Add security checks and dependency audit

Introduce a rake security task that runs bundler-audit and Semgrep,
document the workflow, and pin stringio to address CVE-2024-27280.

Author: evolve75

CHANGELOG.md

@@ -88,6 +88,13 @@ Changes section to scan for breaking or behavioral changes.
 * Accept hash-like inputs (`to_hash`) in hash conversion to support Rails
   `HashWithIndifferentAccess` data (see #104).
 
+* Add `bundler-audit` to support security-focused dependency checks.
+
+* Pin `stringio` to `>= 3.0.1.1` in development to address CVE-2024-27280.
+
+* Add a `rake security` task that runs `bundler-audit` and Semgrep (when
+  installed).
+
 * Add AVL, AA, Treap, Binary Heap, and Binary Max-Heap implementations with
   ordered insert/search/delete or insert/extract operations.
 

CONTRIBUTING.md

@@ -23,6 +23,8 @@ Development dependencies (not required for installing the gem):
 * [awesome_bot][] for markdown link checking
 * [mdl][] for markdown linting
 * [RuboCop][] for linting the code
+* [bundler-audit][] for security advisory checks
+* [Semgrep][] for security-focused static analysis (optional)
 
 If RubyGems warns about ambiguous `stringio` specs in your dev gemset,
 remove the extra versions in this repo’s gemset (for example):
@@ -77,6 +79,9 @@ installed automatically by [Bundler][].
 * Run `bundle exec rake lint` and `bundle exec rake test:all` before proposing
   changes. Resolve all RuboCop offenses before committing.
 * Run `bundle exec rake doc:check` when modifying markdown documentation.
+* Run `bundle exec rake security` for dependency and static security checks.
+  Semgrep is optional; if it is not installed, the task will warn and skip it.
+  If Semgrep fails to download rules, set `SSL_CERT_FILE=/etc/ssl/cert.pem`.
 * Update `CHANGELOG.md` for notable changes and API behavior changes.
 * Update `README.md` when introducing new capabilities or new tree types.
 * Ensure YARD documentation exists for new or modified modules, classes, and
@@ -108,13 +113,15 @@ bundle exec rake bench
 [Bundler]: https://bundler.io
 [contributor_covenant]: https://www.contributor-covenant.org/version/2/1/
 [awesome_bot]: https://github.com/dkhamsing/awesome_bot
+[bundler-audit]: https://github.com/rubysec/bundler-audit
 [github_issues]: https://github.com/evolve75/RubyTree/issues
 [mdl]: https://github.com/markdownlint/markdownlint
 [Rake]: https://rubygems.org/gems/rake
 [Ruby]: https://www.ruby-lang.org
 [RSpec]: https://rspec.info/
 [RuboCop]: https://rubocop.org/
 [SCM]: https://en.wikipedia.org/wiki/Source_Code_Management
+[Semgrep]: https://semgrep.dev
 [Yard]: https://yardoc.org
 [git]: https://git-scm.com
 [rt@github]: https://github.com/evolve75/RubyTree

Gemfile.lock

@@ -10,6 +10,9 @@ GEM
     ast (2.4.3)
     awesome_bot (1.20.0)
       parallel (= 1.20.1)
+    bundler-audit (0.9.3)
+      bundler (>= 1.2.0)
+      thor (~> 1.0)
     cgi (0.5.1)
     chef-utils (19.1.164)
       concurrent-ruby
@@ -99,9 +102,10 @@ GEM
     simplecov-html (0.13.2)
     simplecov-lcov (0.9.0)
     simplecov_json_formatter (0.1.4)
-    stringio (3.0.1)
+    stringio (3.2.0)
     test-unit (3.7.7)
       power_assert
+    thor (1.5.0)
     tomlrb (2.0.4)
     tsort (0.2.0)
     unicode-display_width (3.2.0)
@@ -115,6 +119,7 @@ PLATFORMS
 DEPENDENCIES
   awesome_bot (~> 1.20)
   bundler (~> 2.6)
+  bundler-audit (~> 0.9)
   mdl (~> 0.13)
   rake (~> 13.3)
   rdoc (~> 7.1)
@@ -126,6 +131,7 @@ DEPENDENCIES
   rubytree!
   simplecov (~> 0.22)
   simplecov-lcov (~> 0.9)
+  stringio (~> 3.0, >= 3.0.1.1)
   test-unit (~> 3.7)
   yard (~> 0.9)
 

Rakefile

@@ -66,6 +66,24 @@ end
 desc 'Run lint checks'
 task lint: %i[gemspec rubocop]
 
+# ................................ Security checks
+desc 'Run security checks (bundler-audit, semgrep)'
+task :security do
+  sh('bundle', 'exec', 'bundler-audit', 'check', '--update')
+
+  semgrep_available = system('command -v semgrep >/dev/null 2>&1')
+  unless semgrep_available
+    warn 'WARN: semgrep not found; skipping semgrep security scan.'
+    return
+  end
+
+  env = {}
+  default_cert = '/etc/ssl/cert.pem'
+  env['SSL_CERT_FILE'] = default_cert if ENV['SSL_CERT_FILE'].nil? && File.exist?(default_cert)
+
+  sh(env, 'semgrep', '--config', 'p/r2c-security-audit', '--config', 'p/ruby', 'lib')
+end
+
 # ................................ Release checks
 desc 'Run release checks (lint, tests, docs, package)'
 task 'release:check' => %i[lint test:all doc:yard gem:package]

rubytree.gemspec

@@ -82,8 +82,10 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rubocop-rspec', '~> 3.0'
   s.add_development_dependency 'simplecov', '~> 0.22'
   s.add_development_dependency 'simplecov-lcov', '~> 0.9'
+  s.add_development_dependency 'stringio', '~> 3.0', '>= 3.0.1.1'
   s.add_development_dependency 'test-unit', '~> 3.7'
   s.add_development_dependency 'yard', '~> 0.9'
+  s.add_development_dependency 'bundler-audit', '~> 0.9'
 
   s.post_install_message = <<-END_MESSAGE
     ========================================================================