ruby_audit 1.0.0

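--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 51cf3ff827f2fdbe2820e818de13a2218944ce9a
+data.tar.gz: 783bc7959bacd144fd046acf87abb019a2c79dd6
+SHA512:
+metadata.gz: 540ecf36b326b595bf50537d73196fbf4ceb1afa024a32311a4dde8d7ac932453ad60bcc4e80f259bc93d12f4fc4e0529d9e8374756606c16f34c152e769247a
+data.tar.gz: 7e2a5503bfe817c767271dd86b39155a04675e5d2fec28c23708fefd52e816c7cbdd10dee61b492425b3b3a1e8c45636db2c7fcc0d899e8ddd7893a3bbd21a96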
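--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/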
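--- a/data/.gitmodules
+++ b/data/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "vendor/ruby-advisory-db"]
+path = vendor/ruby-advisory-db
+url = https://github.com/rubysec/ruby-advisory-db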
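--- a/data/.rspec
+++ b/data/.rspec
@@ -0,0 +1 @@
+--color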
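--- a/data/.rubocop.yml
+++ b/data/.rubocop.yml
@@ -0,0 +1,13 @@
+Metrics/LineLength:
+Exclude:
+- 'ruby_audit.gemspec'
+
+Metrics/MethodLength:
+Max: 15
+
+Style/Documentation:
+Enabled: false
+
+Style/FileName:
+Exclude:
+- 'exe/ruby-audit'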
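--- a/data/.ruby-version
+++ b/data/.ruby-version
@@ -0,0 +1 @@
+2.3.0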
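--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -0,0 +1,5 @@
+language: ruby
+cache: bundler
+branches:
+only:
+- master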
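--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,5 @@
+# Change Log
+
+## 1.0.0 (2016-02-03)
+
+* Initial Release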
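--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -0,0 +1,27 @@
+# Contributing to RubyAudit
+
+We welcome pull requests from everyone!
+
+## Getting Started
+
+1. Fork it ( https://github.com/civisanalytics/ruby_audit/fork )
+2. Install the development dependencies (`bundle install`)
+3. Make sure you are able to run the test suite locally (`rake`)
+4. Create a feature branch (`git checkout -b my-new-feature`)
+5. Make your change. Don't forget tests
+6. Make sure the test suite, including your new tests, passes (`rake`)
+7. Commit your changes (`git commit -am 'Add some feature'`)
+8. Push to the branch (`git push origin my-new-feature`)
+9. Create a new pull request
+10. If the Travis build fails, address any issues
+
+## Tips
+
+- All pull requests must include test coverage. If you’re not sure how to test
+your changes, feel free to ask for help.
+- Contributions must conform to the
+[Ruby Style Guide](https://github.com/bbatsov/ruby-style-guide).
+- Don’t forget to add your change to the [CHANGELOG](CHANGELOG.md). See
+[Keep a CHANGELOG](http://keepachangelog.com/) for guidelines.
+
+Thank you for taking the time to contribute to RubyAudit!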
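--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in ruby_audit.gemspec
+gemspec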
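--- a/data/LICENSE.md
+++ b/data/LICENSE.md
@@ -0,0 +1,13 @@
+Copyright (C) 2016 Civis Analytics
+
+This program is free software: you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free Software
+Foundation, either version 3 of the License, or (at your option) any later
+version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with
+this program. If not, see <http://www.gnu.org/licenses/>.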
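--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,67 @@
+# RubyAudit
+
+[![Build Status](https://travis-ci.org/civisanalytics/ruby_audit.svg?branch=master)](https://travis-ci.org/civisanalytics/ruby_audit)
+[![Gem Version](https://badge.fury.io/rb/ruby_audit.svg)](http://badge.fury.io/rb/ruby_audit)
+[![Dependency Status](https://gemnasium.com/civisanalytics/ruby_audit.svg)](https://gemnasium.com/civisanalytics/ruby_audit)
+
+RubyAudit checks your current version of Ruby and RubyGems against known security vulnerabilities (CVEs), alerting you if you are using an insecure version.
+It complements [bundler-audit](https://github.com/rubysec/bundler-audit), providing complete coverage for your Ruby stack.
+If you use Bundler, you should use both RubyAudit and bundler-audit.
+
+RubyAudit is based on and leverages bundler-audit, and would not exist without the hard work of the [rubysec](https://github.com/rubysec) team, specifically bundler-audit and [ruby-advisory-db](https://github.com/rubysec/ruby-advisory-db).
+
+"If I have seen further it is by standing on the shoulders of Giants." -- Isaac Newton
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'ruby_audit'
+```
+
+And then execute:
+
+$ bundle
+
+Or install it yourself as:
+
+$ gem install ruby_audit
+
+## Usage
+
+To check your current version of Ruby and RubyGems:
+
+```bash
+$ ruby-audit check
+```
+
+You can ignore specific advisories by specifying `-i <advisory>`:
+
+```bash
+$ ruby-audit check -i CVE-2015-7551
+```
+
+By default, RubyAudit will check for updates to the ruby-advisory-db when it runs.
+If you are using RubyAudit offline, you can bypass this check by specifying `-n`:
+
+```bash
+$ ruby-audit check -n
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies.
+Then, run `rake spec` to run the tests.
+You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+See [CONTRIBUTING](CONTRIBUTING.md).
+
+## License
+
+RubyAudit is released under the [GNU General Public License version 3](LICENSE.md).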
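--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,9 @@
+require 'bundler/gem_tasks'
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
+
+require 'rubocop/rake_task'
+RuboCop::RakeTask.new
+
+task default: [:rubocop, :spec]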
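--- a/data/bin/console
+++ b/data/bin/console
@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'ruby_audit'
+
+require 'pry'
+Pry.start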
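--- a/data/bin/setup
+++ b/data/bin/setup
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here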
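--- a/data/exe/ruby-audit
+++ b/data/exe/ruby-audit
@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'ruby_audit'
+
+RubyAudit::CLI.start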
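Review bot: `require 'bundler/setup'` on line 3 of the installed executable ties it to a Gemfile in the caller's working directory; run from a directory without one (the `gem install ruby_audit` path the README documents), Bundler raises before the CLI starts, as far as I can tell from Bundler's behaviour. The gem's own dependency on bundler-audit is resolved by RubyGems when the gem is activated, so the line is only appropriate in development scripts such as bin/console. I would drop it and keep `require 'ruby_audit'` followed by `RubyAudit::CLI.start`.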
data/lib/ruby_audit.rb ADDED
@@ -0,0 +1,5 @@
1
+ require 'bundler/audit/cli'
2
+ require 'ruby_audit/cli'
3
+ require 'ruby_audit/database'
4
+ require 'ruby_audit/scanner'
5
+ require 'ruby_audit/version'
@@ -0,0 +1,68 @@
1
+ module RubyAudit
2
+ class CLI < Bundler::Audit::CLI
3
+ desc 'check', 'Checks Ruby and RubyGems for insecure versions'
4
+ method_option :ignore, type: :array, aliases: '-i'
5
+ method_option :no_update, type: :boolean, aliases: '-n'
6
+ method_option :verbose, type: :boolean, aliases: '-v'
7
+ def check
8
+ update unless options[:no_update]
9
+
10
+ check_for_stale_database
11
+
12
+ scanner = Scanner.new
13
+ vulnerable = false
14
+
15
+ scanner.scan(ignore: options[:ignore]) do |result|
16
+ vulnerable = true
17
+ print_advisory result.gem, result.advisory
18
+ end
19
+
20
+ if vulnerable
21
+ say 'Vulnerabilities found!', :red
22
+ exit 1
23
+ else
24
+ say 'No vulnerabilities found', :green
25
+ end
26
+ end
27
+
28
+ # Copied from bundler-audit master. Not present in 0.4.0.
29
+ desc 'update', 'Updates the ruby-advisory-db'
30
+ def update
31
+ say 'Updating ruby-advisory-db ...'
32
+
33
+ case Database.update!
34
+ when true
35
+ say 'Updated ruby-advisory-db', :green
36
+ when false
37
+ say 'Failed updating ruby-advisory-db!', :red
38
+ exit 1
39
+ when nil
40
+ say 'Skipping update', :yellow
41
+ end
42
+
43
+ puts "ruby-advisory-db: #{Database.new.size} advisories"
44
+ end
45
+
46
+ desc 'version', 'Prints the ruby-audit version'
47
+ def version
48
+ database = Database.new
49
+ puts "#{File.basename($PROGRAM_NAME)} #{VERSION} "\
50
+ "(advisories: #{database.size})"
51
+ end
52
+
53
+ private
54
+
55
+ def check_for_stale_database
56
+ database = Database.new
57
+ if database.size == 89
58
+ # bundler-audit 0.4.0 comes bundled with an old verison of
59
+ # ruby-advisory-db that has 89 advisories and NO advisories for Ruby
60
+ # or RubyGems. If #size == 89, the database has never been updated.
61
+ say 'The database must be updated before using RubyAudit', :red
62
+ exit 1
63
+ elsif database.stale
64
+ say 'The database has not been updated in over 7 days', :yellow
65
+ end
66
+ end
67
+ end
68
+ end
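Review bot: `check_for_stale_database` decides that the database has never been updated solely by `database.size == 89`, a count tied to the exact advisory snapshot vendored in bundler-audit 0.4.0; any other vendored snapshot passes this check, and `check` then reports `No vulnerabilities found` against a database that may contain no Ruby or RubyGems advisories at all — a silent false negative in the one tool meant to catch them. A structural check mirrors what the scanner actually reads: `if Dir.glob(File.join(database.path, '{rubies,libraries}', '*', '*.yml')).empty?` (assuming the `path` reader bundler-audit's Database exposes, which the subclass already reads as `@path`), with the same red message and `exit 1`. The comment on lines 58–60 should then explain that the vendored database predates the Ruby/RubyGems advisory directories, and it has a typo, `verison`.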
@@ -0,0 +1,49 @@
1
+ module RubyAudit
2
+ class Database < Bundler::Audit::Database
3
+ def advisories_for(name, type)
4
+ return enum_for(__method__, name, type) unless block_given?
5
+
6
+ each_advisory_path_for(name, type) do |path|
7
+ yield Bundler::Audit::Advisory.load(path)
8
+ end
9
+ end
10
+
11
+ def check_ruby(ruby, &block)
12
+ check(ruby, 'rubies', &block)
13
+ end
14
+
15
+ def check_library(library, &block)
16
+ check(library, 'libraries', &block)
17
+ end
18
+
19
+ def check(object, type = 'gems')
20
+ return enum_for(__method__, object, type) unless block_given?
21
+
22
+ advisories_for(object.name, type) do |advisory|
23
+ yield advisory if advisory.vulnerable?(object.version)
24
+ end
25
+ end
26
+
27
+ def stale
28
+ if File.directory?(USER_PATH) &&
29
+ File.exist?(File.join(USER_PATH, '.git'))
30
+ ts = Time.parse(
31
+ `cd #{USER_PATH} && git log --date=iso8601 --pretty="%cd" -1`).utc
32
+ ts < (Date.today - 7).to_time
33
+ else
34
+ true
35
+ end
36
+ end
37
+
38
+ protected
39
+
40
+ def each_advisory_path(&block)
41
+ Dir.glob(File.join(@path, '{gems,libraries,rubies}', '*', '*.yml'),
42
+ &block)
43
+ end
44
+
45
+ def each_advisory_path_for(name, type = 'gems', &block)
46
+ Dir.glob(File.join(@path, type, name, '*.yml'), &block)
47
+ end
48
+ end
49
+ end
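Review bot: `stale` builds its git command by string interpolation, `` `cd #{USER_PATH} && git log ...` ``, so a home directory containing spaces or shell metacharacters breaks the command, and because backticks return an empty string when the command fails, `Time.parse` then raises ArgumentError and aborts `check` instead of reporting the database as stale. Run git without a shell and treat empty output as stale, as below. `Time.parse` and `Date` also need `time` and `date` loaded, which this file does not require itself and presumably inherits from bundler-audit — worth requiring explicitly so the method does not depend on load order.
```ruby
def stale
  return true unless File.directory?(USER_PATH) &&
                     File.exist?(File.join(USER_PATH, '.git'))

  # No shell: the repository path is passed as a spawn option, not interpolated.
  out = IO.popen(%w(git log --date=iso8601 --pretty=%cd -1),
                 chdir: USER_PATH, &:read)
  return true if out.strip.empty?

  Time.parse(out).utc < (Date.today - 7).to_time
end
```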
@@ -0,0 +1,80 @@
1
+ module RubyAudit
2
+ class Scanner < Bundler::Audit::Scanner
3
+ class Version
4
+ def initialize(name, version)
5
+ @name = name
6
+ @version = Gem::Version.new(version)
7
+ end
8
+
9
+ attr_reader :name, :version
10
+ end
11
+
12
+ def initialize
13
+ @database = Database.new
14
+ end
15
+
16
+ def scan(options = {}, &block)
17
+ return enum_for(__method__, options) unless block
18
+
19
+ scan_ruby(options, &block)
20
+ scan_rubygems(options, &block)
21
+
22
+ self
23
+ end
24
+
25
+ def scan_ruby(options = {}, &block)
26
+ if RUBY_PATCHLEVEL < 0
27
+ version = ruby_version
28
+ else
29
+ version = "#{RUBY_VERSION}.#{RUBY_PATCHLEVEL}"
30
+ end
31
+ specs = [Version.new(RUBY_ENGINE, version)]
32
+ scan_inner(specs, 'ruby', options, &block)
33
+ end
34
+
35
+ def scan_rubygems(options = {}, &block)
36
+ specs = [Version.new('rubygems', rubygems_version)]
37
+ scan_inner(specs, 'library', options, &block)
38
+ end
39
+
40
+ private
41
+
42
+ def ruby_version
43
+ # .gsub to separate strings (e.g., 2.1.0dev -> 2.1.0.dev,
44
+ # 2.2.0preview1 -> 2.2.0.preview.1).
45
+ `ruby --version`.split[1]
46
+ .gsub(/(\d)([a-z]+)/, '\1.\2')
47
+ .gsub(/([a-z]+)(\d)/, '\1.\2')
48
+ end
49
+
50
+ def rubygems_version
51
+ `gem --version`.strip
52
+ end
53
+
54
+ def scan_inner(specs, type, options = {})
55
+ return enum_for(__method__, options) unless block_given?
56
+
57
+ ignore = Set[]
58
+ ignore += options[:ignore] if options[:ignore]
59
+
60
+ specs.each do |spec|
61
+ @database.send("check_#{type}".to_sym, spec) do |advisory|
62
+ unless ignore.include?(cve_id(advisory)) ||
63
+ ignore.include?(osvdb_id(advisory))
64
+ yield UnpatchedGem.new(spec, advisory)
65
+ end
66
+ end
67
+ end
68
+ end
69
+
70
+ # Workaround for advisory.cve_id, present in master but not 0.4.0.
71
+ def cve_id(advisory)
72
+ "CVE-#{advisory.cve}" if advisory.cve
73
+ end
74
+
75
+ # Workaround for advisory.osvdb_id, present in master but not 0.4.0.
76
+ def osvdb_id(advisory)
77
+ "OSVDB-#{advisory.osvdb}" if advisory.osvdb
78
+ end
79
+ end
80
+ end
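Review bot: `scan_inner`'s enumerator fallback on line 55 passes the wrong arguments, `enum_for(__method__, options)`, so calling it without a block returns an Enumerator that fails with ArgumentError on first use because `specs` and `type` are dropped; it should read `return enum_for(__method__, specs, type, options) unless block_given?`. Separately, `ruby_version` and `rubygems_version` shell out to whichever `ruby` and `gem` are first on PATH, which under version managers or shims need not be the interpreter running the audit, so the verdict can be for a different Ruby than the one in use; `RUBY_DESCRIPTION.split[1]` gives the running interpreter's version string in the same `2.3.0dev` form, and `def rubygems_version; Gem::VERSION; end` gives the in-process RubyGems version without a subprocess. `@database.send("check_#{type}".to_sym, spec)` on line 61 could be `public_send`, since both targets are public and `send` would silently bypass visibility.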
@@ -0,0 +1,3 @@
1
+ module RubyAudit
2
+ VERSION = '1.0.0'
3
+ end
@@ -0,0 +1,33 @@
1
+ # coding: utf-8
2
+ lib = File.expand_path('../lib', __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require 'ruby_audit/version'
5
+
6
+ Gem::Specification.new do |spec|
7
+ spec.name = 'ruby_audit'
8
+ spec.version = RubyAudit::VERSION
9
+ spec.authors = ['Jeff Cousens']
10
+ spec.email = ['opensource@civisanalytics.com']
11
+
12
+ spec.summary = 'Checks Ruby and RubyGems against known vulnerabilities.'
13
+ spec.description = 'RubyAudit checks your current version of Ruby and ' \
14
+ 'RubyGems against known security vulnerabilities ' \
15
+ '(CVEs), alerting you if you are using an insecure ' \
16
+ 'version. It complements bundler-audit, providing ' \
17
+ 'complete coverage for your Ruby stack.'
18
+ spec.homepage = 'https://github.com/civisanalytics/ruby_audit'
19
+ spec.license = 'GPLv3'
20
+
21
+ spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
22
+ spec.bindir = 'exe'
23
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
24
+ spec.require_paths = ['lib']
25
+
26
+ spec.add_dependency 'bundler-audit', '~> 0.4.0'
27
+ spec.add_development_dependency 'bundler', '~> 1.11'
28
+ spec.add_development_dependency 'pry', '~> 0.10.3'
29
+ spec.add_development_dependency 'rake', '~> 10.5'
30
+ spec.add_development_dependency 'rspec', '~> 3.4'
31
+ spec.add_development_dependency 'rubocop', '~> 0.35.0'
32
+ spec.add_development_dependency 'timecop', '~> 0.8.0'
33
+ end
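Review bot: `spec.license = 'GPLv3'` on line 19 is not an SPDX identifier, so RubyGems cannot match it against the license list (newer RubyGems versions warn at build time); given LICENSE.md's "version 3 or any later version" wording the matching identifier is `GPL-3.0+` (newer spelling `GPL-3.0-or-later`), or `GPL-3.0` if exact v3 is intended. The `~> 0.4.0` pin on bundler-audit is load-bearing because cli.rb and scanner.rb copy `update`, `cve_id` and `osvdb_id` from bundler-audit master; a comment next to `spec.add_dependency 'bundler-audit', '~> 0.4.0'` saying `# cli.rb/scanner.rb carry copies of master-only helpers; drop them when this is raised` would save the next maintainer a surprise.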
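--- a/metadata
+++ b/metadata
@@ -0,0 +1,166 @@
+--- !ruby/object:Gem::Specification
+name: ruby_audit
+version: !ruby/object:Gem::Version
+version: 1.0.0
+platform: ruby
+authors:
+- Jeff Cousens
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2016-02-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: bundler-audit
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.4.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.4.0
+- !ruby/object:Gem::Dependency
+name: bundler
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.11'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.11'
+- !ruby/object:Gem::Dependency
+name: pry
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.10.3
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.10.3
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.5'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.5'
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.4'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.4'
+- !ruby/object:Gem::Dependency
+name: rubocop
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.35.0
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.35.0
+- !ruby/object:Gem::Dependency
+name: timecop
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.8.0
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.8.0
+description: RubyAudit checks your current version of Ruby and RubyGems against known
+security vulnerabilities (CVEs), alerting you if you are using an insecure version.
+It complements bundler-audit, providing complete coverage for your Ruby stack.
+email:
+- opensource@civisanalytics.com
+executables:
+- ruby-audit
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".gitmodules"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".travis.yml"
+- CHANGELOG.md
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE.md
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/ruby-audit
+- lib/ruby_audit.rb
+- lib/ruby_audit/cli.rb
+- lib/ruby_audit/database.rb
+- lib/ruby_audit/scanner.rb
+- lib/ruby_audit/version.rb
+- ruby_audit.gemspec
+homepage: https://github.com/civisanalytics/ruby_audit
+licenses:
+- GPLv3
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.5.1
+signing_key:
+specification_version: 4
+summary: Checks Ruby and RubyGems against known vulnerabilities.
+test_files: []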