RubyGems - govuk_security_audit - Versions diffs - 0.1.0 - Mend

govuk_security_audit 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +7 -0
data/.gitignore +10 -0
data/.ruby-version +1 -0
data/CHANGELOG.md +3 -0
data/Gemfile +4 -0
data/LICENCE.txt +19 -0
data/README.md +48 -0
data/Rakefile +6 -0
data/exe/govuk_security_audit +10 -0
data/govuk_security_audit.gemspec +27 -0
data/jenkins.sh +18 -0
data/jenkins_branches.sh +20 -0
data/lib/govuk_security_audit/cli.rb +114 -0
data/lib/govuk_security_audit/scanner.rb +18 -0
data/lib/govuk_security_audit/version.rb +3 -0
data/lib/govuk_security_audit.rb +4 -0
metadata +130 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 98b7fe0fb8b87cdd432d66f922aff024737d768c
+  data.tar.gz: 815404bf280233fc01720d72df97d5d5d3486200
+SHA512:
+  metadata.gz: 6354a9d85ff121085d903590dc10a8a51074eea27d96944aefddcbd37e2f0d380c29f02cb22ea73373d32f770054d9d38ed19d227b359dc6f47c10d436bfb6a6
+  data.tar.gz: 7edd64c7a2c49ac6ee19d52506cfef0c832caa4e0444b388aa2949ef93ab890448949e4cd87b89836556746aced66d6cf1b503079965756c4b7d2352ccb72da4

data/.gitignore ADDED Viewed

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.gem

data/.ruby-version ADDED Viewed

	@@ -0,0 +1 @@
1	+ 2.2

data/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,3 @@
+## 0.1.0
+- Initial gem release

data/Gemfile ADDED Viewed

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+# Specify your gem's dependencies in govuk_security_audit.gemspec
+gemspec

data/LICENCE.txt ADDED Viewed

@@ -0,0 +1,19 @@
+Copyright (C) 2014 Crown Copyright (Government Digital Service)
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md ADDED Viewed

@@ -0,0 +1,48 @@
+# GOV.UK Gem Security Checker
+This wraps the [`bundler-audit`](https://github.com/rubysec/bundler-audit/) gem to allow checking
+specific Bundler lockfiles.
+## Usage
+Install the gem:
+```
+gem install govuk_security_audit
+```
+Update the Ruby Advisory Database:
+```
+govuk_security_audit update
+```
+Check the current directory:
+```
+govuk_security_audit check
+```
+Check another directory:
+```
+govuk_security_audit check ~/govuk/whitehall
+```
+Check a specific Gemfile.lock:
+```
+govuk_security_audit check /tmp/whitehall-gemfile.lock
+```
+Check a repo on Github:
+```
+govuk_security_audit github alphagov whitehall
+```
+Check a specific branch on Github:
+```
+govuk_security_audit github alphagov whitehall upgrade-rails
+```

data/Rakefile ADDED Viewed

@@ -0,0 +1,6 @@
+require "gem_publisher"
+task :publish_gem do |t|
+  gem = GemPublisher.publish_if_updated("govuk_security_audit.gemspec", :rubygems)
+  puts "Published #{gem}" if gem
+end

data/exe/govuk_security_audit ADDED Viewed

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+lib_dir = File.expand_path(File.join(File.dirname(__FILE__),'..','lib'))
+$LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+require 'govuk_security_audit/cli'
+GovukSecurityAudit::CLI.start

data/govuk_security_audit.gemspec ADDED Viewed

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'govuk_security_audit/version'
+Gem::Specification.new do |spec|
+  spec.name          = "govuk_security_audit"
+  spec.version       = GovukSecurityAudit::VERSION
+  spec.authors       = ["Government Digital Service"]
+  spec.email         = ["govuk-dev@digital.cabinet-office.gov.uk"]
+  spec.licenses      = ["MIT"]
+  spec.summary       = %q{Check repos for gem vulnerabilities}
+  spec.description   = %q{Wraps bundler-audit gem to check specific repos for gem vulnerabilities}
+  spec.homepage      = "https://github.com/alphagov/govuk_security_audit"
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  spec.add_development_dependency "bundler", "~> 1.9"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "gem_publisher", "1.5.0"
+  spec.add_dependency "bundler-audit", "~> 0.4.0"
+  spec.add_dependency "thor", "~> 0.19"
+end

data/jenkins.sh ADDED Viewed

@@ -0,0 +1,18 @@
+#!/bin/bash -x
+set -e
+rm -f Gemfile.lock
+git clean -fdx
+bundle install --path "${HOME}/bundles/${JOB_NAME}"
+# Run against our own lockfile to test
+bundle exec govuk_security_audit update
+bundle exec govuk_security_audit check
+# Check against rails/rails master as this should always be ahead of security Updates
+# We can't check our own repo on Github as we don't commit the Gemfile.lock.
+bundle exec govuk_security_audit github rails rails master
+if [[ -n "$PUBLISH_GEM" ]]; then
+  bundle exec rake publish_gem
+fi

data/jenkins_branches.sh ADDED Viewed

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+VENV_PATH="${HOME}/venv/${JOB_NAME}"
+[ -x ${VENV_PATH}/bin/pip ] || virtualenv ${VENV_PATH}
+. ${VENV_PATH}/bin/activate
+pip install -q ghtools
+REPO="alphagov/govuk_security_audit"
+gh-status "$REPO" "$GIT_COMMIT" pending -d "\"Build #${BUILD_NUMBER} is running on Jenkins\"" -u "$BUILD_URL" >/dev/null
+if ./jenkins.sh; then
+  gh-status "$REPO" "$GIT_COMMIT" success -d "\"Build #${BUILD_NUMBER} succeeded on Jenkins\"" -u "$BUILD_URL" >/dev/null
+  exit 0
+else
+  gh-status "$REPO" "$GIT_COMMIT" failure -d "\"Build #${BUILD_NUMBER} failed on Jenkins\"" -u "$BUILD_URL" >/dev/null
+  exit 1
+fi

data/lib/govuk_security_audit/cli.rb ADDED Viewed

@@ -0,0 +1,114 @@
+require "net/https"
+require "uri"
+require "thor"
+require "bundler/audit/database"
+require "govuk_security_audit/scanner"
+module GovukSecurityAudit
+  class CLI < Thor
+    desc "github USER REPO [REF]", "check the Github repo USER/REPO at an optional REF. Defaults to master."
+    def github(user, repo, ref="master")
+      uri = URI.parse("https://raw.githubusercontent.com/#{user}/#{repo}/#{ref}/Gemfile.lock")
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      request = Net::HTTP::Get.new(uri.request_uri)
+      response = http.request(request)
+      if response.code != "200"
+        say "Failed to fetch from Github: #{response.code} - #{response.message}", :red
+        exit 1
+      end
+      file = Tempfile.new(["Gemfile", ".lock"])
+      file.write(response.body)
+      check(file.path)
+    end
+    desc "check [PATH]", "check the Gemfile at PATH, or the current directory."
+    def check(path=Dir.pwd)
+      scanner    = Scanner.new(path)
+      vulnerable = false
+      scanner.scan do |result|
+        vulnerable = true
+        case result
+        when Scanner::InsecureSource
+          say "Insecure Source URI found: #{result.source}", :yellow
+        when Scanner::UnpatchedGem
+          print_advisory result.gem, result.advisory
+        end
+      end
+      if vulnerable
+        say "Vulnerabilities found!", :red
+        exit 1
+      else
+        say "No vulnerabilities found", :green
+      end
+    end
+    desc 'update', 'Updates the ruby-advisory-db'
+    def update
+      say "Updating ruby-advisory-db ..."
+      Bundler::Audit::Database.update!
+      puts "ruby-advisory-db: #{Bundler::Audit::Database.new.size} advisories"
+    end
+    private
+    def print_advisory(gem, advisory)
+      say "Name: ", :red
+      say gem.name
+      say "Version: ", :red
+      say gem.version
+      say "Advisory: ", :red
+      if advisory.cve
+        say "CVE-#{advisory.cve}"
+      elsif advisory.osvdb
+        say advisory.osvdb
+      end
+      say "Criticality: ", :red
+      case advisory.criticality
+      when :low    then say "Low"
+      when :medium then say "Medium", :yellow
+      when :high   then say "High", [:red, :bold]
+      else              say "Unknown"
+      end
+      say "URL: ", :red
+      say advisory.url
+      if options.verbose?
+        say "Description:", :red
+        say
+        print_wrapped advisory.description, :indent => 2
+        say
+      else
+        say "Title: ", :red
+        say advisory.title
+      end
+      unless advisory.patched_versions.empty?
+        say "Solution: upgrade to ", :red
+        say advisory.patched_versions.join(', ')
+      else
+        say "Solution: ", :red
+        say "remove or disable this gem until a patch is available!", [:red, :bold]
+      end
+      say
+    end
+  end
+end

data/lib/govuk_security_audit/scanner.rb ADDED Viewed

@@ -0,0 +1,18 @@
+require "bundler/audit/database"
+require "bundler/audit/scanner"
+require "bundler/lockfile_parser"
+module GovukSecurityAudit
+  class Scanner < Bundler::Audit::Scanner
+    def initialize(path=Dir.pwd)
+      path = File.expand_path(path)
+      if File.directory?(path)
+        path = File.join(path, "Gemfile.lock")
+      end
+      @root = File.dirname(path)
+      @database = Bundler::Audit::Database.new
+      @lockfile = Bundler::LockfileParser.new(File.read(path))
+    end
+  end
+end

data/lib/govuk_security_audit/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module GovukSecurityAudit
+  VERSION = "0.1.0"
+end

data/lib/govuk_security_audit.rb ADDED Viewed

@@ -0,0 +1,4 @@
+require "govuk_security_audit/version"
+module GovukSecurityAudit
+end

metadata ADDED Viewed

@@ -0,0 +1,130 @@
+--- !ruby/object:Gem::Specification
+name: govuk_security_audit
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Government Digital Service
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2015-07-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: gem_publisher
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.0
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+description: Wraps bundler-audit gem to check specific repos for gem vulnerabilities
+email:
+- govuk-dev@digital.cabinet-office.gov.uk
+executables:
+- govuk_security_audit
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".ruby-version"
+- CHANGELOG.md
+- Gemfile
+- LICENCE.txt
+- README.md
+- Rakefile
+- exe/govuk_security_audit
+- govuk_security_audit.gemspec
+- jenkins.sh
+- jenkins_branches.sh
+- lib/govuk_security_audit.rb
+- lib/govuk_security_audit/cli.rb
+- lib/govuk_security_audit/scanner.rb
+- lib/govuk_security_audit/version.rb
+homepage: https://github.com/alphagov/govuk_security_audit
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.5
+signing_key:
+specification_version: 4
+summary: Check repos for gem vulnerabilities
+test_files: []