require 'spec_helper' describe "CLI" do include Helpers let(:command) do File.expand_path('../bundle/wrapper.rb', __FILE__) end context "when auditing a bundle with unpatched gems" do let(:bundle) { 'unpatched_gems' } let(:directory) { File.join('spec','bundle',bundle) } context "in default display mode" do subject do Dir.chdir(directory) { sh(command, :fail => true) } end it "should print a warning" do subject.should include("Unpatched versions found!") end it "should print advisory information for the vulnerable gems" do advisory_pattern = /(Name: [^\n]+ Version: \d+.\d+.\d+ Advisory: OSVDB-\d+ Criticality: (High|Medium) URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+ Title: [^\n]*? Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/ expect(subject).to match(advisory_pattern) expect(subject).to include("Unpatched versions found!") end end context "in verbose display mode" do subject do Dir.chdir(directory) { sh(command + " --verbose", :fail => true) } end it "should print a warning" do subject.should include("Unpatched versions found!") end it "should print advisory information for the vulnerable gems" do advisory_pattern = /(Name: [^\n]+ Version: \d+.\d+.\d+ Advisory: OSVDB-\d+ Criticality: (High|Medium) URL: http:\/\/(direct|www\.)?osvdb.org\/show\/osvdb\/\d+ Description: (( .*?)?\n)+ Solution: upgrade to ((~>|=>) \d+.\d+.\d+, )*(~>|=>) \d+.\d+.\d+[\s\n]*?)+/ expect(subject).to match(advisory_pattern) expect(subject).to include("Unpatched versions found!") end end end context "when displaying bundler-audit version" do let(:bundle) { 'unpatched_gems' } let(:directory) { File.join('spec','bundle',bundle) } let(:command) do File.expand_path('../bundle/wrapper.rb', __FILE__) + " version" end subject do # Ignoring failure here as bundle-audit version seems to return a # non-zero status, and Dir.chdir(directory) { sh(command, :fail => false) } end it "should show the version and number of known advisories" do # It prints a name based on $0, so our wrapper mucks up the display in a # predictable way. subject.should match(/^wrapper\.rb #{Regexp.quote('0.3.4')} \(advisories: \d+\)/) end end context "when auditing a bundle with ignored gems" do let(:bundle) { 'unpatched_gems' } let(:directory) { File.join('spec','bundle',bundle) } let(:command) do File.expand_path('../bundle/wrapper.rb', __FILE__) + " -i OSVDB-89026" end subject do Dir.chdir(directory) { sh(command, :fail => true) } end it "should not print advisory information for ignored gem" do subject.should_not include("OSVDB-89026") end end context "when auditing a bundle with insecure sources" do let(:bundle) { 'insecure_sources' } let(:directory) { File.join('spec','bundle',bundle) } subject do Dir.chdir(directory) { sh(command, :fail => true) } end it "should print warnings about insecure sources" do subject.should include(%{ Insecure Source URI found: git://github.com/rails/jquery-rails.git Insecure Source URI found: http://rubygems.org/ }.strip) end end context "when auditing a secure bundle" do let(:bundle) { 'secure' } let(:directory) { File.join('spec','bundle',bundle) } # Skip this test on any Ruby below 1.9.3. version = RUBY_VERSION.split(/\./).map(&:to_i) if((version[0] == 1 && version[1] >= 9 && version[2] >= 3) || (version[0] >= 2)) subject do Dir.chdir(directory) { sh(command) } end it "should notify us properly when everything is fine" do # We check the end of the output because a DB install/update "may" ( # _will_, in the case of the test but _may_ in the real world) have been # performed. subject.strip.should =~ /No unpatched versions found\Z/ end else it "should notify us properly when everything is fine" do pending "Requires ActiveSupport 4.x, which requires Ruby >= 1.9.3." end end end end