Module: Contrast::Agent::Assess::Policy::PolicyScanner

Includes:
Components::Interface
Defined in:
lib/contrast/agent/assess/policy/policy_scanner.rb

Overview

This is how we scan our customers' code. It provides a way to analyze the classes we need to observe in order to find vulnerabilities that exist in the context of a file rather than in a data flow, such as Hardcoded Passwords or Keys.

Class Method Summary

Methods included from Components::Interface

included

Class Method Details

.policy ⇒ Object



# File 'lib/contrast/agent/assess/policy/policy_scanner.rb', line 52

def policy
  Contrast::Agent::Assess::Policy::Policy.instance
end

.scan(trace_point) ⇒ Object

Use the given trace_point, built from an :end event, to determine where the loaded code lives and scan that code for policy violations.

Parameters:

  • trace_point (TracePoint)

    the TracePoint generated by an :end event at the end of a Module definition.



# File 'lib/contrast/agent/assess/policy/policy_scanner.rb', line 26

def scan trace_point
  return unless ASSESS.enabled?
  return unless ASSESS.require_scan?

  provider_values = policy.providers.values
  return if provider_values.all?(&:disabled?)

  return unless trace_point.path
  return if trace_point.path.start_with?(Gem.dir)

  mod = trace_point.self
  return if mod.cs__frozen? || mod.singleton_class?

  # TODO: RUBY-1014 - remove non-AST approach
  if RUBY_VERSION >= '2.6.0'
    ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
    provider_values.each do |provider|
      provider.parse(trace_point, ast)
    end
  else
    provider_values.each do |provider|
      provider.analyze(mod)
    end
  end
end
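The flow that scan implements (an :end TracePoint fires when a class or module body finishes, the path it reports is checked and the gem directory is skipped, the whole file is parsed with RubyVM::AbstractSyntaxTree and the tree is handed to the providers) is shown end to end below as an added example. It is not code from the Contrast agent: find_hardcoded_secrets stands in for a provider's parse step, scan_on_class_end stands in for scan, the SECRET_NAME heuristic, the PaymentClient sample source and the demo helper are all constructed for this illustration, and like the AST branch in scan it assumes Ruby 2.6 or newer.

```ruby
require 'tempfile'

# Constructed sample source (not part of the Contrast agent): one class whose
# body declares several constants; only API_KEY is a string literal with a
# secret-looking name.
SAMPLE_SOURCE = <<~RUBY
  class PaymentClient
    API_KEY  = "sk_live_placeholder_value"   # literal + secret-looking name
    ENDPOINT = "https://example.invalid/pay" # literal, but benign name
    TIMEOUT  = 30                            # not a string literal
    PASSWORD = ENV["PAYMENT_PASSWORD"]       # secret-looking name, not a literal
  end
RUBY

# Hypothetical naming heuristic: constant names ending in one of these words.
SECRET_NAME = /(PASSWORD|PASSWD|SECRET|TOKEN|KEY)\z/i

# Recursively walk a RubyVM::AbstractSyntaxTree and collect constant
# declarations (CDECL nodes) whose value is a plain string literal (STR) and
# whose name matches SECRET_NAME. CDECL children are [name, value] for `A = x`
# and [scope, name, value] for `Mod::A = x`, so name and value are always the
# last two children.
def find_hardcoded_secrets(node, findings = [])
  case node
  when RubyVM::AbstractSyntaxTree::Node
    if node.type == :CDECL
      name, value = node.children.last(2)
      if value.is_a?(RubyVM::AbstractSyntaxTree::Node) && value.type == :STR &&
         name.to_s.match?(SECRET_NAME)
        findings << { name: name, line: node.first_lineno }
      end
    end
    node.children.each { |child| find_hardcoded_secrets(child, findings) }
  when Array
    node.each { |child| find_hardcoded_secrets(child, findings) }
  end
  findings
end

# Mirror the agent's flow: hook the :end event, take the path of the file whose
# class/module body just finished, skip installed gems, parse the whole file
# with RubyVM::AbstractSyntaxTree and hand the tree to the analysis.
def scan_on_class_end(file_path)
  results = []
  trace = TracePoint.new(:end) do |tp|
    next unless tp.path && File.identical?(tp.path, file_path) # only our file
    next if tp.path.start_with?(Gem.dir)                        # same gem-dir skip as scan
    ast = RubyVM::AbstractSyntaxTree.parse_file(tp.path)
    results << { module: tp.self.name, findings: find_hardcoded_secrets(ast) }
  end
  trace.enable { load file_path }
  results
end

# Write the constructed sample to a temp file, load it under the trace and
# return what the scan reported.
def demo
  Tempfile.create(['payment_client', '.rb']) do |f|
    f.write(SAMPLE_SOURCE)
    f.flush
    scan_on_class_end(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |r|
    r[:findings].each do |h|
      puts "#{r[:module]}: hardcoded secret in #{h[:name]} (line #{h[:line]})"
    end
  end
end
```

Only API_KEY is reported: ENDPOINT has a benign name, TIMEOUT is not a string, and PASSWORD is read from the environment rather than written into the file, which is the distinction a file-context scan is meant to draw. Because the TracePoint reports the file path rather than the class, the parse covers the whole file, so the walk must itself decide which nodes belong to the finding.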