From 24cf1a1c9ed1b4b4f23c1ac0761d74f54318e198 Mon Sep 17 00:00:00 2001
From: Yoann Lecuyer
Date: Fri, 16 Sep 2022 11:36:42 +0200
Subject: [PATCH 1/2] Use correct version for jruby

---
 lib/ruby_audit/scanner.rb | 4 +-
 spec/scanner_spec.rb | 97 +++++++++++++++++++++++----------------
 2 files changed, 60 insertions(+), 41 deletions(-)

diff --git a/lib/ruby_audit/scanner.rb b/lib/ruby_audit/scanner.rb
index 2586d30..8535681 100644
--- a/lib/ruby_audit/scanner.rb
+++ b/lib/ruby_audit/scanner.rb
@@ -26,7 +26,9 @@ def scan(options = {}, &block)
 end
 
 def scan_ruby(options = {}, &block)
- version = if RUBY_PATCHLEVEL < 0
+ version = if RUBY_ENGINE == "jruby"
+ "#{JRUBY_VERSION}"
+ elsif RUBY_PATCHLEVEL < 0
 ruby_version
 else
 "#{RUBY_VERSION}.#{RUBY_PATCHLEVEL}"
diff --git a/spec/scanner_spec.rb b/spec/scanner_spec.rb
index 0f40cdc..66a0f20 100644
--- a/spec/scanner_spec.rb
+++ b/spec/scanner_spec.rb
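Review bot: `"#{JRUBY_VERSION}"` on the added line wraps a constant that is already a String in an interpolation; `JRUBY_VERSION` alone yields the same value and drops the redundant allocation (RuboCop Style/RedundantInterpolation). A short comment on the new branch would help readers who only know MRI, e.g. `# JRuby's own release number; RUBY_VERSION on JRuby is just the MRI compatibility level`. The rest of scan_ruby, including the advisory lookup that consumes `version`, lies outside the hunk, so it is not visible here whether that lookup is also scoped by RUBY_ENGINE; if it is not, a JRuby release number would be compared against MRI advisories, and nothing in the accompanying spec rules that out.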
@@ -5,59 +5,76 @@
 
 subject { scanner.scan.to_a }
 
- before(:each) do
- stub_const('RUBY_VERSION', '2.2.1')
- stub_const('RUBY_ENGINE', 'ruby')
- stub_const('RUBY_PATCHLEVEL', 85)
- allow_any_instance_of(RubyAudit::Scanner)
- .to receive(:rubygems_version).and_return('2.4.5')
- end
-
- context 'when auditing an unpatched Ruby' do
- it 'should match an unpatched Ruby to its advisories' do
- expect(subject.all? do |result|
- result.advisory.vulnerable?(result.gem.version)
- end).to be_truthy
- expect(subject.map { |r| r.advisory.id }).to include('OSVDB-120541')
+ context 'jruby' do
+ before(:each) do
+ stub_const('RUBY_ENGINE', 'jruby')
+ stub_const('JRUBY_VERSION', '1.4.0')
+ allow_any_instance_of(RubyAudit::Scanner)
+ .to receive(:rubygems_version).and_return('2.4.5')
 end
 
- it 'respects patch level' do
- stub_const('RUBY_VERSION', '1.9.3')
- stub_const('RUBY_PATCHLEVEL', 392)
- expect(subject.map { |r| r.advisory.id }).to include('OSVDB-113747')
+ it 'handles jruby versions' do
+ allow_any_instance_of(RubyAudit::Scanner)
+ .to receive(:ruby_version).and_return('1.4.0')
+ expect(subject.map { |r| r.advisory.id }).to include('CVE-2010-1330')
 end
+ end
 
- it 'handles preview versions' do
- stub_const('RUBY_VERSION', '2.1.0')
- stub_const('RUBY_PATCHLEVEL', -1)
+ context 'ruby' do
+ before(:each) do
+ stub_const('RUBY_VERSION', '2.2.1')
+ stub_const('RUBY_ENGINE', 'ruby')
+ stub_const('RUBY_PATCHLEVEL', 85)
 allow_any_instance_of(RubyAudit::Scanner)
- .to receive(:ruby_version).and_return('2.1.0.dev')
- expect(subject.map { |r| r.advisory.id }).to include('OSVDB-100113')
+ .to receive(:rubygems_version).and_return('2.4.5')
 end
 
- context 'when the :ignore option is given' do
- subject { scanner.scan(ignore: ['OSVDB-120541']) }
+ context 'when auditing an unpatched Ruby' do
+ it 'should match an unpatched Ruby to its advisories' do
+ expect(subject.all? do |result|
+ result.advisory.vulnerable?(result.gem.version)
+ end).to be_truthy
+ expect(subject.map { |r| r.advisory.id }).to include('OSVDB-120541')
+ end
 
- it 'should ignore the specified advisories' do
- expect(subject.map { |r| r.advisory.id }).not_to include('OSVDB-120541')
+ it 'respects patch level' do
+ stub_const('RUBY_VERSION', '1.9.3')
+ stub_const('RUBY_PATCHLEVEL', 392)
+ expect(subject.map { |r| r.advisory.id }).to include('OSVDB-113747')
 end
- end
- end
 
- context 'when auditing an unpatched RubyGems' do
- it 'should match an unpatched RubyGems to its advisories' do
- expect(subject.all? do |result|
- result.advisory.vulnerable?(result.gem.version)
- end).to be_truthy
- expect(subject.map { |r| r.advisory.id }).to include('CVE-2015-3900')
+ it 'handles preview versions' do
+ stub_const('RUBY_VERSION', '2.1.0')
+ stub_const('RUBY_PATCHLEVEL', -1)
+ allow_any_instance_of(RubyAudit::Scanner)
+ .to receive(:ruby_version).and_return('2.1.0.dev')
+ expect(subject.map { |r| r.advisory.id }).to include('OSVDB-100113')
+ end
+
+ context 'when the :ignore option is given' do
+ subject { scanner.scan(ignore: ['OSVDB-120541']) }
+
+ it 'should ignore the specified advisories' do
+ expect(subject.map { |r| r.advisory.id }).not_to include('OSVDB-120541')
+ end
+ end
 end
 
- context 'when the :ignore option is given' do
- subject { scanner.scan(ignore: ['CVE-2015-3900']) }
+ context 'when auditing an unpatched RubyGems' do
+ it 'should match an unpatched RubyGems to its advisories' do
+ expect(subject.all? do |result|
+ result.advisory.vulnerable?(result.gem.version)
+ end).to be_truthy
+ expect(subject.map { |r| r.advisory.id }).to include('CVE-2015-3900')
+ end
+
+ context 'when the :ignore option is given' do
+ subject { scanner.scan(ignore: ['CVE-2015-3900']) }
 
- it 'should ignore the specified advisories' do
- expect(subject.map { |r| r.advisory.id })
- .not_to include('CVE-2015-3900')
+ it 'should ignore the specified advisories' do
+ expect(subject.map { |r| r.advisory.id })
+ .not_to include('CVE-2015-3900')
+ end
 end
 end
 end
From e3942f608965efee9ff0eb3e1d547b1a04ee432b Mon Sep 17 00:00:00 2001
From: Yoann Lecuyer
Date: Fri, 16 Sep 2022 11:43:31 +0200
Subject: [PATCH 2/2] add changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fed42b0..6030734 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+### Changed
+
+* Use JRUBY_VERSION when checking jruby engine
+
 ## [2.1.0] - 2022-02-23
 
 ### Added
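Review bot: The jruby context's `allow_any_instance_of(RubyAudit::Scanner).to receive(:ruby_version).and_return('1.4.0')` stubs a helper that the new jruby branch of scan_ruby never calls (it reads JRUBY_VERSION directly), so the stub is dead and implies a code path that does not exist; drop those two lines, or if the intent is to prove the helper is bypassed, assert that instead with `expect_any_instance_of(RubyAudit::Scanner).not_to receive(:ruby_version)`. The context also only checks that one JRuby advisory is present; a companion assertion that an id the 'ruby' context expects, such as 'OSVDB-120541', is absent under RUBY_ENGINE 'jruby' would catch the lookup ignoring the engine, which cannot be confirmed from this hunk. Most of the remaining lines are re-indentation under the new 'ruby' context rather than behavioural change, and the enclosing describe block starts and ends outside the hunk.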