Add support for insecure sources

dblandin · dblandin · commit d720dc0df212 · 2016-02-12T14:33:28.000-05:00
diff --git a/lib/cc/engine/bundler_audit.rb b/lib/cc/engine/bundler_audit.rb
@@ -3,8 +3,9 @@
 require "versionomy"
 
 require "cc/engine/bundler_audit/analyzer"
-require "cc/engine/bundler_audit/issue"
-require "cc/engine/bundler_audit/remediation"
+require "cc/engine/bundler_audit/insecure_source_issue"
+require "cc/engine/bundler_audit/unpatched_gem_issue"
+require "cc/engine/bundler_audit/unpatched_gem_remediation"
 
 module CC
   module Engine
diff --git a/lib/cc/engine/bundler_audit/analyzer.rb b/lib/cc/engine/bundler_audit/analyzer.rb
@@ -13,7 +13,7 @@ def run
           if gemfile_lock_exists?
             Dir.chdir(directory) do
               Bundler::Audit::Scanner.new.scan do |vulnerability|
-                issue = Issue.new(vulnerability, gemfile_lock_lines)
+                issue = issue_for_vulerability(vulnerability)
 
                 io.print("#{issue.to_json}\0")
               end
@@ -27,8 +27,17 @@ def run
 
         attr_reader :directory, :io
 
+        def issue_for_vulerability(vulnerability)
+          case vulnerability
+          when Bundler::Audit::Scanner::UnpatchedGem
+            UnpatchedGemIssue.new(vulnerability, gemfile_lock_lines)
+          when Bundler::Audit::Scanner::InsecureSource
+            InsecureSourceIssue.new(vulnerability, gemfile_lock_lines)
+          end
+        end
+
         def gemfile_lock_lines
-          @gemfile_lock_lines ||= File.open(gemfile_lock_path).lines.to_a
+          @gemfile_lock_lines ||= File.open(gemfile_lock_path).each_line.to_a
         end
 
         def gemfile_lock_exists?
diff --git a/lib/cc/engine/bundler_audit/insecure_source_issue.rb b/lib/cc/engine/bundler_audit/insecure_source_issue.rb
@@ -0,0 +1,48 @@
+module CC
+  module Engine
+    module BundlerAudit
+      class InsecureSourceIssue
+        REMEDIATION_POINTS = 5_000_000
+        SOURCE_REGEX = /^\s*remote: (?<source>\S+)/
+
+        def initialize(result, gemfile_lock_lines)
+          @source = result.source
+          @gemfile_lock_lines = gemfile_lock_lines
+        end
+
+        def to_json(*a)
+          {
+            categories: %w[Security],
+            check_name: "Insecure Source",
+            content: {
+              body: "",
+            },
+            description: "Insecure Source URI found: #{source}",
+            location: {
+              path: "Gemfile.lock",
+              lines: {
+                begin: line_number,
+                end: line_number,
+              },
+            },
+            remediation_points: REMEDIATION_POINTS,
+            severity: "normal",
+            type: "Issue",
+          }.to_json(a)
+        end
+
+        private
+
+        attr_reader :source, :gemfile_lock_lines
+
+        def line_number
+          @line_number ||= begin
+            gemfile_lock_lines.find_index do |line|
+              (match = SOURCE_REGEX.match(line)) && match[:source] == source
+            end + 1
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/cc/engine/bundler_audit/unpatched_gem_issue.rb b/lib/cc/engine/bundler_audit/unpatched_gem_issue.rb
@@ -1,7 +1,7 @@
 module CC
   module Engine
     module BundlerAudit
-      class Issue
+      class UnpatchedGemIssue
         GEM_REGEX = /^\s*(?<name>\S+) \([\d.]+\)/
         SEVERITIES = {
           high: "critical",
@@ -63,7 +63,7 @@ def remediation_points
             requirements.last
           end
 
-          Remediation.new(gem.version, patched_versions).points
+          UnpatchedGemRemediation.new(gem.version, patched_versions).points
         end
 
         def severity
diff --git a/lib/cc/engine/bundler_audit/unpatched_gem_remediation.rb b/lib/cc/engine/bundler_audit/unpatched_gem_remediation.rb
@@ -1,7 +1,7 @@
 module CC
   module Engine
     module BundlerAudit
-      class Remediation
+      class UnpatchedGemRemediation
         MAJOR_UPGRADE_POINTS = 50_000_000
         MINOR_UPGRADE_POINTS = 5_000_000
         PATCH_UPGRADE_POINTS = 500_000
diff --git a/spec/cc/engine/bundler_audit/analyzer_spec.rb b/spec/cc/engine/bundler_audit/analyzer_spec.rb
@@ -11,16 +11,29 @@ module CC::Engine::BundlerAudit
           to raise_error(Analyzer::GemfileLockNotFound)
       end
 
-      it "emits issues for Gemfile.lock problems" do
+      it "emits issues for unpatched gems in Gemfile.lock" do
         io = StringIO.new
         directory = fixture_directory("unpatched_versions")
 
+        issues = analyze_directory(directory, io)
+
+        expect(issues).to eq(expected_issues("unpatched_versions"))
+      end
+
+      it "emits issues for insecure sources in Gemfile.lock" do
+        io = StringIO.new
+        directory = fixture_directory("insecure_source")
+
+        issues = analyze_directory(directory, io)
+
+        expect(issues).to eq(expected_issues("insecure_source"))
+      end
+
+      def analyze_directory(directory, io)
         audit = Analyzer.new(directory: directory, io: io)
         audit.run
 
-        issues = io.string.split("\0").map { |issue| JSON.load(issue) }
-
-        expect(issues).to eq(expected_issues("unpatched_versions"))
+        io.string.split("\0").map { |issue| JSON.load(issue) }
       end
 
       def expected_issues(fixture)
diff --git a/spec/cc/engine/bundler_audit/remediation_spec.rb b/spec/cc/engine/bundler_audit/remediation_spec.rb
@@ -1,30 +1,30 @@
 require "spec_helper"
 
 module CC::Engine::BundlerAudit
-  describe Remediation do
+  describe UnpatchedGemRemediation do
     describe "#points" do
       it "returns major upgrade remediation points when an upgrade requies a major version bump" do
-        remediation = Remediation.new("1.0.0", %w[2.0.1 3.0.1])
+        remediation = UnpatchedGemRemediation.new("1.0.0", %w[2.0.1 3.0.1])
 
-        expect(remediation.points).to eq(Remediation::MAJOR_UPGRADE_POINTS)
+        expect(remediation.points).to eq(UnpatchedGemRemediation::MAJOR_UPGRADE_POINTS)
       end
 
       it "returns minor upgrade remediation points when an upgrade requies a minor version bump" do
-        remediation = Remediation.new("1.0.0", %w[1.2.1 2.2.1])
+        remediation = UnpatchedGemRemediation.new("1.0.0", %w[1.2.1 2.2.1])
 
-        expect(remediation.points).to eq(Remediation::MINOR_UPGRADE_POINTS)
+        expect(remediation.points).to eq(UnpatchedGemRemediation::MINOR_UPGRADE_POINTS)
       end
 
       it "returns patch upgrade remediation points when an upgrade requies a patch version bump" do
-        remediation = Remediation.new("1.0.0", %w[1.0.3 2.0.3])
+        remediation = UnpatchedGemRemediation.new("1.0.0", %w[1.0.3 2.0.3])
 
-        expect(remediation.points).to eq(Remediation::PATCH_UPGRADE_POINTS)
+        expect(remediation.points).to eq(UnpatchedGemRemediation::PATCH_UPGRADE_POINTS)
       end
 
       it "returns unpatched version remediation points when an upgrade is not possible" do
-        remediation = Remediation.new("1.0.0", [])
+        remediation = UnpatchedGemRemediation.new("1.0.0", [])
 
-        expect(remediation.points).to eq(Remediation::UNPATCHED_VERSION_POINTS)
+        expect(remediation.points).to eq(UnpatchedGemRemediation::UNPATCHED_VERSION_POINTS)
       end
     end
   end
diff --git a/spec/fixtures/insecure_source/Gemfile.lock b/spec/fixtures/insecure_source/Gemfile.lock
diff --git a/spec/fixtures/insecure_source/issues.json b/spec/fixtures/insecure_source/issues.json
