danger-logging_lint 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b4f62fd36901e935296e80d8e6e884604818be116be3731668fd46d9e2f29cf1
+  data.tar.gz: '0518bc5b6aabe4236039303b27e211025458c5870b135789f6311f03918fba5c'
+SHA512:
+  metadata.gz: 47ad03a313f30f32a397ff9d0faffa584b758179f8a701b53ed47e78b05657cfcec4d102965f8d045df00c14ada9b34d2750551085970d8d18e312830b197cfa
+  data.tar.gz: 42cd8e9e2872c7f126bb0c6918741b9df60cf171685beb41ee2309c9f3d185b9e444dc31d024281594511cb108e5d199f667785ce709bf88741204d2efda7ac2

data/.gitignore

@@ -0,0 +1,4 @@
+.DS_Store
+pkg
+.idea/
+.yardoc

data/.rubocop.yml

@@ -0,0 +1,148 @@
+# Defaults can be found here: https://github.com/bbatsov/rubocop/blob/master/config/default.yml
+
+# If you don't like these settings, just delete this file :)
+
+AllCops:
+  TargetRubyVersion: 2.6
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+  Enabled: true
+
+# kind_of? is a good way to check a type
+Style/ClassCheck:
+  EnforcedStyle: kind_of?
+
+# specs sometimes have useless assignments, which is fine
+Lint/UselessAssignment:
+  Exclude:
+    - '**/spec/**/*'
+
+# We could potentially enable the 2 below:
+Layout/FirstHashElementIndentation:
+  Enabled: false
+
+Layout/HashAlignment:
+  Enabled: false
+
+# HoundCI doesn't like this rule
+Layout/DotPosition:
+  Enabled: false
+
+# We allow !! as it's an easy way to convert ot boolean
+Style/DoubleNegation:
+  Enabled: false
+
+# Cop supports --auto-correct.
+Lint/UnusedBlockArgument:
+  Enabled: false
+
+# We want to allow class Fastlane::Class
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 60
+
+# The %w might be confusing for new users
+Style/WordArray:
+  MinSize: 19
+
+# raise and fail are both okay
+Style/SignalException:
+  Enabled: false
+
+# Better too much 'return' than one missing
+Style/RedundantReturn:
+  Enabled: false
+
+# Having if in the same line might not always be good
+Style/IfUnlessModifier:
+  Enabled: false
+
+# and and or is okay
+Style/AndOr:
+  Enabled: false
+
+# Configuration parameters: CountComments.
+Metrics/ClassLength:
+  Max: 350
+
+Metrics/CyclomaticComplexity:
+  Max: 17
+
+# Configuration parameters: AllowURI, URISchemes.
+Layout/LineLength:
+  Max: 370
+
+# Configuration parameters: CountKeywordArgs.
+Metrics/ParameterLists:
+  Max: 10
+
+Metrics/PerceivedComplexity:
+  Max: 18
+
+# Sometimes it's easier to read without guards
+Style/GuardClause:
+  Enabled: false
+
+# something = if something_else
+# that's confusing
+Style/ConditionalAssignment:
+  Enabled: false
+
+# Better to have too much self than missing a self
+Style/RedundantSelf:
+  Enabled: false
+
+Metrics/MethodLength:
+  Max: 60
+
+# We're not there yet
+Style/Documentation:
+  Enabled: false
+
+# Adds complexity
+Style/IfInsideElse:
+  Enabled: false
+
+# danger specific
+
+Style/BlockComments:
+  Enabled: false
+
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+# FIXME: 25
+Metrics/BlockLength:
+  Max: 345
+  Exclude:
+    - "**/*_spec.rb"
+
+Style/MixinGrouping:
+  Enabled: false
+
+Naming/FileName:
+  Enabled: false
+
+Layout/HeredocIndentation:
+  Enabled: false
+
+Style/SpecialGlobalVars:
+  Enabled: false
+
+Style/PercentLiteralDelimiters:
+  PreferredDelimiters:
+    "%":  ()
+    "%i": ()
+    "%q": ()
+    "%Q": ()
+    "%r": "{}"
+    "%s": ()
+    "%w": ()
+    "%W": ()
+    "%x": ()
+
+Security/YAMLLoad:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,11 @@
+language: ruby
+cache:
+  directories:
+    - bundle
+
+rvm:
+  - 2.6
+  - 2.7
+
+script:
+    - bundle exec rake spec

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in danger-logging_lint.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,170 @@
+PATH
+  remote: .
+  specs:
+    danger-logging_lint (0.0.1)
+      danger-plugin-api (~> 1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    ast (2.4.2)
+    claide (1.1.0)
+    claide-plugins (0.9.2)
+      cork
+      nap
+      open4 (~> 1.3)
+    coderay (1.1.3)
+    colored2 (3.1.2)
+    cork (0.3.0)
+      colored2 (~> 3.1)
+    danger (8.5.0)
+      claide (~> 1.0)
+      claide-plugins (>= 0.9.2)
+      colored2 (~> 3.1)
+      cork (~> 0.1)
+      faraday (>= 0.9.0, < 2.0)
+      faraday-http-cache (~> 2.0)
+      git (~> 1.7)
+      kramdown (~> 2.3)
+      kramdown-parser-gfm (~> 1.0)
+      no_proxy_fix
+      octokit (~> 4.7)
+      terminal-table (>= 1, < 4)
+    danger-plugin-api (1.0.0)
+      danger (> 2.0)
+    diff-lcs (1.5.0)
+    faraday (1.10.0)
+      faraday-em_http (~> 1.0)
+      faraday-em_synchrony (~> 1.0)
+      faraday-excon (~> 1.1)
+      faraday-httpclient (~> 1.0)
+      faraday-multipart (~> 1.0)
+      faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.0)
+      faraday-patron (~> 1.0)
+      faraday-rack (~> 1.0)
+      faraday-retry (~> 1.0)
+      ruby2_keywords (>= 0.0.4)
+    faraday-em_http (1.0.0)
+    faraday-em_synchrony (1.0.0)
+    faraday-excon (1.1.0)
+    faraday-http-cache (2.2.0)
+      faraday (>= 0.8)
+    faraday-httpclient (1.0.1)
+    faraday-multipart (1.0.3)
+      multipart-post (>= 1.2, < 3)
+    faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.2.0)
+    faraday-patron (1.0.0)
+    faraday-rack (1.0.0)
+    faraday-retry (1.0.3)
+    ffi (1.15.5)
+    formatador (1.1.0)
+    git (1.10.2)
+      rchardet (~> 1.8)
+    guard (2.18.0)
+      formatador (>= 0.2.4)
+      listen (>= 2.7, < 4.0)
+      lumberjack (>= 1.0.12, < 2.0)
+      nenv (~> 0.1)
+      notiffany (~> 0.0)
+      pry (>= 0.13.0)
+      shellany (~> 0.0)
+      thor (>= 0.18.1)
+    guard-compat (1.2.1)
+    guard-rspec (4.7.3)
+      guard (~> 2.1)
+      guard-compat (~> 1.1)
+      rspec (>= 2.99.0, < 4.0)
+    kramdown (2.3.2)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
+    listen (3.0.7)
+      rb-fsevent (>= 0.9.3)
+      rb-inotify (>= 0.9.7)
+    lumberjack (1.2.8)
+    method_source (1.0.0)
+    multipart-post (2.1.1)
+    nap (1.1.0)
+    nenv (0.3.0)
+    no_proxy_fix (0.1.2)
+    notiffany (0.1.3)
+      nenv (~> 0.1)
+      shellany (~> 0.0)
+    octokit (4.22.0)
+      faraday (>= 0.9)
+      sawyer (~> 0.8.0, >= 0.5.3)
+    open4 (1.3.4)
+    parallel (1.22.1)
+    parser (3.1.1.0)
+      ast (~> 2.4.1)
+    pry (0.14.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    public_suffix (4.0.6)
+    rainbow (3.1.1)
+    rake (10.5.0)
+    rb-fsevent (0.11.1)
+    rb-inotify (0.10.1)
+      ffi (~> 1.0)
+    rchardet (1.8.0)
+    regexp_parser (2.3.0)
+    rexml (3.2.5)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
+    rubocop (1.27.0)
+      parallel (~> 1.10)
+      parser (>= 3.1.0.0)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml
+      rubocop-ast (>= 1.16.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.17.0)
+      parser (>= 3.1.1.0)
+    ruby-progressbar (1.11.0)
+    ruby2_keywords (0.0.5)
+    sawyer (0.8.2)
+      addressable (>= 2.3.5)
+      faraday (> 0.8, < 2.0)
+    shellany (0.0.1)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    thor (1.2.1)
+    unicode-display_width (2.1.0)
+    webrick (1.7.0)
+    yard (0.9.27)
+      webrick (~> 1.7.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 2.0)
+  danger-logging_lint!
+  guard (~> 2.14)
+  guard-rspec (~> 4.7)
+  listen (= 3.0.7)
+  pry
+  rake (~> 10.0)
+  rspec (~> 3.4)
+  rubocop
+  yard
+
+BUNDLED WITH
+   2.1.4

data/Guardfile

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# A guardfile for making Danger Plugins
+# For more info see https://github.com/guard/guard#readme
+
+# To run, use `bundle exec guard`.
+
+guard :rspec, cmd: "bundle exec rspec" do
+  require "guard/rspec/dsl"
+  dsl = Guard::RSpec::Dsl.new(self)
+
+  # RSpec files
+  rspec = dsl.rspec
+  watch(rspec.spec_helper) { rspec.spec_dir }
+  watch(rspec.spec_support) { rspec.spec_dir }
+  watch(rspec.spec_files)
+
+  # Ruby files
+  ruby = dsl.ruby
+  dsl.watch_spec_files_for(ruby.lib_files)
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2022 David Sucharda <david.sucharda@eman.cz>
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,74 @@
+## logging_lint
+
+This danger plugin can be used to check log lines in modified (added) files. It heavily relies on regex configuration which can be modified to search all kinds of parts of code in the files. Default configuration is set to support [Kotlin eMan Logger Library](https://github.com/eManPrague/logger-ktx). Ex: logInfo { "Info message $var" }.
+
+It works in two steps. First it searches for all log lines (multilines) in files. And then it applies line variable regex combined with line remove regex. Check `check_files` function for more information.
+
+## Installation
+
+    $ gem install danger-logging_lint
+
+## Usage
+
+> Log linter with its basic configuration (searches for logInfo { "Message with $var" } and it's combinations)
+> ```
+> logging_lint.log_lint
+> ```
+
+> Log linter with multiple log functions
+> ```
+> # Linting multiple log functions
+> logging_lint.log_functions = ["logInfo", "logWarn", "logError"]
+> logging_lint.log_lint
+> ```
+
+
+> Log linter with completely custom functionality
+> ```
+> # Linting only kotlin files (extensions without dot or star)
+> logging_lint.file_extensions = ["kt"]
+> # Linting multiple log functions
+> logging_lint.log_functions = ["logInfo", "logWarn", "logError"]
+> # Custom warning text and description
+> logging_lint.warning_text = "You should really check this!"
+> logging_lint.warning_description = "May be a security issue. Check this link: ...."
+> # Custom log regex (searches for "foo $ bar")
+> logging_lint.log_regex = '(\".*\$.*\")'
+> # Custom log variable regex (searches for "$" and "${message}" in the log)
+> logging_lint.line_variable_regex = ['\$', '${message}']
+> # Custom log remove regex (removes nothing from the log lines)
+> logging_lint.line_remove_regex = []
+> # Marks start of the log when variable was found in it
+> logging_lint.line_index_position = "start"
+> logging_lint.log_lint
+> ```
+
+### Attributes
+
+`file_extensions` - File extensions are used to limit the number of files checked based on their extension. For example for Kotlin language we want to check only .kt files and no other.  
+`log_functions` - Log functions are functions which define logging. They usually identify logging function that is being used. For example logInfo, logWarn or logError. Each of these values is checked in a file combined with log_regex.  
+`warning_text` - Warning text is used to modify the text displayed in the Danger report. It is a message with which the Danger warning for specific log is created.  
+`warning_description` - Warning description can be used to extend warning text. It can be used to provide more context for the log warning such as more description, link with security rules and other.  
+`log_regex` - This regex is used to search for all log lines in a file. It does not check if there are variables in it. It just searches for all logs. These results are used later to filter in them.  
+`line_variable_regex` - This regex is used to check log lines for variables. Since it is not always possible to find all variables using one single regex it is represented as an array. This array cannot be null or empty for the script to function.  
+`line_remove_regex` - This regex is used to clear the log line before variable regex is applied. It allows us to clear values that would interfere with variable searching. This array cannot be null but it can be empty for this script to function.  
+`line_index_position` - Unfortunately due to line modification in function `contains_variable` it is not possible to accurately pinpoint variable in the log. That is why there are three options for the offset to identity the line. Options are: "start", "middle", "end".
+
+### Methods
+
+`log_lint` - Triggers file linting on specific target files. But first it does few checks if it actually needs to run.
+1) Checks if `log_functions` have size at least 1. If they are not then this script send Danger fail and cancels.
+2) Checks if `line_variable_regex` have size at least 1. If they are not then this script send Danger fail and
+cancels.
+3) Filters target files based on `file_extensions` and if there are no files to check it will send Danger message
+and cancels.
+
+If all of these checks pass then it will trigger linter on target files (filtered) using `check_files`.
+
+## Development
+
+1. Clone this repo
+2. Run `bundle install` to setup dependencies.
+3. Run `bundle exec rake spec` to run the tests.
+4. Use `bundle exec guard` to automatically have tests run as you make changes.
+5. Make your changes.

data/Rakefile

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "rubocop/rake_task"
+
+RSpec::Core::RakeTask.new(:specs)
+
+task default: :specs
+
+task :spec do
+  Rake::Task["specs"].invoke
+  Rake::Task["rubocop"].invoke
+  Rake::Task["spec_docs"].invoke
+end
+
+desc "Run RuboCop on the lib/specs directory"
+RuboCop::RakeTask.new(:rubocop) do |task|
+  task.patterns = ["lib/**/*.rb", "spec/**/*.rb"]
+end
+
+desc "Ensure that the plugin passes `danger plugins lint`"
+task :spec_docs do
+  sh "bundle exec danger plugins lint"
+end

data/danger-logging_lint.gemspec

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "logging_lint/gem_version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "danger-logging_lint"
+  spec.version       = LoggingLint::VERSION
+  spec.authors       = ["David Sucharda"]
+  spec.email         = ["david.sucharda@eman.cz"]
+  spec.description   = "Checks logging commands in code."
+  spec.summary       = "Logging might be a security issue that is why this plugin checks files for new/changed logs with variables that might be a security issue and warns them using Danger."
+  spec.homepage      = "https://github.com/eManPrague/danger-logging_lint"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "danger-plugin-api", "~> 1.0"
+
+  # General ruby development
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+
+  # Testing support
+  spec.add_development_dependency "rspec", "~> 3.4"
+
+  # Linting code and docs
+  spec.add_development_dependency "rubocop"
+  spec.add_development_dependency "yard"
+
+  # Makes testing easy via `bundle exec guard`
+  spec.add_development_dependency "guard", "~> 2.14"
+  spec.add_development_dependency "guard-rspec", "~> 4.7"
+
+  # If you want to work on older builds of ruby
+  spec.add_development_dependency "listen", "3.0.7"
+
+  # This gives you the chance to run a REPL inside your tests
+  # via:
+  #
+  #    require 'pry'
+  #    binding.pry
+  #
+  # This will stop test execution and let you inspect the results
+  spec.add_development_dependency "pry"
+end

data/lib/danger_logging_lint.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require "logging_lint/gem_version"

data/lib/danger_plugin.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require "logging_lint/plugin"

data/lib/logging_lint/gem_version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module LoggingLint
+  VERSION = "0.0.1"
+end