ruby_audit 1.0.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 51cf3ff827f2fdbe2820e818de13a2218944ce9a
-  data.tar.gz: 783bc7959bacd144fd046acf87abb019a2c79dd6
+SHA256:
+  metadata.gz: b939a8de9d5f33649faf17b6181580235b4c40566e5582d99220bcf36588afb2
+  data.tar.gz: 22d2f224e26baac967f47a402f971175c3c7489af24720f31edc2d3d301efa5e
 SHA512:
-  metadata.gz: 540ecf36b326b595bf50537d73196fbf4ceb1afa024a32311a4dde8d7ac932453ad60bcc4e80f259bc93d12f4fc4e0529d9e8374756606c16f34c152e769247a
-  data.tar.gz: 7e2a5503bfe817c767271dd86b39155a04675e5d2fec28c23708fefd52e816c7cbdd10dee61b492425b3b3a1e8c45636db2c7fcc0d899e8ddd7893a3bbd21a96
+  metadata.gz: c04e0bf277cbb8ad80690abb7adb4680c811479e952e08257a9ae7a89792fb33e08acc7a1674195a88592c01a865fd47a2d71501b9642c37330dcd1f71bbca12
+  data.tar.gz: 5c54e924a470a1d9ecc7e8f913ddd50aa3e5d8f4540a70afa8e9636187cac3d9ecd4993d62f3bb6936d791bcc259c3bebf2ebe305e492905950c9709cc4a9d26

data/.rspec

@@ -1 +1,2 @@
 --color
+--warnings  

data/.rubocop.yml

@@ -1,13 +1,28 @@
-Metrics/LineLength:
+AllCops:
+  TargetRubyVersion: 2.5
+  NewCops: enable
+  SuggestExtensions: false
+
+Layout/LineLength:
   Exclude:
     - 'ruby_audit.gemspec'
 
 Metrics/MethodLength:
   Max: 15
 
+Metrics/BlockLength:
+  IgnoredMethods:
+    - describe
+
 Style/Documentation:
   Enabled: false
 
-Style/FileName:
+Naming/FileName:
   Exclude:
     - 'exe/ruby-audit'
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/NumericPredicate:
+  Enabled: false

data/.ruby-version

@@ -1 +1 @@
-2.3.0
+3.0.0

data/.travis.yml

@@ -1,5 +1,10 @@
 language: ruby
 cache: bundler
+rvm:
+  - 2.5.8
+  - 2.6.6
+  - 2.7.2
+  - 3.0.0
 branches:
   only:
     - master

data/CHANGELOG.md

@@ -1,5 +1,88 @@
 # Change Log
 
+All notable changes to this project will be documented in this file.
+This project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased]
+
+## [2.0.0] - 2021-03-22
+
+### Added
+
+* Require bundler-audit 0.8
+* Added Ruby 3.0 to the Travis matrix
+
+### Removed
+
+* Removed support for bundler-audit 0.7
+
+## [1.3.0] - 2020-07-01
+
+### Added
+
+* Added Ruby 2.5, 2.6, and 2.7 to the Travis matrix
+* Added the ability to ignore an advisory by its GHSA identifier
+
+### Changed
+
+* Bumped the bundler-audit version to 0.7
+* Bumped the Ruby version for development to 2.7.1
+* Bumped the Pry version for development to 0.13
+* Bumped the Rake version for development to 13
+* Bumped the Rspec version for development to 3.9
+* Bumped the RuboCop version for development to 0.86
+* Bumped the Timecop verison for development to 0.9
+* RuboCop fixes
+
+### Removed
+
+* Removed Ruby 2.1 through 2.4 from the Travis matrix
+* Removed the explicit Bundler dependency for development, since it is now included with RubyGems
+
+## [1.2.0] - 2017-09-21
+
+### Added
+
+* Added 2.4 to the Travis matrix ([@errm])
+
+### Changed
+
+* Bumped the bundler-audit version to 0.6 ([@errm])
+* Bumped the RuboCop version for development to 0.50 ([@errm])
+* Bumped the Ruby version for development to 2.4.2 ([@errm])
+
+## [1.1.0] - 2016-09-15
+
+### Added
+
+* Added a matrix build of 2.1, 2.2, and 2.3 to Travis
+
+### Changed
+
+* Added a [Code of Conduct](CODE_OF_CONDUCT.md)
+* Bumped the bundler-audit version to 0.5
+* Bumped the RSpec version for development to 3.5
+* Bumped the Rake version for development to 11.2
+* Bumped the RuboCop version for development to 0.42
+* Bumped the Ruby version for development to 2.3.1
+
+## [1.0.1] - 2016-02-03
+
+### Fixed
+
+* [#1](https://github.com/civisanalytics/ruby_audit/pull/1)
+  removing unreliable last-update check
+
 ## 1.0.0 (2016-02-03)
 
 * Initial Release
+
+[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD
+[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
+[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0
+[1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0
+[1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0
+[1.0.1]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.0...v1.0.1
+[1.0.0]: https://github.com/civisanalytics/ruby_audit/commit/7535b70412641c888c80d99514b27ba254fb8316
+
+[@errm]: https://github.com/errm

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,50 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer at opensource@civisanalytics.com.
+All complaints will be reviewed and investigated and will result in a response
+that is deemed necessary and appropriate to the circumstances. Maintainers are
+obligated to maintain confidentiality with regard to the reporter of an
+incident.
+
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/CONTRIBUTING.md

@@ -1,6 +1,7 @@
 # Contributing to RubyAudit
 
-We welcome pull requests from everyone!
+We welcome bug reports and pull requests from everyone!
+This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
 
 ## Getting Started
 

data/README.md

@@ -1,8 +1,7 @@
 # RubyAudit
 
-[![Build Status](https://travis-ci.org/civisanalytics/ruby_audit.svg?branch=master)](https://travis-ci.org/civisanalytics/ruby_audit)
+[![Build Status](https://travis-ci.com/civisanalytics/ruby_audit.svg?branch=master)](https://travis-ci.com/civisanalytics/ruby_audit)
 [![Gem Version](https://badge.fury.io/rb/ruby_audit.svg)](http://badge.fury.io/rb/ruby_audit)
-[![Dependency Status](https://gemnasium.com/civisanalytics/ruby_audit.svg)](https://gemnasium.com/civisanalytics/ruby_audit)
 
 RubyAudit checks your current version of Ruby and RubyGems against known security vulnerabilities (CVEs), alerting you if you are using an insecure version.
 It complements [bundler-audit](https://github.com/rubysec/bundler-audit), providing complete coverage for your Ruby stack.
@@ -52,7 +51,8 @@ $ ruby-audit check -n
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies.
-Then, run `rake spec` to run the tests.
+You'll also want to run `git submodule update --init` to populate the ruby-advisory-db
+submodule used for testing. Then, run `rake spec` to run the tests.
 You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`.

data/Rakefile

@@ -6,4 +6,4 @@ RSpec::Core::RakeTask.new
 require 'rubocop/rake_task'
 RuboCop::RakeTask.new
 
-task default: [:rubocop, :spec]
+task default: %i[rubocop spec]

data/lib/ruby_audit.rb

@@ -1,4 +1,3 @@
-require 'bundler/audit/cli'
 require 'ruby_audit/cli'
 require 'ruby_audit/database'
 require 'ruby_audit/scanner'

data/lib/ruby_audit/cli.rb

@@ -1,5 +1,10 @@
+require 'thor'
+
 module RubyAudit
-  class CLI < Bundler::Audit::CLI
+  class CLI < ::Thor
+    default_task :check
+    map '--version' => :version
+
     desc 'check', 'Checks Ruby and RubyGems for insecure versions'
     method_option :ignore, type: :array, aliases: '-i'
     method_option :no_update, type: :boolean, aliases: '-n'
@@ -52,17 +57,81 @@ module RubyAudit
 
     private
 
+    def say(message = '', color = nil)
+      color = nil unless $stdout.tty?
+      super(message.to_s, color)
+    end
+
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/CyclomaticComplexity
+    # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/PerceivedComplexity
+    def print_advisory(gem, advisory)
+      say 'Name: ', :red
+      say gem.name
+
+      say 'Version: ', :red
+      say gem.version
+
+      say 'Advisory: ', :red
+
+      if advisory.cve
+        say advisory.cve_id
+      elsif advisory.osvdb
+        say advisory.osvdb_id
+      elsif advisory.ghsa
+        say advisory.ghsa_id
+      end
+
+      say 'Criticality: ', :red
+      case advisory.criticality
+      when :none     then say 'None'
+      when :low      then say 'Low'
+      when :medium   then say 'Medium', :yellow
+      when :high     then say 'High', %i[red bold]
+      when :critical then say 'Critical', %i[red bold]
+      else                say 'Unknown'
+      end
+
+      say 'URL: ', :red
+      say advisory.url
+
+      if options.verbose?
+        say 'Description:', :red
+        say
+
+        print_wrapped advisory.description, indent: 2
+        say
+      else
+
+        say 'Title: ', :red
+        say advisory.title
+      end
+
+      if advisory.patched_versions.empty?
+        say 'Solution: ', :red
+        say 'remove or disable this gem until a patch is available!', %i[red bold]
+      else
+        say 'Solution: upgrade to ', :red
+        say advisory.patched_versions.join(', ')
+      end
+
+      say
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+    # rubocop:enable Metrics/MethodLength
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/AbcSize
+
     def check_for_stale_database
       database = Database.new
-      if database.size == 89
-        # bundler-audit 0.4.0 comes bundled with an old verison of
-        # ruby-advisory-db that has 89 advisories and NO advisories for Ruby
-        # or RubyGems. If #size == 89, the database has never been updated.
-        say 'The database must be updated before using RubyAudit', :red
-        exit 1
-      elsif database.stale
-        say 'The database has not been updated in over 7 days', :yellow
-      end
+      return unless database.size == 89
+
+      # bundler-audit 0.4.0 comes bundled with an old verison of
+      # ruby-advisory-db that has 89 advisories and NO advisories for Ruby
+      # or RubyGems. If #size == 89, the database has never been updated.
+      say 'The database must be updated before using RubyAudit', :red
+      exit 1
     end
   end
 end

data/lib/ruby_audit/database.rb

@@ -1,3 +1,5 @@
+require 'bundler/audit/database'
+
 module RubyAudit
   class Database < Bundler::Audit::Database
     def advisories_for(name, type)
@@ -24,17 +26,6 @@ module RubyAudit
       end
     end
 
-    def stale
-      if File.directory?(USER_PATH) &&
-         File.exist?(File.join(USER_PATH, '.git'))
-        ts = Time.parse(
-          `cd #{USER_PATH} && git log --date=iso8601 --pretty="%cd" -1`).utc
-        ts < (Date.today - 7).to_time
-      else
-        true
-      end
-    end
-
     protected
 
     def each_advisory_path(&block)

data/lib/ruby_audit/scanner.rb

@@ -1,5 +1,8 @@
+require 'bundler/audit/results/unpatched_gem'
+require 'set'
+
 module RubyAudit
-  class Scanner < Bundler::Audit::Scanner
+  class Scanner
     class Version
       def initialize(name, version)
         @name = name
@@ -23,11 +26,11 @@ module RubyAudit
     end
 
     def scan_ruby(options = {}, &block)
-      if RUBY_PATCHLEVEL < 0
-        version = ruby_version
-      else
-        version = "#{RUBY_VERSION}.#{RUBY_PATCHLEVEL}"
-      end
+      version = if RUBY_PATCHLEVEL < 0
+                  ruby_version
+                else
+                  "#{RUBY_VERSION}.#{RUBY_PATCHLEVEL}"
+                end
       specs = [Version.new(RUBY_ENGINE, version)]
       scan_inner(specs, 'ruby', options, &block)
     end
@@ -43,8 +46,8 @@ module RubyAudit
       # .gsub to separate strings (e.g., 2.1.0dev -> 2.1.0.dev,
       # 2.2.0preview1 -> 2.2.0.preview.1).
       `ruby --version`.split[1]
-        .gsub(/(\d)([a-z]+)/, '\1.\2')
-        .gsub(/([a-z]+)(\d)/, '\1.\2')
+                      .gsub(/(\d)([a-z]+)/, '\1.\2')
+                      .gsub(/([a-z]+)(\d)/, '\1.\2')
     end
 
     def rubygems_version
@@ -52,29 +55,18 @@ module RubyAudit
     end
 
     def scan_inner(specs, type, options = {})
-      return enum_for(__method__, options) unless block_given?
+      return enum_for(__method__, specs, type, options) unless block_given?
 
       ignore = Set[]
       ignore += options[:ignore] if options[:ignore]
 
       specs.each do |spec|
         @database.send("check_#{type}".to_sym, spec) do |advisory|
-          unless ignore.include?(cve_id(advisory)) ||
-                 ignore.include?(osvdb_id(advisory))
-            yield UnpatchedGem.new(spec, advisory)
+          unless ignore.intersect?(advisory.identifiers.to_set)
+            yield Bundler::Audit::Results::UnpatchedGem.new(spec, advisory)
           end
         end
       end
     end
-
-    # Workaround for advisory.cve_id, present in master but not 0.4.0.
-    def cve_id(advisory)
-      "CVE-#{advisory.cve}" if advisory.cve
-    end
-
-    # Workaround for advisory.osvdb_id, present in master but not 0.4.0.
-    def osvdb_id(advisory)
-      "OSVDB-#{advisory.osvdb}" if advisory.osvdb
-    end
   end
 end

data/lib/ruby_audit/version.rb

@@ -1,3 +1,3 @@
 module RubyAudit
-  VERSION = '1.0.0'
+  VERSION = '2.0.0'.freeze
 end

data/ruby_audit.gemspec

@@ -1,12 +1,11 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'ruby_audit/version'
 
 Gem::Specification.new do |spec|
   spec.name          = 'ruby_audit'
   spec.version       = RubyAudit::VERSION
-  spec.authors       = ['Jeff Cousens']
+  spec.authors       = ['Jeff Cousens, Mike Saelim']
   spec.email         = ['opensource@civisanalytics.com']
 
   spec.summary       = 'Checks Ruby and RubyGems against known vulnerabilities.'
@@ -16,18 +15,18 @@ Gem::Specification.new do |spec|
                        'version. It complements bundler-audit, providing ' \
                        'complete coverage for your Ruby stack.'
   spec.homepage      = 'https://github.com/civisanalytics/ruby_audit'
-  spec.license       = 'GPLv3'
+  spec.license       = 'GPL-3.0-or-later'
 
+  spec.required_ruby_version = ['>= 2.5', '< 3.1']
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'bundler-audit', '~> 0.4.0'
-  spec.add_development_dependency 'bundler', '~> 1.11'
-  spec.add_development_dependency 'pry', '~> 0.10.3'
-  spec.add_development_dependency 'rake', '~> 10.5'
-  spec.add_development_dependency 'rspec', '~> 3.4'
-  spec.add_development_dependency 'rubocop', '~> 0.35.0'
-  spec.add_development_dependency 'timecop', '~> 0.8.0'
+  spec.add_dependency 'bundler-audit', '~> 0.8.0'
+  spec.add_development_dependency 'pry', '~> 0.13.0'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'rspec', '~> 3.9'
+  spec.add_development_dependency 'rubocop', '~> 1.9.1'
+  spec.add_development_dependency 'timecop', '~> 0.9.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruby_audit
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.0
 platform: ruby
 authors:
-- Jeff Cousens
-autorequire: 
+- Jeff Cousens, Mike Saelim
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-02-03 00:00:00.000000000 Z
+date: 2021-03-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -16,98 +16,84 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: 0.8.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.11'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.11'
+        version: 0.8.0
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.3
+        version: 0.13.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.3
+        version: 0.13.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.5'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.5'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.35.0
+        version: 1.9.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.35.0
+        version: 1.9.1
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.9.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.9.1
 description: RubyAudit checks your current version of Ruby and RubyGems against known
   security vulnerabilities (CVEs), alerting you if you are using an insecure version.
   It complements bundler-audit, providing complete coverage for your Ruby stack.
@@ -125,6 +111,7 @@ files:
 - ".ruby-version"
 - ".travis.yml"
 - CHANGELOG.md
+- CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - Gemfile
 - LICENSE.md
@@ -141,9 +128,9 @@ files:
 - ruby_audit.gemspec
 homepage: https://github.com/civisanalytics/ruby_audit
 licenses:
-- GPLv3
+- GPL-3.0-or-later
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -151,16 +138,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.5'
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Checks Ruby and RubyGems against known vulnerabilities.
 test_files: []