spektr 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1fc431414443b9c71ebb40106d82714215ba142d1226b3580e324faf786f86ad
-  data.tar.gz: d768f7a18250b9ad59f6331cf65a03fadd38a8501b2f24489a139c62c33d0730
+  metadata.gz: a10d35b4824401e5731ad470bbdc042ee63a11e9df5abd1eec5552005e44f25f
+  data.tar.gz: 28859b54116afb3847fcc96a32260aa00f8deb3d02135149a219d14fe58f4261
 SHA512:
-  metadata.gz: 463d421a7a50013946fee4768b474fe2f0222522cd472351c2cb7a1a8d61a618c653944507fc7e101c606350a51731a30ec6d42a363da5e6b96d597035700ed9
-  data.tar.gz: 185c2584b1dba4e5a81fbf6c31b9ae029c2292eedd6c8366d1bb89eb146f02329810465306c2e0bc99482782d3fbe81782f36511c57c52a21341e8d26bd647ca
+  metadata.gz: a78047b2e601f90fe6008ebfb2ea0c440e4168ee9493fcd5f6ad83108a752fabfec9f957d0892b302565a0549220179e3a796dc9bc0fd7ab35ccfd9db61bffd9
+  data.tar.gz: fdc98737aed0b3fcc042cb745b6093d2a17790705932096df952ff48e8eea714275f57a3a9f9313d60e5fb5fc4798da23e5af8695e5e914c7aa08c79cc5074a4

data/CHANGELOG.md

@@ -1,3 +1,11 @@
 # Change Log
 
 ## Unreleased
+
+## 0.3.0
+
+* Add support to ignore findings
+
+## 0.2.0
+
+* add Slim support

data/Gemfile.lock

@@ -1,13 +1,14 @@
 PATH
   remote: .
   specs:
-    spektr (0.1.0)
+    spektr (0.3.0)
       activesupport (~> 6.1.0)
       erubi
       haml (~> 5.1)
       parser (~> 3.0.0)
       pastel
       ruby_parser (~> 3.13)
+      slim
       tty-color
       tty-option
       tty-spinner
@@ -18,7 +19,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.1.6)
+    activesupport (6.1.7)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -29,7 +30,7 @@ GEM
     coderay (1.1.3)
     concurrent-ruby (1.1.10)
     diff-lcs (1.5.0)
-    erubi (1.10.0)
+    erubi (1.11.0)
     ffi (1.15.5)
     formatador (0.3.0)
     guard (2.18.0)
@@ -48,7 +49,7 @@ GEM
     haml (5.2.2)
       temple (>= 0.8.0)
       tilt
-    i18n (1.10.0)
+    i18n (1.12.0)
       concurrent-ruby (~> 1.0)
     listen (3.7.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
@@ -91,6 +92,9 @@ GEM
       sexp_processor (~> 4.16)
     sexp_processor (4.16.1)
     shellany (0.0.1)
+    slim (4.1.0)
+      temple (>= 0.7.6, < 0.9)
+      tilt (>= 2.0.6, < 2.1)
     strings (0.2.1)
       strings-ansi (~> 0.2)
       unicode-display_width (>= 1.5, < 3.0)
@@ -98,7 +102,7 @@ GEM
     strings-ansi (0.2.0)
     temple (0.8.2)
     thor (1.2.1)
-    tilt (2.0.10)
+    tilt (2.0.11)
     tty-color (0.6.0)
     tty-cursor (0.7.1)
     tty-option (0.2.0)
@@ -109,14 +113,14 @@ GEM
       pastel (~> 0.8)
       strings (~> 0.2.0)
       tty-screen (~> 0.8)
-    tzinfo (2.0.4)
+    tzinfo (2.0.5)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.1.0)
     unicode_utils (1.4.0)
     unparser (0.6.2)
       diff-lcs (~> 1.3)
       parser (>= 3.0.0)
-    zeitwerk (2.6.0)
+    zeitwerk (2.6.1)
 
 PLATFORMS
   ruby

data/README.md

@@ -34,6 +34,20 @@ If you want to scan an app in another folder:
 spektr path/to/app
 ```
 
+To see the available options, you can run `spektr --help`.
+
+To ignore a finding, you can use the `--ignore` flag with a comma separated list of fingerprints from the report.
+
+
+### Railsgoat Example output
+
+![Railgoat example](https://github.com/gregmolnar/spektr/blob/master/railsgoat-example.png)
+
+### False positives
+
+Due to the nature of static-code analysis, Spektr might report false positives. Please report them, so I can try
+to tweak the check.
+
 
 ## Development
 
@@ -43,12 +57,13 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/spektr. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/gregmolnar/spektr/blob/master/CODE_OF_CONDUCT.md).
+Bug reports and pull requests are welcome on GitHub at https://github.com/gregmolnar/spektr. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/gregmolnar/spektr/blob/master/CODE_OF_CONDUCT.md).
 
 
 ## License
 
-The gem is available as open source under the terms described in the [licence](https://github.com/gregmolnar/spektr/blob/master/licence.txt). Non-commercial use is free of charge, to obtain a commercial licence, contact us at info[at]spektrhq.com.
+The gem is available as open source under the terms described in the [licence](https://github.com/gregmolnar/spektr/blob/master/LICENSE.txt). Non-commercial use is free of charge, to obtain a commercial licence, contact us at info[at]spektrhq.com.
+If you are looking for a hosted solution, take a look at [SpektrHQ](https://spektrhq.com).
 
 
 ## Code of Conduct
@@ -63,7 +78,7 @@ Yes, this is perfectly fine without obtaining a licence. You can however donate
 
 ### I want to use Spektr in my automated code analyser SaaS, do I need a commercial licence?
 
-Yes, plese get in touch at info[at]spektrhq.com and we will work something out.
+Yes, please get in touch at info[at]spektrhq.com and we will work something out.
 
 ### I am a penetration tester and I'd like to use Spektr to audit on a paid engagement. Do I need a commercial licence?
 

data/lib/spektr/app.rb

@@ -7,7 +7,7 @@ module Spektr
       @@parser ||= Parser::CurrentRuby
     end
 
-    def initialize(checks:, root: './')
+    def initialize(checks:, ignore:, root: './')
       @root = root
       @checks = checks
       @controllers = []
@@ -17,6 +17,7 @@ module Spektr
         app: {},
         advisories: []
       }
+      @ignore = ignore || []
       @ruby_version = '2.7.1'
       version_file = File.join(root, '.ruby-version')
       @ruby_version = File.read(version_file).lines.first if File.exist?(version_file)
@@ -137,7 +138,7 @@ module Spektr
       self
     end
 
-    def report(_format = 'terminal')
+    def report
       @json_output[:app][:rails_version] = @rails_version
       @json_output[:app][:initializers] = @initializers.size
       @json_output[:app][:controllers] = @controllers.size
@@ -147,13 +148,16 @@ module Spektr
       @json_output[:app][:lib_files] = @lib_files.size
 
       @warnings.each do |warning|
+        next if @ignore.include?(warning.fingerprint)
+
         @json_output[:advisories] << {
           name: warning.check.name,
           description: warning.message,
           path: warning.path,
           location: warning.location&.line,
           line: warning.line,
-          check: warning.check.class.name
+          check: warning.check.class.name,
+          fingerprint: warning.fingerprint
         }
       end
 

data/lib/spektr/cli.rb

@@ -25,6 +25,11 @@ module Spektr
       desc 'run this single check'
     end
 
+    flag :ignore do
+      long '--ignore string'
+      desc 'comma separated list of fingerprints to ignore'
+    end
+
     flag :debug do
       long '--debug'
       short '-d'
@@ -42,7 +47,8 @@ module Spektr
         print help
         exit
       else
-        report = Spektr.run(params[:root], params[:output_format], params[:debug], params[:check])
+        ignore = params[:ignore] ? params[:ignore].split(',') : []
+        report = Spektr.run(params[:root], params[:output_format], params[:debug], params[:check], ignore)
         case params[:output_format]
         when 'json'
           puts JSON.pretty_generate report

data/lib/spektr/targets/view.rb

@@ -1,7 +1,7 @@
 module Spektr
   module Targets
     class View < Base
-      TEMPLATE_EXTENSIONS = /.*\.(erb|rhtml|haml)$/
+      TEMPLATE_EXTENSIONS = /.*\.(erb|rhtml|haml|slim)$/
       attr_accessor :view_path
 
       def initialize(path, content)
@@ -27,6 +27,9 @@ module Spektr
           Erubi.new(content, trim_mode: '-').src
         when :haml
           Haml::Engine.new(content).precompiled
+        when :slim
+          erb = Slim::ERBConverter.new.call(content)
+          Erubi.new(erb, trim_mode: '-').src
         end
       end
     end

data/lib/spektr/version.rb

@@ -1,3 +1,3 @@
 module Spektr
-  VERSION = "0.1.0"
+  VERSION = '0.3.0'
 end

data/lib/spektr/warning.rb

@@ -1,15 +1,16 @@
+require 'digest'
+
 module Spektr
   class Warning
     attr_accessor :path, :full_path, :check, :location, :message, :confidence, :line
+
     def initialize(path, full_path, check, location, message, confidence = :high)
       @path = path
       @check = check
       @location = location
       @message = message
       @confidence = confidence
-      if full_path && @location && File.exist?(full_path)
-        @line = IO.readlines(full_path)[@location.line - 1].strip
-      end
+      @line = IO.readlines(full_path)[@location.line - 1].strip if full_path && @location && File.exist?(full_path)
     end
 
     def full_message
@@ -19,5 +20,9 @@ module Spektr
         "#{message}"
       end
     end
+
+    def fingerprint
+      Digest::MD5.hexdigest("#{path}:#{line}:#{check.name}")
+    end
   end
 end

data/lib/spektr.rb

@@ -1,9 +1,11 @@
-require 'spektr/version'
+# frozen_string_literal: true
+
 require 'bundler'
 require 'parser'
 require 'parser/current'
 require 'unparser'
 require 'erb'
+require 'slim/erb_converter'
 require 'haml'
 require 'active_support/core_ext/string/inflections'
 require 'logger'
@@ -13,33 +15,37 @@ require 'tty/table'
 require 'zeitwerk'
 loader = Zeitwerk::Loader.for_gem
 loader.collapse("#{__dir__}/processors")
-loader.setup # ready!
-loader.eager_load
+loader.setup
 
 module Spektr
   class Error < StandardError; end
 
-  def self.run(root = nil, output_format = 'terminal', debug = false, checks = nil)
+  def self.run(root = nil, output_format = 'terminal', debug = false, checks = nil, ignore = [])
     pastel = Pastel.new
     @output_format = output_format
     start_spinner('Initializing')
-    @log_level = debug ? Logger::DEBUG : Logger::WARN
+    if debug
+      Logger::DEBUG
+    elsif terminal?
+      Logger::ERROR
+    else
+      Logger::WARN
+    end
     checks = Checks.load(checks)
     root = './' if root.nil?
-    @app = App.new(checks: checks, root: root)
+    @app = App.new(checks: checks, root: root, ignore: ignore)
     stop_spinner
-    puts "\n"
-    puts pastel.bold('Checks:')
-    puts "\n"
-    puts checks.collect(&:name).join(', ')
-    # table = TTY::Table.new([['Checks', checks.collect(&:name).join(', ')]])
-    # puts table.render(:basic)
-    puts "\n"
+    if terminal?
+      puts "\n"
+      puts pastel.bold('Checks:')
+      puts "\n"
+      puts checks.collect(&:name).join(', ')
+      puts "\n"
+    end
 
     start_spinner('Loading files')
     @app.load
     stop_spinner
-    puts "\n"
     table = TTY::Table.new([
                              ['Rails version', @app.rails_version],
                              ['Initializers', @app.initializers.size],
@@ -49,13 +55,17 @@ module Spektr
                              ['Routes', @app.routes.size],
                              ['Lib files', @app.lib_files.size]
                            ])
-    puts table.render(:basic)
-    puts "\n"
+    if terminal?
+      puts "\n"
+      puts table.render(:basic)
+      puts "\n"
+    end
     start_spinner('Scanning files')
     @app.scan!
     stop_spinner
     puts "\n"
     json = @app.report
+
     case output_format
     when 'json'
       json
@@ -69,6 +79,7 @@ module Spektr
         puts "#{pastel.green('Path:')} #{advisory[:path]}\n"
         puts "#{pastel.green('Location:')} #{advisory[:location]}\n"
         puts "#{pastel.green('Code:')} #{advisory[:line]}\n"
+        puts "#{pastel.green('Fingerprint:')} #{advisory[:fingerprint]}\n"
         puts "\n"
         puts "\n"
       end
@@ -112,7 +123,7 @@ module Spektr
 
   def self.logger
     @logger ||= begin
-      logger = Logger.new(STDOUT)
+      logger = Logger.new($stdout)
       logger.level = @log_level || Logger::WARN
       logger
     end

data/spektr.gemspec

@@ -33,6 +33,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'parser', '~> 3.0.0'
   spec.add_dependency 'pastel'
   spec.add_dependency 'ruby_parser', '~>3.13'
+  spec.add_dependency 'slim'
   spec.add_dependency 'tty-color'
   spec.add_dependency 'tty-option'
   spec.add_dependency 'tty-spinner'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: spektr
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Greg Molnar
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-06-21 00:00:00.000000000 Z
+date: 2022-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -94,6 +94,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.13'
+- !ruby/object:Gem::Dependency
+  name: slim
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: tty-color
   requirement: !ruby/object:Gem::Requirement
@@ -334,6 +348,7 @@ files:
 - lib/spektr/targets/view.rb
 - lib/spektr/version.rb
 - lib/spektr/warning.rb
+- railsgoat-example.png
 - spektr.gemspec
 homepage: https://railscop.com
 licenses: