class Pipeline::BundleAudit


# File lib/pipeline/tasks/bundle-audit.rb, line 10
# Sets up the BundleAudit task: task metadata plus an empty per-directory
# results map that #run fills in.
#
# @param trigger forwarded unchanged to Pipeline::BaseTask#initialize
# @param tracker forwarded unchanged to Pipeline::BaseTask#initialize
def initialize(trigger, tracker)
  super(trigger, tracker)
  @name = "BundleAudit"
  @description = "Dependency Checker analysis for Ruby"
  @stage = :code
  # @labels is presumably initialised by the superclass — confirm in BaseTask
  @labels << "code"
  @labels << "ruby"
  @results = {}
end


# File lib/pipeline/tasks/bundle-audit.rb, line 28
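# Turns the raw bundle-audit output collected by #run into findings via
# #get_warnings.
#
# Parse failures are logged and reported as a skipped scan rather than
# propagated. Only StandardError is rescued: the previous `rescue Exception`
# also swallowed Interrupt and SystemExit, so a Ctrl-C during parsing was
# reported as "bundle-audit skipped".
def analyze
  get_warnings
rescue StandardError => e
  Pipeline.warn e.message
  Pipeline.notify "Appears not to be a project with Gemfile.lock or there was another problem ... bundle-audit skipped."
end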
# File lib/pipeline/tasks/bundle-audit.rb, line 19
# Runs `bundle-audit check` in every directory returned by
# directories_with?('Gemfile.lock') and keeps the raw output per directory
# in @results, keyed by directory.
def run
  lockfile_dirs = directories_with?('Gemfile.lock')
  lockfile_dirs.each do |dir|
    Pipeline.notify "#{@name} scanning: #{dir}"
    # chdir block form restores the previous working directory afterwards
    Dir.chdir(dir) { @results[dir] = runsystem(true, "bundle-audit", "check") }
  end
end
# File lib/pipeline/tasks/bundle-audit.rb, line 38
# Whether the bundle-audit executable is available.
#
# Invokes `bundle-audit update` and treats the tool as present unless the
# output contains "command not found". Note this is a real invocation of
# the tool, not a lookup on PATH.
#
# @return [Boolean] false (after printing an install hint) when the command
#   is missing, true otherwise
def supported?
  output = runsystem(false, "bundle-audit", "update")
  # =~ is kept rather than match? so a nil output is treated as "supported",
  # exactly as before
  return true unless output =~ /command not found/

  Pipeline.notify "Run: gem install bundler-audit"
  false
end


# File lib/pipeline/tasks/bundle-audit.rb, line 49
# Parses the bundle-audit output stored in @results and emits one report per
# advisory section plus one per "Insecure Source URI found" line.
#
# Each advisory section is a run of "Key: value" lines terminated by a blank
# line; the blank line is what triggers the report. A final section that is
# not followed by a blank line is therefore never reported — the loop has no
# flush after it.
#
# Values are taken as the second element of line.split(':'), so they keep
# their leading space and any text after a second ':' (e.g. in a Title) is
# dropped.
def get_warnings
  @results.each do |dir, result|
    # detail: accumulated description; jem: gem name+version; source: location
    # hash; sev: severity; hash: string fed to fingerprint (a local, not
    # Object#hash)
    detail, jem, source, sev, hash = '','',{},'',''
    result.each_line do | line |

      if /\S/ !~ line
        # Blank line signals the section is over.  Report (if anything was
        # collected) and reset the accumulators.
        if detail != ''
          report "Gem #{jem} has known security issues.", detail, source, sev, fingerprint(hash)
        end

        detail, jem, source, sev, hash = '','', {},'',''
      end

      # value is nil for lines without ':' (e.g. the blank line above); the
      # String#<< calls below would raise TypeError on nil, but those branches
      # are only reached for the named keys
      name, value = line.chomp.split(':')
      case name
      when 'Name'
        jem << value
        hash << value
      when 'Version'
        jem << value
        hash << value
      when 'Advisory'
        # location is the lock file relative to the trigger path; the advisory
        # id only contributes to the fingerprint
        source = { :scanner => @name, :file => "#{relative_path(dir, @trigger.path)}/Gemfile.lock", :line => nil, :code => nil }
        hash << value
      when 'Criticality'
        # NOTE(review): if severity() returns an Integer, String#<< appends the
        # character with that codepoint rather than its digits — confirm its
        # return type
        sev = severity(value)
        hash << sev
      when 'URL'
        # whole URL is taken from the line, since split(':') would cut it at
        # the scheme
        detail += line.chomp.split('URL:').last
      when 'Title'
        detail += ",#{value}"
      when 'Solution'
        detail += ": #{value}"
      when 'Insecure Source URI found'
        # Reported immediately, outside the section accumulator. Unlike the
        # advisory branch, :file here is the bare 'Gemfile.lock' with no
        # relative path — presumably unintentional; confirm.
        report "Insecure GEM Source", "#{line.chomp} - use git or https", {:scanner => @name, :file => 'Gemfile.lock', :line => nil, :code =>  nil}, severity('high'), fingerprint("bundlerauditgemsource#{line.chomp}")
      else
        # Anything non-blank that is not a known key or the summary header is
        # logged at debug level so unexpected output formats are visible.
        if line =~ /\S/ and line !~ /Unpatched versions found/
          Pipeline.debug "Not sure how to handle line: #{line}"
        end
      end
    end
  end
end