globocom / huskyCI

Performing security tests inside your CI
https://huskyci.opensource.globo.com
BSD 3-Clause "New" or "Revised" License

feat: adding brakeman.ignore support to huskyci #527

Closed GabhenDM closed 3 years ago

GabhenDM commented 3 years ago

Description

This PR aims to add brakeman.ignore file support to HuskyCI.

Since there is no current implementation for utilizing "#nohusky" as referenced in #508, adding support for brakeman.ignore will help deal with false positives in the CI flow.

Proposed Changes

Adding to the api/config.yaml, in the brakeman section, an if statement verifying whether there is a brakeman.ignore file in the target project's root folder; if there is, run brakeman with the file as a parameter.

It requires a bit of manual work to generate the ignore file: since it is only generated by brakeman itself, one would have to run it manually, validate the findings and ignore them as the tool's documentation

Testing

The branch of poc-ruby-brakeman on my forked repo contains a brakeman.ignore removing two other warnings that would show up at a HuskyCI analysis result.

Running this current build against that repo should be enough to validate the implementation.

🐼

gustavocovas commented 3 years ago

Looks good to me! Do you think we need to have some integration tests, @joserenatosilva, @rafaveira3 or @Krlier?

rafaveira3 commented 3 years ago

Hello, everyone! Glad to know that we are now able to skip a few tests in Brakeman! :smile:

@gustavocovas, a good strategy here might be adding vulnerable code into this branch and adding a brakeman.ignore as well. huskyCI should now skip them and not return a 190 status code.

Another topic we must be aware of is reporting this metric in the output as the "NoSecHusky" type. It would be a good idea saving it just like we do on other languages like Python, as follows:

[HUSKYCI][SUMMARY] Python -> huskyci/bandit:1.6.2
[HUSKYCI][SUMMARY] High: 0
[HUSKYCI][SUMMARY] Medium: 1
[HUSKYCI][SUMMARY] Low: 1
[HUSKYCI][SUMMARY] NoSecHusky: 1

[HUSKYCI][SUMMARY] Total
[HUSKYCI][SUMMARY] High: 0
[HUSKYCI][SUMMARY] Medium: 1
[HUSKYCI][SUMMARY] Low: 1
[HUSKYCI][SUMMARY] NoSecHusky: 1

GabhenDM commented 3 years ago

> Hello, everyone! Glad to know that we are now able to skip a few tests in Brakeman! :smile:
>
> @gustavocovas, a good strategy here might be adding vulnerable code into this branch and adding a brakeman.ignore as well. huskyCI should now skip them and not return a 190 status code.
>
> Another topic we must be aware of is reporting this metric in the output as the "NoSecHusky" type. It would be a good idea saving it just like we do on other languages like Python, as follows:
>
> [HUSKYCI][SUMMARY] Python -> huskyci/bandit:1.6.2
> [HUSKYCI][SUMMARY] High: 0
> [HUSKYCI][SUMMARY] Medium: 1
> [HUSKYCI][SUMMARY] Low: 1
> [HUSKYCI][SUMMARY] NoSecHusky: 1
>
> [HUSKYCI][SUMMARY] Total
> [HUSKYCI][SUMMARY] High: 0
> [HUSKYCI][SUMMARY] Medium: 1
> [HUSKYCI][SUMMARY] Low: 1
> [HUSKYCI][SUMMARY] NoSecHusky: 1

Great idea! I checked that brakeman does output ignored warnings to its JSON file, being quite easy to add as a NoSecHusky metric.

Will also open a PR to the poc-ruby-brakeman branch in order to add a brakeman.ignore test.
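The two pieces discussed in this thread, choosing the brakeman command line based on whether a brakeman.ignore file exists in the project root (the PR description) and counting brakeman's ignored warnings as the NoSecHusky metric (the last comment), as one added Go example. This is illustrative code written for this page, not huskyCI's own implementation. It assumes brakeman.ignore lives in the project root as the PR proposes, uses brakeman's own `-i`/`--ignore-config`, `-f json`, `-q` and `--no-exit-on-warn` options, reads the `warnings` and `ignored_warnings` arrays of brakeman's JSON report, maps brakeman's "Weak" confidence to Low (an assumption), and treats any remaining non-ignored warning as the reason for the 190 exit status the thread mentions (also an assumption about the exact threshold). The JSON report is a constructed sample.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// BrakemanArgs builds the brakeman command line for a project root. If a
// brakeman.ignore file sits in that root (as the PR proposes), it is passed
// with brakeman's -i / --ignore-config option; otherwise brakeman runs without it.
func BrakemanArgs(projectRoot string) []string {
	args := []string{"brakeman", "-q", "-f", "json", "--no-exit-on-warn"}
	ignore := filepath.Join(projectRoot, "brakeman.ignore")
	if info, err := os.Stat(ignore); err == nil && !info.IsDir() {
		args = append(args, "-i", ignore)
	}
	return append(args, projectRoot)
}

// brakemanWarning holds the fields of one entry of brakeman's JSON report
// that matter for the summary.
type brakemanWarning struct {
	WarningType string `json:"warning_type"`
	Confidence  string `json:"confidence"`
	File        string `json:"file"`
	Line        int    `json:"line"`
}

// brakemanReport covers the two top-level arrays used here: active warnings
// and the warnings suppressed through brakeman.ignore.
type brakemanReport struct {
	Warnings        []brakemanWarning `json:"warnings"`
	IgnoredWarnings []brakemanWarning `json:"ignored_warnings"`
}

// Summary mirrors the [HUSKYCI][SUMMARY] counters quoted in the thread.
type Summary struct {
	High, Medium, Low, NoSecHusky int
}

// Summarize parses a brakeman JSON report. Brakeman's "Weak" confidence is
// mapped to Low here (assumption); every ignored warning counts as NoSecHusky.
func Summarize(report []byte) (Summary, error) {
	var r brakemanReport
	if err := json.Unmarshal(report, &r); err != nil {
		return Summary{}, err
	}
	var s Summary
	for _, w := range r.Warnings {
		switch w.Confidence {
		case "High":
			s.High++
		case "Medium":
			s.Medium++
		default:
			s.Low++
		}
	}
	s.NoSecHusky = len(r.IgnoredWarnings)
	return s, nil
}

// ExitCode returns 190, the status the thread says huskyCI uses for a failed
// analysis, when any non-ignored warning remains; ignored warnings alone pass.
// Assumption: the thread does not state the exact severity threshold.
func ExitCode(s Summary) int {
	if s.High+s.Medium+s.Low > 0 {
		return 190
	}
	return 0
}

// SampleReport is a constructed brakeman-style JSON report: two active
// warnings and two suppressed by an ignore file.
const SampleReport = `{
  "warnings": [
    {"warning_type": "SQL Injection", "confidence": "High", "file": "app/models/user.rb", "line": 12},
    {"warning_type": "Cross-Site Scripting", "confidence": "Medium", "file": "app/views/posts/show.html.erb", "line": 3}
  ],
  "ignored_warnings": [
    {"warning_type": "Mass Assignment", "confidence": "Weak", "file": "app/controllers/posts_controller.rb", "line": 40},
    {"warning_type": "Redirect", "confidence": "Weak", "file": "app/controllers/sessions_controller.rb", "line": 22}
  ]
}`

func main() {
	fmt.Println(BrakemanArgs("."))
	s, err := Summarize([]byte(SampleReport))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println("[HUSKYCI][SUMMARY] Ruby -> brakeman")
	fmt.Printf("[HUSKYCI][SUMMARY] High: %d\n", s.High)
	fmt.Printf("[HUSKYCI][SUMMARY] Medium: %d\n", s.Medium)
	fmt.Printf("[HUSKYCI][SUMMARY] Low: %d\n", s.Low)
	fmt.Printf("[HUSKYCI][SUMMARY] NoSecHusky: %d\n", s.NoSecHusky)
	fmt.Printf("exit code: %d\n", ExitCode(s))
}
```

Running it from a Rails project root prints the command line huskyCI would execute (with `-i <root>/brakeman.ignore` only when that file exists) and a summary in the same shape as the Python one above; the ignored warnings raise NoSecHusky without affecting the exit code, which is the behaviour the reviewers ask the integration test to confirm.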