puppet-sec-lint 0.5.17 → 1.0.0
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/README.md +40 -8
- data/docs/images/puppet-sec-lint_configuration_bool.png +0 -0
- data/docs/images/puppet-sec-lint_configuration_list.png +0 -0
- data/docs/images/puppet-sec-lint_configuration_regex.png +0 -0
- data/docs/images/puppet-sec-lint_rule.png +0 -0
- data/lib/puppet-sec-lint/version.rb +1 -1
- data/puppet-sec-lint.gemspec +1 -1
- metadata +6 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0ed39e8fd69a0dd1d3091aaee274f88cc192e973ef2b2cd21076a86aa21f6712
|
4
|
+
data.tar.gz: 9483297393e0eaebe4551b037d87260552c0e26b2b76d77dd9db14485c0a197c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c759dca11c5156be203bafff3ccb26dfcc02a10936a5157b061dabdb42de8689ddc69e79865a999e792c704712cbd95757f383ee1afac33e75b326ad1dbeb9dd
|
7
|
+
data.tar.gz: 49d80107d0ab6d01c73fa24b6482cd7a483f7bf0ec049e860b12b67a27aa69293df98b00bf24cd36def138d3bce3884c4d2b87421b2162f7bec90251d957bf11
|
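Review bot: the pre-change digests are blank on the `-` side of this hunk, so the rendered diff only shows that new SHA256/SHA512 values were written for metadata.gz and data.tar.gz, not what they replaced; anyone auditing the 0.5.17 → 1.0.0 bump should recompute both digests from the downloaded 1.0.0 .gem rather than rely on this view. Keep in mind that checksums.yaml is produced by `gem build` and travels inside the same archive as the two tarballs it describes, so matching values only rule out corruption of the package; they are not a signature and say nothing about who produced the release.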
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
@@ -50,20 +50,52 @@ puppet-sec-lint -c
|
|
50
50
|
|
51
51
|
## Development
|
52
52
|
|
53
|
-
### Development of new rules
|
54
|
-
|
55
53
|
The linter was built on top of a modular architecture, which means that new customizable rules can be added fairly easy facing the discovery of new scenarios and vulnerabilities.
|
56
54
|
|
57
|
-
|
58
|
-
|
55
|
+
### Cloning and running
|
56
|
+
|
57
|
+
To add new functionality to the tool, start by cloning the repository into a folder.
|
58
|
+
To run the software locally, run the executable **exe/puppet-sec-lint** from a command line.
|
59
|
+
|
60
|
+
### Adding new rules
|
61
|
+
|
62
|
+
To add a new rule, the easiest way is to duplicate the file of an existing rule inside the **lib/rules** folder. Taking the *Admin By Default* rule as an example, here is everything that can be changed and customized.
|
63
|
+
|
64
|
+
![puppet-sec-lint rule](docs/images/puppet-sec-lint_rule.png)
|
65
|
+
|
66
|
+
#### Naming
|
67
|
+
|
68
|
+
The class should have an unique and meaningful name, both at the class name itself and the property @Name (that's what's displayed in the Configurations page). It should also be derived from the **Rule** class.
|
69
|
+
|
70
|
+
#### Token analysis
|
71
|
+
|
72
|
+
Each rule works by running the **AnalyzeTokens** method, receiving a list of tokens (that represent the entire code of the file being analyzed) and after analyzing everything, it should return a list of results (each result is a vulnerability found represented by the **Sin** class). Adding new types of vulnerabilities can be done by adding new elements to the **SinType** class.
|
73
|
+
|
74
|
+
#### Configurations
|
75
|
+
|
76
|
+
To add configurable elements to the class, simply create new instances of the child classes of the **Configuration** class, as exemplified in the above rule. The constructor takes as arguments the title and description (to be shown in the configurations page) and the initial default value (before the user modifies the application settings).
|
77
|
+
|
78
|
+
All configurations should then be added to the @configurations array.
|
79
|
+
|
80
|
+
The current types of configurations available (children of the **Configuration** class) are:
|
81
|
+
|
82
|
+
* Boolean
|
83
|
+
|
84
|
+
![puppet-sec-lint configuration_bool](docs/images/puppet-sec-lint_configuration_bool.png)
|
85
|
+
* List of elements
|
86
|
+
|
87
|
+
![puppet-sec-lint configuration_list](docs/images/puppet-sec-lint_configuration_list.png)
|
88
|
+
* Regular Expression
|
89
|
+
|
90
|
+
![puppet-sec-lint configuration_regex](docs/images/puppet-sec-lint_configuration_regex.png)
|
59
91
|
|
60
|
-
|
61
|
-
-->
|
92
|
+
#### Add rule to rule engine
|
62
93
|
|
63
|
-
|
94
|
+
The final step is to ensure that the Rule Engine can detect and run the rule everytime an analysis is performed. As such, in the **lib/rule_engine.rb** file, import the newly created rule and add it to the @rules array.
|
64
95
|
|
65
|
-
|
96
|
+
---
|
66
97
|
|
98
|
+
After following these steps, the rule should then be automatically run everytime an analysis is performed. Also, the configurations now show up automatically in the configurations page, giving the user the possibility to customize its values.
|
67
99
|
|
68
100
|
## Contributing
|
69
101
|
|
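Review bot: the new "Adding new rules" walkthrough points readers at a screenshot (`![puppet-sec-lint rule](docs/images/puppet-sec-lint_rule.png)`) for the rule skeleton, which cannot be copied or searched; please inline the Ruby skeleton instead, showing the class deriving from **Rule**, the `@Name` property, an `AnalyzeTokens` method that returns **Sin** instances, and the `@configurations` array, so the three Configuration subclasses (Boolean, List of elements, Regular Expression) can be shown as code rather than as three more PNGs. The registration step ("import the newly created rule and add it to the @rules array" in **lib/rule_engine.rb**) is manual, and a rule that is written but never added there silently never runs; either document how to confirm a rule is active (for example by listing the registered rules on the Configurations page) or have the engine discover rule files itself. Minor wording in the added lines: "fairly easy" should be "fairly easily", "an unique" should be "a unique", "everytime" (twice) should be "every time", and "customize its values" should be "customize their values". The stray `-->` on the removed side with no matching `<!--` in the hunk indicates the old Development text was partly an HTML comment, so dropping it is fine.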
Binary file
|
Binary file
|
Binary file
|
Binary file
|
data/puppet-sec-lint.gemspec
CHANGED
@@ -12,7 +12,7 @@ Gem::Specification.new do |spec|
|
|
12
12
|
spec.description = "Linter built to detect potential security vulnerabilities in Puppet manifests code. It also offers integration with Visual Studio Code https://marketplace.visualstudio.com/items?itemName=tiago1998.puppet-sec-lint-vscode"
|
13
13
|
spec.homepage = "https://github.com/TiagoR98/puppet-sec-lint"
|
14
14
|
spec.license = "MIT"
|
15
|
-
spec.required_ruby_version = Gem::Requirement.new(">= 2.
|
15
|
+
spec.required_ruby_version = Gem::Requirement.new(">= 2.7.0")
|
16
16
|
|
17
17
|
spec.metadata["allowed_push_host"] = "https://rubygems.org"
|
18
18
|
|
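Review bot: raising `spec.required_ruby_version` to `">= 2.7.0"` drops every Ruby below the (truncated) old floor shown as `">= 2.`, which is a breaking change for consumers on those versions; a 1.0.0 bump is the right place for it, but the change-set lists only README.md, Gemfile.lock, version.rb, the gemspec and images, with no CHANGELOG entry, so the new minimum should be stated in the release notes. Ruby 2.7 is itself no longer maintained upstream (end of life March 2023), so for a 1.0 release it is worth either choosing a floor that still receives security fixes or documenting that 2.7 support is best-effort.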
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: puppet-sec-lint
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 1.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tiago Ribeiro
|
@@ -173,8 +173,12 @@ files:
|
|
173
173
|
- docs/empty-password.md
|
174
174
|
- docs/hard-coded-credentials.md
|
175
175
|
- docs/http-without-tls.md
|
176
|
+
- docs/images/puppet-sec-lint_configuration_bool.png
|
177
|
+
- docs/images/puppet-sec-lint_configuration_list.png
|
178
|
+
- docs/images/puppet-sec-lint_configuration_regex.png
|
176
179
|
- docs/images/puppet-sec-lint_configurations.png
|
177
180
|
- docs/images/puppet-sec-lint_console.png
|
181
|
+
- docs/images/puppet-sec-lint_rule.png
|
178
182
|
- docs/images/puppet-sec-lint_vscode.png
|
179
183
|
- docs/index.md
|
180
184
|
- docs/invalid-ip-addr-binding.md
|
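Review bot: the four new PNG screenshots under docs/images/ are added to `files:`, so they will be packed into data.tar.gz and installed with every copy of the gem even though they only serve the README on GitHub; consider excluding docs/images from `spec.files`. The already-listed `_configurations.png`, `_console.png` and `_vscode.png` ship the same way, so this is a pre-existing packaging choice rather than a regression, but the 1.0.0 bump is a reasonable point to fix it.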
@@ -224,7 +228,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
224
228
|
requirements:
|
225
229
|
- - ">="
|
226
230
|
- !ruby/object:Gem::Version
|
227
|
-
version: 2.
|
231
|
+
version: 2.7.0
|
228
232
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
229
233
|
requirements:
|
230
234
|
- - ">="
|