Add a new rule type that allows matching patterns in specific files

Ang Ming Yi · Ang Ming Yi · commit a323de0e4507 · 2017-11-17T16:46:33.000+08:00
This allows one to specify pattern for files that are important such as CHANGELOG, and pattern to match such as Security Fix.
diff --git a/app/controllers/rules_controller.rb b/app/controllers/rules_controller.rb
@@ -57,6 +57,6 @@ def destroy
 private
 
   def rule_params
-    params.require(:rule).permit(:name, :rule_type_id, :value, :description, :notification_id)
+    params.require(:rule).permit(:name, :rule_type_id, :value, :value2, :description, :notification_id)
   end
 end
diff --git a/app/views/rules/edit.html.erb b/app/views/rules/edit.html.erb
@@ -47,6 +47,11 @@ limitations under the License.
     <%= f.text_area :value %>
   </p>
 
+  <p>
+    <%= f.label :value2 %><br>
+    <%= f.text_area :value2 %>
+  </p>
+
   <p>
     <%= f.label :description %><br>
     <%= f.text_field :description %>
diff --git a/app/views/rules/index.html.erb b/app/views/rules/index.html.erb
@@ -24,6 +24,7 @@ limitations under the License.
     <th>Name</th>
     <th>Rule Type Id</th>
     <th>Value</th>
+    <th>Value 2</th>
     <th>Description</th>
     <th>Notification</th>
     <th colspan="2"></th>
@@ -34,6 +35,7 @@ limitations under the License.
       <td><%= rule.name %></td>
       <td><%= rule.rule_type_id %></td>
       <td><code><%= rule.value %></code></td>
+      <td><code><%= rule.value2 %></code></td>
       <td><%= rule.description %></td>
       <td><%= rule.notification_id %></td>
       <td><%= link_to 'Edit', edit_rule_path(rule.id) %></td>
diff --git a/app/views/rules/new.html.erb b/app/views/rules/new.html.erb
@@ -49,6 +49,11 @@ limitations under the License.
     <%= f.text_area :value %>
   </p>
 
+    <p>
+      <%= f.label :value2 %><br>
+      <%= f.text_area :value2 %>
+    </p>
+
   <p>
     <%= f.label :description %><br>
     <%= f.text_field :description %>
diff --git a/config/rule_types.yml b/config/rule_types.yml
@@ -26,3 +26,7 @@
   :name: 'expression'
   :requires_diff: true
   :description: 'Boolean expression referencing one or more rules'
+8:
+  :name: 'specific_file_changes'
+  :requires_diff: true
+  :description: 'Regular expression for any code in a specified file'
diff --git a/db/migrate/20171117075335_add_value_2_to_rules.rb b/db/migrate/20171117075335_add_value_2_to_rules.rb
@@ -0,0 +1,7 @@
+Sequel.migration do
+  change do
+    alter_table :rules do
+      add_column :value2, 'longtext'
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
@@ -64,6 +64,7 @@
       column :value, "longtext", :null=>false
       column :description, "text"
       foreign_key :notification_id, :notifications, :type=>"int(11) unsigned", :key=>[:id]
+      column :value2, "longtext"
       
       index [:name], :name=>:name, :unique=>true
       index [:notification_id], :name=>:notification_id
@@ -74,5 +75,6 @@
                 change do
                   self << "INSERT INTO `schema_migrations` (`filename`) VALUES ('20170118000000_initial_migration.rb')"
 self << "INSERT INTO `schema_migrations` (`filename`) VALUES ('20170119020524_add_credentials_to_projects.rb')"
+self << "INSERT INTO `schema_migrations` (`filename`) VALUES ('20171117075335_add_value_2_to_rules.rb')"
                 end
               end
diff --git a/db/seeds.rb b/db/seeds.rb
@@ -573,5 +573,3 @@
 
 RuleSets.create(name: 'vulns', rules: ['strong_vuln_patterns'].to_json, description: 'Finds fixes for vulnerabilities')
 RuleSets.create(name: 'sensitive', rules: sensitive_rules.to_json, description: 'Finds files which may contain sensitive information')
-
-Projects.create(name: 'srcclr/commit_watcher', rule_sets: ['vulns'].to_json)
diff --git a/lib/audit_results_builder.rb b/lib/audit_results_builder.rb
@@ -27,11 +27,13 @@ def build(project_id, commit, diff, rules)
     audit_results = []
     auditor = RuleAuditor.new(@all_rules)
     rules.each do |r|
+      value2 = r[:value2] || ''
       audit_result = auditor.audit(
         commit,
         r[:rule_type_id],
         r[:value],
-        diff
+        diff,
+        value2
       )
       next unless audit_result
 
diff --git a/lib/rules/rule_auditor.rb b/lib/rules/rule_auditor.rb
@@ -26,7 +26,7 @@ def initialize(all_rules)
     @all_rules = all_rules
   end
 
-  def audit(commit, rule_type_id, rule_value, diff)
+  def audit(commit, rule_type_id, rule_value, diff, rule_value_2='')
     case rule_type_id
     when 1
       return unless diff
@@ -45,6 +45,8 @@ def audit(commit, rule_type_id, rule_value, diff)
       audit_commit_pattern(commit, Regexp.new(rule_value), diff)
     when 7
       audit_expression(commit, rule_value, diff)
+    when 8
+      audit_specific_file_changes_pattern(Regexp.new(rule_value), Regexp.new(rule_value_2), diff)
     end
   end
 
@@ -157,4 +159,18 @@ def audit_commit_pattern(commit, pattern, diff)
     results.compact!
     results.empty? ? nil : results
   end
+
+  def audit_specific_file_changes_pattern(pattern, filename, diff)
+    results = []
+    return results if filename.blank?
+    diff.each do |d|
+      next if d.file.empty? || (d.file =~ filename).blank?
+      next if d.body.empty? || (d.body =~ pattern).blank?
+      results << {
+          file: d.file,
+          body: d.body,
+      }
+    end
+    results.empty? ? nil : results
+  end
 end
