CONTRIBUTING.md development section is missing a small note about the need to setup some basic env vars so tests run and the existance of .envrc.example.

Without this running tests as described in this file will fail and its confusing!

Add docs reference page on setting up a config file. May not be necessary given the mirroring of flags, but displaying the default file can provide value.

Adding custom detectors currently requires work in the core more frequently than we'd like.

We've also been prioritising progress over refactoring/re-architecting, so there is also potential for improving the separation of concerns / readability of the codebase.

Run custom detectors and convert output to legacy detections format.

• Construct generic and ruby detectors
• Create executor for ruby using those detectors
• Call from detectors.ExtractWithDetectors ?
• Translate detections to legacy format

As the basics technical requirements of each laws are similar in their requirements (maintain an inventory of assets, know what data types are shared with 3rd parties, ensure data is adequately protected), we can make a Privacy Report that will tackle a large range of laws while automating the laborious tasks that legal teams require engineering to perform.

This feature will leverage Curio's detections capabilities and put it in a format that will make exploitation by legal teams easier. Our goal is to reduce the friction between engineering and legal teams.

1. Subjects and Data-types Inventory

This report will compute together all Subjects and Data Types detected through codebase scan.

To detect subject, we will use the "object" item when they are classified as a type of person. Our current list of Subjects is :

{TO-DO: retrieve the list of subjects we currently have embedded in the codebase}

Curio will also report the number of policies tested against the data found in the codebase. It will list how many are failing, their severity, and how many have passed.

Output format:

Cardinality: one line per data-type per subject.

Must-Have output format is CSV. Other formats are nice to have.

2. Third-Parties Data Sharing Inventory

Curio has the ability to detect Third Party usage through codebase inspection. Read more about this here.

For each detected Third-Party, Curio will list all Subjects & Data Types determined to be exchanged through the integration. If Curio isn't capable of determining what Data are exchanged with a Third party, it will report an unknown state.

Curio will also report the number of policies tested against the data found in the codebase. It will list how many are failing, their severity, and how many have passed.

Output file:

Cardinality: one line per Third-Party per Subject

Must-Have output format is CSV. Other formats are nice to have.

What Curio's privacy report won't provide

• GDPR Processing Activities: to the best of our experience and knowledge, there isn't a one-size-fits-all for Processing Activities legal requirement. Each organization will have its own legal implementation of processing activities. As there isn't any clue in the codebase to build that part of the legal requirements of GDPR, we deliberately leave out of the feature that concept.

Description

We have a secret detection feature but aren't showing these in the report nor have a policy setup for it.

https://github.com/Bearer/curio/blob/main/pkg/detectors/gitleaks/gitleaks.go

We should have them showing up in the dataflow report (in risk) and have them raise a critical policy

Description

The Rails JWT custom detection currently detects the following code.

JWT.encode(ENV.fetch("SOME_SECRET"))

Expected Behavior

The above code should not be detected.

Actual Behavior

The above code is detected.

Your Environment

• Version used: v0.19.0
• Target codebase stack (e.g. Ruby): Ruby
• Operating System and version:
• Link to your project or code sample:

Description

The Ruby file custom detection currently detects CSV.open and File.open; it should support IO.open as well.

Expected Behavior

IO.open should be detected.

Actual Behavior

IO.open is not detected.

Your Environment

• Version used: v0.19.0
• Target codebase stack (e.g. Ruby): Ruby
• Operating System and version:
• Link to your project or code sample:

Description

Installation script isn't sufficient to have curio working on some Linux distributions

Expected Behavior

Actual Behavior

[centos@centos-brr-test ~]$ ./bin/curio scan bear-publishing/
./bin/curio: /lib64/libstdc++.so.6: version `CXXABI_1.3.9' not found (required by ./bin/curio)
./bin/curio: /lib64/libstdc++.so.6: version `GLIBCXX_3.4.21' not found (required by ./bin/curio)
./bin/curio: /lib64/libc.so.6: version `GLIBC_2.34' not found (required by ./bin/curio)
./bin/curio: /lib64/libc.so.6: version `GLIBC_2.32' not found (required by ./bin/curio)

[cloudlinux@archlinux-brr-test ~]$ ./bin/curio scan bear-publishing/
./bin/curio: /lib64/libc.so.6: version `GLIBC_2.34' not found (required by ./bin/curio)
./bin/curio: /lib64/libc.so.6: version `GLIBC_2.32' not found (required by ./bin/curio)

debian@debion-brr-test:~$ ./bin/curio scan bear-publishing/
./bin/curio: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./bin/curio)
./bin/curio: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./bin/curio)

Possible Fix

Make the install script install the required libs ?

Steps to Reproduce

Try installing curio on Debian / ArchiLniux / CentOS vanilla.

Context

QA Test

Your Environment

• Version used: v0.19
• Target codebase stack (e.g. Ruby): bear-publishing
• Operating System and version: CentOS 7 , Debian 11, ArchLinux/CloudLinux 8

When a scan doesn't return any data found, the display is not very adapted.

Description

Here is an example:

Expected Behavior

Possible options:

• Remove the line when nothing is found
• Then, make sure, if nothing has been found at all, change the whole block.
• Or change the sentence by "No data type found"

Actual Behavior

Bad display

Your Environment

• Version used: 0.19

We are currently setting the risk content to a dummy value. It should be the pattern that matched.

When running policy scan on a project that doesn't support policy scans (JS), curio presents an incorrect command for running a dataflow scan.

Description

The final line of the output provides incorrect instructions

curio scan .
Scanning target .
 └ 100% [===============] (984/984, 56 files/s) [17s]
Running Detectors
Generating dataflow

The policy report is not yet available for your stack. Learn more at https://curio.sh/explanations/reports/

Though this doesn’t mean the curious bear comes empty-handed, it found:

- 13 unique data type(s), representing 66 occurrences, including PII, Personal Data (Sensitive).
- 2 database(s) storing 13 data type(s) including 0 encrypted data type(s).
- 3 external service(s).

Run the data flow report if you want the full output using: curio scan --report dataflow

Expected Behavior

curio scan --report dataflow [PATH]

Actual Behavior

curio scan --report data flow

Your Environment

• Version used: 0.21.1
• Target codebase stack (e.g. Ruby): javascript
• Operating System and version:
• Link to your project or code sample:

detect_encrypted_ruby_class_properties is the verifier we use to mark a SQL detection as encrypted.

We could add this new processor here that would automatically flag the fields that are prefixed by encrypted_ as encrypted.

package bearer.db_encrypted

 import future.keywords

 default encrypted := false

 encrypted = true {
     startswith(lower(input.target.value.field_name),  "encrypted_")
 }

 verified_by := [
     {
         "detector": "db_encrypted",
     }

The flow analysis is currently fairly basic and doesn't handle all the cases the legacy "variable reconciliation" logic does.

The object detector from the spike doesn't handle all the cases we support in the legacy data types implementation.

• Classes
• Calls
• Element reference

Description

We would like to support "direct" installation — and, therefore, upgrades — via the most common Linux package managers.

The most common Linux package managers are those based on dpkg and rpm: specifically, apt-get and yum, respectively.

Proposed solution

We can use nFPM to build .deb and .rpm packages, and this tool integrates directly with GoReleaser. The build packages will be pushed into a separate curio-repo repository, to which users can point their package managers.

Trivy uses a setup from which we can draw inspiration:

User-facing interface to released packages

• A dedicated repository is used to store the built packages; this repository is configured as a GitHub Pages site
• The README file of the trivy-repo repository provides installation instructions for the supported package managers

Internal build mechanism for packages

• The "release" entry point is a GitHub Action
• The nfpms section of the GoReleaser configuration describes the specifics of the package build
• Each package format has a dedicated script to update the released package in the trivy-repo repository: .deb, .rpm
• Releases (and docker manifests) are signed using cosign

Description

The --workers option appears not to be respected.

Expected Behavior

The --workers option should control the number of workers that are spawned.

Actual Behavior

The --workers option appears to have no effect on the number of workers that are spawned.

Possible Fix

Perhaps we should remove the --workers option entirely, hiding it from the end user?

Your Environment

• Version used: v0.19.0
• Target codebase stack (e.g. Ruby): Ruby
• Operating System and version:
• Link to your project or code sample:

We need to support OR and min/max integer constant value

The current config file is becoming way too big. It contains detectors and policies and its content.
We need to keep this folder as slim as possible

Let's add external folders for detectors and policies

current

policy:
    only-policy: []
    skip-policy: []

report:
    format: ""
    output: ""
    report: policies

scan:
    context: ""
    debug: false
    disable-domain-resolution: true
    domain-resolution-timeout: 3s
    force: false
    internal-domains: []
    custom_detector: # <--- to be removed
      # Long content
    policies: # <--- to be removed
      # Long content

after

policy:
    only-policy: []
    skip-policy: []

detector:
    only-detector: [] # <--- to add
    skip-detector: [] # <--- to add
  
report:
    format: ""
    output: ""
    report: policies

scan:
    context: ""
    debug: false
    disable-domain-resolution: true
    domain-resolution-timeout: 3s
    force: false
    internal-domains: []
    external-detector-dir: [] #  <--- to add
    external-policy-dir: [] # <--- to add

Implement custom rule settings/options that aren't yet supported

Folders/file present /gitignore are scanned.

Description

Folders and files referenced in a .gitignore shouldn't be scanned.

Expected Behavior

Avoid scanning files and folder present in a .gitignore

Steps to Reproduce

1. Add a folder/file folder_to_ignore/test.txt in a sample app and add folder_to_ignore folder in the app .gitignore
2. Scan the sample app in debug mode .
3. Notice that it scan the files present in the folder_to_ignore folder.

Context

It slows down the scan a lot.

Your Environment

• Version used: 0.19.0
• Target codebase stack (e.g. Ruby): Ruby
• Operating System and version: Mac OS 13
• Link to your project or code sample: n/a

As this work is starting from a spike, there are no tests currently.

Description

Google Cloud APIs are matching with a wildcard *.googleapis.com but ajax.googleapis.com shouldn't be considered.

Expected Behavior

ajax.googleapis.com should not be classified and present in the component section

Actual Behavior

ajax.googleapis.com is classified as a Google API and is present in the component section

Docker seems like an interesting option to help people get started with curio on any setup very easily.
In the end, it should be as simple as running docker pull bearer/curio:latest.

We should use a small image like alpine to run the binary

Links

• https://goreleaser.com/customization/docker/?h=dockers
• https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml#L98-L148

We have the battle tests that we used to check the stats on the top 5k repositories per language.
It is being triggered by this workflow

Now that we have the policies in place, we would like to update the battle tests a bit to allow it to run the policies and to send the output of the policies on S3 (so that we can review the results).

NB: This means only run it on the Ruby projects only

Description

When the curio scan command is run on a project that is not supporting policies, it provides a summary of finding and an explainer on how to run the dataflow report - but the command provided is misleading users by not including the "repo" name to scan.

Possible Fix

Dynamically adapt the command reference curio scan --report dataflow by appending it the repo path used to run the original command. That way, the user can simply copy/paste the explainer line and it will work!

Steps to Reproduce

1. Run curio scan path-to-project on a project not support policies
2. Read the last line of the output that tell to run the report dataflow command

Context

We've seen quite a few people trusting the command explainer and see it failing because it didn't include their repo name into it, leading to user getting list.

Your Environment

• Version used: 0.21
• Target codebase stack (e.g. Ruby): anything else that Ruby

Description

.browserslistrc is a fairly common file used to indicate supported browsers in a webapp

Expected Behavior

Should not trigger CR-025

Actual Behavior

CRITICAL: Do not leak secrets. [CR-025]
https://curio.sh/reference/policies/#CR-025

Detected: Sensitive file name
File: .../.browserslistrc:1

file had the following content

defaults

Possible Fix

ignore this file

Steps to Reproduce

1. create a file called .browserslistrc
2. run curio scan

Your Environment

• Version used: 0.22.0
• Target codebase stack (e.g. Ruby): Ruby

Currently, policy output displays a name, id, and section of code where the failure happened. For policies that may have multiple detection sub-types (like secret detection), it would be valuable to know specifically which sub-type caused the failure. Here are two possible proposals:

Option 1: Append details to the end of the name, without modifying the existing name.

CRITICAL: Do not leak secrets. AWS Access Token detected. [CR-025]
...

Option 2: Create new line in output block.

CRITICAL: Do not leak secrets. [CR-025]
https://curio.sh/reference/policies/#CR-025

Detected: AWS Access Token
File: integration/policies/testdata/leak/aws.js:1
...
...

we should decouple schema classification and its types.
Schema classification should have and use its own types instead of being tightly integrated with schema.Datatype

Description

I had to update the SHA based on the checksums.txt from the release after the latest release https://github.com/Bearer/curio/actions/runs/3750808752/jobs/6371000717

Bearer/homebrew-tap@07689b9

I downloaded the checksums.txt and I updated them.

Expected Behavior

brew update && brew upgrade curio doesn't raise an error for mismatch sha256

❯ brew upgrade curio
Warning: Treating curio as a formula. For the cask, use homebrew/cask/curio
==> Upgrading 1 outdated package:
bearer/curio/curio 0.19.0 -> 0.20.1
==> Fetching bearer/curio/curio
==> Downloading https://github.com/Bearer/curio/releases/download/v0.20.1/curio_0.20.1_darwin_arm64.tar.gz
Already downloaded: /Users/user/Library/Caches/Homebrew/downloads/adbf6450f6898eb4e4a9221bcca466404a0a3c2845ff13ba1740ad4ef6220782--curio_0.20.1_darwin_arm64.tar.gz
==> Upgrading bearer/curio/curio
  0.19.0 -> 0.20.1

🍺  /usr/local/homebrew/Cellar/curio/0.20.1: 5 files, 56.6MB, built in 2 seconds
==> Running `brew cleanup curio`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /usr/local/homebrew/Cellar/curio/0.19.0... (5 files, 56.4MB)
Removing: /Users/user/Library/Caches/Homebrew/curio--0.19.0.tar.gz... (11.6MB)

Actual Behavior

❯ brew upgrade curio
Warning: Treating curio as a formula. For the cask, use homebrew/cask/curio
==> Upgrading 1 outdated package:
bearer/curio/curio 0.19.0 -> 0.20.1
==> Fetching bearer/curio/curio
==> Downloading https://github.com/Bearer/curio/releases/download/v0.20.1/curio_0.20.1_darwin_arm64.tar.gz
Already downloaded: /Users/user/Library/Caches/Homebrew/downloads/adbf6450f6898eb4e4a9221bcca466404a0a3c2845ff13ba1740ad4ef6220782--curio_0.20.1_darwin_arm64.tar.gz
Error: SHA256 mismatch
Expected: 5363835145d3dac64bc7dc6db6ee9c871fa0c3d343ed459f818adf856d4cdf9a
  Actual: 8098cf491f8f83843dfb2e6ae587aaadae099594f7727fa4c040669e74889db5

Context

This file is being used to generate and publish

https://github.com/Bearer/curio/blob/bf3b9056005881a2788e53fb40d5d742c8676470/goreleaser/publish_brew.yaml

Add a page to the docs and/or contribution guide on how to add individual recipes.

Proposal

We can improve our rules by adding some rules for the following monitoring tools, I've also looked at the number of downloads for their gems to give a rough idea of popularity.

• NewRelic (119M)

  • log collection on by default in latest version
  • config options we could check and Tracer Options
  • Manual Errors aka notice

• Sentry (83M) old gem

  • Check Fitering of params
  • Tagging and Tracing

• Rollbar (44M)

  • Rollbar.error etc.
  • before_process
  • transform
  • custom_data_method
  • log_payload?
  • person_method (and individual config options)
  • scrub_fields

• Datadog (44M) - log collection @didroe

  • Filtering params
  • https://docs.datadoghq.com/logs/log_collection/ruby/
  • Spans - https://docs.datadoghq.com/tracing/guide/add_span_md_and_graph_it/?code-lang=ruby
  • Scrubbing data

• Airbrake (37M)

  • Notify @elsapet #514
  • Filtering params

• Bugsnag (33M) @cfabianski

  • #509
  • Various things here like notify, user identification, breadcrumbs, diagnostic data.

• HoneyBadger (22M) @cfabianski

  • #509
  • Notify similar to sentry
  • Tagging

• Scout APM (12M) @didroe

  • Custom instrumentation

OpenTelemetry

• limited ruby support (just tracing) #520
• Tracing we might want to monitor https://opentelemetry.io/docs/instrumentation/ruby/manual/#get-the-current-span

Used By

• Appdynamics

Others to keep an eye on

• Splunk
  • Gem Deprecated (2017) https://github.com/splunk/splunk-sdk-ruby
  • Integration now though REST API - covered by other policies?

GoReleaser can be customized and has a particularly interesting option announce that we should be using.

It supports

• Discord
• LinkedIn
• Mastodon
• Mattermost
• Reddit
• Slack
• SMTP
• Teams
• Telegram
• Twitter
• Webhook

Create the string detector for Ruby.

• string_content has literal value
• interpolation:
  • identifier is string detection of the identifier (or * when there was no detection)

     a = "abc" # detection "abc"
     "#{a}sdaffds" # detection "abcsdaffds"
    
     a = call() # no detection
     "#{a}sdaffds" # detection "*sdaffds"

  • anything else is *
• concatenation (+ operator, string node)

Description

We cache the detections based on the SHA of the repo being scanned and the version of curio to get faster results after the first scan.
Though, if the scan hasn't successfully completed (killed, ctrl-c, ...) we still reuse the cached version.

Expected Behavior

We should use the cached detections only if the previous scan has been successful.

Actual Behavior

We use the cached detections even when the previous scan has been killed.

Possible Fix

• Use a temporary name and rename it once the process is complete.
  • Check for the final name and not the temporary one
• Add a line at the end of the report and only reuse this file if this line is included

Description

We should filter out the data category passwords from showing up in application missing encryption policy.

Expected Behavior

Considering the table below, you should not see an alert for password missing application encryption

CREATE TABLE public.users (
  -- ...
  first_name character varying,
  password character varying,
  -- ...
)

Actual Behavior

You see an alert

Description

The CI seems to hang when running the integration tests.
This PR #250 attempted to address this but this behaviour seems to still be happening

See this actions https://github.com/Bearer/curio/actions/runs/3708056420/jobs/6285192136

Expected Behavior

The CI is reliable

Actual Behavior

The CI hangs

Possible Fix

• Separate integration tests and Unit Tests from the CI
• Fix the integration tests on GitHub Action

Steps to Reproduce

1. Issue a PR
2. Check the CI

Context

Only seems to happen on GitHub Actions.
I don't seem to be able to reproduce it locally for now.

Description

Curio errors when processing symlink that does not exist in the project

Expected Behavior

The file is skipped

Actual Behavior

./curio scan  ~/development/mastodon/
Error: filesystem scan error: stat /Users/gotbadger/development/mastodon//public/500.html: no such file or directory
filesystem scan error: stat /Users/gotbadger/development/mastodon//public/500.html: no such file or directory

Possible Fix

Steps to Reproduce

1. clone https://github.com/mstdn/Mastodon
2. run curio scan

Context

Looks like https://github.com/mstdn/Mastodon/blob/main/public/500.html points to a file that does not exist initally in the project.

Your Environment

• Version used: 0.21.1
• Target codebase stack (e.g. Ruby): Ruby
• Operating System and version: Darwin
• Link to your project or code sample: https://github.com/mstdn/Mastodon

Description

It's unclear from the description what the --timeout-file-second-per-bytes does. Ideally, it would be clear without context of how other flags or functionality works.

Multiple node types are needed for the detect_rails_cookies rule

At the moment we are exporting detections to report from inside composition in an ugly way, it feels very repetitive to do it for every type with type switches, It might be good that each detection handles its own export and that we introduce interface for exporting detection.

eg:

type Detection struct {
   MatchNode tree.Node
   ContextNode tree.Node
   Data Data
}

interface Data {
     Export() source.Source, schema.Schema 
}

// compositions parsefilefunc
func parseFile() {
  //....
   for _, detectorType := range []string{"class", "datatype"} {
	detections, err := evaluator.ForTree(tree.RootNode(), detectorType)
	for _, detection := range detection {
	   source, schema := detection.Export()
	   report.addDetection(detectorType, source, schema)
	}
   }
}

Description

When a cookie is encrypted, we shouldn't raise an errors.

Expected Behavior

cookies.encrypted[:user_email] = user.email

Is not detected and doesn't throw a policy breach

Actual Behavior

cookies.encrypted[:user_email] = user.email

Is detected and throws a policy breach

Installation of curio requires to run a script https://github.com/Bearer/curio/blob/main/contrib/install.sh

This is good but MacOS user are more used to homebrew.

Provide a GitHub Action as a way to integrate to the CI.

Only performs a full scan for now.
Fail when any policies are detected

Add classification logic to the datatype detector. The current implementation is a dummy one.

Insecure URLs are strings which start with http:

This will be a generic detector (not language specific).

Description

The Rails cookies and session custom detectors currently return unique identifiers (author.user_id, for example) as policy breaches.

Expected Behavior

Unique Identifiers should be regarded as safe, and should not be reported as policy breaches.

Actual Behavior

Unique Identifiers are reported as policy breaches.

Possible Fix

Should we be triggering the policies at all for Unique Identifiers? Or should these just be regarded as not being risks?

Your Environment

• Version used: v0.19.0
• Target codebase stack (e.g. Ruby): Ruby
• Operating System and version:
• Link to your project or code sample:

Description

Running --only-policy (or --skip-policy) doesn't check if the policy IDs exist, leading to bad UX and misleading output.

Expected Behavior

Throw an error if using a policy ID that doesn't exist

Actual Behavior

Fail silently

Possible Fix

Check if policy IDs exist first

Steps to Reproduce

1. curio scan . --only-policy CR-000
2. curio scan . --skip-policy CR-000

Your Environment

• Version used: 0.21.1
• Target codebase stack (e.g. Ruby): Ruby
• Operating System and version: Mac

Description

Curio seems unable to create the json file at begining of scan without sudo permissions on Ubuntu 22.10.

Expected Behavior

Curio should be able to scan without super user permissions.

Actual Behavior

Works only with super user permissions .

ubuntu@d2-8-sbg5:~$ ./bin/curio scan bear-publishing/
{"level":"error","time":"2022-12-19T07:20:10Z","message":"failed to create path /tmpe566c0f8c7ffb00cb50b8bc7fa842e58801f054d-b1bbbdcccc1cda1137e82d75f34a6e7d8b134707.jsonl, open /tmpe566c0f8c7ffb00cb50b8bc7fa842e58801f054d-b1bbbdcccc1cda1137e82d75f34a6e7d8b134707.jsonl: permission denied, (*os.File)(nil)"}
Scanning target bear-publishing/
Error: filesystem scan error: open /tmpe566c0f8c7ffb00cb50b8bc7fa842e58801f054d-b1bbbdcccc1cda1137e82d75f34a6e7d8b134707.jsonl: permission denied

ubuntu@d2-8-sbg5:~$ sudo ./bin/curio scan bear-publishing/
Scanning target bear-publishing/
 └  26% [==>            ] (47/177, 28 files/s) [1s:4s]^C

Possible Fix

Maybe a yml path issue ?

Steps to Reproduce

1. Install curio with the script on Ubuntu 22.10
2. try to scan a repo in current user home
3. see it fail
4. retry with sudo

Context

Your Environment

• Version used: v0.19
• Target codebase stack (e.g. Ruby): ruby
• Operating System and version: Ubuntu 22.10
• Link to your project or code sample: https://github.com/Bearer/bear-publishing

Description

Curio works with detectors and policies. Detectors are there to enrich the dataflow report, policies are there to look at the dataflow report and apply policies based on the output.

For example:

• a detector would be located in /pkg/commands/process/settings/custom_detectors/ (e.g. /pkg/commands/process/settings/custom_detectors/ruby_loggers.yml)
• a policy would be located in pkg/commands/process/settings/policies/ (e.g. /pkg/commands/process/settings/policies/leakage.rego and an entry inside /pkg/commands/process/settings/policies.yml)

Whenever we implement a new detection, we either rely on an existing policy (e.g. leakage applies to both cookies and session), either we enrich the collection of policies.

It might be a bit difficult for a new comer to know where to start especially as we introduce the remediation layer on top.

Proposal

We could have a structure like this

/policies/ruby/shared/shared.rego
/policies/ruby/CR-001/detectors/loggers.yml
/policies/ruby/CR-001/leakage.rego
/policies/ruby/CR-001/rule.yml
/policies/ruby/CR-001/README.md

We could end up repeating the policies (like leakage.rego would be similar for both session and cookies) but that would definitely help any new comer to understand where to start and to contribute.