From 73b938f7c74188a2ceb709149bf3f4098e98169f Mon Sep 17 00:00:00 2001 From: Mike Saelim Date: Mon, 6 May 2024 17:01:51 -0500 Subject: [PATCH 1/4] fix broken rubygems check --- lib/ruby_audit/database.rb | 7 +++---- lib/ruby_audit/scanner.rb | 4 ++-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/lib/ruby_audit/database.rb b/lib/ruby_audit/database.rb index cc337f4..2304220 100644 --- a/lib/ruby_audit/database.rb +++ b/lib/ruby_audit/database.rb @@ -14,8 +14,8 @@ def check_ruby(ruby, &block) check(ruby, 'rubies', &block) end - def check_library(library, &block) - check(library, 'libraries', &block) + def check_rubygems(rubygems, &block) + check(rubygems, 'gems', &block) end def check(object, type = 'gems') @@ -29,8 +29,7 @@ def check(object, type = 'gems') protected def each_advisory_path(&block) - Dir.glob(File.join(@path, '{gems,libraries,rubies}', '*', '*.yml'), - &block) + Dir.glob(File.join(@path, '{gems,rubies}', '*', '*.yml'), &block) end def each_advisory_path_for(name, type = 'gems', &block) diff --git a/lib/ruby_audit/scanner.rb b/lib/ruby_audit/scanner.rb index 2586d30..71c8d62 100644 --- a/lib/ruby_audit/scanner.rb +++ b/lib/ruby_audit/scanner.rb @@ -36,8 +36,8 @@ def scan_ruby(options = {}, &block) end def scan_rubygems(options = {}, &block) - specs = [Version.new('rubygems', rubygems_version)] - scan_inner(specs, 'library', options, &block) + specs = [Version.new('rubygems-update', rubygems_version)] + scan_inner(specs, 'rubygems', options, &block) end private From aa0118993bce5f6d7c0f8469a4306605dd83a824 Mon Sep 17 00:00:00 2001 From: Mike Saelim Date: Mon, 6 May 2024 17:05:13 -0500 Subject: [PATCH 2/4] update vendored ruby-advisory-db used for specs --- vendor/ruby-advisory-db | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/ruby-advisory-db b/vendor/ruby-advisory-db index 4dc8057..7ef0ac6 160000 --- a/vendor/ruby-advisory-db +++ b/vendor/ruby-advisory-db 
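Review bot: Renaming `check_library` to `check_rubygems` removes a public method from `RubyAudit::Database` with no compatibility alias, so any external caller of the old name now raises NoMethodError, yet the changelog files this under "Fixed" rather than as a breaking change. A one-line shim keeps old callers working: `alias_method :check_library, :check_rubygems`, ideally paired with a deprecation warning. The failure this fixes — looking up advisories in a directory that no longer exists and getting an empty result that reads as "no vulnerabilities" — is worth recording on the new method so the next relocation in ruby-advisory-db is not silently absorbed again: `# RubyGems advisories live in ruby-advisory-db under gems/rubygems-update/, not a separate libraries/ tree`. The rest of the class is outside the hunk.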
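Review bot: Nothing in the new `each_advisory_path` checks that the expected directories exist under `@path`; `Dir.glob` on a missing path yields nothing, so a wrong or stale database path is indistinguishable from a database with no advisories, and narrowing the glob to `{gems,rubies}` also means an older ruby-advisory-db checkout that still carries a `libraries/` tree has those advisories skipped rather than flagged. For a security scanner that silent-empty behaviour is the dangerous direction, so consider failing loudly when neither `gems` nor `rubies` is present, e.g. `raise ArgumentError, "no advisory directories under #{@path}"` (where that check belongs depends on how the scanner treats an empty database, which is not visible here). It would also help to document the minimum ruby-advisory-db revision this layout assumes. `each_advisory_path_for` below the hunk is cut off.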
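Review bot: Querying by `'rubygems-update'` also changes the name attached to each result, since the same string is what `Version.new('rubygems-update', rubygems_version)` carries, so output and any ignore or allow lists keyed on `rubygems` will now show `rubygems-update`; this user-visible rename is not mentioned in the changelog entry. If the old label is wanted, the display name and the advisory-db lookup key should be kept separate instead of overloading one `Version`. The second argument `'rubygems'` presumably selects `check_rubygems` inside `scan_inner`, which is outside the hunk; a short comment would make the pairing explicit: `# 'rubygems-update' is the gem ruby-advisory-db files RubyGems advisories under; assumes its versions match Gem::VERSION`.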
@@ -1 +1 @@ -Subproject commit 4dc8057443f2c331ac3ce5b497e4b37587f56264 +Subproject commit 7ef0ac6eeaedc63eb3a43ac7039ab195b958feaa From d2a81a002335cf583cb73e81800d5442b80816c5 Mon Sep 17 00:00:00 2001 From: Mike Saelim Date: Mon, 6 May 2024 17:18:29 -0500 Subject: [PATCH 3/4] update specs --- spec/database_spec.rb | 14 +++++++------- spec/scanner_spec.rb | 10 +++++----- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/spec/database_spec.rb b/spec/database_spec.rb index 8472803..f9d5eec 100644 --- a/spec/database_spec.rb +++ b/spec/database_spec.rb @@ -1,14 +1,14 @@ require 'spec_helper' describe RubyAudit::Database do - describe '#check_library' do - let(:library) { RubyAudit::Scanner::Version.new('rubygems', '2.4.5') } + describe '#check_rubygems' do + let(:rubygems) { RubyAudit::Scanner::Version.new('rubygems-update', '2.4.5') } context 'when given a block' do - it 'should yield every advisory affecting the library' do + it 'should yield every advisory affecting the rubygems version' do advisories = [] - subject.check_library(library) do |advisory| + subject.check_rubygems(rubygems) do |advisory| advisories << advisory end @@ -17,14 +17,14 @@ advisory.is_a?(Bundler::Audit::Advisory) end).to be_truthy expect(advisories.map(&:id)).to include('CVE-2015-3900') - expect(advisories.map(&:path).reject { |p| p =~ /libraries/ }) + expect(advisories.map(&:path).reject { |p| p =~ /rubygems-update/ }) .to be_empty end end context 'when given no block' do it 'should return an Enumerator' do - expect(subject.check_library(library)).to be_kind_of(Enumerable) + expect(subject.check_rubygems(rubygems)).to be_kind_of(Enumerable) end end end @@ -44,7 +44,7 @@ expect(advisories.all? do |advisory| advisory.is_a?(Bundler::Audit::Advisory) end).to be_truthy - expect(advisories.map(&:id)).to include('OSVDB-120541') + expect(advisories.map(&:id)).to include('CVE-2015-1855') expect(advisories.map(&:path).reject { |p| p =~ /rubies/ }).to be_empty end end 
diff --git a/spec/scanner_spec.rb b/spec/scanner_spec.rb index 0f40cdc..65f3bfa 100644 --- a/spec/scanner_spec.rb +++ b/spec/scanner_spec.rb @@ -18,13 +18,13 @@ expect(subject.all? do |result| result.advisory.vulnerable?(result.gem.version) end).to be_truthy - expect(subject.map { |r| r.advisory.id }).to include('OSVDB-120541') + expect(subject.map { |r| r.advisory.id }).to include('CVE-2015-1855') end it 'respects patch level' do stub_const('RUBY_VERSION', '1.9.3') stub_const('RUBY_PATCHLEVEL', 392) - expect(subject.map { |r| r.advisory.id }).to include('OSVDB-113747') + expect(subject.map { |r| r.advisory.id }).to include('CVE-2014-8080') end it 'handles preview versions' do @@ -32,14 +32,14 @@ stub_const('RUBY_PATCHLEVEL', -1) allow_any_instance_of(RubyAudit::Scanner) .to receive(:ruby_version).and_return('2.1.0.dev') - expect(subject.map { |r| r.advisory.id }).to include('OSVDB-100113') + expect(subject.map { |r| r.advisory.id }).to include('CVE-2013-4164') end context 'when the :ignore option is given' do - subject { scanner.scan(ignore: ['OSVDB-120541']) } + subject { scanner.scan(ignore: ['CVE-2015-1855']) } it 'should ignore the specified advisories' do - expect(subject.map { |r| r.advisory.id }).not_to include('OSVDB-120541') + expect(subject.map { |r| r.advisory.id }).not_to include('CVE-2015-1855') end end end From e7f3f242561ec4d83d75b7d0e13fcbbaa6a412bd Mon Sep 17 00:00:00 2001 From: Mike Saelim Date: Thu, 9 May 2024 05:33:04 -0500 Subject: [PATCH 4/4] update changelog --- CHANGELOG.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 81b9d8a..3a20f97 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,6 +5,13 @@ This project adheres to [Semantic Versioning](http://semver.org/). ## [Unreleased] +### Fixed + +* [#35](https://github.com/civisanalytics/ruby_audit/pull/35) +Look for rubygems advisories in the correct directory of the ruby-advisory-db + +## [2.3.0] - 2024-01-10 + ### Added * Support for Ruby 3.3 @@ -94,8 +101,11 @@ This project adheres to [Semantic Versioning](http://semver.org/). * Initial Release -[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD -[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0 +[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.3.0...HEAD +[2.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.2.0...v2.3.0 +[2.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.1.0...v2.2.0 +[2.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...v2.1.0 +[2.0.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0 [1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0 [1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0 [1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0