dccscr 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 001c4cfef47663ecde65ab85d8a224c41aeccd1830e38efec45595ae7d98f156
-  data.tar.gz: 4ba7252fed6b9412ce92baae6cafa46b7ff1b69d645fbb1bce2a6f5912d367fc
+  metadata.gz: 753dc4edfd916f55efc0d2d533fa67835de1d8540f37b749304f208c3268ce0e
+  data.tar.gz: 03020aa7432733669621c0d318985e05a7a5c8a2f007143dc762e8cf12f70311
 SHA512:
-  metadata.gz: b32f02be518dd05d0fffaea3d3fad634843f72bb7ae842eae8d1568f0378df9d65baa2f42a836ee1b9340019f32b66ed2711b80841b27076dafe5de1499e7eab
-  data.tar.gz: 96e7a216935df6e9a3ec38081c01a524968d57c01901ae8280d17ddaf578ff9fa50fd36e139dcfa363c9899c198629031aeca572a0b9cb2005dcb4aa1ab63b02
+  metadata.gz: 25e36706bda36da321fa36f2df0f415aebfeebe4a5d476408c8dc74738a300146edf890c6b6295e724369e924f939d4773c12ea7b53e8cc951ad508a2bb21942
+  data.tar.gz: a09fa390de7045f70fafb575bc7cb5ef91fedc40310b7f1f93cc5498f1c489fd7d90d91a3afd27cd34a85669e61b9194021743ad090e1d9bdafa8250e5bc4d32

data/.gitlab-ci.yml

@@ -1,9 +1,16 @@
 image: ruby:2.7.3
-
-before_script:
+example_job:
+  before_script:
   - gem install bundler -v 2.2.17
   - bundle install
-
-example_job:
   script:
-    - bundle exec rake
+  - bundle exec rake
+stages:
+- test
+sast:
+  stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml
+- template: Security/Dependency-Scanning.gitlab-ci.yml
+- template: Security/Secret-Detection.gitlab-ci.yml
+- template: Security/License-Scanning.gitlab-ci.yml

data/.rubocop.yml

@@ -11,6 +11,9 @@ Metrics/MethodLength:
 Naming/InclusiveLanguage:
   Enabled: false
 
+Naming/MemoizedInstanceVariableName:
+  Enabled: false
+
 Naming/MethodParameterName:
   MinNameLength: 2
 
@@ -23,9 +26,15 @@ Style/ConditionalAssignment:
 Style/HashConversion:
   Enabled: false
 
+Style/ClassAndModuleChildren:
+  Enabled: false
+
 Style/SpecialGlobalVars:
   Enabled: false
 
+Style/SignalException:
+  Enabled: false
+
 Style/StringLiterals:
   Enabled: true
   EnforcedStyle: single_quotes

data/Gemfile

@@ -6,9 +6,10 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'rake', '~> 13.0'
+gem 'rubocop-rake'
 
 gem 'minitest', '~> 5.0'
+gem 'minitest-ok', '~> 0.3.3'
+gem 'rubocop-minitest'
 
 gem 'rubocop', '~> 1.7'
-gem 'rubocop-rake'
-gem 'rubocop-minitest'

data/Gemfile.lock

@@ -1,13 +1,16 @@
 PATH
   remote: .
   specs:
-    dccscr (0.2.1)
+    dccscr (0.3.0)
+      shellwords (~> 0.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.2)
     minitest (5.14.4)
+    minitest-ok (0.3.3)
+      minitest
     parallel (1.20.1)
     parser (3.0.2.0)
       ast (~> 2.4.1)
@@ -31,6 +34,7 @@ GEM
     rubocop-rake (0.6.0)
       rubocop (~> 1.0)
     ruby-progressbar (1.11.0)
+    shellwords (0.1.0)
     unicode-display_width (2.0.0)
 
 PLATFORMS
@@ -39,6 +43,7 @@ PLATFORMS
 DEPENDENCIES
   dccscr!
   minitest (~> 5.0)
+  minitest-ok (~> 0.3.3)
   rake (~> 13.0)
   rubocop (~> 1.7)
   rubocop-minitest

data/dccscr.gemspec

@@ -26,8 +26,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  # Uncomment to register a new dependency of your gem
-  # spec.add_dependency 'example-gem', '~> 1.0'
+  # ec.add_dependency 'shell',      '~> 0.8'
+  spec.add_dependency 'shellwords', '~> 0.1'
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html

data/exe/update_allowlist_with_dccscr

@@ -1,74 +1,8 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
-require 'dccscr/whitelist'
+require 'dccscr/whitelist/update_allowlist_with_dccscr'
 
-def load_dccscr_whitelist
-  DCCSCR::Whitelist.new.tap do |wl|
-    # load wl entries for args
-    # will load parents as well
-    ARGV.each { |arg| wl[arg] }
-  end
-end
-
-def load_gitlab_allowlist
-  if File.exist?('local-vulnerability-allowlist.yml')
-    warn 'Loading local-vulnerability-allowlist.yml'
-    YAML.safe_load(File.read('local-vulnerability-allowlist.yml'))
-  elsif File.exist?('vulnerability-allowlist.yml')
-    warn 'Loading and renaming vulnerability-allowlist.yml'
-    YAML.safe_load(File.read('vulnerability-allowlist.yml'))
-    File.rename('vulnerability-allowlist.yml', 'local-vulnerability-allowlist.yml')
-  else
-    warn 'No [local-]vulnerability-allowlist.yml'
-    {}
-  end
-end
-
-def allow_list_dccscr(wl)
-  warn 'Generating dccscr list in gitlab format'
-
-  {
-    'generalallowlist' => Hash[
-      wl.entries.map { |_, entry|
-        entry.value['whitelisted_vulnerabilities'].map { |v|
-          [v['vulnerability'], "dccscr-whitelists:\n#{v['justification']}"]
-        }.compact
-      }.flatten(1).sort
-    ]
-  }
-end
-
-def combined_list(dl, ll)
-  warn 'Merging dccscr and local lists'
-
-  dl.merge(ll) { |_, d, l|
-    case d
-    when Hash
-      d.merge(l)
-    else
-      l
-    end
-  }
-end
-
-def update_allow_list_file(cl)
-  warn 'Updating vulnerability-allowlist.yml'
-
-  File.open('vulnerability-allowlist.yml', 'w') do |f|
-    f << cl.to_yaml
-  end
-end
-
-def run
-  ll = load_gitlab_allowlist
-
-  wl = load_dccscr_whitelist
-  dl = allow_list_dccscr(wl)
-
-  cl = combined_list(dl, ll)
-
-  update_allow_list_file(cl)
-end
-
-run if __FILE__ == $0
+DCCSCR::Whitelist::UpdateAllowlistWithDCCSCR.new(
+  images: ARGV
+).run

data/lib/dccscr/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DCCSCR
-  VERSION = '0.2.1'
+  VERSION = '0.3.0'
 end

data/lib/dccscr/whitelist.rb

@@ -3,6 +3,7 @@
 require 'json'
 require 'yaml'
 require 'tmpdir'
+require 'shellwords'
 
 module DCCSCR
   # Class to download the dccscr_whitelist repo and store greylist entries.
@@ -26,12 +27,7 @@ module DCCSCR
         @repo = UPSTREAM_REPO
       end
 
-      if clone
-        raise('path exists and is not empty') unless Dir.empty?(@path)
-
-        `git clone #{clone_options} #{@repo.inspect} #{@path.inspect}`
-        $?.success? || raise('error cloning repo')
-      end
+      clone_repo(clone_options) if clone
 
       @entries = {}
     end
@@ -51,5 +47,16 @@ module DCCSCR
         whitelist[@parent] unless (@parent = @value['image_parent_name'])&.empty?
       end
     end
+
+    private
+
+    def clone_repo(clone_options = '')
+      system Shellwords.join [].tap { |cmd|
+        cmd << %w[git clone]
+        cmd << Shellwords.split(clone_options).map { |w| Shellwords.escape(w) }
+        cmd << ['--', Shellwords.escape(@repo), Shellwords.escape(@path)]
+      }.flatten
+      $?.success? || fail('error cloning repo')
+    end
   end
 end

data/lib/dccscr/whitelist/update_allowlist_with_dccscr.rb

@@ -0,0 +1,96 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../whitelist'
+
+# Service class to update a GitLab vulnerability-allowlist.yml with
+# whitelisted_vulnerabilities from the dccscr-whitelist for a set
+# of images.
+#
+class DCCSCR::Whitelist::UpdateAllowlistWithDCCSCR
+  attr_reader :images, :allow_filename, :local_filename
+
+  def initialize(images: [], allow_filename: nil, local_filename: nil)
+    @images = images
+    @allow_filename = allow_filename || 'vulnerability-allowlist.yml'
+    @local_filename = local_filename || 'local-vulnerability-allowlist.yml'
+  end
+
+  def whitelist
+    @_whitelist ||= DCCSCR::Whitelist.new
+  end
+
+  def run
+    ll = load_gitlab_allowlist
+
+    wl = load_dccscr_whitelist
+    dl = allow_list_dccscr(wl)
+
+    cl = combined_list(dl, ll)
+
+    update_allow_list_file(cl)
+  end
+
+  private
+
+  def load_dccscr_whitelist
+    whitelist.tap do |wl|
+      # load wl entries for args
+      # will load parents as well
+      images.each { |arg| wl[arg] }
+    end
+  end
+
+  def load_gitlab_allowlist
+    if File.exist?(local_filename)
+      warn 'Loading local file'
+      load(local_filename)
+    elsif File.exist?(allow_filename)
+      warn 'Loading and renaming local allow file'
+      File.rename(allow_filename, local_filename)
+      load(local_filename)
+    else
+      warn 'No local allow file'
+      {}
+    end
+  end
+
+  def load(yml)
+    YAML.safe_load(File.read(yml))
+  end
+
+  def allow_list_dccscr(wl)
+    warn 'Generating dccscr list in gitlab format'
+
+    {
+      'generalallowlist' => Hash[
+        wl.entries.map { |_, entry|
+          entry.value['whitelisted_vulnerabilities'].map { |v|
+            [v['vulnerability'], "dccscr-whitelists:\n#{v['justification']}"]
+          }.compact
+        }.flatten(1).sort
+      ]
+    }
+  end
+
+  def combined_list(dl, ll)
+    warn 'Merging dccscr and local lists'
+
+    dl.merge(ll) { |_, d, l|
+      case d
+      when Hash
+        d.merge(l)
+      else
+        l
+      end
+    }
+  end
+
+  def update_allow_list_file(cl)
+    warn 'Updating allow file'
+
+    File.open(allow_filename, 'w') do |f|
+      f << cl.to_yaml
+    end
+  end
+end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: dccscr
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Frank J. Cameron
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-08-07 00:00:00.000000000 Z
-dependencies: []
+date: 2021-08-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: shellwords
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 description:
 email:
 - fjc@fastmail.net
@@ -34,6 +48,7 @@ files:
 - lib/dccscr.rb
 - lib/dccscr/version.rb
 - lib/dccscr/whitelist.rb
+- lib/dccscr/whitelist/update_allowlist_with_dccscr.rb
 homepage: https://gitlab.com/fjc/dccscr.rb
 licenses:
 - MIT