puppet-sec-lint 0.5.0 → 0.5.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 809fba20ed858642afb88163e0d10a7cbb16bdba42034cc7ee64c6759e972818
-  data.tar.gz: aa3f199ba26370c45544219bd7ac6da577bda1bc1de505f3402078335005c8e2
+  metadata.gz: de8d812ebe096356c84e2f0ba54fb8effa01ec07935d70124c2cd04766ead9bc
+  data.tar.gz: 4e65a3e555ea7bd6cae034f8825ec01a976f74512c2912215ff6faaa0b6bea93
 SHA512:
-  metadata.gz: 6927190fd45bac7c13952d2ce47a182655edc2d82cbd072dc662bf33e370dfc6f964e35b0f82a05ed194cf87eb4e76121453f5f7381afac7bb702679e198ead6
-  data.tar.gz: 3f69d79d76380a44c118e5dadeed7efdd32308453fe65815258a9539a1dc642f8daa24907fb131b2293fed5adc3617f0eb9a8f6776b0ee5dce4e8e76b5595fdf
+  metadata.gz: 72bbb6d1a9c43615a668fd6bb74ea822e72efefb37ebc5d6a9544c088e83d16b528b9b75e133dbbbdc84966d15e85299de36f690105631708c8a2dcca5cfa04e
+  data.tar.gz: c392222a6cbf95db27ada9b2068a1851810967afbd08df9c10948bea3adb375b828010abe1034f5f0c157ab4336de1679fed20e967f9c750c0be15e3474ede0b

data/Gemfile.lock

@@ -1,7 +1,14 @@
 PATH
   remote: .
   specs:
-    puppet-sec-lint (0.1.2)
+    puppet-sec-lint (0.5.2)
+      inifile (~> 3.0.0)
+      launchy (~> 2.5.0)
+      minitest (~> 5.0)
+      puppet-lint (~> 2.4, >= 2.4.2)
+      rack (~> 2.2.3)
+      rake (~> 13.0)
+      thin (~> 1.8.0)
 
 GEM
   remote: https://rubygems.org/

data/README.md

@@ -2,6 +2,8 @@
 
 Puppet linter focused on finding security vulnerabilities in code.
 
+![puppet-sec-lint console execution](docs/images/puppet-sec-lint_console.png)
+
 ## Installation
 
 Install the Ruby gem:
@@ -39,7 +41,7 @@ Then, install the [puppet-sec-lint VSCode extension](https://marketplace.visuals
 
 Now, after that the extension is activate, it should be activated automatically when a Puppet file is opened, analyzing and displaying warnings in real time.
 
-
+![puppet-sec-lint console execution](docs/images/puppet-sec-lint_vscode.png)
 
 ## Development
 

data/exe/puppet-sec-lint

@@ -9,7 +9,13 @@ require_relative '../lib/puppet-sec-lint/version'
 require_relative '../lib/visitors/configuration_visitor'
 require_relative '../lib/facades/configuration_file_facade'
 
-conf_page_url = "http://localhost:9292/configuration"
+#get free port
+loop do
+  $port = rand(3000..9999)
+  break if (Socket.tcp('localhost', port, connect_timeout: 5) { false } rescue true)
+end
+
+conf_page_url = "http://localhost:#{$port}/configuration"
 
 options = {}
 @success = true
@@ -36,6 +42,10 @@ OptionParser.new do |opts|
   opts.on("-c", "--configurations", "Open the linter rules configurations page on a browser") do |v|
     options[:configurations] = v
   end
+
+  opts.on("-p", "--port=PORT", "TCP Port open for socket communication with the language server (Default:5007)") do |port|
+    options[:port] = port
+  end
 end.parse!
 
 puts '___  _  _ ___  ___  ____ ___    ____ ____ ____ _  _ ____ _ ___ _   _    _    _ _  _ ___ ____ ____ '
@@ -66,11 +76,12 @@ end
 
 if ARGV[0].nil? || options[:configurations]
   linter_server = Thread.new {
-  require_relative '../lib/servers/linter_server'
+    require_relative '../lib/servers/linter_server'
+    LinterServer.start($port)
   }
   language_server = Thread.new {
     require_relative '../lib/servers/language_server'
-    LanguageServer.start
+    LanguageServer.start(options[:port])
     }
 
   if options[:configurations]
@@ -78,6 +89,7 @@ if ARGV[0].nil? || options[:configurations]
     Launchy.open(conf_page_url)
   else
     puts "\nLinter configurations page available at #{conf_page_url}\n\n"
+    puts "-----------------------------------------------------------------------"
   end
 
   linter_server.join

data/{lol2.pp → file.pp}

@@ -1,17 +1,10 @@
-#class path_attribute {
-#  file { 'ssh_config_file':
-#    path    => '/etc/ssh/sshd_config',
-#    content => 'Bad path attribute, bad.',
-#  }
-#}
-
-# the following code addresses the bujjjg: https://bukkkgs.launchpad.net/keystone/+bug/1472285 .
+# the following code addresses the bug: https://bugs.launchpad.net/keystone/+bug/1472285 .
 
 class consul_template::service (
     $pass                   = lols(3),
     $aijoijooiumihhn_password = 'pe-puppet'
     $admin       = 'ceisssesrelometer',
-    $aijoijooiumihhn_passuihiuhword = '(adiyu(guygmin',
+    $aijoijooiumihhn_password = '(adiyu(guygmin',
   ) {
   exec { 'network-restart':
     command        => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM release-runner key',
@@ -21,8 +14,9 @@ class consul_template::service (
     autho          => 'MDi09i09i5',
     cmd            => 'virsh secret-define --file ${secret_xml} && virsh secret-set-value --secret ${rbd_secret_uuid} --base64 $(ceph auth get-key client.${user})',
     $auth_uri      => 'http://127.0.0.1:5000',
-    'bind_address' => '0.0.0.0',
-    passwkkkkord       => 'joijoij',
+    address => '0.0.0.0',
+    user = 'admin',
+    password       => '',
   }
   case $::osfamily {
     'RedHat': {
@@ -36,7 +30,7 @@ class consul_template::service (
     exec { 'upload-img':
       command => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} add name=${img_name} is_public=${public} container_format=${container_format} disk_format=${disk_format} distro=${os_name} < /usr/share/cirros-testvm/cirros-x86_64-disk.img",
       unless => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index && (/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index | grep ${img_name})",
-      kehhhuhy => "E8CC67053ED3B199",
+      key => "E8CC67053ED3B199",
       key_content => '-----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 

data/lib/puppet-sec-lint/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module PuppetSecLint
-  VERSION = "0.5.0"
+  VERSION = "0.5.5"
   YEAR = "2021"
   AUTHOR = "Tiago Ribeiro"
 end

data/lib/servers/language_server.rb

@@ -10,8 +10,9 @@ class LanguageServer
   ConfigurationVisitor.GenerateIDs
   ConfigurationFileFacade.LoadConfigurations
 
-  def self.start
-    server = TCPServer.open(5007)
+  def self.start(port)
+    port ||= 5007
+    server = TCPServer.open(port)
 
     loop {
       Thread.fork(server.accept) do |client|

data/lib/servers/linter_server.rb

@@ -45,6 +45,8 @@ class LinterServer
     return [200, { 'Content-Type' => 'text/plain' }, ["Changes saved successfully"]]
   end
 
-end
+  def self.start(port)
+    Rack::Handler::Thin.run(LinterServer.new, :Port => port)
+  end
 
-Rack::Handler::Thin.run(LinterServer.new, :Port => 9292)
+end

data/lib/settings.ini

@@ -0,0 +1,39 @@
+[HardCodedCredentialsRule]
+HardCodedCredentialsRule-enable_configuration = true
+HardCodedCredentialsRule-list_of_known_words_not_considered_in_credentials = pe-puppet,pe-webserver,pe-puppetdb,pe-postgres,pe-console-services,pe-orchestration-services,pe-ace-server,pe-bolt-server
+HardCodedCredentialsRule-list_of_invalid_values_in_credentials = undefined,unset,www-data,wwwrun,www,no,yes,[],root
+HardCodedCredentialsRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd|key|secret)
+HardCodedCredentialsRule-regular_expression_of_words_not_present_in_credentials = (?-mix:gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid)
+
+[NoHTTPRule]
+NoHTTPRule-enable_configuration = true
+NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo
+NoHTTPRule-list_of_keywords_for_urls = backport,key,download,uri,mirror
+NoHTTPRule-regular_expression_of_a_normal_http_address = (?-mix:^http:\/\/.+)
+
+[AdminByDefaultRule]
+AdminByDefaultRule-enable_configuration = true
+AdminByDefaultRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd)
+
+[EmptyPasswordRule]
+EmptyPasswordRule-enable_configuration = true
+EmptyPasswordRule-list_of_trigger_words = pwd,password,pass
+EmptyPasswordRule-regular_expression_of_password_name = (?-mix:pass(word|_|$)|pwd)
+
+[InvalidIPAddrBindingRule]
+InvalidIPAddrBindingRule-enable_configuration = true
+InvalidIPAddrBindingRule-regular_expression_of_an_invalid_ip_address = (?-mix:^((http(s)?:\/\/)?0.0.0.0(:\d{1,5})?)$)
+
+[UseWeakCryptoAlgorithmsRule]
+UseWeakCryptoAlgorithmsRule-enable_configuration = true
+UseWeakCryptoAlgorithmsRule-regular_expression_of_weak_crypto_algorithms = (?-mix:^(sha1|md5))
+
+[SuspiciousCommentRule]
+SuspiciousCommentRule-enable_configuration = true
+SuspiciousCommentRule-list_of_trigger_words = hack,fixme,later,later2,todo,ticket,launchpad,bug,to-do
+SuspiciousCommentRule-regular_expression_of_keywords_present_in_suspicious_comments = (?-mix:hack|fixme|ticket|bug|secur|debug|defect|weak)
+
+[CyrillicHomographAttack]
+CyrillicHomographAttack-enable_configuration = true
+CyrillicHomographAttack-regular_expression_of_links_with_cyrillic_characters = (?-mix:^(http(s)?:\/\/)?.*\p{Cyrillic}+)
+

data/puppet-sec-lint.gemspec

@@ -30,7 +30,13 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   # Uncomment to register a new dependency of your gem
-  # spec.add_dependency "example-gem", "~> 1.0"
+  spec.add_runtime_dependency 'puppet-lint'
+  spec.add_runtime_dependency 'rake'
+  spec.add_runtime_dependency 'minitest'
+  spec.add_runtime_dependency 'rack'
+  spec.add_runtime_dependency 'thin'
+  spec.add_runtime_dependency 'inifile'
+  spec.add_runtime_dependency 'launchy'
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html

metadata

@@ -1,15 +1,113 @@
 --- !ruby/object:Gem::Specification
 name: puppet-sec-lint
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.5.5
 platform: ruby
 authors:
 - Tiago Ribeiro
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-05-06 00:00:00.000000000 Z
-dependencies: []
+date: 2021-05-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: puppet-lint
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: thin
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: inifile
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: launchy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: This is a more complete security linter for the puppet language
 email:
 - tiago7b27@gmail.com
@@ -48,8 +146,11 @@ files:
 - docs/_site/index.html
 - docs/_site/jekyll/update/2021/05/03/welcome-to-jekyll.html
 - docs/hard-coded-credentials.md
+- docs/images/puppet-sec-lint_console.png
+- docs/images/puppet-sec-lint_vscode.png
 - docs/index.md
 - exe/puppet-sec-lint
+- file.pp
 - lib/configurations/boolean_configuration.rb
 - lib/configurations/configuration.rb
 - lib/configurations/list_configuration.rb
@@ -70,6 +171,7 @@ files:
 - lib/rules/use_weak_crypto_algorithms_rule.rb
 - lib/servers/language_server.rb
 - lib/servers/linter_server.rb
+- lib/settings.ini
 - lib/sin/sin.rb
 - lib/sin/sin_type.rb
 - lib/test.txt
@@ -77,7 +179,8 @@ files:
 - lib/test3.rb
 - lib/test_new.rb
 - lib/visitors/configuration_visitor.rb
-- lol2.pp
+- puppet-sec-lint-0.5.3.gem
+- puppet-sec-lint-0.5.4.gem
 - puppet-sec-lint.gemspec
 homepage: https://github.com/TiagoR98/puppet-sec-lint
 licenses: