Extract ResultDecorator from BundlerAudit class

Author: dblandin

lib/cc/engine/bundler_audit.rb

@@ -1,15 +1,11 @@
-require 'json'
-require 'versionomy'
+require "json"
+require "bundler/audit/scanner"
+require_relative "./result_decorator"
 
 module CC
   module Engine
     class BundlerAudit
       GemfileLockNotFound = Class.new(StandardError)
-      SEVERITIES = {
-        "High" => "critical",
-        "Low" => "info",
-        "Medium" => "normal",
-      }
 
       def initialize(directory: , io: , engine_config: )
         @directory = directory
@@ -20,15 +16,11 @@ def initialize(directory: , io: , engine_config: )
       def run
         if gemfile_lock_exists?
           Dir.chdir(@directory) do
-            raw_output = `bundle-audit`
-            raw_issues = raw_output.split(/\n\n/).select { |chunk|
-              chunk =~ /^Name: /
-            }
-            @gemfile_lock_lines = File.read(
-              File.join(@directory, 'Gemfile.lock')
-            ).lines
-            raw_issues.each do |raw_issue|
-              issue = issue_from_raw(raw_issue)
+            Bundler::Audit::Scanner.new.scan do |result|
+              gemfile_lock = File.open(gemfile_lock_path)
+              decorated = ResultDecorator.new(result, gemfile_lock)
+              issue = decorated.to_issue
+
               @io.print("#{issue.to_json}\0")
             end
           end
@@ -40,74 +32,11 @@ def run
       private
 
       def gemfile_lock_exists?
-        File.exist?(File.join(@directory, 'Gemfile.lock'))
-      end
-
-      def issue_from_raw(raw_issue)
-        raw_issue_hash = {}
-        raw_issue.lines.each do |l|
-          l =~ /^([^:]+): (.+)\n?/
-          raw_issue_hash[$1] = $2
-        end
-        line_number = nil
-        @gemfile_lock_lines.each_with_index do |l, i|
-          if l =~ /^\s*#{raw_issue_hash['Name']} \([\d.]+\)/
-              line_number = i + 1
-          end
-        end
-        {
-          categories: ['Security'],
-          check_name: "Insecure Dependency",
-          content: {
-            body: content_body(raw_issue_hash)
-          },
-          description: raw_issue_hash['Title'],
-          location: {
-            path: 'Gemfile.lock',
-            lines: {
-              begin: line_number,
-              end: line_number
-            }
-          },
-          remediation_points: remediation_points(
-            raw_issue_hash['Version'], raw_issue_hash['Solution']
-          ),
-          severity: SEVERITIES[raw_issue_hash["Criticality"]],
-          type: 'Issue',
-        }
-      end
-
-      def remediation_points(current_version, raw_solution)
-        if raw_solution =~ /^upgrade to (.*)/
-          raw_upgrades = $1.scan(/\d+\.\d+\.\d+/)
-          current_version = Versionomy.parse(current_version)
-          result = 5_000_000_000
-          raw_upgrades.each do |raw_upgrade|
-            upgrade_version = Versionomy.parse(raw_upgrade)
-            if upgrade_version > current_version
-              points_this_upgrade = nil
-              if current_version.major == upgrade_version.major
-                if current_version.minor == upgrade_version.minor
-                  points_this_upgrade = 500_000 # patch upgrade
-                else
-                  points_this_upgrade = 5_000_000 # minor upgrade
-                end
-              else
-                points_this_upgrade = 50_000_000 # major upgrade
-              end
-              result = points_this_upgrade if points_this_upgrade < result
-            end
-          end
-          result
-        else
-          500_000_000 # No upgrade of gem possible
-        end
+        File.exist?(gemfile_lock_path)
       end
 
-      def content_body(raw_issue_hash)
-        %w[Advisory Criticality URL Solution].map do |key|
-          "**#{key}**: #{raw_issue_hash[key]}"
-        end.join("\n\n")
+      def gemfile_lock_path
+        File.join(@directory, "Gemfile.lock")
       end
     end
   end

lib/cc/engine/result_decorator.rb

@@ -0,0 +1,118 @@
+require "forwardable"
+require "json"
+require "versionomy"
+
+module CC
+  module Engine
+    class ResultDecorator
+      GEM_REGEX = /^\s*(?<name>\S+) \([\d.]+\)/.freeze
+      SEVERITIES = {
+        high: "critical",
+        medium: "normal",
+        low: "info",
+      }.freeze
+
+      extend Forwardable
+
+      def initialize(result, gemfile_lock)
+        @gem = result.gem
+        @advisory = result.advisory
+        @gemfile_lock = gemfile_lock
+      end
+
+      def to_issue
+        {
+          categories: ["Security"],
+          check_name: "Insecure Dependency",
+          content: {
+            body: content_body
+          },
+          description: advisory.title,
+          location: {
+            path: "Gemfile.lock",
+            lines: {
+              begin: line_number,
+              end: line_number
+            }
+          },
+          remediation_points: remediation_points,
+          severity: severity,
+          type: "Issue",
+        }
+      end
+
+      private
+
+      attr_reader :advisory, :gem, :gemfile_lock
+
+      def_delegators :gem, :name, :version
+      def_delegators :advisory, :criticality, :title, :cve, :patched_versions, :url
+
+      def content_body
+        [
+          "**Advisory**: #{identifier}",
+          "**Criticality**: #{criticality.capitalize}",
+          "**URL**: #{url}",
+          "**Solution**: #{solution}",
+        ].join("\n\n")
+      end
+
+      def line_number
+        @line_number ||= begin
+           gemfile_lock.find_index do |line|
+             (match = GEM_REGEX.match(line)) && match[:name] == name
+           end + 1
+        end
+      end
+
+      def remediation_points
+        if patched_versions.any?
+          upgrade_versions.map do |upgrade_version|
+            case
+            when current_version.major != upgrade_version.major
+              50_000_000
+            when current_version.minor != upgrade_version.minor
+              5_000_000
+            when current_version.tiny != upgrade_version.tiny
+              500_000
+            end
+          end.min
+        else
+          500_000_000
+        end
+      end
+
+      def severity
+        SEVERITIES[criticality]
+      end
+
+      def solution
+        if patched_versions.any?
+          "upgrade to #{patched_versions.join(', ')}"
+        else
+          "remove or disable this gem until a patch is available!"
+        end
+      end
+
+      def identifier
+        case
+        when cve then "CVE-#{cve}"
+        when osvdb then osvdb
+        end
+      end
+
+      def current_version
+        Versionomy.parse(version.to_s)
+      end
+
+      def upgrade_versions
+        patched_versions.map do |gem_requirement|
+          requirements = Gem::Requirement.parse(gem_requirement)
+          unqualified_version = requirements.last
+
+          Versionomy.parse(unqualified_version.to_s)
+        end
+      end
+    end
+  end
+end

spec/fixtures/unpatched_versions/issues.json

@@ -9,11 +9,11 @@
         },
         "description": "crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution",
         "location": {
+            "path": "Gemfile.lock",
             "lines": {
                 "begin": 87,
                 "end": 87
-            },
-            "path": "Gemfile.lock"
+            }
         },
         "remediation_points": 500000,
         "severity": "critical",