# Copyright (c) 2021 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details.
# frozen_string_literal: true
require 'contrast/components/interface'
require 'contrast/utils/object_share'
module Contrast
module Agent
module Assess
module Policy
# This is how we scan our customer's code. It provides a way to analyze
# the classes we need to observe to find vulnerabilities in the context
# of a file vs data flow, such as the detection of Hardcoded Passwords
# or Keys.
module PolicyScanner
include Contrast::Components::Interface
access_component :analysis
class << self
# Use the given trace_point, built from an :end event, to determine
# where the loaded code lives and scan that code for policy
# violations.
#
# @param trace_point [TracePoint] the TracePoint generated by an
# :end event at the end of a Module definition.
def scan trace_point
return unless ASSESS.enabled?
return unless ASSESS.require_scan?
provider_values = policy.providers.values
return if provider_values.all?(&:disabled?)
return unless trace_point.path
return if trace_point.path.start_with?(Gem.dir)
mod = trace_point.self
return if mod.cs__frozen? || mod.singleton_class?
# TODO: RUBY-1014 - remove non-AST approach
if RUBY_VERSION >= '2.6.0'
ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path)
provider_values.each do |provider|
provider.parse(trace_point, ast)
end
else
provider_values.each do |provider|
provider.analyze(mod)
end
end
end
def policy
Contrast::Agent::Assess::Policy::Policy.instance
end
end
end
end
end
end
end