Adding pre-commit hook for bundler audit

sds · Jul 10, 2016 · 83cd1b6 · 83cd1b6
1 parent e243f97
commit 83cd1b6
Show file tree

Hide file tree

Showing 3 changed files with 111 additions and 0 deletions.
diff --git a/config/default.yml b/config/default.yml
@@ -164,6 +164,12 @@ PreCommit:
     description: 'Check for broken symlinks'
     quiet: true
 
+  BundleAudit:
+    enabled: false
+    description: 'Check for vulnerable versions of gems'
+    required_executable: 'bundle-audit'
+    install_command: 'gem install bundler-audit'
+
   BundleCheck:
     enabled: false
     description: 'Check Gemfile dependencies'

diff --git a/lib/overcommit/hook/pre_commit/bundle_audit.rb b/lib/overcommit/hook/pre_commit/bundle_audit.rb
@@ -0,0 +1,21 @@
+module Overcommit::Hook::PreCommit
+  # Checks for vulnerable versions of gems in Gemfile.lock.
+  #
+  # @see https://github.com/rubysec/bundler-audit
+  class BundleAudit < Base
+    LOCK_FILE = 'Gemfile.lock'.freeze
+
+    def run
+      # Ignore if Gemfile.lock is not tracked by git
+      ignored_files = execute(%w[git ls-files -o -i --exclude-standard]).stdout.split("\n")
+      return :pass if ignored_files.include?(LOCK_FILE)
+
+      result = execute(command)
+      if result.success?
+        :pass
+      else
+        return [:warn, result.stdout]
+      end
+    end
+  end
+end
diff --git a/spec/overcommit/hook/pre_commit/bundle_audit_spec.rb b/spec/overcommit/hook/pre_commit/bundle_audit_spec.rb
@@ -0,0 +1,84 @@
+require 'spec_helper'
+
+describe Overcommit::Hook::PreCommit::BundleAudit do
+  let(:config)  { Overcommit::ConfigurationLoader.default_configuration }
+  let(:context) { double('context') }
+  subject { described_class.new(config, context) }
+
+  context 'when Gemfile.lock is ignored' do
+    around do |example|
+      repo do
+        touch 'Gemfile.lock'
+        echo('Gemfile.lock', '.gitignore')
+        `git add .gitignore`
+        `git commit -m "Ignore Gemfile.lock"`
+        example.run
+      end
+    end
+
+    it { should pass }
+  end
+
+  context 'when Gemfile.lock is not ignored' do
+    around do |example|
+      repo do
+        example.run
+      end
+    end
+
+    before do
+      subject.stub(:execute).with(%w[git ls-files -o -i --exclude-standard]).
+        and_return(double(stdout: ''))
+      subject.stub(:execute).with(%w[bundle-audit]).and_return(result)
+    end
+
+    context 'and it reports some outdated gems' do
+      let(:result) do
+        double(
+          success?: false,
+          stdout: <<-EOF
+Name: rest-client
+Version: 1.6.9
+Advisory: CVE-2015-1820
+Criticality: Unknown
+URL: https://github.com/rest-client/rest-client/issues/369
+Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
+Solution: upgrade to >= 1.8.0
+
+Name: rest-client
+Version: 1.6.9
+Advisory: CVE-2015-3448
+Criticality: Unknown
+URL: http://www.osvdb.org/show/osvdb/117461
+Title: Rest-Client Gem for Ruby logs password information in plaintext
+Solution: upgrade to >= 1.7.3
+
+Vulnerabilities found!
+EOF
+        )
+      end
+
+      it { should warn }
+    end
+
+    let(:result) do
+      double(
+        success?: false,
+        stdout: <<-EOF
+Insecure Source URI found: git://github.com/xxx/overcommit.git
+Vulnerabilities found!
+EOF
+      )
+    end
+
+    it { should warn }
+
+    context 'and it reports bundle up to date' do
+      let(:result) do
+        double(success?: true, stdout: 'No vulnerabilities found')
+      end
+
+      it { should pass }
+    end
+  end
+end