- Opt into rubygems.org MFA requirement.
- Improve the readability of the suggested gem versions to upgrade to (pull #331).
- Fixed a regression introduced in 0.9.0 where the
bundler:auditrake task was not exiting with an error status code if vulnerabilities were found. Now when thebundler-auditcommand fails, the rake task will also exit with thebundler-auditcommand's error code. - If the
bundler-auditcommand could not be found for some reason raise the {Bundler::Audit::Task::CommandNotFound} exception.
- Add a workaround for Psych < 3.1.0 to support running on Ruby < 2.6.
(issue #319)
- Although, Ruby 2.5 and prior have all reached End-of-Life and are no longer receiving security updates. It is strongly advised that you should upgrade to a currently supported version of Ruby.
- Load advisory metadata using
YAML.safe_load. (issue #302)- Explicitly permit the
Dateclass for Psych >= 4.0.0 and Ruby >= 3.1.0.
- Explicitly permit the
- Added {Bundler::Audit::Advisory#to_h}. (pull #310)
- Added {Bundler::Audit::Database#commit_id}.
- Added the
--configoption. (pull #306) - Added the
junitoutput format (ex:--format junit). (pull #314) - Add missing output for CVSSv3 criticality information. (pull #302)
- Include criticality information in the JSON output as well. (pull #310)
bundle-audit statsnow prints the commit ID of the ruby-advisory-db.- Fixed a deprecation warning from Thor. (issue #317)
- Add the
bundle:audit:updatetask for updating the ruby-advisory-db. (pull #296) - Aliased
bundle:audittobundle:audit:check. - Aliased
bundler:audit:*tobundle:audit:*. - Rake tasks now execute
bundle-auditcommand as a subprocess to ensure isolation.
- No longer vendor ruby-advisory-db.
- Added {Bundler::Audit::Configuration}.
- Supports loading YAML configuration data from a
.bundler-audit.ymlfile.
- Supports loading YAML configuration data from a
- Added {Bundler::Audit::Results}.
- Added {Bundler::Audit::Report}.
- Added {Bundler::Audit::CLI::Formats}.
- Added {Bundler::Audit::CLI::Formats::Text}.
- Added {Bundler::Audit::CLI::Formats::JSON}.
- Added {Bundler::Audit::Database::DEFAULT_PATH}.
- Added {Bundler::Audit::Database.exists?}.
- Added {Bundler::Audit::Database#git?}.
- Added {Bundler::Audit::Database#update!}.
- Will raise a {Bundler::Audit::Database::UpdateFailed UpdateFailed}
exception, if the
git pullcommand fails.
- Will raise a {Bundler::Audit::Database::UpdateFailed UpdateFailed}
exception, if the
- Added {Bundler::Audit::Database#last_updated_at}.
- Added {Bundler::Audit::Scanner#report}.
- {Bundler::Audit::Database::USER_PATH} is now
Gem.user_homeaware.Gem.user_homewill try to inferHOME, even if it is not set.
- {Bundler::Audit::Database#download} will now raise a
{Bundler::Audit::Database::DownloadFailed DownloadFailed} exception, if the
git clonecommand fails. - {Bundler::Audit::Scanner#initialize}:
- Now accepts an additional
databaseandconfig_dot_filearguments. - Will now raise a
Bundler::GemfileLockNotFoundexception, if the givenGemfile.lockfile cannot be found.
- Now accepts an additional
- {Bundler::Audit::Scanner#scan_sources} will now ignore any source with a
127.0.0.0/8or::1/128IP address. - {Bundler::Audit::Scanner#scan_specs} will ignore any advisories listed in
{Bundler::Audit::Configuration#ignore}, which is loaded from the
.bundler-audit.ymlfile. - Deprecated {Bundler::Audit::Database.update!} in favor of {Bundler::Audit::Database#update! #update!}.
- Removed
Bundler::Audit::Database::VENDORED_PATH. - Removed
Bundler::Audit::Database::VENDORED_TIMESTAMP.
- Require thor ~> 1.0.
- Added
bundler-audit stats. - Added
bundler-audit download. bundler-audit check:- Now accepts a optional
DIRargument for the project directory.bundler-audit checkwill now print an explicit error message and exit, if the givenDIRdoes not exist.
- Will now auto-download ruby-advisory-db to ensure the latest advisory information is used on first run.
- Now supports a
--databaseoption for specifying a path to an alternative ruby-advisory-db copy. - Now supports a
--gemfile-lockoption for specifying a customGemfile.lockfile within the project directory. - Now supports a
--formatoption for specifying the desired format.textandjsonare supported, but other custom formats can be loaded. See {Bundler::Audit::CLI::Formats}. - Now supports a
--outputoption for writing the report output to a file. - Prints both CVE and GHSA IDs.
- Now accepts a optional
- Print all error messages to stderr.
- No longer print number of advisories in
bundler-audit version.
- Forgot to populate
data/ruby-advisory-db.
- Require thor >= 0.18, < 2.
- Added {Bundler::Audit::Advisory#ghsa} (@rschultheis).
- Added {Bundler::Audit::Advisory#cvss_v3} (@ahamlin-nr).
- Added {Bundler::Audit::Advisory#identifiers} (@rschultheis).
- Updated {Bundler::Audit::Advisory#criticality} ranges (@reedloden).
- Avoid rebasing the ruby-advisory-db when updating (@nicknovitski).
- Fixed issue with Bundler 2.x where source URIs are no longer parsed as
URI::HTTPobjects, but asBundler::URI::HTTPobjects. (@milgner) - Make it more explicit that git is required for database updates (@fatkodima)
- Require bundler
>= 1.2.0, < 3to support bundler 2.0.
- Added
--quietoption tocheckandupdatecommands (@jaredbeck). - Added
bin/bundler-auditwhich will be executed whenbundle auditis ran (@vassilevsky).
- Added {Bundler::Audit::Task}.
- Added {Bundler::Audit::Advisory#date}.
- Added {Bundler::Audit::Advisory#cve_id}.
- Added {Bundler::Audit::Advisory#osvdb_id}.
- Allow insecure gem sources (
http://andgit://), if they are hosted on a private network.
- Added the
--updateoption tobundler-audit check. bundler-audit updatenow returns a non-zero exit status on error.bundler-audit updateonly updates~/.local/share/ruby-advisory-db, if it is a git repository.
- Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
- Added {Bundler::Audit::Advisory#osvdb}.
- Resolve the IP addresses of gem sources and ignore intranet gem sources. (PR #90)
- Use ISO8601 date format when querying the git timestamp of ruby-advisory-db. (PR #92)
- Print the CVE or OSVDB id.
- No longer print "Unpatched versions found!" when an insecure gem source is detected. (PR #84)
- Added thor ~> 0.18 as a dependency.
- No longer rely on the vendored version of thor within bundler.
- Store the timestamp of when
data/ruby-advisory-dbwas last updated indata/ruby-advisory-db.ts. - Use
data/ruby-advisory-db.tsinstead of the creation time of thedataruby-advisory-dbdirectory, which is always the install time of the rubygem.
- Added {Bundler::Audit::Database.update!} which uses
gitto download ruby-advisory-db to~/.local/share/ruby-advisory-db. - {Bundler::Audit::Database.path} now returns the path to either
~/.local/share/ruby-advisory-dbor the vendored copy, depending on which is more recent.
- Added the
bundler-audit updatesub-command.
- Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly
parse approximate version requirements (
~> 1.2.3). - Updated the ruby-advisory-db.
- Added {Bundler::Audit::Advisory#unaffected_versions}.
- Added {Bundler::Audit::Advisory#unaffected?}.
- Added {Bundler::Audit::Advisory#patched?}.
- Renamed
Advisory#cveto {Bundler::Audit::Advisory#id}.
- Require bundler ~> 1.2.
- Vendor a full copy of the ruby-advisory-db.
- Added {Bundler::Audit::Advisory#path} for debugging purposes.
- Added {Bundler::Audit::Advisory#to_s} for debugging purposes.
- Simply parse the
Gemfile.lockinstead of loading the bundle (@grosser). - Exit with non-zero status on failure (@grosser).
- Fixed a Ruby 1.8 syntax error.
- Imported advisories from the Ruby Advisory DB.
- If the advisory has no
patched_versions, recommend removing or disabling the gem until a patch is made available.
- Initial release:
- Checks for vulnerable versions of gems in
Gemfile.lock. - Prints advisory information.
- Does not require a network connection.
- Checks for vulnerable versions of gems in