Open kevinjacobs opened 2 months ago

### Background

Brakeman version: 5.4.0
Rails version: 4.0.8
Ruby version: 3.1.2

### Issue

I'd like to report some unexpected false negatives noticed when running with the `--skip-libs` option. Documentation [1] states that "To skip processing of the lib/ directory…", one should add `--skip-libs`. However, this results in Brakeman ignoring much of the `app/` directory as well; in fact it appears that only the contents of `app/models/` and `app/controllers/` are included in this mode. If one wants to skip the `lib/` directory, `--skip-files lib/` seems to be a better approach.

I believe this is due to file type detection at [2] assuming code is "library" code unless it fits into a small number of alternative classifications. The last sentence in [3] seems to support this.

Admittedly, `options.MD` also includes the following:

But given the other mention of `--skip-libs` applying to `lib/`, a reasonable reader might assume that `--no-branching` is the cause for the above warning.

Reproducer:

Expected results: Given that there are no warnings from `lib/`, both outputs should include the same warnings.

Actual results: `skip_libs.json` misses a warning in `app/helpers/sessions_helper.rb`.

If this behavior is intended (as it appears to be), the documentation should more clearly state the potential impact of running with `--skip-libs`.

Thanks!

[1] https://brakemanscanner.org/docs/options/
[2] https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/processors/lib/file_type_detector.rb#L16
[3] https://github.com/presidentbeef/brakeman/pull/1554

Hi @kevinjacobs - you are right, thank you for reporting this. It should be equivalent to `--skip-files lib/` (or maybe `--skip-files /lib/`) but due to the change to scan (almost) every Ruby file, it no longer matches.

Should remove `--skip-libs` :thinking: in Brakeman 7.0 I guess.
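The reporter found the gap by comparing a full scan against a `--skip-libs` scan. As an added example, not code from the issue or from Brakeman itself, here is a small Ruby script that makes that comparison repeatable: it joins two Brakeman JSON reports on the `fingerprint` field and lists every warning the restricted run dropped, grouped by directory, so a coverage loss like the one in `app/helpers/` is visible immediately. The two embedded reports are constructed sample data in the shape of Brakeman's JSON output (only the fields the script reads are present), and the file names `full.json` and `skip_libs.json` used in the usage line are assumptions.

```ruby
require 'json'

# Constructed sample reports in Brakeman's JSON layout, limited to the fields
# this script reads. They stand in for the full and --skip-libs outputs.
FULL_REPORT = <<~JSON
{
  "warnings": [
    {"fingerprint": "aaa111", "warning_type": "Cross-Site Scripting",
     "check_name": "CrossSiteScripting", "file": "app/helpers/sessions_helper.rb",
     "line": 12, "message": "Unescaped model attribute", "confidence": "High"},
    {"fingerprint": "bbb222", "warning_type": "SQL Injection",
     "check_name": "SQL", "file": "app/models/user.rb",
     "line": 40, "message": "Possible SQL injection", "confidence": "Medium"},
    {"fingerprint": "ccc333", "warning_type": "Mass Assignment",
     "check_name": "MassAssignment", "file": "app/controllers/users_controller.rb",
     "line": 8, "message": "Parameters should be whitelisted", "confidence": "Weak"}
  ]
}
JSON

SKIP_LIBS_REPORT = <<~JSON
{
  "warnings": [
    {"fingerprint": "bbb222", "warning_type": "SQL Injection",
     "check_name": "SQL", "file": "app/models/user.rb",
     "line": 40, "message": "Possible SQL injection", "confidence": "Medium"},
    {"fingerprint": "ccc333", "warning_type": "Mass Assignment",
     "check_name": "MassAssignment", "file": "app/controllers/users_controller.rb",
     "line": 8, "message": "Parameters should be whitelisted", "confidence": "Weak"}
  ]
}
JSON

# Parse a report and index its warnings by fingerprint. The fingerprint is
# stable for the same finding across runs, so it is a better join key than
# file/line, which shift whenever code moves.
def index_warnings(json_text)
  JSON.parse(json_text).fetch('warnings', []).each_with_object({}) do |w, acc|
    acc[w['fingerprint']] = w
  end
end

# Warnings present in the baseline report but absent from the restricted one.
# Any non-empty result means the restricted run lost coverage.
def missing_warnings(baseline_json, restricted_json)
  base = index_warnings(baseline_json)
  restricted = index_warnings(restricted_json)
  (base.keys - restricted.keys).map { |fp| base[fp] }
end

# Count lost warnings per top-two path components (e.g. "app/helpers") so the
# gap is attributed to a directory rather than to individual files.
def missing_by_directory(baseline_json, restricted_json)
  missing_warnings(baseline_json, restricted_json).group_by do |w|
    w['file'].split('/').first(2).join('/')
  end.transform_values(&:count)
end

if __FILE__ == $PROGRAM_NAME
  # With two paths on the command line, compare real reports; otherwise use the
  # constructed samples above.
  full, restricted = ARGV.size == 2 ? ARGV.map { |p| File.read(p) } : [FULL_REPORT, SKIP_LIBS_REPORT]
  missing = missing_warnings(full, restricted)
  if missing.empty?
    puts 'No warnings lost in the restricted run.'
  else
    puts "#{missing.size} warning(s) in baseline but missing from restricted run:"
    missing.each { |w| puts "  #{w['file']}:#{w['line']} #{w['warning_type']} (#{w['fingerprint']})" }
    puts 'Lost warnings by directory:'
    missing_by_directory(full, restricted).each { |dir, n| puts "  #{dir}: #{n}" }
  end
end
```

Generate the two inputs with `brakeman -f json -o full.json` and `brakeman --skip-libs -f json -o skip_libs.json`, then run `ruby compare_reports.rb full.json skip_libs.json` (script name assumed). Running it with no arguments uses the constructed samples and reports the one `app/helpers` warning dropped.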