Merge pull request #527 from GabhenDM/add-brakeman-ignore-support

feat: adding brakeman.ignore support to huskyci
globocom · Mar 22, 2021 · dd7fea4 · dd7fea4
2 parents 8dacdfc + c68f9a5
commit dd7fea4
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 3 deletions.
diff --git a/api/config.yaml b/api/config.yaml
@@ -129,11 +129,19 @@ brakeman:
     GIT_TERMINAL_PROMPT=0 git clone -b %GIT_BRANCH% --single-branch %GIT_REPO% code --quiet 2> /tmp/errorGitCloneBrakeman
     if [ $? -eq 0 ]; then
       if [ -d /code/app ]; then
-        brakeman -q -o results.json /code
+        if [ -f /code/brakeman.ignore ]; then
+          brakeman -q -i /code/brakeman.ignore -o results.json /code
+        else
+          brakeman -q -o results.json /code
+        fi
         jq -j -M -c . results.json
       else
         mv code app
-        brakeman -q -o results.json .
+        if [ -f /app/brakeman.ignore ]; then
+          brakeman -q -i /app/brakeman.ignore -o results.json .
+        else
+          brakeman -q -o results.json .
+        fi
         jq -j -M -c . results.json
       fi
     else

diff --git a/api/securitytest/brakeman.go b/api/securitytest/brakeman.go
@@ -16,6 +16,7 @@ import (
 // BrakemanOutput is the struct that holds issues and stats found on a Brakeman scan.
 type BrakemanOutput struct {
 	Warnings []WarningItem `json:"warnings"`
+	IgnoredWarnings []WarningItem `json:"ignored_warnings"`
 }
 
 // WarningItem is the struct that holds all detailed information of a vulnerability found.
@@ -78,6 +79,20 @@ func (brakemanScan *SecTestScanInfo) prepareBrakemanVulns() {
 			huskyCIbrakemanResults.LowVulns = append(huskyCIbrakemanResults.LowVulns, brakemanVuln)
 		}
 	}
+	for _, ignoredWarning := range brakemanOutput.IgnoredWarnings {
+		brakemanVuln := types.HuskyCIVulnerability{}
+		brakemanVuln.Language = "Ruby"
+		brakemanVuln.SecurityTool = "Brakeman"
+		brakemanVuln.Confidence = ignoredWarning.Confidence
+		brakemanVuln.Title = fmt.Sprintf("Vulnerable Dependency: %s %s", ignoredWarning.Type, ignoredWarning.Message)
+		brakemanVuln.Severity = "NOSEC"
+		brakemanVuln.Details = ignoredWarning.Details
+		brakemanVuln.File = ignoredWarning.File
+		brakemanVuln.Line = strconv.Itoa(ignoredWarning.Line)
+		brakemanVuln.Code = ignoredWarning.Code
+		brakemanVuln.Type = ignoredWarning.Type
+		huskyCIbrakemanResults.NoSecVulns = append(huskyCIbrakemanResults.NoSecVulns, brakemanVuln)
+	}
 
 	brakemanScan.Vulnerabilities = huskyCIbrakemanResults
 }
diff --git a/client/analysis/output.go b/client/analysis/output.go
@@ -123,6 +123,7 @@ func prepareAllSummary(analysis types.Analysis) {
 	}
 
 	// Brakeman summary
+	outputJSON.Summary.BrakemanSummary.NoSecVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.NoSecVulns)
 	outputJSON.Summary.BrakemanSummary.LowVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.LowVulns)
 	outputJSON.Summary.BrakemanSummary.MediumVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.MediumVulns)
 	outputJSON.Summary.BrakemanSummary.HighVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.HighVulns)
@@ -198,7 +199,7 @@ func prepareAllSummary(analysis types.Analysis) {
 		types.FoundInfo = true
 	}
 
-	totalNoSec = outputJSON.Summary.BanditSummary.NoSecVuln + outputJSON.Summary.GosecSummary.NoSecVuln + outputJSON.Summary.GitleaksSummary.NoSecVuln
+	totalNoSec = outputJSON.Summary.BrakemanSummary.NoSecVuln + outputJSON.Summary.BanditSummary.NoSecVuln + outputJSON.Summary.GosecSummary.NoSecVuln + outputJSON.Summary.GitleaksSummary.NoSecVuln
 
 	totalLow = outputJSON.Summary.BrakemanSummary.LowVuln + outputJSON.Summary.SafetySummary.LowVuln + outputJSON.Summary.BanditSummary.LowVuln + outputJSON.Summary.GosecSummary.LowVuln + outputJSON.Summary.NpmAuditSummary.LowVuln + outputJSON.Summary.YarnAuditSummary.LowVuln + outputJSON.Summary.GitleaksSummary.LowVuln + outputJSON.Summary.SpotBugsSummary.LowVuln + outputJSON.Summary.TFSecSummary.LowVuln