search

presidentbeef / brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications
https://brakemanscanner.org/
Other
6.97k stars 726 forks source link

Support non-standard gemfile naming for dual booting Rails apps #1840

Open eliotsykes opened 4 months ago

eliotsykes commented 4 months ago

Brakeman version: 6.1.2

Is your feature request related to a problem? Please describe. In a CI environment, for a dual booting Rails app (e.g. Gemfile = Rails 6.1, Gemfile.next = Rails 7), to get brakeman to use a gemfile not named Gemfile(.lock), I shuffle files around so brakeman uses the correct gemfile. E.g. for a gemfile named Gemfile.next:

# This command does *not* work as intended, Gemfile.next is ignored,
# brakeman uses Gemfile in the scan:
BUNDLE_GEMFILE=Gemfile.next bundle exec brakeman

# This does work:
rm Gemfile Gemfile.lock
cp Gemfile.next Gemfile
cp Gemfile.next.lock Gemfile.lock
bundle exec brakeman

Describe the solution you'd like This command would work as expected, where ENV['BUNDLE_GEMFILE']/Gemfile.next(.lock) is used by Brakeman::Scanner#process_gems, instead of the hardcoded Gemfile(.lock)

BUNDLE_GEMFILE=Gemfile.next bundle exec brakeman

Describe alternatives you've considered Shuffling gemfiles around works:

rm Gemfile Gemfile.lock
cp Gemfile.next Gemfile
cp Gemfile.next.lock Gemfile.lock
bundle exec brakeman
presidentbeef commented 3 months ago

Sure, that seems reasonable.