# Copyright (c) 2022 Contrast Security, Inc. See https://www.contrastsecurity.com/enduser-terms-0317a for more details. # frozen_string_literal: true require 'contrast/utils/object_share' module Contrast module Agent module Assess module Policy # This is how we scan our customer's code. It provides a way to analyze # the classes we need to observe to find vulnerabilities in the context # of a file vs data flow, such as the detection of Hardcoded Passwords # or Keys. module PolicyScanner class << self # Use the given trace_point, built from an :end event, to determine # where the loaded code lives and scan that code for policy # violations. # # @param trace_point [TracePoint] the TracePoint generated by an # :end event at the end of a Module definition. def scan trace_point return unless ::Contrast::ASSESS.enabled? return unless ::Contrast::ASSESS.require_scan? provider_values = policy.providers.values return if provider_values.all?(&:disabled?) return unless trace_point.path return if trace_point.path.start_with?(Gem.dir) mod = trace_point.self return if mod.cs__frozen? || mod.singleton_class? different_ruby_version trace_point, provider_values, mod end def different_ruby_version trace_point, provider_values, mod # TODO: RUBY-1014 - remove non-AST approach if RUBY_VERSION >= '2.6.0' # TODO: RUBY-714 EOL 2.5. That check will be removed and the code will be brought back in here. ast = RubyVM::AbstractSyntaxTree.parse_file(trace_point.path) provider_values.each do |provider| provider.parse(trace_point, ast) end else provider_values.each do |provider| provider.analyze(mod) end end end def policy Contrast::Agent::Assess::Policy::Policy.instance end end end end end end end