From c773d28bbec5a6d7681a477a581253d23d2a1e0a Mon Sep 17 00:00:00 2001
From: Ernesto Tagwerker
Date: Fri, 20 Sep 2019 14:09:36 -0400
Subject: [PATCH 1/4] Talk about `leaky?` gems, not `vulnerable?` gems
We want the public API to define methods that are talking about leaky gems, not vulnerable gems. A memory leak is not necessarily a vulnerability. :)
---
 lib/bundler/plumber/advisory.rb | 6 +++---
 lib/bundler/plumber/cli.rb | 6 +++---
 lib/bundler/plumber/database.rb | 2 +-
 spec/advisory_spec.rb | 10 +++++-----
 spec/integration_spec.rb | 2 +-
 spec/scanner_spec.rb | 2 +-
 6 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/lib/bundler/plumber/advisory.rb b/lib/bundler/plumber/advisory.rb
index dbeb0e0..d66e8f6 100644
--- a/lib/bundler/plumber/advisory.rb
+++ b/lib/bundler/plumber/advisory.rb
@@ -100,15 +100,15 @@ def patched?(version)
 end
 #
- # Checks whether the version is vulnerable to the advisory.
+ # Checks whether the version is leaky to the advisory.
 #
 # @param [Gem::Version] version
 # The version to compare against {#patched_versions}.
 #
 # @return [Boolean]
- # Specifies whether the version is vulnerable to the advisory or not.
+ # Specifies whether the version is leaky to the advisory or not.
 #
- def vulnerable?(version)
+ def leaky?(version)
 !patched?(version) && !unaffected?(version)
 end
diff --git a/lib/bundler/plumber/cli.rb b/lib/bundler/plumber/cli.rb
index 6962ff3..f79d6f1 100644
--- a/lib/bundler/plumber/cli.rb
+++ b/lib/bundler/plumber/cli.rb
@@ -39,10 +39,10 @@ def check
 update if options[:update]
 scanner = Scanner.new
- vulnerable = false
+ leaky = false
 scanner.scan do |result|
- vulnerable = true
+ leaky = true
 case result
 when Scanner::UnpatchedGem
@@ -50,7 +50,7 @@ def check
 end
 end
- if vulnerable
+ if leaky
 say "Leaks found!", :red
 exit 1
 else
diff --git a/lib/bundler/plumber/database.rb b/lib/bundler/plumber/database.rb
index 46bd803..5558c73 100644
--- a/lib/bundler/plumber/database.rb
+++ b/lib/bundler/plumber/database.rb
@@ -178,7 +178,7 @@ def check_gem(gem)
 return enum_for(__method__,gem) unless block_given?
 advisories_for(gem.name) do |advisory|
- if advisory.vulnerable?(gem.version)
+ if advisory.leaky?(gem.version)
 yield advisory
 end
 end
diff --git a/spec/advisory_spec.rb b/spec/advisory_spec.rb
index afd3389..53f5509 100644
--- a/spec/advisory_spec.rb
+++ b/spec/advisory_spec.rb
@@ -115,12 +115,12 @@
 end
 end
- describe "#vulnerable?" do
+ describe "#leaky?" do
 context "when passed a version that matches one patched version" do
 let(:version) { Gem::Version.new('0.12.4') }
 it "should return false" do
- expect(subject.vulnerable?(version)).to be_falsey
+ expect(subject.leaky?(version)).to be_falsey
 end
 end
@@ -128,7 +128,7 @@
 let(:version) { Gem::Version.new('2.9.0') }
 it "should return true" do
- expect(subject.vulnerable?(version)).to be_truthy
+ expect(subject.leaky?(version)).to be_truthy
 end
 context "when unaffected_versions is not empty" do
@@ -138,7 +138,7 @@
 let(:version) { Gem::Version.new(an_unaffected_version) }
 it "should return false" do
- expect(subject.vulnerable?(version)).to be_falsey
+ expect(subject.leaky?(version)).to be_falsey
 end
 end
@@ -146,7 +146,7 @@
 let(:version) { Gem::Version.new('1.2.3') }
 it "should return true" do
- expect(subject.vulnerable?(version)).to be_truthy
+ expect(subject.leaky?(version)).to be_truthy
 end
 end
 end
diff --git a/spec/integration_spec.rb b/spec/integration_spec.rb
index 29cce83..d1551f6 100644
--- a/spec/integration_spec.rb
+++ b/spec/integration_spec.rb
@@ -19,7 +19,7 @@
 expect(subject).to include("Leaks found!")
 end
- it "should print advisory information for the vulnerable gems" do
+ it "should print advisory information for the leaky gems" do
 advisory_pattern = /(Name: [^\n]+
 Version: \d+.\d+.\d+
 URL: https?:\/\/(www\.)?.+
diff --git a/spec/scanner_spec.rb b/spec/scanner_spec.rb
index f4ae06b..4bd23d8 100644
--- a/spec/scanner_spec.rb
+++ b/spec/scanner_spec.rb
@@ -32,7 +32,7 @@
 it "should match unpatched gems to their advisories" do
 expect(subject.all? { |result|
- result.advisory.vulnerable?(result.gem.version)
+ result.advisory.leaky?(result.gem.version)
 }).to be_truthy
 end
From 2692426fea6b3c1af7d243bc7ad6f076cae489e2 Mon Sep 17 00:00:00 2001
From: Ernesto Tagwerker
Date: Fri, 20 Sep 2019 14:10:25 -0400
Subject: [PATCH 2/4] Define our own ChangeLog.md, the previous version had the `bundler-leak` ChangeLog.md
---
 ChangeLog.md | 127 +++------------------------------------------------
 1 file changed, 6 insertions(+), 121 deletions(-)
diff --git a/ChangeLog.md b/ChangeLog.md
index 04d0319..93b0780 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,125 +1,10 @@
-### 0.6.0 / 2017-07-18
+### 0.1.0 / 2019-08-28
-* Added `--quiet` option to `check` and `update` commands (@jaredbeck).
-* Added `bin/bundler-audit` which will be executed when `bundle audit` is ran
- (@vassilevsky).
+* Improve database update logic
-### 0.5.0 / 2016-02-28
+### 0.0.0 / 2019-08-26
-* Added {Bundler::Audit::Task}.
-* Added {Bundler::Audit::Advisory#date}.
-* Added {Bundler::Audit::Advisory#cve_id}.
-* Added {Bundler::Audit::Advisory#osvdb_id}.
-* Allow insecure gem sources (`http://` and `git://`), if they are hosted on a
- private network.
+* Initial release
-#### CLI
-
-* Added the `--update` option to `bundle-audit check`.
-* `bundle-audit update` now returns a non-zero exit status on error.
-* `bundle-audit update` only updates `~/.local/share/ruby-advisory-db`, if it is a git
- repository.
-
-### 0.4.0 / 2015-06-30
-
-* Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
-* Added {Bundler::Audit::Advisory#osvdb}.
-* Resolve the IP addresses of gem sources and ignore intranet gem sources.
- (PR #90)
-* Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
- (PR #92)
-
-#### CLI
-
-* Print the CVE or OSVDB id.
-* No longer print "Unpatched versions found!" when an insecure gem source
- is detected. (PR #84)
-
-### 0.3.1 / 2014-04-20
-
-* Added thor ~> 0.18 as a dependency.
-* No longer rely on the vendored version of thor within bundler.
-* Store the timestamp of when `data/ruby-advisory-db` was last updated in
- `data/ruby-advisory-db.ts`.
-* Use `data/ruby-advisory-db.ts` instead of the creation time of the
- `dataruby-advisory-db` directory, which is always the install time
- of the rubygem.
-
-### 0.3.0 / 2013-10-31
-
-* Added {Bundler::Audit::Database.update!} which uses `git` to download
- [ruby-advisory-db] to `~/.local/share/ruby-advisory-db`.
-* {Bundler::Audit::Database.path} now returns the path to either
- `~/.local/share/ruby-advisory-db` or the vendored copy, depending on which
- is more recent.
-
-#### CLI
-
-* Added the `bundle-audit update` sub-command.
-
-### 0.2.0 / 2013-03-05
-
-* Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
- parse approximate version requirements (`~> 1.2.3`).
-* Updated the [ruby-advisory-db].
-* Added {Bundler::Audit::Advisory#unaffected_versions}.
-* Added {Bundler::Audit::Advisory#unaffected?}.
-* Added {Bundler::Audit::Advisory#patched?}.
-* Renamed `Advisory#cve` to {Bundler::Audit::Advisory#id}.
-
-### 0.1.2 / 2013-02-17
-
-* Require [bundler] ~> 1.2.
-* Vendor a full copy of the [ruby-advisory-db].
-* Added {Bundler::Audit::Advisory#path} for debugging purposes.
-* Added {Bundler::Audit::Advisory#to_s} for debugging purposes.
-
-#### CLI
-
-* Simply parse the `Gemfile.lock` instead of loading the bundle (@grosser).
-* Exit with non-zero status on failure (@grosser).
-
-### 0.1.1 / 2013-02-12
-
-* Fixed a Ruby 1.8 syntax error.
-
-### Advisories
-
-* Imported advisories from the [Ruby Advisory DB][ruby-advisory-db].
- * [CVE-2011-0739](http://www.osvdb.org/show/osvdb/70667)
- * [CVE-2012-2139](http://www.osvdb.org/show/osvdb/81631)
- * [CVE-2012-2140](http://www.osvdb.org/show/osvdb/81632)
- * [CVE-2012-267](http://osvdb.org/83077)
- * [CVE-2012-1098](http://osvdb.org/79726)
- * [CVE-2012-1099](http://www.osvdb.org/show/osvdb/79727)
- * [CVE-2012-2660](http://www.osvdb.org/show/osvdb/82610)
- * [CVE-2012-2661](http://www.osvdb.org/show/osvdb/82403)
- * [CVE-2012-3424](http://www.osvdb.org/show/osvdb/84243)
- * [CVE-2012-3463](http://osvdb.org/84515)
- * [CVE-2012-3464](http://www.osvdb.org/show/osvdb/84516)
- * [CVE-2012-3465](http://www.osvdb.org/show/osvdb/84513)
-
-### CLI
-
-* If the advisory has no `patched_versions`, recommend removing or disabling
- the gem until a patch is made available.
-
-### 0.1.0 / 2013-02-11
-
-* Initial release:
- * Checks for vulnerable versions of gems in `Gemfile.lock`.
- * Prints advisory information.
- * Does not require a network connection.
-
-#### Advisories
-
-* [CVE-2013-0269](http://direct.osvdb.org/show/osvdb/90074)
-* [CVE-2013-0263](http://osvdb.org/show/osvdb/89939)
-* [CVE-2013-0155](http://osvdb.org/show/osvdb/89025)
-* [CVE-2013-0156](http://osvdb.org/show/osvdb/89026)
-* [CVE-2013-0276](http://direct.osvdb.org/show/osvdb/90072)
-* [CVE-2013-0277](http://direct.osvdb.org/show/osvdb/90073)
-* [CVE-2013-0333](http://osvdb.org/show/osvdb/89594)
-
-[bundler]: http://gembundler.com/
-[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db#readme
+[bundler]: http://bundler.io/
+[ruby-mem-advisory-db]: https://github.com/rubymem/ruby-mem-advisory-db#readme
From b9e40c0a4591431240c3342b88e4dd2b2359716c Mon Sep 17 00:00:00 2001
From: Ernesto Tagwerker
Date: Fri, 20 Sep 2019 14:10:53 -0400
Subject: [PATCH 3/4] Make documentation more accurate
---
 README.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index a148fad..eb3f2c0 100644
--- a/README.md
+++ b/README.md
@@ -9,13 +9,13 @@
 ## Description
-Patch-level verification for [bundler].
+The best tool to find leaky gems in your dependencies. Make sure your memory leaks
+are not in your gem dependencies.
 ## Features
-* Checks for memory leaks of gems in `Gemfile.lock`.
-* Prints memory leak information.
-* Does not require a network connection.
+* Checks for memory leaks of gems in `Gemfile.lock`
+* Prints memory leak information
 ## Synopsis
@@ -93,7 +93,7 @@ task default: 'bundle:leak'
 ## License
-Copyright (c) 2019 Ombulabs (hello at ombulabs.com)
+Copyright (c) 2019 OmbuLabs (hello at ombulabs.com)
 Copyright (c) 2013-2016 Hal Brodigan (postmodern.mod3 at gmail.com)
From 6f2e582934a5cd46093570b6b36daa5a681af665 Mon Sep 17 00:00:00 2001
From: Ernesto Tagwerker
Date: Fri, 20 Sep 2019 15:16:33 -0400
Subject: [PATCH 4/4] Improve wording
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index eb3f2c0..eb50402 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@
 ## Description
-The best tool to find leaky gems in your dependencies. Make sure your memory leaks
+The best tool to find leaky gems in your dependencies. Make sure memory leaks
 are not in your gem dependencies.
 ## Features