Merge pull request #19 from shopsmart/bundle-audit/skip

Bundle audit/skip
shopsmart · Dec 11, 2018 · 84fc176 · 84fc176
2 parents 25148b8 + af2839f
commit 84fc176
Show file tree

Hide file tree

Showing 10 changed files with 279 additions and 16 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    bd_lint (0.3.0)
+    bd_lint (0.4.0)
       brakeman
       bundler-audit
       execjs

diff --git a/README.md b/README.md
@@ -46,18 +46,36 @@ Install pre-commit on your local copy of the application
 $ bundle exec rake bd_lint:setup:local
 ```
 
+## Bundle Audit Issues
+If you are trying to merge or push a change out and temporarily ignore bundle audit, you can disable it by performing the following steps.
+
+1. Vist your Travis builds Repository
+2. Click `More options` / `Settings`
+3. Go to the `Environment Variables` section
+4. Add `DISABLE_BUNDLE_AUDIT` with a value of `true`
+5. Re-run your travis build
+6. After your build completes successfully remove the variable from Travis
+
+#### Note
+If you are merging a pull requests and deploying to staging wait until after your code is deployed before removing the variable from Travis.
+
 ## Additional Commands
 
 #### Evaluate Changes Manually
 If you wish to run checks without commiting you can run the following
 ```bash
-$ rake bd_lint:check
+$ bundle exec rake bd_lint:check
 ```
 
 #### If you are using RVM and your install is not working
 The command ensures checks will run on RMV
 ```bash
-$ rake bd_lint:rvm_check
+$ bundle exec rake bd_lint:rvm_check
+```
+
+Check an application for known security vulnerabilities in its Gems by running the following
+```bash
+$ bundle exec rake bd_lint:audit
 ```
 
 ## Contributing

diff --git a/lib/bd_lint/audit/cli.rb b/lib/bd_lint/audit/cli.rb
@@ -0,0 +1,22 @@
+require "bundler/audit/cli"
+require "bundler/audit/scanner"
+
+module BdLint
+  module Audit
+    class CLI < Bundler::Audit::CLI
+      DISABLED_WARNING = [
+        "WARNING! Bundle Audit is disabled",
+        "Please remove `DISABLE_BUNDLE_AUDIT` from the repositories environment variables once the build has completed"
+      ].freeze
+
+      def check
+        if ENV["DISABLE_BUNDLE_AUDIT"]
+          DISABLED_WARNING.each { |msg| say msg, :yellow }
+          exit 0
+        end
+
+        super
+      end
+    end
+  end
+end
diff --git a/lib/bd_lint/rake_tasks.rb b/lib/bd_lint/rake_tasks.rb
@@ -1,4 +1,3 @@
-require 'rake'
+require "rake"
 
 load 'tasks/bd_lint.rake'
-load 'tasks/bundle_audit.rake'
diff --git a/lib/bd_lint/version.rb b/lib/bd_lint/version.rb
@@ -1,3 +1,3 @@
 module BdLint
-  VERSION = "0.3.0".freeze
+  VERSION = "0.4.0".freeze
 end
diff --git a/lib/tasks/bd_lint.rake b/lib/tasks/bd_lint.rake
@@ -12,6 +12,21 @@ namespace :bd_lint do
     BdLint::RvmVersion.check
   end
 
+  begin
+    require "bd_lint/audit/cli"
+
+    desc "Audit Application For Security Vulnerabilities"
+    task :audit do
+      %w(update check).each do |command|
+        BdLint::Audit::CLI.start [command]
+      end
+    end
+
+    task default: "bd_lint:audit"
+  rescue LoadError
+    puts "Bundle Audit Gem not loaded. Nothing to do"
+  end
+
   namespace :setup do
     desc "Install application config files"
     task :app do

diff --git a/lib/tasks/bundle_audit.rake b/lib/tasks/bundle_audit.rake
diff --git a/spec/lib/tasks/bd_lint_spec.rb b/spec/lib/tasks/bd_lint_spec.rb
@@ -1,9 +1,11 @@
 require "rails_helper"
+require "bd_lint/audit/cli"
+require "bundler/audit/scanner"
 
 describe "bd_lint:check" do
   include_context "rake"
 
-  it 'calls the runner' do
+  it "calls the runner" do
     expect(BdLint).to receive(:run)
     subject.invoke
   end
@@ -12,8 +14,42 @@
 describe "bd_lint:rvm_check" do
   include_context "rake"
 
-  it 'calls the runner' do
+  it "calls the runner" do
     expect(BdLint::RvmVersion).to receive(:check)
     subject.invoke
   end
 end
+
+describe "bd_lint:audit" do
+  include_context "rake"
+
+  it "calls update" do
+    expect_any_instance_of(BdLint::Audit::CLI).to receive(:update)
+    subject.invoke
+  end
+
+  it "calls the check function" do
+    expect_any_instance_of(BdLint::Audit::CLI).to receive(:check)
+    subject.invoke
+  end
+
+  it "scans Gemfile.lock" do
+      expect_any_instance_of(Bundler::Audit::Scanner).to receive(:scan).and_call_original
+      subject.invoke
+    end
+
+  context "when the DISABLE_BUNDLE_AUDIT is set" do
+    before do
+      allow(ENV).to receive(:[]).with("DISABLE_BUNDLE_AUDIT").and_return("true")
+    end
+
+    after do
+      allow(ENV).to receive(:[]).with("DISABLE_BUNDLE_AUDIT").and_return(nil)
+    end
+
+    it "skips the audit scan" do
+      expect_any_instance_of(Bundler::Audit::Scanner).not_to receive(:scan)
+      subject.invoke
+    end
+  end
+end
diff --git a/test_app/Gemfile b/test_app/Gemfile
@@ -0,0 +1,9 @@
+source "https://rubygems.org"
+
+git_source(:github) do |repo_name|
+  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
+  "https://github.com/#{repo_name}.git"
+end
+
+gem "rails", "~> 5.2.2"
+gem "bd_lint", path: "../"
diff --git a/test_app/Gemfile.lock b/test_app/Gemfile.lock
@@ -0,0 +1,172 @@
+PATH
+  remote: ..
+  specs:
+    bd_lint (0.3.0)
+      brakeman
+      bundler-audit
+      execjs
+      pre-commit
+      rubocop
+      rubocop-rspec
+      scss_lint
+      thor
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (5.2.2)
+      actionpack (= 5.2.2)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailer (5.2.2)
+      actionpack (= 5.2.2)
+      actionview (= 5.2.2)
+      activejob (= 5.2.2)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.2.2)
+      actionview (= 5.2.2)
+      activesupport (= 5.2.2)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.2)
+      activesupport (= 5.2.2)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.2.2)
+      activesupport (= 5.2.2)
+      globalid (>= 0.3.6)
+    activemodel (5.2.2)
+      activesupport (= 5.2.2)
+    activerecord (5.2.2)
+      activemodel (= 5.2.2)
+      activesupport (= 5.2.2)
+      arel (>= 9.0)
+    activestorage (5.2.2)
+      actionpack (= 5.2.2)
+      activerecord (= 5.2.2)
+      marcel (~> 0.3.1)
+    activesupport (5.2.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    arel (9.0.0)
+    ast (2.4.0)
+    brakeman (4.3.1)
+    builder (3.2.3)
+    bundler-audit (0.6.0)
+      bundler (~> 1.2)
+      thor (~> 0.18)
+    concurrent-ruby (1.1.3)
+    crass (1.0.4)
+    erubi (1.7.1)
+    execjs (2.7.0)
+    ffi (1.9.25)
+    globalid (0.4.1)
+      activesupport (>= 4.2.0)
+    i18n (1.1.1)
+      concurrent-ruby (~> 1.0)
+    jaro_winkler (1.5.1)
+    loofah (2.2.3)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    marcel (0.3.3)
+      mimemagic (~> 0.3.2)
+    method_source (0.9.2)
+    mimemagic (0.3.2)
+    mini_mime (1.0.1)
+    mini_portile2 (2.3.0)
+    minitest (5.11.3)
+    nio4r (2.3.1)
+    nokogiri (1.8.5)
+      mini_portile2 (~> 2.3.0)
+    parallel (1.12.1)
+    parser (2.5.3.0)
+      ast (~> 2.4.0)
+    pluginator (1.5.0)
+    powerpack (0.1.2)
+    pre-commit (0.39.0)
+      pluginator (~> 1.5)
+    rack (2.0.6)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails (5.2.2)
+      actioncable (= 5.2.2)
+      actionmailer (= 5.2.2)
+      actionpack (= 5.2.2)
+      actionview (= 5.2.2)
+      activejob (= 5.2.2)
+      activemodel (= 5.2.2)
+      activerecord (= 5.2.2)
+      activestorage (= 5.2.2)
+      activesupport (= 5.2.2)
+      bundler (>= 1.3.0)
+      railties (= 5.2.2)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.2)
+      actionpack (= 5.2.2)
+      activesupport (= 5.2.2)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.19.0, < 2.0)
+    rainbow (3.0.0)
+    rake (12.3.2)
+    rb-fsevent (0.10.3)
+    rb-inotify (0.9.10)
+      ffi (>= 0.5.0, < 2)
+    rubocop (0.61.1)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.5, != 2.5.1.1)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.4.0)
+    rubocop-rspec (1.30.1)
+      rubocop (>= 0.60.0)
+    ruby-progressbar (1.10.0)
+    sass (3.7.2)
+      sass-listen (~> 4.0.0)
+    sass-listen (4.0.0)
+      rb-fsevent (~> 0.9, >= 0.9.4)
+      rb-inotify (~> 0.9, >= 0.9.7)
+    scss_lint (0.57.1)
+      rake (>= 0.9, < 13)
+      sass (~> 3.5, >= 3.5.5)
+    sprockets (3.7.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (0.20.3)
+    thread_safe (0.3.6)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    unicode-display_width (1.4.0)
+    websocket-driver (0.7.0)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bd_lint!
+  rails (~> 5.2.2)
+
+BUNDLED WITH
+   1.16.1