globocom / huskyCI

Performing security tests inside your CI
https://huskyci.opensource.globo.com
BSD 3-Clause "New" or "Revised" License

Add '#nohusky' tag to Brakeman scans #508

Closed rafaveira3 closed 2 years ago

rafaveira3 commented 4 years ago

Motivation

Users nowadays can add the tag #nohusky in their code to avoid false positives in Python and Go projects. However, this feature is not yet present for Ruby files that use Brakeman as a security test (and others).

It would be great if

Any Ruby line of code that has vulnerabilities would be skipped by the huskyCI analysis if a #nohusky comment is found. If applicable, apply the same logic to all security tests? :)

What we expect

If huskyCI finds code like this one, the following output must be ignored and set as a NoSecHusky vuln:

 [HUSKYCI][!] Title: Vulnerable Dependency: Command Injection Possible command injection
 [HUSKYCI][!] Language: Ruby
 [HUSKYCI][!] Tool: Brakeman
 [HUSKYCI][!] Confidence: Medium
 [HUSKYCI][!] Details: https://brakemanscanner.org/docs/warning_types/command_injection/
 [HUSKYCI][!] File: app/controllers/application_controller.rb
 [HUSKYCI][!] Line: 4
 [HUSKYCI][!] Code: system("ls #{options}")
 [HUSKYCI][!] Type: Command Injection

Tips
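As an added example (not code from the huskyCI project, and not using its internal types), the Go program below shows the behaviour the issue asks for: it parses the `[HUSKYCI][!]` lines quoted above into a finding, looks up the reported line in the Ruby source, and re-labels the finding as NoSecHusky only when that line carries `#nohusky` inside a comment. The `Finding` type, the function names and the sample Ruby controller are this example's own assumptions; the output lines are the ones quoted in the issue. The small string-aware scanner in `hasNoHuskyComment` exists so that a `#nohusky` hidden inside a Ruby string literal (or the `#{...}` interpolation in the flagged `system` call) does not suppress the warning, since an attacker-controlled string must not be able to silence a scan.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is a minimal view of one huskyCI vulnerability record.
// The type and its field names are assumptions of this example.
type Finding struct {
	Title    string
	Tool     string
	File     string
	Line     int
	Code     string
	Severity string // Brakeman confidence, or "NoSecHusky" once suppressed
}

// SampleOutput is the Brakeman finding quoted in the issue.
const SampleOutput = `
 [HUSKYCI][!] Title: Vulnerable Dependency: Command Injection Possible command injection
 [HUSKYCI][!] Language: Ruby
 [HUSKYCI][!] Tool: Brakeman
 [HUSKYCI][!] Confidence: Medium
 [HUSKYCI][!] Details: https://brakemanscanner.org/docs/warning_types/command_injection/
 [HUSKYCI][!] File: app/controllers/application_controller.rb
 [HUSKYCI][!] Line: 4
 [HUSKYCI][!] Code: system("ls #{options}")
 [HUSKYCI][!] Type: Command Injection
`

// SampleSource is a constructed Ruby file whose line 4 is the flagged call,
// annotated with the #nohusky tag in a trailing comment.
const SampleSource = `class ApplicationController < ActionController::Base
  def list
    options = params[:opts]
    system("ls #{options}") #nohusky
  end
end`

// SampleSourceNoTag is the same file without the tag; the finding must stay.
const SampleSourceNoTag = `class ApplicationController < ActionController::Base
  def list
    options = params[:opts]
    system("ls #{options}")
  end
end`

var fieldRe = regexp.MustCompile(`^\s*\[HUSKYCI\]\[!\] (\w+): (.*)$`)

// ParseFinding rebuilds a Finding from huskyCI's "[HUSKYCI][!] Key: value" lines.
func ParseFinding(output string) (Finding, error) {
	var f Finding
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		m := fieldRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a finding line
		}
		switch m[1] {
		case "Title":
			f.Title = m[2]
		case "Tool":
			f.Tool = m[2]
		case "File":
			f.File = m[2]
		case "Code":
			f.Code = m[2]
		case "Confidence":
			f.Severity = m[2]
		case "Line":
			n, err := strconv.Atoi(m[2])
			if err != nil {
				return f, fmt.Errorf("bad line number %q: %w", m[2], err)
			}
			f.Line = n
		}
	}
	if f.File == "" || f.Line == 0 {
		return f, fmt.Errorf("finding lacks File or Line")
	}
	return f, nil
}

// hasNoHuskyComment reports whether a Ruby source line carries #nohusky inside
// a comment. It tracks single- and double-quoted string literals so that a '#'
// inside a string (including "#{...}" interpolation) is not taken as a comment.
func hasNoHuskyComment(line string) bool {
	var quote byte // current string delimiter, 0 while outside a string
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case quote != 0:
			if c == '\\' {
				i++ // skip the escaped character
				continue
			}
			if c == quote {
				quote = 0
			}
		case c == '"' || c == '\'':
			quote = c
		case c == '#':
			// Outside a string, '#' starts a comment that runs to end of line.
			return strings.Contains(line[i:], "#nohusky")
		}
	}
	return false
}

// ApplyNoHusky marks the finding NoSecHusky when the reported (1-based) line
// of source carries the tag; an out-of-range line leaves the finding untouched.
func ApplyNoHusky(f Finding, source string) Finding {
	lines := strings.Split(source, "\n")
	if f.Line < 1 || f.Line > len(lines) {
		return f
	}
	if hasNoHuskyComment(lines[f.Line-1]) {
		f.Severity = "NoSecHusky"
	}
	return f
}

func main() {
	f, err := ParseFinding(SampleOutput)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tagged file:   %s:%d -> %s\n", f.File, f.Line, ApplyNoHusky(f, SampleSource).Severity)
	fmt.Printf("untagged file: %s:%d -> %s\n", f.File, f.Line, ApplyNoHusky(f, SampleSourceNoTag).Severity)
}
```

Only the line Brakeman reported is consulted, which mirrors how the tag already works for the Go and Python analyses described in the issue: the suppression is per finding, not per file.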

MatheusMuriel commented 4 years ago

I'll go try to work on it.

victormazevedo commented 4 years ago

Hey @rafaveira3! I'm analyzing this issue and I have a question:

Thank you in advance!

rafaveira3 commented 4 years ago

Hey, @victormazevedo! Thanks for taking a look at this issue. What kinds of changes have you done so far? I will be very happy to review any PR related to this. What do you think of opening one with the WIP tag? We can discuss it better there! :smile: