Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix check for rubygems vulnerabilities #35

Merged
merged 4 commits into from
May 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,13 @@ This project adheres to [Semantic Versioning](http://semver.org/).

## [Unreleased]

### Fixed

* [#35](https://github.com/civisanalytics/ruby_audit/pull/35)
Look for rubygems advisories in the correct directory of the ruby-advisory-db

## [2.3.0] - 2024-01-10

### Added

* Support for Ruby 3.3
Expand Down Expand Up @@ -94,8 +101,11 @@ This project adheres to [Semantic Versioning](http://semver.org/).

* Initial Release

[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD
[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.3.0...HEAD
[2.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.2.0...v2.3.0
[2.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.1.0...v2.2.0
[2.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...v2.1.0
[2.0.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0
[1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0
[1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0
Expand Down
7 changes: 3 additions & 4 deletions lib/ruby_audit/database.rb
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,8 @@ def check_ruby(ruby, &block)
check(ruby, 'rubies', &block)
end

def check_library(library, &block)
check(library, 'libraries', &block)
def check_rubygems(rubygems, &block)
check(rubygems, 'gems', &block)
end

def check(object, type = 'gems')
Expand All @@ -29,8 +29,7 @@ def check(object, type = 'gems')
protected

def each_advisory_path(&block)
Dir.glob(File.join(@path, '{gems,libraries,rubies}', '*', '*.yml'),
&block)
Dir.glob(File.join(@path, '{gems,rubies}', '*', '*.yml'), &block)
end

def each_advisory_path_for(name, type = 'gems', &block)
Expand Down
4 changes: 2 additions & 2 deletions lib/ruby_audit/scanner.rb
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,8 @@ def scan_ruby(options = {}, &block)
end

def scan_rubygems(options = {}, &block)
specs = [Version.new('rubygems', rubygems_version)]
scan_inner(specs, 'library', options, &block)
specs = [Version.new('rubygems-update', rubygems_version)]
scan_inner(specs, 'rubygems', options, &block)
end

private
Expand Down
14 changes: 7 additions & 7 deletions spec/database_spec.rb
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
require 'spec_helper'

describe RubyAudit::Database do
describe '#check_library' do
let(:library) { RubyAudit::Scanner::Version.new('rubygems', '2.4.5') }
describe '#check_rubygems' do
let(:rubygems) { RubyAudit::Scanner::Version.new('rubygems-update', '2.4.5') }

context 'when given a block' do
it 'should yield every advisory affecting the library' do
it 'should yield every advisory affecting the rubygems version' do
advisories = []

subject.check_library(library) do |advisory|
subject.check_rubygems(rubygems) do |advisory|
advisories << advisory
end

Expand All @@ -17,14 +17,14 @@
advisory.is_a?(Bundler::Audit::Advisory)
end).to be_truthy
expect(advisories.map(&:id)).to include('CVE-2015-3900')
expect(advisories.map(&:path).reject { |p| p =~ /libraries/ })
expect(advisories.map(&:path).reject { |p| p =~ /rubygems-update/ })
.to be_empty
end
end

context 'when given no block' do
it 'should return an Enumerator' do
expect(subject.check_library(library)).to be_kind_of(Enumerable)
expect(subject.check_rubygems(rubygems)).to be_kind_of(Enumerable)
end
end
end
Expand All @@ -44,7 +44,7 @@
expect(advisories.all? do |advisory|
advisory.is_a?(Bundler::Audit::Advisory)
end).to be_truthy
expect(advisories.map(&:id)).to include('OSVDB-120541')
expect(advisories.map(&:id)).to include('CVE-2015-1855')
expect(advisories.map(&:path).reject { |p| p =~ /rubies/ }).to be_empty
end
end
Expand Down
10 changes: 5 additions & 5 deletions spec/scanner_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -18,28 +18,28 @@
expect(subject.all? do |result|
result.advisory.vulnerable?(result.gem.version)
end).to be_truthy
expect(subject.map { |r| r.advisory.id }).to include('OSVDB-120541')
expect(subject.map { |r| r.advisory.id }).to include('CVE-2015-1855')
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are the same advisories - ruby-advisory-db changed their IDs to be CVE-*.

end

it 'respects patch level' do
stub_const('RUBY_VERSION', '1.9.3')
stub_const('RUBY_PATCHLEVEL', 392)
expect(subject.map { |r| r.advisory.id }).to include('OSVDB-113747')
expect(subject.map { |r| r.advisory.id }).to include('CVE-2014-8080')
end

it 'handles preview versions' do
stub_const('RUBY_VERSION', '2.1.0')
stub_const('RUBY_PATCHLEVEL', -1)
allow_any_instance_of(RubyAudit::Scanner)
.to receive(:ruby_version).and_return('2.1.0.dev')
expect(subject.map { |r| r.advisory.id }).to include('OSVDB-100113')
expect(subject.map { |r| r.advisory.id }).to include('CVE-2013-4164')
end

context 'when the :ignore option is given' do
subject { scanner.scan(ignore: ['OSVDB-120541']) }
subject { scanner.scan(ignore: ['CVE-2015-1855']) }

it 'should ignore the specified advisories' do
expect(subject.map { |r| r.advisory.id }).not_to include('OSVDB-120541')
expect(subject.map { |r| r.advisory.id }).not_to include('CVE-2015-1855')
end
end
end
Expand Down
2 changes: 1 addition & 1 deletion vendor/ruby-advisory-db
Submodule ruby-advisory-db updated 1216 files
Loading