Merge pull request #35 from mikesaelim/fix-rubygems-check

Fix check for rubygems vulnerabilities

CHANGELOG.md

@@ -5,6 +5,13 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+### Fixed
+
+* [#35](https://github.com/civisanalytics/ruby_audit/pull/35)
+Look for rubygems advisories in the correct directory of the ruby-advisory-db
+
+## [2.3.0] - 2024-01-10
+
 ### Added
 
 * Support for Ruby 3.3
@@ -94,8 +101,11 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 * Initial Release
 
-[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD
-[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
+[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.3.0...HEAD
+[2.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.2.0...v2.3.0
+[2.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.1.0...v2.2.0
+[2.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...v2.1.0
+[2.0.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
 [1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0

lib/ruby_audit/database.rb

@@ -14,8 +14,8 @@ def check_ruby(ruby, &block)
       check(ruby, 'rubies', &block)
     end
 
-    def check_library(library, &block)
-      check(library, 'libraries', &block)
+    def check_rubygems(rubygems, &block)
+      check(rubygems, 'gems', &block)
     end
 
     def check(object, type = 'gems')
@@ -29,8 +29,7 @@ def check(object, type = 'gems')
     protected
 
     def each_advisory_path(&block)
-      Dir.glob(File.join(@path, '{gems,libraries,rubies}', '*', '*.yml'),
-               &block)
+      Dir.glob(File.join(@path, '{gems,rubies}', '*', '*.yml'), &block)
     end
 
     def each_advisory_path_for(name, type = 'gems', &block)

lib/ruby_audit/scanner.rb

@@ -36,8 +36,8 @@ def scan_ruby(options = {}, &block)
     end
 
     def scan_rubygems(options = {}, &block)
-      specs = [Version.new('rubygems', rubygems_version)]
-      scan_inner(specs, 'library', options, &block)
+      specs = [Version.new('rubygems-update', rubygems_version)]
+      scan_inner(specs, 'rubygems', options, &block)
     end
 
     private

spec/database_spec.rb

@@ -1,14 +1,14 @@
 require 'spec_helper'
 
 describe RubyAudit::Database do
-  describe '#check_library' do
-    let(:library) { RubyAudit::Scanner::Version.new('rubygems', '2.4.5') }
+  describe '#check_rubygems' do
+    let(:rubygems) { RubyAudit::Scanner::Version.new('rubygems-update', '2.4.5') }
 
     context 'when given a block' do
-      it 'should yield every advisory affecting the library' do
+      it 'should yield every advisory affecting the rubygems version' do
         advisories = []
 
-        subject.check_library(library) do |advisory|
+        subject.check_rubygems(rubygems) do |advisory|
           advisories << advisory
         end
 
@@ -17,14 +17,14 @@
                  advisory.is_a?(Bundler::Audit::Advisory)
                end).to be_truthy
         expect(advisories.map(&:id)).to include('CVE-2015-3900')
-        expect(advisories.map(&:path).reject { |p| p =~ /libraries/ })
+        expect(advisories.map(&:path).reject { |p| p =~ /rubygems-update/ })
           .to be_empty
       end
     end
 
     context 'when given no block' do
       it 'should return an Enumerator' do
-        expect(subject.check_library(library)).to be_kind_of(Enumerable)
+        expect(subject.check_rubygems(rubygems)).to be_kind_of(Enumerable)
       end
     end
   end
@@ -44,7 +44,7 @@
         expect(advisories.all? do |advisory|
                  advisory.is_a?(Bundler::Audit::Advisory)
                end).to be_truthy
-        expect(advisories.map(&:id)).to include('OSVDB-120541')
+        expect(advisories.map(&:id)).to include('CVE-2015-1855')
         expect(advisories.map(&:path).reject { |p| p =~ /rubies/ }).to be_empty
       end
     end

spec/scanner_spec.rb

@@ -18,28 +18,28 @@
       expect(subject.all? do |result|
                result.advisory.vulnerable?(result.gem.version)
              end).to be_truthy
-      expect(subject.map { |r| r.advisory.id }).to include('OSVDB-120541')
+      expect(subject.map { |r| r.advisory.id }).to include('CVE-2015-1855')
     end
 
     it 'respects patch level' do
       stub_const('RUBY_VERSION', '1.9.3')
       stub_const('RUBY_PATCHLEVEL', 392)
-      expect(subject.map { |r| r.advisory.id }).to include('OSVDB-113747')
+      expect(subject.map { |r| r.advisory.id }).to include('CVE-2014-8080')
     end
 
     it 'handles preview versions' do
       stub_const('RUBY_VERSION', '2.1.0')
       stub_const('RUBY_PATCHLEVEL', -1)
       allow_any_instance_of(RubyAudit::Scanner)
         .to receive(:ruby_version).and_return('2.1.0.dev')
-      expect(subject.map { |r| r.advisory.id }).to include('OSVDB-100113')
+      expect(subject.map { |r| r.advisory.id }).to include('CVE-2013-4164')
     end
 
     context 'when the :ignore option is given' do
-      subject { scanner.scan(ignore: ['OSVDB-120541']) }
+      subject { scanner.scan(ignore: ['CVE-2015-1855']) }
 
       it 'should ignore the specified advisories' do
-        expect(subject.map { |r| r.advisory.id }).not_to include('OSVDB-120541')
+        expect(subject.map { |r| r.advisory.id }).not_to include('CVE-2015-1855')
       end
     end
   end