require 'spec_helper'
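describe "CLI" do
  include Helpers

  # Absolute path of the bundler-audit executable under test. Contexts that
  # need CLI flags append them to this string; the original spec embedded the
  # flags in the argument to File.expand_path, which is a path function and
  # only worked because the space-separated flags survived normalisation.
  let(:executable) do
    File.expand_path(File.join(File.dirname(__FILE__), '..', 'bin', 'bundler-audit'))
  end
  let(:command) { executable }

  # Every context audits one fixture bundle under spec/bundle/<bundle>;
  # each context supplies its own `bundle` name.
  let(:directory) { File.join('spec', 'bundle', bundle) }

  context "when auditing a bundle with unpatched gems" do
    let(:bundle) { 'unpatched_gems' }

    # NOTE(review): presumably `fail: true` tells Helpers#sh to tolerate a
    # non-zero exit status (the CLI reports findings) — confirm against the helper.
    subject do
      Dir.chdir(directory) { sh(command, fail: true) }
    end

    it "should print a warning" do
      expect(subject).to include("Vulnerabilities found!")
    end

    it "should print advisory information for the vulnerable gems" do
      # One advisory block as printed by the CLI. The pattern lines start at
      # column 0 on purpose: the literal newlines and any leading whitespace are
      # part of the regex. CVE sequence numbers are at least four digits, so
      # the Advisory line must not be pinned to exactly four.
      advisory_pattern = %r{(Name: [^\n]+
Version: \d+\.\d+\.\d+(\.\d+)?
Advisory: CVE-[0-9]{4}-[0-9]{4,}
Criticality: (Critical|High|Medium|Low|None|Unknown)
URL: https?://(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#!?&//=]*)
Title: [^\n]*?
Solution: upgrade to (~>|>=) \d+\.\d+\.\d+(\.\d+)?(, (~>|>=) \d+\.\d+\.\d+(\.\d+)?)*[\s\n]*?)}
      expect(subject).to match(advisory_pattern)
      expect(subject).to include("Vulnerabilities found!")
    end
  end

  context "when auditing a bundle with ignored gems" do
    let(:bundle) { 'unpatched_gems' }
    # Build the command line from the executable path plus the ignore flag,
    # the same way the "update" describe below composes its command.
    let(:command) { "#{executable} -i CVE-2013-0156" }

    subject do
      Dir.chdir(directory) { sh(command, fail: true) }
    end

    it "should not print advisory information for ignored gem" do
      expect(subject).not_to include("CVE-2013-0156")
    end
  end

  context "when auditing a bundle with filtered criticality" do
    let(:bundle) { 'unpatched_gems' }
    let(:command) { "#{executable} -f medium" }

    subject do
      Dir.chdir(directory) { sh(command, fail: true) }
    end

    it "should print advisories for filtered criticality" do
      expect(subject).not_to include("Criticality: High")
      expect(subject).to include("Criticality: Medium")
    end
  end

  context "when auditing a bundle with insecure sources" do
    let(:bundle) { 'insecure_sources' }

    subject do
      Dir.chdir(directory) { sh(command, fail: true) }
    end

    it "should print warnings about insecure sources" do
      # Expected lines start at column 0: `strip` only trims the ends of the
      # whole string, so indenting the inner lines would change the match.
      expect(subject).to include(%{
Insecure Source URI found: git://github.com/rails/jquery-rails.git
Insecure Source URI found: http://rubygems.org/
      }.strip)
    end
  end

  context "when auditing a secure bundle" do
    let(:bundle) { 'secure' }

    # Unlike the vulnerable-bundle contexts, sh is called without `fail: true`.
    subject do
      Dir.chdir(directory) { sh(command) }
    end

    it "should print nothing when everything is fine" do
      expect(subject.strip).to eq("No vulnerabilities found")
    end
  end

  describe "update" do
    let(:update_command) { "#{command} update" }
    let(:bundle) { 'secure' }

    subject do
      Dir.chdir(directory) { sh(update_command) }
    end

    context "when advisories update successfully" do
      it "should print status" do
        expect(subject).not_to include("Fail")
        expect(subject).to include("Updating ruby-advisory-db ...\n")
        expect(subject).to include("Updated ruby-advisory-db\n")
        # The advisory count is printed last; require at least two digits.
        expect(subject.lines.last).to match(/ruby-advisory-db: [1-9]\d+ advisories/)
      end
    end
  end
end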