Contributing to Sensu: Updating Rubocop to resolve CVE-2017-8418

This is a guest post to the Sensu Blog from Ben Abrams, one of the lead maintainers of the Sensu Plugins organization.

Vulnerabilities are something that are important to resolve when they come up. One low-priority one is CVE-2017-8418, which affects rubocop. Rubocop is used in every single (Ruby-based) Sensu Plugin, which means there are close to 200 repositories that need to be updated.

While this issue isn’t urgent, it is something I take to heart: I want everyone using Sensu to have safe and secure software running when they use a community plugin. I would also love your help to get us there.

On the most recent Sensu Community Chat, I walked listeners through updating the Cassandra Plugin to resolve this vulnerability. Here is the full video, completely unscripted, on how to work through one of these updates on a repo:

Below is more of a step-by-step guide so you can follow along with links. I write up these notes in the hope that you will set up your environment and go update one of the other plugins that still needs it from this list. It’d be great to have your contribution, and I promise you will learn how to use Ruby a little bit better by doing so.

Before you Begin

I recommend you have the following installed to make your life much easier during this:

Having these configured will make everything else a lot easier.

[Image: the “meta” issue that tracks updates across our many plugins]

(1) Claim a plugin

Go to the meta-issue that explains the need across the community: https://github.com/sensu-plugins/community/issues/77

Find an unchecked box next to a plugin, then scroll to the very bottom and add a comment saying you’ll cover it (making sure someone else hasn’t claimed it along the way):


(2) Fork and clone that plugin

Click the fork button to make your own remote copy of the repository, then clone it locally. So assuming I’m working on the Cassandra plugin, I would:

Now it’s ready to open in your IDE.

(3) Pin to the new rubocop version

Updating rubocop is as easy as updating the .gemspec file in the directory. You will see a line that looks like:

s.add_development_dependency 'rubocop', '~> 0.41.0'

And update it to:

s.add_development_dependency 'rubocop', '~> 0.51.0'

And run bundle to install the new version:


We’re using rubocop 0.51.0 across all repositories, even though newer versions have come out since then, so everyone has the same version of rubocop across the board. It makes the plugins easier to maintain and easier to use as a Sensu user.

(4) Resolve rubocop linting violations

Now that rubocop is updated, it will include new rules. If you open up your IDE with the recommended plugins installed (rubocop linter and autocorrect), you’ll be able to work through these quickly. A few tips to do so:

  • Use # rubocop:disable $THING where $THING is the rubocop violation
  • Don’t use # rubocop:disable all; stick with the specific disable above
  • Please never add a disable all to the top of a file

[Images: a disable all versus using a specific disable]

EDIT (03/02/2018): You should not change any code to use .match?(/SOME_REGEX/), as it does not exist in Ruby < 2.4. Instead, you can add this to the rubocop.yml:

# .match?() only exists in ruby 2.4
Performance/RegexpMatch:
  Enabled: false

(5) Update the Changelog

We want to make sure other users of this plugin know what is in the next release. To do so, we ask that you update the CHANGELOG.md file. These changes will go under the ### Security section of ## Unreleased and a maintainer will move it to the next release section. Here’s an example from this PR:

## [Unreleased]

### Security
- updated `rubocop` dependency to `~> 0.51.0` per: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8418. (@majormoses)

### Breaking Changes
- in order to bring in new rubocop dependency we need to drop ruby 2.0 support as it is EOL and aligns with our support policy. (@majormoses)

Feel free to copy and paste this and replace your username.
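As an added example (not code from the Sensu Plugins project), here are steps 3 and 5 done in Ruby against in-memory file contents: the gemspec re-pin and the CHANGELOG.md entry, with the ### Security heading created when a repository does not have one yet. The sample gemspec and changelog contents are constructed for the illustration, modelled on the snippets above.

```ruby
# Added illustration (not Sensu Plugins code): steps 3 and 5 of the guide
# applied to file contents held in memory.
NEW_PIN = '~> 0.51.0'
CVE_URL = 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8418'
# Step 3: re-pin the rubocop development dependency in a .gemspec.
# Raises if no rubocop pin is present so a typo is not silently ignored.
def pin_rubocop(gemspec, version = NEW_PIN)
  pattern = /^(\s*s\.add_development_dependency\s+'rubocop',\s*)'[^']*'/
  raise 'no rubocop development dependency found' unless gemspec =~ pattern
  gemspec.sub(pattern) { "#{Regexp.last_match(1)}'#{version}'" }
end
# Step 5: add the Security entry under ## [Unreleased] in CHANGELOG.md,
# creating the ### Security heading when the section does not exist yet.
def add_security_entry(changelog, username)
  entry = "- updated `rubocop` dependency to `#{NEW_PIN}` per: #{CVE_URL}. (@#{username})"
  lines = changelog.lines.map(&:chomp)
  unreleased = lines.index { |l| l.start_with?('## [Unreleased]') }
  raise 'CHANGELOG.md has no ## [Unreleased] section' unless unreleased
  # the Unreleased section runs until the next "## " release heading
  rest = lines[(unreleased + 1)..-1].index { |l| l.start_with?('## ') }
  section_end = rest ? unreleased + 1 + rest : lines.size
  security = lines[unreleased...section_end].index { |l| l.start_with?('### Security') }
  if security
    lines.insert(unreleased + security + 1, entry)
  else
    lines.insert(unreleased + 1, '', '### Security', entry)
  end
  lines.join("\n") + "\n"
end

# Constructed sample inputs, modelled on the snippets in the guide.
SAMPLE_GEMSPEC = <<~GEMSPEC
  Gem::Specification.new do |s|
    s.name = 'sensu-plugins-example'
    s.add_development_dependency 'rubocop', '~> 0.41.0'
  end
GEMSPEC
SAMPLE_CHANGELOG = <<~CHANGELOG
  ## [Unreleased]

  ### Breaking Changes
  - dropped ruby 2.0 support as it is EOL. (@majormoses)

  ## [1.0.0] - 2017-01-01
  - initial release
CHANGELOG

puts pin_rubocop(SAMPLE_GEMSPEC)
puts add_security_entry(SAMPLE_CHANGELOG, 'your-github-username')
```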

(6) Open the Pull Request and participate in review

Once you’ve committed your changes to your local branch and pushed them to your remote fork, you can open a Pull Request.

The quick way to do this is to navigate to the plugin you updated, like sensu-plugins/sensu-plugins-cassandra, and click the prompt.

[Image: a similar prompt to this will pop up for you]

At this point a maintainer will get engaged and may ask you for changes or give feedback. Please keep in mind this is done with the understanding that no one is perfect, especially me, and we will improve this code together. To make sure you don’t miss any updates, be sure to subscribe to notifications on the right-hand side of the Pull Request page.


(7) Merge and release (Maintainers step)

Once your code receives a 👍 from a maintainer, that maintainer will merge and cut a release. You can see that process here.

[Image: find the latest version under the Releases tab]

Once complete, you can go to the Releases tab on that plugin and download your contribution!

Rinse and Repeat

By following these (rough) steps you will make a very helpful contribution to the Sensu Community and learn a lot about the GitHub workflow. Along the way you will also learn Rubocop’s linting requirements, which have taught me to be a much better developer.

I hope after you finish your first plugin you will start on your second! There’s a long list and a lot to learn. Slowly we will work through this together. As always, if you need help in any way, tag me on GitHub @majormoses or reach out on Sensu Community Slack.
