ruby_audit 2.3.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 03b8220013a541f8b113b8b6fababafecdd92de4badea9df13147d5ecc8df68a
-  data.tar.gz: 0c873a6f538b774268df8c7e670a21e28eab51348337b36bffa62aa91df09850
+  metadata.gz: 3c7d4dd1d68e8876981650f3fa3aac753b1ba2c3751da011c1ac3958c7e0bd7d
+  data.tar.gz: 964d04790d84d33c9d58ff074ddb259b67b2a95de951b72768a57a571949ab13
 SHA512:
-  metadata.gz: 3e1c97decf4d3acf3b742f3d5697d9c629160f96102fc596cdc296fd52a1847d66dc3dd7f118f3084e929b93ec8b8eff04bad1b6360130052987da2c0a9015f2
-  data.tar.gz: 329e52e574282fd6b40ba7a046c8f5dfe9e2fa8680e7237abc8b936032efa86e9cf11c60b6dea4f9521c3633d8721dcdc8afb51df347d177021171496b47dbc1
+  metadata.gz: 4201365adab2c239a9d213d938405882a49913f578f89192b280135fc5ea0db9196e9b7b9d1eda0c8f96588a6af753042655fbf8ad117d9a91bd1beaf61b5ef7
+  data.tar.gz: 64e180ec574c6f3a9306df3588c926871e736d5279bf1a17fa7eb220d5ebfc92d60f26093dabedb6230a43e27f7da0e290e9889277d4da62e007d90005162750

data/.github/workflows/test.yml

@@ -12,7 +12,7 @@ jobs:
   test:
     strategy:
       matrix:
-        ruby_version: [2.5, 2.6, 2.7, '3.0', 3.1, 3.2, 3.3]
+        ruby_version: [3.1, 3.2, 3.3, 3.4]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -21,8 +21,6 @@ jobs:
         with:
           ruby-version: ${{ matrix.ruby_version }}
           bundler-cache: true
-      - name: Install dependencies
-        run: bundle install --jobs=3 --retry=3
       - name: Initialize submodule
         run: git submodule update --init
       - name: Run tests

data/.rubocop.yml

@@ -1,8 +1,11 @@
 AllCops:
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 3.1
   NewCops: enable
   SuggestExtensions: false
 
+Gemspec/DevelopmentDependencies:
+  EnforcedStyle: gemspec
+
 Layout/LineLength:
   Exclude:
     - 'ruby_audit.gemspec'
@@ -11,7 +14,7 @@ Metrics/MethodLength:
   Max: 15
 
 Metrics/BlockLength:
-  IgnoredMethods:
+  AllowedMethods:
     - describe
 
 Style/Documentation:

data/.ruby-version

@@ -1 +1 @@
-3.3.0
+3.4.1

data/CHANGELOG.md

@@ -5,101 +5,130 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## 3.0.0 - 2025-01-09
+
+### Changed
+
+- Bumped Rubocop dependency to 1.64.0
+- Require MFA for rubygems operations
+
+### Removed
+
+- Removed support for Ruby 2.5 through 3.0
+- Removed Timecop dependency
+
+## [2.3.1] - 2024-05-17
+
+### Removed
+
+- [#34](https://github.com/civisanalytics/ruby_audit/pull/34)
+  Removed check for stale database that no longer does anything
+
+### Fixed
+
+- [#35](https://github.com/civisanalytics/ruby_audit/pull/35)
+  Look for rubygems advisories in the correct directory of the ruby-advisory-db
+
+## [2.3.0] - 2024-01-10
+
 ### Added
 
-* Support for Ruby 3.3
+- Support for Ruby 3.3
 
 ## [2.2.0] - 2023-01-05
 
 ### Added
 
-* Support for Ruby 3.2
+- Support for Ruby 3.2
 
 ## [2.1.0] - 2022-02-23
 
 ### Added
 
-* Support for ruby 3.1
-* Require bundler-audit >= 0.9
+- Support for ruby 3.1
+- Require bundler-audit >= 0.9
 
 ## [2.0.0] - 2021-03-22
 
 ### Added
 
-* Require bundler-audit 0.8
-* Added Ruby 3.0 to the Travis matrix
+- Require bundler-audit 0.8
+- Added Ruby 3.0 to the Travis matrix
 
 ### Removed
 
-* Removed support for bundler-audit 0.7
+- Removed support for bundler-audit 0.7
 
 ## [1.3.0] - 2020-07-01
 
 ### Added
 
-* Added Ruby 2.5, 2.6, and 2.7 to the Travis matrix
-* Added the ability to ignore an advisory by its GHSA identifier
+- Added Ruby 2.5, 2.6, and 2.7 to the Travis matrix
+- Added the ability to ignore an advisory by its GHSA identifier
 
 ### Changed
 
-* Bumped the bundler-audit version to 0.7
-* Bumped the Ruby version for development to 2.7.1
-* Bumped the Pry version for development to 0.13
-* Bumped the Rake version for development to 13
-* Bumped the Rspec version for development to 3.9
-* Bumped the RuboCop version for development to 0.86
-* Bumped the Timecop verison for development to 0.9
-* RuboCop fixes
+- Bumped the bundler-audit version to 0.7
+- Bumped the Ruby version for development to 2.7.1
+- Bumped the Pry version for development to 0.13
+- Bumped the Rake version for development to 13
+- Bumped the Rspec version for development to 3.9
+- Bumped the RuboCop version for development to 0.86
+- Bumped the Timecop verison for development to 0.9
+- RuboCop fixes
 
 ### Removed
 
-* Removed Ruby 2.1 through 2.4 from the Travis matrix
-* Removed the explicit Bundler dependency for development, since it is now included with RubyGems
+- Removed Ruby 2.1 through 2.4 from the Travis matrix
+- Removed the explicit Bundler dependency for development, since it is now included with RubyGems
 
 ## [1.2.0] - 2017-09-21
 
 ### Added
 
-* Added 2.4 to the Travis matrix ([@errm])
+- Added 2.4 to the Travis matrix ([@errm])
 
 ### Changed
 
-* Bumped the bundler-audit version to 0.6 ([@errm])
-* Bumped the RuboCop version for development to 0.50 ([@errm])
-* Bumped the Ruby version for development to 2.4.2 ([@errm])
+- Bumped the bundler-audit version to 0.6 ([@errm])
+- Bumped the RuboCop version for development to 0.50 ([@errm])
+- Bumped the Ruby version for development to 2.4.2 ([@errm])
 
 ## [1.1.0] - 2016-09-15
 
 ### Added
 
-* Added a matrix build of 2.1, 2.2, and 2.3 to Travis
+- Added a matrix build of 2.1, 2.2, and 2.3 to Travis
 
 ### Changed
 
-* Added a [Code of Conduct](CODE_OF_CONDUCT.md)
-* Bumped the bundler-audit version to 0.5
-* Bumped the RSpec version for development to 3.5
-* Bumped the Rake version for development to 11.2
-* Bumped the RuboCop version for development to 0.42
-* Bumped the Ruby version for development to 2.3.1
+- Added a [Code of Conduct](CODE_OF_CONDUCT.md)
+- Bumped the bundler-audit version to 0.5
+- Bumped the RSpec version for development to 3.5
+- Bumped the Rake version for development to 11.2
+- Bumped the RuboCop version for development to 0.42
+- Bumped the Ruby version for development to 2.3.1
 
 ## [1.0.1] - 2016-02-03
 
 ### Fixed
 
-* [#1](https://github.com/civisanalytics/ruby_audit/pull/1)
+- [#1](https://github.com/civisanalytics/ruby_audit/pull/1)
   removing unreliable last-update check
 
 ## 1.0.0 (2016-02-03)
 
-* Initial Release
+- Initial Release
 
-[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD
-[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
+[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.3.1...HEAD
+[2.3.1]: https://github.com/civisanalytics/ruby_audit/compare/v2.3.0...v2.3.1
+[2.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.2.0...v2.3.0
+[2.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.1.0...v2.2.0
+[2.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...v2.1.0
+[2.0.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
 [1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0
 [1.0.1]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.0...v1.0.1
 [1.0.0]: https://github.com/civisanalytics/ruby_audit/commit/7535b70412641c888c80d99514b27ba254fb8316
-
 [@errm]: https://github.com/errm

data/Gemfile

@@ -2,3 +2,10 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in ruby_audit.gemspec
 gemspec
+
+gem 'base64', '~> 0.2.0'
+gem 'ostruct', '~> 0.6.1'
+gem 'pry', '~> 0.14.1'
+gem 'rake', '~> 13.0'
+gem 'rspec', '~> 3.9'
+gem 'rubocop', '~> 1.69.2'

data/README.md

@@ -57,9 +57,12 @@ $ ruby-audit check -n
 
 After checking out the repo, run `bin/setup` to install dependencies.
 You'll also want to run `git submodule update --init` to populate the ruby-advisory-db
-submodule used for testing. Then, run `rake spec` to run the tests.
+submodule in `/vendor` that is used for testing. Then, run `rake` to run linting and tests.
 You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
+The database in `/vendor/ruby-advisory-db` is only used as a fixture for unit tests.
+By default, the database used for actual vulnerability checks is stored at `~/.local/share/ruby-advisory-db`.
+
 To install this gem onto your local machine, run `bundle exec rake install`.
 To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 

data/lib/ruby_audit/cli.rb

@@ -12,8 +12,6 @@ module RubyAudit
     def check
       update unless options[:no_update]
 
-      check_for_stale_database
-
       scanner = Scanner.new
       vulnerable = false
 
@@ -30,7 +28,6 @@ module RubyAudit
       end
     end
 
-    # Copied from bundler-audit master. Not present in 0.4.0.
     desc 'update', 'Updates the ruby-advisory-db'
     def update
       say 'Updating ruby-advisory-db ...'
@@ -45,14 +42,16 @@ module RubyAudit
         say 'Skipping update', :yellow
       end
 
-      puts "ruby-advisory-db: #{Database.new.size} advisories"
+      database = Database.new
+      puts "ruby-advisory-db: #{database.size} advisories, " \
+           "last updated #{database.last_updated_at.utc}"
     end
 
     desc 'version', 'Prints the ruby-audit version'
     def version
       database = Database.new
-      puts "#{File.basename($PROGRAM_NAME)} #{VERSION} "\
-           "(advisories: #{database.size})"
+      puts "#{File.basename($PROGRAM_NAME)} #{VERSION} " \
+           "(advisories: #{database.size}, last updated: #{database.last_updated_at.utc})"
     end
 
     private
@@ -122,16 +121,5 @@ module RubyAudit
     # rubocop:enable Metrics/MethodLength
     # rubocop:enable Metrics/CyclomaticComplexity
     # rubocop:enable Metrics/AbcSize
-
-    def check_for_stale_database
-      database = Database.new
-      return unless database.size == 89
-
-      # bundler-audit 0.4.0 comes bundled with an old verison of
-      # ruby-advisory-db that has 89 advisories and NO advisories for Ruby
-      # or RubyGems. If #size == 89, the database has never been updated.
-      say 'The database must be updated before using RubyAudit', :red
-      exit 1
-    end
   end
 end

data/lib/ruby_audit/database.rb

@@ -10,12 +10,12 @@ module RubyAudit
       end
     end
 
-    def check_ruby(ruby, &block)
-      check(ruby, 'rubies', &block)
+    def check_ruby(ruby, &)
+      check(ruby, 'rubies', &)
     end
 
-    def check_library(library, &block)
-      check(library, 'libraries', &block)
+    def check_rubygems(rubygems, &)
+      check(rubygems, 'gems', &)
     end
 
     def check(object, type = 'gems')
@@ -28,13 +28,12 @@ module RubyAudit
 
     protected
 
-    def each_advisory_path(&block)
-      Dir.glob(File.join(@path, '{gems,libraries,rubies}', '*', '*.yml'),
-               &block)
+    def each_advisory_path(&)
+      Dir.glob(File.join(@path, '{gems,rubies}', '*', '*.yml'), &)
     end
 
-    def each_advisory_path_for(name, type = 'gems', &block)
-      Dir.glob(File.join(@path, type, name, '*.yml'), &block)
+    def each_advisory_path_for(name, type = 'gems', &)
+      Dir.glob(File.join(@path, type, name, '*.yml'), &)
     end
   end
 end

data/lib/ruby_audit/scanner.rb

@@ -25,19 +25,19 @@ module RubyAudit
       self
     end
 
-    def scan_ruby(options = {}, &block)
+    def scan_ruby(options = {}, &)
       version = if RUBY_PATCHLEVEL < 0
                   ruby_version
                 else
                   "#{RUBY_VERSION}.#{RUBY_PATCHLEVEL}"
                 end
       specs = [Version.new(RUBY_ENGINE, version)]
-      scan_inner(specs, 'ruby', options, &block)
+      scan_inner(specs, 'ruby', options, &)
     end
 
-    def scan_rubygems(options = {}, &block)
-      specs = [Version.new('rubygems', rubygems_version)]
-      scan_inner(specs, 'library', options, &block)
+    def scan_rubygems(options = {}, &)
+      specs = [Version.new('rubygems-update', rubygems_version)]
+      scan_inner(specs, 'rubygems', options, &)
     end
 
     private
@@ -61,7 +61,7 @@ module RubyAudit
       ignore += options[:ignore] if options[:ignore]
 
       specs.each do |spec|
-        @database.send("check_#{type}".to_sym, spec) do |advisory|
+        @database.send(:"check_#{type}", spec) do |advisory|
           unless ignore.intersect?(advisory.identifiers.to_set)
             yield Bundler::Audit::Results::UnpatchedGem.new(spec, advisory)
           end

data/lib/ruby_audit/version.rb

@@ -1,3 +1,3 @@
 module RubyAudit
-  VERSION = '2.3.0'.freeze
+  VERSION = '3.0.0'.freeze
 end

data/ruby_audit.gemspec

@@ -7,6 +7,7 @@ Gem::Specification.new do |spec|
   spec.version       = RubyAudit::VERSION
   spec.authors       = ['Jeff Cousens, Mike Saelim', 'John Zhang', 'Cristina Muñoz']
   spec.email         = ['opensource@civisanalytics.com']
+  spec.metadata['rubygems_mfa_required'] = 'true'
 
   spec.summary       = 'Checks Ruby and RubyGems against known vulnerabilities.'
   spec.description   = 'RubyAudit checks your current version of Ruby and ' \
@@ -17,16 +18,11 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/civisanalytics/ruby_audit'
   spec.license       = 'GPL-3.0-or-later'
 
-  spec.required_ruby_version = ['>= 2.5', '< 3.4']
+  spec.required_ruby_version = ['>= 3.1', '< 3.5']
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
   spec.add_dependency 'bundler-audit', '~> 0.9.0'
-  spec.add_development_dependency 'pry', '~> 0.14.1'
-  spec.add_development_dependency 'rake', '~> 13.0'
-  spec.add_development_dependency 'rspec', '~> 3.9'
-  spec.add_development_dependency 'rubocop', '~> 1.9.1'
-  spec.add_development_dependency 'timecop', '~> 0.9.1'
 end

metadata

@@ -1,16 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: ruby_audit
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Jeff Cousens, Mike Saelim
 - John Zhang
 - Cristina Muñoz
-autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-01-10 00:00:00.000000000 Z
+date: 2025-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -26,76 +25,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.9.0
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.14.1
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.14.1
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.9'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.9'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.9.1
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.9.1
-- !ruby/object:Gem::Dependency
-  name: timecop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.9.1
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.9.1
 description: RubyAudit checks your current version of Ruby and RubyGems against known
   security vulnerabilities (CVEs), alerting you if you are using an insecure version.
   It complements bundler-audit, providing complete coverage for your Ruby stack.
@@ -131,8 +60,8 @@ files:
 homepage: https://github.com/civisanalytics/ruby_audit
 licenses:
 - GPL-3.0-or-later
-metadata: {}
-post_install_message: 
+metadata:
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -140,18 +69,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.5'
+      version: '3.1'
   - - "<"
     - !ruby/object:Gem::Version
-      version: '3.4'
+      version: '3.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Checks Ruby and RubyGems against known vulnerabilities.
 test_files: []