Add '#nohusky' tag to Brakeman scans
Motivation
Users nowadays can add the tag #nohusky in their code to avoid false positives in Python and in Go projects. However, this feature is not present yet for Ruby files that use Brakeman as a Security Test (and others).
It would be great if
Any Ruby line of code that has vulnerabilities should be skipped by huskyCI analysis if a comment #nohusky is found. If applicable, do the same logic for all security tests? :)
What we expect
If huskyCI finds code like this one, the following output must be ignored and be set as a NoSecHusky vuln:
```
[HUSKYCI][!] Title: Vulnerable Dependency: Command Injection Possible command injection
[HUSKYCI][!] Language: Ruby
[HUSKYCI][!] Tool: Brakeman
[HUSKYCI][!] Confidence: Medium
[HUSKYCI][!] Details: https://brakemanscanner.org/docs/warning_types/command_injection/
[HUSKYCI][!] File: app/controllers/application_controller.rb
[HUSKYCI][!] Line: 4
[HUSKYCI][!] Code: system("ls #{options}")
[HUSKYCI][!] Type: Command Injection
```
Tips
- This is how Gosec handles the false-positive tag (the tool already outputs nosec vulns in its JSON data)
- This is how Python handles the false-positive tag
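One way the requested behaviour could be implemented on the huskyCI side, as an added example that is not huskyCI's own code nor part of this issue: parse the Brakeman JSON report, read the reported line from the scanned Ruby source, and downgrade the finding to NoSecHusky only when the `#nohusky` tag sits in the comment part of that line (so `#{...}` interpolation or the tag inside a string literal does not count). The Brakeman JSON field names, the `Vuln` type, the `NoSecHusky` severity label and the sample report and source file are assumptions constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// BrakemanWarning is the subset of a Brakeman JSON warning this check needs.
// Field names are assumed from Brakeman's JSON report format; verify them
// against the Brakeman version in use.
type BrakemanWarning struct {
	WarningType string `json:"warning_type"`
	Message     string `json:"message"`
	File        string `json:"file"`
	Line        int    `json:"line"`
	Code        string `json:"code"`
	Confidence  string `json:"confidence"`
}

// BrakemanOutput is the top-level Brakeman JSON document (assumed shape).
type BrakemanOutput struct {
	Warnings []BrakemanWarning `json:"warnings"`
}

// Vuln is a hypothetical huskyCI finding. Severity "NoSecHusky" marks a
// finding the developer explicitly waived with a #nohusky comment.
type Vuln struct {
	File     string
	Line     int
	Title    string
	Severity string
}

// commentOf returns the text after the first '#' that starts a Ruby comment,
// skipping '#' characters inside single- or double-quoted strings (this also
// skips "#{...}" interpolation). Nested quotes inside an interpolation are
// not handled; that is a known limitation of this small scanner.
func commentOf(line string) (string, bool) {
	var quote byte // current string delimiter, 0 when outside a string
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case quote != 0:
			if c == '\\' {
				i++ // skip the escaped character
			} else if c == quote {
				quote = 0
			}
		case c == '"' || c == '\'':
			quote = c
		case c == '#':
			return line[i+1:], true
		}
	}
	return "", false
}

// HasNoHuskyTag reports whether the 1-based line of source carries a
// "#nohusky" comment (also accepting "# nohusky: reason").
func HasNoHuskyTag(source string, line int) bool {
	scanner := bufio.NewScanner(strings.NewReader(source))
	for n := 1; scanner.Scan(); n++ {
		if n != line {
			continue
		}
		comment, ok := commentOf(scanner.Text())
		return ok && strings.HasPrefix(strings.ToLower(strings.TrimSpace(comment)), "nohusky")
	}
	return false
}

// ClassifyWarnings converts a Brakeman JSON report into findings, marking a
// finding NoSecHusky when the reported line in sources[file] is tagged.
func ClassifyWarnings(report []byte, sources map[string]string) ([]Vuln, error) {
	var out BrakemanOutput
	if err := json.Unmarshal(report, &out); err != nil {
		return nil, err
	}
	vulns := make([]Vuln, 0, len(out.Warnings))
	for _, w := range out.Warnings {
		v := Vuln{File: w.File, Line: w.Line, Title: w.WarningType + ": " + w.Message, Severity: w.Confidence}
		if src, ok := sources[w.File]; ok && HasNoHuskyTag(src, w.Line) {
			v.Severity = "NoSecHusky"
		}
		vulns = append(vulns, v)
	}
	return vulns, nil
}

// SampleSource is a constructed Ruby file; line 4 is waived, line 8 is not.
const SampleSource = `class ApplicationController < ActionController::Base
  def list
    options = params[:opts]
    system("ls #{options}") #nohusky
  end

  def run
    eval(params[:code])
  end
end
`

// SampleReport is a constructed Brakeman-style JSON report for SampleSource.
const SampleReport = `{"warnings": [
  {"warning_type": "Command Injection", "message": "Possible command injection",
   "file": "app/controllers/application_controller.rb", "line": 4,
   "code": "system(\"ls #{options}\")", "confidence": "Medium"},
  {"warning_type": "Dangerous Eval", "message": "User input in eval",
   "file": "app/controllers/application_controller.rb", "line": 8,
   "code": "eval(params[:code])", "confidence": "High"}
]}`

func main() {
	sources := map[string]string{"app/controllers/application_controller.rb": SampleSource}
	vulns, err := ClassifyWarnings([]byte(SampleReport), sources)
	if err != nil {
		panic(err)
	}
	for _, v := range vulns {
		fmt.Printf("%s:%d %s [%s]\n", v.File, v.Line, v.Title, v.Severity)
	}
}
```

The scanner deliberately ignores a `#` inside quotes, which is why the `system("ls #{options}")` line is only waived because of the trailing comment and not because of the interpolation marker; the same function could be reused for other Security Tests whose reports give a file and line.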
I'll go try to work on it.
Hey @rafaveira3 ! I'm analyzing this issue and I have a question:
- I've made some changes in `brakeman.go` to understand and verify if I'm on the right way to solve this issue, but I want to understand more how to test it. I tried to run `make run-client` with `poc-ruby-brakeman` but it seems that my changes don't reflect in it. Am I right or do I need to do something else?
Thank you in advance!
Hey, @victormazevedo! Thanks for taking a look at this issue. What kinds of changes have you done so far? I will be very happy to review any PR related to this. What do you think of opening one with the WIP tag? We can discuss it better there! :smile:
