Added SensioLabs Security Checker Plugin. Issue #27

2017-04-04 20:59:28 +07:00 · 2017-04-04 20:59:28 +07:00 · e3e3cf5124
commit e3e3cf5124
parent e4803f657a
10 changed files with 2253 additions and 1269 deletions
--- a/src/PHPCensor/Languages/lang.en.php
+++ b/src/PHPCensor/Languages/lang.en.php
@ -394,6 +394,7 @@ PHP Censor',
    'slack_notify'         => 'Slack',
    'technical_debt'       => 'Technical Debt',
    'xmpp'                 => 'XMPP',
+    'security_checker'     => 'SensioLabs Security Checker',

    'confirm_message' => 'Item will be permanently deleted. Are you sure?',
    'confirm_title'   => 'Item delete confirmation',
--- a/src/PHPCensor/Languages/lang.ru.php
+++ b/src/PHPCensor/Languages/lang.ru.php
@ -377,6 +377,7 @@ PHP Censor',
    'slack_notify'         => 'Slack',
    'technical_debt'       => 'Technical Debt',
    'xmpp'                 => 'XMPP',
+    'security_checker'     => 'SensioLabs Security Checker',

    'confirm_message' => 'Элемент будет удален навсегда. Вы уверены?',
    'confirm_title'   => 'Подтвержение удаления',
--- a/src/PHPCensor/Plugin/Mage.php
+++ b/src/PHPCensor/Plugin/Mage.php
@ -8,13 +8,14 @@ namespace PHPCensor\Plugin;
 use PHPCensor\Builder;
 use PHPCensor\Model\Build;
 use Psr\Log\LogLevel;
+use \PHPCensor\Plugin;

 /**
 * Integrates PHPCensor with Mage: https://github.com/andres-montanez/Magallanes
 * @package      PHPCensor
 * @subpackage   Plugins
 */
-class Mage extends \PHPCensor\Plugin
+class Mage extends Plugin
 {
    protected $mage_bin = 'mage';
    protected $mage_env;
--- a/src/PHPCensor/Plugin/PhpDocblockChecker.php
+++ b/src/PHPCensor/Plugin/PhpDocblockChecker.php
@ -5,6 +5,7 @@ namespace PHPCensor\Plugin;
 use PHPCensor;
 use PHPCensor\Builder;
 use PHPCensor\Model\Build;
+use PHPCensor\Model\BuildError;
 use PHPCensor\Plugin;
 use PHPCensor\ZeroConfigPluginInterface;

@ -28,6 +29,10 @@ class PhpDocblockChecker extends Plugin implements ZeroConfigPluginInterface

    protected $skipClasses = false;
    protected $skipMethods = false;
+
+    /**
+     * @var integer
+     */
    protected $allowed_warnings;

    /**
@ -128,8 +133,8 @@ class PhpDocblockChecker extends Plugin implements ZeroConfigPluginInterface
        // Re-enable exec output logging:
        $this->builder->logExecOutput(true);

-        $output = json_decode($this->builder->getLastOutput(), true);
-        $errors = count($output);
+        $output  = json_decode($this->builder->getLastOutput(), true);
+        $errors  = count($output);
        $success = true;

        $this->build->storeMeta('phpdoccheck-warnings', $errors);
@ -150,11 +155,11 @@ class PhpDocblockChecker extends Plugin implements ZeroConfigPluginInterface
    {
        foreach ($output as $error) {
            $message = 'Class ' . $error['class'] . ' is missing a docblock.';
-            $severity = PHPCensor\Model\BuildError::SEVERITY_LOW;
+            $severity = BuildError::SEVERITY_LOW;

            if ($error['type'] == 'method') {
                $message = $error['class'] . '::' . $error['method'] . ' is missing a docblock.';
-                $severity = PHPCensor\Model\BuildError::SEVERITY_NORMAL;
+                $severity = BuildError::SEVERITY_NORMAL;
            }

            $this->build->reportError(
--- a/src/PHPCensor/Plugin/SecurityChecker.php
+++ b/src/PHPCensor/Plugin/SecurityChecker.php
@ -0,0 +1,98 @@
+<?php
+
+namespace PHPCensor\Plugin;
+
+use PHPCensor;
+use PHPCensor\Builder;
+use PHPCensor\Model\Build;
+use PHPCensor\Plugin;
+use PHPCensor\Model\BuildError;
+use PHPCensor\ZeroConfigPluginInterface;
+use SensioLabs\Security\SecurityChecker as BaseSecurityChecker;
+
+/**
+ * SensioLabs Security Checker Plugin
+ * 
+ * @author Dmitry Khomutov <poisoncorpsee@gmail.com>
+ */
+class SecurityChecker extends Plugin implements ZeroConfigPluginInterface
+{
+    /**
+     * @var integer
+     */
+    protected $allowed_warnings;
+    
+    /**
+     * @return string
+     */
+    public static function pluginName()
+    {
+        return 'security_checker';
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function __construct(Builder $builder, Build $build, array $options = [])
+    {
+        parent::__construct($builder, $build, $options);
+
+        $this->allowed_warnings = 0;
+
+        if (isset($options['zero_config']) && $options['zero_config']) {
+            $this->allowed_warnings = -1;
+        }
+
+        if (array_key_exists('allowed_warnings', $options)) {
+            $this->allowed_warnings = (int)$options['allowed_warnings'];
+        }
+    }
+
+    /**
+     * Check if this plugin can be executed.
+     *
+     * @param         $stage
+     * @param Builder $builder
+     * @param Build   $build
+     *
+     * @return bool
+     */
+    public static function canExecute($stage, Builder $builder, Build $build)
+    {
+        $path = $builder->buildPath . DIRECTORY_SEPARATOR . 'composer.lock';
+
+        if (file_exists($path) && $stage == Build::STAGE_TEST) {
+            return true;
+        }
+
+        return false;
+    }
+
+    public function execute()
+    {
+        $success   = true;
+        $checker   = new BaseSecurityChecker();
+        $warnings  = $checker->check($this->builder->buildPath . DIRECTORY_SEPARATOR . 'composer.lock');
+
+        if ($warnings) {
+            foreach ($warnings as $library => $warning) {
+                foreach ($warning['advisories'] as $advisory => $data) {
+                    $this->build->reportError(
+                        $this->builder,
+                        'security_checker',
+                        $library . ' (' . $warning['version'] . ")\n" . $data['cve'] . ': ' . $data['title'] . "\n" . $data['link'],
+                        BuildError::SEVERITY_CRITICAL,
+                        '-',
+                        '-'
+                    );
+                }
+            }
+
+            if ($this->allowed_warnings != -1 && ((int)$checker->getLastVulnerabilityCount() > $this->allowed_warnings)) {
+                $success = false;
+            }
+        }
+
+        return $success;
+    }
+}