Merge branch 'develop' into feature/PEO-899-update-active-record-doctor

Author: rostikkkk2

.rubocop.yml

@@ -8,7 +8,7 @@ AllCops:
 Style/Documentation:
   Enabled: false
 
-Metrics/LineLength:
+Layout/LineLength:
   Max: 120
 
 Style/FrozenStringLiteralComment:

config/rubocop/config.yml

@@ -14,7 +14,7 @@ AllCops:
 Style/Documentation:
   Enabled: false
 
-Metrics/LineLength:
+Layout/LineLength:
   Max: 120
 
 Style/FrozenStringLiteralComment:

lib/inquisition/brakeman/vulnerability.rb

@@ -17,7 +17,8 @@ def to_h
           severity: MATCH_TABLE[warning.confidence],
           message: warning.message.to_s,
           path: warning.relative_path,
-          line: warning.line
+          line: warning.line,
+          context: warning.warning_type
         }
       end
 

lib/inquisition/bundler/audit/runner.rb

@@ -28,7 +28,7 @@ def issue_for(issue)
           when ::Bundler::Audit::Scanner::InsecureSource
             InsecureSource.new(issue.source).to_h.merge(runner: self)
           when ::Bundler::Audit::Scanner::UnpatchedGem
-            UnpatchedGem.new(issue.advisory).to_h.merge(runner: self)
+            UnpatchedGem.new(issue).to_h.merge(runner: self)
           else
             raise ArgumentError, "Unknown type: #{issue.class}"
           end

lib/inquisition/bundler/audit/vulnerability.rb

@@ -8,20 +8,22 @@ def to_h
       end
 
       class UnpatchedGem < Vulnerability
-        def initialize(advisory)
-          @advisory = advisory
+        def initialize(issue)
+          @gem = issue.gem
+          @advisory = issue.advisory
         end
 
         def to_h
           super.merge(
             severity: advisory.criticality || Severity::LOW,
-            message: advisory.title.strip
+            message: advisory.title.strip,
+            context: gem
           )
         end
 
         private
 
-        attr_reader :advisory
+        attr_reader :gem, :advisory
       end
 
       class InsecureSource < Vulnerability

lib/inquisition/issue.rb

@@ -2,15 +2,16 @@ module Inquisition
   class Issue
     COMPARISON_ATTRIBUTES = %i[path line severity message category].freeze
 
-    attr_reader :path, :line, :severity, :message, :category, :runner
+    attr_reader :path, :line, :severity, :message, :category, :runner, :context
 
-    def initialize(path:, line:, severity:, message:, category:, runner:)
+    def initialize(path:, line:, severity:, message:, category:, runner:, context: nil)
       @path = path
       @line = line
       @runner = runner
       @message = message
       @severity = Severity.new(severity)
       @category = Category.new(category)
+      @context = context
     end
 
     def ==(other)

spec/fixtures/files/bundler_audit.yml

@@ -16,6 +16,9 @@
 - severity: :low
   category: :security
   message: 'Nokogiri gem, via libxslt, is affected by multiple vulnerabilities'
+- severity: :low
+  message: 'Possible information leak / session hijack vulnerability'
+  category: :security
 - severity: :high
   category: :security
   message: 'smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature'

spec/inquisition/brakeman/runner_spec.rb

@@ -13,7 +13,8 @@
         path: 'app/controllers/users_controller.rb',
         line: 42,
         severity: Inquisition::Severity::HIGH,
-        message: 'Potentially dangerous key allowed for mass assignment'
+        message: 'Potentially dangerous key allowed for mass assignment',
+        context: 'Cross-Site Scripting'
       }
     end
 

spec/inquisition/brakeman/vulnerability_spec.rb

@@ -13,7 +13,8 @@
         confidence: confidence,
         line: 42,
         relative_path: 'app/controllers/users_controller.rb',
-        message: message
+        message: message,
+        warning_type: 'Cross-Site Scripting'
       )
     end
     let(:options) do
@@ -22,7 +23,8 @@
         message: message.to_s,
         path: warning.relative_path,
         line: warning.line,
-        category: Inquisition::Category::SECURITY
+        category: Inquisition::Category::SECURITY,
+        context: warning.warning_type
       }
     end
 

spec/inquisition/bundler/audit/vulnerability_spec.rb

@@ -3,13 +3,19 @@
     describe '#to_h' do
       subject(:vulnerability) { described_class.new }
 
-      it { expect(vulnerability.to_h).to include(path: nil, line: nil) }
+      it { expect(vulnerability.to_h).to eq(path: nil, line: nil, category: Inquisition::Category::SECURITY) }
     end
   end
 
   describe Inquisition::Bundler::Audit::UnpatchedGem do
     describe '#to_h' do
-      subject(:insecure_source) { described_class.new(advisory) }
+      subject(:unpatched_gem) do
+        described_class.new(
+          instance_double(Bundler::Audit::Scanner::UnpatchedGem, gem: gem, advisory: advisory)
+        )
+      end
+
+      let(:gem) { instance_double(Bundler::LazySpecification) }
 
       context 'when advisory criticality is :high' do
         let(:advisory) do
@@ -21,11 +27,13 @@
             path: nil,
             line: nil,
             severity: Inquisition::Severity::HIGH,
-            message: 'Cocaine Gem for Ruby contains a flaw'
+            message: 'Cocaine Gem for Ruby contains a flaw',
+            category: Inquisition::Category::SECURITY,
+            context: gem
           }
         end
 
-        it { expect(insecure_source.to_h).to include(options) }
+        it { expect(unpatched_gem.to_h).to eq(options) }
       end
 
       context 'when advisory criticality is :medium' do
@@ -37,11 +45,13 @@
             path: nil,
             line: nil,
             severity: Inquisition::Severity::MEDIUM,
-            message: 'XSS vulnerability in bootstrap'
+            message: 'XSS vulnerability in bootstrap',
+            category: Inquisition::Category::SECURITY,
+            context: gem
           }
         end
 
-        it { expect(insecure_source.to_h).to include(options) }
+        it { expect(unpatched_gem.to_h).to eq(options) }
       end
 
       context 'when advisory criticality is :low' do
@@ -54,11 +64,13 @@
             path: nil,
             line: nil,
             severity: Inquisition::Severity::LOW,
-            message: 'Multiple persistent XSS vulnerabilities in Radiant CMS'
+            message: 'Multiple persistent XSS vulnerabilities in Radiant CMS',
+            category: Inquisition::Category::SECURITY,
+            context: gem
           }
         end
 
-        it { expect(insecure_source.to_h).to include(options) }
+        it { expect(unpatched_gem.to_h).to eq(options) }
       end
 
       context 'when advisory criticality is absent' do
@@ -71,11 +83,13 @@
             path: nil,
             line: nil,
             severity: Inquisition::Severity::LOW,
-            message: 'Remote code execution in bootstrap-sass'
+            message: 'Remote code execution in bootstrap-sass',
+            category: Inquisition::Category::SECURITY,
+            context: gem
           }
         end
 
-        it { expect(insecure_source.to_h).to include(options) }
+        it { expect(unpatched_gem.to_h).to eq(options) }
       end
     end
   end
@@ -90,11 +104,12 @@
           path: nil,
           line: nil,
           severity: Inquisition::Severity::MEDIUM,
+          category: Inquisition::Category::SECURITY,
           message: 'Insecure Source URI found: http://rubygems.org/'
         }
       end
 
-      it { expect(insecure_source.to_h).to include(options) }
+      it { expect(insecure_source.to_h).to eq(options) }
     end
   end
 end