From 4ee7737986b3127fbdf91430a64a741500d8d1f3 Mon Sep 17 00:00:00 2001
From: Markus Graf
Date: Thu, 1 Nov 2018 16:42:47 +0100
Subject: [PATCH 1/2] Refactor Bundler::Audit::Scanner. We only need to know the lockfile.
---
 lib/bundler/audit/scanner.rb | 14 ++++----------
 spec/scanner_spec.rb | 25 ++++++++++++-------------
 2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/lib/bundler/audit/scanner.rb b/lib/bundler/audit/scanner.rb
index 0916a485..14c75ae7 100644
--- a/lib/bundler/audit/scanner.rb
+++ b/lib/bundler/audit/scanner.rb
@@ -22,9 +22,6 @@ class Scanner # @return [Database] attr_reader :database - # Project root directory attr_reader :root - # The parsed `Gemfile.lock` from the project # # @return [Bundler::LockfileParser]
@@ -33,17 +30,14 @@ class Scanner # # Initializes a scanner. # - # @param [String] root - # The path to the project root. - # + # @param [String] gemfile_lock - # Alternative name for the `Gemfile.lock` file. + # Alternative path for the `Gemfile.lock` file. # - def initialize(root=Dir.pwd,gemfile_lock='Gemfile.lock') - @root = File.expand_path(root) + def initialize(gemfile_lock=File.join(Dir.pwd,'Gemfile.lock')) @database = Database.new @lockfile = LockfileParser.new( - File.read(File.join(@root,gemfile_lock)) + File.read(gemfile_lock) ) end
diff --git a/spec/scanner_spec.rb b/spec/scanner_spec.rb
index d69be654..09d7b1f0 100644
--- a/spec/scanner_spec.rb
+++ b/spec/scanner_spec.rb
@@ -3,10 +3,9 @@ describe Scanner do describe "#scan" do - let(:bundle) { 'unpatched_gems' } - let(:directory) { File.join('spec','bundle',bundle) } + let(:gemfile_lock) { File.join('spec','bundle','unpatched_gems','Gemfile.lock') } - subject { described_class.new(directory) } + subject { described_class.new(gemfile_lock) } it "should yield results" do results = []
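Review bot: The new `initialize` in the second scanner.rb hunk repurposes the first positional argument from a project directory to a lockfile path, so any existing caller that still passes a directory (the old `root`) now reaches `File.read` on a directory and gets an `Errno::EISDIR` with no hint that the signature changed; dropping the public `root` reader in the first hunk is the same incompatibility. A one-line shim ahead of the `File.read` keeps those callers working: `gemfile_lock = File.join(gemfile_lock, 'Gemfile.lock') if File.directory?(gemfile_lock)`. The YARD block should also document the failure mode that `File.read` already has, e.g. `# @raise [Errno::ENOENT] if `gemfile_lock` does not exist`. Whether anything else in the class still references `@root` cannot be seen from these hunks.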
@@ -24,9 +23,9 @@ end context "when auditing a bundle with unpatched gems" do - let(:bundle) { 'unpatched_gems' } - let(:directory) { File.join('spec','bundle',bundle) } - let(:scanner) { described_class.new(directory) } + let(:gemfile_lock) { File.join('spec','bundle','unpatched_gems','Gemfile.lock') } + + let(:scanner) { described_class.new(gemfile_lock) } subject { scanner.scan.to_a }
@@ -41,16 +40,16 @@ it "should ignore the specified advisories" do ids = subject.map { |result| result.advisory.id } - + expect(ids).not_to include('OSVDB-89026') end end end context "when auditing a bundle with insecure sources" do - let(:bundle) { 'insecure_sources' } - let(:directory) { File.join('spec','bundle',bundle) } - let(:scanner) { described_class.new(directory) } + let(:gemfile_lock) { File.join('spec','bundle','insecure_sources','Gemfile.lock') } + + let(:scanner) { described_class.new(gemfile_lock) } subject { scanner.scan.to_a }
@@ -61,9 +60,9 @@ end context "when auditing a secure bundle" do - let(:bundle) { 'secure' } - let(:directory) { File.join('spec','bundle',bundle) } - let(:scanner) { described_class.new(directory) } + let(:gemfile_lock) { File.join('spec','bundle','secure','Gemfile.lock') } + + let(:scanner) { described_class.new(gemfile_lock) } subject { scanner.scan.to_a }
From 79bdf7d7d6ad9a28399b6130cdbb9ba6ced5c974 Mon Sep 17 00:00:00 2001
From: Markus Graf
Date: Thu, 1 Nov 2018 16:43:47 +0100
Subject: [PATCH 2/2] Support of the environment variable BUNDLE_GEMFILE as it is done in the bundler.
---
 lib/bundler/audit/cli.rb | 4 ++--
 spec/integration_spec.rb | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/bundler/audit/cli.rb b/lib/bundler/audit/cli.rb
index deb1b2a7..3dcce5ec 100644
--- a/lib/bundler/audit/cli.rb
+++ b/lib/bundler/audit/cli.rb
@@ -37,8 +37,8 @@ class CLI < ::Thor def check update if options[:update] - - scanner = Scanner.new + gemfile_lock = ENV['BUNDLE_GEMFILE'] ? ENV['BUNDLE_GEMFILE'] + '.lock' : 'Gemfile.lock' + scanner = Scanner.new gemfile_lock vulnerable = false scanner.scan(:ignore => options.ignore) do |result|
diff --git a/spec/integration_spec.rb b/spec/integration_spec.rb
index 1ea487bd..e0cfb2a5 100644
--- a/spec/integration_spec.rb
+++ b/spec/integration_spec.rb
@@ -79,6 +79,16 @@ end end + context "when auditing a specific Gemfile using BUNDLE_GEMFILE" do + subject do + sh("BUNDLE_GEMFILE=spec/bundle/secure/Gemfile #{command}") + end + + it "should print nothing when everything is fine" do + expect(subject.strip).to eq("No vulnerabilities found") + end + end + describe "update" do let(:update_command) { "#{command} update" }
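Review bot: The `BUNDLE_GEMFILE` lookup in `check` treats an empty value as set, because `""` is truthy in Ruby, so `BUNDLE_GEMFILE=` makes the CLI look for a lockfile literally named `.lock`; as far as I recall Bundler itself, which the commit message says it mirrors, treats an empty `BUNDLE_GEMFILE` as unset. Replace the ternary with `gemfile = ENV['BUNDLE_GEMFILE']` followed by `gemfile_lock = gemfile && !gemfile.empty? ? "#{gemfile}.lock" : 'Gemfile.lock'`, and call the constructor with parentheses, `scanner = Scanner.new(gemfile_lock)`, as the `scanner.scan(...)` call below it does. The body of `check` continues past the end of the hunk.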
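Review bot: The new integration context only shows that a secure bundle named through `BUNDLE_GEMFILE` reports nothing, which is the same output the command would print if the variable were ignored and the repository's own `Gemfile.lock` happened to be clean, so the spec does not actually pin the new lookup. A context that points the variable at a bundle whose lockfile is known to carry advisories, e.g. `sh("BUNDLE_GEMFILE=spec/bundle/unpatched_gems/Gemfile #{command}")`, and expects the output not to equal `"No vulnerabilities found"` would fail if the variable were dropped; this presumes `sh` tolerates whatever exit status the CLI returns for a vulnerable bundle, which cannot be seen here. The example name `"should print nothing when everything is fine"` also contradicts the asserted output; `"should report no vulnerabilities"` matches what is checked.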