Support Ruby 3.2

.github/workflows/test.yml

@@ -12,7 +12,7 @@ jobs:
   test:
     strategy:
       matrix:
-        ruby_version: [2.5, 2.6, 2.7, '3.0', 3.1]
+        ruby_version: [2.5, 2.6, 2.7, '3.0', 3.1, 3.2, 3.3]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2

.ruby-version

@@ -1 +1 @@
-3.1.0
+3.3.0

CHANGELOG.md

@@ -5,6 +5,37 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [2.3.1] - 2024-05-17
+
+### Removed
+
+* [#34](https://github.com/civisanalytics/ruby_audit/pull/34)
+Removed check for stale database that no longer does anything
+
+### Fixed
+
+* [#35](https://github.com/civisanalytics/ruby_audit/pull/35)
+Look for rubygems advisories in the correct directory of the ruby-advisory-db
+
+## [2.3.0] - 2024-01-10
+
+### Added
+
+* Support for Ruby 3.3
+
+## [2.2.0] - 2023-01-05
+
+### Added
+
+* Support for Ruby 3.2
+
+## [2.1.0] - 2022-02-23
+
+### Added
+
+* Support for ruby 3.1
+* Require bundler-audit >= 0.9
+
 ## [2.0.0] - 2021-03-22
 
 ### Added
@@ -77,8 +108,11 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 * Initial Release
 
-[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD
-[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
+[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.3.0...HEAD
+[2.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.2.0...v2.3.0
+[2.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.1.0...v2.2.0
+[2.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...v2.1.0
+[2.0.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
 [1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0

README.md

@@ -57,9 +57,12 @@ $ ruby-audit check -n
 
 After checking out the repo, run `bin/setup` to install dependencies.
 You'll also want to run `git submodule update --init` to populate the ruby-advisory-db
-submodule used for testing. Then, run `rake spec` to run the tests.
+submodule in `/vendor` that is used for testing. Then, run `rake spec` to run the tests.
 You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
+The database in `/vendor/ruby-advisory-db` is only used as a fixture for unit tests.
+By default, the database used for actual vulnerability checks is stored at `~/.local/share/ruby-advisory-db`.
+
 To install this gem onto your local machine, run `bundle exec rake install`.
 To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 

lib/ruby_audit/cli.rb

@@ -12,8 +12,6 @@ class CLI < ::Thor
     def check
       update unless options[:no_update]
 
-      check_for_stale_database
-
       scanner = Scanner.new
       vulnerable = false
 
@@ -30,7 +28,6 @@ def check
       end
     end
 
-    # Copied from bundler-audit master. Not present in 0.4.0.
     desc 'update', 'Updates the ruby-advisory-db'
     def update
       say 'Updating ruby-advisory-db ...'
@@ -45,14 +42,16 @@ def update
         say 'Skipping update', :yellow
       end
 
-      puts "ruby-advisory-db: #{Database.new.size} advisories"
+      database = Database.new
+      puts "ruby-advisory-db: #{database.size} advisories, " \
+           "last updated #{database.last_updated_at.utc}"
     end
 
     desc 'version', 'Prints the ruby-audit version'
     def version
       database = Database.new
-      puts "#{File.basename($PROGRAM_NAME)} #{VERSION} "\
-           "(advisories: #{database.size})"
+      puts "#{File.basename($PROGRAM_NAME)} #{VERSION} " \
+           "(advisories: #{database.size}, last updated: #{database.last_updated_at.utc})"
     end
 
     private
@@ -122,16 +121,5 @@ def print_advisory(gem, advisory)
     # rubocop:enable Metrics/MethodLength
     # rubocop:enable Metrics/CyclomaticComplexity
     # rubocop:enable Metrics/AbcSize
-
-    def check_for_stale_database
-      database = Database.new
-      return unless database.size == 89
-
-      # bundler-audit 0.4.0 comes bundled with an old verison of
-      # ruby-advisory-db that has 89 advisories and NO advisories for Ruby
-      # or RubyGems. If #size == 89, the database has never been updated.
-      say 'The database must be updated before using RubyAudit', :red
-      exit 1
-    end
   end
 end

lib/ruby_audit/database.rb

@@ -14,8 +14,8 @@ def check_ruby(ruby, &block)
       check(ruby, 'rubies', &block)
     end
 
-    def check_library(library, &block)
-      check(library, 'libraries', &block)
+    def check_rubygems(rubygems, &block)
+      check(rubygems, 'gems', &block)
     end
 
     def check(object, type = 'gems')
@@ -29,8 +29,7 @@ def check(object, type = 'gems')
     protected
 
     def each_advisory_path(&block)
-      Dir.glob(File.join(@path, '{gems,libraries,rubies}', '*', '*.yml'),
-               &block)
+      Dir.glob(File.join(@path, '{gems,rubies}', '*', '*.yml'), &block)
     end
 
     def each_advisory_path_for(name, type = 'gems', &block)

lib/ruby_audit/scanner.rb

@@ -36,8 +36,8 @@ def scan_ruby(options = {}, &block)
     end
 
     def scan_rubygems(options = {}, &block)
-      specs = [Version.new('rubygems', rubygems_version)]
-      scan_inner(specs, 'library', options, &block)
+      specs = [Version.new('rubygems-update', rubygems_version)]
+      scan_inner(specs, 'rubygems', options, &block)
     end
 
     private

lib/ruby_audit/version.rb

@@ -1,3 +1,3 @@
 module RubyAudit
-  VERSION = '2.0.1'.freeze
+  VERSION = '2.3.1'.freeze
 end

ruby_audit.gemspec

@@ -17,14 +17,14 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/civisanalytics/ruby_audit'
   spec.license       = 'GPL-3.0-or-later'
 
-  spec.required_ruby_version = ['>= 2.5', '< 3.2']
+  spec.required_ruby_version = ['>= 2.5', '< 3.4']
   spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
   spec.add_dependency 'bundler-audit', '~> 0.9.0'
-  spec.add_development_dependency 'pry', '~> 0.13.0'
+  spec.add_development_dependency 'pry', '~> 0.14.1'
   spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.9'
   spec.add_development_dependency 'rubocop', '~> 1.9.1'

spec/database_spec.rb

@@ -1,14 +1,14 @@
 require 'spec_helper'
 
 describe RubyAudit::Database do
-  describe '#check_library' do
-    let(:library) { RubyAudit::Scanner::Version.new('rubygems', '2.4.5') }
+  describe '#check_rubygems' do
+    let(:rubygems) { RubyAudit::Scanner::Version.new('rubygems-update', '2.4.5') }
 
     context 'when given a block' do
-      it 'should yield every advisory affecting the library' do
+      it 'should yield every advisory affecting the rubygems version' do
         advisories = []
 
-        subject.check_library(library) do |advisory|
+        subject.check_rubygems(rubygems) do |advisory|
           advisories << advisory
         end
 
@@ -17,14 +17,14 @@
                  advisory.is_a?(Bundler::Audit::Advisory)
                end).to be_truthy
         expect(advisories.map(&:id)).to include('CVE-2015-3900')
-        expect(advisories.map(&:path).reject { |p| p =~ /libraries/ })
+        expect(advisories.map(&:path).reject { |p| p =~ /rubygems-update/ })
           .to be_empty
       end
     end
 
     context 'when given no block' do
       it 'should return an Enumerator' do
-        expect(subject.check_library(library)).to be_kind_of(Enumerable)
+        expect(subject.check_rubygems(rubygems)).to be_kind_of(Enumerable)
       end
     end
   end
@@ -44,7 +44,7 @@
         expect(advisories.all? do |advisory|
                  advisory.is_a?(Bundler::Audit::Advisory)
                end).to be_truthy
-        expect(advisories.map(&:id)).to include('OSVDB-120541')
+        expect(advisories.map(&:id)).to include('CVE-2015-1855')
         expect(advisories.map(&:path).reject { |p| p =~ /rubies/ }).to be_empty
       end
     end

spec/scanner_spec.rb

@@ -18,28 +18,28 @@
       expect(subject.all? do |result|
                result.advisory.vulnerable?(result.gem.version)
              end).to be_truthy
-      expect(subject.map { |r| r.advisory.id }).to include('OSVDB-120541')
+      expect(subject.map { |r| r.advisory.id }).to include('CVE-2015-1855')
     end
 
     it 'respects patch level' do
       stub_const('RUBY_VERSION', '1.9.3')
       stub_const('RUBY_PATCHLEVEL', 392)
-      expect(subject.map { |r| r.advisory.id }).to include('OSVDB-113747')
+      expect(subject.map { |r| r.advisory.id }).to include('CVE-2014-8080')
     end
 
     it 'handles preview versions' do
       stub_const('RUBY_VERSION', '2.1.0')
       stub_const('RUBY_PATCHLEVEL', -1)
       allow_any_instance_of(RubyAudit::Scanner)
         .to receive(:ruby_version).and_return('2.1.0.dev')
-      expect(subject.map { |r| r.advisory.id }).to include('OSVDB-100113')
+      expect(subject.map { |r| r.advisory.id }).to include('CVE-2013-4164')
     end
 
     context 'when the :ignore option is given' do
-      subject { scanner.scan(ignore: ['OSVDB-120541']) }
+      subject { scanner.scan(ignore: ['CVE-2015-1855']) }
 
       it 'should ignore the specified advisories' do
-        expect(subject.map { |r| r.advisory.id }).not_to include('OSVDB-120541')
+        expect(subject.map { |r| r.advisory.id }).not_to include('CVE-2015-1855')
       end
     end
   end