bundler_audit_notifier 0.0.8 → 0.1.12
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/bundler_audit_issues_controller.rb +1 -1
- data/app/mailers/bundler_audit_issues_mailer.rb +4 -0
- data/app/views/bundler_audit_issues_mailer/error_in_running.html.erb +14 -0
- data/app/views/bundler_audit_issues_mailer/vulnerability_email.html.erb +10 -10
- data/lib/bundler_audit_notifier.rb +74 -45
- metadata +16 -15
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a83e35d3a799a6b5d82900e74a6c106347a25d51d1ddd947a2f28667558a0aec
|
4
|
+
data.tar.gz: 0c502972dc8b59643992e28313bf0683189d6bd61a43e7ce9b372b337ce1ad83
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c591a94bbf430312f1a2ed561d83066d82f0d9005f72431645255bb57e3f29d8ed42547dd0387f3c1b151152d8a6d97a6f46764e0e6181b1b984b69ade5de9e3
|
7
|
+
data.tar.gz: 76efc070abe43f3e0ad144687df4e5ba80bf8b0f9e0eacd356798e070b06cf3b0e1890dcd51b7bb1eef934d6259e612170a956ef5bf19d27958cd0e008fe55e2
|
@@ -16,7 +16,7 @@ class BundlerAuditIssuesController < ActionController::Base
|
|
16
16
|
if params[:token].present?
|
17
17
|
bundler_audit_issue = BundlerAuditIssue.where(token: params[:token]).first
|
18
18
|
if bundler_audit_issue
|
19
|
-
|
19
|
+
::Rails.logger.info("Authorized accesss to api for bundler audit issue: #{params[:token]}")
|
20
20
|
return true
|
21
21
|
else
|
22
22
|
::Rails.logger.warn("Unauthorized accesss to api for bundler audit issue: #{params[:token]}")
|
@@ -8,4 +8,8 @@ class BundlerAuditIssuesMailer < ActionMailer::Base
|
|
8
8
|
@vulnerabilities = vulnerabilities
|
9
9
|
mail(to: (opts[:custom_recipient] || DEFAULT_TO), subject: 'Vulnerability Scanner Results')
|
10
10
|
end
|
11
|
+
def error_in_running errors, opts = {}
|
12
|
+
@errors = errors
|
13
|
+
mail(to: (opts[:custom_recipient] || DEFAULT_TO), subject: 'Vulnerability Scanner Errored')
|
14
|
+
end
|
11
15
|
end
|
@@ -0,0 +1,14 @@
|
|
1
|
+
<!DOCTYPE html>
|
2
|
+
<html>
|
3
|
+
<head>
|
4
|
+
<meta content='text/html; charset=UTF-8' http-equiv='Content-Type' />
|
5
|
+
</head>
|
6
|
+
<body>
|
7
|
+
<h1>Vulnerabilities: </h1>
|
8
|
+
<ul>
|
9
|
+
<% @errors.each do |error| %>
|
10
|
+
<li> <%= error.to_s.html_safe %></li>
|
11
|
+
<% end %>
|
12
|
+
</ul>
|
13
|
+
</body>
|
14
|
+
</html>
|
@@ -6,16 +6,16 @@
|
|
6
6
|
<body>
|
7
7
|
<h1>Vulnerabilities: </h1>
|
8
8
|
<% @vulnerabilities.each do |line| %>
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
9
|
+
<ul>
|
10
|
+
<li> Name: <%= line[:name].to_s.html_safe %></li>
|
11
|
+
<li> Version: <%= line[:version].to_s.html_safe %></li>
|
12
|
+
<li> Advisory: <%= line[:advisory].to_s.html_safe %></li>
|
13
|
+
<li> Criticality:<%= line[:criticality].to_s.html_safe %></li>
|
14
|
+
<li> Url: <%= line[:url].to_s.html_safe %></li>
|
15
|
+
<li> Title: <%= line[:title].to_s.html_safe %></li>
|
16
|
+
<li> Solution: <%= line[:solution].to_s.html_safe %></li>
|
17
|
+
</ul>
|
18
|
+
<p> Click here to ignore this vulnerability: <%= link_to "ignore", ignore_url(line[:token]) %></p>
|
19
19
|
<% end %>
|
20
20
|
</body>
|
21
21
|
</html>
|
@@ -1,65 +1,94 @@
|
|
1
1
|
# dependencies
|
2
2
|
require "active_support"
|
3
|
-
require 'rake'
|
4
|
-
require "bundler_audit_notifier/engine"
|
5
|
-
require "auditer_script"
|
6
3
|
|
7
4
|
module BundlerAuditNotifier
|
8
5
|
def self.audit_parse
|
9
6
|
r, w = IO.pipe
|
7
|
+
errors = []
|
10
8
|
# Spawn executes specified command and return its pid
|
11
9
|
# This line will execute code that runs bundler-audit and then write the output into the IO pipe
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
10
|
+
script_location = "lib/auditer_script.rb"
|
11
|
+
if File.exists?("lib/auditer_script.rb")
|
12
|
+
# use local file lib
|
13
|
+
else
|
14
|
+
gem_file_path = (`bundle show bundler_audit_notifier`).strip
|
15
|
+
gem_location = (File.join(gem_file_path, 'lib', 'auditer_script.rb'))
|
16
|
+
if File.exists?(gem_location)
|
17
|
+
script_location = gem_location
|
18
|
+
else
|
19
|
+
errors << "Error parsing Script file location: Neither #{script_location} nor #{gem_location}"
|
20
|
+
end
|
21
|
+
end
|
22
|
+
if errors.none?
|
23
|
+
pid = spawn(RbConfig.ruby, script_location, :out => w, :err => [:child, :out])
|
24
|
+
Process.wait2(pid)
|
25
|
+
w.close
|
26
|
+
# At this point, the results of the bundler-audit check command are written in the IO pipe
|
27
|
+
vulnerabilities = []# load quieries from database
|
28
|
+
update_line = r.gets
|
29
|
+
# Parsing bundler-audit update results
|
30
|
+
if update_line.starts_with?("Updating ruby-advisory-db ...")
|
31
|
+
while !update_line.start_with?('ruby-advisory-db:') && !r.eof?
|
32
|
+
update_line = r.gets
|
33
|
+
end
|
34
|
+
else
|
35
|
+
errors << "Error parsing DURING UPDATE: #{update_line}"
|
36
|
+
end
|
37
|
+
while !r.eof?
|
38
|
+
# Parsing the bundler-audit results
|
39
|
+
name_line = r.gets
|
40
|
+
|
41
|
+
if name = name_line[/Name: (?<name>.+)/, :name]
|
42
|
+
version_line = r.gets
|
43
|
+
advisory_line = r.gets
|
44
|
+
criticality_line = r.gets
|
45
|
+
url_line = r.gets
|
46
|
+
title_line = r.gets
|
47
|
+
solution_line = r.gets
|
48
|
+
space = r.gets
|
49
|
+
if version_line && advisory_line && criticality_line && url_line && title_line && solution_line
|
50
|
+
version = version_line[/Version: (?<version>.+)/, :version]
|
51
|
+
advisory = advisory_line[/Advisory: (?<advisory>.+)/, :advisory]
|
52
|
+
criticality = criticality_line[/Criticality: (?<criticality>.+)/, :criticality]
|
53
|
+
url = url_line[/URL: (?<url>.+)/, :url]
|
54
|
+
title = title_line[/Title: (?<title>.+)/, :title]
|
55
|
+
solution = solution_line[/Solution: (?<solution>.+)/, :solution]
|
36
56
|
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
57
|
+
# check for valid data
|
58
|
+
# check database table for existing event
|
59
|
+
data = {name: name, version: version, advisory: advisory, criticality: criticality, url: url, title: title, solution: solution}
|
60
|
+
bai = BundlerAuditIssue.find_by_advisory(advisory)
|
61
|
+
if bai
|
62
|
+
# if event found, touch event
|
63
|
+
bai.touch
|
64
|
+
# if found event is ignored, remove from vulnerabilites hash
|
65
|
+
if !bai.ignore
|
66
|
+
vulnerabilities << data.merge({token: bai.token})
|
67
|
+
end
|
68
|
+
else
|
69
|
+
if bai = BundlerAuditIssue.create(data)
|
70
|
+
vulnerabilities << data.merge({token: bai.token})
|
71
|
+
else
|
72
|
+
errors << "Error parsing creating new BundlerAuditIssue with the following #{data}"
|
73
|
+
end
|
46
74
|
end
|
47
|
-
else
|
48
|
-
|
49
|
-
|
50
|
-
vulnerabilities << bundler_audit_issue
|
75
|
+
else
|
76
|
+
errors << "ERROR: nil line found #{version_line}, #{advisory_line}, #{criticality_line}, #{url_line}, #{title_line}, #{solution_line}"
|
51
77
|
end
|
78
|
+
elsif name_line.strip == "Vulnerabilities found!"
|
79
|
+
# puts "End of output reached!"
|
52
80
|
else
|
53
|
-
|
81
|
+
errors << "Error parsing NAME LINE: #{name_line}"
|
54
82
|
end
|
55
|
-
elsif name_line.strip == "Vulnerabilities found!"
|
56
|
-
puts "End of output reached!"
|
57
83
|
end
|
58
84
|
end
|
59
85
|
# iterate through remaining vulnerabilties and send them in an email if any are remaining
|
86
|
+
if errors.present?
|
87
|
+
BundlerAuditIssuesMailer.error_in_running(errors).deliver_now
|
88
|
+
end
|
60
89
|
if vulnerabilities.present?
|
61
90
|
BundlerAuditIssuesMailer.vulnerability_email(vulnerabilities).deliver_now
|
62
91
|
end
|
92
|
+
return [vulnerabilities, errors]
|
63
93
|
end
|
64
|
-
end
|
65
|
-
|
94
|
+
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: bundler_audit_notifier
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.1.12
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Marley Stipich
|
@@ -38,20 +38,6 @@ dependencies:
|
|
38
38
|
- - ">="
|
39
39
|
- !ruby/object:Gem::Version
|
40
40
|
version: '0'
|
41
|
-
- !ruby/object:Gem::Dependency
|
42
|
-
name: sqlite3
|
43
|
-
requirement: !ruby/object:Gem::Requirement
|
44
|
-
requirements:
|
45
|
-
- - ">="
|
46
|
-
- !ruby/object:Gem::Version
|
47
|
-
version: '0'
|
48
|
-
type: :runtime
|
49
|
-
prerelease: false
|
50
|
-
version_requirements: !ruby/object:Gem::Requirement
|
51
|
-
requirements:
|
52
|
-
- - ">="
|
53
|
-
- !ruby/object:Gem::Version
|
54
|
-
version: '0'
|
55
41
|
- !ruby/object:Gem::Dependency
|
56
42
|
name: rails
|
57
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -148,6 +134,20 @@ dependencies:
|
|
148
134
|
- - ">="
|
149
135
|
- !ruby/object:Gem::Version
|
150
136
|
version: '0'
|
137
|
+
- !ruby/object:Gem::Dependency
|
138
|
+
name: sqlite3
|
139
|
+
requirement: !ruby/object:Gem::Requirement
|
140
|
+
requirements:
|
141
|
+
- - ">="
|
142
|
+
- !ruby/object:Gem::Version
|
143
|
+
version: '0'
|
144
|
+
type: :development
|
145
|
+
prerelease: false
|
146
|
+
version_requirements: !ruby/object:Gem::Requirement
|
147
|
+
requirements:
|
148
|
+
- - ">="
|
149
|
+
- !ruby/object:Gem::Version
|
150
|
+
version: '0'
|
151
151
|
description:
|
152
152
|
email:
|
153
153
|
executables: []
|
@@ -158,6 +158,7 @@ files:
|
|
158
158
|
- app/mailers/bundler_audit_issues_mailer.rb
|
159
159
|
- app/models/bundler_audit_issue.rb
|
160
160
|
- app/views/bundler_audit_issues/ignore.html.erb
|
161
|
+
- app/views/bundler_audit_issues_mailer/error_in_running.html.erb
|
161
162
|
- app/views/bundler_audit_issues_mailer/vulnerability_email.html.erb
|
162
163
|
- lib/auditer_script.rb
|
163
164
|
- lib/bundler_audit_notifier.rb
|