Merge pull request #17 from civisanalytics/compatibility-bundler-audi…

…t-0.8

Compatibility with bundler-audit 0.8

CHANGELOG.md

@@ -5,9 +5,16 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [2.0.0] - 2021-03-22
+
 ### Added
 
-* Added Ruby 3.0 to the Travis matrix, no changes needed
+* Require bundler-audit 0.8
+* Added Ruby 3.0 to the Travis matrix
+
+### Removed
+
+* Removed support for bundler-audit 0.7
 
 ## [1.3.0] - 2020-07-01
 
@@ -70,7 +77,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 * Initial Release
 
-[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...HEAD
+[Unreleased]: https://github.com/civisanalytics/ruby_audit/compare/v2.0.0...HEAD
+[1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.3.0...v2.0.0
 [1.3.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.2.0...v1.3.0
 [1.2.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.1.0...v1.2.0
 [1.1.0]: https://github.com/civisanalytics/ruby_audit/compare/v1.0.1...v1.1.0

lib/ruby_audit.rb

@@ -1,4 +1,3 @@
-require 'bundler/audit/cli'
 require 'ruby_audit/cli'
 require 'ruby_audit/database'
 require 'ruby_audit/scanner'

lib/ruby_audit/cli.rb

@@ -1,5 +1,10 @@
+require 'thor'
+
 module RubyAudit
-  class CLI < Bundler::Audit::CLI
+  class CLI < ::Thor
+    default_task :check
+    map '--version' => :version
+
     desc 'check', 'Checks Ruby and RubyGems for insecure versions'
     method_option :ignore, type: :array, aliases: '-i'
     method_option :no_update, type: :boolean, aliases: '-n'
@@ -52,6 +57,72 @@ def version
 
     private
 
+    def say(message = '', color = nil)
+      color = nil unless $stdout.tty?
+      super(message.to_s, color)
+    end
+
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/CyclomaticComplexity
+    # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/PerceivedComplexity
+    def print_advisory(gem, advisory)
+      say 'Name: ', :red
+      say gem.name
+
+      say 'Version: ', :red
+      say gem.version
+
+      say 'Advisory: ', :red
+
+      if advisory.cve
+        say advisory.cve_id
+      elsif advisory.osvdb
+        say advisory.osvdb_id
+      elsif advisory.ghsa
+        say advisory.ghsa_id
+      end
+
+      say 'Criticality: ', :red
+      case advisory.criticality
+      when :none     then say 'None'
+      when :low      then say 'Low'
+      when :medium   then say 'Medium', :yellow
+      when :high     then say 'High', %i[red bold]
+      when :critical then say 'Critical', %i[red bold]
+      else                say 'Unknown'
+      end
+
+      say 'URL: ', :red
+      say advisory.url
+
+      if options.verbose?
+        say 'Description:', :red
+        say
+
+        print_wrapped advisory.description, indent: 2
+        say
+      else
+
+        say 'Title: ', :red
+        say advisory.title
+      end
+
+      if advisory.patched_versions.empty?
+        say 'Solution: ', :red
+        say 'remove or disable this gem until a patch is available!', %i[red bold]
+      else
+        say 'Solution: upgrade to ', :red
+        say advisory.patched_versions.join(', ')
+      end
+
+      say
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+    # rubocop:enable Metrics/MethodLength
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/AbcSize
+
     def check_for_stale_database
       database = Database.new
       return unless database.size == 89

lib/ruby_audit/database.rb

@@ -1,3 +1,5 @@
+require 'bundler/audit/database'
+
 module RubyAudit
   class Database < Bundler::Audit::Database
     def advisories_for(name, type)

lib/ruby_audit/scanner.rb

@@ -1,5 +1,8 @@
+require 'bundler/audit/results/unpatched_gem'
+require 'set'
+
 module RubyAudit
-  class Scanner < Bundler::Audit::Scanner
+  class Scanner
     class Version
       def initialize(name, version)
         @name = name
@@ -9,11 +12,9 @@ def initialize(name, version)
       attr_reader :name, :version
     end
 
-    # rubocop:disable Lint/MissingSuper
     def initialize
       @database = Database.new
     end
-    # rubocop:enable Lint/MissingSuper
 
     def scan(options = {}, &block)
       return enum_for(__method__, options) unless block
@@ -61,7 +62,9 @@ def scan_inner(specs, type, options = {})
 
       specs.each do |spec|
         @database.send("check_#{type}".to_sym, spec) do |advisory|
-          yield UnpatchedGem.new(spec, advisory) unless ignore.intersect?(advisory.identifiers.to_set)
+          unless ignore.intersect?(advisory.identifiers.to_set)
+            yield Bundler::Audit::Results::UnpatchedGem.new(spec, advisory)
+          end
         end
       end
     end

lib/ruby_audit/version.rb

@@ -1,3 +1,3 @@
 module RubyAudit
-  VERSION = '1.3.0'.freeze
+  VERSION = '2.0.0'.freeze
 end

ruby_audit.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'bundler-audit', '~> 0.7.0'
+  spec.add_dependency 'bundler-audit', '~> 0.8.0'
   spec.add_development_dependency 'pry', '~> 0.13.0'
   spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.9'

spec/spec_helper.rb

@@ -5,7 +5,7 @@
 
 RSpec.configure do |config|
   config.before(:each) do
-    stub_const('Bundler::Audit::Database::VENDORED_PATH',
+    stub_const('Bundler::Audit::Database::DEFAULT_PATH',
                File.join(File.dirname(__FILE__), '..', 'vendor',
                          'ruby-advisory-db'))
   end