb

@@ -62,36 +62,48 @@ module Bundler
       def scan(options={})
         return enum_for(__method__,options) unless block_given?
 
-        ignore = Set[]
-        ignore += options[:ignore] if options[:ignore]
+        get_insecure_sources.each { |source| yield source }
+        get_unpatched_gems(options[:ignore]).each { |gem| yield gem }
 
-        @lockfile.sources.map do |source|
+        return self
+      end
+
+    protected
+
+      def get_insecure_sources
+        insecure = []
+        @lockfile.sources.each do |source|
           case source
           when Source::Git
-            case source.uri
-            when /^git:/, /^http:/
-              yield InsecureSource.new(source.uri)
-            end
+            next unless(source.uri =~ /^(git|http):/)
+
+            insecure << InsecureSource.new(source.uri)
           when Source::Rubygems
-            source.remotes.each do |uri|
-              if uri.scheme == 'http'
-                yield InsecureSource.new(uri.to_s)
-              end
+            source.remotes.map do |uri|
+              next unless uri.scheme == 'http'
+
+              insecure << InsecureSource.new(uri.to_s)
             end
           end
         end
 
+        return insecure
+      end
+
+      def get_unpatched_gems(ignore)
+        ignore = Set.new(ignore) # If ignore is empty the Set will contain nil,
+                                 # but since we should never have a nil version
+                                 # that's a non-issue.
+        unpatched = []
         @lockfile.specs.each do |gem|
           @database.check_gem(gem) do |advisory|
-            unless ignore.include?(advisory.id)
-              yield UnpatchedGem.new(gem,advisory)
-            end
+            next if ignore.include?(advisory.id)
+
+            unpatched << UnpatchedGem.new(gem,advisory)
           end
         end
-
-        return self
+        return unpatched
       end
-
     end
   end
 end

data/lib/bundler/audit/vendored_time.rb

@@ -0,0 +1,9 @@
+
+# WARNING: DO NOT EDIT THIS FILE BY HAND.  IT IS AUTO-GENERATED!
+module Bundler
+  module Audit
+    class Database
+      VENDORED_REPO_CTIME = Time.parse("Wed Oct 23 11:22:06 2013 -0400")
+    end
+  end
+end

data/lib/bundler/audit/version.rb

@@ -20,6 +20,6 @@
 module Bundler
   module Audit
     # bundler-audit version
-    VERSION = '0.3.1'
+    VERSION = '0.3.2'
   end
 end

data/spec/advisory_spec.rb

@@ -8,13 +8,13 @@ describe Bundler::Audit::Advisory do
   let(:id)   { 'OSVDB-84243' }
   let(:path) { File.join(root,'gems',gem,"#{id}.yml") }
   let(:an_unaffected_version) do
-    YAML.
-      load(File.read(path))['unaffected_versions'].
-      map { |item| item.split(/\s*,\s*/) }.
-      flatten.
-      select { |ver| ver =~ /^(~>|>=|=|<=)/ }.
-      first.
-      sub(/^.*?(~>|>=|=|<=)\s+/, '')
+    Advisory.load(path).
+      unaffected_versions. # Only care about unaffected versions...
+      first.               # And even then, any will do.
+      requirements.        # This is where we find versions...
+      first.               # Again, any will do.
+      last.                # We don't care about the bound, just the version number.
+      to_s                 # And we'd like it as a string.
   end
 
   describe "load" do
@@ -28,6 +28,15 @@ describe Bundler::Audit::Advisory do
     its(:cvss_v2)     { should == data['cvss_v2']     }
     its(:description) { should == data['description'] }
 
+    context "YAML data not representing a hash" do
+      it "should raise an exception" do
+        path = File.expand_path('../fixtures/not_a_hash.yml', __FILE__)
+        expect {
+          Advisory.load(path)
+        }.to raise_exception("advisory data in #{path.dump} was not a Hash")
+      end
+    end
+
     describe "#patched_versions" do
       subject { described_class.load(path).patched_versions }
 

data/spec/database_spec.rb

@@ -9,6 +9,37 @@ describe Bundler::Audit::Database do
     it "it should be a directory" do
       File.directory?(subject).should be_true
     end
+
+    it "should prefer the user repo, iff it's as up to date, or more up to date than the vendored one" do
+      Bundler::Audit::Database.update!
+
+      # As up to date...
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+
+      # More up to date...
+      fake_a_commit_in_the_user_repo
+      expect(Bundler::Audit::Database.path).to eq mocked_user_path
+
+      roll_user_repo_back(2)
+      expect(Bundler::Audit::Database.path).to eq Bundler::Audit::Database::VENDORED_PATH
+    end
+  end
+
+  describe "update!" do
+    it "should create the USER_PATH path as needed" do
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+    end
+
+    it "should create the repo, then update it given multple successive calls." do
+      expect_update_to_clone_repo!
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+
+      expect_update_to_update_repo!
+      Bundler::Audit::Database.update!
+      expect(File.directory?(mocked_user_path)).to be true
+    end
   end
 
   describe "#initialize" do

data/spec/fixtures/not_a_hash.yml

@@ -0,0 +1,2 @@
+---
+"Just a string."

data/spec/integration_spec.rb

@@ -1,8 +1,6 @@
 require 'spec_helper'
 
 describe "CLI" do
-  include Helpers
-
   let(:directory) { File.join('spec','bundle',bundle) }
 
   context "when auditing a vulnerable bundle" do
@@ -16,8 +14,9 @@ describe "CLI" do
                                                     # zero-width prefix before
                                                     # the first match.
 
-      # Note the "{8,}" below indicates the minimum number of advisories that
-      # we should see matches for -- as a particular version of code will never
+      # Note the "{vuln_count}" below indicates the minimum number of
+      # advisories that we should see matches for -- as a particular version of
+      # code will never
       advisory_pattern = /(Name: [^\n]+
 Version: \d+\.\d+\.\d+
 Advisory: OSVDB-\d+

data/spec/spec_helper.rb

@@ -1,3 +1,7 @@
+require 'simplecov'
+require 'json'
+SimpleCov.start
+
 require 'rspec'
 require 'bundler/audit/version'
 
@@ -21,6 +25,48 @@ module Helpers
   def audit_in_directory(additions, directory, options={})
     Dir.chdir(directory) { decolorize(sh([executable, additions].compact.join(' '), options)) }
   end
+
+  def mocked_user_path
+    File.expand_path('../../tmp/data', __FILE__)
+  end
+
+  def expect_update_to_clone_repo!
+    Bundler::Audit::Database.
+      should_receive(:system).
+      with('git', 'clone', Bundler::Audit::Database::VENDORED_PATH, mocked_user_path).
+      and_call_original
+  end
+
+  def expect_update_to_update_repo!
+    Bundler::Audit::Database.
+      should_receive(:system).
+      with('git', 'pull', 'origin', 'master').
+      and_call_original
+  end
+
+  def fake_a_commit_in_the_user_repo
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'commit', '--allow-empty', '-m', 'Dummy commit.'
+    end
+  end
+
+  def roll_user_repo_back(num_commits)
+    Dir.chdir(mocked_user_path) do
+      system 'git', 'checkout', "HEAD~#{num_commits}"
+      system 'git', 'branch', '-f', 'master', 'HEAD'
+      system 'git', 'checkout', 'master'
+    end
+  end
 end
 
 include Bundler::Audit
+
+RSpec.configure do |config|
+  include Helpers
+
+  config.before(:each) do
+    stub_const("Bundler::Audit::Database::URL", Bundler::Audit::Database::VENDORED_PATH)
+    stub_const("Bundler::Audit::Database::USER_PATH", mocked_user_path)
+    FileUtils.rm_rf mocked_user_path if(File.exist?(mocked_user_path))
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mrjoy-bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.3.2
 platform: ruby
 authors:
 - Postmodern
@@ -55,6 +55,7 @@ files:
 - lib/bundler/audit/cli.rb
 - lib/bundler/audit/database.rb
 - lib/bundler/audit/scanner.rb
+- lib/bundler/audit/vendored_time.rb
 - lib/bundler/audit/version.rb
 - mrjoy-bundler-audit.gemspec
 - spec/advisory_spec.rb
@@ -63,6 +64,7 @@ files:
 - spec/bundle/secure/Gemfile
 - spec/bundle/unpatched_gems/Gemfile
 - spec/database_spec.rb
+- spec/fixtures/not_a_hash.yml
 - spec/integration_spec.rb
 - spec/scanner_spec.rb
 - spec/spec_helper.rb