RubyGems - mrjoy-bundler-audit - Versions diffs - 0.3.3 → 0.3.4 - Mend

mrjoy-bundler-audit 0.3.3 → 0.3.4

Files changed (121) hide show

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mrjoy-bundler-audit
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.3.4
 platform: ruby
 authors:
 - Postmodern
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-04-16 00:00:00.000000000 Z
+date: 2014-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -54,7 +54,6 @@ extra_rdoc_files:
 files:
 - ".document"
 - ".gitignore"
-- ".gitmodules"
 - ".rspec"
 - ".ruby-gemset"
 - ".ruby-version"
@@ -66,107 +65,6 @@ files:
 - README.md
 - Rakefile
 - bin/bundle-audit
-- data/ruby-advisory-db.ts
-- data/ruby-advisory-db/.gitignore
-- data/ruby-advisory-db/.rspec
-- data/ruby-advisory-db/CONTRIBUTING.md
-- data/ruby-advisory-db/CONTRIBUTORS.md
-- data/ruby-advisory-db/Gemfile
-- data/ruby-advisory-db/LICENSE.txt
-- data/ruby-advisory-db/README.md
-- data/ruby-advisory-db/Rakefile
-- data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-79727.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-84515.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml
-- data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml
-- data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml
-- data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml
-- data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml
-- data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml
-- data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml
-- data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml
-- data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml
-- data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml
-- data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml
-- data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml
-- data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml
-- data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml
-- data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml
-- data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml
-- data/ruby-advisory-db/gems/crack/OSVDB-90742.yml
-- data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml
-- data/ruby-advisory-db/gems/curl/OSVDB-91230.yml
-- data/ruby-advisory-db/gems/devise/OSVDB-89642.yml
-- data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml
-- data/ruby-advisory-db/gems/echor/OSVDB-102129.yml
-- data/ruby-advisory-db/gems/echor/OSVDB-102130.yml
-- data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml
-- data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml
-- data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml
-- data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml
-- data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml
-- data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml
-- data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml
-- data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml
-- data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml
-- data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml
-- data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml
-- data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml
-- data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml
-- data/ruby-advisory-db/gems/json/OSVDB-90074.yml
-- data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml
-- data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml
-- data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml
-- data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
-- data/ruby-advisory-db/gems/mail/OSVDB-70667.yml
-- data/ruby-advisory-db/gems/mail/OSVDB-81631.yml
-- data/ruby-advisory-db/gems/mail/OSVDB-81632.yml
-- data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml
-- data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml
-- data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml
-- data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml
-- data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml
-- data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml
-- data/ruby-advisory-db/gems/nori/OSVDB-90196.yml
-- data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml
-- data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml
-- data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml
-- data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml
-- data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml
-- data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml
-- data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml
-- data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml
-- data/ruby-advisory-db/gems/rack/OSVDB-89939.yml
-- data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml
-- data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml
-- data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml
-- data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml
-- data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml
-- data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml
-- data/ruby-advisory-db/gems/spree/OSVDB-91216.yml
-- data/ruby-advisory-db/gems/spree/OSVDB-91217.yml
-- data/ruby-advisory-db/gems/spree/OSVDB-91218.yml
-- data/ruby-advisory-db/gems/spree/OSVDB-91219.yml
-- data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml
-- data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml
-- data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml
-- data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml
-- data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml
-- data/ruby-advisory-db/lib/scrape.rb
-- data/ruby-advisory-db/spec/advisory_example.rb
-- data/ruby-advisory-db/spec/gems_spec.rb
-- data/ruby-advisory-db/spec/spec_helper.rb
 - gemspec.yml
 - lib/bundler/audit.rb
 - lib/bundler/audit/advisory.rb
@@ -179,9 +77,14 @@ files:
 - spec/advisory_spec.rb
 - spec/audit_spec.rb
 - spec/bundle/insecure_sources/Gemfile
+- spec/bundle/insecure_sources/Gemfile.lock
 - spec/bundle/secure/Gemfile
+- spec/bundle/secure/Gemfile.lock
 - spec/bundle/unpatched_gems/Gemfile
+- spec/bundle/unpatched_gems/Gemfile.lock
+- spec/bundle/wrapper.rb
 - spec/database_spec.rb
+- spec/fixtures/OSVDB-84243.yml
 - spec/fixtures/not_a_hash.yml
 - spec/integration_spec.rb
 - spec/rake_task_spec.rb

data/.gitmodules DELETED Viewed

@@ -1,3 +0,0 @@
-[submodule "data/ruby-advisory-db"]
-	path = data/ruby-advisory-db
-	url = https://github.com/rubysec/ruby-advisory-db.git

data/data/ruby-advisory-db.ts DELETED Viewed

	@@ -1 +0,0 @@
1	- 2014-04-10 19:47:28 UTC

data/data/ruby-advisory-db/.gitignore DELETED Viewed

	@@ -1 +0,0 @@
1	- Gemfile.lock

data/data/ruby-advisory-db/.rspec DELETED Viewed

	@@ -1 +0,0 @@
1	- --colour

data/data/ruby-advisory-db/CONTRIBUTING.md DELETED Viewed

@@ -1,6 +0,0 @@
-# Contributing Guidelines
-## Style
-1. All text must be within 80 columns.
-2. YAML must be indented by 2 spaces.

data/data/ruby-advisory-db/CONTRIBUTORS.md DELETED Viewed

@@ -1,24 +0,0 @@
-### Acknowledgements
-This database would not be possible without volunteers willing to submit pull requests.
-Thanks,
-* [Postmodern](https://github.com/postmodern/)
-* [Max Veytsman](https://twitter.com/mveytsman)
-* [Pietro Monteiro](https://github.com/pietro)
-* [Eric Hodel](https://github.com/drbrain)
-* [Brendon Murphy](https://github.com/bemurphy)
-* [Oliver Legg](https://github.com/olly)
-* [Larry W. Cashdollar](http://vapid.dhs.org/)
-* [Michael Grosser](https://github.com/grosser)
-* [Sascha Korth](https://github.com/skorth)
-* [David Radcliffe](https://github.com/dwradcliffe)
-* [Jörg Schiller](https://github.com/joergschiller)
-* [Derek Prior](https://github.com/derekprior)
-* [Joel Chippindale](https://github.com/mocoso)
-* [Josef Šimánek](https://github.com/simi)
-* [Amiel Martin](https://github.com/amiel)
-* [Eric Hodel](https://github.com/drbrain)
-* [Jeremy Olliver](https://github.com/jeremyolliver)
-* [Vasily Vasinov](https://github.com/vasinov)
-* [Phill MV](https://twitter.com/phillmv)

data/data/ruby-advisory-db/Gemfile DELETED Viewed

@@ -1,3 +0,0 @@
-source 'https://rubygems.org'
-gem 'pry'
-gem 'mechanize'

data/data/ruby-advisory-db/LICENSE.txt DELETED Viewed

@@ -1,5 +0,0 @@
-If you submit code or data to the ruby-advisory-db that is copyrighted by yourself, upon submission you hereby agree to release it into the public domain.
-However, not all of the ruby-advisory-db can be considered public domain. The ruby-advisory-db may contain some information copyrighted by the Open Source Vulnerability Database (http://osvdb.org). If you use ruby-advisory-db data to build a product or a service, it is your responsibility to familiarize yourself with the terms of their license: http://www.osvdb.org/osvdb_license
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/data/ruby-advisory-db/README.md DELETED Viewed

@@ -1,82 +0,0 @@
-# Ruby Advisory Database
-The Ruby Advisory Database aims to compile all advisories that are relevant to Ruby libraries.
-## Goals
-1. Provide advisory **metadata** in a **simple** yet **structured** [YAML]
-   schema for automated tools to consume.
-2. Avoid reinventing [CVE]s.
-3. Avoid duplicating the efforts of the [OSVDB].
-## Directory Structure
-The database is a list of directories that match the names of Ruby libraries on
-[rubygems.org]. Within each directory are one or more advisory files
-for the Ruby library. These advisory files are typically named using
-the advisories [OSVDB] identifier number.
-    gems/:
-      actionpack/:
-        OSVDB-79727.yml  OSVDB-84513.yml  OSVDB-89026.yml  OSVDB-91454.yml
-        OSVDB-84243.yml  OSVDB-84515.yml  OSVDB-91452.yml
-## Format
-Each advisory file contains the advisory information in [YAML] format:
-    ---
-    gem: actionpack
-    framework: rails
-    cve: 2013-0156
-    osvdb: 89026
-    url: http://osvdb.org/show/osvdb/89026
-    title: |
-      Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
-      Remote Code Execution
-    description: |
-      Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
-      The issue is triggered when a type casting error occurs during the parsing
-      of parameters. This may allow a remote attacker to potentially execute
-      arbitrary code.
-    cvss_v2: 10.0
-    patched_versions:
-      - ~> 2.3.15
-      - ~> 3.0.19
-      - ~> 3.1.10
-      - ">= 3.2.11"
-### Schema
-* `gem` \[String\]: Name of the affected gem.
-* `framework` \[String\] (optional): Name of framework gem belongs to.
-* `platform` \[String\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. JRuby)
-* `cve` \[String\]: CVE id.
-* `osvdb` \[Fixnum\]: OSVDB id.
-* `url` \[String\]: The URL to the full advisory.
-* `title` \[String\]: The title of the advisory.
-* `date` \[Date\]: Disclosure date of the advisory.
-* `description` \[String\]: Multi-paragraph description of the vulnerability.
-* `cvss_v2` \[Float\]: The [CVSSv2] score for the vulnerability.
-* `unaffected_versions` \[Array\<String\>\] (optional): The version requirements for the
-  unaffected versions of the Ruby library.
-* `patched_versions` \[Array\<String\>\]: The version requirements for the
-  patched versions of the Ruby library.
-## Credits
-Please see [CONTRIBUTORS.md].
-This database also includes data from the [Open Source Vulnerability Database][OSVDB]
-developed by the Open Security Foundation (OSF) and its contributors.
-[rubygems.org]: https://rubygems.org/
-[CVE]: http://cve.mitre.org/
-[OSVDB]: http://www.osvdb.org/
-[CVSSv2]: http://www.first.org/cvss/cvss-guide.html
-[OSVDB]: http://www.osvdb.org/
-[YAML]: http://www.yaml.org/
-[CONTRIBUTORS.md]: https://github.com/rubysec/ruby-advisory-db/blob/master/CONTRIBUTORS.md

data/data/ruby-advisory-db/Rakefile DELETED Viewed

@@ -1,27 +0,0 @@
-require 'yaml'
-namespace :lint do
-  begin
-    gem 'rspec', '~> 2.4'
-    require 'rspec/core/rake_task'
-    RSpec::Core::RakeTask.new(:yaml)
-  rescue LoadError => e
-    task :spec do
-      abort "Please run `gem install rspec` to install RSpec."
-    end
-  end
-  task :cve do
-    Dir.glob('gems/*/*.yml') do |path|
-      advisory = YAML.load_file(path)
-      unless advisory['cve']
-        puts "Missing CVE: #{path}"
-      end
-    end
-  end
-end
-task :lint    => ['lint:yaml', 'lint:cve']
-task :default => :lint

data/data/ruby-advisory-db/gems/actionmailer/OSVDB-98629.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: actionmailer
-cve: 2013-4389
-osvdb: 98629
-url: http://www.osvdb.org/show/osvdb/98629
-title: Action Mailer Gem for Ruby contains a possible DoS Vulnerability
-date: 2013-10-16
-description: Action Mailer Gem for Ruby contains a format string flaw in
-  the Log Subscriber component. The issue is triggered as format string
-  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied
-  input when handling email addresses. This may allow a remote attacker
-  to cause a denial of service
-cvss_v2: 4.3
-unaffected_versions:
-  - ~> 2.3.2
-patched_versions:
-  - '>= 3.2.15'

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6415
-osvdb: 100524
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
-title: XSS Vulnerability in number_to_currency
-date: 2013-12-03
-description: |
-  There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.
-  The number_to_currency helper allows users to nicely format a numeric value. One
-  of the parameters to the helper (unit) is not escaped correctly.  Applications
-  which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
-cvss_v2:
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6414
-osvdb: 100525
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
-title: Denial of Service Vulnerability in Action View
-date: 2013-12-03
-description: |
-  There is a denial of service vulnerability in the header handling component of
-  Action View.
-cvss_v2:
-unaffected_versions:
-  - ~> 2.3.0
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml DELETED Viewed

@@ -1,27 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6416
-osvdb: 100526
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
-title: XSS Vulnerability in simple_format helper
-date: 2013-12-03
-description: |
-  There is a vulnerability in the simple_format helper in Ruby on Rails.
-  The simple_format helper converts user supplied text into html text
-  which is intended to be safe for display. A change made to the
-  implementation of this helper means that any user provided HTML
-  attributes will not be escaped correctly. As a result of this error,
-  applications which pass user-controlled data to be included as html
-  attributes will be vulnerable to an XSS attack.
-cvss_v2:
-unaffected_versions:
-  - ~> 2.3.0
-  - ~> 3.1.0
-  - ~> 3.2.0
-patched_versions:
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml DELETED Viewed

@@ -1,24 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6417
-osvdb: 100527
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
-title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
-date: 2013-12-03
-description: |
-  The prior fix to CVE-2013-0155 was incomplete and the use of common
-  3rd party libraries can accidentally circumvent the protection. Due
-  to the way that Rack::Request and Rails::Request interact, it is
-  possible for a 3rd party or custom rack middleware to parse the
-  parameters insecurely and store them in the same key that Rails uses
-  for its own parameters.  In the event that happens the application
-  will receive unsafe parameters and could be vulnerable to the earlier
-  vulnerability.
-cvss_v2:
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml DELETED Viewed

@@ -1,22 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-4491
-osvdb: 100528
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
-title: Reflective XSS Vulnerability in Ruby on Rails
-date: 2013-12-03
-description: |
-  There is a vulnerability in the internationalization component of Ruby on
-  Rails. Under certain common configurations an attacker can provide specially
-  crafted input which will execute a reflective XSS attack.
-  The root cause of this issue is a vulnerability in the i18n gem which has
-  been assigned the identifier CVE-2013-4492.
-cvss_v2:
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"