v1.0.2

- Fixed issues with wildcards in signature paths
- Improved error-handling in various places
- Updated dependencies.

Author: chrisallenlane

app/config.js

@@ -1,7 +1,5 @@
-const expand = require('expand-tilde');
-const glob   = require('glob');
-const lodash = require('lodash');
-const rc     = require('rc');
+const glob = require('glob');
+const rc   = require('rc');
 
 module.exports = function(options, config) {
 
@@ -13,7 +11,6 @@ module.exports = function(options, config) {
 
         // HTML report date formatting 
         dateFormat : 'D MMMM YYYY, hh:mm A',
-        signatures : [],
         ignore     : [],
       },
 
@@ -26,26 +23,14 @@ module.exports = function(options, config) {
   config.glob = {};
 
   // --ignore config override
-  config.glob.ignore = (! lodash.isEmpty(options['--ignore']))
+  config.glob.ignore = (options['--ignore'])
     ? options['--ignore']
     : config.ignore ;
 
-  // process --signatures if provided
-  if (! lodash.isEmpty(options['--signatures'])) {
-    // do a glob search on --signatures to expand wildcards and such
-    config.signatures = glob.sync(expand(options['--signatures']));
-  }
-
-  // otherwise, load from the `.drekrc file`.
-  else if (! config.signatures)  {
-    var signatures = [];
-    config.signatures.forEach(function (file) {
-      // do a glob search on --signatures to expand wildcards and such
-      signatures = signatures.concat(glob.sync(expand(file)));
-    });
-
-    config.signatures = lodash(signatures).sort().uniq().value();
-  }
+  // determine the signature paths
+  config.signatures =
+    (options['--signatures']) ? [ options['--signatures'] ]:
+    (config.signatures)       ? config.signatures : [] ;
 
   // return the config object
   return config;

app/docopt.txt

@@ -29,3 +29,6 @@ Examples:
       --signatures='/path/to/signatures/*.yml' \
       --ignore='node_modules' \
       ./my-app > drek-scan.html
+
+  When using wildcards with --signatures, be certain to enclose the file paths
+  within quotation marks to avoid unwanted behavior from the shell!

app/util-load-signatures.js

@@ -3,28 +3,47 @@ const glob   = require('glob');
 const lodash = require('lodash');
 const yaml   = require('yamljs');
 
+
 module.exports = function (options, config) {
 
-  // restructure the signatures into a hash
-  var signatures = [];
+  // resolve each signature glob into signature files
+  var files = [];
+  config.signatures.forEach(function (path) {
+      files = files.concat(glob.sync(expand(path)));
+  });
+
+  // sort and de-dup the files
+  files = lodash(files).sort().uniq().value();
+
+  // throw an error is no files are specified
+  if (lodash.isEmpty(files)) {
+    throw new Error('No signatures were specified.');
+  }
 
   // iterate over each signature file
-  config.signatures.forEach(function (file) {
+  var signatures = [];
+  files.forEach(function (file) {
 
     // load each yaml file
-    const yml       = yaml.load(file);
-    const filetypes = yml.filetypes;
+    const yml = yaml.load(file);
 
     // throw an error if a yaml file is invalid
     if (! lodash.isObject(yml)) {
       throw new Error(file + ' is not a valid YAML file.');
     }
 
+    // throw an error if a yaml file contains no filetypes
+    if (lodash.isEmpty(yml.filetypes)) {
+      throw new Error(file + ' contains no filetypes.');
+    }
+
     // throw an error if a yaml file contains no patterns
     if (lodash.isEmpty(yml.patterns)) {
       throw new Error(file + ' contains no patterns.');
     }
 
+    const filetypes = yml.filetypes;
+
     // load the patterns
     yml.patterns.forEach(function (pattern) {
       signatures.push({

package.json

@@ -1,6 +1,6 @@
 {
   "name": "drek",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "A static-code-analysis tool that can be used to perform security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.",
   "homepage": "https://github.com/chrisallenlane/drek",
   "author": {
@@ -31,11 +31,11 @@
     "rc": "^1.2.1",
     "uuid-v4": "^0.1.0",
     "xmlbuilder": "^9.0.1",
-    "yamljs": "^0.2.10"
+    "yamljs": "^0.3.0"
   },
   "devDependencies": {
     "faucet": "0.0.1",
-    "jshint": "2.9.4",
+    "jshint": "2.9.5",
     "less": "^2.7.2",
     "tape": "^4.6.3"
   },

test/util-load-signatures.js

@@ -4,24 +4,51 @@ const path   = require('path');
 const test   = require('tape');
 
 
-test('util-load-signatures: it should load signature files', function (t) {
+test('util-load-signatures: it should load signatures (no wildcards)', function (t) {
   t.plan(1);
-  
+
   // stub configs
   const config = {
     signatures: [
       __dirname + '/mock/signatures/js.yml',
       __dirname + '/mock/signatures/php.yml',
     ],
   };
+
+  // expected signatures
+  const expected = [
+    { signature : '\\sconsole'     , filetypes : [ 'js'  ] } ,
+    { signature : '\\seval\\s*\\(' , filetypes : [ 'js'  ] } ,
+    { signature : '\\s\\$_GET'     , filetypes : [ 'php' ] } ,
+    { signature : '\\s\\$_POST'    , filetypes : [ 'php' ] } ,
+    { signature : '\\seval\\s*\\(' , filetypes : [ 'php' ] } ,
+  ];
+
+  // assert that the returned signatures match the expected
+  t.equals(
+    lodash.isEqual(load({}, config), expected),
+    true
+  );
+});
+
+
+test('util-load-signatures: it should load signatures (wildcards)', function (t) {
+  t.plan(1);
 
+  // stub configs
+  const config = {
+    signatures: [
+      __dirname + '/mock/signatures/*.yml',
+    ],
+  };
+
   // expected signatures
   const expected = [
     { signature : '\\sconsole'     , filetypes : [ 'js'  ] } ,
     { signature : '\\seval\\s*\\(' , filetypes : [ 'js'  ] } ,
     { signature : '\\s\\$_GET'     , filetypes : [ 'php' ] } ,
     { signature : '\\s\\$_POST'    , filetypes : [ 'php' ] } ,
-    { signature : '\\seval\\s*\\(' , filetypes : [ 'php' ] } , 
+    { signature : '\\seval\\s*\\(' , filetypes : [ 'php' ] } ,
   ];
 
   // assert that the returned signatures match the expected