This is a guest post to the Sensu Blog from Ben Abrams, one of the lead maintainers of the Sensu Plugins organization.
Vulnerabilities are something that, when they come up, are important to resolve. One low-priority example is CVE-2017-8418, which affects rubocop. Rubocop is used in every single (Ruby-based) Sensu Plugin, which means there are close to 200 repositories that need to be updated.
While this issue isn’t urgent, it is something I take to heart: I want everyone using Sensu to have safe and secure software running when they use a community plugin. I would also love your help to get us there.
On the most recent Sensu Community Chat, I walked listeners through updating the Cassandra Plugin to resolve this vulnerability. Here is the full video, completely unscripted, on how to work through one of these updates on a repo:
Below is a step-by-step guide with links so you can follow along. I wrote up these notes in the hope that you will set up your environment and go update one of the other plugins that still needs it from this list. It’d be great to have your contribution, and I promise you will learn to use Ruby a little bit better by doing so.
Before you Begin
I recommend you have the following installed to make your life much easier during this:
- A friendly text editor or IDE like VSCode or Atom (I use Atom)
- Helpful integrations, like linter-rubocop and rubocop-auto-correct
- GitHub configured, either through the Desktop App or command-line
Having these configured will make everything else a lot easier.
The “meta” issue that tracks updates across our many plugins.
(1) Claim a plugin
Go to the meta-issue that explains the need across the community: https://github.com/sensu-plugins/community/issues/77
Find an unchecked box next to a plugin, then scroll to the very bottom and add a comment saying you’ll cover it (making sure someone else hasn’t claimed it along the way).
(2) Fork and clone that plugin
Click the Fork button to make your own remote copy of the repository, then clone it locally. Assuming I’m working on the Cassandra plugin, I would:
- Go to https://github.com/sensu-plugins/sensu-plugins-cassandra
- Click the Fork button in the top right corner
- Clone it locally, either using GitHub Desktop or by running `git clone`
- Switch to a new branch for your code, preferably `fix/CVE-2017-8418`
Now it’s ready to open in your IDE.
(3) Pin to the new rubocop version
Updating rubocop is as easy as updating the `.gemspec` file in the directory. You will see a line that looks like:
```ruby
s.add_development_dependency 'rubocop', '~> 0.41.0'
```
Update it to:
```ruby
s.add_development_dependency 'rubocop', '~> 0.51.0'
```
Then run `bundle` to install the new version.
We pin rubocop 0.51.0 across all repositories, even though newer versions have been released since, so that every plugin uses the same version of rubocop across the board. That consistency makes maintaining plugins easier for Sensu users.
(4) Resolve rubocop linting violations
Now that rubocop is updated, it will enforce new rules. If you open the repository in your IDE with the recommended plugins installed (rubocop linter and autocorrect), you’ll be able to work through these quickly. A few tips:
- Use `# rubocop:disable $THING`, where $THING is the specific rubocop cop being violated
- Don’t use `# rubocop:disable all`; stick with a specific disable as above
- Never add `disable all` to the top of a file, please
Using a specific disable
EDIT (03/02/2018): You should not change any code to use `.match?(/SOME_REGEX/)`, as it does not exist in Ruby < 2.4. Instead, you can add this to the `.rubocop.yml`:
```yaml
# .match?() only exists in ruby 2.4
Performance/RegexpMatch:
  Enabled: false
```
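As an added example for steps (3) and (4), not code from the post or from any sensu-plugins repository, the following Ruby script finds the rubocop pin in a `.gemspec`, uses rubygems' own `Gem::Requirement` to decide whether the pin can still resolve to something older than the `~> 0.51.0` standard, and rewrites the line in place. The gemspec text is constructed, and the function names (`rubocop_requirement`, `rubocop_needs_update?`, `bump_rubocop_pin`) are mine. It deliberately matches with `=~` rather than `String#match?`, which is the Ruby < 2.4 compatibility point made in the edit above.

```ruby
require 'rubygems'

# Version pin the post standardises on across all sensu-plugins repositories.
TARGET_RUBOCOP = '~> 0.51.0'.freeze

# Matches a line such as:
#   s.add_development_dependency 'rubocop', '~> 0.41.0'
# Groups: 1 = everything before the requirement, 2 = quote around the gem name,
#         3 = quote around the requirement, 4 = the requirement string itself.
DEP_LINE = /^(\s*\w+\.add_development_dependency\s+(['"])rubocop\2\s*,\s*)(['"])([^'"]+)\3/

# Constructed sample gemspec text (hypothetical plugin, not a real repository).
SAMPLE_GEMSPEC = <<~GEMSPEC
  Gem::Specification.new do |s|
    s.name        = 'sensu-plugins-example'
    s.version     = '1.0.0'
    s.add_runtime_dependency     'sensu-plugin', '~> 1.2'
    s.add_development_dependency 'rubocop',      '~> 0.41.0'
    s.add_development_dependency 'rspec',        '~> 3.1'
  end
GEMSPEC

# Returns the requirement string pinned for rubocop (e.g. "~> 0.41.0"), or nil
# when the gemspec declares no rubocop development dependency.
def rubocop_requirement(gemspec_text)
  gemspec_text.each_line do |line|
    # `=~` rather than String#match? so this also runs on Ruby < 2.4
    return Regexp.last_match(4) if line =~ DEP_LINE
  end
  nil
end

# Lowest version a requirement can resolve to ("~> 0.41.0" -> 0.41.0).
# Only lower-bound operators contribute; "< 1.0" alone imposes no minimum.
def minimum_allowed(req)
  lower_bounds = Gem::Requirement.new(req).requirements
                                 .select { |op, _| %w[>= > ~> =].include?(op) }
                                 .map { |_, version| version }
  lower_bounds.max || Gem::Version.new('0')
end

# True when bundler could still install a rubocop older than the standard pin.
def rubocop_needs_update?(gemspec_text)
  req = rubocop_requirement(gemspec_text)
  return false if req.nil? # nothing declared, nothing to bump
  minimum_allowed(req) < minimum_allowed(TARGET_RUBOCOP)
end

# Rewrites the rubocop line to the standard pin, keeping the file's own
# receiver name, quoting style and column alignment untouched.
def bump_rubocop_pin(gemspec_text)
  gemspec_text.each_line.map do |line|
    line.sub(DEP_LINE) { "#{$1}#{$3}#{TARGET_RUBOCOP}#{$3}" }
  end.join
end

if $PROGRAM_NAME == __FILE__
  puts "needs update: #{rubocop_needs_update?(SAMPLE_GEMSPEC)}"
  puts bump_rubocop_pin(SAMPLE_GEMSPEC)
end
```

To apply it to a real checkout, read the plugin's `.gemspec` into a string, pass it through `bump_rubocop_pin`, and write the result back; the `Gem::Requirement` comparison is what keeps the check honest for pins written as `>=` ranges rather than the `~>` form shown in the post.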
(5) Update the Changelog
We want to make sure other users of this plugin know what is in the next release. To do so, we ask that you update the CHANGELOG.md file. These changes go under the `### Security` section of `## Unreleased`, and a maintainer will move it to the next release section. Here’s an example from this PR:
```markdown
## [Unreleased]
### Security
- updated `rubocop` dependency to `~> 0.51.0` per: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8418. (@majormoses)
### Breaking Changes
- in order to bring in new rubocop dependency we need to drop ruby 2.0 support as it is EOL and aligns with our support policy. (@majormoses)
```
Feel free to copy and paste this and replace your username.
(6) Open the Pull Request and participate in review
Once you’ve committed your changes to your local branch and pushed them to your remote fork, you can open a Pull Request.
The quick way to do this is to navigate to the plugin you updated, like sensu-plugins/sensu-plugins-cassandra, and click the prompt.
A similar prompt to this will pop up for you.
At this point a maintainer will get engaged and may ask you for changes or give feedback. Please keep in mind this is done with the understanding that no one is perfect, especially me, and we will improve this code together. To make sure you don’t miss any updates, be sure to subscribe to notifications on the right-hand side of the Pull Request page.
(7) Merge and release (Maintainers step)
Once your code receives a 👍 from a maintainer, that maintainer will merge and cut a release. You can see that process here.
Find the latest version under the Releases tab
Once complete, you can go to the Releases tab on that plugin and download your contribution!
Rinse and Repeat
By following these (rough) steps you will make a very helpful contribution to the Sensu Community and learn a lot about the GitHub workflow. Along the way you will also learn Rubocop’s linting requirements, which have taught me to be a much better developer.
I hope that after you finish your first plugin you will start on your second! There’s a long list and a lot to learn. Slowly we will work through this together. As always, if you need help in any way, tag me on GitHub @majormoses or reach out on Sensu Community Slack.