Merge upstream master and resolve conflicts

Author: local

.github/dependabot.yml

@@ -0,0 +1,22 @@
+version: 2
+updates:
+  - package-ecosystem: bundler
+    directory: "/"
+    schedule:
+      interval: weekly
+    cooldown:
+      semver-major-days: 7
+      semver-minor-days: 3
+      semver-patch-days: 2
+      default-days: 7
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    groups:
+      github-actions:
+        patterns:
+          - "*"
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7

.github/workflows/ruby.yml

@@ -1,10 +1,18 @@
 name: CI
 
-on: [ push, pull_request ]
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    types: [ opened, synchronize ]
+
+permissions: {}
 
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -14,7 +22,6 @@ jobs:
           - '3.2'
           - '3.3'
           - '3.4'
-          - '3.5'
           - '4.0'
           - jruby
           - truffleruby
@@ -25,15 +32,18 @@ jobs:
             rubygems_version: '3.6.9'
     name: Ruby ${{ matrix.ruby }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
         with:
           ruby-version: ${{ matrix.ruby }}
       - name: Update RubyGems
         env:
           RUBYGEMS_VERSION: ${{ matrix.rubygems_version }}
         run: |
+            # shellcheck disable=SC2086 # empty version is intentional: no arg means update to latest
             gem update --system ${RUBYGEMS_VERSION:-}
             gem -v
       - name: Install dependencies
@@ -44,13 +54,36 @@ jobs:
   # rubocop linting
   rubocop:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@afeafc3d1ab54a631816aba4c914a0081c12ff2f # v1.310.0
         with:
           ruby-version: 2.7
       - name: Install dependencies
         run: bundle install --jobs 4 --retry 3
       - name: Run rubocop
         run: bundle exec rubocop --parallel
+
+  lint-actions:
+    name: GitHub Actions audit
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run actionlint
+        uses: rhysd/actionlint@914e7df21a07ef503a81201c76d2b11c789d3fca # v1.7.12
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          advanced-security: false

README.md

@@ -1,7 +1,6 @@
 # bundler-audit
 
 [![CI](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml/badge.svg)](https://github.com/rubysec/bundler-audit/actions/workflows/ruby.yml)
-[![Code Climate](https://codeclimate.com/github/rubysec/bundler-audit.svg)](https://codeclimate.com/github/rubysec/bundler-audit)
 [![Gem Version](https://badge.fury.io/rb/bundler-audit.svg)](https://badge.fury.io/rb/bundler-audit)
 
 * [Homepage](https://github.com/rubysec/bundler-audit#readme)

spec/bundle/secure/Gemfile.lock

@@ -59,16 +59,16 @@ GEM
     marcel (1.0.2)
     method_source (1.0.0)
     mini_mime (1.1.2)
-    mini_portile2 (2.8.0)
+    mini_portile2 (2.8.9)
     minitest (5.17.0)
     nio4r (2.5.8)
-    nokogiri (1.13.10)
-      mini_portile2 (~> 2.8.0)
+    nokogiri (1.19.3)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.13.10-x86_64-linux)
+    nokogiri (1.19.3-x86_64-linux-gnu)
       racc (~> 1.4)
-    racc (1.6.1)
-    rack (2.2.6.3)
+    racc (1.8.1)
+    rack (2.2.23)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails (5.2.8)

spec/scanner_spec.rb

@@ -15,6 +15,129 @@
         }.to raise_error(Scanner::InvalidGemfileLock,/is not a valid Gemfile\.lock/)
       end
     end
+
+    context "when given no arguments" do
+      subject { described_class }
+
+      context "when a Gemfile.lock exists in Dir.pwd" do
+        it "must default root to Dir.pwd" do
+          Dir.chdir(directory) do
+            scanner = subject.new
+            expect(scanner.root).to eq(File.expand_path(Dir.pwd))
+          end
+        end
+      end
+    end
+
+    context "when given a root directory" do
+      let(:root) { directory }
+
+      subject { described_class.new(root) }
+
+      it "must set #root to the expanded directory path" do
+        expect(subject.root).to eq(File.expand_path(root))
+      end
+
+      it "must set #database" do
+        expect(subject.database).to be_kind_of(Database)
+      end
+
+      it "must set #lockfile by parsing the Gemfile.lock" do
+        expect(subject.lockfile).to be_kind_of(Bundler::LockfileParser)
+      end
+
+      it "must set #config to a default Configuration when no config file exists" do
+        expect(subject.config).to be_kind_of(Configuration)
+        expect(subject.config.ignore).to be_empty
+      end
+    end
+
+    context "when the Gemfile.lock does not exist in the root directory" do
+      let(:bad_dir) { File.join('spec','bundle','nonexistent') }
+
+      it "must raise Bundler::GemfileLockNotFound" do
+        expect {
+          described_class.new(bad_dir)
+        }.to raise_error(Bundler::GemfileLockNotFound)
+      end
+
+      it "must include the lock file name and root in the error message" do
+        expect {
+          described_class.new(bad_dir)
+        }.to raise_error(Bundler::GemfileLockNotFound, /Gemfile\.lock/)
+      end
+    end
+
+    context "when given a custom gemfile_lock name" do
+      it "must raise Bundler::GemfileLockNotFound if the custom lock file does not exist" do
+        expect {
+          described_class.new(directory, 'NoSuchLockFile.lock')
+        }.to raise_error(Bundler::GemfileLockNotFound)
+      end
+
+      it "must use the custom gemfile_lock name" do
+        scanner = described_class.new(directory, 'Gemfile.lock')
+        expect(scanner.lockfile).to be_kind_of(Bundler::LockfileParser)
+      end
+    end
+
+    context "when given a custom database" do
+      let(:custom_db) { Database.new }
+
+      subject { described_class.new(directory, 'Gemfile.lock', custom_db) }
+
+      it "must set #database to the custom database" do
+        expect(subject.database).to be(custom_db)
+      end
+    end
+
+    context "when a .bundler-audit.yml config file exists" do
+      let(:bundle) { 'unpatched_gems_with_dot_configuration' }
+
+      subject { described_class.new(directory) }
+
+      it "must load the configuration from the config file" do
+        expect(subject.config).to be_kind_of(Configuration)
+        expect(subject.config.ignore).to include('OSVDB-89025')
+      end
+    end
+
+    context "when given a custom config_dot_file" do
+      let(:config_path) { File.join('spec','bundle','unpatched_gems_with_dot_configuration','.bundler-audit.yml') }
+
+      context "when the config_dot_file is an absolute path" do
+        let(:absolute_config_path) { File.absolute_path(config_path) }
+
+        subject { described_class.new(directory, 'Gemfile.lock', Database.new, absolute_config_path) }
+
+        it "must load the configuration from the absolute path" do
+          expect(subject.config).to be_kind_of(Configuration)
+          expect(subject.config.ignore).to include('OSVDB-89025')
+        end
+      end
+
+      context "when the config_dot_file is a relative path" do
+        let(:relative_config_path) { File.join('..','unpatched_gems_with_dot_configuration','.bundler-audit.yml') }
+
+        subject { described_class.new(directory, 'Gemfile.lock', Database.new, relative_config_path) }
+
+        it "must load the configuration from the relative path" do
+          expect(subject.config).to be_kind_of(Configuration)
+          expect(subject.config.ignore).to include('OSVDB-89025')
+        end
+      end
+    end
+
+    context "when no .bundler-audit.yml config file exists" do
+      let(:bundle) { 'secure' }
+
+      subject { described_class.new(directory) }
+
+      it "must set #config to a default empty Configuration" do
+        expect(subject.config).to be_kind_of(Configuration)
+        expect(subject.config.ignore).to be_empty
+      end
+    end
   end
 
   describe "#scan" do