ruby_audit 1.2.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a37c98041a8f0f867ac25c7d9294035612adf005
-  data.tar.gz: 6315f1277b519e00030dde661ce471eba79366d4
+SHA256:
+  metadata.gz: 4485faac81d30e19ca663681964837fdd30273e3c4703be5ef18895628387515
+  data.tar.gz: f4e16c5c8a380c4ae5b5633c51a69e3a87528478fb0092d0cef21f7e211a1d27
 SHA512:
-  metadata.gz: c5f92890f816a5a5c496081c097051fd7d889db1503fc245893db3029efb7e0da1a1282428f1da45f1db28c09d0c81143e4583d9e42f1655ed0ddea8cf33323c
-  data.tar.gz: 2814899f17162b460a87751ee2639cf12150c4302de7d9f71e60da7f2e31c4c935fa3ed96b397934ddac6161147cfd8942ceded675999b65056dd8b71e210633
+  metadata.gz: 2f5fdde3dde211c594e3f379f1e9cec574483132973cfe9988e3152d66619af116f556238d14301c730c5282b55448049e6968b4ccb072c81d75b1ce7bf13d05
+  data.tar.gz: a17daec359fe5bc5998ff5f7102bff63749ca0735373a6036c2659127570efa28eedb41f0e436cec1a762b5c636aa0596ec11ee875da970ae98a6d9cf2cc3db8

data/.github/workflows/test.yml

@@ -0,0 +1,29 @@
+name: Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  test:
+    strategy:
+      matrix:
+        ruby_version: [2.5, 2.6, 2.7, '3.0', 3.1]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby_version }}
+          bundler-cache: true
+      - name: Install dependencies
+        run: bundle install --jobs=3 --retry=3
+      - name: Initialize submodule
+        run: git submodule update --init
+      - name: Run tests
+        run: bundle exec rake

data/.rspec

@@ -1 +1,2 @@
 --color
+--warnings  

data/.rubocop.yml

@@ -1,4 +1,9 @@
-Metrics/LineLength:
+AllCops:
+  TargetRubyVersion: 2.5
+  NewCops: enable
+  SuggestExtensions: false
+
+Layout/LineLength:
   Exclude:
     - 'ruby_audit.gemspec'
 
@@ -6,7 +11,7 @@ Metrics/MethodLength:
   Max: 15
 
 Metrics/BlockLength:
-  ExcludedMethods:
+  IgnoredMethods:
     - describe
 
 Style/Documentation:

data/.ruby-version

@@ -1 +1 @@
-2.4.2
+3.1.0

data/CHANGELOG.md

@@ -5,6 +5,47 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [2.1.0] - 2022-02-23
+
+### Added
+
+* Support for ruby 3.1
+* Require bundler-audit >= 0.9
+
+## [2.0.0] - 2021-03-22
+
+### Added
+
+* Require bundler-audit 0.8
+* Added Ruby 3.0 to the Travis matrix
+
+### Removed
+
+* Removed support for bundler-audit 0.7
+
+## [1.3.0] - 2020-07-01
+
+### Added
+
+* Added Ruby 2.5, 2.6, and 2.7 to the Travis matrix
+* Added the ability to ignore an advisory by its GHSA identifier
+
+### Changed
+
+* Bumped the bundler-audit version to 0.7
+* Bumped the Ruby version for development to 2.7.1
+* Bumped the Pry version for development to 0.13
+* Bumped the Rake version for development to 13
+* Bumped the Rspec version for development to 3.9
+* Bumped the RuboCop version for development to 0.86
+* Bumped the Timecop verison for development to 0.9
+* RuboCop fixes
+
+### Removed
+
+* Removed Ruby 2.1 through 2.4 from the Travis matrix
+* Removed the explicit Bundler dependency for development, since it is now included with RubyGems
+
 ## [1.2.0] - 2017-09-21
 
 ### Added
@@ -43,7 +84,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 * Initial Release
 
-[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...HEAD
+[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD
+[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
+[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0
 [1.0.1]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.0...v1.0.1

data/README.md

@@ -1,6 +1,6 @@
 # RubyAudit
 
-[![Build Status](https://travis-ci.org/civisanalytics/ruby_audit.svg?branch=master)](https://travis-ci.org/civisanalytics/ruby_audit)
+![Build Status](https://github.com/civisanalytics/ruby_audit/actions/workflows/test.yml/badge.svg)
 [![Gem Version](https://badge.fury.io/rb/ruby_audit.svg)](http://badge.fury.io/rb/ruby_audit)
 
 RubyAudit checks your current version of Ruby and RubyGems against known security vulnerabilities (CVEs), alerting you if you are using an insecure version.
@@ -27,6 +27,11 @@ Or install it yourself as:
 
     $ gem install ruby_audit
 
+Because bundler-audit requires bundler, RubyAudit requires bundler as a transitive
+dependency.  If you don't intend to run RubyAudit in the production environment, you
+may selectively install it in your development and test environments by using
+[Bundler groups](https://bundler.io/guides/groups.html).
+
 ## Usage
 
 To check your current version of Ruby and RubyGems:
@@ -51,7 +56,8 @@ $ ruby-audit check -n
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies.
-Then, run `rake spec` to run the tests.
+You'll also want to run `git submodule update --init` to populate the ruby-advisory-db
+submodule used for testing. Then, run `rake spec` to run the tests.
 You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`.

data/lib/ruby_audit/cli.rb

@@ -1,5 +1,10 @@
+require 'thor'
+
 module RubyAudit
-  class CLI < Bundler::Audit::CLI
+  class CLI < ::Thor
+    default_task :check
+    map '--version' => :version
+
     desc 'check', 'Checks Ruby and RubyGems for insecure versions'
     method_option :ignore, type: :array, aliases: '-i'
     method_option :no_update, type: :boolean, aliases: '-n'
@@ -52,9 +57,76 @@ module RubyAudit
 
     private
 
+    def say(message = '', color = nil)
+      color = nil unless $stdout.tty?
+      super(message.to_s, color)
+    end
+
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/CyclomaticComplexity
+    # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/PerceivedComplexity
+    def print_advisory(gem, advisory)
+      say 'Name: ', :red
+      say gem.name
+
+      say 'Version: ', :red
+      say gem.version
+
+      say 'Advisory: ', :red
+
+      if advisory.cve
+        say advisory.cve_id
+      elsif advisory.osvdb
+        say advisory.osvdb_id
+      elsif advisory.ghsa
+        say advisory.ghsa_id
+      end
+
+      say 'Criticality: ', :red
+      case advisory.criticality
+      when :none     then say 'None'
+      when :low      then say 'Low'
+      when :medium   then say 'Medium', :yellow
+      when :high     then say 'High', %i[red bold]
+      when :critical then say 'Critical', %i[red bold]
+      else                say 'Unknown'
+      end
+
+      say 'URL: ', :red
+      say advisory.url
+
+      if options.verbose?
+        say 'Description:', :red
+        say
+
+        print_wrapped advisory.description, indent: 2
+        say
+      else
+
+        say 'Title: ', :red
+        say advisory.title
+      end
+
+      if advisory.patched_versions.empty?
+        say 'Solution: ', :red
+        say 'remove or disable this gem until a patch is available!', %i[red bold]
+      else
+        say 'Solution: upgrade to ', :red
+        say advisory.patched_versions.join(', ')
+      end
+
+      say
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+    # rubocop:enable Metrics/MethodLength
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/AbcSize
+
     def check_for_stale_database
       database = Database.new
       return unless database.size == 89
+
       # bundler-audit 0.4.0 comes bundled with an old verison of
       # ruby-advisory-db that has 89 advisories and NO advisories for Ruby
       # or RubyGems. If #size == 89, the database has never been updated.

data/lib/ruby_audit/database.rb

@@ -1,3 +1,5 @@
+require 'bundler/audit/database'
+
 module RubyAudit
   class Database < Bundler::Audit::Database
     def advisories_for(name, type)

data/lib/ruby_audit/scanner.rb

@@ -1,5 +1,8 @@
+require 'bundler/audit/results/unpatched_gem'
+require 'set'
+
 module RubyAudit
-  class Scanner < Bundler::Audit::Scanner
+  class Scanner
     class Version
       def initialize(name, version)
         @name = name
@@ -52,16 +55,15 @@ module RubyAudit
     end
 
     def scan_inner(specs, type, options = {})
-      return enum_for(__method__, options) unless block_given?
+      return enum_for(__method__, specs, type, options) unless block_given?
 
       ignore = Set[]
       ignore += options[:ignore] if options[:ignore]
 
       specs.each do |spec|
         @database.send("check_#{type}".to_sym, spec) do |advisory|
-          unless ignore.include?(advisory.cve_id) ||
-                 ignore.include?(advisory.osvdb_id)
-            yield UnpatchedGem.new(spec, advisory)
+          unless ignore.intersect?(advisory.identifiers.to_set)
+            yield Bundler::Audit::Results::UnpatchedGem.new(spec, advisory)
           end
         end
       end

data/lib/ruby_audit/version.rb

@@ -1,3 +1,3 @@
 module RubyAudit
-  VERSION = '1.2.0'.freeze
+  VERSION = '2.1.0'.freeze
 end

data/lib/ruby_audit.rb

@@ -1,4 +1,3 @@
-require 'bundler/audit/cli'
 require 'ruby_audit/cli'
 require 'ruby_audit/database'
 require 'ruby_audit/scanner'

data/ruby_audit.gemspec

@@ -1,11 +1,11 @@
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'ruby_audit/version'
 
 Gem::Specification.new do |spec|
   spec.name          = 'ruby_audit'
   spec.version       = RubyAudit::VERSION
-  spec.authors       = ['Jeff Cousens']
+  spec.authors       = ['Jeff Cousens, Mike Saelim', 'John Zhang', 'Cristina Muñoz']
   spec.email         = ['opensource@civisanalytics.com']
 
   spec.summary       = 'Checks Ruby and RubyGems against known vulnerabilities.'
@@ -15,18 +15,18 @@ Gem::Specification.new do |spec|
                        'version. It complements bundler-audit, providing ' \
                        'complete coverage for your Ruby stack.'
   spec.homepage      = 'https://github.com/civisanalytics/ruby_audit'
-  spec.license       = 'GPLv3'
+  spec.license       = 'GPL-3.0-or-later'
 
+  spec.required_ruby_version = ['>= 2.5', '< 3.2']
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'bundler-audit', '~> 0.6.0'
-  spec.add_development_dependency 'bundler', '~> 1.11'
-  spec.add_development_dependency 'pry', '~> 0.10.3'
-  spec.add_development_dependency 'rake', '~> 11.2'
-  spec.add_development_dependency 'rspec', '~> 3.5'
-  spec.add_development_dependency 'rubocop', '~> 0.50.0'
-  spec.add_development_dependency 'timecop', '~> 0.8.0'
+  spec.add_dependency 'bundler-audit', '~> 0.9.0'
+  spec.add_development_dependency 'pry', '~> 0.13.0'
+  spec.add_development_dependency 'rake', '~> 13.0'
+  spec.add_development_dependency 'rspec', '~> 3.9'
+  spec.add_development_dependency 'rubocop', '~> 1.9.1'
+  spec.add_development_dependency 'timecop', '~> 0.9.1'
 end

metadata

@@ -1,14 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: ruby_audit
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 2.1.0
 platform: ruby
 authors:
-- Jeff Cousens
+- Jeff Cousens, Mike Saelim
+- John Zhang
+- Cristina Muñoz
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-09-21 00:00:00.000000000 Z
+date: 2022-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -16,98 +18,84 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.9.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.11'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.11'
+        version: 0.9.0
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.3
+        version: 0.13.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.10.3
+        version: 0.13.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '11.2'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '11.2'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.50.0
+        version: 1.9.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.50.0
+        version: 1.9.1
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.9.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: 0.9.1
 description: RubyAudit checks your current version of Ruby and RubyGems against known
   security vulnerabilities (CVEs), alerting you if you are using an insecure version.
   It complements bundler-audit, providing complete coverage for your Ruby stack.
@@ -118,12 +106,12 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/test.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rspec"
 - ".rubocop.yml"
 - ".ruby-version"
-- ".travis.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
@@ -142,7 +130,7 @@ files:
 - ruby_audit.gemspec
 homepage: https://github.com/civisanalytics/ruby_audit
 licenses:
-- GPLv3
+- GPL-3.0-or-later
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -152,15 +140,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.5'
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.2.5
 signing_key: 
 specification_version: 4
 summary: Checks Ruby and RubyGems against known vulnerabilities.

data/.travis.yml

@@ -1,10 +0,0 @@
-language: ruby
-cache: bundler
-rvm:
-  - 2.1.10
-  - 2.2.8
-  - 2.3.5
-  - 2.4.2
-branches:
-  only:
-    - master