adapter for brakeman

2019-11-01 18:37:30 +01:00 · 2019-11-01 18:37:30 +01:00 · ef286dea64
commit ef286dea64
parent 144099eee3
13 changed files with 327 additions and 3375 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,5 @@
 spec
 Gemfile
 Gemfile.lock
 LICENSE
 README.md
--- a/15
+++ b/15
@ -1,18 +1,15 @@
 FROM ruby:2.6.5-alpine
-RUN apk add --update build-base git
+LABEL "com.github.actions.name"="Brakeman linter"
-
+LABEL "com.github.actions.description"="A GitHub Action that lints your Ruby code with Brakeman!"
 LABEL "com.github.actions.name"="Rubocop Linter"
 LABEL "com.github.actions.description"="A GitHub Action that lints your Ruby code with Rubocop!"
 LABEL "com.github.actions.icon"="code"
 LABEL "com.github.actions.color"="red"
-
+LABEL "repository"="https://github.com/devmasx/brakeman-linter-action"
-LABEL "repository"="https://github.com/andrewmcodes/rubocop-linter-action"
+LABEL "maintainer"="Miguel Savignano <migue.masx@gmail.com>"
 LABEL "maintainer"="Andrew Mason <andrewmcodes@protonmail.com>"
 LABEL "version"="1.0.0"
 RUN gem install brakeman
 COPY lib /action/lib
 RUN gem install bundler
-ENTRYPOINT ["/action/lib/entrypoint.sh"]
+CMD ["ruby", "/action/lib/index.rb"]
--- a/lib/action.json
+++ b/lib/action.json
@ -1,8 +1,8 @@
 {
  "repository": {
    "owner": {
-      "login": "andrewmcodes"
+      "login": "devmasx"
-    }
+    },
-    ,"name": "rubocop-linter"
+    "name": "brakeman-linter"
  }
 }
--- a/lib/entrypoint.sh
+++ b/lib/entrypoint.sh
@ -1,7 +0,0 @@
 #!/bin/sh
 set -e
 gem install rubocop rubocop-performance rubocop-rails rubocop-minitest rubocop-rspec
 ruby /action/lib/index.rb
--- a/lib/github_check_run_service.rb
+++ b/lib/github_check_run_service.rb
@ -7,7 +7,7 @@ class GithubCheckRunService
    @report = report
    @github_data = github_data
    @report_adapter = report_adapter
-    @client = GithubClient.new(@github_data[:token], user_agent: 'rubocop-action')
+    @client = GithubClient.new(@github_data[:token], user_agent: 'brakeman-action')
  end
  def run
--- a/lib/index.rb
+++ b/lib/index.rb
@ -23,7 +23,7 @@ end
  if ENV['REPORT_PATH']
    read_json(ENV['REPORT_PATH'])
  else
-    Dir.chdir(ENV['GITHUB_WORKSPACE']) { JSON.parse(`rubocop -f json`) }
+    Dir.chdir(ENV['GITHUB_WORKSPACE']) { JSON.parse(`brakeman -f json`) }
  end
 GithubCheckRunService.new(@report, @github_data, ReportAdapter).run
--- a/lib/report_adapter.rb
+++ b/lib/report_adapter.rb
@ -1,54 +1,38 @@
 # frozen_string_literal: true
 # https://developer.github.com/v3/checks/runs/#output-object
 class ReportAdapter
  class << self
    CONCLUSION_TYPES = { failure: 'failure', success: 'success' }.freeze
-    ANNOTATION_LEVELS = {
+    ANNOTATION_LEVEL = { notice: 'notice', warning: 'warning', failure: 'failure' }.freeze
      'refactor' => 'failure',
      'convention' => 'failure',
      'warning' => 'warning',
      'error' => 'failure',
      'fatal' => 'failure'
    }.freeze
    def conslusion(report)
-      return CONCLUSION_TYPES[:failure] if total_offenses(report).positive?
+      return CONCLUSION_TYPES[:failure] if security_warnings(report).positive?
      CONCLUSION_TYPES[:success]
    end
    def summary(report)
-      "#{total_offenses(report)} offense(s) found"
+      "**Brakeman Report**: \n - #{security_warnings(report)} security warnings"
    end
    def annotations(report)
-      annotation_list = []
+      report['warnings'].map do |error|
-      count = 0
+        {
-      report['files'].each do |file|
+          'path' => error['file'],
-        file['offenses'].each do |offense|
+          'start_line' => error['line'],
-          count += 1
+          'end_line' => error['line'],
-          return annotation_list if count == 48
+          'annotation_level' => ANNOTATION_LEVEL[:warning],
-
+          'title' => "#{error['confidence']} - #{error['check_name']}",
-          location = offense['location']
+          'message' => error['message']
-          annotation_list.push(
+        }
            'path' => file['path'],
            'start_line' => location['start_line'],
            'end_line' => location['last_line'],
            'annotation_level' => annotation_level(offense['severity']),
            'message' => offense['message']
          )
        end
      end
    end
    private
-    def annotation_level(severity)
+    def security_warnings(report)
-      ANNOTATION_LEVELS[severity]
+      report['scan_info']['security_warnings']
    end
    def total_offenses(report)
      report.dig('summary', 'offense_count')
    end
  end
 end
--- a/spec/fixtures/event.json
+++ b/spec/fixtures/event.json
@ -0,0 +1,171 @@
 {
  "after": "6668752dba6d4f1b1e72e88f7355889cc039176c",
  "base_ref": null,
  "before": "64bf02a0916fab1a4f5e91a7cd44068302cd31f7",
  "commits": [
    {
      "author": {
        "email": "migue.masx@gmail.com",
        "name": "Miguel Savignano",
        "username": "MiguelSavignano"
      },
      "committer": {
        "email": "migue.masx@gmail.com",
        "name": "Miguel Savignano",
        "username": "MiguelSavignano"
      },
      "distinct": true,
      "id": "6668752dba6d4f1b1e72e88f7355889cc039176c",
      "message": ".",
      "timestamp": "2019-10-24T01:13:19+02:00",
      "tree_id": "b99d954a0de55070aec5999d530dd7438210f594",
      "url": "https://github.com/MiguelSavignano/dockerize-rails/commit/6668752dba6d4f1b1e72e88f7355889cc039176c"
    }
  ],
  "compare": "https://github.com/MiguelSavignano/dockerize-rails/compare/64bf02a0916f...6668752dba6d",
  "created": false,
  "deleted": false,
  "forced": false,
  "head_commit": {
    "author": {
      "email": "migue.masx@gmail.com",
      "name": "Miguel Savignano",
      "username": "MiguelSavignano"
    },
    "committer": {
      "email": "migue.masx@gmail.com",
      "name": "Miguel Savignano",
      "username": "MiguelSavignano"
    },
    "distinct": true,
    "id": "6668752dba6d4f1b1e72e88f7355889cc039176c",
    "message": ".",
    "timestamp": "2019-10-24T01:13:19+02:00",
    "tree_id": "b99d954a0de55070aec5999d530dd7438210f594",
    "url": "https://github.com/MiguelSavignano/dockerize-rails/commit/6668752dba6d4f1b1e72e88f7355889cc039176c"
  },
  "pusher": {
    "email": "migue.masx@gmail.com",
    "name": "MiguelSavignano"
  },
  "ref": "refs/heads/test-brakeman-errros",
  "repository": {
    "archive_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/{archive_format}{/ref}",
    "archived": false,
    "assignees_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/assignees{/user}",
    "blobs_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/git/blobs{/sha}",
    "branches_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/branches{/branch}",
    "clone_url": "https://github.com/MiguelSavignano/dockerize-rails.git",
    "collaborators_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/collaborators{/collaborator}",
    "comments_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/comments{/number}",
    "commits_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/commits{/sha}",
    "compare_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/compare/{base}...{head}",
    "contents_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/contents/{+path}",
    "contributors_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/contributors",
    "created_at": 1546466490,
    "default_branch": "master",
    "deployments_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/deployments",
    "description": "Example rails with docker, docker-compose and minikube. Use worker with sidekiq and nginx web server.",
    "disabled": false,
    "downloads_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/downloads",
    "events_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/events",
    "fork": false,
    "forks": 1,
    "forks_count": 1,
    "forks_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/forks",
    "full_name": "MiguelSavignano/dockerize-rails",
    "git_commits_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/git/commits{/sha}",
    "git_refs_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/git/refs{/sha}",
    "git_tags_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/git/tags{/sha}",
    "git_url": "git://github.com/MiguelSavignano/dockerize-rails.git",
    "has_downloads": true,
    "has_issues": true,
    "has_pages": false,
    "has_projects": true,
    "has_wiki": true,
    "homepage": null,
    "hooks_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/hooks",
    "html_url": "https://github.com/MiguelSavignano/dockerize-rails",
    "id": 163894157,
    "issue_comment_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/issues/comments{/number}",
    "issue_events_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/issues/events{/number}",
    "issues_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/issues{/number}",
    "keys_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/keys{/key_id}",
    "labels_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/labels{/name}",
    "language": "Ruby",
    "languages_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/languages",
    "license": null,
    "master_branch": "master",
    "merges_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/merges",
    "milestones_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/milestones{/number}",
    "mirror_url": null,
    "name": "dockerize-rails",
    "node_id": "MDEwOlJlcG9zaXRvcnkxNjM4OTQxNTc=",
    "notifications_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/notifications{?since,all,participating}",
    "open_issues": 0,
    "open_issues_count": 0,
    "owner": {
      "avatar_url": "https://avatars3.githubusercontent.com/u/6641863?v=4",
      "email": "migue.masx@gmail.com",
      "events_url": "https://api.github.com/users/MiguelSavignano/events{/privacy}",
      "followers_url": "https://api.github.com/users/MiguelSavignano/followers",
      "following_url": "https://api.github.com/users/MiguelSavignano/following{/other_user}",
      "gists_url": "https://api.github.com/users/MiguelSavignano/gists{/gist_id}",
      "gravatar_id": "",
      "html_url": "https://github.com/MiguelSavignano",
      "id": 6641863,
      "login": "MiguelSavignano",
      "name": "MiguelSavignano",
      "node_id": "MDQ6VXNlcjY2NDE4NjM=",
      "organizations_url": "https://api.github.com/users/MiguelSavignano/orgs",
      "received_events_url": "https://api.github.com/users/MiguelSavignano/received_events",
      "repos_url": "https://api.github.com/users/MiguelSavignano/repos",
      "site_admin": false,
      "starred_url": "https://api.github.com/users/MiguelSavignano/starred{/owner}{/repo}",
      "subscriptions_url": "https://api.github.com/users/MiguelSavignano/subscriptions",
      "type": "User",
      "url": "https://api.github.com/users/MiguelSavignano"
    },
    "private": false,
    "pulls_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/pulls{/number}",
    "pushed_at": 1571872407,
    "releases_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/releases{/id}",
    "size": 249,
    "ssh_url": "git@github.com:MiguelSavignano/dockerize-rails.git",
    "stargazers": 1,
    "stargazers_count": 1,
    "stargazers_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/stargazers",
    "statuses_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/statuses/{sha}",
    "subscribers_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/subscribers",
    "subscription_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/subscription",
    "svn_url": "https://github.com/MiguelSavignano/dockerize-rails",
    "tags_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/tags",
    "teams_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/teams",
    "trees_url": "https://api.github.com/repos/MiguelSavignano/dockerize-rails/git/trees{/sha}",
    "updated_at": "2019-04-10T17:03:40Z",
    "url": "https://github.com/MiguelSavignano/dockerize-rails",
    "watchers": 1,
    "watchers_count": 1
  },
  "sender": {
    "avatar_url": "https://avatars3.githubusercontent.com/u/6641863?v=4",
    "events_url": "https://api.github.com/users/MiguelSavignano/events{/privacy}",
    "followers_url": "https://api.github.com/users/MiguelSavignano/followers",
    "following_url": "https://api.github.com/users/MiguelSavignano/following{/other_user}",
    "gists_url": "https://api.github.com/users/MiguelSavignano/gists{/gist_id}",
    "gravatar_id": "",
    "html_url": "https://github.com/MiguelSavignano",
    "id": 6641863,
    "login": "MiguelSavignano",
    "node_id": "MDQ6VXNlcjY2NDE4NjM=",
    "organizations_url": "https://api.github.com/users/MiguelSavignano/orgs",
    "received_events_url": "https://api.github.com/users/MiguelSavignano/received_events",
    "repos_url": "https://api.github.com/users/MiguelSavignano/repos",
    "site_admin": false,
    "starred_url": "https://api.github.com/users/MiguelSavignano/starred{/owner}{/repo}",
    "subscriptions_url": "https://api.github.com/users/MiguelSavignano/subscriptions",
    "type": "User",
    "url": "https://api.github.com/users/MiguelSavignano"
  }
 }
--- a/spec/fixtures/input.json
+++ b/spec/fixtures/input.json
@ -0,0 +1,107 @@
 {
  "scan_info": {
    "app_path": "/home/miguemasx/developer/dockerize-rails",
    "rails_version": "5.2.2",
    "security_warnings": 1,
    "start_time": "2019-10-25 11:25:31 +0200",
    "end_time": "2019-10-25 11:25:31 +0200",
    "duration": 0.108293375,
    "checks_performed": [
      "BasicAuth",
      "BasicAuthTimingAttack",
      "ContentTag",
      "CookieSerialization",
      "CreateWith",
      "CrossSiteScripting",
      "DefaultRoutes",
      "Deserialize",
      "DetailedExceptions",
      "DigestDoS",
      "DynamicFinders",
      "EscapeFunction",
      "Evaluation",
      "Execute",
      "FileAccess",
      "FileDisclosure",
      "FilterSkipping",
      "ForgerySetting",
      "HeaderDoS",
      "I18nXSS",
      "JRubyXML",
      "JSONEncoding",
      "JSONParsing",
      "LinkTo",
      "LinkToHref",
      "MailTo",
      "MassAssignment",
      "MimeTypeDoS",
      "ModelAttrAccessible",
      "ModelAttributes",
      "ModelSerialize",
      "NestedAttributes",
      "NestedAttributesBypass",
      "NumberToCurrency",
      "PermitAttributes",
      "QuoteTableName",
      "Redirect",
      "RegexDoS",
      "Render",
      "RenderDoS",
      "RenderInline",
      "ResponseSplitting",
      "RouteDoS",
      "SQL",
      "SQLCVEs",
      "SSLVerify",
      "SafeBufferManipulation",
      "SanitizeMethods",
      "SelectTag",
      "SelectVulnerability",
      "Send",
      "SendFile",
      "SessionManipulation",
      "SessionSettings",
      "SimpleFormat",
      "SingleQuotes",
      "SkipBeforeFilter",
      "SprocketsPathTraversal",
      "StripTags",
      "SymbolDoSCVE",
      "TranslateBug",
      "UnsafeReflection",
      "ValidationRegex",
      "WithoutProtection",
      "XMLDoS",
      "YAMLParsing"
    ],
    "number_of_controllers": 2,
    "number_of_models": 2,
    "number_of_templates": 7,
    "ruby_version": "2.6.3",
    "brakeman_version": "4.7.0"
  },
  "warnings": [
    {
      "warning_type": "Mass Assignment",
      "warning_code": 70,
      "fingerprint": "5b486a498b14e1a12361c50863e2770c966799c9d5c6b6b9ab9bd8797c28a986",
      "check_name": "MassAssignment",
      "message": "Parameters should be whitelisted for mass assignment",
      "file": "app/controllers/posts_controller.rb",
      "line": 17,
      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
      "code": "params.permit!",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "PostsController",
        "method": "new"
      },
      "user_input": null,
      "confidence": "High"
    }
  ],
  "ignored_warnings": [],
  "errors": [],
  "obsolete": []
 }
--- a/spec/fixtures/report.json
+++ b/spec/fixtures/report.json
--- a/spec/github_check_run_service_spec.rb
+++ b/spec/github_check_run_service_spec.rb
@ -1,11 +1,9 @@
 # frozen_string_literal: true
 require './spec/spec_helper'
 describe GithubCheckRunService do
-  let(:rubocop_report) { JSON(File.read('./spec/fixtures/report.json')) }
+  let(:brakeman_report) { JSON(File.read('./spec/fixtures/input.json')) }
  let(:github_data) { { sha: 'sha', token: 'token', owner: 'owner', repo: 'repository_name' } }
-  let(:service) { GithubCheckRunService.new(rubocop_report, github_data, ReportAdapter) }
+  let(:service) { GithubCheckRunService.new(brakeman_report, github_data, ReportAdapter) }
  it '#run' do
    stub_request(:any, 'https://api.github.com/repos/owner/repository_name/check-runs/id')
@ -17,4 +15,5 @@ describe GithubCheckRunService do
    output = service.run
    expect(output).to be_a(Hash)
  end
 end
--- a/spec/report_adapter_spec.rb
+++ b/spec/report_adapter_spec.rb
@ -1,32 +1,31 @@
 # frozen_string_literal: true
 require './spec/spec_helper'
 describe ReportAdapter do
-  let(:rubocop_report) do
+  let(:brakeman_report) {
-    JSON(File.read('./spec/fixtures/report.json'))
+    JSON(File.read('./spec/fixtures/input.json'))
-  end
+  }
  let(:adapter) { ReportAdapter }
  it '.conslusion' do
-    result = adapter.conslusion(rubocop_report)
+    result = adapter.conslusion(brakeman_report)
    expect(result).to eq('failure')
  end
  it '.summary' do
-    result = adapter.summary(rubocop_report)
+    result = adapter.summary(brakeman_report)
-    expect(result).to eq('201 offense(s) found')
+    expect(result).to be_a(String)
  end
  it '.annotations' do
-    result = adapter.annotations(rubocop_report)
+    result = adapter.annotations(brakeman_report)
-    expect(result.first).to eq(
+    expect(result).to eq([{
-      'path' => 'Gemfile',
+      'path' => 'app/controllers/posts_controller.rb',
-      'start_line' => 1,
+      'start_line' => 17,
-      'end_line' => 1,
+      'annotation_level' => 'warning',
-      'annotation_level' => 'failure',
+      'end_line' => 17,
-      'message' => 'Missing magic comment `# frozen_string_literal: true`.'
+      'title' => 'High - MassAssignment',
-    )
+      'message' => 'Parameters should be whitelisted for mass assignment'
    }])
  end
 end
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -1,5 +1,3 @@
 # frozen_string_literal: true
 require 'webmock/rspec'
 require 'json'
 require 'pry'