dccscr 0.2.2 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb980c1757d630d37ffb78c3fd249a730f511965ace798021554f82fe8e5a361
-  data.tar.gz: e5e8910e8dadfb3caef955914693aaa8bf8ba0c206ae2eee622bde5367d4bbcf
+  metadata.gz: 8954b4af554f62fddde9626b2c81c9d5372f80ab598de160949010cd6cc9bbc3
+  data.tar.gz: d4b647df03a1c76a4ea2a6b5ab83d07bf401879ba796278e1ac27a76f5f0fedc
 SHA512:
-  metadata.gz: 6090ea3324a05e5792261e5172b3daa36b6504652a97e1895fe27b9e0f00dfd94b1c2c3792de95494697900c99d9cb15697f89d20be4ef22c057041f1d02379a
-  data.tar.gz: 17ce549bd4c2f16a0632d1c571df9bd0e65a229972244402f0edb3a0e5f898ca830690c3c625a5c474de6d883aef84751cd816a0840f51baf52682a1b3fa7e65
+  metadata.gz: '08f9ae8ebfd9c6f09cae029728f5a50bdd3f57aa316429231c5f2b90e6884a644cf195a3dc24f142f497c4861850368e259ca5efcfe561b298a15938f244cc11'
+  data.tar.gz: 816c17205b0fbfad164016f8df53ec177ab5217576279347be27f3c1990d9b3b9a931bfc73729830e299f666c7f226dd86c6ea080c0c69ad3b89552b8f9348e1

data/.gitlab-ci.yml

@@ -1,9 +1,16 @@
 image: ruby:2.7.3
-
-before_script:
+example_job:
+  before_script:
   - gem install bundler -v 2.2.17
   - bundle install
-
-example_job:
   script:
-    - bundle exec rake
+  - bundle exec rake
+stages:
+- test
+sast:
+  stage: test
+include:
+- template: Security/SAST.gitlab-ci.yml
+- template: Security/Dependency-Scanning.gitlab-ci.yml
+- template: Security/Secret-Detection.gitlab-ci.yml
+- template: Security/License-Scanning.gitlab-ci.yml

data/.rubocop.yml

@@ -11,6 +11,9 @@ Metrics/MethodLength:
 Naming/InclusiveLanguage:
   Enabled: false
 
+Naming/MemoizedInstanceVariableName:
+  Enabled: false
+
 Naming/MethodParameterName:
   MinNameLength: 2
 
@@ -23,9 +26,15 @@ Style/ConditionalAssignment:
 Style/HashConversion:
   Enabled: false
 
+Style/ClassAndModuleChildren:
+  Enabled: false
+
 Style/SpecialGlobalVars:
   Enabled: false
 
+Style/SignalException:
+  Enabled: false
+
 Style/StringLiterals:
   Enabled: true
   EnforcedStyle: single_quotes

data/Gemfile

@@ -6,9 +6,10 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'rake', '~> 13.0'
+gem 'rubocop-rake'
 
 gem 'minitest', '~> 5.0'
+gem 'minitest-ok', '~> 0.3.3'
+gem 'rubocop-minitest'
 
 gem 'rubocop', '~> 1.7'
-gem 'rubocop-rake'
-gem 'rubocop-minitest'

data/Gemfile.lock

@@ -1,13 +1,16 @@
 PATH
   remote: .
   specs:
-    dccscr (0.2.2)
+    dccscr (0.3.1)
+      shellwords (~> 0.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.2)
     minitest (5.14.4)
+    minitest-ok (0.3.3)
+      minitest
     parallel (1.20.1)
     parser (3.0.2.0)
       ast (~> 2.4.1)
@@ -31,6 +34,7 @@ GEM
     rubocop-rake (0.6.0)
       rubocop (~> 1.0)
     ruby-progressbar (1.11.0)
+    shellwords (0.1.0)
     unicode-display_width (2.0.0)
 
 PLATFORMS
@@ -39,6 +43,7 @@ PLATFORMS
 DEPENDENCIES
   dccscr!
   minitest (~> 5.0)
+  minitest-ok (~> 0.3.3)
   rake (~> 13.0)
   rubocop (~> 1.7)
   rubocop-minitest

data/dccscr.gemspec

@@ -26,8 +26,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  # Uncomment to register a new dependency of your gem
-  # spec.add_dependency 'example-gem', '~> 1.0'
+  # ec.add_dependency 'shell',      '~> 0.8'
+  spec.add_dependency 'shellwords', '~> 0.1'
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html

data/exe/update_allowlist_with_dccscr

@@ -1,74 +1,8 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
-require 'dccscr/whitelist'
+require 'dccscr/whitelist/update_allowlist_with_dccscr'
 
-def load_dccscr_whitelist
-  DCCSCR::Whitelist.new.tap do |wl|
-    # load wl entries for args
-    # will load parents as well
-    ARGV.each { |arg| wl[arg] }
-  end
-end
-
-def load_gitlab_allowlist
-  if File.exist?('local-vulnerability-allowlist.yml')
-    warn 'Loading local-vulnerability-allowlist.yml'
-    YAML.safe_load(File.read('local-vulnerability-allowlist.yml'))
-  elsif File.exist?('vulnerability-allowlist.yml')
-    warn 'Loading and renaming vulnerability-allowlist.yml'
-    YAML.safe_load(File.read('vulnerability-allowlist.yml'))
-    File.rename('vulnerability-allowlist.yml', 'local-vulnerability-allowlist.yml')
-  else
-    warn 'No [local-]vulnerability-allowlist.yml'
-    {}
-  end
-end
-
-def allow_list_dccscr(wl)
-  warn 'Generating dccscr list in gitlab format'
-
-  {
-    'generalallowlist' => Hash[
-      wl.entries.map { |_, entry|
-        entry.value['whitelisted_vulnerabilities'].map { |v|
-          [v['vulnerability'], "dccscr-whitelists:\n#{v['justification']}"]
-        }.compact
-      }.flatten(1).sort
-    ]
-  }
-end
-
-def combined_list(dl, ll)
-  warn 'Merging dccscr and local lists'
-
-  dl.merge(ll) { |_, d, l|
-    case d
-    when Hash
-      d.merge(l)
-    else
-      l
-    end
-  }
-end
-
-def update_allow_list_file(cl)
-  warn 'Updating vulnerability-allowlist.yml'
-
-  File.open('vulnerability-allowlist.yml', 'w') do |f|
-    f << cl.to_yaml
-  end
-end
-
-def run
-  ll = load_gitlab_allowlist
-
-  wl = load_dccscr_whitelist
-  dl = allow_list_dccscr(wl)
-
-  cl = combined_list(dl, ll)
-
-  update_allow_list_file(cl)
-end
-
-run
+DCCSCR::Whitelist::UpdateAllowlistWithDCCSCR.new(
+  images: ARGV
+).run

data/lib/dccscr/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DCCSCR
-  VERSION = '0.2.2'
+  VERSION = '0.3.1'
 end

data/lib/dccscr/whitelist.rb

@@ -3,6 +3,7 @@
 require 'json'
 require 'yaml'
 require 'tmpdir'
+require 'shellwords'
 
 module DCCSCR
   # Class to download the dccscr_whitelist repo and store greylist entries.
@@ -26,12 +27,7 @@ module DCCSCR
         @repo = UPSTREAM_REPO
       end
 
-      if clone
-        raise('path exists and is not empty') unless Dir.empty?(@path)
-
-        `git clone #{clone_options} #{@repo.inspect} #{@path.inspect}`
-        $?.success? || raise('error cloning repo')
-      end
+      clone_repo(clone_options) if clone
 
       @entries = {}
     end
@@ -46,10 +42,23 @@ module DCCSCR
       attr_reader :value, :parent
 
       def initialize(whitelist:, subpath:, greylist: "#{File.basename(subpath)}.greylist")
+        warn "Parse: #{File.join subpath,  greylist}"
+
         @value = JSON.parse(File.read(File.join(whitelist.path, subpath, greylist)))
 
-        whitelist[@parent] unless (@parent = @value['image_parent_name'])&.empty?
+        whitelist[@parent] unless (@parent = @value['image_parent_name'] || '').empty?
       end
     end
+
+    private
+
+    def clone_repo(clone_options = '')
+      system Shellwords.join [].tap { |cmd|
+        cmd << %w[git clone]
+        cmd << Shellwords.split(clone_options).map { |w| Shellwords.escape(w) }
+        cmd << ['--', Shellwords.escape(@repo), Shellwords.escape(@path)]
+      }.flatten
+      $?.success? || fail('error cloning repo')
+    end
   end
 end

data/lib/dccscr/whitelist/update_allowlist_with_dccscr.rb

@@ -0,0 +1,96 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../whitelist'
+
+# Service class to update a GitLab vulnerability-allowlist.yml with
+# whitelisted_vulnerabilities from the dccscr-whitelist for a set
+# of images.
+#
+class DCCSCR::Whitelist::UpdateAllowlistWithDCCSCR
+  attr_reader :images, :allow_filename, :local_filename
+
+  def initialize(images: [], allow_filename: nil, local_filename: nil)
+    @images = images
+    @allow_filename = allow_filename || 'vulnerability-allowlist.yml'
+    @local_filename = local_filename || 'local-vulnerability-allowlist.yml'
+  end
+
+  def whitelist
+    @_whitelist ||= DCCSCR::Whitelist.new
+  end
+
+  def run
+    ll = load_gitlab_allowlist
+
+    wl = load_dccscr_whitelist
+    dl = allow_list_dccscr(wl)
+
+    cl = combined_list(dl, ll)
+
+    update_allow_list_file(cl)
+  end
+
+  private
+
+  def load_dccscr_whitelist
+    whitelist.tap do |wl|
+      # load wl entries for args
+      # will load parents as well
+      images.each { |arg| wl[arg] }
+    end
+  end
+
+  def load_gitlab_allowlist
+    if File.exist?(local_filename)
+      warn 'Loading local file'
+      load(local_filename)
+    elsif File.exist?(allow_filename)
+      warn 'Loading and renaming local allow file'
+      File.rename(allow_filename, local_filename)
+      load(local_filename)
+    else
+      warn 'No local allow file'
+      {}
+    end
+  end
+
+  def load(yml)
+    YAML.safe_load(File.read(yml))
+  end
+
+  def allow_list_dccscr(wl)
+    warn 'Generating dccscr list in gitlab format'
+
+    {
+      'generalallowlist' => Hash[
+        wl.entries.map { |_, entry|
+          entry.value['whitelisted_vulnerabilities'].map { |v|
+            [v['vulnerability'], "dccscr-whitelists:\n#{v['justification']}"]
+          }.compact
+        }.flatten(1).sort
+      ]
+    }
+  end
+
+  def combined_list(dl, ll)
+    warn 'Merging dccscr and local lists'
+
+    dl.merge(ll) { |_, d, l|
+      case d
+      when Hash
+        d.merge(l)
+      else
+        l
+      end
+    }
+  end
+
+  def update_allow_list_file(cl)
+    warn 'Updating allow file'
+
+    File.open(allow_filename, 'w') do |f|
+      f << cl.to_yaml
+    end
+  end
+end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: dccscr
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.1
 platform: ruby
 authors:
 - Frank J. Cameron
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-08-07 00:00:00.000000000 Z
-dependencies: []
+date: 2021-08-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: shellwords
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 description:
 email:
 - fjc@fastmail.net
@@ -34,6 +48,7 @@ files:
 - lib/dccscr.rb
 - lib/dccscr/version.rb
 - lib/dccscr/whitelist.rb
+- lib/dccscr/whitelist/update_allowlist_with_dccscr.rb
 homepage: https://gitlab.com/fjc/dccscr.rb
 licenses:
 - MIT