simplycop 1.0.0.pre
- checksums.yaml +7 -0
- data/.custom_simplycop.yml +11 -0
- data/.github/workflows/ci.yml +34 -0
- data/.github/workflows/publish_gem.yml +26 -0
- data/.github/workflows/version_forget_me_not.yml +17 -0
- data/.gitignore +37 -0
- data/.rspec +1 -0
- data/.rubocop.yml +3 -0
- data/.ruby-version +1 -0
- data/.simplycop.yml +447 -0
- data/.simplycop_metaprogramming.yml +38 -0
- data/.simplycop_rails.yml +100 -0
- data/.simplycop_rspec.yml +234 -0
- data/.simplycop_security.yml +25 -0
- data/CODEOWNERS +3 -0
- data/Gemfile +6 -0
- data/README.md +73 -0
- data/Rakefile +3 -0
- data/bin/console +16 -0
- data/bin/setup +8 -0
- data/lib/simplycop.rb +7 -0
- data/lib/simplycop/custom_cops/constantize.rb +24 -0
- data/lib/simplycop/custom_cops/define_method.rb +29 -0
- data/lib/simplycop/custom_cops/instance_eval.rb +35 -0
- data/lib/simplycop/custom_cops/method_missing.rb +25 -0
- data/lib/simplycop/custom_cops/timecop_without_block.rb +36 -0
- data/lib/simplycop/security/check_for_vulnerable_code.rb +34 -0
- data/lib/simplycop/security/csrf_token_validation.rb +18 -0
- data/lib/simplycop/security/reject_all_requests_local.rb +25 -0
- data/lib/simplycop/version.rb +11 -0
- data/simplycop.gemspec +26 -0
- data/vuln_db.json +8 -0
- metadata +159 -0
@@ -0,0 +1,38 @@
|
|
1
|
+
AllCops:
|
2
|
+
ExtraDetails: true
|
3
|
+
|
4
|
+
require:
|
5
|
+
- './lib/simplycop/custom_cops/constantize.rb'
|
6
|
+
- './lib/simplycop/custom_cops/define_method.rb'
|
7
|
+
- './lib/simplycop/custom_cops/instance_eval.rb'
|
8
|
+
- './lib/simplycop/custom_cops/method_missing.rb'
|
9
|
+
|
10
|
+
CustomCops/Constantize:
|
11
|
+
Enabled: true
|
12
|
+
Details: >-
|
13
|
+
Decision 001 : Avoid metaprogamming, where feasible
|
14
|
+
`https://github.com/simplybusiness/chopin/blob/master/doc/decision-records/001-metaprogramming.md`
|
15
|
+
|
16
|
+
CustomCops/DefineMethod:
|
17
|
+
Enabled: true
|
18
|
+
Details: >-
|
19
|
+
Decision 001 : Avoid metaprogamming, where feasible
|
20
|
+
`https://github.com/simplybusiness/chopin/blob/master/doc/decision-records/001-metaprogramming.md`
|
21
|
+
|
22
|
+
CustomCops/InstanceEval:
|
23
|
+
Enabled: true
|
24
|
+
Details: >-
|
25
|
+
Decision 001 : Avoid metaprogamming, where feasible
|
26
|
+
`https://github.com/simplybusiness/chopin/blob/master/doc/decision-records/001-metaprogramming.md`
|
27
|
+
|
28
|
+
CustomCops/MethodMissing:
|
29
|
+
Enabled: true
|
30
|
+
Details: >-
|
31
|
+
Decision 001 : Avoid metaprogamming, where feasible
|
32
|
+
`https://github.com/simplybusiness/chopin/blob/master/doc/decision-records/001-metaprogramming.md`
|
33
|
+
|
34
|
+
Style/Send:
|
35
|
+
Enabled: true
|
36
|
+
Details: >-
|
37
|
+
Decision 001 : Avoid metaprogamming, where feasible
|
38
|
+
`https://github.com/simplybusiness/chopin/blob/master/doc/decision-records/001-metaprogramming.md`
|
@@ -0,0 +1,100 @@
|
|
1
|
+
require:
|
2
|
+
- rubocop-rails
|
3
|
+
|
4
|
+
AllCops:
|
5
|
+
Exclude:
|
6
|
+
- 'db/schema.rb'
|
7
|
+
- 'vendor/**/*'
|
8
|
+
|
9
|
+
# Cop names are not displayed in offense messages by default. Change behavior
|
10
|
+
# by overriding DisplayCopNames, or by giving the -D/--display-cop-names
|
11
|
+
# option.
|
12
|
+
DisplayCopNames: true
|
13
|
+
# Style guide URLs are not displayed in offense messages by default. Change
|
14
|
+
# behavior by overriding DisplayStyleGuide, or by giving the
|
15
|
+
# -S/--display-style-guide option.
|
16
|
+
DisplayStyleGuide: true
|
17
|
+
UseCache: true
|
18
|
+
MaxFilesInCache: 5000
|
19
|
+
# Adapted from: https://github.com/simplybusiness/how-we-roll/blob/master/development/RUBYSTYLEGUIDE.markdown
|
20
|
+
|
21
|
+
Rails:
|
22
|
+
Enabled: true
|
23
|
+
|
24
|
+
## Rails Cops
|
25
|
+
Rails/TimeZone:
|
26
|
+
Enabled: true
|
27
|
+
Severity: warning
|
28
|
+
|
29
|
+
Rails/Date:
|
30
|
+
Enabled: true
|
31
|
+
Severity: warning
|
32
|
+
|
33
|
+
Rails/Delegate:
|
34
|
+
Enabled: false
|
35
|
+
|
36
|
+
Rails/Output:
|
37
|
+
Enabled: true
|
38
|
+
|
39
|
+
Rails/Validation:
|
40
|
+
Enabled: true
|
41
|
+
|
42
|
+
Rails/FindBy:
|
43
|
+
Enabled: true
|
44
|
+
|
45
|
+
Rails/ActionFilter:
|
46
|
+
Enabled: true
|
47
|
+
|
48
|
+
Rails/ReadWriteAttribute:
|
49
|
+
Enabled: true
|
50
|
+
|
51
|
+
Rails/PluralizationGrammar:
|
52
|
+
Enabled: true
|
53
|
+
|
54
|
+
Rails/SkipsModelValidations:
|
55
|
+
Enabled: true
|
56
|
+
|
57
|
+
Rails/ActiveRecordCallbacksOrder:
|
58
|
+
Enabled: true
|
59
|
+
|
60
|
+
Rails/AfterCommitOverride:
|
61
|
+
Enabled: true
|
62
|
+
|
63
|
+
Rails/FindById:
|
64
|
+
Enabled: true
|
65
|
+
|
66
|
+
Rails/Inquiry:
|
67
|
+
Enabled: false
|
68
|
+
|
69
|
+
Rails/MailerName:
|
70
|
+
Enabled: true
|
71
|
+
|
72
|
+
Rails/MatchRoute:
|
73
|
+
Enabled: true
|
74
|
+
|
75
|
+
Rails/NegateInclude:
|
76
|
+
Enabled: true
|
77
|
+
|
78
|
+
Rails/Pluck:
|
79
|
+
Enabled: false
|
80
|
+
|
81
|
+
Rails/PluckInWhere:
|
82
|
+
Enabled: false
|
83
|
+
|
84
|
+
Rails/RenderInline:
|
85
|
+
Enabled: true
|
86
|
+
|
87
|
+
Rails/RenderPlainText:
|
88
|
+
Enabled: true
|
89
|
+
|
90
|
+
Rails/ShortI18n:
|
91
|
+
Enabled: true
|
92
|
+
|
93
|
+
Rails/SquishedSQLHeredocs:
|
94
|
+
Enabled: true
|
95
|
+
|
96
|
+
Rails/WhereExists:
|
97
|
+
Enabled: false
|
98
|
+
|
99
|
+
Rails/WhereNot:
|
100
|
+
Enabled: false
|
@@ -0,0 +1,234 @@
|
|
1
|
+
require:
|
2
|
+
- rubocop-rspec
|
3
|
+
|
4
|
+
RSpec/ContextMethod:
|
5
|
+
Enabled: false
|
6
|
+
|
7
|
+
RSpec/LeakyConstantDeclaration:
|
8
|
+
Enabled: false
|
9
|
+
|
10
|
+
RSpec/EmptyLineAfterExample:
|
11
|
+
Enabled: false
|
12
|
+
|
13
|
+
RSpec/AnyInstance:
|
14
|
+
Description: Check that instances are not being stubbed globally.
|
15
|
+
Enabled: true
|
16
|
+
|
17
|
+
RSpec/AroundBlock:
|
18
|
+
Description: Checks that around blocks actually run the test.
|
19
|
+
Enabled: true
|
20
|
+
|
21
|
+
RSpec/BeEql:
|
22
|
+
Description: Check for expectations where `be(...)` can replace `eql(...)`.
|
23
|
+
Enabled: true
|
24
|
+
|
25
|
+
RSpec/BeforeAfterAll:
|
26
|
+
Description: Check that before/after(:all) isn't being used.
|
27
|
+
Enabled: false
|
28
|
+
|
29
|
+
RSpec/DescribeClass:
|
30
|
+
Description: Check that the first argument to the top level describe is a constant.
|
31
|
+
Enabled: false
|
32
|
+
|
33
|
+
RSpec/DescribedClass:
|
34
|
+
Description: Checks that tests use `described_class`.
|
35
|
+
SkipBlocks: false
|
36
|
+
Enabled: false
|
37
|
+
EnforcedStyle: described_class
|
38
|
+
SupportedStyles:
|
39
|
+
- described_class
|
40
|
+
- explicit
|
41
|
+
|
42
|
+
RSpec/DescribeMethod:
|
43
|
+
Description: Checks that the second argument to `describe` specifies a method.
|
44
|
+
Enabled: false
|
45
|
+
|
46
|
+
RSpec/DescribeSymbol:
|
47
|
+
Description: Avoid describing symbols.
|
48
|
+
Enabled: false
|
49
|
+
|
50
|
+
RSpec/IteratedExpectation:
|
51
|
+
Description: Check that `all` matcher is used instead of iterating over an array.
|
52
|
+
Enabled: true
|
53
|
+
|
54
|
+
RSpec/EmptyExampleGroup:
|
55
|
+
Description: Checks if an example group does not include any tests.
|
56
|
+
Enabled: true
|
57
|
+
|
58
|
+
RSpec/EmptyLineAfterFinalLet:
|
59
|
+
Description: Checks if there is an empty line after the last let block.
|
60
|
+
Enabled: false
|
61
|
+
|
62
|
+
RSpec/EmptyLineAfterSubject:
|
63
|
+
Description: Checks if there is an empty line after subject block.
|
64
|
+
Enabled: false
|
65
|
+
|
66
|
+
RSpec/ExampleLength:
|
67
|
+
Description: Checks for long examples.
|
68
|
+
Enabled: false
|
69
|
+
Max: 5
|
70
|
+
|
71
|
+
RSpec/ExampleWording:
|
72
|
+
Description: Checks for common mistakes in example descriptions.
|
73
|
+
Enabled: true
|
74
|
+
CustomTransform:
|
75
|
+
be: is
|
76
|
+
BE: IS
|
77
|
+
have: has
|
78
|
+
HAVE: HAS
|
79
|
+
IgnoredWords: []
|
80
|
+
|
81
|
+
RSpec/ExpectActual:
|
82
|
+
Description: Checks for `expect(...)` calls containing literal values.
|
83
|
+
Enabled: true
|
84
|
+
|
85
|
+
RSpec/ExpectOutput:
|
86
|
+
Description: Checks for opportunities to use `expect { ... }.to output`.
|
87
|
+
Enabled: false
|
88
|
+
|
89
|
+
RSpec/FilePath:
|
90
|
+
Description: Checks that spec file paths are consistent with the test subject.
|
91
|
+
Enabled: false
|
92
|
+
CustomTransform:
|
93
|
+
RuboCop: rubocop
|
94
|
+
RSpec: rspec
|
95
|
+
IgnoreMethods: false
|
96
|
+
|
97
|
+
RSpec/Focus:
|
98
|
+
Description: Checks if examples are focused.
|
99
|
+
Enabled: false
|
100
|
+
|
101
|
+
RSpec/HookArgument:
|
102
|
+
Description: Checks the arguments passed to `before`, `around`, and `after`.
|
103
|
+
Enabled: true
|
104
|
+
EnforcedStyle: implicit
|
105
|
+
SupportedStyles:
|
106
|
+
- implicit
|
107
|
+
- each
|
108
|
+
- example
|
109
|
+
|
110
|
+
RSpec/ImplicitExpect:
|
111
|
+
Description: Check that a consistent implicit expectation style is used.
|
112
|
+
Enabled: true
|
113
|
+
EnforcedStyle: is_expected
|
114
|
+
SupportedStyles:
|
115
|
+
- is_expected
|
116
|
+
- should
|
117
|
+
|
118
|
+
RSpec/InstanceSpy:
|
119
|
+
Description: Checks for `instance_double` used with `have_received`.
|
120
|
+
Enabled: false
|
121
|
+
|
122
|
+
RSpec/InstanceVariable:
|
123
|
+
Description: Checks for instance variable usage in specs.
|
124
|
+
AssignmentOnly: false
|
125
|
+
Enabled: false
|
126
|
+
|
127
|
+
RSpec/ItBehavesLike:
|
128
|
+
Description: Checks that only one `it_behaves_like` style is used.
|
129
|
+
Enabled: true
|
130
|
+
EnforcedStyle: it_behaves_like
|
131
|
+
SupportedStyles:
|
132
|
+
- it_behaves_like
|
133
|
+
- it_should_behave_like
|
134
|
+
|
135
|
+
RSpec/LeadingSubject:
|
136
|
+
Description: Checks for `subject` definitions that come after `let` definitions.
|
137
|
+
Enabled: true
|
138
|
+
|
139
|
+
RSpec/LetSetup:
|
140
|
+
Description: Checks unreferenced `let!` calls being used for test setup.
|
141
|
+
Enabled: true
|
142
|
+
|
143
|
+
RSpec/MessageChain:
|
144
|
+
Description: Check that chains of messages are not being stubbed.
|
145
|
+
Enabled: true
|
146
|
+
|
147
|
+
RSpec/MessageExpectation:
|
148
|
+
Description: Checks for consistent message expectation style.
|
149
|
+
Enabled: false
|
150
|
+
EnforcedStyle: allow
|
151
|
+
SupportedStyles:
|
152
|
+
- allow
|
153
|
+
- expect
|
154
|
+
|
155
|
+
RSpec/MessageSpies:
|
156
|
+
Description: Checks that message expectations are set using spies.
|
157
|
+
Enabled: false
|
158
|
+
EnforcedStyle: have_received
|
159
|
+
SupportedStyles:
|
160
|
+
- have_received
|
161
|
+
- receive
|
162
|
+
|
163
|
+
RSpec/MultipleDescribes:
|
164
|
+
Description: Checks for multiple top level describes.
|
165
|
+
Enabled: true
|
166
|
+
|
167
|
+
RSpec/MultipleExpectations:
|
168
|
+
Description: Checks if examples contain too many `expect` calls.
|
169
|
+
Enabled: false
|
170
|
+
Max: 1
|
171
|
+
|
172
|
+
RSpec/MultipleMemoizedHelpers:
|
173
|
+
Enabled: false
|
174
|
+
|
175
|
+
RSpec/NamedSubject:
|
176
|
+
Description: Checks for explicitly referenced test subjects.
|
177
|
+
Enabled: true
|
178
|
+
|
179
|
+
RSpec/NestedGroups:
|
180
|
+
Description: Checks for nested example groups.
|
181
|
+
Enabled: true
|
182
|
+
Max: 4
|
183
|
+
|
184
|
+
RSpec/NotToNot:
|
185
|
+
Description: Checks for consistent method usage for negating expectations.
|
186
|
+
EnforcedStyle: not_to
|
187
|
+
SupportedStyles:
|
188
|
+
- not_to
|
189
|
+
- to_not
|
190
|
+
Enabled: false
|
191
|
+
|
192
|
+
RSpec/OverwritingSetup:
|
193
|
+
Enabled: true
|
194
|
+
Description: Checks if there is a let/subject that overwrites an existing one.
|
195
|
+
|
196
|
+
RSpec/RepeatedDescription:
|
197
|
+
Enabled: true
|
198
|
+
Description: Check for repeated description strings in example groups.
|
199
|
+
|
200
|
+
RSpec/RepeatedExample:
|
201
|
+
Enabled: true
|
202
|
+
Description: Check for repeated examples within example groups.
|
203
|
+
|
204
|
+
RSpec/SharedContext:
|
205
|
+
Description: Checks for proper shared_context and shared_examples usage.
|
206
|
+
Enabled: true
|
207
|
+
|
208
|
+
RSpec/SingleArgumentMessageChain:
|
209
|
+
Description: Checks that chains of messages contain more than one element.
|
210
|
+
Enabled: true
|
211
|
+
|
212
|
+
RSpec/ScatteredLet:
|
213
|
+
Description: Checks for let scattered across the example group.
|
214
|
+
Enabled: true
|
215
|
+
|
216
|
+
RSpec/ScatteredSetup:
|
217
|
+
Description: Checks for setup scattered across multiple hooks in an example group.
|
218
|
+
Enabled: false
|
219
|
+
|
220
|
+
RSpec/SubjectStub:
|
221
|
+
Description: Checks for stubbed test subjects.
|
222
|
+
Enabled: true
|
223
|
+
|
224
|
+
RSpec/VerifiedDoubles:
|
225
|
+
Description: Prefer using verifying doubles over normal doubles.
|
226
|
+
Enabled: false
|
227
|
+
IgnoreSymbolicNames: true
|
228
|
+
|
229
|
+
Metrics/BlockLength:
|
230
|
+
Exclude:
|
231
|
+
- 'spec/**/*.rb'
|
232
|
+
|
233
|
+
RSpec/StubbedMock:
|
234
|
+
Enabled: false
|
@@ -0,0 +1,25 @@
|
|
1
|
+
require:
|
2
|
+
- './lib/simplycop/security/csrf_token_validation.rb'
|
3
|
+
- './lib/simplycop/security/reject_all_requests_local.rb'
|
4
|
+
- './lib/simplycop/security/check_for_vulnerable_code.rb'
|
5
|
+
|
6
|
+
AllCops:
|
7
|
+
ExtraDetails: true
|
8
|
+
|
9
|
+
Security/CSRFTokenValidation:
|
10
|
+
Enabled: true
|
11
|
+
Details: >-
|
12
|
+
It is important to have authenticity token validation enabled.
|
13
|
+
if you need to disable it please check with InfoSec department first.
|
14
|
+
|
15
|
+
Security/RejectAllRequestsLocal:
|
16
|
+
Enabled: true
|
17
|
+
Details: >-
|
18
|
+
Affected environments are integration, staging, production
|
19
|
+
if you need to disable it please check with InfoSec department first.
|
20
|
+
|
21
|
+
Security/CheckForVulnerableCode:
|
22
|
+
Enabled: true
|
23
|
+
Details: >-
|
24
|
+
Please make sure that this is addressed accordingly.
|
25
|
+
Do not hesitate to contact infosec for help and guidance
|
data/CODEOWNERS
ADDED
data/Gemfile
ADDED
data/README.md
ADDED
@@ -0,0 +1,73 @@
|
|
1
|
+
# Simplycop
|
2
|
+
|
3
|
+
Provides standard shared rubocop configuration for Simply Business applications. No more copying `.rubocop.yml`, no more out-of-sync configuration files. Yay!
|
4
|
+
|
5
|
+
## Installation
|
6
|
+
|
7
|
+
Add this line to your application's Gemfile:
|
8
|
+
|
9
|
+
```ruby
|
10
|
+
gem 'simplycop', git: 'git@github.com:simplybusiness/simplycop.git'
|
11
|
+
|
12
|
+
```
|
13
|
+
|
14
|
+
Then install gems by executing:
|
15
|
+
|
16
|
+
$ bundle install
|
17
|
+
|
18
|
+
Put following lines at the beginning of your `rubocop.yml` file:
|
19
|
+
|
20
|
+
```yaml
|
21
|
+
inherit_gem:
|
22
|
+
simplycop: .simplycop.yml
|
23
|
+
|
24
|
+
AllCops:
|
25
|
+
Exclude:
|
26
|
+
- 'vendor/**/*'
|
27
|
+
```
|
28
|
+
|
29
|
+
* If you are implementing this in rails project and have rspec , you probably want the standard rails and rspec cops. you can include this by adding:
|
30
|
+
|
31
|
+
```yaml
|
32
|
+
inherit_gem:
|
33
|
+
simplycop:
|
34
|
+
- .simplycop.yml
|
35
|
+
- .simplycop_rails.yml
|
36
|
+
- .simplycop_rspec.yml
|
37
|
+
```
|
38
|
+
|
39
|
+
## Usage
|
40
|
+
|
41
|
+
Run Rubocop as you would usually do, i.e.
|
42
|
+
|
43
|
+
$ bundle exec rubocop
|
44
|
+
|
45
|
+
or from your continuous integration tool.
|
46
|
+
|
47
|
+
## Guidances
|
48
|
+
|
49
|
+
* If you are implementing this in a non-rails project, you probably don't want or need the rails cops. In case they cause problems, you can exclude them using:
|
50
|
+
```yaml
|
51
|
+
Rails:
|
52
|
+
Enabled: false
|
53
|
+
```
|
54
|
+
* When adding rubocop and simplycop to a legacy project, you might want to initially disable some of the rules.
|
55
|
+
|
56
|
+
## Security Cops
|
57
|
+
- CheckForVulnerableCode
|
58
|
+
|
59
|
+
This cop was built to identify possible Rails vulnerable code.
|
60
|
+
Its purpose is to raise an awareness of the finding.
|
61
|
+
When an offence was raised, please seek for help and guidance from application security team.
|
62
|
+
|
63
|
+
IMPORTANT:
|
64
|
+
This cop must be enabled at all times, if you need to disable it please check with AppSec team first.
|
65
|
+
|
66
|
+
Example of vulnerable code:
|
67
|
+
|
68
|
+
```ruby
|
69
|
+
class BooksController < ApplicationController
|
70
|
+
caches_page :show
|
71
|
+
end
|
72
|
+
```
|
73
|
+
Vulnerability Details: https://nvd.nist.gov/vuln/detail/CVE-2020-8159
|