redmine_audit 0.1.1 → 0.2.0

data/init.rb

@@ -1,8 +1,9 @@
 Redmine::Plugin.register :redmine_audit do
   name 'Redmine Audit plugin'
   author 'Sho Hashimoto'
-  description 'Redmine plugin for checking vulnerabilities'
+  description 'Redmine plugin for checking Redmine\'s own vulnerabilities'
   version RedmineAudit::VERSION
+  requires_redmine version_or_higher: '3.3.0'
   url 'https://github.com/sho-h/redmine_audit/'
   author_url 'https://github.com/sho-h/'
 end

data/lib/redmine_audit/advisory.rb

@@ -1,13 +1,23 @@
 module RedmineAudit
-  # Redmine advisory
+  # Redmine/Redmine plugin advisory
   #
   # ex)  Advisory.new('High', 'http://someurl.example.com',
-  #                   [Gem::Requirement], [Gem::Requirement])
-  class Advisory < Struct.new(:severity,
-                              :details,
-                              :external_references,
-                              :unaffected_versions,
-                              :fixed_versions)
+  #                   [Gem::Requirement], [Gem::Requirement], 'CVE-XXXX-XXXX', nil, 7.5)
+  Advisory = Struct.new(:severity,
+                        :details,
+                        :external_references,
+                        :unaffected_versions,
+                        :fixed_versions,
+                        :id, :cvss_v2, :cvss_v3) do
+    def initialize(severity, details, external_references,
+                   unaffected_versions, fixed_versions, id, cvss_v2, cvss_v3)
+      super
+      self.severity = cvss_to_severity if self.severity.nil?
+      [:external_references, :unaffected_versions, :fixed_versions].each do |attr|
+        self[attr] = [] if self[attr].nil?
+      end
+    end
+
     # Checks whether the version is not affected by the advisory.
     #
     # @param [Gem::Version] version
@@ -44,5 +54,37 @@ module RedmineAudit
     def vulnerable?(version)
       !fixed?(version) && !unaffected?(version)
     end
+
+    private
+
+    def cvss_to_severity
+      if cvss_v2
+        case cvss_v2
+        when 0.0..3.9
+          'Low'
+        when 4.0..6.9
+          'Medium'
+        when 7.0..10.0
+          'High'
+        else
+          raise ArgumentError, "invalid CVSS v2 score: #{cvss_v2}"
+        end
+      elsif cvss_v3
+        case cvss_v3
+        when 0.0
+          'None'
+        when 0.1..3.9
+          'Low'
+        when 4.0..6.9
+          'Medium'
+        when 7.0..8.9
+          'High'
+        when 9.0..10
+          'Critical'
+        else
+          raise ArgumentError, "invalid CVSS v3 score: #{cvss_v3}"
+        end
+      end
+    end
   end
 end

data/lib/redmine_audit/database.rb

@@ -8,8 +8,6 @@ module RedmineAudit
     URL = 'http://www.redmine.org/projects/redmine/wiki/Security_Advisories'
     TABLE_XPATH = '//*[@id="content"]/div[2]/table'
 
-    attr_reader :vulnerabilities
-
     # Get unfixed advisories against specified Redmine version.
     #
     # @param [String] version
@@ -24,7 +22,7 @@ module RedmineAudit
         doc = Nokogiri::HTML(html)
         doc.xpath(TABLE_XPATH).xpath('tr')[1..-1].each do |tr|
           if res = parse_tds(tr.xpath('td'))
-            @known_advisories << Advisory.new(*res)
+            @known_advisories << Advisory.new(*res, nil, nil, nil)
           end
         end
       end

data/lib/redmine_audit/plugin_database.rb

@@ -0,0 +1,62 @@
+require 'open-uri'
+require 'yaml'
+# TODO: use Redmine's Redmine::Plugin
+begin
+  require 'redmine/plugin'
+rescue LoadError
+end
+require 'redmine_audit/advisory'
+
+module RedmineAudit
+  # Redmine plugin advisory database
+  class PluginDatabase
+    URL = 'https://raw.githubusercontent.com/sho-h/redmine_audit/master/data/plugin_advisories.yml'
+
+    # Get unfixed plugin advisories against specified Redmine version.
+    #
+    # @return [[Redmine::Advisory]]
+    #   The array of plugin's Redmine::Advisory unfixed.
+    def advisories
+      if @known_advisories.nil?
+        @known_advisories = {}
+        YAML.load(fetch_advisory_data).each do |plugin_id, advisories|
+          @known_advisories[plugin_id] ||= []
+          advisories.each do |cve_id, attrs|
+            unaffected_vers = (attrs['unaffected_versions'] || []).map { |ver|
+              Gem::Requirement.new(ver)
+            }
+            patched_vers = (attrs['patched_versions'] || []).map { |ver|
+              Gem::Requirement.new(ver)
+            }
+            args = [
+              nil, attrs['title'], [attrs['url']],
+              unaffected_vers, patched_vers,
+              cve_id, attrs['cvss_v2'], attrs['cvss_v3'],
+            ]
+            @known_advisories[plugin_id] << Advisory.new(*args)
+          end
+        end
+      end
+
+      unfixed_advisories = {}
+      Redmine::Plugin.all.each do |plugin|
+        advisories = @known_advisories[plugin.id]
+        next if advisories.nil? || advisories.empty?
+
+        advisories.each do |advisory|
+          if advisory.vulnerable?(Gem::Version.new(plugin.version))
+            unfixed_advisories[plugin] ||= []
+            unfixed_advisories[plugin].push(advisory)
+          end
+        end
+      end
+      return unfixed_advisories
+    end
+
+    private
+
+    def fetch_advisory_data(url = URL)
+      open(url).read
+    end
+  end
+end

data/lib/redmine_audit/version.rb

@@ -1,3 +1,3 @@
 module RedmineAudit
-  VERSION = '0.1.1'
+  VERSION = '0.2.0'
 end

data/lib/tasks/redmine_audit.rake

@@ -1,32 +1,70 @@
 require 'redmine/version'
 require 'redmine_audit/advisory'
 require 'redmine_audit/database'
+require 'redmine_audit/plugin_database'
+require 'bundler/audit/scanner'
+require 'ruby_audit/database'
+require 'ruby_audit/scanner'
 
 desc <<-END_DESC
 Check redmine vulnerabilities.
 
 Available options:
-  * users    => comma separated list of user/group ids who should be notified
+  * users => comma separated list of user/group ids who should be notified
+  * dont_check_ruby_and_gems => don't bundler-audit and ruby_audit if '1' specified
 
 Example:
-  rake redmine:bundle_audit users="1,23, 56" RAILS_ENV="production"
+  rake redmine:audit users="1,23, 56" RAILS_ENV="production"
 END_DESC
 
 namespace :redmine do
-  # Avoid to define same task twice.
-  # TODO: stop load twice this .rake file.
-  if !Rake::Task.task_defined?(:audit)
-    task audit: :environment do
-      # TODO: More better if requires mailer automatically.
-      require_dependency 'mailer'
-      require_relative '../../app/models/mailer.rb'
-
-      redmine_ver = Redmine::VERSION
-      advisories = RedmineAudit::Database.new.advisories(redmine_ver.to_s)
-      if advisories.length > 0
-        users = (ENV['users'] || '').split(',').each(&:strip!)
+  task audit: :environment do
+    user_ids = (ENV['users'] || '').split(',').each(&:strip!)
+    if user_ids.empty?
+      raise 'need to specify environment variable: users'
+    end
+
+    users = User.active.where(admin: true, id: user_ids).to_a
+    if users.empty?
+      raise ActiveRecord::RecordNotFound.new("Couldn't find user specified: #{user_ids.inspect}")
+    end
+
+    # TODO: More better if requires mailer automatically.
+    require_dependency 'mailer'
+    require_relative '../../app/models/mailer.rb'
+    Rake::Task['redmine:audit:redmine'].invoke(users)
+    unless ENV['dont_check_ruby_and_gems'] == '1'
+      Rake::Task['redmine:audit:ruby_and_gems'].invoke(users)
+    end
+  end
+
+  namespace :audit do
+    task :redmine, [:users] do |t, args|
+      redmine_ver = Redmine::VERSION.to_s
+      advisories = RedmineAudit::Database.new.advisories(redmine_ver)
+      plugin_advisories = RedmineAudit::PluginDatabase.new.advisories
+      if advisories.length > 0 || plugin_advisories.length > 0
+        Mailer.with_synched_deliveries do
+          Mailer.unfixed_redmine_advisories_found(redmine_ver, advisories, plugin_advisories, args.users).deliver
+        end
+      end
+    end
+
+    # Update ruby-advisory-db.
+    task :update_ruby_advisory_db do
+      begin
+        Bundler::Audit::Database.update!(quiet: true)
+      rescue => e
+        warn "failed to update ruby-advisory-db: #{e.message}"
+      end
+    end
+
+    task :ruby_and_gems, [:users] => :update_ruby_advisory_db do |t, args|
+      ruby_result = RubyAudit::Scanner.new.scan
+      gems_result = Bundler::Audit::Scanner.new.scan
+      if ruby_result.count > 0 || gems_result.count > 0
         Mailer.with_synched_deliveries do
-          Mailer.unfixed_advisories_found(redmine_ver, advisories, users).deliver
+          Mailer.unfixed_ruby_and_gems_advisories_found(ruby_result, gems_result, args.users).deliver
         end
       end
     end

data/redmine_audit.gemspec

@@ -22,9 +22,12 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_runtime_dependency 'nokogiri'
+  spec.add_runtime_dependency 'bundler-audit'
+  spec.add_runtime_dependency 'ruby_audit'
 
   spec.add_development_dependency 'bundler', '~> 1.14'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'test-unit'
   spec.add_development_dependency 'test-unit-rr'
+  spec.add_development_dependency 'travis'
 end

data/scripts/create_plugin_list

@@ -0,0 +1,42 @@
+require 'open-uri'
+require 'nokogiri'
+require 'yaml'
+
+URL_BASE = 'http://www.redmine.org/'
+LIST_PATH = File.join(__dir__, '../data/plugins.yml')
+
+plugins = {}
+page = 1
+loop do
+  puts "chacking page:#{page}..."
+  doc = Nokogiri::HTML(open(URL_BASE + "plugins?page=#{page}").read)
+  doc.xpath('//a[@class="plugin"]').each do |a|
+    path = a.attributes["href"].value
+    name = path.split('/').last
+    plugins[name] = {}
+
+    sleep 60
+    puts "chacking page:#{page}:#{name}..."
+
+    detail_url = File.join(URL_BASE, path)
+    detail_doc = Nokogiri::HTML(open(detail_url).read)
+    {website: 2, repository: 3}.each do |key, index|
+      xpath = "//*[@id=\"content\"]/div[2]/table/tr[#{index}]/td/a"
+      detail_doc.xpath(xpath).each do |da|
+        plugins[name][key] = da.attributes["href"].value
+      end
+    end
+  end
+  if doc.xpath('//a[@class="next"]').count > 0
+    page += 1
+  else
+    break
+  end
+
+  File.open(LIST_PATH, 'w') do |f|
+    f.write(plugins.to_yaml)
+  end
+
+  sleep 60
+end
+

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: redmine_audit
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Sho Hashimoto
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-06-17 00:00:00.000000000 Z
+date: 2018-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -24,6 +24,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby_audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +108,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: travis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Redmine plugin for checking Redmine's own vulnerabilities
 email:
 - sho.hsmt@gmail.com
@@ -88,30 +130,38 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".travis.yml"
 - LICENSE
 - README.md
 - Rakefile
 - app/controllers/.keep
 - app/helpers/.keep
+- app/helpers/redmine_audit_helper.rb
 - app/models/.keep
 - app/models/mailer.rb
 - app/views/.keep
-- app/views/mailer/unfixed_advisories_found.html.erb
-- app/views/mailer/unfixed_advisories_found.text.erb
+- app/views/mailer/unfixed_redmine_advisories_found.html.erb
+- app/views/mailer/unfixed_redmine_advisories_found.text.erb
+- app/views/mailer/unfixed_ruby_and_gems_advisories_found.html.erb
+- app/views/mailer/unfixed_ruby_and_gems_advisories_found.text.erb
 - bin/console
 - bin/setup
 - config/locales/en.yml
 - config/locales/ja.yml
 - config/routes.rb
+- data/plugin_advisories.yml
+- data/plugins.yml
 - db/migrate/.keep
 - init.rb
 - lib/redmine_audit.rb
 - lib/redmine_audit/advisory.rb
 - lib/redmine_audit/database.rb
+- lib/redmine_audit/plugin_database.rb
 - lib/redmine_audit/version.rb
 - lib/tasks/.keep
 - lib/tasks/redmine_audit.rake
 - redmine_audit.gemspec
+- scripts/create_plugin_list
 homepage: https://github.com/sho-h/redmine_audit
 licenses:
 - MIT
@@ -132,7 +182,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.5.2.3
 signing_key: 
 specification_version: 4
 summary: Redmine plugin for checking Redmine's own vulnerabilities

data/app/views/mailer/unfixed_advisories_found.html.erb

@@ -1,27 +0,0 @@
-<div><%= l(:mail_summary_advisories_found) %></div>
-
-<%-
-@advisories.each do |advisory|
-  if advisory.external_references && !advisory.external_references.empty?
-    ext_refs = advisory.external_references
-  else
-    ext_refs = 'none'
-  end
-  solution = advisory.fixed_versions.join(', ')
--%>
-
-<div>
-  <ul style="list-style:none;">
-    <li>Name: Redmine</li>
-    <li>Version: <%= @redmine_version %></li>
-    <li>Severity: <%= advisory.severity %></li>
-    <li>URL: <%= ext_refs %></li>
-    <li>Detail: <%= advisory.details %></li>
-    <li>Solution: upgrade to <%= solution %></li>
-  </ul>
-</div>
-<%- end -%>
-
-<div>
-<%= l(:mail_detail_link_head_advisories_found) %> <%= link_to 'redmine.org', RedmineAudit::Database::URL %> <%= l(:mail_detail_link_tail_advisories_found) %>
-</div>