Remove Security Alerts functionality

- GitHub's Security Advisories tooling (https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies) gives us this for free, in a UI that we all look at more regularly. Even the Cyber Security team here trust it! - Let's stop maintaining quite so much custom code here.
alphagov-mirror · Nov 6, 2019 · 4ff8fea · 4ff8fea
1 parent 3c10331
commit 4ff8fea
Show file tree

Hide file tree

Showing 23 changed files with 0 additions and 765 deletions.
diff --git a/Gemfile b/Gemfile
@@ -2,7 +2,6 @@ source "https://rubygems.org"
 
 ruby File.read(".ruby-version").chomp
 
-gem "bundler-audit", git: "https://github.com/rubysec/bundler-audit", branch: "master"
 gem "octokit", "~> 4.3"
 gem "rake", "~> 12.3.0"
 gem "sinatra"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,12 +1,3 @@
-GIT
-  remote: https://github.com/rubysec/bundler-audit
-  revision: b84d88f76c4d656421c1d810c9760b0fdea5d13a
-  branch: master
-  specs:
-    bundler-audit (0.6.0)
-      bundler (~> 1.2)
-      thor (~> 0.18)
-
 GEM
   remote: https://rubygems.org/
   specs:
@@ -97,7 +88,6 @@ GEM
       tilt (~> 2.0)
     slack-poster (2.2.1)
       faraday (~> 0.9)
-    thor (0.20.0)
     tilt (2.0.8)
     timecop (0.9.1)
     unicode-display_width (1.6.0)
@@ -114,7 +104,6 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler-audit!
   climate_control (~> 0.2)
   govuk-lint
   octokit (~> 4.3)

diff --git a/README.md b/README.md
@@ -3,7 +3,6 @@
 A tool for:
 - Viewing all of the outstanding open pull requests made by Dependabot to GOV.UK repos
 - Sending Slack messages to GDS Teams reminding them of open Dependabot PRs for their applications
-- Viewing security alerts for old gems found in Gemfile.lock
 
 ## Screenshots
 
@@ -25,7 +24,6 @@ by Dependabot and groups them in various ways:
 ### Dependencies
 
 - [octokit/octokit.rb](https://github.com/octokit/octokit.rb) - Used for interacting with the GitHub API
-- [bundler-audit](https://github.com/rubysec/bundler-audit) - Security scanner for identifying CVEs
 
 ### Running the application
 
@@ -50,28 +48,3 @@ If you find yourself being rate limited by GitHub - you can define the `GITHUB_T
 This needs to be a token generated from GitHub, however as the repositories are all public it needs no special
 permissions.
 
-### Security Alerts
-
-![screenshot](https://user-images.githubusercontent.com/1215147/36216867-e2141466-11a7-11e8-8511-7a8942b55395.png)
-
-When navigating to the security alerts page (`/security-alerts`) it will update the local advisory-db copy, download, and save the
-gemfiles for every ruby project defined within [apps.json](docs.publishing.service.gov.uk/apps.json).
-
-#### Gemfiles
-
-When downloading gemfiles for each application when checking for security alerts, they can be found within `tmp/{application_name}_gemfile.lock`
-
-#### Advisory DB
-
-The security alerts feature works by using [bundler-audit](https://github.com/rubysec/bundler-audit) which relies on having
-a local copy of the [ruby-advisory-db](https://github.com/rubysec/ruby-advisory-db/). Without this, the security alerts page
-will show that there are no security alerts even if some exist.
-
-To update this database you can run:
-
-`bundle exec rake update_advisory_db`
-
-Additionally, to update this within code you can run:
-
-`Bundler::Audit::Database.update!`
-
diff --git a/Rakefile b/Rakefile
@@ -1,5 +1,4 @@
 require_relative "dependapanda"
-require "bundler/audit/database"
 require "vcr"
 require "net/http"
 
@@ -20,18 +19,6 @@ task :dependapanda_loud do
   Dependapanda.new.send_full_message
 end
 
-task :save_application_gemfiles do
-  UseCases::Gemfiles::Save.new(
-    fetch_gemfiles: UseCases::Gemfiles::Fetch.new(
-      teams_use_case: UseCases::Teams::Fetch.new,
-    ),
-  ).execute
-end
-
-task :update_advisory_db do
-  Bundler::Audit::Database.update!
-end
-
 desc "Recreate the vcr cassettes. For example `rake record_cassette[org:alphagov topic:govuk]`"
 task :record_cassette, [:search_string] do |_, args|
   octokit = Octokit::Client.new(auto_paginate: true)

diff --git a/app.rb b/app.rb
@@ -58,20 +58,4 @@ class GovukDependencies < Sinatra::Base
     ).execute(team: params.fetch(:team))
     "[ok]"
   end
-
-  get "/security-alerts" do
-    cache :security_alerts, 43200 do
-      Bundler::Audit::Database.update!(quiet: true)
-
-      UseCases::Gemfiles::Save.new(
-        fetch_gemfiles: UseCases::Gemfiles::Fetch.new(
-          teams_use_case: UseCases::Teams::Fetch.new,
-        ),
-      ).execute
-
-      application_security_alerts = UseCases::SecurityAlerts::Fetch.new.execute
-
-      erb :security_alerts, locals: { application_security_alerts: application_security_alerts }, layout: :layout
-    end
-  end
 end
diff --git a/lib/domain/gemfile.rb b/lib/domain/gemfile.rb
diff --git a/lib/gateways/file.rb b/lib/gateways/file.rb
diff --git a/lib/gateways/gemfile.rb b/lib/gateways/gemfile.rb
diff --git a/lib/gateways/security_alert.rb b/lib/gateways/security_alert.rb
diff --git a/lib/use_cases/gemfiles/fetch.rb b/lib/use_cases/gemfiles/fetch.rb
diff --git a/lib/use_cases/gemfiles/save.rb b/lib/use_cases/gemfiles/save.rb
diff --git a/lib/use_cases/security_alerts/fetch.rb b/lib/use_cases/security_alerts/fetch.rb
diff --git a/public/assets/application.css b/public/assets/application.css
@@ -31,11 +31,6 @@ nav a, nav a:visited {
   text-decoration: none;
 }
 
-.security-alerts-link {
-  float: right;
-  font-size: 1em;
-}
-
 .apps {
   font-size: 1.2em;
   list-style: none;
@@ -100,31 +95,6 @@ h2 {
   margin-bottom: 10px;
 }
 
-h2.security-alert-title {
-  color: #735c0f;
-  display: inline;
-  font-weight: bold;
-  margin-left: 5px;
-}
-
-.security-alerts {
-  margin-top: 15px;
-  padding: 0;
-}
-
-.security-apps {
-  margin: 0 45px;
-}
-
-.security-app {
-  background-color: #fffbdd;
-  border-radius: 10px;
-  color: #735c0f;
-  list-style-type: none;
-  padding: 20px 10px 10px;
-  margin: 10px;
-}
-
 .pull-request-status {
   color: #777;
 }
@@ -159,17 +129,6 @@ h2.security-alert-title {
   text-decoration: underline;
 }
 
-.no-security-alerts {
-  position: absolute;
-  top: 50%;
-  left: 50%;
-  margin: -100px 0 0 -200px;
-}
-
-.no-security-alerts h1 {
-  color: #777;
-}
-
 .stats {
   font-size: 1.5em;
   margin: 40px 0;

diff --git a/spec/acceptance/app_spec.rb b/spec/acceptance/app_spec.rb
@@ -249,28 +249,4 @@ def app() described_class end
       expect(last_response.body).to include("Total PRs opened by Dependabot: 4")
     end
   end
-
-  context "Security Alerts Page" do
-    before do
-      stub_request(:get, "https://docs.publishing.service.gov.uk/apps.json")
-        .to_return(
-          body: File.read("spec/fixtures/team_with_a_single_application.json"),
-          headers: { "Content-Type" => "application/json" },
-        )
-
-      stub_request(:get, "https://raw.githubusercontent.com/alphagov/publisher/master/Gemfile.lock")
-      .to_return(
-        body: File.read("spec/fixtures/Gemfile.lock"),
-        headers: { "Content-Type" => "application/json" },
-      )
-    end
-
-    it "should display the total PRs opened by dependabot" do
-      get "/security-alerts"
-      expect(last_response).to be_ok
-      expect(last_response.body).to include("rubocop")
-      expect(last_response.body).to include("Criticality")
-      expect(last_response.body).to include("low")
-    end
-  end
 end