scanny 0.1.0

data/spec/scanny/rake_taks_spec.rb

@@ -0,0 +1,82 @@
+require 'spec_helper'
+
+module Scanny
+  describe RakeTask do
+    before(:each) { MockTask.reset_tasks }
+
+    it "executes clean scanny" do
+      task = RakeTask.new
+      MockTask.last_instance.call
+      MockTask.last_cmd.should == "scanny"
+    end
+
+    it "executes scanny with format" do
+      task = RakeTask.new { |t| t.format = :stdout }
+      MockTask.last_instance.call
+      MockTask.last_cmd.should == "scanny -f stdout"
+    end
+
+    it "executes scanny with include option" do
+      task = RakeTask.new { |t| t.include = "./checks" }
+      MockTask.last_instance.call
+      MockTask.last_cmd.should == "scanny -i ./checks"
+    end
+
+    it "executes scanny with many include option" do
+      task = RakeTask.new { |t| t.include = ["./checks", "./checks2"] }
+      MockTask.last_instance.call
+      MockTask.last_cmd.should == "scanny -i ./checks ./checks2"
+    end
+
+    it "executes scanny with disable options" do
+      task = RakeTask.new { |t| t.disable = "HTTPRequestCheck" }
+      MockTask.last_instance.call
+      MockTask.last_cmd.should == "scanny -d HTTPRequestCheck"
+    end
+
+    it "executes scanny with many disable options" do
+      task = RakeTask.new { |t| t.disable = ["HTTPRequestCheck", "Check"] }
+      MockTask.last_instance.call
+      MockTask.last_cmd.should == "scanny -d HTTPRequestCheck Check"
+    end
+
+    it "executes scanny in strict mode" do
+      task = RakeTask.new { |t| t.strict = true }
+      MockTask.last_instance.call
+      MockTask.last_cmd.should == "scanny -s"
+    end
+
+    it "executes scanny with custom directory" do
+      task = RakeTask.new { |t| t.path = "./custom/app" }
+      MockTask.last_instance.call
+      MockTask.last_cmd.should == "scanny ./custom/app"
+    end
+
+    describe "system command return false" do
+      before do
+        task = RakeTask.new { |t| t.fail_on_error = true }
+        def task.system(*) return false end
+      end
+
+      it "fails on error" do
+        lambda {
+          MockTask.last_instance.call
+        }.should raise_error(RuntimeError)
+      end
+    end
+
+    describe "ruby parser mode" do
+      it "executes scanny with ruby 18 mode" do
+        task = RakeTask.new { |t| t.ruby_mode = "18" }
+        MockTask.last_instance.call
+        MockTask.last_cmd.should == "scanny -m 18"
+      end
+
+      it "executes scanny with ruby 19 mode" do
+        task = RakeTask.new { |t| t.ruby_mode = "19" }
+        MockTask.last_instance.call
+        MockTask.last_cmd.should == "scanny -m 19"
+      end
+    end
+  end
+end

data/spec/scanny/reporters/reporter_spec.rb

@@ -0,0 +1,24 @@
+require "spec_helper"
+
+module Scanny
+  module Reporters
+    describe Reporter do
+      describe "initialize" do
+        it "setup correctly instance variables" do
+          arguments = {
+            :file             => :file,
+            :checks_performed => :checks_performed,
+            :nodes_inspected  => :nodes_inspected,
+            :issues           => :issues
+          }
+          reporter = Reporter.new(arguments)
+
+          reporter.file.should be_equal(arguments[:file])
+          reporter.checks_performed.should be_equal(arguments[:checks_performed])
+          reporter.nodes_inspected.should be_equal(arguments[:nodes_inspected])
+          reporter.issues.should be_equal(arguments[:issues])
+        end
+      end
+    end
+  end
+end

data/spec/scanny/reporters/simple_reporter_spec.rb

@@ -0,0 +1,48 @@
+require "spec_helper"
+
+module Scanny
+  module Reporters
+    describe SimpleReporter do
+      describe "report" do
+        describe "no issues" do
+          it "returns correctly formatted string" do
+            checks_performed = 5
+            nodes_inspected  = 10
+
+            reporter = SimpleReporter.new
+            reporter.stub(:puts)
+            reporter.file             = 'foo.rb'
+            reporter.checks_performed = checks_performed
+            reporter.nodes_inspected  = nodes_inspected
+
+            reporter.report.should == "foo.rb [#{checks_performed} checks done | "\
+                                    "#{nodes_inspected} nodes inspected | "\
+                                    "0 issues]"
+          end
+        end
+
+        describe "has issues" do
+          it "returns correctly formatted string" do
+            checks_performed = 5
+            nodes_inspected  = 10
+
+            reporter = SimpleReporter.new
+            reporter.stub(:puts)
+            reporter.file             = 'foo.rb'
+            reporter.checks_performed = checks_performed
+            reporter.nodes_inspected  = nodes_inspected
+            reporter.issues << Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+            reporter.issues << Issue.new("unsecure.rb", 43, :high, "Hey, I found unsecure code!", 43)
+
+            expected_string = <<-EOT
+foo.rb [#{checks_performed} checks done | #{nodes_inspected} nodes inspected | 2 issues]
+  - [high] unsecure.rb:42: Hey, I found unsecure code! (CWE-43)
+  - [high] unsecure.rb:43: Hey, I found unsecure code! (CWE-43)
+            EOT
+            reporter.report.should == expected_string.chomp
+          end
+        end
+      end
+    end
+  end
+end

data/spec/scanny/reporters/xml_reporter_spec.rb

@@ -0,0 +1,52 @@
+require "spec_helper"
+
+module Scanny
+  module Reporters
+    describe XMLReporter do
+      describe "report" do
+        describe "no issues" do
+          it "returns correctly formatted string" do
+            checks_performed = 5
+            nodes_inspected  = 10
+
+            report = XMLReporter.new
+            report.file             = 'foo.rb'
+            report.checks_performed = checks_performed
+            report.nodes_inspected  = nodes_inspected
+
+            doc = REXML::Document.new report.report
+            doc.should_not have_xml('/testsuite/testcase')
+          end
+        end
+
+        describe "has issues" do
+          it "returns correctly formatted string" do
+            file             = 'foo.rb'
+            checks_performed = 5
+            nodes_inspected  = 10
+
+            report = XMLReporter.new
+            report.file             = file
+            report.checks_performed = checks_performed
+            report.nodes_inspected  = nodes_inspected
+            report.issues << Issue.new("unsecure.rb", 42, :high, "Hey, I found unsecure code!", 43)
+            report.issues << Issue.new("unsecure.rb", 43, :high, "Hey, I found unsecure code!", 43)
+
+            xpath_query = "/testsuite[@tests='#{checks_performed}' and "\
+                                     "@skipped='0' and @failures='0' and "\
+                                     "@assertions='#{nodes_inspected}' and "\
+                                     "@name='#{file}']"
+            report.report.should have_xml xpath_query
+
+            report.issues.each do |issue|
+              xpath_query = "//testcase[@name='#{issue.file}:#{issue.line}' and "\
+                            "[error[@message='#{issue.message}' and "\
+                                   "@type='#{issue.impact.to_s}']]]"
+              report.report.should have_xml xpath_query
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/spec/scanny/ruby_version_check_spec.rb

@@ -0,0 +1,24 @@
+require "spec_helper"
+
+describe "Ruby version check" do
+
+  before { @load_file = "scanny/ruby_version_check.rb" }
+
+  it "should raise exception (ruby 1.8)" do
+    -> { load_with('ruby', '1.8', @load_file) }.should raise_error
+  end
+
+  it "should raise exception (ruby 1.9)" do
+    -> { load_with('ruby', '1.9', @load_file) }.should raise_error
+  end
+
+  it "should raise exception (rbx 1.8 mode)" do
+    -> { load_with('rbx', '1.8', @load_file) }.should raise_error
+  end
+
+  it "should not raise exception (rbx 1.9 mode)" do
+    -> { load_with('rbx', '1.9', @load_file) }.should_not raise_error
+  end
+
+end
+

data/spec/scanny/runner_spec.rb

@@ -0,0 +1,128 @@
+require "spec_helper"
+
+module Scanny
+  describe Runner do
+    before :each do
+      @check = Checks::TestCheck.new
+      @runner = Runner.new(@check)
+    end
+
+    describe "initialize" do
+      it "uses passed checks when they are passed" do
+        @runner.checks.should == [@check]
+      end
+
+      it "uses default checks when no checks are passed" do
+        checks = Runner.new.checks
+
+        checks.any? { |ch| ch.is_a?(Checks::TestCheck) }.should be_true
+        checks.any? { |ch| ch.is_a?(Checks::XssSendCheck) }.should be_true
+      end
+
+      it "uses only \"leaf\" check classes" do
+        checks = Runner.new.checks
+
+        checks.any? { |ch| ch.class == Checks::ExtendCheck }.should be_false
+        checks.any? { |ch| ch.class == Checks::MyCheck }.should be_true
+      end
+
+      it "initializes checks_data on start" do
+        runner = Runner.new
+        runner.checks_data.should_not be_nil
+      end
+    end
+
+    describe "check" do
+      it "reports issues" do
+        check_data = @runner.check("unsecure.rb", '42')
+
+        check_data[:file].should   == 'unsecure.rb'
+        check_data[:issues].should == [
+          Issue.new("unsecure.rb", 1, :high, "Hey, I found unsecure code!", 42),
+          Issue.new("unsecure.rb", 1, :high, "Hey, I found more unsecure code!", 43),
+          Issue.new("unsecure.rb", 1, :low,  "OK, this is unsecure too, but not that much")
+        ]
+      end
+
+      it "raises SyntaxError when the input can't be parsed as Ruby code" do
+        lambda {
+          @runner.check("rubbish.rb", "@$%")
+        }.should raise_error(SyntaxError)
+      end
+
+      describe "ignore comments" do
+        describe "SCANNY_IGNORE" do
+          it "ignores lines with SCANNY_IGNORE" do
+            @runner.should check('42 # SCANNY_IGNORE').without_issues
+          end
+
+          it "does not ignore lines before SCANNY_IGNORE" do
+            @runner.should check(<<-EOT).with_n_issues(3)
+              42
+              boo # SCANNY_IGNORE
+            EOT
+          end
+
+          it "does not ignore lines after SCANNY_IGNORE" do
+            @runner.should check(<<-EOT).with_n_issues(3)
+              boo # SCANNY_IGNORE
+              42
+            EOT
+          end
+        end
+
+        describe "SCANNY_IGNORE_NEXT" do
+          it "ignores line after SCANNY_IGNORE_NEXT" do
+            @runner.should check(<<-EOT).without_issues
+              boo # SCANNY_IGNORE_NEXT
+              42
+            EOT
+          end
+
+          it "does not ignore a line with SCANNY_IGNORE_NEXT" do
+            @runner.should check(<<-EOT).with_n_issues(3)
+              42 # SCANNY_IGNORE_NEXT
+            EOT
+          end
+
+          it "does not ignore 2nd line after SCANNY_IGNORE_NEXT" do
+            @runner.should check(<<-EOT).with_n_issues(3)
+              boo # SCANNY_IGNORE_NEXT
+              boo
+              42
+            EOT
+          end
+        end
+
+        describe "SCANNY_IGNORE_NEXT_n" do
+          it "ignores n lines after SCANNY_IGNORE_NEXT_n" do
+            @runner.should check(<<-EOT).without_issues
+              # SCANNY_IGNORE_NEXT_3
+              42
+              42
+              42
+            EOT
+          end
+
+          it "does not ignore a line with SCANNY_IGNORE_NEXT_n" do
+            @runner.should check(<<-EOT).with_n_issues(3)
+              42 # SCANNY_IGNORE_NEXT_3
+            EOT
+          end
+
+          it "does not ignore (n+1)th line after SCANNY_IGNORE_NEXT_n" do
+            @runner.should check(<<-EOT).with_n_issues(3)
+              boo # SCANNY_IGNORE_NEXT_3
+              boo
+              boo
+              boo
+              42
+            EOT
+          end
+        end
+      end
+    end
+
+    # We don't test #check_file since it's just a tiny wrapper around #check.
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+require "scanny"
+
+Dir[File.dirname(__FILE__) + "/support/**/*.rb"].each {|f| require f}
+
+RSpec.configure do |c|
+  c.include CheckSpecHelpers
+  c.include ConstSpecHelpers
+  c.include Aruba::Api
+  c.color_enabled = true
+end

data/spec/support/aruba.rb

@@ -0,0 +1,4 @@
+require 'aruba/api'
+
+extra_path_folder = File.join(File.expand_path(File.dirname(__FILE__)), '../../bin')
+ENV['PATH'] = [extra_path_folder, ENV['PATH']].join(File::PATH_SEPARATOR)

data/spec/support/check_spec_helpers.rb

@@ -0,0 +1,5 @@
+module CheckSpecHelpers
+  def issue(*args)
+    Scanny::Issue.new("scanned_file.rb", 1, *args)
+  end
+end

data/spec/support/checks/extend_test_check.rb

@@ -0,0 +1,11 @@
+module Scanny
+  module Checks
+    class ExtendCheck < Check; end
+
+    class MyCheck < ExtendCheck
+      def pattern
+        'NilClass'
+      end
+    end
+  end
+end

data/spec/support/checks/test_check.rb

@@ -0,0 +1,15 @@
+module Scanny
+  module Checks
+    class TestCheck < Check
+      def pattern
+        'FixnumLiteral'
+      end
+
+      def check(node)
+        issue :high, "Hey, I found unsecure code!", :cwe => 42
+        issue :high, "Hey, I found more unsecure code!", :cwe => 43
+        issue :low,  "OK, this is unsecure too, but not that much"
+      end
+    end
+  end
+end

data/spec/support/checks/test_strict_check.rb

@@ -0,0 +1,17 @@
+module Scanny
+  module Checks
+    class TestStrictCheck < Check
+      def pattern
+        'FixnumLiteral'
+      end
+
+      def check(node)
+        puts 'strict checked'
+      end
+
+      def strict?
+        true
+      end
+    end
+  end
+end

data/spec/support/const_spec_helpers.rb

@@ -0,0 +1,36 @@
+module ConstSpecHelpers
+  def with_const(const, &block)
+    saved_consts = {}
+    const.each do |const, val|
+      saved_consts[const] = Object.const_get(const)
+      Object.const_set(const, val)
+    end
+
+    begin
+      block.call
+    ensure
+      const.each_key do |const|
+        Object.const_set(const, saved_consts[ const ])
+      end
+    end
+  end
+
+  def with_ruby(engine = "rbx", version = '1.9.3', &block)
+    with_const(:RUBY_VERSION => version,:RUBY_ENGINE => engine, &block)
+  end
+
+  def silence
+    orig_stdout = $stderr
+    $stderr = File.new('/dev/null', 'w')
+    yield
+  ensure
+    $stderr = orig_stdout
+  end
+
+  def load_with(engine, version, file)
+    silence do
+      with_ruby(engine, version) { load(file) }
+    end
+  end
+end
+