dccscr 0.2.4 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 19f7a39dba0aaf6a38390ec0231123337295fc09ed67688f2385570c7a0e2e68
-  data.tar.gz: 2cb39e932916aa6f64c3e6bda49d7e92fdda67b3714172098db1a06bb3c09f05
+  metadata.gz: 753dc4edfd916f55efc0d2d533fa67835de1d8540f37b749304f208c3268ce0e
+  data.tar.gz: 03020aa7432733669621c0d318985e05a7a5c8a2f007143dc762e8cf12f70311
 SHA512:
-  metadata.gz: a2beaade232b0aace980995067f07b0cf50791d640cac99ee6bec6151a0a09f2c1d937ae432ec04e64b66974853971b9ca2f32d5397df7f92f206c8ec0b4ea96
-  data.tar.gz: 793bd0cf0c5d45a488e53e8c3382f87c3ad5428ccd7c3af31d6ff81fac57951d2c684e20e2b7d4ecdb6cf651c449b06e295e6dc2c978d3cd808338f3ae628a92
+  metadata.gz: 25e36706bda36da321fa36f2df0f415aebfeebe4a5d476408c8dc74738a300146edf890c6b6295e724369e924f939d4773c12ea7b53e8cc951ad508a2bb21942
+  data.tar.gz: a09fa390de7045f70fafb575bc7cb5ef91fedc40310b7f1f93cc5498f1c489fd7d90d91a3afd27cd34a85669e61b9194021743ad090e1d9bdafa8250e5bc4d32

data/.rubocop.yml

@@ -11,6 +11,9 @@ Metrics/MethodLength:
 Naming/InclusiveLanguage:
   Enabled: false
 
+Naming/MemoizedInstanceVariableName:
+  Enabled: false
+
 Naming/MethodParameterName:
   MinNameLength: 2
 
@@ -23,6 +26,9 @@ Style/ConditionalAssignment:
 Style/HashConversion:
   Enabled: false
 
+Style/ClassAndModuleChildren:
+  Enabled: false
+
 Style/SpecialGlobalVars:
   Enabled: false
 

data/Gemfile

@@ -9,6 +9,7 @@ gem 'rake', '~> 13.0'
 gem 'rubocop-rake'
 
 gem 'minitest', '~> 5.0'
+gem 'minitest-ok', '~> 0.3.3'
 gem 'rubocop-minitest'
 
 gem 'rubocop', '~> 1.7'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    dccscr (0.2.4)
+    dccscr (0.3.0)
       shellwords (~> 0.1)
 
 GEM
@@ -9,6 +9,8 @@ GEM
   specs:
     ast (2.4.2)
     minitest (5.14.4)
+    minitest-ok (0.3.3)
+      minitest
     parallel (1.20.1)
     parser (3.0.2.0)
       ast (~> 2.4.1)
@@ -41,6 +43,7 @@ PLATFORMS
 DEPENDENCIES
   dccscr!
   minitest (~> 5.0)
+  minitest-ok (~> 0.3.3)
   rake (~> 13.0)
   rubocop (~> 1.7)
   rubocop-minitest

data/exe/update_allowlist_with_dccscr

@@ -1,74 +1,8 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
-require 'dccscr/whitelist'
+require 'dccscr/whitelist/update_allowlist_with_dccscr'
 
-def load_dccscr_whitelist
-  DCCSCR::Whitelist.new.tap do |wl|
-    # load wl entries for args
-    # will load parents as well
-    ARGV.each { |arg| wl[arg] }
-  end
-end
-
-def load_gitlab_allowlist
-  if File.exist?('local-vulnerability-allowlist.yml')
-    warn 'Loading local-vulnerability-allowlist.yml'
-    YAML.safe_load(File.read('local-vulnerability-allowlist.yml'))
-  elsif File.exist?('vulnerability-allowlist.yml')
-    warn 'Loading and renaming vulnerability-allowlist.yml'
-    File.rename('vulnerability-allowlist.yml', 'local-vulnerability-allowlist.yml')
-    YAML.safe_load(File.read('local-vulnerability-allowlist.yml'))
-  else
-    warn 'No [local-]vulnerability-allowlist.yml'
-    {}
-  end
-end
-
-def allow_list_dccscr(wl)
-  warn 'Generating dccscr list in gitlab format'
-
-  {
-    'generalallowlist' => Hash[
-      wl.entries.map { |_, entry|
-        entry.value['whitelisted_vulnerabilities'].map { |v|
-          [v['vulnerability'], "dccscr-whitelists:\n#{v['justification']}"]
-        }.compact
-      }.flatten(1).sort
-    ]
-  }
-end
-
-def combined_list(dl, ll)
-  warn 'Merging dccscr and local lists'
-
-  dl.merge(ll) { |_, d, l|
-    case d
-    when Hash
-      d.merge(l)
-    else
-      l
-    end
-  }
-end
-
-def update_allow_list_file(cl)
-  warn 'Updating vulnerability-allowlist.yml'
-
-  File.open('vulnerability-allowlist.yml', 'w') do |f|
-    f << cl.to_yaml
-  end
-end
-
-def run
-  ll = load_gitlab_allowlist
-
-  wl = load_dccscr_whitelist
-  dl = allow_list_dccscr(wl)
-
-  cl = combined_list(dl, ll)
-
-  update_allow_list_file(cl)
-end
-
-run
+DCCSCR::Whitelist::UpdateAllowlistWithDCCSCR.new(
+  images: ARGV
+).run

data/lib/dccscr/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DCCSCR
-  VERSION = '0.2.4'
+  VERSION = '0.3.0'
 end

data/lib/dccscr/whitelist.rb

@@ -27,11 +27,7 @@ module DCCSCR
         @repo = UPSTREAM_REPO
       end
 
-      if clone
-        clone_options = Shellwords.join(Shellwords.split(clone_options).map { |w| Shellwords.escape(w) })
-        system "git clone #{clone_options} -- #{@repo.inspect} #{@path.inspect}"
-        $?.success? || fail('error cloning repo')
-      end
+      clone_repo(clone_options) if clone
 
       @entries = {}
     end
@@ -51,5 +47,16 @@ module DCCSCR
         whitelist[@parent] unless (@parent = @value['image_parent_name'])&.empty?
       end
     end
+
+    private
+
+    def clone_repo(clone_options = '')
+      system Shellwords.join [].tap { |cmd|
+        cmd << %w[git clone]
+        cmd << Shellwords.split(clone_options).map { |w| Shellwords.escape(w) }
+        cmd << ['--', Shellwords.escape(@repo), Shellwords.escape(@path)]
+      }.flatten
+      $?.success? || fail('error cloning repo')
+    end
   end
 end

data/lib/dccscr/whitelist/update_allowlist_with_dccscr.rb

@@ -0,0 +1,96 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../whitelist'
+
+# Service class to update a GitLab vulnerability-allowlist.yml with
+# whitelisted_vulnerabilities from the dccscr-whitelist for a set
+# of images.
+#
+class DCCSCR::Whitelist::UpdateAllowlistWithDCCSCR
+  attr_reader :images, :allow_filename, :local_filename
+
+  def initialize(images: [], allow_filename: nil, local_filename: nil)
+    @images = images
+    @allow_filename = allow_filename || 'vulnerability-allowlist.yml'
+    @local_filename = local_filename || 'local-vulnerability-allowlist.yml'
+  end
+
+  def whitelist
+    @_whitelist ||= DCCSCR::Whitelist.new
+  end
+
+  def run
+    ll = load_gitlab_allowlist
+
+    wl = load_dccscr_whitelist
+    dl = allow_list_dccscr(wl)
+
+    cl = combined_list(dl, ll)
+
+    update_allow_list_file(cl)
+  end
+
+  private
+
+  def load_dccscr_whitelist
+    whitelist.tap do |wl|
+      # load wl entries for args
+      # will load parents as well
+      images.each { |arg| wl[arg] }
+    end
+  end
+
+  def load_gitlab_allowlist
+    if File.exist?(local_filename)
+      warn 'Loading local file'
+      load(local_filename)
+    elsif File.exist?(allow_filename)
+      warn 'Loading and renaming local allow file'
+      File.rename(allow_filename, local_filename)
+      load(local_filename)
+    else
+      warn 'No local allow file'
+      {}
+    end
+  end
+
+  def load(yml)
+    YAML.safe_load(File.read(yml))
+  end
+
+  def allow_list_dccscr(wl)
+    warn 'Generating dccscr list in gitlab format'
+
+    {
+      'generalallowlist' => Hash[
+        wl.entries.map { |_, entry|
+          entry.value['whitelisted_vulnerabilities'].map { |v|
+            [v['vulnerability'], "dccscr-whitelists:\n#{v['justification']}"]
+          }.compact
+        }.flatten(1).sort
+      ]
+    }
+  end
+
+  def combined_list(dl, ll)
+    warn 'Merging dccscr and local lists'
+
+    dl.merge(ll) { |_, d, l|
+      case d
+      when Hash
+        d.merge(l)
+      else
+        l
+      end
+    }
+  end
+
+  def update_allow_list_file(cl)
+    warn 'Updating allow file'
+
+    File.open(allow_filename, 'w') do |f|
+      f << cl.to_yaml
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dccscr
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Frank J. Cameron
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-08-08 00:00:00.000000000 Z
+date: 2021-08-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: shellwords
@@ -48,6 +48,7 @@ files:
 - lib/dccscr.rb
 - lib/dccscr/version.rb
 - lib/dccscr/whitelist.rb
+- lib/dccscr/whitelist/update_allowlist_with_dccscr.rb
 homepage: https://gitlab.com/fjc/dccscr.rb
 licenses:
 - MIT