Merge pull request #16 from codeclimate/devon/use-bundler-audit-scanner-for-analysis

Use Bundler::Audit::Scanner for analysis

Author: dblandin

.codeclimate.yml

@@ -1,6 +1,9 @@
 engines:
   rubocop:
     enabled: true
+    exclude_fingerprints:
+    # Ignoring long method length for Issue#to_json
+    - 3d618821b1ce28599d6c54f90bb4df59
 ratings:
   paths:
   - "**.rb"

.rubocop.yml

@@ -1,3 +1,5 @@
+AllCops:
+  TargetRubyVersion: 2.2
 Metrics/AbcSize:
   Enabled: false
 
@@ -16,7 +18,7 @@ Style/StringLiterals:
 Style/Documentation:
   Enabled: false
 
-Style/TrailingComma:
+Style/TrailingCommaInLiteral:
   Enabled: false
 
 Style/ClassAndModuleChildren:

Gemfile

@@ -1,11 +1,10 @@
 source "https://rubygems.org"
 
-gem 'bundler-audit'
-gem 'json'
-gem 'versionomy'
+gem "bundler-audit", "~> 0.4.0"
+gem "json", "~> 1.8.3"
+gem "versionomy", "~> 0.5.0"
 gem "rake"
 
 group :test do
   gem "rspec", require: false
-  gem "fakefs", require: false
 end

Gemfile.lock

@@ -1,12 +1,11 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    blockenspiel (0.4.5)
+    blockenspiel (0.5.0)
     bundler-audit (0.4.0)
       bundler (~> 1.2)
       thor (~> 0.18)
     diff-lcs (1.2.5)
-    fakefs (0.6.7)
     json (1.8.3)
     rake (10.4.2)
     rspec (3.3.0)
@@ -23,19 +22,18 @@ GEM
       rspec-support (~> 3.3.0)
     rspec-support (3.3.0)
     thor (0.19.1)
-    versionomy (0.4.4)
-      blockenspiel (>= 0.4.5)
+    versionomy (0.5.0)
+      blockenspiel (~> 0.5)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler-audit
-  fakefs
-  json
+  bundler-audit (~> 0.4.0)
+  json (~> 1.8.3)
   rake
   rspec
-  versionomy
+  versionomy (~> 0.5.0)
 
 BUNDLED WITH
    1.11.2

bin/bundler-audit

@@ -4,12 +4,4 @@ $LOAD_PATH.unshift(File.expand_path(File.join(File.dirname(__FILE__), "../lib"))
 
 require 'cc/engine/bundler_audit'
 
-if File.exists?("/config.json")
-  engine_config = JSON.parse(File.read("/config.json"))
-else
-  engine_config = {}
-end
-
-CC::Engine::BundlerAudit.new(
-  directory: "/code", engine_config: engine_config, io: STDOUT
-).run
+CC::Engine::BundlerAudit::Analyzer.new(directory: "/code").run

lib/cc/engine/bundler_audit.rb

@@ -1,114 +1,14 @@
-require 'json'
-require 'versionomy'
+require "bundler/audit/scanner"
+require "json"
+require "versionomy"
+
+require "cc/engine/bundler_audit/analyzer"
+require "cc/engine/bundler_audit/issue"
+require "cc/engine/bundler_audit/remediation"
 
 module CC
   module Engine
-    class BundlerAudit
-      GemfileLockNotFound = Class.new(StandardError)
-      SEVERITIES = {
-        "High" => "critical",
-        "Low" => "info",
-        "Medium" => "normal",
-      }
-
-      def initialize(directory: , io: , engine_config: )
-        @directory = directory
-        @engine_config = engine_config
-        @io = io
-      end
-
-      def run
-        if gemfile_lock_exists?
-          Dir.chdir(@directory)
-          raw_output = `bundle-audit`
-          raw_issues = raw_output.split(/\n\n/).select { |chunk|
-            chunk =~ /^Name: /
-          }
-          @gemfile_lock_lines = File.read(
-            File.join(@directory, 'Gemfile.lock')
-          ).lines
-          raw_issues.each do |raw_issue|
-            issue = issue_from_raw(raw_issue)
-            @io.print("#{issue.to_json}\0")
-          end
-        else
-          raise GemfileLockNotFound, "No Gemfile.lock found."
-        end
-      end
-
-      private
-
-      def gemfile_lock_exists?
-        File.exist?(File.join(@directory, 'Gemfile.lock'))
-      end
-
-      def issue_from_raw(raw_issue)
-        raw_issue_hash = {}
-        raw_issue.lines.each do |l|
-          l =~ /^([^:]+): (.+)\n?/
-          raw_issue_hash[$1] = $2
-        end
-        line_number = nil
-        @gemfile_lock_lines.each_with_index do |l, i|
-          if l =~ /^\s*#{raw_issue_hash['Name']} \([\d.]+\)/
-              line_number = i + 1
-          end
-        end
-        {
-          categories: ['Security'],
-          check_name: "Insecure Dependency",
-          content: {
-            body: content_body(raw_issue_hash)
-          },
-          description: raw_issue_hash['Title'],
-          location: {
-            path: 'Gemfile.lock',
-            lines: {
-              begin: line_number,
-              end: line_number
-            }
-          },
-          remediation_points: remediation_points(
-            raw_issue_hash['Version'], raw_issue_hash['Solution']
-          ),
-          severity: SEVERITIES[raw_issue_hash["Criticality"]],
-          type: 'Issue',
-        }
-      end
-
-      def remediation_points(current_version, raw_solution)
-        if raw_solution =~ /^upgrade to (.*)/
-          raw_upgrades = $1.scan(/\d+\.\d+\.\d+/)
-          current_version = Versionomy.parse(current_version)
-          result = 5_000_000_000
-          raw_upgrades.each do |raw_upgrade|
-            upgrade_version = Versionomy.parse(raw_upgrade)
-            if upgrade_version > current_version
-              points_this_upgrade = nil
-              if current_version.major == upgrade_version.major
-                if current_version.minor == upgrade_version.minor
-                  points_this_upgrade = 500_000 # patch upgrade
-                else
-                  points_this_upgrade = 5_000_000 # minor upgrade
-                end
-              else
-                points_this_upgrade = 50_000_000 # major upgrade
-              end
-              result = points_this_upgrade if points_this_upgrade < result
-            end
-          end
-          result
-        else
-          500_000_000 # No upgrade of gem possible
-        end
-      end
-
-      def content_body(raw_issue_hash)
-        %w[Advisory Criticality URL Solution].map do |key|
-          "**#{key}**: #{raw_issue_hash[key]}"
-        end.join("\n\n")
-      end
+    module BundlerAudit
     end
   end
 end
-

lib/cc/engine/bundler_audit/analyzer.rb

@@ -0,0 +1,44 @@
+module CC
+  module Engine
+    module BundlerAudit
+      class Analyzer
+        GemfileLockNotFound = Class.new(StandardError)
+
+        def initialize(directory:, io: STDOUT)
+          @directory = directory
+          @io = io
+        end
+
+        def run
+          if gemfile_lock_exists?
+            Dir.chdir(directory) do
+              Bundler::Audit::Scanner.new.scan do |vulnerability|
+                issue = Issue.new(vulnerability, gemfile_lock_lines)
+
+                io.print("#{issue.to_json}\0")
+              end
+            end
+          else
+            raise GemfileLockNotFound, "No Gemfile.lock found."
+          end
+        end
+
+        private
+
+        attr_reader :directory, :io
+
+        def gemfile_lock_lines
+          @gemfile_lock_lines ||= File.open(gemfile_lock_path).lines.to_a
+        end
+
+        def gemfile_lock_exists?
+          File.exist?(gemfile_lock_path)
+        end
+
+        def gemfile_lock_path
+          File.join(directory, "Gemfile.lock")
+        end
+      end
+    end
+  end
+end

lib/cc/engine/bundler_audit/issue.rb

@@ -0,0 +1,90 @@
+module CC
+  module Engine
+    module BundlerAudit
+      class Issue
+        GEM_REGEX = /^\s*(?<name>\S+) \([\d.]+\)/
+        SEVERITIES = {
+          high: "critical",
+          medium: "normal",
+          low: "info"
+        }.freeze
+
+        def initialize(result, gemfile_lock_lines)
+          @gem = result.gem
+          @advisory = result.advisory
+          @gemfile_lock_lines = gemfile_lock_lines
+        end
+
+        def to_json(*a)
+          {
+            categories: %w[Security],
+            check_name: "Insecure Dependency",
+            content: {
+              body: content_body
+            },
+            description: advisory.title,
+            location: {
+              path: "Gemfile.lock",
+              lines: {
+                begin: line_number,
+                end: line_number
+              }
+            },
+            remediation_points: remediation_points,
+            severity: severity,
+            type: "Issue"
+          }.to_json(a)
+        end
+
+        private
+
+        attr_reader :advisory, :gem, :gemfile_lock_lines
+
+        def content_body
+          [
+            "**Advisory**: #{identifier}",
+            "**Criticality**: #{advisory.criticality.capitalize}",
+            "**URL**: #{advisory.url}",
+            "**Solution**: #{solution}"
+          ].join("\n\n")
+        end
+
+        def line_number
+          @line_number ||= begin
+            gemfile_lock_lines.find_index do |line|
+              (match = GEM_REGEX.match(line)) && match[:name] == gem.name
+            end + 1
+          end
+        end
+
+        def remediation_points
+          patched_versions = advisory.patched_versions.map do |gem_requirement|
+            requirements = Gem::Requirement.parse(gem_requirement)
+            requirements.last
+          end
+
+          Remediation.new(gem.version, patched_versions).points
+        end
+
+        def severity
+          SEVERITIES[advisory.criticality]
+        end
+
+        def solution
+          if advisory.patched_versions.any?
+            "upgrade to #{advisory.patched_versions.join(', ')}"
+          else
+            "remove or disable this gem until a patch is available!"
+          end
+        end
+
+        def identifier
+          case
+          when advisory.cve then "CVE-#{advisory.cve}"
+          when advisory.osvdb then advisory.osvdb
+          end
+        end
+      end
+    end
+  end
+end