ruby_audit 1.2.0 → 2.1.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: a37c98041a8f0f867ac25c7d9294035612adf005
4
- data.tar.gz: 6315f1277b519e00030dde661ce471eba79366d4
2
+ SHA256:
3
+ metadata.gz: 4485faac81d30e19ca663681964837fdd30273e3c4703be5ef18895628387515
4
+ data.tar.gz: f4e16c5c8a380c4ae5b5633c51a69e3a87528478fb0092d0cef21f7e211a1d27
5
5
  SHA512:
6
- metadata.gz: c5f92890f816a5a5c496081c097051fd7d889db1503fc245893db3029efb7e0da1a1282428f1da45f1db28c09d0c81143e4583d9e42f1655ed0ddea8cf33323c
7
- data.tar.gz: 2814899f17162b460a87751ee2639cf12150c4302de7d9f71e60da7f2e31c4c935fa3ed96b397934ddac6161147cfd8942ceded675999b65056dd8b71e210633
6
+ metadata.gz: 2f5fdde3dde211c594e3f379f1e9cec574483132973cfe9988e3152d66619af116f556238d14301c730c5282b55448049e6968b4ccb072c81d75b1ce7bf13d05
7
+ data.tar.gz: a17daec359fe5bc5998ff5f7102bff63749ca0735373a6036c2659127570efa28eedb41f0e436cec1a762b5c636aa0596ec11ee875da970ae98a6d9cf2cc3db8
@@ -0,0 +1,29 @@
1
+ name: Test
2
+
3
+ on:
4
+ push:
5
+ branches:
6
+ - main
7
+ pull_request:
8
+ branches:
9
+ - main
10
+
11
+ jobs:
12
+ test:
13
+ strategy:
14
+ matrix:
15
+ ruby_version: [2.5, 2.6, 2.7, '3.0', 3.1]
16
+ runs-on: ubuntu-latest
17
+ steps:
18
+ - uses: actions/checkout@v2
19
+ - name: Set up Ruby
20
+ uses: ruby/setup-ruby@v1
21
+ with:
22
+ ruby-version: ${{ matrix.ruby_version }}
23
+ bundler-cache: true
24
+ - name: Install dependencies
25
+ run: bundle install --jobs=3 --retry=3
26
+ - name: Initialize submodule
27
+ run: git submodule update --init
28
+ - name: Run tests
29
+ run: bundle exec rake
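Review bot: the two actions in the `steps` block, `actions/checkout@v2` and `ruby/setup-ruby@v1`, are referenced by mutable major-version tags; for a workflow that gates a security scanner's test suite, pin each to a full-length commit SHA (with the tag in a trailing comment) so that a moved tag cannot swap in different action code. Two smaller points: `bundler-cache: true` already runs `bundle install` inside the setup-ruby step, so the separate `Install dependencies` step (`run: bundle install --jobs=3 --retry=3`) is redundant, and the workflow sets no `permissions:` block, so the job token gets the repository default rather than the read-only scope this job needs. This hunk's file header is missing from the rendered diff; the `files:` list in `metadata` identifies it as `.github/workflows/test.yml`.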
data/.rspec CHANGED
@@ -1 +1,2 @@
1
1
  --color
2
+ --warnings
data/.rubocop.yml CHANGED
@@ -1,4 +1,9 @@
1
- Metrics/LineLength:
1
+ AllCops:
2
+ TargetRubyVersion: 2.5
3
+ NewCops: enable
4
+ SuggestExtensions: false
5
+
6
+ Layout/LineLength:
2
7
  Exclude:
3
8
  - 'ruby_audit.gemspec'
4
9
 
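Review bot: `NewCops: enable` under `AllCops` means every RuboCop upgrade can switch on newly added cops and fail the build without any code change; with `rubocop` pinned at `~> 1.9.1` in the gemspec that exposure is limited to patch releases, which is an acceptable trade-off but worth a one-line comment in the file. The `Metrics/LineLength` to `Layout/LineLength` rename and `TargetRubyVersion: 2.5`, which matches the new `required_ruby_version` lower bound, both look right.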
@@ -6,7 +11,7 @@ Metrics/MethodLength:
6
11
  Max: 15
7
12
 
8
13
  Metrics/BlockLength:
9
- ExcludedMethods:
14
+ IgnoredMethods:
10
15
  - describe
11
16
 
12
17
  Style/Documentation:
data/.ruby-version CHANGED
@@ -1 +1 @@
1
- 2.4.2
1
+ 3.1.0
data/CHANGELOG.md CHANGED
@@ -5,6 +5,47 @@ This project adheres to [Semantic Versioning](http://semver.org/).
5
5
 
6
6
  ## [Unreleased]
7
7
 
8
+ ## [2.1.0] - 2022-02-23
9
+
10
+ ### Added
11
+
12
+ * Support for ruby 3.1
13
+ * Require bundler-audit >= 0.9
14
+
15
+ ## [2.0.0] - 2021-03-22
16
+
17
+ ### Added
18
+
19
+ * Require bundler-audit 0.8
20
+ * Added Ruby 3.0 to the Travis matrix
21
+
22
+ ### Removed
23
+
24
+ * Removed support for bundler-audit 0.7
25
+
26
+ ## [1.3.0] - 2020-07-01
27
+
28
+ ### Added
29
+
30
+ * Added Ruby 2.5, 2.6, and 2.7 to the Travis matrix
31
+ * Added the ability to ignore an advisory by its GHSA identifier
32
+
33
+ ### Changed
34
+
35
+ * Bumped the bundler-audit version to 0.7
36
+ * Bumped the Ruby version for development to 2.7.1
37
+ * Bumped the Pry version for development to 0.13
38
+ * Bumped the Rake version for development to 13
39
+ * Bumped the Rspec version for development to 3.9
40
+ * Bumped the RuboCop version for development to 0.86
41
+ * Bumped the Timecop verison for development to 0.9
42
+ * RuboCop fixes
43
+
44
+ ### Removed
45
+
46
+ * Removed Ruby 2.1 through 2.4 from the Travis matrix
47
+ * Removed the explicit Bundler dependency for development, since it is now included with RubyGems
48
+
8
49
  ## [1.2.0] - 2017-09-21
9
50
 
10
51
  ### Added
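Review bot: the `[2.1.0]` entry says `Require bundler-audit >= 0.9`, but the gemspec in this same diff declares `~> 0.9.0` (that is, `>= 0.9.0, < 0.10`); the changelog should state the pessimistic constraint the gem actually enforces. The entry also omits changes in this release that users will notice: `required_ruby_version` is now bounded to `>= 2.5, < 3.2`, the CLI no longer subclasses `Bundler::Audit::CLI`, and CI moved from Travis (`.travis.yml` deleted) to GitHub Actions. Typo in the `[1.3.0]` section: `Timecop verison` should read `version`.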
@@ -43,7 +84,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
43
84
 
44
85
  * Initial Release
45
86
 
46
- [Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...HEAD
87
+ [Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD
88
+ [1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
89
+ [1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0
47
90
  [1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0
48
91
  [1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0
49
92
  [1.0.1]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.0...v1.0.1
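Review bot: the link reference block is wrong. The added line `[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0` carries the 2.0.0 compare range but is labelled `[1.3.0]`, so there are two `[1.3.0]` definitions and no `[2.0.0]` one; there is also no `[2.1.0]` reference at all, and `[Unreleased]` compares from `v2.0.0` where it should compare from `v2.1.0`. Suggested lines: `[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.1.0...HEAD`, `[2.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...v2.1.0`, `[2.0.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0`.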
data/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # RubyAudit
2
2
 
3
- [![Build Status](https://travis-ci.org/civisanalytics/ruby_audit.svg?branch=master)](https://travis-ci.org/civisanalytics/ruby_audit)
3
+ ![Build Status](https://github.com/civisanalytics/ruby_audit/actions/workflows/test.yml/badge.svg)
4
4
  [![Gem Version](https://badge.fury.io/rb/ruby_audit.svg)](http://badge.fury.io/rb/ruby_audit)
5
5
 
6
6
  RubyAudit checks your current version of Ruby and RubyGems against known security vulnerabilities (CVEs), alerting you if you are using an insecure version.
@@ -27,6 +27,11 @@ Or install it yourself as:
27
27
 
28
28
  $ gem install ruby_audit
29
29
 
30
+ Because bundler-audit requires bundler, RubyAudit requires bundler as a transitive
31
+ dependency. If you don't intend to run RubyAudit in the production environment, you
32
+ may selectively install it in your development and test environments by using
33
+ [Bundler groups](https://bundler.io/guides/groups.html).
34
+
30
35
  ## Usage
31
36
 
32
37
  To check your current version of Ruby and RubyGems:
@@ -51,7 +56,8 @@ $ ruby-audit check -n
51
56
  ## Development
52
57
 
53
58
  After checking out the repo, run `bin/setup` to install dependencies.
54
- Then, run `rake spec` to run the tests.
59
+ You'll also want to run `git submodule update --init` to populate the ruby-advisory-db
60
+ submodule used for testing. Then, run `rake spec` to run the tests.
55
61
  You can also run `bin/console` for an interactive prompt that will allow you to experiment.
56
62
 
57
63
  To install this gem onto your local machine, run `bundle exec rake install`.
@@ -1,5 +1,10 @@
1
+ require 'thor'
2
+
1
3
  module RubyAudit
2
- class CLI < Bundler::Audit::CLI
4
+ class CLI < ::Thor
5
+ default_task :check
6
+ map '--version' => :version
7
+
3
8
  desc 'check', 'Checks Ruby and RubyGems for insecure versions'
4
9
  method_option :ignore, type: :array, aliases: '-i'
5
10
  method_option :no_update, type: :boolean, aliases: '-n'
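Review bot: switching the superclass from `Bundler::Audit::CLI` to `::Thor` drops everything the bundler-audit CLI defined, and one thing to verify is `exit_on_failure?`: Thor 1.x exits with status 0 on a failed command and prints a deprecation warning unless the class defines `def self.exit_on_failure?; true; end`. For a scanner whose purpose is to fail a CI job, a zero exit on a Thor error would silently pass the build, so add that method if it is not defined elsewhere in the file. Also, `map '--version' => :version` needs a `version` command on this class; it was previously inherited, so confirm it still exists. This hunk's file header is missing from the rendered diff; the `require 'ruby_audit/cli'` line in `lib/ruby_audit.rb` identifies it as `lib/ruby_audit/cli.rb`.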
@@ -52,9 +57,76 @@ module RubyAudit
52
57
 
53
58
  private
54
59
 
60
+ def say(message = '', color = nil)
61
+ color = nil unless $stdout.tty?
62
+ super(message.to_s, color)
63
+ end
64
+
65
+ # rubocop:disable Metrics/AbcSize
66
+ # rubocop:disable Metrics/CyclomaticComplexity
67
+ # rubocop:disable Metrics/MethodLength
68
+ # rubocop:disable Metrics/PerceivedComplexity
69
+ def print_advisory(gem, advisory)
70
+ say 'Name: ', :red
71
+ say gem.name
72
+
73
+ say 'Version: ', :red
74
+ say gem.version
75
+
76
+ say 'Advisory: ', :red
77
+
78
+ if advisory.cve
79
+ say advisory.cve_id
80
+ elsif advisory.osvdb
81
+ say advisory.osvdb_id
82
+ elsif advisory.ghsa
83
+ say advisory.ghsa_id
84
+ end
85
+
86
+ say 'Criticality: ', :red
87
+ case advisory.criticality
88
+ when :none then say 'None'
89
+ when :low then say 'Low'
90
+ when :medium then say 'Medium', :yellow
91
+ when :high then say 'High', %i[red bold]
92
+ when :critical then say 'Critical', %i[red bold]
93
+ else say 'Unknown'
94
+ end
95
+
96
+ say 'URL: ', :red
97
+ say advisory.url
98
+
99
+ if options.verbose?
100
+ say 'Description:', :red
101
+ say
102
+
103
+ print_wrapped advisory.description, indent: 2
104
+ say
105
+ else
106
+
107
+ say 'Title: ', :red
108
+ say advisory.title
109
+ end
110
+
111
+ if advisory.patched_versions.empty?
112
+ say 'Solution: ', :red
113
+ say 'remove or disable this gem until a patch is available!', %i[red bold]
114
+ else
115
+ say 'Solution: upgrade to ', :red
116
+ say advisory.patched_versions.join(', ')
117
+ end
118
+
119
+ say
120
+ end
121
+ # rubocop:enable Metrics/PerceivedComplexity
122
+ # rubocop:enable Metrics/MethodLength
123
+ # rubocop:enable Metrics/CyclomaticComplexity
124
+ # rubocop:enable Metrics/AbcSize
125
+
55
126
  def check_for_stale_database
56
127
  database = Database.new
57
128
  return unless database.size == 89
129
+
58
130
  # bundler-audit 0.4.0 comes bundled with an old verison of
59
131
  # ruby-advisory-db that has 89 advisories and NO advisories for Ruby
60
132
  # or RubyGems. If #size == 89, the database has never been updated.
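Review bot: `check_for_stale_database` still keys off `database.size == 89`, a magic number from the database vendored with bundler-audit 0.4.0 (see the comment in the context lines); this release requires bundler-audit `~> 0.9.0`, which ships a different vendored database, so the heuristic almost certainly never fires any more and a never-updated database goes undetected. Replace the count with an age check (bundler-audit 0.8+ provides `Database#last_updated_at`; confirm against the pinned version) and warn when the advisories are older than some threshold. A smaller point in the same hunk: the private `say(message = '', color = nil)` override narrows Thor's `say` signature by dropping the `force_new_line` argument; that is fine for the calls in `print_advisory`, which rely on the trailing-space convention for `'Name: '` and friends, but a comment explaining the TTY colour-stripping intent would help the next reader.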
@@ -1,3 +1,5 @@
1
+ require 'bundler/audit/database'
2
+
1
3
  module RubyAudit
2
4
  class Database < Bundler::Audit::Database
3
5
  def advisories_for(name, type)
@@ -1,5 +1,8 @@
1
+ require 'bundler/audit/results/unpatched_gem'
2
+ require 'set'
3
+
1
4
  module RubyAudit
2
- class Scanner < Bundler::Audit::Scanner
5
+ class Scanner
3
6
  class Version
4
7
  def initialize(name, version)
5
8
  @name = name
@@ -52,16 +55,15 @@ module RubyAudit
52
55
  end
53
56
 
54
57
  def scan_inner(specs, type, options = {})
55
- return enum_for(__method__, options) unless block_given?
58
+ return enum_for(__method__, specs, type, options) unless block_given?
56
59
 
57
60
  ignore = Set[]
58
61
  ignore += options[:ignore] if options[:ignore]
59
62
 
60
63
  specs.each do |spec|
61
64
  @database.send("check_#{type}".to_sym, spec) do |advisory|
62
- unless ignore.include?(advisory.cve_id) ||
63
- ignore.include?(advisory.osvdb_id)
64
- yield UnpatchedGem.new(spec, advisory)
65
+ unless ignore.intersect?(advisory.identifiers.to_set)
66
+ yield Bundler::Audit::Results::UnpatchedGem.new(spec, advisory)
65
67
  end
66
68
  end
67
69
  end
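Review bot: the `enum_for` fix is correct; the old `enum_for(__method__, options)` would have re-invoked `scan_inner` with a single argument and raised an `ArgumentError` when called without a block. On the loop body: `@database.send("check_#{type}".to_sym, spec)` builds a method name from `type` and `send` bypasses visibility, so prefer `public_send` and, since only `ruby` and `rubygems` are meaningful here, validate `type` against that allowlist before dispatching. The switch to `ignore.intersect?(advisory.identifiers.to_set)` is a good generalisation of the old two-field check and is what makes the GHSA ignore support from the changelog work.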
@@ -1,3 +1,3 @@
1
1
  module RubyAudit
2
- VERSION = '1.2.0'.freeze
2
+ VERSION = '2.1.0'.freeze
3
3
  end
data/lib/ruby_audit.rb CHANGED
@@ -1,4 +1,3 @@
1
- require 'bundler/audit/cli'
2
1
  require 'ruby_audit/cli'
3
2
  require 'ruby_audit/database'
4
3
  require 'ruby_audit/scanner'
data/ruby_audit.gemspec CHANGED
@@ -1,11 +1,11 @@
1
- lib = File.expand_path('../lib', __FILE__)
1
+ lib = File.expand_path('lib', __dir__)
2
2
  $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
3
3
  require 'ruby_audit/version'
4
4
 
5
5
  Gem::Specification.new do |spec|
6
6
  spec.name = 'ruby_audit'
7
7
  spec.version = RubyAudit::VERSION
8
- spec.authors = ['Jeff Cousens']
8
+ spec.authors = ['Jeff Cousens, Mike Saelim', 'John Zhang', 'Cristina Muñoz']
9
9
  spec.email = ['opensource@civisanalytics.com']
10
10
 
11
11
  spec.summary = 'Checks Ruby and RubyGems against known vulnerabilities.'
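Review bot: `spec.authors` on the added line packs two people into one element, `'Jeff Cousens, Mike Saelim'`, so RubyGems will record a single author named "Jeff Cousens, Mike Saelim" (the generated `metadata` in this diff shows exactly that). Split them: `spec.authors = ['Jeff Cousens', 'Mike Saelim', 'John Zhang', 'Cristina Muñoz']`.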
@@ -15,18 +15,18 @@ Gem::Specification.new do |spec|
15
15
  'version. It complements bundler-audit, providing ' \
16
16
  'complete coverage for your Ruby stack.'
17
17
  spec.homepage = 'https://github.com/civisanalytics/ruby_audit'
18
- spec.license = 'GPLv3'
18
+ spec.license = 'GPL-3.0-or-later'
19
19
 
20
+ spec.required_ruby_version = ['>= 2.5', '< 3.2']
20
21
  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
21
22
  spec.bindir = 'exe'
22
23
  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
23
24
  spec.require_paths = ['lib']
24
25
 
25
- spec.add_dependency 'bundler-audit', '~> 0.6.0'
26
- spec.add_development_dependency 'bundler', '~> 1.11'
27
- spec.add_development_dependency 'pry', '~> 0.10.3'
28
- spec.add_development_dependency 'rake', '~> 11.2'
29
- spec.add_development_dependency 'rspec', '~> 3.5'
30
- spec.add_development_dependency 'rubocop', '~> 0.50.0'
31
- spec.add_development_dependency 'timecop', '~> 0.8.0'
26
+ spec.add_dependency 'bundler-audit', '~> 0.9.0'
27
+ spec.add_development_dependency 'pry', '~> 0.13.0'
28
+ spec.add_development_dependency 'rake', '~> 13.0'
29
+ spec.add_development_dependency 'rspec', '~> 3.9'
30
+ spec.add_development_dependency 'rubocop', '~> 1.9.1'
31
+ spec.add_development_dependency 'timecop', '~> 0.9.1'
32
32
  end
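Review bot: `spec.license = 'GPL-3.0-or-later'` is a different grant from the removed `'GPLv3'` if the repository's LICENSE text is GPL-3.0 only; confirm that the LICENSE file actually says "or any later version" before publishing under the or-later identifier, otherwise use `GPL-3.0-only`. On `spec.required_ruby_version = ['>= 2.5', '< 3.2']`: the upper bound blocks installation on every future Ruby until a new gem release is cut, so users on 3.2 will be locked out of a security-scanning tool even if it works there; consider dropping the `< 3.2` bound or documenting the release cadence. The dependency bumps (`bundler-audit '~> 0.9.0'`, removal of the explicit `bundler` development dependency) match the CHANGELOG.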
metadata CHANGED
@@ -1,14 +1,16 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ruby_audit
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.0
4
+ version: 2.1.0
5
5
  platform: ruby
6
6
  authors:
7
- - Jeff Cousens
7
+ - Jeff Cousens, Mike Saelim
8
+ - John Zhang
9
+ - Cristina Muñoz
8
10
  autorequire:
9
11
  bindir: exe
10
12
  cert_chain: []
11
- date: 2017-09-21 00:00:00.000000000 Z
13
+ date: 2022-02-24 00:00:00.000000000 Z
12
14
  dependencies:
13
15
  - !ruby/object:Gem::Dependency
14
16
  name: bundler-audit
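Review bot: the `authors:` list in this hunk (`- Jeff Cousens, Mike Saelim` as one entry) reflects the gemspec's merged author string; fix the gemspec and rebuild so each author gets its own entry. Also `date: 2022-02-24` differs from the `## [2.1.0] - 2022-02-23` heading in the CHANGELOG; the gem date is set at packaging time, so either is defensible, but the changelog date should match the actual release date.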
@@ -16,98 +18,84 @@ dependencies:
16
18
  requirements:
17
19
  - - "~>"
18
20
  - !ruby/object:Gem::Version
19
- version: 0.6.0
21
+ version: 0.9.0
20
22
  type: :runtime
21
23
  prerelease: false
22
24
  version_requirements: !ruby/object:Gem::Requirement
23
25
  requirements:
24
26
  - - "~>"
25
27
  - !ruby/object:Gem::Version
26
- version: 0.6.0
27
- - !ruby/object:Gem::Dependency
28
- name: bundler
29
- requirement: !ruby/object:Gem::Requirement
30
- requirements:
31
- - - "~>"
32
- - !ruby/object:Gem::Version
33
- version: '1.11'
34
- type: :development
35
- prerelease: false
36
- version_requirements: !ruby/object:Gem::Requirement
37
- requirements:
38
- - - "~>"
39
- - !ruby/object:Gem::Version
40
- version: '1.11'
28
+ version: 0.9.0
41
29
  - !ruby/object:Gem::Dependency
42
30
  name: pry
43
31
  requirement: !ruby/object:Gem::Requirement
44
32
  requirements:
45
33
  - - "~>"
46
34
  - !ruby/object:Gem::Version
47
- version: 0.10.3
35
+ version: 0.13.0
48
36
  type: :development
49
37
  prerelease: false
50
38
  version_requirements: !ruby/object:Gem::Requirement
51
39
  requirements:
52
40
  - - "~>"
53
41
  - !ruby/object:Gem::Version
54
- version: 0.10.3
42
+ version: 0.13.0
55
43
  - !ruby/object:Gem::Dependency
56
44
  name: rake
57
45
  requirement: !ruby/object:Gem::Requirement
58
46
  requirements:
59
47
  - - "~>"
60
48
  - !ruby/object:Gem::Version
61
- version: '11.2'
49
+ version: '13.0'
62
50
  type: :development
63
51
  prerelease: false
64
52
  version_requirements: !ruby/object:Gem::Requirement
65
53
  requirements:
66
54
  - - "~>"
67
55
  - !ruby/object:Gem::Version
68
- version: '11.2'
56
+ version: '13.0'
69
57
  - !ruby/object:Gem::Dependency
70
58
  name: rspec
71
59
  requirement: !ruby/object:Gem::Requirement
72
60
  requirements:
73
61
  - - "~>"
74
62
  - !ruby/object:Gem::Version
75
- version: '3.5'
63
+ version: '3.9'
76
64
  type: :development
77
65
  prerelease: false
78
66
  version_requirements: !ruby/object:Gem::Requirement
79
67
  requirements:
80
68
  - - "~>"
81
69
  - !ruby/object:Gem::Version
82
- version: '3.5'
70
+ version: '3.9'
83
71
  - !ruby/object:Gem::Dependency
84
72
  name: rubocop
85
73
  requirement: !ruby/object:Gem::Requirement
86
74
  requirements:
87
75
  - - "~>"
88
76
  - !ruby/object:Gem::Version
89
- version: 0.50.0
77
+ version: 1.9.1
90
78
  type: :development
91
79
  prerelease: false
92
80
  version_requirements: !ruby/object:Gem::Requirement
93
81
  requirements:
94
82
  - - "~>"
95
83
  - !ruby/object:Gem::Version
96
- version: 0.50.0
84
+ version: 1.9.1
97
85
  - !ruby/object:Gem::Dependency
98
86
  name: timecop
99
87
  requirement: !ruby/object:Gem::Requirement
100
88
  requirements:
101
89
  - - "~>"
102
90
  - !ruby/object:Gem::Version
103
- version: 0.8.0
91
+ version: 0.9.1
104
92
  type: :development
105
93
  prerelease: false
106
94
  version_requirements: !ruby/object:Gem::Requirement
107
95
  requirements:
108
96
  - - "~>"
109
97
  - !ruby/object:Gem::Version
110
- version: 0.8.0
98
+ version: 0.9.1
111
99
  description: RubyAudit checks your current version of Ruby and RubyGems against known
112
100
  security vulnerabilities (CVEs), alerting you if you are using an insecure version.
113
101
  It complements bundler-audit, providing complete coverage for your Ruby stack.
@@ -118,12 +106,12 @@ executables:
118
106
  extensions: []
119
107
  extra_rdoc_files: []
120
108
  files:
109
+ - ".github/workflows/test.yml"
121
110
  - ".gitignore"
122
111
  - ".gitmodules"
123
112
  - ".rspec"
124
113
  - ".rubocop.yml"
125
114
  - ".ruby-version"
126
- - ".travis.yml"
127
115
  - CHANGELOG.md
128
116
  - CODE_OF_CONDUCT.md
129
117
  - CONTRIBUTING.md
@@ -142,7 +130,7 @@ files:
142
130
  - ruby_audit.gemspec
143
131
  homepage: https://github.com/civisanalytics/ruby_audit
144
132
  licenses:
145
- - GPLv3
133
+ - GPL-3.0-or-later
146
134
  metadata: {}
147
135
  post_install_message:
148
136
  rdoc_options: []
@@ -152,15 +140,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
152
140
  requirements:
153
141
  - - ">="
154
142
  - !ruby/object:Gem::Version
155
- version: '0'
143
+ version: '2.5'
144
+ - - "<"
145
+ - !ruby/object:Gem::Version
146
+ version: '3.2'
156
147
  required_rubygems_version: !ruby/object:Gem::Requirement
157
148
  requirements:
158
149
  - - ">="
159
150
  - !ruby/object:Gem::Version
160
151
  version: '0'
161
152
  requirements: []
162
- rubyforge_project:
163
- rubygems_version: 2.6.13
153
+ rubygems_version: 3.2.5
164
154
  signing_key:
165
155
  specification_version: 4
166
156
  summary: Checks Ruby and RubyGems against known vulnerabilities.
data/.travis.yml DELETED
@@ -1,10 +0,0 @@
1
- language: ruby
2
- cache: bundler
3
- rvm:
4
- - 2.1.10
5
- - 2.2.8
6
- - 2.3.5
7
- - 2.4.2
8
- branches:
9
- only:
10
- - master