diff --git a/api/config.yaml b/api/config.yaml
index edd7bc0b..1d518cb2 100644
--- a/api/config.yaml
+++ b/api/config.yaml
@@ -129,11 +129,19 @@ brakeman:
 GIT_TERMINAL_PROMPT=0 git clone -b %GIT_BRANCH% --single-branch %GIT_REPO% code --quiet 2> /tmp/errorGitCloneBrakeman
 if [ $? -eq 0 ]; then
 if [ -d /code/app ]; then
- brakeman -q -o results.json /code
+ if [ -f /code/brakeman.ignore ]; then
+ brakeman -q -i /code/brakeman.ignore -o results.json /code
+ else
+ brakeman -q -o results.json /code
+ fi
 jq -j -M -c . results.json
 else
 mv code app
- brakeman -q -o results.json .
+ if [ -f /app/brakeman.ignore ]; then
+ brakeman -q -i /app/brakeman.ignore -o results.json .
+ else
+ brakeman -q -o results.json .
+ fi
 jq -j -M -c . results.json
 fi
 else
diff --git a/api/securitytest/brakeman.go b/api/securitytest/brakeman.go
index a2afec02..a75f76c7 100644
--- a/api/securitytest/brakeman.go
+++ b/api/securitytest/brakeman.go
@@ -16,6 +16,7 @@ import (
 // BrakemanOutput is the struct that holds issues and stats found on a Brakeman scan.
 type BrakemanOutput struct {
 Warnings []WarningItem `json:"warnings"`
+ IgnoredWarnings []WarningItem `json:"ignored_warnings"`
 }
 // WarningItem is the struct that holds all detailed information of a vulnerability found.
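Review bot: The file handed to `-i` in both new branches (`/code/brakeman.ignore` and `/app/brakeman.ignore`) comes from the repository being scanned, so anyone who can push to the scanned branch can suppress any Brakeman finding by committing an ignore entry for it; the scan now lets repo content decide what it reports. That trade-off is only acceptable because the companion Go change surfaces ignored warnings as NOSEC, and it deserves a comment next to the check, e.g. `# brakeman.ignore is repo-controlled: suppressed findings still surface as NOSEC in the results`. The two if/else pairs could also collapse into one optional flag so the command line stays in one place: `IGNORE_OPT=""`, `[ -f /code/brakeman.ignore ] && IGNORE_OPT="-i /code/brakeman.ignore"`, `brakeman -q $IGNORE_OPT -o results.json /code`. If Brakeman additionally auto-loads an ignore file from the app's config directory (I believe it does, please confirm), the explicit `-i` only adds the repo-root location and that is worth stating in the same comment. The enclosing shell command string starts before and ends after this hunk.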
@@ -78,6 +79,20 @@ func (brakemanScan *SecTestScanInfo) prepareBrakemanVulns() {
 huskyCIbrakemanResults.LowVulns = append(huskyCIbrakemanResults.LowVulns, brakemanVuln)
 }
 }
+ for _, ignoredWarning := range brakemanOutput.IgnoredWarnings {
+ brakemanVuln := types.HuskyCIVulnerability{}
+ brakemanVuln.Language = "Ruby"
+ brakemanVuln.SecurityTool = "Brakeman"
+ brakemanVuln.Confidence = ignoredWarning.Confidence
+ brakemanVuln.Title = fmt.Sprintf("Vulnerable Dependency: %s %s", ignoredWarning.Type, ignoredWarning.Message)
+ brakemanVuln.Severity = "NOSEC"
+ brakemanVuln.Details = ignoredWarning.Details
+ brakemanVuln.File = ignoredWarning.File
+ brakemanVuln.Line = strconv.Itoa(ignoredWarning.Line)
+ brakemanVuln.Code = ignoredWarning.Code
+ brakemanVuln.Type = ignoredWarning.Type
+ huskyCIbrakemanResults.NoSecVulns = append(huskyCIbrakemanResults.NoSecVulns, brakemanVuln)
+ }
 brakemanScan.Vulnerabilities = huskyCIbrakemanResults
 }
diff --git a/client/analysis/output.go b/client/analysis/output.go
index 5f100bcb..ca2a6e2f 100644
--- a/client/analysis/output.go
+++ b/client/analysis/output.go
@@ -123,6 +123,7 @@ func prepareAllSummary(analysis types.Analysis) {
 }
 // Brakeman summary
+ outputJSON.Summary.BrakemanSummary.NoSecVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.NoSecVulns)
 outputJSON.Summary.BrakemanSummary.LowVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.LowVulns)
 outputJSON.Summary.BrakemanSummary.MediumVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.MediumVulns)
 outputJSON.Summary.BrakemanSummary.HighVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.HighVulns)
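Review bot: The new loop emits an ignored warning with exactly the same title, details and code as a live one, so a NOSEC entry carries no trace of why it was suppressed; if Brakeman's `ignored_warnings` entries carry the per-entry `note` from the ignore file (they do in the report format I remember, please confirm), `WarningItem` should pick it up and the text should land in `Details`, otherwise triaging NOSEC results means opening the repository's `brakeman.ignore` by hand. The twelve field assignments are also a copy of the loop above with only `Severity` changed, and a small constructor used by both loops keeps the two mappings from drifting apart. The `"Vulnerable Dependency: …"` title is presumably inherited from the existing loop, but Brakeman warnings are code findings (its `Type` is an injection or XSS class, not a dependency), so the label is worth revisiting in that same helper. The function starts above this hunk.
```go
// brakemanVulnFromWarning maps one Brakeman warning onto a huskyCI vulnerability
// with the given severity; both the live and the ignored loops use it so the
// field mapping lives in one place.
func brakemanVulnFromWarning(w WarningItem, severity string) types.HuskyCIVulnerability {
	return types.HuskyCIVulnerability{
		Language:     "Ruby",
		SecurityTool: "Brakeman",
		Confidence:   w.Confidence,
		Title:        fmt.Sprintf("Vulnerable Dependency: %s %s", w.Type, w.Message),
		Severity:     severity,
		Details:      w.Details,
		File:         w.File,
		Line:         strconv.Itoa(w.Line),
		Code:         w.Code,
		Type:         w.Type,
	}
}

// … unchanged: loop over brakemanOutput.Warnings …
for _, ignoredWarning := range brakemanOutput.IgnoredWarnings {
	// Suppressed by the repo's brakeman.ignore: reported as NOSEC so reviewers still see it.
	huskyCIbrakemanResults.NoSecVulns = append(huskyCIbrakemanResults.NoSecVulns, brakemanVulnFromWarning(ignoredWarning, "NOSEC"))
}
```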
@@ -198,7 +199,7 @@ func prepareAllSummary(analysis types.Analysis) {
 types.FoundInfo = true
 }
- totalNoSec = outputJSON.Summary.BanditSummary.NoSecVuln + outputJSON.Summary.GosecSummary.NoSecVuln + outputJSON.Summary.GitleaksSummary.NoSecVuln
+ totalNoSec = outputJSON.Summary.BrakemanSummary.NoSecVuln + outputJSON.Summary.BanditSummary.NoSecVuln + outputJSON.Summary.GosecSummary.NoSecVuln + outputJSON.Summary.GitleaksSummary.NoSecVuln
 totalLow = outputJSON.Summary.BrakemanSummary.LowVuln + outputJSON.Summary.SafetySummary.LowVuln + outputJSON.Summary.BanditSummary.LowVuln + outputJSON.Summary.GosecSummary.LowVuln + outputJSON.Summary.NpmAuditSummary.LowVuln + outputJSON.Summary.YarnAuditSummary.LowVuln + outputJSON.Summary.GitleaksSummary.LowVuln + outputJSON.Summary.SpotBugsSummary.LowVuln + outputJSON.Summary.TFSecSummary.LowVuln