ruby_audit 2.3.0 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 03b8220013a541f8b113b8b6fababafecdd92de4badea9df13147d5ecc8df68a
-  data.tar.gz: 0c873a6f538b774268df8c7e670a21e28eab51348337b36bffa62aa91df09850
+  metadata.gz: f279cf36dd7235aecac769d5179ac4dd4bd827aeb63091f656a8b28a840856e8
+  data.tar.gz: f9e74e7dc700d31d521df493659379baf922957c9727f79efb57f9166d95cf64
 SHA512:
-  metadata.gz: 3e1c97decf4d3acf3b742f3d5697d9c629160f96102fc596cdc296fd52a1847d66dc3dd7f118f3084e929b93ec8b8eff04bad1b6360130052987da2c0a9015f2
-  data.tar.gz: 329e52e574282fd6b40ba7a046c8f5dfe9e2fa8680e7237abc8b936032efa86e9cf11c60b6dea4f9521c3633d8721dcdc8afb51df347d177021171496b47dbc1
+  metadata.gz: d0e764605a9362ba2af5e0ae830625a3496091c00d436fd655c9f582f410a00f5ecf5787bf51c2feb7c460d88bb26564d62baeaaa1c0126936c2c48c6c79828b
+  data.tar.gz: b0192910cf78633adb5b82a8b5cb9e43b725d3d829c240b6507e583e387f19fd1eb0bd64d317a72fcc571ec9bc1983eb5f37ec85b151c052ba6e6fa781610f37

data/CHANGELOG.md

@@ -5,6 +5,20 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [2.3.1] - 2024-05-17
+
+### Removed
+
+* [#34](https://github.com/civisanalytics/ruby_audit/pull/34)
+Removed check for stale database that no longer does anything
+
+### Fixed
+
+* [#35](https://github.com/civisanalytics/ruby_audit/pull/35)
+Look for rubygems advisories in the correct directory of the ruby-advisory-db
+
+## [2.3.0] - 2024-01-10
+
 ### Added
 
 * Support for Ruby 3.3
@@ -94,8 +108,11 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 * Initial Release
 
-[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD
-[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
+[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.3.0...HEAD
+[2.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.2.0...v2.3.0
+[2.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.1.0...v2.2.0
+[2.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...v2.1.0
+[2.0.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
 [1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0

data/README.md

@@ -57,9 +57,12 @@ $ ruby-audit check -n
 
 After checking out the repo, run `bin/setup` to install dependencies.
 You'll also want to run `git submodule update --init` to populate the ruby-advisory-db
-submodule used for testing. Then, run `rake spec` to run the tests.
+submodule in `/vendor` that is used for testing. Then, run `rake spec` to run the tests.
 You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
+The database in `/vendor/ruby-advisory-db` is only used as a fixture for unit tests.
+By default, the database used for actual vulnerability checks is stored at `~/.local/share/ruby-advisory-db`.
+
 To install this gem onto your local machine, run `bundle exec rake install`.
 To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 

data/lib/ruby_audit/cli.rb

@@ -12,8 +12,6 @@ module RubyAudit
     def check
       update unless options[:no_update]
 
-      check_for_stale_database
-
       scanner = Scanner.new
       vulnerable = false
 
@@ -30,7 +28,6 @@ module RubyAudit
       end
     end
 
-    # Copied from bundler-audit master. Not present in 0.4.0.
     desc 'update', 'Updates the ruby-advisory-db'
     def update
       say 'Updating ruby-advisory-db ...'
@@ -45,14 +42,16 @@ module RubyAudit
         say 'Skipping update', :yellow
       end
 
-      puts "ruby-advisory-db: #{Database.new.size} advisories"
+      database = Database.new
+      puts "ruby-advisory-db: #{database.size} advisories, " \
+           "last updated #{database.last_updated_at.utc}"
     end
 
     desc 'version', 'Prints the ruby-audit version'
     def version
       database = Database.new
-      puts "#{File.basename($PROGRAM_NAME)} #{VERSION} "\
-           "(advisories: #{database.size})"
+      puts "#{File.basename($PROGRAM_NAME)} #{VERSION} " \
+           "(advisories: #{database.size}, last updated: #{database.last_updated_at.utc})"
     end
 
     private
@@ -122,16 +121,5 @@ module RubyAudit
     # rubocop:enable Metrics/MethodLength
     # rubocop:enable Metrics/CyclomaticComplexity
     # rubocop:enable Metrics/AbcSize
-
-    def check_for_stale_database
-      database = Database.new
-      return unless database.size == 89
-
-      # bundler-audit 0.4.0 comes bundled with an old verison of
-      # ruby-advisory-db that has 89 advisories and NO advisories for Ruby
-      # or RubyGems. If #size == 89, the database has never been updated.
-      say 'The database must be updated before using RubyAudit', :red
-      exit 1
-    end
   end
 end

data/lib/ruby_audit/database.rb

@@ -14,8 +14,8 @@ module RubyAudit
       check(ruby, 'rubies', &block)
     end
 
-    def check_library(library, &block)
-      check(library, 'libraries', &block)
+    def check_rubygems(rubygems, &block)
+      check(rubygems, 'gems', &block)
     end
 
     def check(object, type = 'gems')
@@ -29,8 +29,7 @@ module RubyAudit
     protected
 
     def each_advisory_path(&block)
-      Dir.glob(File.join(@path, '{gems,libraries,rubies}', '*', '*.yml'),
-               &block)
+      Dir.glob(File.join(@path, '{gems,rubies}', '*', '*.yml'), &block)
     end
 
     def each_advisory_path_for(name, type = 'gems', &block)

data/lib/ruby_audit/scanner.rb

@@ -36,8 +36,8 @@ module RubyAudit
     end
 
     def scan_rubygems(options = {}, &block)
-      specs = [Version.new('rubygems', rubygems_version)]
-      scan_inner(specs, 'library', options, &block)
+      specs = [Version.new('rubygems-update', rubygems_version)]
+      scan_inner(specs, 'rubygems', options, &block)
     end
 
     private

data/lib/ruby_audit/version.rb

@@ -1,3 +1,3 @@
 module RubyAudit
-  VERSION = '2.3.0'.freeze
+  VERSION = '2.3.1'.freeze
 end

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: ruby_audit
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.3.1
 platform: ruby
 authors:
 - Jeff Cousens, Mike Saelim
 - John Zhang
 - Cristina Muñoz
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-01-10 00:00:00.000000000 Z
+date: 2024-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler-audit
@@ -132,7 +132,7 @@ homepage: https://github.com/civisanalytics/ruby_audit
 licenses:
 - GPL-3.0-or-later
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -150,8 +150,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.4.10
+signing_key:
 specification_version: 4
 summary: Checks Ruby and RubyGems against known vulnerabilities.
 test_files: []