From 24cf1a1c9ed1b4b4f23c1ac0761d74f54318e198 Mon Sep 17 00:00:00 2001 From: Yoann Lecuyer Date: Fri, 16 Sep 2022 11:36:42 +0200 Subject: [PATCH 1/3] Use correct version for jruby --- lib/ruby_audit/scanner.rb | 4 +- spec/scanner_spec.rb | 97 +++++++++++++++++++++++---------------- 2 files changed, 60 insertions(+), 41 deletions(-) diff --git a/lib/ruby_audit/scanner.rb b/lib/ruby_audit/scanner.rb index 2586d30..8535681 100644 --- a/lib/ruby_audit/scanner.rb +++ b/lib/ruby_audit/scanner.rb @@ -26,7 +26,9 @@ def scan(options = {}, &block) end def scan_ruby(options = {}, &block) - version = if RUBY_PATCHLEVEL < 0 + version = if RUBY_ENGINE == "jruby" + "#{JRUBY_VERSION}" + elsif RUBY_PATCHLEVEL < 0 ruby_version else "#{RUBY_VERSION}.#{RUBY_PATCHLEVEL}" diff --git a/spec/scanner_spec.rb b/spec/scanner_spec.rb index 0f40cdc..66a0f20 100644 --- a/spec/scanner_spec.rb +++ b/spec/scanner_spec.rb 
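Review bot: The added branch returns `"#{JRUBY_VERSION}"`, an interpolation of a single constant; `JRUBY_VERSION` alone is equivalent, and the double quotes also break with the single-quoted literals used elsewhere in this file (`'ruby'`, `'rubygems'` in the later scanner.rb hunk). The reason for the branch deserves a comment on the `RUBY_ENGINE == "jruby"` line, e.g. `# On JRuby, RUBY_VERSION reports the emulated MRI version; advisories for the jruby engine are keyed by JRUBY_VERSION.`, so nobody folds it back into the RUBY_VERSION path later. scan_ruby's body continues past the end of the hunk.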
@@ -5,59 +5,76 @@ subject { scanner.scan.to_a } - before(:each) do - stub_const('RUBY_VERSION', '2.2.1') - stub_const('RUBY_ENGINE', 'ruby') - stub_const('RUBY_PATCHLEVEL', 85) - allow_any_instance_of(RubyAudit::Scanner) - .to receive(:rubygems_version).and_return('2.4.5') - end - - context 'when auditing an unpatched Ruby' do - it 'should match an unpatched Ruby to its advisories' do - expect(subject.all? do |result| - result.advisory.vulnerable?(result.gem.version) - end).to be_truthy - expect(subject.map { |r| r.advisory.id }).to include('OSVDB-120541') + context 'jruby' do + before(:each) do + stub_const('RUBY_ENGINE', 'jruby') + stub_const('JRUBY_VERSION', '1.4.0') + allow_any_instance_of(RubyAudit::Scanner) + .to receive(:rubygems_version).and_return('2.4.5') end - it 'respects patch level' do - stub_const('RUBY_VERSION', '1.9.3') - stub_const('RUBY_PATCHLEVEL', 392) - expect(subject.map { |r| r.advisory.id }).to include('OSVDB-113747') + it 'handles jruby versions' do + allow_any_instance_of(RubyAudit::Scanner) + .to receive(:ruby_version).and_return('1.4.0') + expect(subject.map { |r| r.advisory.id }).to include('CVE-2010-1330') end + end - it 'handles preview versions' do - stub_const('RUBY_VERSION', '2.1.0') - stub_const('RUBY_PATCHLEVEL', -1) + context 'ruby' do + before(:each) do + stub_const('RUBY_VERSION', '2.2.1') + stub_const('RUBY_ENGINE', 'ruby') + stub_const('RUBY_PATCHLEVEL', 85) allow_any_instance_of(RubyAudit::Scanner) - .to receive(:ruby_version).and_return('2.1.0.dev') - expect(subject.map { |r| r.advisory.id }).to include('OSVDB-100113') + .to receive(:rubygems_version).and_return('2.4.5') end - context 'when the :ignore option is given' do - subject { scanner.scan(ignore: ['OSVDB-120541']) } + context 'when auditing an unpatched Ruby' do + it 'should match an unpatched Ruby to its advisories' do + expect(subject.all? 
do |result| + result.advisory.vulnerable?(result.gem.version) + end).to be_truthy + expect(subject.map { |r| r.advisory.id }).to include('OSVDB-120541') + end - it 'should ignore the specified advisories' do - expect(subject.map { |r| r.advisory.id }).not_to include('OSVDB-120541') + it 'respects patch level' do + stub_const('RUBY_VERSION', '1.9.3') + stub_const('RUBY_PATCHLEVEL', 392) + expect(subject.map { |r| r.advisory.id }).to include('OSVDB-113747') end - end - end - context 'when auditing an unpatched RubyGems' do - it 'should match an unpatched RubyGems to its advisories' do - expect(subject.all? do |result| - result.advisory.vulnerable?(result.gem.version) - end).to be_truthy - expect(subject.map { |r| r.advisory.id }).to include('CVE-2015-3900') + it 'handles preview versions' do + stub_const('RUBY_VERSION', '2.1.0') + stub_const('RUBY_PATCHLEVEL', -1) + allow_any_instance_of(RubyAudit::Scanner) + .to receive(:ruby_version).and_return('2.1.0.dev') + expect(subject.map { |r| r.advisory.id }).to include('OSVDB-100113') + end + + context 'when the :ignore option is given' do + subject { scanner.scan(ignore: ['OSVDB-120541']) } + + it 'should ignore the specified advisories' do + expect(subject.map { |r| r.advisory.id }).not_to include('OSVDB-120541') + end + end end - context 'when the :ignore option is given' do - subject { scanner.scan(ignore: ['CVE-2015-3900']) } + context 'when auditing an unpatched RubyGems' do + it 'should match an unpatched RubyGems to its advisories' do + expect(subject.all? 
do |result| + result.advisory.vulnerable?(result.gem.version) + end).to be_truthy + expect(subject.map { |r| r.advisory.id }).to include('CVE-2015-3900') + end + + context 'when the :ignore option is given' do + subject { scanner.scan(ignore: ['CVE-2015-3900']) } - it 'should ignore the specified advisories' do - expect(subject.map { |r| r.advisory.id }) - .not_to include('CVE-2015-3900') + it 'should ignore the specified advisories' do + expect(subject.map { |r| r.advisory.id }) + .not_to include('CVE-2015-3900') + end end end end From e3942f608965efee9ff0eb3e1d547b1a04ee432b Mon Sep 17 00:00:00 2001 From: Yoann Lecuyer Date: Fri, 16 Sep 2022 11:43:31 +0200 Subject: [PATCH 2/3] add changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fed42b0..6030734 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ This project adheres to [Semantic Versioning](http://semver.org/). ## [Unreleased] +### Changed + +* Use JRUBY_VERSION when checking jruby engine + ## [2.1.0] - 2022-02-23 ### Added From a921363576dbe753d28afcf5a77781f518e2678f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20IOP?= Date: Mon, 16 Mar 2026 16:20:34 +0100 Subject: [PATCH 3/3] Update to main --- .github/workflows/test.yml | 4 +- .gitignore | 1 + .rubocop.yml | 7 ++- .ruby-version | 2 +- CHANGELOG.md | 114 ++++++++++++++++++++++++++----------- Gemfile | 7 +++ README.md | 5 +- lib/ruby_audit/cli.rb | 22 ++----- lib/ruby_audit/database.rb | 17 +++--- lib/ruby_audit/scanner.rb | 10 ++-- lib/ruby_audit/version.rb | 2 +- ruby_audit.gemspec | 8 +-- spec/cli_spec.rb | 18 ------ spec/database_spec.rb | 16 +++--- spec/scanner_spec.rb | 54 +++++++----------- spec/spec_helper.rb | 1 - vendor/ruby-advisory-db | 2 +- 17 files changed, 152 insertions(+), 138 deletions(-) delete mode 100644 spec/cli_spec.rb diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index afd52b7..62a92b5 100644 --- a/.github/workflows/test.yml 
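Review bot: In the `'handles jruby versions'` example, the `allow_any_instance_of(RubyAudit::Scanner).to receive(:ruby_version).and_return('1.4.0')` stub is dead: the jruby branch added in scanner.rb reads `JRUBY_VERSION` directly and never calls `ruby_version`, so the example passes with that stub removed and a future reader may take it as documenting the code path. Drop the two stub lines and keep `stub_const('JRUBY_VERSION', '1.4.0')` as the only version input for that example. The describe block this hunk belongs to starts before line 5, outside the hunk.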
+++ b/.github/workflows/test.yml @@ -12,7 +12,7 @@ jobs: test: strategy: matrix: - ruby_version: [2.5, 2.6, 2.7, '3.0', 3.1] + ruby_version: [3.1, 3.2, 3.3, 3.4, 4.0] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 @@ -21,8 +21,6 @@ jobs: with: ruby-version: ${{ matrix.ruby_version }} bundler-cache: true - - name: Install dependencies - run: bundle install --jobs=3 --retry=3 - name: Initialize submodule run: git submodule update --init - name: Run tests diff --git a/.gitignore b/.gitignore index 0cb6eeb..755a45f 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /pkg/ /spec/reports/ /tmp/ +ruby_audit-*.gem diff --git a/.rubocop.yml b/.rubocop.yml index 9d0dfa3..69666bb 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,8 +1,11 @@ AllCops: - TargetRubyVersion: 2.5 + TargetRubyVersion: 3.1 NewCops: enable SuggestExtensions: false +Gemspec/DevelopmentDependencies: + EnforcedStyle: gemspec + Layout/LineLength: Exclude: - 'ruby_audit.gemspec' @@ -11,7 +14,7 @@ Metrics/MethodLength: Max: 15 Metrics/BlockLength: - IgnoredMethods: + AllowedMethods: - describe Style/Documentation: diff --git a/.ruby-version b/.ruby-version index fd2a018..fcdb2e1 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -3.1.0 +4.0.0 diff --git a/CHANGELOG.md b/CHANGELOG.md index 6030734..4262a5f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
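Review bot: The new matrix writes `4.0` unquoted while the line it replaces quoted `'3.0'`; in YAML an unquoted `4.0` is a float and is likely rendered as `4` when substituted into `ruby-version: ${{ matrix.ruby_version }}`, so the entry should be `'4.0'` to keep the intended version explicit. The `- uses: actions/checkout@v2` line in this hunk's context is a deprecated major pinned to a mutable tag; since the matrix is being reworked anyway, bump it and consider pinning actions by commit SHA so the CI dependency chain is reproducible.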
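Review bot: `Gemspec/DevelopmentDependencies` with `EnforcedStyle: gemspec` tells RuboCop that development dependencies belong in the gemspec, yet this same patch removes every `add_development_dependency` from `ruby_audit.gemspec` (gemspec hunk) and declares them as `gem` lines in `Gemfile` (Gemfile hunk), which is the `Gemfile` style; one of the two should change, or `rake` (which the README change says runs linting) will presumably report the Gemfile lines. If the move to the Gemfile is intentional, set `EnforcedStyle: Gemfile` here. `TargetRubyVersion: 3.1` is consistent with the anonymous `&` block forwarding introduced in database.rb and scanner.rb and with the gemspec's `>= 3.1` floor.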
@@ -9,91 +9,139 @@ This project adheres to [Semantic Versioning](http://semver.org/). * Use JRUBY_VERSION when checking jruby engine +## [3.1.0] - 2026-01-07 + +### Added + +- Support for Ruby 3.4 +- Support for Ruby 4.0 + +## [3.0.0] - 2025-01-09 + +### Changed + +- Bumped Rubocop dependency to 1.64.0 +- Require MFA for rubygems operations + +### Removed + +- Removed support for Ruby 2.5 through 3.0 +- Removed Timecop dependency + +## [2.3.1] - 2024-05-17 + +### Removed + +- [#34](https://github.com/civisanalytics/ruby_audit/pull/34) + Removed check for stale database that no longer does anything + +### Fixed + +- [#35](https://github.com/civisanalytics/ruby_audit/pull/35) + Look for rubygems advisories in the correct directory of the ruby-advisory-db + +## [2.3.0] - 2024-01-10 + +### Added + +- Support for Ruby 3.3 + +## [2.2.0] - 2023-01-05 + +### Added + +- Support for Ruby 3.2 + ## [2.1.0] - 2022-02-23 ### Added -* Support for ruby 3.1 -* Require bundler-audit >= 0.9 +- Support for ruby 3.1 +- Require bundler-audit >= 0.9 ## [2.0.0] - 2021-03-22 ### Added -* Require bundler-audit 0.8 -* Added Ruby 3.0 to the Travis matrix +- Require bundler-audit 0.8 +- Added Ruby 3.0 to the Travis matrix ### Removed -* Removed support for bundler-audit 0.7 +- Removed support for bundler-audit 0.7 ## [1.3.0] - 2020-07-01 ### Added -* Added Ruby 2.5, 2.6, and 2.7 to the Travis matrix -* Added the ability to ignore an advisory by its GHSA identifier +- Added Ruby 2.5, 2.6, and 2.7 to the Travis matrix +- Added the ability to ignore an advisory by its GHSA identifier ### Changed -* Bumped the bundler-audit version to 0.7 -* Bumped the Ruby version for development to 2.7.1 -* Bumped the Pry version for development to 0.13 -* Bumped the Rake version for development to 13 -* Bumped the Rspec version for development to 3.9 -* Bumped the RuboCop version for development to 0.86 -* Bumped the Timecop verison for development to 0.9 -* RuboCop fixes +- Bumped the bundler-audit version to 
0.7 +- Bumped the Ruby version for development to 2.7.1 +- Bumped the Pry version for development to 0.13 +- Bumped the Rake version for development to 13 +- Bumped the Rspec version for development to 3.9 +- Bumped the RuboCop version for development to 0.86 +- Bumped the Timecop verison for development to 0.9 +- RuboCop fixes ### Removed -* Removed Ruby 2.1 through 2.4 from the Travis matrix -* Removed the explicit Bundler dependency for development, since it is now included with RubyGems +- Removed Ruby 2.1 through 2.4 from the Travis matrix +- Removed the explicit Bundler dependency for development, since it is now included with RubyGems ## [1.2.0] - 2017-09-21 ### Added -* Added 2.4 to the Travis matrix ([@errm]) +- Added 2.4 to the Travis matrix ([@errm]) ### Changed -* Bumped the bundler-audit version to 0.6 ([@errm]) -* Bumped the RuboCop version for development to 0.50 ([@errm]) -* Bumped the Ruby version for development to 2.4.2 ([@errm]) +- Bumped the bundler-audit version to 0.6 ([@errm]) +- Bumped the RuboCop version for development to 0.50 ([@errm]) +- Bumped the Ruby version for development to 2.4.2 ([@errm]) ## [1.1.0] - 2016-09-15 ### Added -* Added a matrix build of 2.1, 2.2, and 2.3 to Travis +- Added a matrix build of 2.1, 2.2, and 2.3 to Travis ### Changed -* Added a [Code of Conduct](CODE_OF_CONDUCT.md) -* Bumped the bundler-audit version to 0.5 -* Bumped the RSpec version for development to 3.5 -* Bumped the Rake version for development to 11.2 -* Bumped the RuboCop version for development to 0.42 -* Bumped the Ruby version for development to 2.3.1 +- Added a [Code of Conduct](CODE_OF_CONDUCT.md) +- Bumped the bundler-audit version to 0.5 +- Bumped the RSpec version for development to 3.5 +- Bumped the Rake version for development to 11.2 +- Bumped the RuboCop version for development to 0.42 +- Bumped the Ruby version for development to 2.3.1 ## [1.0.1] - 2016-02-03 ### Fixed -* [#1](https://github.com/civisanalytics/ruby_audit/pull/1) +- 
[#1](https://github.com/civisanalytics/ruby_audit/pull/1) removing unreliable last-update check ## 1.0.0 (2016-02-03) -* Initial Release +- Initial Release -[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD -[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0 +[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v3.1.0...HEAD +[3.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v3.0.0...v3.1.0 +[3.0.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.3.1...v3.0.0 +[2.3.1]: https://github.com/civisanalytics/ruby_audit/compare/v2.3.0...v2.3.1 +[2.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.2.0...v2.3.0 +[2.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.1.0...v2.2.0 +[2.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...v2.1.0 +[2.0.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0 [1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0 [1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0 [1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0 [1.0.1]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.0...v1.0.1 [1.0.0]: https://github.com/civisanalytics/ruby_audit/commit/7535b70412641c888c80d99514b27ba254fb8316 - [@errm]: https://github.com/errm diff --git a/Gemfile b/Gemfile index 79e23ab..12b38ee 100644 --- a/Gemfile +++ b/Gemfile @@ -2,3 +2,10 @@ source 'https://rubygems.org' # Specify your gem's dependencies in ruby_audit.gemspec gemspec + +gem 'base64', '~> 0.2.0' +gem 'ostruct', '~> 0.6.1' +gem 'pry', '~> 0.14.1' +gem 'rake', '~> 13.0' +gem 'rspec', '~> 3.9' +gem 'rubocop', '~> 1.69.2' diff --git a/README.md b/README.md index c31bea5..89ecff3 100644 --- a/README.md +++ b/README.md 
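Review bot: The pin `gem 'rubocop', '~> 1.69.2'` disagrees with the CHANGELOG entry in this same patch, `Bumped Rubocop dependency to 1.64.0`; one of them should be corrected so the release notes describe what the Gemfile enforces. `base64` and `ostruct` are added without explanation; presumably they are declared because both became bundled gems in Ruby 3.4, which a one-line comment such as `# base64 and ostruct are bundled gems as of Ruby 3.4; declare them explicitly` would record for the next maintainer.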
@@ -57,9 +57,12 @@ $ ruby-audit check -n After checking out the repo, run `bin/setup` to install dependencies. You'll also want to run `git submodule update --init` to populate the ruby-advisory-db -submodule used for testing. Then, run `rake spec` to run the tests. +submodule in `/vendor` that is used for testing. Then, run `rake` to run linting and tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. +The database in `/vendor/ruby-advisory-db` is only used as a fixture for unit tests. +By default, the database used for actual vulnerability checks is stored at `~/.local/share/ruby-advisory-db`. + To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org). diff --git a/lib/ruby_audit/cli.rb b/lib/ruby_audit/cli.rb index 1beb271..94de94c 100644 --- a/lib/ruby_audit/cli.rb +++ b/lib/ruby_audit/cli.rb @@ -12,8 +12,6 @@ class CLI < ::Thor def check update unless options[:no_update] - check_for_stale_database - scanner = Scanner.new vulnerable = false @@ -30,7 +28,6 @@ def check end end - # Copied from bundler-audit master. Not present in 0.4.0. desc 'update', 'Updates the ruby-advisory-db' def update say 'Updating ruby-advisory-db ...' 
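Review bot: Removing the `check_for_stale_database` call leaves `check` with no freshness signal at all when it is run with `--no-update`: the `last_updated_at` output added in the `@@ -45,14` hunk is printed only by `update` and `version`, so an audit against a months-old advisory database looks identical to one against a current database. Consider printing `database.last_updated_at.utc` at the start of `check` as well, or warning when the database is older than a threshold, so a stale scan is visible where the results are read. The `check` method continues past the end of this hunk.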
@@ -45,14 +42,16 @@ def update say 'Skipping update', :yellow end - puts "ruby-advisory-db: #{Database.new.size} advisories" + database = Database.new + puts "ruby-advisory-db: #{database.size} advisories, " \ + "last updated #{database.last_updated_at.utc}" end desc 'version', 'Prints the ruby-audit version' def version database = Database.new - puts "#{File.basename($PROGRAM_NAME)} #{VERSION} "\ - "(advisories: #{database.size})" + puts "#{File.basename($PROGRAM_NAME)} #{VERSION} " \ + "(advisories: #{database.size}, last updated: #{database.last_updated_at.utc})" end private @@ -122,16 +121,5 @@ def print_advisory(gem, advisory) # rubocop:enable Metrics/MethodLength # rubocop:enable Metrics/CyclomaticComplexity # rubocop:enable Metrics/AbcSize - - def check_for_stale_database - database = Database.new - return unless database.size == 89 - - # bundler-audit 0.4.0 comes bundled with an old verison of - # ruby-advisory-db that has 89 advisories and NO advisories for Ruby - # or RubyGems. If #size == 89, the database has never been updated. - say 'The database must be updated before using RubyAudit', :red - exit 1 - end end end diff --git a/lib/ruby_audit/database.rb b/lib/ruby_audit/database.rb index cc337f4..9eaea49 100644 --- a/lib/ruby_audit/database.rb +++ b/lib/ruby_audit/database.rb @@ -10,12 +10,12 @@ def advisories_for(name, type) end end - def check_ruby(ruby, &block) - check(ruby, 'rubies', &block) + def check_ruby(ruby, &) + check(ruby, 'rubies', &) end - def check_library(library, &block) - check(library, 'libraries', &block) + def check_rubygems(rubygems, &) + check(rubygems, 'gems', &) end def check(object, type = 'gems') 
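Review bot: Both new output lines call `database.last_updated_at.utc`; if `last_updated_at` can return nil (e.g. for a database directory that is not a git checkout — worth confirming against the bundler-audit version pinned in the gemspec), `.utc` raises NoMethodError inside `update` and `version`, so a guard such as `"last updated #{database.last_updated_at&.utc || 'unknown'}"` is safer. The two messages also differ in wording (`last updated ` in `update`, `last updated: ` in `version`); pick one form.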
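Review bot: `check_library` appears to be a public method (it sits above the `protected` marker shown in the next hunk) and this hunk renames it to `check_rubygems` with no alias, so any external caller of `Database#check_library` breaks with NoMethodError. If the rename is meant to be breaking, record it in the CHANGELOG; otherwise keep `alias check_library check_rubygems` for one release. The anonymous `&` forwarding is correct here because each signature in the hunk also declares the anonymous `&` parameter.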
@@ -28,13 +28,12 @@ def check(object, type = 'gems') protected - def each_advisory_path(&block) - Dir.glob(File.join(@path, '{gems,libraries,rubies}', '*', '*.yml'), - &block) + def each_advisory_path(&) + Dir.glob(File.join(@path, '{gems,rubies}', '*', '*.yml'), &) end - def each_advisory_path_for(name, type = 'gems', &block) - Dir.glob(File.join(@path, type, name, '*.yml'), &block) + def each_advisory_path_for(name, type = 'gems', &) + Dir.glob(File.join(@path, type, name, '*.yml'), &) end end end diff --git a/lib/ruby_audit/scanner.rb b/lib/ruby_audit/scanner.rb index 8535681..041c294 100644 --- a/lib/ruby_audit/scanner.rb +++ b/lib/ruby_audit/scanner.rb @@ -34,12 +34,12 @@ def scan_ruby(options = {}, &block) "#{RUBY_VERSION}.#{RUBY_PATCHLEVEL}" end specs = [Version.new(RUBY_ENGINE, version)] - scan_inner(specs, 'ruby', options, &block) + scan_inner(specs, 'ruby', options, &) end - def scan_rubygems(options = {}, &block) - specs = [Version.new('rubygems', rubygems_version)] - scan_inner(specs, 'library', options, &block) + def scan_rubygems(options = {}, &) + specs = [Version.new('rubygems-update', rubygems_version)] + scan_inner(specs, 'rubygems', options, &) end private @@ -63,7 +63,7 @@ def scan_inner(specs, type, options = {}) ignore += options[:ignore] if options[:ignore] specs.each do |spec| - @database.send("check_#{type}".to_sym, spec) do |advisory| + @database.send(:"check_#{type}", spec) do |advisory| unless ignore.intersect?(advisory.identifiers.to_set) yield Bundler::Audit::Results::UnpatchedGem.new(spec, advisory) end diff --git a/lib/ruby_audit/version.rb b/lib/ruby_audit/version.rb index d83e288..20de3fd 100644 --- a/lib/ruby_audit/version.rb +++ b/lib/ruby_audit/version.rb @@ -1,3 +1,3 @@ module RubyAudit - VERSION = '2.1.0'.freeze + VERSION = '3.1.0'.freeze end diff --git a/ruby_audit.gemspec b/ruby_audit.gemspec index d05b4cc..f0a3007 100644 --- a/ruby_audit.gemspec +++ b/ruby_audit.gemspec 
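Review bot: `scan_inner(specs, 'ruby', options, &)` forwards an anonymous block, but the enclosing signature shown in the hunk header, `def scan_ruby(options = {}, &block)`, declares a named block parameter and is not touched by this patch; Ruby 3.1+ rejects that combination at parse time with `no anonymous block parameter`, so unless the def line was changed somewhere outside this diff the file no longer loads. Either change the signature to `def scan_ruby(options = {}, &)` to match the `scan_rubygems` rewrite just below it, or keep `&block` in the call. The def line lies outside the hunk, so its current state should be verified before merging.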
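Review bot: `@database.send(:"check_#{type}", spec)` bypasses method visibility although both targets, `check_ruby` and `check_rubygems`, are public on Database; `@database.public_send(:"check_#{type}", spec)` expresses the intent and keeps a future `type` value from reaching a protected helper such as `each_advisory_path_for`. The `type` argument comes from the string literals in `scan_ruby`/`scan_rubygems`, not from external input, so this is a style point rather than an injection risk. scan_inner's body continues outside the hunk.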
@@ -7,6 +7,7 @@ Gem::Specification.new do |spec| spec.version = RubyAudit::VERSION spec.authors = ['Jeff Cousens, Mike Saelim', 'John Zhang', 'Cristina Muñoz'] spec.email = ['opensource@civisanalytics.com'] + spec.metadata['rubygems_mfa_required'] = 'true' spec.summary = 'Checks Ruby and RubyGems against known vulnerabilities.' spec.description = 'RubyAudit checks your current version of Ruby and ' \ @@ -17,16 +18,11 @@ Gem::Specification.new do |spec| spec.homepage = 'https://github.com/civisanalytics/ruby_audit' spec.license = 'GPL-3.0-or-later' - spec.required_ruby_version = ['>= 2.5', '< 3.2'] + spec.required_ruby_version = ['>= 3.1', '< 4.1'] spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) } spec.bindir = 'exe' spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) } spec.require_paths = ['lib'] spec.add_dependency 'bundler-audit', '~> 0.9.0' - spec.add_development_dependency 'pry', '~> 0.13.0' - spec.add_development_dependency 'rake', '~> 13.0' - spec.add_development_dependency 'rspec', '~> 3.9' - spec.add_development_dependency 'rubocop', '~> 1.9.1' - spec.add_development_dependency 'timecop', '~> 0.9.1' end diff --git a/spec/cli_spec.rb b/spec/cli_spec.rb deleted file mode 100644 index de2fb76..0000000 --- a/spec/cli_spec.rb +++ /dev/null @@ -1,18 +0,0 @@ -require 'spec_helper' - -describe RubyAudit::CLI do - context 'when the database has never been updated' do - before(:each) do - allow_any_instance_of(RubyAudit::Database) - .to receive(:size).and_return(89) - end - - it 'prints a failure message and exit' do - subject.options = { no_update: true } - expect do - expect { subject.check }.to raise_error(SystemExit) - end.to output(/The database must be updated before using RubyAudit/) - .to_stdout - end - end -end diff --git a/spec/database_spec.rb b/spec/database_spec.rb index 8472803..d23e0c5 100644 --- a/spec/database_spec.rb +++ b/spec/database_spec.rb 
@@ -1,14 +1,14 @@ require 'spec_helper' describe RubyAudit::Database do - describe '#check_library' do - let(:library) { RubyAudit::Scanner::Version.new('rubygems', '2.4.5') } + describe '#check_rubygems' do + let(:rubygems) { RubyAudit::Scanner::Version.new('rubygems-update', '2.4.5') } context 'when given a block' do - it 'should yield every advisory affecting the library' do + it 'should yield every advisory affecting the rubygems version' do advisories = [] - subject.check_library(library) do |advisory| + subject.check_rubygems(rubygems) do |advisory| advisories << advisory end @@ -17,14 +17,14 @@ advisory.is_a?(Bundler::Audit::Advisory) end).to be_truthy expect(advisories.map(&:id)).to include('CVE-2015-3900') - expect(advisories.map(&:path).reject { |p| p =~ /libraries/ }) + expect(advisories.map(&:path).grep_v(/rubygems-update/)) .to be_empty end end context 'when given no block' do it 'should return an Enumerator' do - expect(subject.check_library(library)).to be_kind_of(Enumerable) + expect(subject.check_rubygems(rubygems)).to be_kind_of(Enumerable) end end end @@ -44,8 +44,8 @@ expect(advisories.all? do |advisory| advisory.is_a?(Bundler::Audit::Advisory) end).to be_truthy - expect(advisories.map(&:id)).to include('OSVDB-120541') - expect(advisories.map(&:path).reject { |p| p =~ /rubies/ }).to be_empty + expect(advisories.map(&:id)).to include('CVE-2015-1855') + expect(advisories.map(&:path).grep_v(/rubies/)).to be_empty end end diff --git a/spec/scanner_spec.rb b/spec/scanner_spec.rb index 66a0f20..587f277 100644 --- a/spec/scanner_spec.rb +++ b/spec/scanner_spec.rb 
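Review bot: The rewritten example `'should return an Enumerator'` asserts `be_kind_of(Enumerable)`, which an Array or Hash would also satisfy, so it does not pin the behaviour its title promises. Use `expect(subject.check_rubygems(rubygems)).to be_an(Enumerator)` (or rename the example) so the no-block contract of `check_rubygems` is actually tested.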
@@ -20,43 +20,33 @@ end end - context 'ruby' do - before(:each) do - stub_const('RUBY_VERSION', '2.2.1') - stub_const('RUBY_ENGINE', 'ruby') - stub_const('RUBY_PATCHLEVEL', 85) - allow_any_instance_of(RubyAudit::Scanner) - .to receive(:rubygems_version).and_return('2.4.5') + context 'when auditing an unpatched Ruby' do + it 'should match an unpatched Ruby to its advisories' do + expect(subject.all? do |result| + result.advisory.vulnerable?(result.gem.version) + end).to be_truthy + expect(subject.map { |r| r.advisory.id }).to include('CVE-2015-1855') end - context 'when auditing an unpatched Ruby' do - it 'should match an unpatched Ruby to its advisories' do - expect(subject.all? do |result| - result.advisory.vulnerable?(result.gem.version) - end).to be_truthy - expect(subject.map { |r| r.advisory.id }).to include('OSVDB-120541') - end - - it 'respects patch level' do - stub_const('RUBY_VERSION', '1.9.3') - stub_const('RUBY_PATCHLEVEL', 392) - expect(subject.map { |r| r.advisory.id }).to include('OSVDB-113747') - end + it 'respects patch level' do + stub_const('RUBY_VERSION', '1.9.3') + stub_const('RUBY_PATCHLEVEL', 392) + expect(subject.map { |r| r.advisory.id }).to include('CVE-2014-8080') + end - it 'handles preview versions' do - stub_const('RUBY_VERSION', '2.1.0') - stub_const('RUBY_PATCHLEVEL', -1) - allow_any_instance_of(RubyAudit::Scanner) - .to receive(:ruby_version).and_return('2.1.0.dev') - expect(subject.map { |r| r.advisory.id }).to include('OSVDB-100113') - end + it 'handles preview versions' do + stub_const('RUBY_VERSION', '2.1.0') + stub_const('RUBY_PATCHLEVEL', -1) + allow_any_instance_of(RubyAudit::Scanner) + .to receive(:ruby_version).and_return('2.1.0.dev') + expect(subject.map { |r| r.advisory.id }).to include('CVE-2013-4164') + end - context 'when the :ignore option is given' do - subject { scanner.scan(ignore: ['OSVDB-120541']) } + context 'when the :ignore option is given' do + subject { scanner.scan(ignore: ['CVE-2015-1855']) } - it 'should 
ignore the specified advisories' do - expect(subject.map { |r| r.advisory.id }).not_to include('OSVDB-120541') - end + it 'should ignore the specified advisories' do + expect(subject.map { |r| r.advisory.id }).not_to include('CVE-2015-1855') end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 8dc5436..4763932 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,7 +1,6 @@ $LOAD_PATH.unshift File.expand_path('../lib', __dir__) require 'pry' require 'ruby_audit' -require 'timecop' RSpec.configure do |config| config.before(:each) do diff --git a/vendor/ruby-advisory-db b/vendor/ruby-advisory-db index 4dc8057..161d6cf 160000 --- a/vendor/ruby-advisory-db +++ b/vendor/ruby-advisory-db @@ -1 +1 @@ -Subproject commit 4dc8057443f2c331ac3ce5b497e4b37587f56264 +Subproject commit 161d6cf3899524565a22d8b83d861856ccb0af15
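Review bot: This hunk deletes the `before(:each)` that stubbed `RUBY_VERSION`, `RUBY_ENGINE` and `RUBY_PATCHLEVEL` along with the `context 'ruby'` wrapper, but the remaining examples (`'should match an unpatched Ruby'`, `'respects patch level'`, the `:ignore` case) still depend on those constants; unless an outer `before` above line 20 — outside this hunk — re-establishes them, the examples now read the host interpreter's real values and their expected advisory ids (`CVE-2015-1855`) become environment-dependent. Please confirm the stubs were moved rather than removed, and if so a short comment at the top of the restructured block naming which `before` supplies them would help the next reader. The enclosing describe starts and ends outside the hunk.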