Last active
June 25, 2020 14:15
-
-
Save garethr/7451782 to your computer and use it in GitHub Desktop.
Use bundler-audit as part of an rspec test to allow unit tests to be written to check for vulnerabilities of dependencies, based on data from https://github.com/rubysec/ruby-advisory-db
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'bundler/audit/scanner' | |
| describe "my application dependencies" do | |
| before(:all) do | |
| @issues = [] | |
| scanner = Bundler::Audit::Scanner.new | |
| scanner.scan do |result| | |
| case result | |
| when Bundler::Audit::Scanner::UnpatchedGem | |
| @issues << result.gem | |
| end | |
| end | |
| end | |
| it "should have no vulnerable gems" do | |
| @issues.should have(0).items | |
| end | |
| it "should have a safe version of ruby on rails" do | |
| @issues.each do |issue| | |
| issue.to_s.should_not match("^rails") | |
| end | |
| end | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # A Gemfile with a vulnerable version of rails in it | |
| source "https://rubygems.org" | |
| gem "rails", "3.2.13" | |
| gem "bundler-audit" | |
| gem "rspec" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ⚡ rspec audit-rspec.rb -f d | |
| my application dependencies | |
| should have no vulnerable gems (FAILED - 1) | |
| should have a safe version of ruby on rails | |
| Failures: | |
| 1) my application dependencies should have no vulnerable gems | |
| Failure/Error: @issues.should be_empty | |
| expected empty? to return true, got false | |
| # ./audit-rspec.rb:23:in `block (2 levels) in <top (required)>' | |
| Finished in 0.03949 seconds | |
| 2 examples, 1 failure | |
| Failed examples: | |
| rspec ./audit-rspec.rb:22 # my application dependencies should have no vulnerable gems |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment