govuk_security_audit 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 98b7fe0fb8b87cdd432d66f922aff024737d768c
+  data.tar.gz: 815404bf280233fc01720d72df97d5d5d3486200
+SHA512:
+  metadata.gz: 6354a9d85ff121085d903590dc10a8a51074eea27d96944aefddcbd37e2f0d380c29f02cb22ea73373d32f770054d9d38ed19d227b359dc6f47c10d436bfb6a6
+  data.tar.gz: 7edd64c7a2c49ac6ee19d52506cfef0c832caa4e0444b388aa2949ef93ab890448949e4cd87b89836556746aced66d6cf1b503079965756c4b7d2352ccb72da4

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.gem

data/.ruby-version

@@ -0,0 +1 @@
+2.2

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 0.1.0
+
+- Initial gem release

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in govuk_security_audit.gemspec
+gemspec

data/LICENCE.txt

@@ -0,0 +1,19 @@
+Copyright (C) 2014 Crown Copyright (Government Digital Service)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,48 @@
+# GOV.UK Gem Security Checker
+
+This wraps the [`bundler-audit`](https://github.com/rubysec/bundler-audit/) gem to allow checking
+specific Bundler lockfiles.
+
+## Usage
+
+Install the gem:
+
+```
+gem install govuk_security_audit
+```
+
+Update the Ruby Advisory Database:
+
+```
+govuk_security_audit update
+```
+
+Check the current directory:
+
+```
+govuk_security_audit check
+```
+
+Check another directory:
+
+```
+govuk_security_audit check ~/govuk/whitehall
+```
+
+Check a specific Gemfile.lock:
+
+```
+govuk_security_audit check /tmp/whitehall-gemfile.lock
+```
+
+Check a repo on Github:
+
+```
+govuk_security_audit github alphagov whitehall
+```
+
+Check a specific branch on Github:
+
+```
+govuk_security_audit github alphagov whitehall upgrade-rails
+```

data/Rakefile

@@ -0,0 +1,6 @@
+require "gem_publisher"
+
+task :publish_gem do |t|
+  gem = GemPublisher.publish_if_updated("govuk_security_audit.gemspec", :rubygems)
+  puts "Published #{gem}" if gem
+end

data/exe/govuk_security_audit

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+
+lib_dir = File.expand_path(File.join(File.dirname(__FILE__),'..','lib'))
+$LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+require 'govuk_security_audit/cli'
+
+GovukSecurityAudit::CLI.start

data/govuk_security_audit.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'govuk_security_audit/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "govuk_security_audit"
+  spec.version       = GovukSecurityAudit::VERSION
+  spec.authors       = ["Government Digital Service"]
+  spec.email         = ["govuk-dev@digital.cabinet-office.gov.uk"]
+  spec.licenses      = ["MIT"]
+
+  spec.summary       = %q{Check repos for gem vulnerabilities}
+  spec.description   = %q{Wraps bundler-audit gem to check specific repos for gem vulnerabilities}
+  spec.homepage      = "https://github.com/alphagov/govuk_security_audit"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.9"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "gem_publisher", "1.5.0"
+  spec.add_dependency "bundler-audit", "~> 0.4.0"
+  spec.add_dependency "thor", "~> 0.19"
+end

data/jenkins.sh

@@ -0,0 +1,18 @@
+#!/bin/bash -x
+set -e
+
+rm -f Gemfile.lock
+git clean -fdx
+bundle install --path "${HOME}/bundles/${JOB_NAME}"
+
+# Run against our own lockfile to test
+bundle exec govuk_security_audit update
+bundle exec govuk_security_audit check
+
+# Check against rails/rails master as this should always be ahead of security Updates
+# We can't check our own repo on Github as we don't commit the Gemfile.lock.
+bundle exec govuk_security_audit github rails rails master
+
+if [[ -n "$PUBLISH_GEM" ]]; then
+  bundle exec rake publish_gem
+fi

data/jenkins_branches.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+VENV_PATH="${HOME}/venv/${JOB_NAME}"
+
+[ -x ${VENV_PATH}/bin/pip ] || virtualenv ${VENV_PATH}
+. ${VENV_PATH}/bin/activate
+
+pip install -q ghtools
+
+REPO="alphagov/govuk_security_audit"
+gh-status "$REPO" "$GIT_COMMIT" pending -d "\"Build #${BUILD_NUMBER} is running on Jenkins\"" -u "$BUILD_URL" >/dev/null
+
+if ./jenkins.sh; then
+  gh-status "$REPO" "$GIT_COMMIT" success -d "\"Build #${BUILD_NUMBER} succeeded on Jenkins\"" -u "$BUILD_URL" >/dev/null
+  exit 0
+else
+  gh-status "$REPO" "$GIT_COMMIT" failure -d "\"Build #${BUILD_NUMBER} failed on Jenkins\"" -u "$BUILD_URL" >/dev/null
+  exit 1
+fi

data/lib/govuk_security_audit/cli.rb

@@ -0,0 +1,114 @@
+require "net/https"
+require "uri"
+require "thor"
+require "bundler/audit/database"
+
+require "govuk_security_audit/scanner"
+
+module GovukSecurityAudit
+  class CLI < Thor
+    desc "github USER REPO [REF]", "check the Github repo USER/REPO at an optional REF. Defaults to master."
+    def github(user, repo, ref="master")
+      uri = URI.parse("https://raw.githubusercontent.com/#{user}/#{repo}/#{ref}/Gemfile.lock")
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+      request = Net::HTTP::Get.new(uri.request_uri)
+
+      response = http.request(request)
+      if response.code != "200"
+        say "Failed to fetch from Github: #{response.code} - #{response.message}", :red
+        exit 1
+      end
+
+      file = Tempfile.new(["Gemfile", ".lock"])
+      file.write(response.body)
+      check(file.path)
+    end
+
+    desc "check [PATH]", "check the Gemfile at PATH, or the current directory."
+    def check(path=Dir.pwd)
+      scanner    = Scanner.new(path)
+      vulnerable = false
+
+      scanner.scan do |result|
+        vulnerable = true
+
+        case result
+        when Scanner::InsecureSource
+          say "Insecure Source URI found: #{result.source}", :yellow
+        when Scanner::UnpatchedGem
+          print_advisory result.gem, result.advisory
+        end
+      end
+
+      if vulnerable
+        say "Vulnerabilities found!", :red
+        exit 1
+      else
+        say "No vulnerabilities found", :green
+      end
+    end
+
+    desc 'update', 'Updates the ruby-advisory-db'
+    def update
+      say "Updating ruby-advisory-db ..."
+
+      Bundler::Audit::Database.update!
+      puts "ruby-advisory-db: #{Bundler::Audit::Database.new.size} advisories"
+    end
+
+    private
+
+    def print_advisory(gem, advisory)
+      say "Name: ", :red
+      say gem.name
+
+      say "Version: ", :red
+      say gem.version
+
+      say "Advisory: ", :red
+
+      if advisory.cve
+        say "CVE-#{advisory.cve}"
+      elsif advisory.osvdb
+        say advisory.osvdb
+      end
+
+      say "Criticality: ", :red
+      case advisory.criticality
+      when :low    then say "Low"
+      when :medium then say "Medium", :yellow
+      when :high   then say "High", [:red, :bold]
+      else              say "Unknown"
+      end
+
+      say "URL: ", :red
+      say advisory.url
+
+      if options.verbose?
+        say "Description:", :red
+        say
+
+        print_wrapped advisory.description, :indent => 2
+        say
+      else
+
+        say "Title: ", :red
+        say advisory.title
+      end
+
+      unless advisory.patched_versions.empty?
+        say "Solution: upgrade to ", :red
+        say advisory.patched_versions.join(', ')
+      else
+        say "Solution: ", :red
+        say "remove or disable this gem until a patch is available!", [:red, :bold]
+      end
+
+      say
+    end
+
+  end
+end

data/lib/govuk_security_audit/scanner.rb

@@ -0,0 +1,18 @@
+require "bundler/audit/database"
+require "bundler/audit/scanner"
+require "bundler/lockfile_parser"
+
+module GovukSecurityAudit
+  class Scanner < Bundler::Audit::Scanner
+    def initialize(path=Dir.pwd)
+      path = File.expand_path(path)
+      if File.directory?(path)
+        path = File.join(path, "Gemfile.lock")
+      end
+
+      @root = File.dirname(path)
+      @database = Bundler::Audit::Database.new
+      @lockfile = Bundler::LockfileParser.new(File.read(path))
+    end
+  end
+end

data/lib/govuk_security_audit/version.rb

@@ -0,0 +1,3 @@
+module GovukSecurityAudit
+  VERSION = "0.1.0"
+end

data/lib/govuk_security_audit.rb

@@ -0,0 +1,4 @@
+require "govuk_security_audit/version"
+
+module GovukSecurityAudit
+end

metadata

@@ -0,0 +1,130 @@
+--- !ruby/object:Gem::Specification
+name: govuk_security_audit
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Government Digital Service
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-07-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: gem_publisher
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+description: Wraps bundler-audit gem to check specific repos for gem vulnerabilities
+email:
+- govuk-dev@digital.cabinet-office.gov.uk
+executables:
+- govuk_security_audit
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".ruby-version"
+- CHANGELOG.md
+- Gemfile
+- LICENCE.txt
+- README.md
+- Rakefile
+- exe/govuk_security_audit
+- govuk_security_audit.gemspec
+- jenkins.sh
+- jenkins_branches.sh
+- lib/govuk_security_audit.rb
+- lib/govuk_security_audit/cli.rb
+- lib/govuk_security_audit/scanner.rb
+- lib/govuk_security_audit/version.rb
+homepage: https://github.com/alphagov/govuk_security_audit
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Check repos for gem vulnerabilities
+test_files: []