owasp-pipeline 0.8.6 → 0.8.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e0a8269dc146b2c043c1f82f86a181b69e1bf35e
-  data.tar.gz: e1f15cfe853e2d53b8e894033a9b665f4813ff26
+  metadata.gz: 98d9b83c7bf2a41446cb2cae6ec1af341d92a3d0
+  data.tar.gz: db61e28ed85f2d35b6d6ec1aa707d22ee080d6c9
 SHA512:
-  metadata.gz: c6ff7447583d96ca3b88da5d54f0c85663879017c3e6d4cc4119e5d1969bfd36e356ab5db1e5aaea5bda4df181a95f39f826acac174d72bd53226058b609c741
-  data.tar.gz: 7d811611176d44b8f9d7c3a7955c049430142907f1fb453771724c102617a6a2b49bb9589e6d40e5ba2b880abe08dca874f0039aaadb7ed169fd5e0032ea21a8
+  metadata.gz: 355dfc5f3fb2932485dc3a8a5565ce868a3db3e2cd1a361158b13e4378da0c8e47e2f2fd611fa712113361829987ec66c49f258103da3921a61677d181a93aea
+  data.tar.gz: 03185283ea2a3151c2b4311091663ac4f806bdca2f08192264155487100c8c39734db9b4e264d29da38724e4cfbd924d4ef736e29216228114cfc0dbb5aec597

data/lib/pipeline.rb

@@ -34,7 +34,19 @@ module Pipeline
       options[:report_progress] = false
     end
 
-    scan options
+    unless options[:logfile].nil?
+      if options[:logfile].is_a? File
+        $logfile = options[:logfile]
+      else
+        $logfile = File.open(options[:logfile], 'a')
+      end
+
+      begin
+        scan options
+      ensure
+        $logfile.close unless options[:logfile].is_a? File
+      end
+    end
   end
 
   #Sets up options for run, checks given application path
@@ -262,18 +274,22 @@ module Pipeline
 
   def self.error message
     $stderr.puts message
+    $logfile.puts "[#{Time.now}] #{message}" if $logfile
   end
 
   def self.warn message
     $stderr.puts message unless @quiet
+    $logfile.puts "[#{Time.now}] #{message}" if $logfile
   end
 
   def self.notify message
     $stderr.puts message #unless @debug
+    $logfile.puts "[#{Time.now}] #{message}" if $logfile
   end
 
   def self.debug message
     $stderr.puts message if @debug
+    $logfile.puts "[#{Time.now}] #{message}" if $logfile
   end
 
   def self.load_pipeline_dependency name

data/lib/pipeline/options.rb

@@ -140,6 +140,10 @@ module Pipeline::Options
           options[:summary_only] = true
         end
 
+        opts.on "-L LOGFILE", "--logfile LOGFILE", "Write full pipeline log to LOGFILE" do |file|
+          options[:logfile] = file
+        end
+
         opts.separator ""
         opts.separator "JIRA options:"
 

data/lib/pipeline/reporters.rb

@@ -25,14 +25,14 @@ class Pipeline::Reporters
   #Returns a new instance of tasks with the results.
   def self.run_report(tracker)
     @reporters.each do |c|
-      reporter = c.new()      
+      reporter = c.new()
       if tracker.options[:output_format].first == reporter.format
         begin
           output = reporter.run_report(tracker)
           if tracker.options[:output_file]
             file = File.open(tracker.options[:output_file], 'w'){ |f| f.write(output)}
           else
-            Pipeline.notify output
+            Pipeline.notify output unless tracker.options[:quiet]
           end
         rescue => e
           Pipeline.error e.message

data/lib/pipeline/tasks/bundle-audit.rb

@@ -36,7 +36,7 @@ class Pipeline::BundleAudit < Pipeline::BaseTask
   end
 
   def supported?
-    supported=runsystem(true, "bundle-audit", "update")
+    supported=runsystem(false, "bundle-audit", "update")
     if supported =~ /command not found/
       Pipeline.notify "Run: gem install bundler-audit"
       return false

data/lib/pipeline/tasks/findsecbugs.rb

@@ -24,9 +24,9 @@ class Pipeline::FindSecurityBugs < Pipeline::BaseTask
 
     unless File.exist?("#{@trigger.path}/.git/config")
       Dir.chdir(@trigger.path) do
-        system("git", "init")
-        system("git", "add", "*")
-        system("git", "commit", "-am", "fake commit for mvn compile")
+        runsystem(true, "git", "init")
+        runsystem(true, "git", "add", "*")
+        runsystem(true, "git", "commit", "-am", "fake commit for mvn compile")
       end
     end
 

data/lib/pipeline/tasks/npm.rb

@@ -28,8 +28,8 @@ class Pipeline::Npm < Pipeline::BaseTask
         else
           registry = nil
         end
-        @command = "npm install --ignore-scripts #{registry}"
-        @results << system(@command)
+        @command = "npm install -q --ignore-scripts #{registry}"
+        @results << runsystem(true, @command)
       end
     end
   end

data/lib/pipeline/tasks/nsp.rb

@@ -21,7 +21,8 @@ class Pipeline::NodeSecurityProject < Pipeline::BaseTask
     directories_with?('package.json', exclude_dirs).each do |dir|
       Pipeline.notify "#{@name} scanning: #{dir}"
       Dir.chdir(dir) do
-        @results << JSON.parse(`nsp check --output json 2>&1`)
+        res = runsystem(true, "nsp", "check", "--output", "json")
+        @results << JSON.parse(res)
       end
     end
   end

data/lib/pipeline/tasks/pmd.rb

@@ -19,7 +19,7 @@ class Pipeline::PMD < Pipeline::BaseTask
   def run
     @tracker.options[:pmd_checks] ||= "java-basic,java-sunsecure"
     Dir.chdir @tracker.options[:pmd_path] do
-      @results = Nokogiri::XML(`bin/run.sh pmd -d #{@trigger.path} -f xml -R #{@tracker.options[:pmd_checks]}`).xpath('//file')
+      @results = Nokogiri::XML(runsystem(true,'bin/run.sh', 'pmd', '-d', "#{@trigger.path}", '-f', 'xml', '-R', "#{@tracker.options[:pmd_checks]}")).xpath('//file')
     end
   end
 

data/lib/pipeline/tasks/retirejs.rb

@@ -24,19 +24,22 @@ class Pipeline::RetireJS < Pipeline::BaseTask
     exclude_dirs = exclude_dirs.concat(@tracker.options[:exclude_dirs]).uniq if @tracker.options[:exclude_dirs]
     directories_with?('package.json', exclude_dirs).each do |dir|
       Pipeline.notify "#{@name} scanning: #{dir}"
-      @results << `retire -c --outputformat json --path #{dir} 2>&1`
+      @results << runsystem(false, 'retire', '-c', '--outputformat', 'json', '--path', "#{dir}")
     end
   end
 
   def analyze
     begin
       @results.each do |result|
-        vulnerabilities = parse_retire_json(JSON.parse(result))
+        parsed_json = JSON.parse(result)
+        vulnerabilities = parse_retire_json(parsed_json) if parsed_json
 
         vulnerabilities.each do |vuln|
           report "Package #{vuln[:package]} has known security issues", vuln[:detail], vuln[:source], vuln[:severity], fingerprint("#{vuln[:package]}#{vuln[:source]}#{vuln[:severity]}")
         end
       end
+    rescue JSON::ParserError => e
+      Pipeline.debug e.message
     rescue Exception => e
       Pipeline.warn e.message
       Pipeline.warn e.backtrace
@@ -92,7 +95,7 @@ class Pipeline::RetireJS < Pipeline::BaseTask
   end
 
   def supported?
-    supported=runsystem(true, "retire", "--help")
+    supported=runsystem(false, "retire", "--help")
     if supported =~ /command not found/
       Pipeline.notify "Install RetireJS"
       return false

data/lib/pipeline/util.rb

@@ -1,25 +1,22 @@
 require 'open3'
 require 'pathname'
 require 'digest'
+require 'pry'
 
 module Pipeline::Util
 
-  def runsystem(report,*splat)
+  def runsystem(report, *splat)
     Open3.popen3(*splat) do |stdin, stdout, stderr, wait_thr|
-      #puts *splat
-      pid   = wait_thr.pid
-      res = stdout.read
-      error = stderr.read
-      exit  = wait_thr.value
 
-      if wait_thr.value != 0 && report
-        # Weird. wait_thr value is non-0 for bundler-audit
-        # but not brakeman. Comment to keep output cleaner...
-        # puts res
-        puts error
-        #puts *splat
+      Thread.new do
+        if $logfile and report
+          while line = stderr.gets do
+            $logfile.puts line
+          end
+        end
       end
-      return res
+
+      return stdout.read.chomp
     end
   end
 

data/lib/pipeline/version.rb

@@ -1,3 +1,3 @@
 module Pipeline
-  Version = "0.8.6"
+  Version = "0.8.7"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: owasp-pipeline
 version: !ruby/object:Gem::Version
-  version: 0.8.6
+  version: 0.8.7
 platform: ruby
 authors:
 - Matt Konda
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-20 00:00:00.000000000 Z
+date: 2016-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: terminal-table