Updated vulnerability specs to use `skip` instead of `pending` to align
with RSpec 3+ semantics where pending means "expected to fail."
Background:
In RSpec 2, `pending` would skip tests. In RSpec 3+, `pending` marks
a test as expected to fail, and if it passes, that's an error. This was
causing issues in maintainer mode where passing tests were incorrectly
flagged as failures.
Changes:
- Replaced `pending unless verifying_fixed?` with `skip unless verifying_fixed?`
in 11 vulnerability spec files:
- broken_auth_spec.rb
- command_injection_spec.rb
- csrf_spec.rb
- insecure_dor_spec.rb
- mass_assignment_spec.rb
- password_complexity_spec.rb
- sensitive_data_exposure.rb
- sql_injection_spec.rb
- unvalidated_redirects_spec.rb
- url_access_spec.rb
- xss_spec.rb
Impact:
- Maintainer mode: Tests are properly skipped (no false failures)
- Training mode: Tests run and demonstrate vulnerabilities as before
- All tests pass with 0 failures in maintainer mode
Reference: https://rspec.info/blog/2014/05/notable-changes-in-rspec-3🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Ken Johnson