gitrob 1.0.1 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/README.md +35 -2
- data/lib/gitrob/blob_observer.rb +38 -10
- data/lib/gitrob/cli/commands/analyze.rb +9 -0
- data/lib/gitrob/version.rb +1 -1
- data/signatures.json +14 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5ad1363305b13ddc14f0f3925d2f0186a49afb14
|
|
4
|
+
data.tar.gz: ad49ab2e0e2383f7f37672f04ddd83aa27fdc2d0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1c36118753c8cb59074a0ce9ff823b53864fc2c7931941484783bf3f6e512dc4d24e869c9e6ef1726f21aae3819e2f6fd98dcd1ab7f9c0b38062f760ca1f036f
|
|
7
|
+
data.tar.gz: 5c9a28a3d1ae91a23b820827fb0a385a69c4ba77f35fb885591229938e69bc460c7c0787b3afc819611cdb079bc1d03c437f9e6c703c05c55ac06c1da0d2c4fc
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,15 @@ This project adheres to [Semantic Versioning](http://semver.org/).
|
|
|
4
4
|
|
|
5
5
|
## [Unreleased]
|
|
6
6
|
|
|
7
|
+
## [1.1.0]
|
|
8
|
+
### Added
|
|
9
|
+
- Ability to define custom signatures in `~/.gitrobsignatures`
|
|
10
|
+
|
|
11
|
+
### New signatures
|
|
12
|
+
- Terraform variable configuration files (`filename == "terraform.tfvars"`)
|
|
13
|
+
Thanks to [Alfonso Cabrera](https://github.com/alfonso-cabrera)
|
|
14
|
+
- Environment configuration files (`filename =~ /\A\.?env\z/`)
|
|
15
|
+
|
|
7
16
|
## [1.0.1]
|
|
8
17
|
### Fixed
|
|
9
18
|
- The `--verify-ssl` command option did not properly set SSL configuration
|
data/README.md
CHANGED
|
@@ -70,7 +70,7 @@ See `gitrob help analyze` for more options.
|
|
|
70
70
|
|
|
71
71
|
Gitrob can analyze organizations and users on custom GitHub Enterprise installations instead of the official GitHub site. The `analyze` command takes several options to control this:
|
|
72
72
|
|
|
73
|
-
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api --access-tokens=token1,token2
|
|
73
|
+
gitrob analyze johndoe --site=https://github.acme.com --endpoint=https://github.acme.com/api/v3 --access-tokens=token1,token2
|
|
74
74
|
|
|
75
75
|
See `gitrob help analyze` for more options.
|
|
76
76
|
|
|
@@ -86,7 +86,40 @@ By default, the server will listen on [localhost:9393](http://localhost:9393). T
|
|
|
86
86
|
|
|
87
87
|
See `gitrob help server` for more options.
|
|
88
88
|
|
|
89
|
-
###
|
|
89
|
+
### Adding custom signatures
|
|
90
|
+
|
|
91
|
+
If you want to look for files that are specific to your organisation or projects, it is easy to add custom signatures.
|
|
92
|
+
|
|
93
|
+
When Gitrob starts it looks for a file at `~/.gitrobsignatures` which it expects to be a JSON document with signatures that follow the same structure as the main [signatures.json](signatures.json) file. Here is an example:
|
|
94
|
+
|
|
95
|
+
[
|
|
96
|
+
{
|
|
97
|
+
"part": "filename",
|
|
98
|
+
"type": "match",
|
|
99
|
+
"pattern": "otr.private_key",
|
|
100
|
+
"caption": "Pidgin OTR private key",
|
|
101
|
+
"description": null
|
|
102
|
+
}
|
|
103
|
+
]
|
|
104
|
+
|
|
105
|
+
This signature instructs Gitrob to flag files where the filename exactly matches `otr.private_key`. The caption and description are used in the web interface when displaying the findings.
|
|
106
|
+
|
|
107
|
+
#### Signature keys
|
|
108
|
+
|
|
109
|
+
* `part`: Can be one of:
|
|
110
|
+
* `path`: The complete file path
|
|
111
|
+
* `filename`: Only the filename
|
|
112
|
+
* `extension`: Only the file extension
|
|
113
|
+
* `type`: Can be one of:
|
|
114
|
+
* `match`: Simple match of part and pattern
|
|
115
|
+
* `regex`: Regular expression matching of part and pattern
|
|
116
|
+
* `pattern`: The value or regular expression to match with
|
|
117
|
+
* `caption`: A short description of the finding
|
|
118
|
+
* `description`: More detailed description if needed (set to `null` if not).
|
|
119
|
+
|
|
120
|
+
Have a look at the main [signatures.json](signatures.json) file for more examples of signatures.
|
|
121
|
+
|
|
122
|
+
**If you think other people can benefit from your custom signatures, please consider contributing them back to the Gitrob project by opening a Pull Request or an Issue. Thanks!**
|
|
90
123
|
|
|
91
124
|
## Development
|
|
92
125
|
|
data/lib/gitrob/blob_observer.rb
CHANGED
|
@@ -2,6 +2,8 @@ module Gitrob
|
|
|
2
2
|
class BlobObserver
|
|
3
3
|
SIGNATURES_FILE_PATH = File.expand_path(
|
|
4
4
|
"../../../signatures.json", __FILE__)
|
|
5
|
+
CUSTOM_SIGNATURES_FILE_PATH = File.join(
|
|
6
|
+
Dir.home, ".gitrobsignatures")
|
|
5
7
|
|
|
6
8
|
REQUIRED_SIGNATURE_KEYS = %w(part type pattern caption description)
|
|
7
9
|
ALLOWED_TYPES = %w(regex match)
|
|
@@ -30,23 +32,49 @@ module Gitrob
|
|
|
30
32
|
|
|
31
33
|
def self.load_signatures!
|
|
32
34
|
@signatures = []
|
|
33
|
-
JSON.load(File.read(SIGNATURES_FILE_PATH))
|
|
35
|
+
signatures = JSON.load(File.read(SIGNATURES_FILE_PATH))
|
|
36
|
+
validate_signatures!(signatures)
|
|
37
|
+
signatures.each_with_index do |signature|
|
|
34
38
|
@signatures << Signature.new(signature)
|
|
35
39
|
end
|
|
36
|
-
validate_signatures!
|
|
37
40
|
rescue CorruptSignaturesError => e
|
|
38
41
|
raise e
|
|
39
42
|
rescue
|
|
40
43
|
raise CorruptSignaturesError, "Could not parse signature file"
|
|
41
44
|
end
|
|
42
45
|
|
|
43
|
-
def self.
|
|
46
|
+
def self.unload_signatures
|
|
47
|
+
@signatures = []
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def self.custom_signatures?
|
|
51
|
+
File.exist?(CUSTOM_SIGNATURES_FILE_PATH)
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def self.load_custom_signatures!
|
|
55
|
+
signatures = JSON.load(File.read(CUSTOM_SIGNATURES_FILE_PATH))
|
|
56
|
+
validate_signatures!(signatures)
|
|
57
|
+
signatures.each do |signature|
|
|
58
|
+
@signatures << Signature.new(signature)
|
|
59
|
+
end
|
|
60
|
+
rescue CorruptSignaturesError => e
|
|
61
|
+
raise e
|
|
62
|
+
rescue
|
|
63
|
+
raise CorruptSignaturesError, "Could not parse signature file"
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def self.validate_signatures!(signatures)
|
|
44
67
|
if !signatures.is_a?(Array) || signatures.empty?
|
|
45
68
|
fail CorruptSignaturesError,
|
|
46
69
|
"Signature file contains no signatures"
|
|
47
70
|
end
|
|
48
|
-
signatures.
|
|
49
|
-
|
|
71
|
+
signatures.each_with_index do |signature, index|
|
|
72
|
+
begin
|
|
73
|
+
validate_signature!(signature)
|
|
74
|
+
rescue CorruptSignaturesError => e
|
|
75
|
+
raise CorruptSignaturesError,
|
|
76
|
+
"Validation failed for Signature ##{index + 1}: #{e.message}"
|
|
77
|
+
end
|
|
50
78
|
end
|
|
51
79
|
end
|
|
52
80
|
|
|
@@ -58,7 +86,7 @@ module Gitrob
|
|
|
58
86
|
|
|
59
87
|
def self.validate_signature_keys!(signature)
|
|
60
88
|
REQUIRED_SIGNATURE_KEYS.each do |key|
|
|
61
|
-
unless signature.
|
|
89
|
+
unless signature.key?(key)
|
|
62
90
|
fail CorruptSignaturesError,
|
|
63
91
|
"Missing required signature key: #{key}"
|
|
64
92
|
end
|
|
@@ -66,16 +94,16 @@ module Gitrob
|
|
|
66
94
|
end
|
|
67
95
|
|
|
68
96
|
def self.validate_signature_type!(signature)
|
|
69
|
-
unless ALLOWED_TYPES.include?(signature
|
|
97
|
+
unless ALLOWED_TYPES.include?(signature["type"])
|
|
70
98
|
fail CorruptSignaturesError,
|
|
71
|
-
"Invalid signature type: #{signature
|
|
99
|
+
"Invalid signature type: #{signature['type']}"
|
|
72
100
|
end
|
|
73
101
|
end
|
|
74
102
|
|
|
75
103
|
def self.validate_signature_part!(signature)
|
|
76
|
-
unless ALLOWED_PARTS.include?(signature
|
|
104
|
+
unless ALLOWED_PARTS.include?(signature["part"])
|
|
77
105
|
fail CorruptSignaturesError,
|
|
78
|
-
"Invalid signature part: #{signature
|
|
106
|
+
"Invalid signature part: #{signature['part']}"
|
|
79
107
|
end
|
|
80
108
|
end
|
|
81
109
|
|
|
@@ -40,6 +40,15 @@ module Gitrob
|
|
|
40
40
|
task("Loading signatures...", true) do
|
|
41
41
|
Gitrob::BlobObserver.load_signatures!
|
|
42
42
|
end
|
|
43
|
+
|
|
44
|
+
if Gitrob::BlobObserver.custom_signatures?
|
|
45
|
+
task("Loading custom signatures...", true) do
|
|
46
|
+
Gitrob::BlobObserver.load_custom_signatures!
|
|
47
|
+
end
|
|
48
|
+
info("Please consider contributing your custom signatures to the " \
|
|
49
|
+
"Gitrob project.")
|
|
50
|
+
end
|
|
51
|
+
info("Loaded #{Gitrob::BlobObserver.signatures.count} signatures")
|
|
43
52
|
end
|
|
44
53
|
|
|
45
54
|
def start_web_server
|
data/lib/gitrob/version.rb
CHANGED
data/signatures.json
CHANGED
|
@@ -537,5 +537,19 @@
|
|
|
537
537
|
"pattern": "\\A\\.?npmrc\\z",
|
|
538
538
|
"caption": "NPM configuration file",
|
|
539
539
|
"description": "Might contain credentials for NPM registries"
|
|
540
|
+
},
|
|
541
|
+
{
|
|
542
|
+
"part": "filename",
|
|
543
|
+
"type": "match",
|
|
544
|
+
"pattern": "terraform.tfvars",
|
|
545
|
+
"caption": "Terraform variable config file",
|
|
546
|
+
"description": "Might contain credentials for terraform providers"
|
|
547
|
+
},
|
|
548
|
+
{
|
|
549
|
+
"part": "filename",
|
|
550
|
+
"type": "regex",
|
|
551
|
+
"pattern": "\\A\\.?env\\z",
|
|
552
|
+
"caption": "Environment configuration file",
|
|
553
|
+
"description": null
|
|
540
554
|
}
|
|
541
555
|
]
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: gitrob
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Michael Henriksen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-04-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: thor
|