/
security.rake
36 lines (29 loc) · 1.16 KB
/
security.rake
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
require "open3"
require "rainbow"
desc "shortcut to run all linting tools, at the same time."
task :security_caseflow do
puts "running Brakeman security scan..."
brakeman_result = ShellCommand.run(
"brakeman --exit-on-warn --run-all-checks --confidence-level=2"
)
puts "running bundle-audit to check for insecure dependencies..."
exit!(1) unless ShellCommand.run("bundle-audit update")
# Set time zone when running in Circle CI environment.
# TODO: Remove this when we stop calling Time.zone... below.
Time.zone = "Eastern Time (US & Canada)"
# Only ignore this vulnerability for a week.
audit_cmd = "bundle-audit check --ignore CVE-2018-1000201"
if Time.zone.local(2018, 9, 10) < Time.zone.today - 1.week
audit_cmd = "bundle-audit check"
end
# ignore CVE-2018-1000201 (awaiting on https://github.com/rails/rails-html-sanitizer/pull/73)
audit_cmd += " --ignore CVE-2018-16468"
audit_result = ShellCommand.run(audit_cmd)
puts "\n"
if brakeman_result && audit_result
puts Rainbow("Passed. No obvious security vulnerabilities.").green
else
puts Rainbow("Failed. Security vulnerabilities were found.").red
exit!(1)
end
end