Merge pull request #20 from codeclimate/devon/update-bundler-audit-db-as-app

Update bundler-audit vulnerability database as app user

Author: dblandin

Dockerfile

@@ -6,12 +6,13 @@ RUN apk --update add ruby ruby-dev ruby-bundler build-base git
 COPY Gemfile /usr/src/app/
 COPY Gemfile.lock /usr/src/app/
 RUN bundle install -j 4 && \
-    bundle-audit update && \
     apk del build-base && rm -fr /usr/share/ri
 
 RUN adduser -u 9000 -D app
 USER app
 
+RUN bundle-audit update
+
 COPY . /usr/src/app
 
 CMD ["/usr/src/app/bin/bundler-audit"]

lib/cc/engine/bundler_audit/unpatched_gem_issue.rb

@@ -67,7 +67,7 @@ def remediation_points
         end
 
         def severity
-          SEVERITIES[advisory.criticality]
+          SEVERITIES.fetch(advisory.criticality, "normal")
         end
 
         def solution

lib/cc/engine/bundler_audit/unpatched_gem_remediation.rb

@@ -4,7 +4,8 @@ module BundlerAudit
       class UnpatchedGemRemediation
         MAJOR_UPGRADE_POINTS = 50_000_000
         MINOR_UPGRADE_POINTS = 5_000_000
-        PATCH_UPGRADE_POINTS = 500_000
+        TINY_UPGRADE_POINTS = 500_000
+        MINIMUM_UPGRADE_POINTS = 50_000
         UNPATCHED_VERSION_POINTS = 500_000_000
 
         def initialize(gem_version, patched_versions)
@@ -31,7 +32,9 @@ def calculate_points(upgrade_version)
           when current_version.minor != upgrade_version.minor
             MINOR_UPGRADE_POINTS
           when current_version.tiny != upgrade_version.tiny
-            PATCH_UPGRADE_POINTS
+            TINY_UPGRADE_POINTS
+          else
+            MINIMUM_UPGRADE_POINTS
           end
         end
 

spec/cc/engine/bundler_audit/analyzer_spec.rb

@@ -15,15 +15,19 @@ module CC::Engine::BundlerAudit
 
         issues = analyze_directory(directory)
 
-        expect(issues).to eq(expected_issues("unpatched_versions"))
+        expected_issues("unpatched_versions").each do |expected_issue|
+          expect(issues).to include(expected_issue)
+        end
       end
 
       it "emits issues for insecure sources in Gemfile.lock" do
-        directory = fixture_directory("insecure_source")
+        directory = fixture_directory("insecure_sources")
 
         issues = analyze_directory(directory)
 
-        expect(issues).to eq(expected_issues("insecure_source"))
+        expected_issues("insecure_sources").each do |expected_issue|
+          expect(issues).to include(expected_issue)
+        end
       end
 
       it "logs to stderr when we encounter an unsupported vulnerability" do

spec/cc/engine/bundler_audit/remediation_spec.rb

@@ -15,10 +15,28 @@ module CC::Engine::BundlerAudit
         expect(remediation.points).to eq(UnpatchedGemRemediation::MINOR_UPGRADE_POINTS)
       end
 
-      it "returns patch upgrade remediation points when an upgrade requies a patch version bump" do
-        remediation = UnpatchedGemRemediation.new("1.0.0", %w[1.0.3 2.0.3])
+      it "returns tiny upgrade remediation points when an upgrade requies a tiny version bump" do
+        remediation = UnpatchedGemRemediation.new("1.0", %w[1.0.2])
 
-        expect(remediation.points).to eq(UnpatchedGemRemediation::PATCH_UPGRADE_POINTS)
+        expect(remediation.points).to eq(UnpatchedGemRemediation::TINY_UPGRADE_POINTS)
+      end
+
+      it "returns minimum upgrade remediation points when an upgrade requies a <= tiny2 version bump" do
+        remediation = UnpatchedGemRemediation.new("1.0", %w[1.0.0.2-2])
+
+        expect(remediation.points).to eq(UnpatchedGemRemediation::MINIMUM_UPGRADE_POINTS)
+
+        remediation = UnpatchedGemRemediation.new("1.0", %w[1.0.0.2-2])
+
+        expect(remediation.points).to eq(UnpatchedGemRemediation::MINIMUM_UPGRADE_POINTS)
+
+        remediation = UnpatchedGemRemediation.new("1.0", %w[1.0a2])
+
+        expect(remediation.points).to eq(UnpatchedGemRemediation::MINIMUM_UPGRADE_POINTS)
+
+        remediation = UnpatchedGemRemediation.new("1.0", %w[1.0b2])
+
+        expect(remediation.points).to eq(UnpatchedGemRemediation::MINIMUM_UPGRADE_POINTS)
       end
 
       it "returns unpatched version remediation points when an upgrade is not possible" do