sensu-plugins-ruby 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: ec7224c32897f3dfb83b505d4a09f43f38b58466a98f9c7cdb23a15ff08cac6e
+  data.tar.gz: 4eab94904ad8480dc8ec9d697ca5ba9a11bb1b63459c710bb0afff4fd2e5487d
+SHA512:
+  metadata.gz: 53de6f426203ae0a80ab8fcb31a47d32054adb409bda280cf497d50e69d83f23b4a3a14acdb9d4124ef976ece01a967a8ac2cc89f1767767b1aa7226814a7717
+  data.tar.gz: 7ce5be6cbe45f37d34f8aa5ce0394d6e9733da9f05b94d471d307d7562835dd6d91082380b586f448c198d710c8902a35cc312d4111cd9990d5ab3d6ba710719

data/.bonsai.yml

@@ -0,0 +1,26 @@
+description: "#{repo}"
+builds:
+- platform: "debian"
+  arch: "amd64"
+  asset_filename: "#{repo}_#{version}_debian_linux_amd64.tar.gz"
+  sha_filename: "#{repo}_#{version}_sha512-checksums.txt"
+  filter:
+  -  "entity.system.os == 'linux'"
+  -  "entity.system.arch == 'amd64'"
+  -  "entity.system.platform == 'debian'"
+- platform: "centos"
+  arch: "amd64"
+  asset_filename: "#{repo}_#{version}_centos_linux_amd64.tar.gz"
+  sha_filename: "#{repo}_#{version}_sha512-checksums.txt"
+  filter:
+  -  "entity.system.os == 'linux'"
+  -  "entity.system.arch == 'amd64'"
+  -  "entity.system.platform == 'rhel'"
+- platform: "alpine"
+  arch: "amd64"
+  asset_filename: "#{repo}_#{version}_alpine_linux_amd64.tar.gz"
+  sha_filename: "#{repo}_#{version}_sha512-checksums.txt"
+  filter:
+  -  "entity.system.os == 'linux'"
+  -  "entity.system.arch == 'amd64'"
+  -  "entity.system.platform == 'alpine'"

data/.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rubocop.yml

@@ -0,0 +1,5 @@
+LineLength:
+  Max: 160
+
+AbcSize:
+  Max: 20

data/.travis.yml

@@ -0,0 +1,47 @@
+sudo: required
+language: ruby
+
+rvm:
+  - 2.5.5
+
+services:
+  - docker
+
+cache:
+  - bundler
+
+before_install:
+  - gem install bundler
+
+install:
+  - bundle install
+
+script:
+  - gem build sensu-plugins-ruby.gemspec
+  - gem install sensu-plugins-ruby-*.gem
+
+before_deploy:
+- bash -c "[ ! -d bonsai/ ] && git clone https://github.com/sensu/sensu-go-bonsai-asset.git bonsai || echo 'bonsai/ exists, skipping git clone'"
+
+deploy:
+  - provider: rubygems
+    api_key:
+      secure: Vha7m1Li7Jg7Md81siv18OvnqBaZHGnhhCIfe1ASxf5fe22EbLzqevBgSg8NI2MbOXOjOXZpO1WnWaeQKVRToYdqfLPRVQ0IwhvJxlT+fiYigczhj9jxNejIE7vfuJ/wWkjPubmRBvQBlr1eVT5donoyeCGlEoUGYoHF2AJ5rm2Yy056DxEFLXkYskpJZh49JIaTkELkSk8IfGKmDql2YDJQdqkwLcsz4Zg2cS8I4WlwpsW8bQjvTeuCKKIjnh3ylt9BYLCrs7kUPhXOyTdJzy8JxTzA/J2aM0jN0/PRfXMhzOtQfjywdJlCuVA3WTLBCr6Ny+ciS7W9kE5cHAm9SaPCZKPWPlhZB0KF1y7RpEEY2r+io3AE4oqPNBRHIXjfahyDbd71SqlFC05ZdUThVjGo9rgOHJUyxDjQ44KwjRKiX1e6MVouGHTjDjgATF2dqd1QOGiSKuqw7NmIMxge8unwz+FGVmMxCNqcVAfbMsZ1F0Unyh3KnWo7lp/cr7CyyWTRaRjC4le7l5120e1Akcx0rsHE8vlcqBbHGANtM4qW+qihUtVO0CKN+sPSsIRbmcC9gshIxrsxWX9agnT49UYB5kCy3ajkELjRHCDFtEXKm8DYzxcBRPD68mEZgJxEU63ZSfF1BZfM0Km63tyoxEtwr4CusAG1zIMsJZzWhmQ=
+    gem: sensu-plugins-ruby
+    on:
+      tags: true
+      all_branches: true
+      rvm: 2.5.5
+      repo: SICSoftwareGmbH/sensu-plugins-ruby
+
+  - provider: script
+    script: bonsai/ruby-runtime/travis-build-ruby-plugin-assets.sh sensu-plugins-ruby
+    skip_cleanup: true
+    on:
+      tags: true
+      all_branches: true
+      rvm: 2.5.5
+
+env:
+  global:
+    secure: "wCy0rkujPL05QmhgC4m2896hsUmVn2aoolF9nF3IYklHTYLRUAcTpWPbjKNse0KkVJGNu1TGpxoKqD5IYyWagYfarI/mHPlkV7/JIVMOGx01AWT+gPIfF2AbRdzaYwhQGmPb1I4lAg4ZGXTQdIitSPQaKXT4Bqi5XdlOwbAY1vqtUI8nylEmepSKi32a1kz0ArDkrEX1FUeK0B4m3lxFGf9K+ZybYxx2TOhvVtuBLQSZHfsgcczO7LgUClJVpiJoXaAHUOG5Iur4G5bDEGcMSWA+w32NqEmSg20k3ZsSYhMTre9G937YCGpjnWybLy44tqPLs6FW1SB2HooyvI5yDRWGjPhHLjRlbsU7GgIGrKUbAIbAcXMgQsVQSXEA/tQ4HMSjfNHj3oSqNQaq5PcQk8t0s7VITx4c14rZ88ueH9ulwyhOfodjEVnPZ7P50aUCBJgDDZYdK/agmW+OhQCBT/OPO7XXaelf3KO9WC7IelV5MjH7Wt9pkBLozVFOuGN5pKc7wb99yNdgX9tCmjE2ZXRZmddu8ydgn+Kvk5F6I92f3u0e6FQKQoJCj0fbItaM5S3Mlw8MIraXveWN750va3j9cHMTjlnEhlE3YOtGe/A4U+bCqP7iSDVbyhE1uTcPBkDrB/0mu3T8tkoAeuAO0daQJkzznvRIl5IXlDOvVzE="

data/CHANGELOG.md

@@ -0,0 +1,12 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.1.0] - 2019-07-26
+### Added
+- check if ruby version is current
+- check for security advisories using bundler-audit

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in foo.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 SIC! Software GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,18 @@
+## sensu-plugins-ruby
+
+[![Build Status](https://travis-ci.org/SICSoftwareGmbH/sensu-plugins-ruby.svg?branch=master)](https://travis-ci.org/SICSoftwareGmbH/sensu-plugins-ruby)
+[![Gem Version](https://badge.fury.io/rb/sensu-plugins-ruby.svg)](http://badge.fury.io/rb/sensu-plugins-ruby)
+[![Sensu Bonsai Asset](https://img.shields.io/badge/Bonsai-Download%20Me-brightgreen.svg?colorB=89C967&logo=sensu)](https://bonsai.sensu.io/assets/SICSoftwareGmbH/sensu-plugins-ruby)
+
+## Sensu Asset  
+  The Sensu assets packaged from this repository are built against the Sensu ruby runtime environment. When using these assets as part of a Sensu Go resource (check, mutator or handler), make sure you include the corresponding Sensu ruby runtime asset in the list of assets needed by the resource.  The current ruby-runtime assets can be found [here](https://bonsai.sensu.io/assets/sensu/sensu-ruby-runtime) in the [Bonsai Asset Index](bonsai.sensu.io).
+
+## Functionality
+
+## Files
+ * bin/check-bundler-audit
+ * bin/check-ruby-version
+
+## Installation
+
+[Installation and Setup](http://sensu-plugins.io/docs/installation_instructions.html)

data/Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+task default: :spec

data/bin/check-bundler-audit

@@ -0,0 +1,128 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#   check-bundle-audit
+#
+# DESCRIPTION:
+#   Check bundle for vulnerabilities
+#
+# OUTPUT:
+#   Plain text
+#
+# PLATFORMS:
+#   Linux; bundler-audit gem must be installed
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#   gem: bundler-audit
+#
+# LICENSE:
+#   Florian Schwab <me@ydkn.io>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'bundler/audit/database'
+require 'bundler/audit/scanner'
+require 'sensu-plugin/check/cli'
+
+# Sensu plugin for checking bundle audit status
+class BundlerAuditCheck < Sensu::Plugin::Check::CLI
+  CRITICALITY_UNKOWN = 0
+  CRITICALITY_LOW    = 1
+  CRITICALITY_MEDIUM = 2
+  CRITICALITY_HIGH   = 3
+
+  option :paths,
+         short: '-p RUBY_APP_PATHS',
+         long: '--paths RUBY_APP_PATHS',
+         description: 'Comma separated list of paths containing ruby applications',
+         required: true
+
+  option :criticality,
+         short: '-c CRIT_NUM',
+         long: '--criticality CRIT_NUM',
+         description: 'Ignore vulnerabilities with lower criticality than this',
+         default: '0'
+
+  option :ignore,
+         short: '-i CVE_NUBMERS',
+         long: '--ignore CVE_NUMBERS',
+         description: 'Comma separated list of CVE numbers to ignore',
+         default: ''
+
+  def run
+    update_audit_db
+
+    checks = config[:paths].split(',').map do |path|
+      check_audit(path.strip)
+    end
+
+    message = checks.select { |c| %i[critical warning].include?(c[:status]) }
+                    .map { |c| "#{c[:path]}: #{c[:message]}" }
+                    .compact.join("\n")
+
+    if checks.any? { |c| c[:status] == :critical }
+      critical("Vulnerabilities found: #{message}")
+    elsif checks.any? { |c| c[:status] == :warning }
+      warning("Vulnerabilities found: #{message}")
+    else
+      ok('No vulnerabilities found')
+    end
+  end
+
+  private
+
+  def update_audit_db
+    ok = Bundler::Audit::Database.update!(quiet: true)
+
+    warning("Failed to update advisory db: #{stdout} #{stderr}") unless ok
+  end
+
+  def criticality_to_int(criticality)
+    case criticality
+    when :high
+      CRITICALITY_HIGH
+    when :medium
+      CRITICALITY_MEDIUM
+    when :low
+      CRITICALITY_LOW
+    else
+      CRITICALITY_UNKOWN
+    end
+  end
+
+  def check_audit(path)
+    ENV['BUNDLE_GEMFILE'] = File.join(path, 'Gemfile.lock')
+
+    vulnerabilities = []
+
+    scanner = Bundler::Audit::Scanner.new(path)
+    scanner.scan do |result|
+      case result
+      when Bundler::Audit::Scanner::InsecureSource
+        vulnerabilities << { message: "Insecure Source URI found: #{result.source}", criticality: CRITICALITY_HIGH }
+      when Bundler::Audit::Scanner::UnpatchedGem
+        vulnerabilities << { gem: result.gem, advisory: result.advisory, criticality: criticality_to_int(result.advisory.criticality) }
+      end
+    end
+
+    if vulnerabilities.empty?
+      { path: path, status: :ok, message: 'No vulnerabilities found' }
+    else
+      message = vulnerabilities.map do |v|
+        v[:message] || "#{v[:gem].name} #{v[:gem].version} (#{v[:advisory].cve || v[:advisory].osvdb})"
+      end.join(', ')
+
+      if vulnerabilities.any? { |v| v[:criticality] >= config[:criticality].to_i && !config[:ignore].split(',').map(&:strip).include?(v[:advisory]) }
+        { path: path, status: :critical, message: message }
+      elsif vulnerabilities.any?
+        { path: path, status: :ok, message: message }
+      else
+        { path: path, status: :warning, message: 'Vulnerabilities found' }
+      end
+    end
+  rescue StandardError => e
+    { path: path, status: :warning, message: "Failed to check for vulnerabilities: #{e.message}" }
+  end
+end

data/bin/check-ruby-version

@@ -0,0 +1,112 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#   check-ruby-version
+#
+# DESCRIPTION:
+#   Check if used ruby version in .ruby-version is current patch release
+#
+# OUTPUT:
+#   Plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# LICENSE:
+#   Florian Schwab <me@ydkn.io>
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'net/http'
+require 'uri'
+require 'sensu-plugin/check/cli'
+
+# Sensu plugin for checking bundle audit status
+class RubyVersionCheck < Sensu::Plugin::Check::CLI
+  RVM_KNOWN_RUBIES_URL = 'https://raw.githubusercontent.com/rvm/rvm/stable/config/known'
+  MIN_RUBY_VERSION     = [2, 4].freeze
+
+  option :paths,
+         short: '-p RUBY_APP_PATHS',
+         long: '--paths RUBY_APP_PATHS',
+         description: 'Comma separated list of paths containing ruby applications',
+         required: true
+
+  def run
+    known_rubies = fetch_known_rubies
+    latest_ruby = known_rubies.max
+
+    checks = config[:paths].split(',').map do |path|
+      check_path(path, known_rubies, latest_ruby)
+    end
+
+    message = checks.select { |c| %i[critical warning].include?(c[:status]) }
+                    .map { |c| "#{c[:path]}: #{c[:message]}" }
+                    .compact.join("\n")
+
+    if checks.any? { |c| c[:status] == :critical }
+      critical(message)
+    elsif checks.any? { |c| c[:status] == :warning }
+      warning(message)
+    elsif checks.length == 1
+      ok(checks[0][:message])
+    else
+      ok('Ruby versions are current')
+    end
+  end
+
+  private
+
+  def fetch_known_rubies
+    Net::HTTP.get(URI.parse(RVM_KNOWN_RUBIES_URL))
+             .split("\n")
+             .map { |l| l.match(/^\[ruby\-\](\d+)\.(\d+)\[\.(\d+)\]/) }
+             .compact
+             .map { |m| [m[1], m[2], m[3]].map(&:to_i) }
+             .select { |v| v[0] >= MIN_RUBY_VERSION[0] && v[1] >= MIN_RUBY_VERSION[1] }
+  end
+
+  def parse_ruby_version(string)
+    match = string.strip.match(/^(ruby\-)?(\d+)\.(\d+)\.(\d+)/)
+
+    return unless match
+
+    [match[2], match[3], match[4]].map(&:to_i)
+  end
+
+  def check_path(path, known_rubies, latest_ruby)
+    used_ruby = parse_ruby_version(File.read(File.join(path, '.ruby-version')))
+    current_branch_patch_version = known_rubies.find { |v| v[0] == used_ruby[0] && v[1] == used_ruby[1] }
+
+    if current_branch_patch_version.nil?
+      {
+        path: path,
+        status: :critical,
+        message: format('The ruby version has reached its end of live: %s', used_ruby.join('.'))
+      }
+    elsif current_branch_patch_version[2] > used_ruby[2]
+      {
+        path: path,
+        status: :warning,
+        message: format('Outdated Ruby version of %s branch: %s', used_ruby[0..-2].join('.'), used_ruby.join('.'))
+      }
+    elsif latest_ruby[0] > used_ruby[0] || latest_ruby[1] > used_ruby[1]
+      {
+        path: path,
+        status: :ok,
+        message: format('Using latest version of %s branch: %s - latest version: %s',
+                        used_ruby[0..-2].join('.'), used_ruby.join('.'), latest_ruby[0..-2].join('.'))
+      }
+    else
+      {
+        path: path,
+        status: :ok,
+        message: format('Using latest version of ruby %s', used_ruby.join('.'))
+      }
+    end
+  end
+end

data/lib/sensu-plugins-ruby.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'sensu-plugins-ruby/version'

data/lib/sensu-plugins-ruby/version.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module SensuPluginsRuby
+  module Version
+    MAJOR = 0
+    MINOR = 1
+    PATCH = 0
+
+    STRING = [MAJOR, MINOR, PATCH].compact.join('.')
+  end
+end

data/sensu-plugins-ruby.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'sensu-plugins-ruby/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'sensu-plugins-ruby'
+  spec.version       = SensuPluginsRuby::Version::STRING
+  spec.authors       = ['SIC! Software GmbH', 'Florian Schwab']
+  spec.email         = ['info@sic.software', 'me@ydkn.io']
+  spec.summary       = 'This plugin provides checks for the used ruby version and security advisories for used gems'
+  spec.description   = 'Sensu plugins vairous for ruby related stuff'
+  spec.homepage      = 'https://github.com/SICSoftwareGmbH/sensu-plugins-ruby'
+  spec.license       = 'MIT'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = spec.homepage
+  spec.metadata['changelog_uri'] = 'https://github.com/SICSoftwareGmbH/sensu-plugins-ruby/blob/master/CHANGELOG.md'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'bin'
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'rake', '~> 10.0'
+end

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: sensu-plugins-ruby
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- SIC! Software GmbH
+- Florian Schwab
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-07-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Sensu plugins vairous for ruby related stuff
+email:
+- info@sic.software
+- me@ydkn.io
+executables:
+- check-bundler-audit
+- check-ruby-version
+extensions: []
+extra_rdoc_files: []
+files:
+- ".bonsai.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/check-bundler-audit
+- bin/check-ruby-version
+- lib/sensu-plugins-ruby.rb
+- lib/sensu-plugins-ruby/version.rb
+- sensu-plugins-ruby.gemspec
+homepage: https://github.com/SICSoftwareGmbH/sensu-plugins-ruby
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/SICSoftwareGmbH/sensu-plugins-ruby
+  source_code_uri: https://github.com/SICSoftwareGmbH/sensu-plugins-ruby
+  changelog_uri: https://github.com/SICSoftwareGmbH/sensu-plugins-ruby/blob/master/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.4
+signing_key: 
+specification_version: 4
+summary: This plugin provides checks for the used ruby version and security advisories
+  for used gems
+test_files: []