Merge pull request #18 from codeclimate/devon/add-support-for-insecure-source

Add support for insecure source checks

Author: dblandin

.codeclimate.yml

@@ -13,8 +13,12 @@ engines:
   rubocop:
     enabled: true
     exclude_fingerprints:
-    # Ignoring long method length for Issue#to_json
-    - 3d618821b1ce28599d6c54f90bb4df59
+    # Ignoring long method length for Analyzer#run
+    - b18e3ac8a9b02f26a0b769f67d758761
+    # Ignoring long method length for UnpatchedGemIssue#to_json
+    - 60d15e0a35747ad1c4a7dfe29301f3bd
+    # Ignoring long method length for InsecureSourceIssue#to_json
+    - f861a7b796b8b07217f4a75db9bb631d
 ratings:
   paths:
   - "**.rb"

lib/cc/engine/bundler_audit.rb

@@ -3,12 +3,22 @@
 require "versionomy"
 
 require "cc/engine/bundler_audit/analyzer"
-require "cc/engine/bundler_audit/issue"
-require "cc/engine/bundler_audit/remediation"
+require "cc/engine/bundler_audit/insecure_source_issue"
+require "cc/engine/bundler_audit/unpatched_gem_issue"
+require "cc/engine/bundler_audit/unpatched_gem_remediation"
 
 module CC
   module Engine
     module BundlerAudit
     end
   end
 end
+
+# Patch Bundler::Audit::Scanner to prevent network access during insecure
+# source checks
+
+Bundler::Audit::Scanner.module_eval do
+  def internal_host?(_uri)
+    false
+  end
+end

lib/cc/engine/bundler_audit/analyzer.rb

@@ -4,18 +4,21 @@ module BundlerAudit
       class Analyzer
         GemfileLockNotFound = Class.new(StandardError)
 
-        def initialize(directory:, io: STDOUT)
+        def initialize(directory:, stdout: STDOUT, stderr: STDERR)
           @directory = directory
-          @io = io
+          @stdout = stdout
+          @stderr = stderr
         end
 
         def run
           if gemfile_lock_exists?
             Dir.chdir(directory) do
               Bundler::Audit::Scanner.new.scan do |vulnerability|
-                issue = Issue.new(vulnerability, gemfile_lock_lines)
-
-                io.print("#{issue.to_json}\0")
+                if (issue = issue_for_vulerability(vulnerability))
+                  stdout.print("#{issue.to_json}\0")
+                else
+                  stderr.print("Unsupported vulnerability: #{vulnerability.class.name}")
+                end
               end
             end
           else
@@ -25,10 +28,19 @@ def run
 
         private
 
-        attr_reader :directory, :io
+        attr_reader :directory, :stdout, :stderr
+
+        def issue_for_vulerability(vulnerability)
+          case vulnerability
+          when Bundler::Audit::Scanner::UnpatchedGem
+            UnpatchedGemIssue.new(vulnerability, gemfile_lock_lines)
+          when Bundler::Audit::Scanner::InsecureSource
+            InsecureSourceIssue.new(vulnerability, gemfile_lock_lines)
+          end
+        end
 
         def gemfile_lock_lines
-          @gemfile_lock_lines ||= File.open(gemfile_lock_path).lines.to_a
+          @gemfile_lock_lines ||= File.open(gemfile_lock_path).each_line.to_a
         end
 
         def gemfile_lock_exists?

lib/cc/engine/bundler_audit/insecure_source_issue.rb

@@ -0,0 +1,48 @@
+module CC
+  module Engine
+    module BundlerAudit
+      class InsecureSourceIssue
+        REMEDIATION_POINTS = 5_000_000
+        SOURCE_REGEX = /^\s*remote: (?<source>\S+)/
+
+        def initialize(result, gemfile_lock_lines)
+          @source = result.source
+          @gemfile_lock_lines = gemfile_lock_lines
+        end
+
+        def to_json(*a)
+          {
+            categories: %w[Security],
+            check_name: "Insecure Source",
+            content: {
+              body: "",
+            },
+            description: "Insecure Source URI found: #{source}",
+            location: {
+              path: "Gemfile.lock",
+              lines: {
+                begin: line_number,
+                end: line_number,
+              },
+            },
+            remediation_points: REMEDIATION_POINTS,
+            severity: "normal",
+            type: "Issue",
+          }.to_json(a)
+        end
+
+        private
+
+        attr_reader :source, :gemfile_lock_lines
+
+        def line_number
+          @line_number ||= begin
+            gemfile_lock_lines.find_index do |line|
+              (match = SOURCE_REGEX.match(line)) && match[:source] == source
+            end + 1
+          end
+        end
+      end
+    end
+  end
+end

lib/cc/engine/bundler_audit/issue.rb renamed to lib/cc/engine/bundler_audit/unpatched_gem_issue.rb

@@ -1,7 +1,7 @@
 module CC
   module Engine
     module BundlerAudit
-      class Issue
+      class UnpatchedGemIssue
         GEM_REGEX = /^\s*(?<name>\S+) \([\d.]+\)/
         SEVERITIES = {
           high: "critical",
@@ -63,7 +63,7 @@ def remediation_points
             requirements.last
           end
 
-          Remediation.new(gem.version, patched_versions).points
+          UnpatchedGemRemediation.new(gem.version, patched_versions).points
         end
 
         def severity

lib/cc/engine/bundler_audit/remediation.rb renamed to lib/cc/engine/bundler_audit/unpatched_gem_remediation.rb

@@ -1,7 +1,7 @@
 module CC
   module Engine
     module BundlerAudit
-      class Remediation
+      class UnpatchedGemRemediation
         MAJOR_UPGRADE_POINTS = 50_000_000
         MINOR_UPGRADE_POINTS = 5_000_000
         PATCH_UPGRADE_POINTS = 500_000

spec/cc/engine/bundler_audit/analyzer_spec.rb

@@ -5,22 +5,51 @@ module CC::Engine::BundlerAudit
     describe "#run" do
       it "raises an error when no Gemfile.lock exists" do
         directory = fixture_directory("no_gemfile_lock")
-        io = StringIO.new
 
-        expect { Analyzer.new(directory: directory, io: io).run }.
+        expect { Analyzer.new(directory: directory).run }.
           to raise_error(Analyzer::GemfileLockNotFound)
       end
 
-      it "emits issues for Gemfile.lock problems" do
-        io = StringIO.new
+      it "emits issues for unpatched gems in Gemfile.lock" do
         directory = fixture_directory("unpatched_versions")
 
-        audit = Analyzer.new(directory: directory, io: io)
+        issues = analyze_directory(directory)
+
+        expect(issues).to eq(expected_issues("unpatched_versions"))
+      end
+
+      it "emits issues for insecure sources in Gemfile.lock" do
+        directory = fixture_directory("insecure_source")
+
+        issues = analyze_directory(directory)
+
+        expect(issues).to eq(expected_issues("insecure_source"))
+      end
+
+      it "logs to stderr when we encounter an unsupported vulnerability" do
+        directory = fixture_directory("unpatched_versions")
+        stderr = StringIO.new
+
+        stub_vulnerability("UnhandledVulnerability")
+
+        analyze_directory(directory, stderr: stderr)
+
+        expect(stderr.string).to eq("Unsupported vulnerability: UnhandledVulnerability")
+      end
+
+      def analyze_directory(directory, stdout: StringIO.new, stderr: StringIO.new)
+        audit = Analyzer.new(directory: directory, stdout: stdout, stderr: stderr)
         audit.run
 
-        issues = io.string.split("\0").map { |issue| JSON.load(issue) }
+        stdout.string.split("\0").map { |issue| JSON.load(issue) }
+      end
+
+      def stub_vulnerability(name)
+        scanner = double(:scanner)
+        vulnerability = double(:vulnerability, class: double(name: name))
 
-        expect(issues).to eq(expected_issues("unpatched_versions"))
+        allow(Bundler::Audit::Scanner).to receive(:new).and_return(scanner)
+        allow(scanner).to receive(:scan).and_yield(vulnerability)
       end
 
       def expected_issues(fixture)

spec/cc/engine/bundler_audit/remediation_spec.rb

@@ -1,30 +1,30 @@
 require "spec_helper"
 
 module CC::Engine::BundlerAudit
-  describe Remediation do
+  describe UnpatchedGemRemediation do
     describe "#points" do
       it "returns major upgrade remediation points when an upgrade requies a major version bump" do
-        remediation = Remediation.new("1.0.0", %w[2.0.1 3.0.1])
+        remediation = UnpatchedGemRemediation.new("1.0.0", %w[2.0.1 3.0.1])
 
-        expect(remediation.points).to eq(Remediation::MAJOR_UPGRADE_POINTS)
+        expect(remediation.points).to eq(UnpatchedGemRemediation::MAJOR_UPGRADE_POINTS)
       end
 
       it "returns minor upgrade remediation points when an upgrade requies a minor version bump" do
-        remediation = Remediation.new("1.0.0", %w[1.2.1 2.2.1])
+        remediation = UnpatchedGemRemediation.new("1.0.0", %w[1.2.1 2.2.1])
 
-        expect(remediation.points).to eq(Remediation::MINOR_UPGRADE_POINTS)
+        expect(remediation.points).to eq(UnpatchedGemRemediation::MINOR_UPGRADE_POINTS)
       end
 
       it "returns patch upgrade remediation points when an upgrade requies a patch version bump" do
-        remediation = Remediation.new("1.0.0", %w[1.0.3 2.0.3])
+        remediation = UnpatchedGemRemediation.new("1.0.0", %w[1.0.3 2.0.3])
 
-        expect(remediation.points).to eq(Remediation::PATCH_UPGRADE_POINTS)
+        expect(remediation.points).to eq(UnpatchedGemRemediation::PATCH_UPGRADE_POINTS)
       end
 
       it "returns unpatched version remediation points when an upgrade is not possible" do
-        remediation = Remediation.new("1.0.0", [])
+        remediation = UnpatchedGemRemediation.new("1.0.0", [])
 
-        expect(remediation.points).to eq(Remediation::UNPATCHED_VERSION_POINTS)
+        expect(remediation.points).to eq(UnpatchedGemRemediation::UNPATCHED_VERSION_POINTS)
       end
     end
   end