Module: Contrast::Agent::Assess::Policy::PolicyScanner

Defined in:
lib/contrast/agent/assess/policy/policy_scanner.rb

Overview

This is how we scan our customers' code. It provides a way to analyze the classes we need to observe for vulnerabilities that live in the source of a file rather than in data flow, such as the detection of Hardcoded Passwords or Keys.

Class Method Summary

Class Method Details

.policy ⇒ Object



# File 'lib/contrast/agent/assess/policy/policy_scanner.rb', line 39

def policy
  Contrast::Agent::Assess::Policy::Policy.instance
end

.scan(trace_point) ⇒ Object

Use the given trace_point, built from an :end event, to determine where the loaded code lives and scan that code for policy violations.

Parameters:

  • trace_point (TracePoint)

    the TracePoint generated by an :end event at the end of a Module definition.



# File 'lib/contrast/agent/assess/policy/policy_scanner.rb', line 22

def scan trace_point
  return unless ::Contrast::ASSESS.enabled?
  return unless ::Contrast::ASSESS.require_scan?

  provider_values = policy.providers.values
  return if provider_values.all?(&:disabled?)

  return unless trace_point.path
  return if trace_point.path.start_with?(Gem.dir)

  mod = trace_point.self
  return if mod.cs__frozen? || mod.singleton_class?

  ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
  provider_values.each { |provider| provider.parse(trace_point, ast) }
end