Open source commit

Author: pbrisbin

.codeclimate.yml

@@ -0,0 +1,6 @@
+engines:
+  rubocop:
+    enabled: true
+ratings:
+  paths:
+  - "**.rb"

.ruby-version

@@ -0,0 +1 @@
+2.2.2

Dockerfile

@@ -0,0 +1,15 @@
+FROM mhart/alpine-node
+
+WORKDIR /usr/src/app
+RUN apk --update add ruby ruby-dev ruby-bundler build-base git
+
+COPY Gemfile /usr/src/app/
+COPY Gemfile.lock /usr/src/app/
+RUN bundle install -j 4 && \
+    bundle-audit update && \
+    apk del build-base && rm -fr /usr/share/ri
+
+COPY . /usr/src/app
+
+CMD ["/usr/src/app/bin/bundler-audit"]
+

Gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gem 'bundler-audit'
+gem 'json'
+gem 'versionomy'

Gemfile.lock

@@ -0,0 +1,22 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    blockenspiel (0.4.5)
+    bundler-audit (0.3.1)
+      bundler (~> 1.2)
+      thor (~> 0.18)
+    json (1.8.3)
+    thor (0.19.1)
+    versionomy (0.4.4)
+      blockenspiel (>= 0.4.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler-audit
+  json
+  versionomy
+
+BUNDLED WITH
+   1.10.3

README.md

@@ -0,0 +1,19 @@
+# Code Climate bundler-audit Engine
+
+[![Code Climate](https://codeclimate.com/repos/55841a7de30ba012e6020762/badges/20e726217fbdea3896db/gpa.svg)](https://codeclimate.com/repos/55841a7de30ba012e6020762/feed)
+
+`codeclimate-bundler-audit` is a Code Climate engine that wraps [bundler-audit](https://github.com/rubysec/bundler-audit). You can run it on your command line using the Code Climate CLI, or on our hosted analysis platform.
+
+bundler-audit offers patch-level verification for [Bundler](http://bundler.io/).
+
+### Installation
+
+1. If you haven't already, [install the Code Climate CLI](https://github.com/codeclimate/codeclimate).
+2. Run `codeclimate engines:enable bundler-audit`. This command both installs the engine and enables it in your `.codeclimate.yml` file.
+3. You're ready to analyze! Browse into your project's folder and run `codeclimate analyze`.
+
+### Need help?
+
+For help with bundler-audit, [check out their documentation](https://github.com/rubysec/bundler-audit).
+
+If you're running into a Code Climate issue, first look over this project's [GitHub Issues](https://github.com/codeclimate/bundler-audit/issues), as your question may have already been covered. If not, [go ahead and open a support ticket with us](https://codeclimate.com/help).

bin/bundler-audit

@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift(File.expand_path(File.join(File.dirname(__FILE__), "../lib")))
+
+require 'cc/engine/bundler_audit'
+
+def parse_engine_config(raw)
+  raw ? JSON.parse(raw) : {}
+end
+engine_config = parse_engine_config(ENV['ENGINE_CONFIG'])
+CC::Engine::BundlerAudit.new(
+  directory: "/code", engine_config: engine_config, io: STDOUT
+).run

lib/cc/engine/bundler_audit.rb

@@ -0,0 +1,89 @@
+require 'json'
+require 'versionomy'
+
+module CC
+  module Engine
+    class BundlerAudit
+      def initialize(directory: , io: , engine_config: )
+        @directory = directory
+        @engine_config = engine_config
+        @io = io
+      end
+
+      def run
+        Dir.chdir(@directory)
+        raw_output = `bundle-audit`
+        raw_issues = raw_output.split(/\n\n/).select { |chunk| 
+          chunk =~ /^Name: /
+        }
+        @gemfile_lock_lines = File.read(
+          File.join(@directory, 'Gemfile.lock')
+        ).lines
+        raw_issues.each do |raw_issue|
+          issue = issue_from_raw(raw_issue)
+          @io.print("#{issue.to_json}\0")
+        end
+      end
+
+      private
+
+      def issue_from_raw(raw_issue)
+        raw_issue_hash = {}
+        raw_issue.lines.each do |l|
+          l =~ /^([^:]+): (.+)\n?/
+          raw_issue_hash[$1] = $2
+        end
+        line_number = nil
+        @gemfile_lock_lines.each_with_index do |l, i|
+          if l =~ /^\s*#{raw_issue_hash['Name']} \([\d.]+\)/
+              line_number = i + 1
+          end
+        end
+        {
+          type: 'Issue',
+          check_name: "Insecure Dependency",
+          description: raw_issue_hash['Title'],
+          categories: ['Security'],
+          remediation_points: remediation_points(
+            raw_issue_hash['Version'], raw_issue_hash['Solution']
+          ),
+          location: {
+            path: 'Gemfile.lock',
+            lines: {
+              begin: line_number,
+              end: line_number
+            }
+          }
+        }
+      end
+
+      def remediation_points(current_version, raw_solution)
+        if raw_solution =~ /^upgrade to (.*)/
+          raw_upgrades = $1.scan(/\d+\.\d+\.\d+/)
+          current_version = Versionomy.parse(current_version)
+          result = 5_000_000_000
+          raw_upgrades.each do |raw_upgrade|
+            upgrade_version = Versionomy.parse(raw_upgrade)
+            if upgrade_version > current_version
+              points_this_upgrade = nil
+              if current_version.major == upgrade_version.major
+                if current_version.minor == upgrade_version.minor
+                  points_this_upgrade = 500_000 # patch upgrade
+                else
+                  points_this_upgrade = 5_000_000 # minor upgrade
+                end
+              else
+                points_this_upgrade = 50_000_000 # major upgrade
+              end
+              result = points_this_upgrade if points_this_upgrade < result
+            end
+          end
+          result
+        else
+          500_000_000 # No upgrade of gem possible
+        end
+      end
+    end
+  end
+end
+