puppet-sec-lint 0.5.8 → 0.5.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 844e10fd83efbd1c88d6347db5efefa488118e636da85ccb16354e0176d95465
-  data.tar.gz: 0eca06adb099f34d833d581bffc019cfd8ad61153c2cffd53b3f6d70709f706e
+  metadata.gz: e4f5d30d4bf9e32338bf3c81fa619d6cb6560870343d01a62905282ac5724d6e
+  data.tar.gz: d6d63ef87f2df9654f2edac1a1b75f3525b2bc514e46608f2990923b830a5134
 SHA512:
-  metadata.gz: 2150f2863771a997167858fb75561b848671788047d09bf8ef0dccde18f77d8756851ddfd68a2b94fb2dc096ce089465b7377a6270a1aed9d2786d1fd8b525d6
-  data.tar.gz: c33d424d3f105db9d88be69ce103263dbbaf1da1ecc4648d4b5bd06bfede2d9ee18de4d491d71104e9db93d1cd73177f2feb7bcf1e911bc98dafaeea23629ac7
+  metadata.gz: 90e1f2fddbc2d97ad919d54e98870650f4d56b944676ff8f115a29b84395ae9413770d4985f45510fd77a5de46b5a4377b404974eb8265aca8a18087a9392d83
+  data.tar.gz: 88312bf0a323156a1eb265700079cacf07c19e92c190d6b497acf28e2b08a92b7cb56ec7e656649ffff5865dfb7b08f546b0dc90f72fcba13fbf8e6fe2e8cd43

data/.idea/modules.xml

@@ -2,6 +2,7 @@
 <project version="4">
   <component name="ProjectModuleManager">
     <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/modules/docs.iml" filepath="$PROJECT_DIR$/.idea/modules/docs.iml" />
       <module fileurl="file://$PROJECT_DIR$/.idea/puppet-sec-lint.iml" filepath="$PROJECT_DIR$/.idea/puppet-sec-lint.iml" />
     </modules>
   </component>

data/.idea/puppet-sec-lint.iml

@@ -15,6 +15,7 @@
     <orderEntry type="library" scope="PROVIDED" name="bundler (v2.2.3, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="inifile (v3.0.0, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="launchy (v2.5.0, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="logger (v1.4.3, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="minitest (v5.14.4, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="public_suffix (v4.0.6, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
     <orderEntry type="library" scope="PROVIDED" name="puppet-lint (v2.4.2, RVM: ruby-3.0.0 [global]) [gem]" level="application" />
@@ -24,30 +25,7 @@
   </component>
   <component name="RakeTasksCache">
     <option name="myRootTask">
-      <RakeTaskImpl id="rake">
-        <subtasks>
-          <RakeTaskImpl description="Build puppet-sec-lint-0.5.7.gem into the pkg directory" fullCommand="build" id="build" />
-          <RakeTaskImpl description="Remove any temporary products" fullCommand="clean" id="clean" />
-          <RakeTaskImpl description="Remove any generated files" fullCommand="clobber" id="clobber" />
-          <RakeTaskImpl description="Build and install puppet-sec-lint-0.5.7.gem into system gems" fullCommand="install" id="install" />
-          <RakeTaskImpl id="install">
-            <subtasks>
-              <RakeTaskImpl description="Build and install puppet-sec-lint-0.5.7.gem into system gems without network access" fullCommand="install:local" id="local" />
-            </subtasks>
-          </RakeTaskImpl>
-          <RakeTaskImpl description="Create tag v0.5.7 and build and push puppet-sec-lint-0.5.7.gem to https://rubygems.org" fullCommand="release[remote]" id="release[remote]" />
-          <RakeTaskImpl description="Run tests" fullCommand="test" id="test" />
-          <RakeTaskImpl description="" fullCommand="default" id="default" />
-          <RakeTaskImpl description="" fullCommand="release" id="release" />
-          <RakeTaskImpl id="release">
-            <subtasks>
-              <RakeTaskImpl description="" fullCommand="release:guard_clean" id="guard_clean" />
-              <RakeTaskImpl description="" fullCommand="release:rubygem_push" id="rubygem_push" />
-              <RakeTaskImpl description="" fullCommand="release:source_control_push" id="source_control_push" />
-            </subtasks>
-          </RakeTaskImpl>
-        </subtasks>
-      </RakeTaskImpl>
+      <RakeTaskImpl id="rake" />
     </option>
   </component>
 </module>

data/Gemfile

@@ -17,4 +17,6 @@ gem 'webrick'
 
 gem 'inifile'
 
-gem 'launchy'
+gem 'launchy'
+
+gem 'logger'

data/Gemfile.lock

@@ -1,13 +1,15 @@
 PATH
   remote: .
   specs:
-    puppet-sec-lint (0.5.7)
+    puppet-sec-lint (0.5.14)
       inifile (~> 3.0.0)
       launchy (~> 2.5.0)
+      logger (~> 1.4.3)
       minitest (~> 5.0)
       puppet-lint (~> 2.4, >= 2.4.2)
       rack (~> 2.2.3)
       rake (~> 13.0)
+      webrick (~> 1.7.0)
 
 GEM
   remote: https://rubygems.org/
@@ -17,6 +19,7 @@ GEM
     inifile (3.0.0)
     launchy (2.5.0)
       addressable (~> 2.7)
+    logger (1.4.3)
     minitest (5.14.4)
     public_suffix (4.0.6)
     puppet-lint (2.4.2)
@@ -30,6 +33,7 @@ PLATFORMS
 DEPENDENCIES
   inifile
   launchy
+  logger
   minitest (~> 5.0)
   puppet-lint
   puppet-sec-lint!

data/README.md

@@ -25,14 +25,6 @@ If the linter is called with a folder, all puppet files inside are recursively a
 puppet-sec-lint /folder
 ```
 
-To open the configurations page to better tune the different rules applied, use the appropriate flag:
-
-```bash
-puppet-sec-lint -c
-```
-(this will open the configurations page on the computer default web browser)
-
-
 ### Integration with Visual Studio Code
 
 The linter can also work inside Visual Studio code. For it, please ensure that the 'puppet-sec-lint' gem was installed on your system.
@@ -43,12 +35,36 @@ Now, after that the extension is activate, it should be activated automatically
 
 ![puppet-sec-lint console execution](docs/images/puppet-sec-lint_vscode.png)
 
+###Customization of Linter Rules
+
+All rules applied by the linter to detect vulnerabilities can be configured to better adapt the tool to any project conventions and requirements.
+
+To open the configurations page, use the appropriate flag:
+
+```bash
+puppet-sec-lint -c
+```
+(this will open the configurations page on the computer default web browser)
+
+![puppet-sec-lint configurations page](docs/images/puppet-sec-lint_configurations.png)
+
 ## Development
 
+### Development of new rules
+
+The linter was built on top of a modular architecture, which means that new customizable rules can be added fairly easy facing the discovery of new scenarios and vulnerabilities.
+
+<!--
+(add instructions on how to clone, build and run tool)
+
+(add instructions on where and how to add new rule and configurations)
+-->
+
 <!--After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).-->
 
+
 ## Contributing
 
 <!-- Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/puppet-sec-lint. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/[USERNAME]/puppet-sec-lint/blob/master/CODE_OF_CONDUCT.md). -->

data/docs/http-without-tls.md

@@ -0,0 +1,42 @@
+---
+title: Use HTTP without TLS
+permalink: /http-without-tls/
+layout: default
+---
+
+# Use HTTP without TLS
+
+## What is it?
+
+Connecting to a server using the regular HTTP protocol instead of the secure HTTPS, which uses TLS, doesn't allow for an encrypted connection. This means that all the data is sent in plaintext and easily viewed and modified by anyone, including malicious attackers.
+
+### Example
+Providing a server to run the PHPMyAdmin application:
+```puppet
+define phpmyadmin::server (
+  $blowfish_key      = md5("${::fqdn}${::ipaddress}"),
+  $absolute_uri      = "http://${::fqdn}/phpmyadmin/",
+  $config_file       = $::phpmyadmin::params::config_file
+)
+```
+This newly created service will be available to clients through a non secure HTTP address.
+
+A more secure way of hosting the server would be by using an HTTPS url:
+```puppet
+define phpmyadmin::server (
+  $blowfish_key      = md5("${::fqdn}${::ipaddress}"),
+  $absolute_uri      = "https://${::fqdn}/phpmyadmin/",
+  $config_file       = $::phpmyadmin::params::config_file
+)
+```
+
+
+## How can it be exploited?
+
+When a connection is made to a website using a non-secure HTTP address, all communications are sent unencrypted. An attacker can capture the traffic sent and received by a victim, for example, in the same Wifi network. After analyzing his traffic, the attacker can extract sensitive information exchanged by the victim with the websites visited, like passwords and tokens. 
+
+The attacker can then use this information to attack his victim, by logging in and impersonating him in several different websites that don't use the TLS protocol.
+
+## How to avoid it?
+
+All connections to internet addresses or made available to the public by a service configured with a Puppet manifest must use some kind of secure protocol, to ensure the confidentiality, authenticity and integrity of all data exchanged. Making an HTTPS connection is the easiest way to do this and it's also the recommended way of addressing this security vulnerability. In some cases, if the transferred information is verified afterwards by an hashing algorithm, like packages transferred from a repository, then this solution can be considered optional.

data/docs/invalid-ip-addr-binding.md

@@ -6,7 +6,7 @@ layout: default
 
 # Invalid IP Address binding
 
-## What it it?
+## What is it?
 
 Binding an IP address to a server or service means authorizing connections incoming from those networks. This allows to limit what kind of incoming connections a server may or may not accept. Binding the 0.0.0.0 IP address to a service means that any connection from any network is accepted.
 

data/exe/puppet-sec-lint

@@ -5,6 +5,7 @@ require 'json'
 require 'launchy'
 require 'optparse'
 require 'optparse/uri'
+require 'logger'
 require_relative '../lib/puppet-sec-lint/version'
 require_relative '../lib/visitors/configuration_visitor'
 require_relative '../lib/facades/configuration_file_facade'
@@ -12,6 +13,9 @@ require_relative '../lib/facades/configuration_file_facade'
 ConfigurationVisitor.GenerateIDs
 ConfigurationFileFacade.LoadConfigurations
 
+$logger = Logger.new(STDOUT)
+$logger.level = Logger::ERROR
+
 #get free port
 loop do
   $port = rand(3000..9999)
@@ -49,6 +53,11 @@ OptionParser.new do |opts|
   opts.on("-p", "--port=PORT", "TCP Port open for socket communication with the language server (Default:5007)") do |port|
     options[:port] = port
   end
+
+  opts.on("-v", "--verbose", "Verbose mode (shows all communications and other debug info)") do |v|
+    options[:verbose] = v
+    $logger.level = Logger::DEBUG
+  end
 end.parse!
 
 puts '___  _  _ ___  ___  ____ ___    ____ ____ ____ _  _ ____ _ ___ _   _    _    _ _  _ ___ ____ ____ '

data/lib/lol2.pp

@@ -0,0 +1,11 @@
+# addresses bug: https://bugs.launchpad.net/keystone/+bug/1472285
+class example (
+  $power_username= 'admin',
+  $power_password= ‘’,
+  $pwd = ‘EHDJSKD’
+){
+  $bind_host = ‘0.0.0.0’
+  $quantum_auth_url = ‘http://127.0.0.1:35357/v2.0’
+“  $”tr = "hey"
+  $message = sha1($str)
+}

data/lib/manifest.pp

@@ -0,0 +1,83 @@
+#class path_attribute {
+#  file { 'ssh_config_file':
+#    path    => '/etc/ssh/sshd_config',
+#    content => 'Bad path attribute, bad.',
+#  }
+#}
+
+# the following code addresses the bug: https://bugs.launchpad.net/keystone/+bug/1472285 .
+
+class consul_template::service (
+    $rpc_password                   = '{6ad470ec62b0511b63340dca2950d750181598efnHKvN1ge',
+    $admin_username = 'admin',
+    $password       = 'ceilometer',
+    $admin_password = 'admin',
+  ) {
+  exec { 'network-restart':
+    command        => 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDM release-runner key',
+    path           => '/usr/bin:/usr/sbin:/bin:/sbin',
+    refreshonly    => true,
+    vmware_md5     => 'LOL',
+    autho          => 'MD5',
+    cmd            => 'virsh secret-define --file ${secret_xml} && virsh secret-set-value --secret ${rbd_secret_uuid} --base64 $(ceph auth get-key client.${user})',
+    $auth_uri      => 'http://127.0.0.1:5000',
+    'bind_address' => '0.0.0.0',
+    password       => '',
+  }
+  case $::osfamily {
+    'RedHat': {
+    exec { 'upload-img':
+      command => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} add name=${img_name} is_public=${public} container_format=${container_format} disk_format=${disk_format} distro=${os_name} < /opt/vm/cirros-x86_64-disk.img",
+      unless => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index && (/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index | grep ${img_name})",
+
+      }
+    }
+    'Debian': {
+    exec { 'upload-img':
+      command => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} add name=${img_name} is_public=${public} container_format=${container_format} disk_format=${disk_format} distro=${os_name} < /usr/share/cirros-testvm/cirros-x86_64-disk.img",
+      unless => "/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index && (/usr/bin/glance -N ${os_auth_url} -T ${os_tenant_name} -I ${os_username} -K ${os_password} index | grep ${img_name})",
+      key => "E8CC67053ED3B199",
+      key_content => '-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+mQENBE/oXVkBCACcjAcV7lRGskECEHovgZ6a2robpBroQBW+tJds7B+qn/DslOAN
+1hm0UuGQsi8pNzHDE29FMO3yOhmkenDd1V/T6tHNXqhHvf55nL6anlzwMmq3syIS
+uqVjeMMXbZ4d+Rh0K/rI4TyRbUiI2DDLP+6wYeh1pTPwrleHm5FXBMDbU/OZ5vKZ
+67j99GaARYxHp8W/be8KRSoV9wU1WXr4+GA6K7ENe2A8PT+jH79Sr4kF4uKC3VxD
+BF5Z0yaLqr+1V2pHU3AfmybOCmoPYviOqpwj3FQ2PhtObLs+hq7zCviDTX2IxHBb
+Q3mGsD8wS9uyZcHN77maAzZlL5G794DEr1NLABEBAAG0NU9wZW5TdGFja0BDaXNj
+byBBUFQgcmVwbyA8b3BlbnN0YWNrLWJ1aWxkZEBjaXNjby5jb20+iQE4BBMBAgAi
+BQJP6F1ZAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDozGcFPtOxmXcK
+B/9WvQrBwxmIMV2M+VMBhQqtipvJeDX2Uv34Ytpsg2jldl0TS8XheGlUNZ5djxDy
+u3X0hKwRLeOppV09GVO3wGizNCV1EJjqQbCMkq6VSJjD1B/6Tg+3M/XmNaKHK3Op
+zSi+35OQ6xXc38DUOrigaCZUU40nGQeYUMRYzI+d3pPlNd0+nLndrE4rNNFB91dM
+BTeoyQMWd6tpTwz5MAi+I11tCIQAPCSG1qR52R3bog/0PlJzilxjkdShl1Cj0RmX
+7bHIMD66uC1FKCpbRaiPR8XmTPLv29ZTk1ABBzoynZyFDfliRwQi6TS20TuEj+ZH
+xq/T6MM6+rpdBVz62ek6/KBcuQENBE/oXVkBCACgzyyGvvHLx7g/Rpys1WdevYMH
+THBS24RMaDHqg7H7xe0fFzmiblWjV8V4Yy+heLLV5nTYBQLS43MFvFbnFvB3ygDI
+IdVjLVDXcPfcp+Np2PE8cJuDEE4seGU26UoJ2pPK/IHbnmGWYwXJBbik9YepD61c
+NJ5XMzMYI5z9/YNupeJoy8/8uxdxI/B66PL9QN8wKBk5js2OX8TtEjmEZSrZrIuM
+rVVXRU/1m732lhIyVVws4StRkpG+D15Dp98yDGjbCRREzZPeKHpvO/Uhn23hVyHe
+PIc+bu1mXMQ+N/3UjXtfUg27hmmgBDAjxUeSb1moFpeqLys2AAY+yXiHDv57ABEB
+AAGJAR8EGAECAAkFAk/oXVkCGwwACgkQ6MxnBT7TsZng+AgAnFogD90f3ByTVlNp
+Sb+HHd/cPqZ83RB9XUxRRnkIQmOozUjw8nq8I8eTT4t0Sa8G9q1fl14tXIJ9szzz
+BUIYyda/RYZszL9rHhucSfFIkpnp7ddfE9NDlnZUvavnnyRsWpIZa6hJq8hQEp92
+IQBF6R7wOws0A0oUmME25Rzam9qVbywOh9ZQvzYPpFaEmmjpCRDxJLB1DYu8lnC4
+h1jP1GXFUIQDbcznrR2MQDy5fNt678HcIqMwVp2CJz/2jrZlbSKfMckdpbiWNns/
+xKyLYs5m34d4a0it6wsMem3YCefSYBjyLGSd/kCI/CgOdGN1ZY1HSdLmmjiDkQPQ
+UcXHbA==
+=v6jg
+-----END PGP PUBLIC KEY BLOCK-----',
+
+      }
+    }
+  }
+  file { '/var/lib/gerrit/.ssh/id_rsa' :
+    owner   => 'gerrit',
+    group   => 'gerrit',
+    mode    => '0600',
+    content => $ssh_replication_rsa_key_contents,
+    replace => true,
+    require => File['/var/lib/gerrit/.ssh']
+  }
+}

data/lib/puppet-sec-lint/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module PuppetSecLint
-  VERSION = "0.5.8"
+  VERSION = "0.5.14"
   YEAR = "2021"
-  AUTHOR = "Tiago Ribeiro"
+  AUTHOR = "TQRG"
 end

data/lib/rule_engine.rb

@@ -21,8 +21,9 @@ class RuleEngine
     begin
       lexer = PuppetLint::Lexer.new
       tokens = lexer.tokenise(code)
-    rescue
-      puts "Error in getting tokens from Puppet-Lint"
+    rescue => error
+      $logger.error("Error in getting tokens from Puppet-Lint")
+      $logger.error(error.backtrace)
       tokens = []
     end
 
@@ -34,8 +35,12 @@ class RuleEngine
     tokens = self.getTokens(code)
 
     @rules.each do |rule|
-      if rule.configurations[0].value
-        (result << rule.AnalyzeTokens(tokens)).flatten!
+      begin
+        if rule.configurations[0].value
+          (result << rule.AnalyzeTokens(tokens)).flatten!
+        end
+      rescue
+        $logger.error("Error in running rule #{rule.name}")
       end
     end
 

data/lib/rules/no_http_rule.rb

@@ -8,21 +8,22 @@ class NoHTTPRule < Rule
   @resources = %w[apt::source ::apt::source wget::fetch yumrepo yum:: aptly::mirror util::system_package yum::managed_yumrepo]
   @keywords = %w[backport key download uri mirror]
   @http = /^http:\/\/.+/
-  @whitelist = [] # Todo:Need to check how is this set up
+  @whitelist = ""
 
   @resources_conf = ListConfiguration.new("List of resources that can use HTTP", @resources, "List of resources that are known to not use HTTPS but that validate the transferred content with other secure methods.")
   @keywords_conf = ListConfiguration.new("List of keywords for URLs", @keywords, "List of keywords that identify hyperlinks that should be analyzed.")
+  @whitelist_conf = RegexConfiguration.new("HTTP Address whitelist", @whitelist, "List of addresses that are allowed to have non-secure http connections to them.")
   @http_conf = RegexConfiguration.new("Regular expression of a normal HTTP address", @http, "Regular expression that identifies the URL of a website using the regular non-secure HTTP protocol.")
 
-  @configurations+=[@resources_conf, @keywords_conf, @http_conf]
+  @configurations+=[@resources_conf, @keywords_conf, @http_conf, @whitelist_conf]
 
   def self.AnalyzeTokens(tokens)
     result = []
 
     ptokens = self.filter_resources(tokens, @resources_conf.value)
-    ctokens = self.filter_variables(ptokens, @keywords_conf.value)
-    if @whitelist
-      wtokens = self.filter_whitelist(ctokens)
+    ctokens = self.filter_variables(ptokens, @keywords_conf.value) #TODO: It's working upside down
+    if @whitelist_conf.value
+      wtokens = self.filter_whitelist(ctokens, @whitelist_conf.value)
     else
       wtokens = ptokens
     end

data/lib/rules/rule.rb

@@ -67,10 +67,9 @@ class Rule
     return ftokens
   end
 
-  def self.filter_whitelist(tokens)
+  def self.filter_whitelist(tokens, whitelist)
     ftokens=tokens.find_all do |hash|
-      #!(@whitelist =~ hash.value.downcase)
-      true # TODO: Understand the whitelist
+      !(whitelist =~ hash.value.downcase)
     end
     return ftokens
   end

data/lib/servers/language_server.rb

@@ -18,7 +18,7 @@ class LanguageServer
           length=Integer(line.scan(/\d/).join(''))
           line=client.read(length+2)
           request = JSON.parse(line)
-          puts line
+          $logger.debug(line)
 
           method_name = request['method'].sub('/', '_')
           response = if self.respond_to? "client_"+method_name then self.send("client_"+method_name,request['id'],request['params']) end
@@ -27,7 +27,7 @@ class LanguageServer
             client.flush
             client.print("Content-Length: "+response.length.to_s+"\r\n\r\n")
             client.print(response)
-            puts response
+            $logger.debug(response)
           end
         end
         client.close

data/lib/servers/linter_server.rb

@@ -1,4 +1,5 @@
 require "rack"
+require 'webrick'
 require 'json'
 require 'uri'
 require_relative '../rule_engine'
@@ -43,7 +44,8 @@ class LinterServer
   end
 
   def self.start(port)
-    Rack::Handler::WEBrick.run(LinterServer.new, :Port => port)
+    log = WEBrick::Log.new $stdout,1
+    Rack::Handler::WEBrick.run(LinterServer.new, :Port => port,Logger: log )
   end
 
 end

data/lib/settings.ini

@@ -1,15 +1,16 @@
 [HardCodedCredentialsRule]
-HardCodedCredentialsRule-enable_configuration = false
+HardCodedCredentialsRule-enable_configuration = true
 HardCodedCredentialsRule-list_of_known_words_not_considered_in_credentials = pe-puppet,pe-webserver,pe-puppetdb,pe-postgres,pe-console-services,pe-orchestration-services,pe-ace-server,pe-bolt-server
 HardCodedCredentialsRule-list_of_invalid_values_in_credentials = undefined,unset,www-data,wwwrun,www,no,yes,[],root
 HardCodedCredentialsRule-regular_expression_of_words_present_in_credentials = (?-mix:user|usr|pass(word|_|$)|pwd|key|secret)
 HardCodedCredentialsRule-regular_expression_of_words_not_present_in_credentials = (?-mix:gpg|path|type|buff|zone|mode|tag|header|scheme|length|guid)
 
 [NoHTTPRule]
-NoHTTPRule-enable_configuration = false
+NoHTTPRule-enable_configuration = true
 NoHTTPRule-list_of_resources_that_can_use_http = apt::source,::apt::source,wget::fetch,yumrepo,yum::,aptly::mirror,util::system_package,yum::managed_yumrepo
 NoHTTPRule-list_of_keywords_for_urls = backport,key,download,uri,mirror
 NoHTTPRule-regular_expression_of_a_normal_http_address = (?-mix:^http:\/\/.+)
+NoHTTPRule-http_address_whitelist = (?-mix:^(127.0.0.1))
 
 [AdminByDefaultRule]
 AdminByDefaultRule-enable_configuration = true

data/puppet-sec-lint.gemspec

@@ -8,8 +8,8 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Tiago Ribeiro"]
   spec.email         = ["tiago7b27@gmail.com"]
 
-  spec.summary       = "This is a security linter for the puppet language"
-  spec.description   = "This is a more complete security linter for the puppet language"
+  spec.summary       = "Security vulnerabilities linter for Puppet Manifests"
+  spec.description   = "Linter built to detect potential security vulnerabilities in Puppet manifests code. It also offers integration with Visual Studio Code https://marketplace.visualstudio.com/items?itemName=tiago1998.puppet-sec-lint-vscode"
   spec.homepage      = "https://github.com/TiagoR98/puppet-sec-lint"
   spec.license       = "MIT"
   spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
@@ -34,8 +34,10 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'rake', '~> 13.0'
   spec.add_runtime_dependency 'minitest', '~> 5.0'
   spec.add_runtime_dependency 'rack', '~> 2.2.3'
+  spec.add_runtime_dependency 'webrick', '~> 1.7.0'
   spec.add_runtime_dependency 'inifile', '~> 3.0.0'
   spec.add_runtime_dependency 'launchy', '~> 2.5.0'
+  spec.add_runtime_dependency 'logger', '~> 1.4.3'
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet-sec-lint
 version: !ruby/object:Gem::Version
-  version: 0.5.8
+  version: 0.5.14
 platform: ruby
 authors:
 - Tiago Ribeiro
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-05-14 00:00:00.000000000 Z
+date: 2021-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: puppet-lint
@@ -72,6 +72,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.2.3
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.7.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.7.0
 - !ruby/object:Gem::Dependency
   name: inifile
   requirement: !ruby/object:Gem::Requirement
@@ -100,7 +114,22 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.5.0
-description: This is a more complete security linter for the puppet language
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.4.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.4.3
+description: Linter built to detect potential security vulnerabilities in Puppet manifests
+  code. It also offers integration with Visual Studio Code https://marketplace.visualstudio.com/items?itemName=tiago1998.puppet-sec-lint-vscode
 email:
 - tiago7b27@gmail.com
 executables:
@@ -143,6 +172,8 @@ files:
 - docs/cyrillic-homograph-attack.md
 - docs/empty-password.md
 - docs/hard-coded-credentials.md
+- docs/http-without-tls.md
+- docs/images/puppet-sec-lint_configurations.png
 - docs/images/puppet-sec-lint_console.png
 - docs/images/puppet-sec-lint_vscode.png
 - docs/index.md
@@ -156,6 +187,8 @@ files:
 - lib/facades/configuration_file_facade.rb
 - lib/facades/configuration_page_facade.rb
 - lib/lol.pp
+- lib/lol2.pp
+- lib/manifest.pp
 - lib/puppet-sec-lint/version.rb
 - lib/rule_engine.rb
 - lib/rules/admin_by_default_rule.rb
@@ -200,5 +233,5 @@ requirements: []
 rubygems_version: 3.2.3
 signing_key: 
 specification_version: 4
-summary: This is a security linter for the puppet language
+summary: Security vulnerabilities linter for Puppet Manifests
 test_files: []