Use Bundler::Audit::Scanner for analysis

[dblandin]

This PR updates the engine analysis to use bundler-audit's internal Scanner class which offers better access to gem and advisory information.

This particular change is also necessary to disable the gem's network access attempt in order to determine whether a Gemfile source is internal or external, an update which will be introduced following this PR.

This PR also takes a few refactoring steps to improve overall structure and clarify remediation point calculation.

There should be no behavioral changes as a result of the updates in this PR.

@codeclimate/review 🔎

Before

{
    "categories": [
        "Security"
    ],
    "check_name": "Insecure Dependency",
    "content": {
        "body": "**Advisory**: CVE-2013-1800\n\n**Criticality**: High\n\n**URL**: http://osvdb.org/show/osvdb/90742\n\n**Solution**: upgrade to >= 0.3.2"
    },
    "description": "crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution",
    "location": {
        "lines": {
            "begin": 87,
            "end": 87
        },
        "path": "Gemfile.lock"
    },
    "remediation_points": 500000,
    "severity": "critical",
    "type": "Issue"
}

After

{
    "categories": [
        "Security"
    ],
    "check_name": "Insecure Dependency",
    "content": {
        "body": "**Advisory**: CVE-2013-1800\n\n**Criticality**: High\n\n**URL**: http://osvdb.org/show/osvdb/90742\n\n**Solution**: upgrade to >= 0.3.2"
    },
    "description": "crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution",
    "location": {
        "lines": {
            "begin": 87,
            "end": 87
        },
        "path": "Gemfile.lock"
    },
    "remediation_points": 500000,
    "severity": "critical",
    "type": "Issue"
}

[gdiggs]

WDYT of changing to_issue below to as_json and then you could just do result.to_json below?

[dblandin]

I think I'd feel more comfortable with that if we renamed the class to Issue. Then we would have:

issue = Issue.new(vulnerability, File.open(gemfile_lock_path))
io.print("#{issue.to_json}\0")

WDYT?

[gdiggs]

I like this direction. Did we lose the insecure source checks entirely?

[dblandin]

I like this direction. Did we lose the insecure source checks entirely?

I don't think those checks ever worked as the output looks completely different and isn't picked up by our currently handling of the output on master.

Here's an example of that output. We currently just ignore it. I'd like to bring in proper support for insecure source checks in a separate PR.

Insecure Source URI found: http://rubygems.org/

[gdiggs]

I'd like to bring in proper support for insecure source checks in a separate PR.

Sounds good to me!

[dblandin]

@codeclimate/review This is ready for another 🔎

[gdiggs]

Why are we excluding this file?

[dblandin]

Rubocop generated an error on the shebang line. I think we usually drop the extension on executables in other engines, which is why this doesn't often need to be excluded. Might be worth doing that instead.

[dblandin]

Never mind. That doesn't seem to be the issue. I get the false positive locally but not on dotcom. Strange.

❯ codeclimate analyze -e rubocop                                         codeclimate-bundler-audit/git/devon/use-bundler-audit-scanner-for-analysis
Starting analysis
Running rubocop: Done!

== bin/bundler-audit (1 issue) ==
1: Use snake_case for source file names. [rubocop]

Analysis complete! Found 1 issue.

[dblandin]

@gordondiggs Updated to remove that exclude path.

[gdiggs]

LGTM!