Create BundlerAudit module and nest everything else underneath

Author: dblandin

bin/bundler-audit

@@ -10,6 +10,6 @@ else
   engine_config = {}
 end
 
-CC::Engine::BundlerAudit.new(
+CC::Engine::BundlerAudit::Analyzer.new(
   directory: "/code", engine_config: engine_config, io: STDOUT
 ).run

lib/cc/engine/bundler_audit.rb

@@ -1,44 +1,14 @@
-require "json"
 require "bundler/audit/scanner"
-require_relative "./result_decorator"
+require "forwardable"
+require "json"
+require "versionomy"
+
+require "cc/engine/bundler_audit/analyzer"
+require "cc/engine/bundler_audit/result"
 
 module CC
   module Engine
-    class BundlerAudit
-      GemfileLockNotFound = Class.new(StandardError)
-
-      def initialize(directory: , io: , engine_config: )
-        @directory = directory
-        @engine_config = engine_config
-        @io = io
-      end
-
-      def run
-        if gemfile_lock_exists?
-          Dir.chdir(@directory) do
-            Bundler::Audit::Scanner.new.scan do |result|
-              gemfile_lock = File.open(gemfile_lock_path)
-              decorated = ResultDecorator.new(result, gemfile_lock)
-              issue = decorated.to_issue
-
-              @io.print("#{issue.to_json}\0")
-            end
-          end
-        else
-          raise GemfileLockNotFound, "No Gemfile.lock found."
-        end
-      end
-
-      private
-
-      def gemfile_lock_exists?
-        File.exist?(gemfile_lock_path)
-      end
-
-      def gemfile_lock_path
-        File.join(@directory, "Gemfile.lock")
-      end
+    module BundlerAudit
     end
   end
 end
-

lib/cc/engine/bundler_audit/analyzer.rb

@@ -0,0 +1,41 @@
+module CC
+  module Engine
+    module BundlerAudit
+      class Analyzer
+        GemfileLockNotFound = Class.new(StandardError)
+
+        def initialize(directory: , io: , engine_config: )
+          @directory = directory
+          @engine_config = engine_config
+          @io = io
+        end
+
+        def run
+          if gemfile_lock_exists?
+            Dir.chdir(@directory) do
+              Bundler::Audit::Scanner.new.scan do |vulnerability|
+                result = Result.new(vulnerability, File.open(gemfile_lock_path))
+                issue = result.to_issue
+
+                @io.print("#{issue.to_json}\0")
+              end
+            end
+          else
+            raise GemfileLockNotFound, "No Gemfile.lock found."
+          end
+        end
+
+        private
+
+        def gemfile_lock_exists?
+          File.exist?(gemfile_lock_path)
+        end
+
+        def gemfile_lock_path
+          File.join(@directory, "Gemfile.lock")
+        end
+      end
+    end
+  end
+end
+

lib/cc/engine/bundler_audit/result.rb

@@ -0,0 +1,116 @@
+module CC
+  module Engine
+    module BundlerAudit
+      class Result
+        GEM_REGEX = /^\s*(?<name>\S+) \([\d.]+\)/.freeze
+        SEVERITIES = {
+          high: "critical",
+          medium: "normal",
+          low: "info",
+        }.freeze
+
+        extend Forwardable
+
+        def initialize(result, gemfile_lock)
+          @gem = result.gem
+          @advisory = result.advisory
+          @gemfile_lock = gemfile_lock
+        end
+
+        def to_issue
+          {
+            categories: ["Security"],
+            check_name: "Insecure Dependency",
+            content: {
+              body: content_body
+            },
+            description: advisory.title,
+            location: {
+              path: "Gemfile.lock",
+              lines: {
+                begin: line_number,
+                end: line_number
+              }
+            },
+            remediation_points: remediation_points,
+            severity: severity,
+            type: "Issue",
+          }
+        end
+
+        private
+
+        attr_reader :advisory, :gem, :gemfile_lock
+
+        def_delegators :gem, :name, :version
+        def_delegators :advisory, :criticality, :title, :cve, :patched_versions, :url
+
+        def content_body
+          [
+            "**Advisory**: #{identifier}",
+            "**Criticality**: #{criticality.capitalize}",
+            "**URL**: #{url}",
+            "**Solution**: #{solution}",
+          ].join("\n\n")
+        end
+
+        def line_number
+          @line_number ||= begin
+             gemfile_lock.find_index do |line|
+               (match = GEM_REGEX.match(line)) && match[:name] == name
+             end + 1
+          end
+        end
+
+        def remediation_points
+          if patched_versions.any?
+            upgrade_versions.map do |upgrade_version|
+              case
+              when current_version.major != upgrade_version.major
+                50_000_000
+              when current_version.minor != upgrade_version.minor
+                5_000_000
+              when current_version.tiny != upgrade_version.tiny
+                500_000
+              end
+            end.min
+          else
+            500_000_000
+          end
+        end
+
+        def severity
+          SEVERITIES[criticality]
+        end
+
+        def solution
+          if patched_versions.any?
+            "upgrade to #{patched_versions.join(', ')}"
+          else
+            "remove or disable this gem until a patch is available!"
+          end
+        end
+
+        def identifier
+          case
+          when cve then "CVE-#{cve}"
+          when osvdb then osvdb
+          end
+        end
+
+        def current_version
+          Versionomy.parse(version.to_s)
+        end
+
+        def upgrade_versions
+          patched_versions.map do |gem_requirement|
+            requirements = Gem::Requirement.parse(gem_requirement)
+            unqualified_version = requirements.last
+
+            Versionomy.parse(unqualified_version.to_s)
+          end
+        end
+      end
+    end
+  end
+end

lib/cc/engine/result_decorator.rb

@@ -1,21 +1,21 @@
 require "spec_helper"
 
-module CC::Engine
-  describe BundlerAudit do
+module CC::Engine::BundlerAudit
+  describe Analyzer do
     describe "#run" do
       it "raises an error when no Gemfile.lock exists" do
         directory = File.join(Dir.pwd, "spec", "fixtures", "no_gemfile_lock")
         io = StringIO.new
 
-        expect { BundlerAudit.new(directory: directory, io: io, engine_config: {}).run }
-          .to raise_error(CC::Engine::BundlerAudit::GemfileLockNotFound)
+        expect { Analyzer.new(directory: directory, io: io, engine_config: {}).run }
+          .to raise_error(Analyzer::GemfileLockNotFound)
       end
 
       it "emits issues for Gemfile.lock problems" do
         io = StringIO.new
         directory = File.join(Dir.pwd, "spec", "fixtures", "unpatched_versions")
 
-        audit = BundlerAudit.new(directory: directory, io: io, engine_config: {})
+        audit = Analyzer.new(directory: directory, io: io, engine_config: {})
         audit.run
 
         issues = io.string.split("\0").map { |issue| JSON.load(issue) }