Open victormazevedo opened 4 years ago
I don't know how to debug properly and be sure of this, but it seems like Brakeman ignores comments in code (I'm reading Brakeman doc to understand more how it works under the table). In that way, when VerifyNoHusy
is called with the warning.Code
in parameter, the func doesn't recognize #nohusky.
Edited:
After reading almost all doc of Brakeman and make some local tests, it seems the output does not include comments in Code
attribute. So what I thought? When call VerifyNoHusy
to Brakeman codes, get warning.File
and warning.Line
and take the line code from original source instead Brakeman's output. And then verify the #nohusky
tag.
In a conversation with Brakeman's maintainer, there's many types of output files. In HTML the whole code is presented, including comments. I'm trying to think in a logic to parse html and compare the file and line code, and save and use HTML's line code instead json's line code.
@rafaveira3 analyzing all scenarios, I think the best is to try to contribute with brakeman to create a feature that enables user to choose if reports will include in warnings code with comments or doesn't (I'll try to do that.). Otherwise, I don't know if you have other ideas.
Things I thought:
.html
files are painful to read and extract some information.jq
and after this getting the content of line using sed
. But after this, I've started to think about performance, and well, I don't think this is the best approach considering we may have a lot of warnings in a scan and almost them doesn't present the #nohusky
tag.With all modifications that I've already done, I think if the Brakeman could return warnings with comments, #nohuksy
would work.
Hi, @victormazevedo! Thanks for being interested in this issue and taking the time to contribute to huskyCI!
I've read the scenarios you proposed and I believe what suits us best is to contribute to Brakeman's project with this change to allow commented code to show up in the code
output.
By doing this, just as you first proposed, we could reuse some of Bandit's ignore functions. If needed, we could rename than to serve a more general purpose such as this one.
What do you think?
Hey, @victormazevedo! Sorry for the long response, I am not handling globocom hacktoberfest issues anymore. Thanks a lot for the incredible effort you have done so far on this one. :smiley:
Hi, @victormazevedo! Thanks for being interested in this issue and taking the time to contribute to huskyCI!
I've read the scenarios you proposed and I believe what suits us best is to contribute to Brakeman's project with this change to allow commented code to show up in the
code
output.By doing this, just as you first proposed, we could reuse some of Bandit's ignore functions. If needed, we could rename than to serve a more general purpose such as this one.
What do you think?
Agreed, @Krlier! I don't know at which time I'll finish this because I've never worked with Ruby before, but this is not a problem! I'll figure out and will update you!
Description
This PR aims to add '#nohusky' tag to Ruby's files to avoid false positives.
Closes #508
Proposed Changes
api/securitytest/brakeman.go
: addVerifyNoHusky
logicapi/util/util.go
: here I usedbanditCase
func to Brakeman files. If it is the right approach, I think thebanditCase
could be renamed.api/util/util_test.go
: add some unit tests. All tests passed.Testing
I've tried to test my implementations with the step below:
In
.env
:After:
But, after this test it seems that my changes doesn't reflect in it.
Sample of output: