brakeman-lib 3.3.1

data/FEATURES

@@ -0,0 +1,16 @@
+Can detect:
+-Possibly unescaped model attributes or parameters in views (Cross Site Scripting)
+-Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
+-String interpolation in find_by_sql (SQL Injection)
+-String interpolation or params in calls to system, exec, and syscall and `` (Command Injection)
+-Unrestricted mass assignments
+-Global restriction of mass assignment
+-Missing call to protect_from_forgery in ApplicationController (CSRF protection)
+-Default routes, per-controller and globally
+-Redirects based on params (probably too broad currently)
+-Validation regexes not using \A and \z
+-Calls to render with dynamic paths
+
+General capabilities:
+-Search for method calls based on target class and/or method name
+-Determine 'output' of templates using ERB, Erubis, or HAML. Can handle automatic escaping

data/README.md

@@ -0,0 +1,169 @@
+[![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
+[![Brakeman Pro Logo](https://brakemanpro.com/images/bmp_square_white.png)](https://brakemanpro.com)
+
+[![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
+[![Code Climate](https://codeclimate.com/github/presidentbeef/brakeman/badges/gpa.svg)](https://codeclimate.com/github/presidentbeef/brakeman)
+[![Test Coverage](https://codeclimate.com/github/presidentbeef/brakeman/badges/coverage.svg)](https://codeclimate.com/github/presidentbeef/brakeman/coverage)
+[![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
+
+# Brakeman
+
+Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
+
+Check out [Brakeman Pro](https://brakemanpro.com/) if you are looking for a commercially-supported version with a GUI and advanced features.
+
+# Installation
+
+Using RubyGems:
+
+    gem install brakeman
+
+Using Bundler:
+
+    group :development do
+      gem 'brakeman', :require => false
+    end
+
+# Usage
+
+From a Rails application's root directory:
+
+    brakeman
+
+Outside of Rails root:
+
+    brakeman /path/to/rails/application
+
+# Compatibility
+
+Brakeman works with Rails 2.x, 3.x, and 4.x.
+
+# Basic Options
+
+For a full list of options, use `brakeman --help` or see the [OPTIONS.md](OPTIONS.md) file.
+
+To specify an output file for the results:
+
+    brakeman -o output_file
+
+The output format is determined by the file extension or by using the `-f` option. Current options are: `text`, `html`, `tabs`, `json`, `markdown`, `csv`, and `codeclimate`.
+
+Multiple output files can be specified:
+
+    brakeman -o output.html -o output.json
+
+To suppress informational warnings and just output the report:
+
+    brakeman -q
+
+Note all Brakeman output except reports are sent to stderr, making it simple to redirect stdout to a file and just get the report.
+
+To see all kinds of debugging information:
+
+    brakeman -d
+
+Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (`DefaultRoutes`):
+
+    brakeman -x DefaultRoutes
+
+Multiple checks should be separated by a comma:
+
+    brakeman -x DefaultRoutes,Redirect
+
+To do the opposite and only run a certain set of tests:
+
+    brakeman -t SQL,ValidationRegex
+
+If Brakeman is running a bit slow, try
+
+    brakeman --faster
+
+This will disable some features, but will probably be much faster (currently it is the same as `--skip-libs --no-branching`). *WARNING*: This may cause Brakeman to miss some vulnerabilities.
+
+By default, Brakeman will return 0 as an exit code unless something went very wrong. To return an error code when warnings were found:
+
+    brakeman -z
+
+To skip certain files or directories that Brakeman may have trouble parsing, use:
+
+    brakeman --skip-files file1,/path1/,path2/
+
+To compare results of a scan with a previous scan, use the JSON output option and then:
+
+    brakeman --compare old_report.json
+
+This will output JSON with two lists: one of fixed warnings and one of new warnings.
+
+Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in `config/brakeman.ignore`.
+To create and manage this file, use:
+
+    brakeman -I
+
+# Warning information
+
+See [WARNING\_TYPES](WARNING_TYPES) for more information on the warnings reported by this tool.
+
+# Warning context
+
+The HTML output format provides an excerpt from the original application source where a warning was triggered. Due to the processing done while looking for vulnerabilities, the source may not resemble the reported warning and reported line numbers may be slightly off. However, the context still provides a quick look into the code which raised the warning.
+
+# Confidence levels
+
+Brakeman assigns a confidence level to each warning. This provides a rough estimate of how certain the tool is that a given warning is actually a problem. Naturally, these ratings should not be taken as absolute truth.
+
+There are three levels of confidence:
+
+ + High - Either this is a simple warning (boolean value) or user input is very likely being used in unsafe ways.
+ + Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.
+ + Weak - Typically means user input was indirectly used in a potentially unsafe manner.
+
+To only get warnings above a given confidence level:
+
+    brakeman -w3
+
+The `-w` switch takes a number from 1 to 3, with 1 being low (all warnings) and 3 being high (only highest confidence warnings).
+
+# Configuration files
+
+Brakeman options can stored and read from YAML files. To simplify the process of writing a configuration file, the `-C` option will output the currently set options.
+
+Options passed in on the commandline have priority over configuration files.
+
+The default config locations are `./config/brakeman.yml`, `~/.brakeman/config.yml`, and `/etc/brakeman/config.yml`
+
+The `-c` option can be used to specify a configuration file to use.
+
+# Continuous Integration
+
+There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenkins/Hudson.
+
+For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
+
+# Building
+
+    git clone git://github.com/presidentbeef/brakeman.git
+    cd brakeman
+    gem build brakeman.gemspec
+    gem install brakeman*.gem
+
+# Who is Using Brakeman?
+
+* [Code Climate](https://codeclimate.com/)
+* [GitHub](https://github.com/)
+* [Groupon](http://www.groupon.com/)
+* [New Relic](http://newrelic.com)
+* [Twitter](https://twitter.com/)
+
+[..and more!](http://brakemanscanner.org/brakeman_users)
+
+# Homepage/News
+
+Website: http://brakemanscanner.org/
+
+Twitter: https://twitter.com/brakeman
+
+Chat: https://gitter.im/presidentbeef/brakeman
+
+# License
+
+see [MIT-LICENSE](MIT-LICENSE)

data/WARNING_TYPES

@@ -0,0 +1,95 @@
+This file describes the various warning types reported by this tool.
+
+# Attribute Restriction
+
+This warning comes up if a model does not limit what attributes can be set through mass assignment.
+
+In particular, this check looks for `attr_accessible` inside model definitions. If it is not found, this warning will be issued.
+
+Note that disabling mass assignment globally will suppress these warnings.
+
+# Authentication
+
+# Basic Auth
+
+# Command Injection
+
+Request parameters or string interpolation has been detected in a `system` call. This can lead to someone executing arbitrary commands. Use the safe form of `system` instead, which will pass in arguments safely.
+
+See http://guides.rubyonrails.org/security.html#command-line-injection for details.
+
+# Cross Site Scripting
+
+Cross site scripting warnings are raised when a parameter or model attribute is output through a view without being escaped.
+
+See http://guides.rubyonrails.org/security.html#cross-site-scripting-xss for details.
+
+# Cross-Site Request Forgery
+
+No call to `protect_from_forgery` was found in `ApplicationController`. This method prevents CSRF.
+
+See http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf for details.
+
+# Dangerous Eval
+
+# Dangerous Send
+
+# Default Routes
+
+The general default routes warning means there is a call to `map.connect ":controller/:action/:id"` in config/routes.rb. This allows any public method on any controller to be called as an action.
+
+If this warning is reported for a particular controller, it means there is a route to that controller containing `:action`.
+
+Default routes can be dangerous if methods are made public which are not intended to be used as URLs or actions.
+
+# Denial of Service
+
+# Dynamic Render Path
+
+When a call to `render` uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.
+
+This warning is shown whenever the path to be rendered is not a static string or symbol.
+
+# File Access
+
+# Format Validation
+
+Calls to `validates_format_of ..., :with => //` which do not use `\A` and `\z` as anchors will cause this warning. Using `^` and `$` is not sufficient, as `$` will only match up to a new line. This allows an attacker to put whatever malicious input they would like after a new line character.
+
+See http://guides.rubyonrails.org/security.html#regular-expressions for details.
+
+# Information Disclosure
+
+# Mail Link
+
+# Mass Assignment
+
+Mass assignment is a method for initializing models. If the attributes which are set is not restricted, someone may set the attributes to any value they wish.
+
+Mass assignment can be disabled globally.
+
+Please see http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment for more details.
+
+# Nested Attributes
+
+# Redirect
+
+Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
+
+This warning is shown when request parameters are used inside a call to `redirect_to`.
+
+See http://www.owasp.org/index.php/Top_10_2010-A10 for more information.
+
+# Remote Code Execution
+
+# Response Splitting
+
+# Session Setting
+
+# SQL Injection
+
+String interpolation or concatenation has been detected in an SQL query. Use parameterized queries instead.
+
+See http://guides.rubyonrails.org/security.html#sql-injection for details.
+
+# SSL Verification Bypass

data/bin/brakeman

@@ -0,0 +1,89 @@
+#!/usr/bin/env ruby
+#Adjust path in case called directly and not through gem
+$:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
+
+require 'brakeman'
+require 'brakeman/options'
+require 'brakeman/version'
+
+#Parse options
+begin
+  options, parser = Brakeman::Options.parse! ARGV
+rescue OptionParser::ParseError => e
+  $stderr.puts e.message.capitalize
+  $stderr.puts "Please see `brakeman --help` for valid options"
+  exit(-1)
+end
+
+#Exit early for these options
+if options[:list_checks] or options[:list_optional_checks]
+  Brakeman.list_checks options
+  exit
+elsif options[:create_config]
+  Brakeman.dump_config options
+  exit
+elsif options[:show_help]
+  puts parser
+  exit
+elsif options[:show_version]
+  puts "brakeman #{Brakeman::Version}"
+  exit
+elsif options[:install_rake_task]
+  Brakeman.install_rake_task
+  exit
+end
+
+#Set application path according to the commandline arguments
+unless options[:app_path]
+  if ARGV[-1].nil?
+    options[:app_path] = "."
+  else
+    options[:app_path] = ARGV[-1]
+  end
+end
+
+trap("INT") do
+  $stderr.puts "\nInterrupted - exiting."
+
+  if options[:debug]
+    $stderr.puts caller
+  end
+
+  exit!
+end
+
+if options[:quiet].nil?
+  options[:quiet] = :command_line
+end
+
+begin
+  if options[:previous_results_json]
+    require 'json'
+    vulns = Brakeman.compare options.merge(:quiet => options[:quiet])
+
+    if options[:comparison_output_file]
+      File.open options[:comparison_output_file], "w" do |f|
+        f.puts JSON.pretty_generate(vulns)
+      end
+
+      Brakeman.notify "Comparison saved in '#{options[:comparison_output_file]}'"
+    else
+      puts JSON.pretty_generate(vulns)
+    end
+
+    if options[:exit_on_warn] && vulns[:new].count > 0
+      exit Brakeman::Warnings_Found_Exit_Code
+    end
+  else
+    #Run scan and output a report
+    tracker = Brakeman.run options.merge(:print_report => true, :quiet => options[:quiet])
+
+    #Return error code if --exit-on-warn is used and warnings were found
+    if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
+      exit Brakeman::Warnings_Found_Exit_Code
+    end
+  end
+rescue Brakeman::NoApplication => e
+  $stderr.puts e.message
+  exit Brakeman::No_App_Found_Exit_Code
+end

data/lib/brakeman.rb

@@ -0,0 +1,495 @@
+require 'set'
+
+module Brakeman
+
+  #This exit code is used when warnings are found and the --exit-on-warn
+  #option is set
+  Warnings_Found_Exit_Code = 3
+
+  #Exit code returned when no Rails application is detected
+  No_App_Found_Exit_Code = 4
+
+  @debug = false
+  @quiet = false
+  @loaded_dependencies = []
+  @vendored_paths = false
+
+  #Run Brakeman scan. Returns Tracker object.
+  #
+  #Options:
+  #
+  #  * :app_path - path to root of Rails app (required)
+  #  * :additional_checks_path - array of additional directories containing additional out-of-tree checks to run
+  #  * :additional_libs_path - array of additional application relative lib directories (ex. app/mailers) to process
+  #  * :assume_all_routes - assume all methods are routes (default: true)
+  #  * :check_arguments - check arguments of methods (default: true)
+  #  * :collapse_mass_assignment - report unprotected models in single warning (default: false)
+  #  * :combine_locations - combine warning locations (default: true)
+  #  * :config_file - configuration file
+  #  * :escape_html - escape HTML by default (automatic)
+  #  * :exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
+  #  * :github_repo - github repo to use for file links (user/repo[/path][@ref])
+  #  * :highlight_user_input - highlight user input in reported warnings (default: true)
+  #  * :html_style - path to CSS file
+  #  * :ignore_model_output - consider models safe (default: false)
+  #  * :index_libs - add libraries to call index (default: true)
+  #  * :interprocedural - limited interprocedural processing of method calls (default: false)
+  #  * :message_limit - limit length of messages
+  #  * :min_confidence - minimum confidence (0-2, 0 is highest)
+  #  * :output_files - files for output
+  #  * :output_formats - formats for output (:to_s, :to_tabs, :to_csv, :to_html)
+  #  * :parallel_checks - run checks in parallel (default: true)
+  #  * :print_report - if no output file specified, print to stdout (default: false)
+  #  * :quiet - suppress most messages (default: true)
+  #  * :rails3 - force Rails 3 mode (automatic)
+  #  * :report_routes - show found routes on controllers (default: false)
+  #  * :run_checks - array of checks to run (run all if not specified)
+  #  * :safe_methods - array of methods to consider safe
+  #  * :skip_libs - do not process lib/ directory (default: false)
+  #  * :skip_checks - checks not to run (run all if not specified)
+  #  * :absolute_paths - show absolute path of each file (default: false)
+  #  * :summary_only - only output summary section of report
+  #                    (does not apply to tabs format)
+  #
+  #Alternatively, just supply a path as a string.
+  def self.run options
+    options = set_options options
+
+    @quiet = !!options[:quiet]
+    @debug = !!options[:debug]
+
+    if @quiet
+      options[:report_progress] = false
+    end
+    scan options
+  end
+
+  #Sets up options for run, checks given application path
+  def self.set_options options
+    if options.is_a? String
+      options = { :app_path => options }
+    end
+
+    if options[:quiet] == :command_line
+      command_line = true
+      options.delete :quiet
+    end
+
+    options = default_options.merge(load_options(options)).merge(options)
+
+    if options[:quiet].nil? and not command_line
+      options[:quiet] = true
+    end
+
+    options[:output_formats] = get_output_formats options
+    options[:github_url] = get_github_url options
+
+    options
+  end
+
+  #Load options from YAML file
+  def self.load_options line_options
+    custom_location = line_options[:config_file]
+    quiet = line_options[:quiet]
+    app_path = line_options[:app_path]
+
+    #Load configuration file
+    if config = config_file(custom_location, app_path)
+      require 'date' # https://github.com/dtao/safe_yaml/issues/80
+      self.load_brakeman_dependency 'safe_yaml/load'
+      options = SafeYAML.load_file config, :deserialize_symbols => true
+
+      if options
+        options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
+
+        # After parsing the yaml config file for options, convert any string keys into symbols.
+        options.keys.select {|k| k.is_a? String}.map {|k| k.to_sym }.each {|k| options[k] = options[k.to_s]; options.delete(k.to_s) }
+
+        # notify if options[:quiet] and quiet is nil||false
+        notify "[Notice] Using configuration in #{config}" unless (options[:quiet] || quiet)
+        options
+      else
+        notify "[Notice] Empty configuration file: #{config}" unless quiet
+        {}
+      end
+    else
+      {}
+    end
+  end
+
+  CONFIG_FILES = [
+    File.expand_path("~/.brakeman/config.yml"),
+    File.expand_path("/etc/brakeman/config.yml")
+  ]
+
+  def self.config_file custom_location, app_path
+    app_config = File.expand_path(File.join(app_path, "config", "brakeman.yml"))
+    supported_locations = [File.expand_path(custom_location || ""), app_config] + CONFIG_FILES
+    supported_locations.detect {|f| File.file?(f) }
+  end
+
+  #Default set of options
+  def self.default_options
+    { :assume_all_routes => true,
+      :skip_checks => Set.new,
+      :check_arguments => true,
+      :safe_methods => Set.new,
+      :min_confidence => 2,
+      :combine_locations => true,
+      :collapse_mass_assignment => false,
+      :highlight_user_input => true,
+      :ignore_redirect_to_model => true,
+      :ignore_model_output => false,
+      :index_libs => true,
+      :message_limit => 100,
+      :parallel_checks => true,
+      :relative_path => false,
+      :report_progress => true,
+      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css"
+    }
+  end
+
+  #Determine output formats based on options[:output_formats]
+  #or options[:output_files]
+  def self.get_output_formats options
+    #Set output format
+    if options[:output_format] && options[:output_files] && options[:output_files].size > 1
+      raise ArgumentError, "Cannot specify output format if multiple output files specified"
+    end
+    if options[:output_format]
+      get_formats_from_output_format options[:output_format]
+    elsif options[:output_files]
+      get_formats_from_output_files options[:output_files]
+    else
+      begin
+        self.load_brakeman_dependency 'terminal-table', :allow_fail
+        return [:to_s]
+      rescue LoadError
+        return [:to_json]
+      end
+    end
+  end
+
+  def self.get_formats_from_output_format output_format
+    case output_format
+    when :html, :to_html
+      [:to_html]
+    when :csv, :to_csv
+      [:to_csv]
+    when :pdf, :to_pdf
+      [:to_pdf]
+    when :tabs, :to_tabs
+      [:to_tabs]
+    when :json, :to_json
+      [:to_json]
+    when :markdown, :to_markdown
+      [:to_markdown]
+    when :cc, :to_cc, :codeclimate, :to_codeclimate
+      [:to_codeclimate]
+    else
+      [:to_s]
+    end
+  end
+  private_class_method :get_formats_from_output_format
+
+  def self.get_formats_from_output_files output_files
+    output_files.map do |output_file|
+      case output_file
+      when /\.html$/i
+        :to_html
+      when /\.csv$/i
+        :to_csv
+      when /\.pdf$/i
+        :to_pdf
+      when /\.tabs$/i
+        :to_tabs
+      when /\.json$/i
+        :to_json
+      when /\.md$/i
+        :to_markdown
+      when /(\.cc|\.codeclimate)$/i
+        :to_codeclimate
+      else
+        :to_s
+      end
+    end
+  end
+  private_class_method :get_formats_from_output_files
+
+  def self.get_github_url options
+    if github_repo = options[:github_repo]
+      full_repo, ref = github_repo.split '@', 2
+      name, repo, path = full_repo.split '/', 3
+      unless name && repo && !(name.empty? || repo.empty?)
+        raise ArgumentError, "Invalid GitHub repository format"
+      end
+      path.chomp '/' if path
+      ref ||= 'master'
+      ['https://github.com', name, repo, 'blob', ref, path].compact.join '/'
+    else
+      nil
+    end
+  end
+  private_class_method :get_github_url
+
+  #Output list of checks (for `-k` option)
+  def self.list_checks options
+    require 'brakeman/scanner'
+
+    add_external_checks options
+
+    if options[:list_optional_checks]
+      $stderr.puts "Optional Checks:"
+      checks = Checks.optional_checks
+    else
+      $stderr.puts "Available Checks:"
+      checks = Checks.checks
+    end
+
+    format_length = 30
+
+    $stderr.puts "-" * format_length
+    checks.each do |check|
+      $stderr.printf("%-#{format_length}s%s\n", check.name, check.description)
+    end
+  end
+
+  #Installs Rake task for running Brakeman,
+  #which basically means copying `lib/brakeman/brakeman.rake` to
+  #`lib/tasks/brakeman.rake` in the current Rails application.
+  def self.install_rake_task install_path = nil
+    if install_path
+      rake_path = File.join(install_path, "Rakefile")
+      task_path = File.join(install_path, "lib", "tasks", "brakeman.rake")
+    else
+      rake_path = "Rakefile"
+      task_path = File.join("lib", "tasks", "brakeman.rake")
+    end
+
+    if not File.exist? rake_path
+      raise RakeInstallError, "No Rakefile detected"
+    elsif File.exist? task_path
+      raise RakeInstallError, "Task already exists"
+    end
+
+    require 'fileutils'
+
+    if not File.exist? "lib/tasks"
+      notify "Creating lib/tasks"
+      FileUtils.mkdir_p "lib/tasks"
+    end
+
+    path = File.expand_path(File.dirname(__FILE__))
+
+    FileUtils.cp "#{path}/brakeman/brakeman.rake", task_path
+
+    if File.exist? task_path
+      notify "Task created in #{task_path}"
+      notify "Usage: rake brakeman:run[output_file]"
+    else
+      raise RakeInstallError, "Could not create task"
+    end
+  end
+
+  #Output configuration to YAML
+  def self.dump_config options
+    require 'yaml'
+    if options[:create_config].is_a? String
+      file = options[:create_config]
+    else
+      file = nil
+    end
+
+    options.delete :create_config
+
+    options.each do |k,v|
+      if v.is_a? Set
+        options[k] = v.to_a
+      end
+    end
+
+    if file
+      File.open file, "w" do |f|
+        YAML.dump options, f
+      end
+      notify "Output configuration to #{file}"
+    else
+      notify YAML.dump(options)
+    end
+  end
+
+  #Run a scan. Generally called from Brakeman.run instead of directly.
+  def self.scan options
+    #Load scanner
+    notify "Loading scanner..."
+
+    begin
+      require 'brakeman/scanner'
+    rescue LoadError
+      raise NoBrakemanError, "Cannot find lib/ directory."
+    end
+
+    add_external_checks options
+
+    #Start scanning
+    scanner = Scanner.new options
+    tracker = scanner.tracker
+
+    notify "Processing application in #{tracker.app_path}"
+    scanner.process
+
+    if options[:parallel_checks]
+      notify "Running checks in parallel..."
+    else
+      notify "Runnning checks..."
+    end
+
+    tracker.run_checks
+
+    self.filter_warnings tracker, options
+
+    if options[:output_files]
+      notify "Generating report..."
+
+      write_report_to_files tracker, options[:output_files]
+    elsif options[:print_report]
+      notify "Generating report..."
+
+      write_report_to_formats tracker, options[:output_formats]
+    end
+
+    tracker
+  end
+
+  def self.write_report_to_files tracker, output_files
+    output_files.each_with_index do |output_file, idx|
+      File.open output_file, "w" do |f|
+        f.write tracker.report.format(tracker.options[:output_formats][idx])
+      end
+      notify "Report saved in '#{output_file}'"
+    end
+  end
+  private_class_method :write_report_to_files
+
+  def self.write_report_to_formats tracker, output_formats
+    output_formats.each do |output_format|
+      puts tracker.report.format(output_format)
+    end
+  end
+  private_class_method :write_report_to_formats
+
+  #Rescan a subset of files in a Rails application.
+  #
+  #A full scan must have been run already to use this method.
+  #The returned Tracker object from Brakeman.run is used as a starting point
+  #for the rescan.
+  #
+  #Options may be given as a hash with the same values as Brakeman.run.
+  #Note that these options will be merged into the Tracker.
+  #
+  #This method returns a RescanReport object with information about the scan.
+  #However, the Tracker object will also be modified as the scan is run.
+  def self.rescan tracker, files, options = {}
+    require 'brakeman/rescanner'
+
+    tracker.options.merge! options
+
+    @quiet = !!tracker.options[:quiet]
+    @debug = !!tracker.options[:debug]
+
+    Rescanner.new(tracker.options, tracker.processor, files).recheck
+  end
+
+  def self.notify message
+    $stderr.puts message unless @quiet
+  end
+
+  def self.debug message
+    $stderr.puts message if @debug
+  end
+
+  # Compare JSON ouptut from a previous scan and return the diff of the two scans
+  def self.compare options
+    require 'json'
+    require 'brakeman/differ'
+    raise ArgumentError.new("Comparison file doesn't exist") unless File.exist? options[:previous_results_json]
+
+    begin
+      previous_results = JSON.parse(File.read(options[:previous_results_json]), :symbolize_names => true)[:warnings]
+    rescue JSON::ParserError
+      self.notify "Error parsing comparison file: #{options[:previous_results_json]}"
+      exit!
+    end
+
+    tracker = run(options)
+
+    new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
+
+    Brakeman::Differ.new(new_results, previous_results).diff
+  end
+
+  def self.load_brakeman_dependency name, allow_fail = false
+    return if @loaded_dependencies.include? name
+
+    unless @vendored_paths
+      path_load = "#{File.expand_path(File.dirname(__FILE__))}/../bundle/load.rb"
+
+      if File.exist? path_load
+        require path_load
+      end
+
+      @vendored_paths = true
+    end
+
+    begin
+      require name
+    rescue LoadError => e
+      if allow_fail
+        raise e
+      else
+        $stderr.puts e.message
+        $stderr.puts "Please install the appropriate dependency: #{name}."
+        exit!(-1)
+      end
+    end
+  end
+
+  def self.filter_warnings tracker, options
+    require 'brakeman/report/ignore/config'
+
+    app_tree = Brakeman::AppTree.from_options(options)
+
+    if options[:ignore_file]
+      file = options[:ignore_file]
+    elsif app_tree.exists? "config/brakeman.ignore"
+      file = app_tree.expand_path("config/brakeman.ignore")
+    elsif not options[:interactive_ignore]
+      return
+    end
+
+    notify "Filtering warnings..."
+
+    if options[:interactive_ignore]
+      require 'brakeman/report/ignore/interactive'
+      config = InteractiveIgnorer.new(file, tracker.warnings).start
+    else
+      notify "[Notice] Using '#{file}' to filter warnings"
+      config = IgnoreConfig.new(file, tracker.warnings)
+      config.read_from_file
+      config.filter_ignored
+    end
+
+    tracker.ignored_filter = config
+  end
+
+  def self.add_external_checks options
+    options[:additional_checks_path].each do |path|
+      Brakeman::Checks.initialize_checks path
+    end if options[:additional_checks_path]
+  end
+
+  class DependencyError < RuntimeError; end
+  class RakeInstallError < RuntimeError; end
+  class NoBrakemanError < RuntimeError; end
+  class NoApplication < RuntimeError; end
+end