Adding pre-commit hook for bundler audit
Showing
3 changed files
with
111 additions
and
0 deletions.
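--- /dev/null
+++ b/PATH-NOT-ON-PAGE-hook.rb
@@ -0,0 +1,21 @@
+module Overcommit::Hook::PreCommit
+# Checks for vulnerable versions of gems in Gemfile.lock.
+#
+# @see https://github.com/rubysec/bundler-audit
+class BundleAudit < Base
+LOCK_FILE = 'Gemfile.lock'.freeze
+
+def run
+# Ignore if Gemfile.lock is not tracked by git
+ignored_files = execute(%w[git ls-files -o -i --exclude-standard]).stdout.split("\n")
+return :pass if ignored_files.include?(LOCK_FILE)
+
+result = execute(command)
+if result.success?
+:pass
+else
+return [:warn, result.stdout]
+end
+end
+end
+end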
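Review bot: The failure branch `return [:warn, result.stdout]` discards `result.stderr`, so when `bundle-audit` fails for a reason other than a finding — the gem not being installed, or presumably a missing or stale advisory database — the hook would report a warning with an empty message and the developer would not see why. If the subprocess result exposes stderr, as overcommit's `execute` results normally do, the branch should surface both streams: `return [:warn, result.stdout + result.stderr]`. Since `bundle-audit` only checks against its locally cached advisory database, a comment above `execute(command)` such as `# Findings are only as current as the local ruby-advisory-db (see bundle-audit update)` would save the next maintainer a false sense of coverage. Stylistically, the `if` mixes an implicit `:pass` with an explicit `return` on the `else` arm; dropping the `return` makes the two arms parallel.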
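--- /dev/null
+++ b/PATH-NOT-ON-PAGE-spec.rb
@@ -0,0 +1,84 @@
+require 'spec_helper'
+
+describe Overcommit::Hook::PreCommit::BundleAudit do
+let(:config) { Overcommit::ConfigurationLoader.default_configuration }
+let(:context) { double('context') }
+subject { described_class.new(config, context) }
+
+context 'when Gemfile.lock is ignored' do
+around do |example|
+repo do
+touch 'Gemfile.lock'
+echo('Gemfile.lock', '.gitignore')
+`git add .gitignore`
+`git commit -m "Ignore Gemfile.lock"`
+example.run
+end
+end
+
+it { should pass }
+end
+
+context 'when Gemfile.lock is not ignored' do
+around do |example|
+repo do
+example.run
+end
+end
+
+before do
+subject.stub(:execute).with(%w[git ls-files -o -i --exclude-standard]).
+and_return(double(stdout: ''))
+subject.stub(:execute).with(%w[bundle-audit]).and_return(result)
+end
+
+context 'and it reports some outdated gems' do
+let(:result) do
+double(
+success?: false,
+stdout: <<-EOF
+Name: rest-client
+Version: 1.6.9
+Advisory: CVE-2015-1820
+Criticality: Unknown
+URL: https://github.com/rest-client/rest-client/issues/369
+Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
+Solution: upgrade to >= 1.8.0
+Name: rest-client
+Version: 1.6.9
+Advisory: CVE-2015-3448
+Criticality: Unknown
+URL: http://www.osvdb.org/show/osvdb/117461
+Title: Rest-Client Gem for Ruby logs password information in plaintext
+Solution: upgrade to >= 1.7.3
+Vulnerabilities found!
+EOF
+)
+end
+
+it { should warn }
+end
+
+let(:result) do
+double(
+success?: false,
+stdout: <<-EOF
+Insecure Source URI found: git://github.com/xxx/overcommit.git
+Vulnerabilities found!
+EOF
+)
+end
+
+it { should warn }
+
+context 'and it reports bundle up to date' do
+let(:result) do
+double(success?: true, stdout: 'No vulnerabilities found')
+end
+
+it { should pass }
+end
+end
+end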
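Review bot: The `let(:result)` holding the insecure-source fixture and the bare `it { should warn }` that follow the 'and it reports some outdated gems' context are not wrapped in a context of their own, so that example runs with no description and the `let` silently becomes the default `result` for the entire 'when Gemfile.lock is not ignored' context rather than for one case. Wrapping the two in `context 'and it reports an insecure source' do` … `end` gives the example a name and keeps each fixture scoped to the case it describes. The `subject.stub(...).with(...)` calls use the older RSpec `should`/`stub` syntax; if the suite has otherwise moved to the `expect` syntax, `allow(subject).to receive(:execute).with(...)` would be the consistent form, but that depends on the spec_helper configuration, which is not on the page.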