0.9.1 / 2022-05-19
CLI
- Improve the readability of the suggested gem versions to upgrade to (pull #331).
Rake Task
- Fixed a regression introduced in 0.9.0 where the bundler:audit rake task was not
  exiting with an error status code if vulnerabilities were found. Now when the
  bundler-audit command fails, the rake task will also exit with the bundler-audit
  command's error code.
- If the bundler-audit command could not be found for some reason, raise the
  Bundler::Audit::Task::CommandNotFound exception.
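Added illustration (not bundler-audit's own code) of the contract the two entries above describe: run the audit command as a subprocess, fail with that command's own exit status so CI notices reported vulnerabilities, and raise a CommandNotFound error when the executable is missing. The module name AuditRunner and the default command line are assumptions.

```ruby
# Added example, not code from the bundler-audit project: a minimal
# reimplementation of the exit-status behaviour of the bundler:audit rake task.
require 'rbconfig'

module AuditRunner
  # Raised when the audit executable cannot be found (mirrors the role of
  # Bundler::Audit::Task::CommandNotFound in the real rake task).
  class CommandNotFound < StandardError; end

  # Runs +command+ (an Array of program + arguments, no shell involved) as a
  # subprocess and returns its integer exit status.
  # Raises CommandNotFound if the program does not exist in PATH.
  def self.run(command)
    pid = Process.spawn(*command)
    _pid, status = Process.wait2(pid)
    # A signal-terminated process has no exit status; report it as a failure.
    status.exitstatus || 1
  rescue Errno::ENOENT
    raise CommandNotFound, "#{command.first} not found in PATH"
  end

  # The rake-task contract: returns true when the audit passed, otherwise
  # terminates the caller with the audit command's own exit code, so a
  # CI job wrapping `rake bundle:audit` fails when vulnerabilities are found.
  # Default command assumed; --update is the option added in 0.5.0.
  def self.check!(command = %w[bundle-audit check --update])
    status = run(command)
    return true if status.zero?

    warn "audit command exited with status #{status}"
    exit(status)
  end
end
```

The test below simulates the audit command with the running Ruby interpreter so it works without bundler-audit installed.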
0.9.0.1 / 2021-08-31
- Add a workaround for Psych < 3.1.0 to support running on Ruby < 2.6. (issue #319)
  - Note that Ruby 2.5 and prior have all reached End-of-Life and no longer
    receive security updates. Upgrading to a currently supported version of
    Ruby is strongly advised.
0.9.0 / 2021-08-31
CLI
- Added the --config option. (pull #306)
- Added the junit output format (ex: --format junit). (pull #314)
- Add missing output for CVSSv3 criticality information. (pull #302)
- Include criticality information in the JSON output as well. (pull #310)
- bundle-audit stats now prints the commit ID of the ruby-advisory-db.
- Fixed a deprecation warning from Thor. (issue #317)
Rake Task
- Add the bundle:audit:update task for updating the ruby-advisory-db. (pull #296)
- Aliased bundle:audit to bundle:audit:check.
- Aliased bundler:audit:* to bundle:audit:*.
- Rake tasks now execute the bundle-audit command as a subprocess to ensure
  isolation.
0.8.0 / 2021-03-10
CLI
- Require thor ~> 1.0.
- Added bundler-audit stats.
- Added bundler-audit download.
- bundler-audit check:
  - Now accepts an optional DIR argument for the project directory.
    bundler-audit check will now print an explicit error message and exit
    if the given DIR does not exist.
  - Will now auto-download ruby-advisory-db to ensure the latest advisory
    information is used on first run.
  - Now supports a --database option for specifying a path to an alternative
    ruby-advisory-db copy.
  - Now supports a --gemfile-lock option for specifying a custom Gemfile.lock
    file within the project directory.
  - Now supports a --format option for specifying the desired format. text and
    json are supported, but other custom formats can be loaded. See
    Bundler::Audit::CLI::Formats.
  - Now supports a --output option for writing the report output to a file.
  - Prints both CVE and GHSA IDs.
- Print all error messages to stderr.
- No longer print the number of advisories in bundler-audit version.
0.7.0.1 / 2020-06-12
- Forgot to populate data/ruby-advisory-db.
0.7.0 / 2020-06-12
0.6.1 / 2019-01-17
- Require bundler >= 1.2.0, < 3 to support bundler 2.0.
0.6.0 / 2017-07-18
- Added --quiet option to the check and update commands (@jaredbeck).
- Added bin/bundler-audit which will be executed when bundle audit is run
  (@vassilevsky).
0.5.0 / 2016-02-28
CLI
- Added the --update option to bundler-audit check.
- bundler-audit update now returns a non-zero exit status on error.
- bundler-audit update only updates ~/.local/share/ruby-advisory-db, if it is
  a git repository.
0.4.0 / 2015-06-30
- Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
- Added Bundler::Audit::Advisory#osvdb.
- Resolve the IP addresses of gem sources and ignore intranet gem sources. (PR #90)
- Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
  (PR #92)
CLI
- Print the CVE or OSVDB id.
- No longer print "Unpatched versions found!" when an insecure gem source is
  detected. (PR #84)
0.3.1 / 2014-04-20
- Added thor ~> 0.18 as a dependency.
- No longer rely on the vendored version of thor within bundler.
- Store the timestamp of when data/ruby-advisory-db was last updated in
  data/ruby-advisory-db.ts.
- Use data/ruby-advisory-db.ts instead of the creation time of the
  data/ruby-advisory-db directory, which is always the install time of the
  rubygem.
0.3.0 / 2013-10-31
CLI
- Added the bundler-audit update sub-command.
0.2.0 / 2013-03-05
0.1.2 / 2013-02-17
CLI
- Simply parse the Gemfile.lock instead of loading the bundle (@grosser).
- Exit with non-zero status on failure (@grosser).
0.1.1 / 2013-02-12
- Fixed a Ruby 1.8 syntax error.
Advisories
CLI
- If the advisory has no patched_versions, recommend removing or disabling the
  gem until a patch is made available.
0.1.0 / 2013-02-11
- Initial release:
  - Checks for vulnerable versions of gems in Gemfile.lock.
  - Prints advisory information.
  - Does not require a network connection.
Advisories