0.3.0 / 2013-10-31

• Added Bundler::Audit::Database.update! which uses git to download ruby-advisory-db to ~/.local/share/ruby-advisory-db.
• Bundler::Audit::Database.path now returns the path to either ~/.local/share/ruby-advisory-db or the vendored copy, depending on which is more recent.

CLI

• Added the bundle-audit update sub-command.

0.2.0 / 2013-03-05

• Require RubyGems >= 1.8.0. Prior versions of RubyGems could not correctly parse approximate version requirements (~> 1.2.3).
• Updated the ruby-advisory-db.
• Added Bundler::Audit::Advisory#unaffected_versions.
• Added Bundler::Audit::Advisory#unaffected?.
• Added Bundler::Audit::Advisory#patched?.
• Renamed Advisory#cve to Bundler::Audit::Advisory#id.

0.1.2 / 2013-02-17

• Require bundler ~> 1.2.
• Vendor a full copy of the ruby-advisory-db.
• Added Bundler::Audit::Advisory#path for debugging purposes.
• Added Bundler::Audit::Advisory#to_s for debugging purposes.

CLI

• Simply parse the Gemfile.lock instead of loading the bundle (@grosser).
• Exit with non-zero status on failure (@grosser).

0.1.1 / 2013-02-12

• Fixed a Ruby 1.8 syntax error.

Advisories

• Imported advisories from the Ruby Advisory DB.
  • CVE-2011-0739
  • CVE-2012-2139
  • CVE-2012-2140
  • CVE-2012-267
  • CVE-2012-1098
  • CVE-2012-1099
  • CVE-2012-2660
  • CVE-2012-2661
  • CVE-2012-3424
  • CVE-2012-3463
  • CVE-2012-3464
  • CVE-2012-3465

CLI

• If the advisory has no patched_versions, recommend removing or disabling the gem until a patch is made available.

0.1.0 / 2013-02-11

• Initial release:
  • Checks for vulnerable versions of gems in Gemfile.lock.
  • Prints advisory information.
  • Does not require a network connection.

Advisories

• CVE-2013-0269
• CVE-2013-0263
• CVE-2013-0155
• CVE-2013-0156
• CVE-2013-0276
• CVE-2013-0277
• CVE-2013-0333