brakeman-lib 3.3.1

data/lib/brakeman/report/report_table.rb

@@ -0,0 +1,107 @@
+Brakeman.load_brakeman_dependency 'terminal-table'
+
+class Brakeman::Report::Table < Brakeman::Report::Base
+  def generate_report
+    out = text_header <<
+    "\n\n+SUMMARY+\n\n" <<
+    truncate_table(generate_overview.to_s) << "\n\n" <<
+    truncate_table(generate_warning_overview.to_s) << "\n"
+
+    #Return output early if only summarizing
+    return out if tracker.options[:summary_only]
+
+    if tracker.options[:report_routes] or tracker.options[:debug]
+      out << "\n+CONTROLLERS+\n" <<
+      truncate_table(generate_controllers.to_s) << "\n"
+    end
+
+    if tracker.options[:debug]
+      out << "\n+TEMPLATES+\n\n" <<
+      truncate_table(generate_templates.to_s) << "\n"
+    end
+
+    res = generate_errors
+    out << "+Errors+\n" << truncate_table(res.to_s) if res
+
+    res = generate_warnings
+    out << "\n\n+SECURITY WARNINGS+\n\n" << truncate_table(res.to_s) if res
+
+    res = generate_controller_warnings
+    out << "\n\n\nController Warnings:\n\n" << truncate_table(res.to_s) if res
+
+    res = generate_model_warnings
+    out << "\n\n\nModel Warnings:\n\n" << truncate_table(res.to_s) if res
+
+    res = generate_template_warnings
+    out << "\n\nView Warnings:\n\n" << truncate_table(res.to_s) if res
+
+    out << "\n"
+    out
+  end
+
+  def generate_overview
+    num_warnings = all_warnings.length
+
+    Terminal::Table.new(:headings => ['Scanned/Reported', 'Total']) do |t|
+      t.add_row ['Controllers', tracker.controllers.length]
+      t.add_row ['Models', tracker.models.length - 1]
+      t.add_row ['Templates', number_of_templates(@tracker)]
+      t.add_row ['Errors', tracker.errors.length]
+      t.add_row ['Security Warnings', "#{num_warnings} (#{warnings_summary[:high_confidence]})"]
+      t.add_row ['Ignored Warnings', ignored_warnings.length] unless ignored_warnings.empty?
+    end
+  end
+
+  #Generate listings of templates and their output
+  def generate_templates
+    out_processor = Brakeman::OutputProcessor.new
+    template_rows = {}
+    tracker.templates.each do |name, template|
+      template.each_output do |out|
+        out = out_processor.format out
+        template_rows[name] ||= []
+        template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
+      end
+    end
+
+    template_rows = template_rows.sort_by{|name, value| name.to_s}
+
+    output = ''
+    template_rows.each do |template|
+      output << template.first.to_s << "\n\n"
+      table = Terminal::Table.new(:headings => ['Output']) do |t|
+        # template[1] is an array of calls
+        template[1].each do |v|
+          t.add_row [v]
+        end
+      end
+
+      output << table.to_s << "\n\n"
+    end
+
+    output
+  end
+
+  def render_array template, headings, value_array, locals
+    return if value_array.empty?
+
+    Terminal::Table.new(:headings => headings) do |t|
+      value_array.each { |value_row| t.add_row value_row }
+    end
+  end
+
+  #Generate header for text output
+  def text_header
+    <<-HEADER
+
++BRAKEMAN REPORT+
+
+Application path: #{tracker.app_path}
+Rails version: #{rails_version}
+Brakeman version: #{Brakeman::Version}
+Started at #{tracker.start_time}
+Duration: #{tracker.duration} seconds
+Checks run: #{checks.checks_run.sort.join(", ")}
+HEADER
+  end
+end

data/lib/brakeman/report/report_tabs.rb

@@ -0,0 +1,17 @@
+#Generated tab-separated output suitable for the Jenkins Brakeman Plugin:
+#https://github.com/presidentbeef/brakeman-jenkins-plugin
+class Brakeman::Report::Tabs < Brakeman::Report::Base
+  def generate_report
+    [[:generic_warnings, "General"], [:controller_warnings, "Controller"],
+      [:model_warnings, "Model"], [:template_warnings, "Template"]].map do |meth, category|
+
+      self.send(meth).map do |w|
+        line = w.line || 0
+        w.warning_type.gsub!(/[^\w\s]/, ' ')
+        "#{warning_file(w, :absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+      end.join "\n"
+
+    end.join "\n"
+
+  end
+end

data/lib/brakeman/report/templates/controller_overview.html.erb

@@ -0,0 +1,22 @@
+<h2>Controllers</h2>
+
+<table>
+  <thead>
+    <tr>
+      <th>Name</th>
+      <th>Parent</th>
+      <th>Includes</th>
+      <th>Routes</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% controller_rows.each do |row| %>
+    <tr>
+      <td><%= row['Name'] %></td>
+      <td><%= row['Parent'] %></td>
+      <td><%= row['Includes'] %></td>
+      <td><%= row['Routes'] %></td>
+    </tr>
+  <% end %>
+  </tbody>
+</table>

data/lib/brakeman/report/templates/controller_warnings.html.erb

@@ -0,0 +1,21 @@
+<p>Controller Warnings</p>
+<table>
+  <thead>
+    <tr>
+      <th>Confidence</th>
+      <th>Controller</th>
+      <th>Warning Type</th>
+      <th>Message</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% warnings.each do |warning| %>
+    <tr>
+      <td><%= warning['Confidence']%></td>
+      <td><%= warning['Controller']%></td>
+      <td><%= warning['Warning Type']%></td>
+      <td><%= warning['Message']%></td>
+    </tr>
+  <% end %>
+  </tbody>
+</table>

data/lib/brakeman/report/templates/error_overview.html.erb

@@ -0,0 +1,29 @@
+<div onClick="toggle('errors_table');">  <h2>Exceptions raised during the analysis (click to see them)</h2 ></div>
+  <div>
+    <div id='errors_table' style='display:none'> 
+      <table>
+        <thead>
+          <tr>
+            <th>Error</th>
+            <th>Location</th>
+          </tr>
+        </thead>
+        <tbody>
+        <% tracker.errors.each do |warning| %>
+          <tr>
+            <td><%= CGI.escapeHTML warning[:error] %></td>
+            <td>
+              <% if tracker.options[:debug] %>
+                <% warning[:backtrace].each do |line| %>
+                  <%= line %><br/>
+                <% end %>
+              <% else %>
+                <%= warning[:backtrace][0] %>
+              <% end %>
+            </td>
+          </tr>
+        <% end %>
+        </tbody>
+      </table>
+    </div>
+  </div>

data/lib/brakeman/report/templates/header.html.erb

@@ -0,0 +1,58 @@
+<!DOCTYPE HTML SYSTEM>
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<title>Brakeman Report</title>
+  <script type="text/javascript" src="https://code.jquery.com/jquery-2.1.4.min.js"></script>
+  <script type="text/javascript" src="https://cdn.datatables.net/1.10.9/js/jquery.dataTables.min.js"></script>
+  <script type="text/javascript">
+    function toggle(context) {
+      var elem = document.getElementById(context);
+
+      if (elem.style.display != "block")
+        elem.style.display = "block";
+      else
+        elem.style.display = "none";
+
+      elem.parentNode.scrollIntoView();
+    }
+
+    $(document).ready(function() {
+      $('table').DataTable({
+        searching: false,
+        paging:    false,
+        info:      false
+      });
+    });
+  </script>
+  <style>
+    <%= css %>
+  </style>
+</head>
+<body>
+
+<h1>Brakeman Report</h1>
+<table>
+  <thead>
+    <tr>
+      <th>Application Path</th>
+      <th>Rails Version</th>
+      <th>Brakeman Version</th>
+      <th>Report Time</th>
+      <th>Checks Performed</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td><%= tracker.app_path %></td>
+      <td><%= rails_version %></td>
+      <td><%= brakeman_version %>
+      <td>
+        <%= tracker.start_time %><br><br>
+        <%= tracker.duration %> seconds
+      </td>
+      <td><%= checks.checks_run.sort.join(", ") %></td>
+    </tr>
+  </tbody>
+</table>
+<br>

data/lib/brakeman/report/templates/ignored_warnings.html.erb

@@ -0,0 +1,25 @@
+<div onClick="toggle('ignored_table');">  <h2><%= warnings.length %> Ignored Warnings (click to see them)</h2 ></div>
+<div>
+  <table style="display:none" id="ignored_table">
+    <thead>
+      <tr>
+        <th>Confidence</th>
+        <th>File</th>
+        <th>Warning Type</th>
+        <th>Message</th>
+        <th>Note</th>
+      </tr>
+    </thead>
+    <tbody>
+    <% warnings.each do |warning| %>
+      <tr>
+        <td><%= warning['Confidence']%></td>
+        <td><%= warning['File']%></td>
+        <td><%= warning['Warning Type']%></td>
+        <td><%= warning['Message']%></td>
+        <td><%= warning['Note']%></td>
+      </tr>
+    <% end %>
+    </tbody>
+  </table>
+</div>

data/lib/brakeman/report/templates/model_warnings.html.erb

@@ -0,0 +1,21 @@
+<p>Model Warnings</p>
+<table>
+  <thead>
+    <tr>
+      <th>Confidence</th>
+      <th>Model</th>
+      <th>Warning Type</th>
+      <th>Message</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% warnings.each do |warning| %>
+    <tr>
+      <td><%= warning['Confidence']%></td>
+      <td><%= warning['Model']%></td>
+      <td><%= warning['Warning Type']%></td>
+      <td><%= warning['Message']%></td>
+    </tr>
+  <% end %>
+  </tbody>
+</table>

data/lib/brakeman/report/templates/overview.html.erb

@@ -0,0 +1,38 @@
+<h2 id='summary'>Summary</h2>
+<table>
+  <thead>
+    <tr>
+      <th>Scanned/Reported</th>
+      <th>Total</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Controllers</td>
+      <td><%= tracker.controllers.length %></td>
+    </tr>
+    <tr>
+      <td>Models</td>
+      <td><%= tracker.models.length - 1 %></td>
+    </tr>
+    <tr>
+      <td>Templates</td>
+      <td><%= number_of_templates %></td>
+    </tr>
+    <tr>
+      <td>Errors</td>
+      <td><%= tracker.errors.length %></td>
+    </tr>
+    <tr>
+      <td>Security Warnings</td>
+      <td><%= warnings %> <span class='high-confidence'>(<%= warnings_summary[:high_confidence] %>)</span></td>
+    </tr>
+  <% if warnings_summary['Ignored Warnings'] %>
+    <tr>
+      <td>Ignored Warnings</td>
+      <td><%= ignored_warnings %></td>
+    </tr>
+  <% end %>
+  </tbody>
+</table>
+<br>

data/lib/brakeman/report/templates/security_warnings.html.erb

@@ -0,0 +1,23 @@
+<h2>Security Warnings</h2>  
+<table>
+  <thead>
+    <tr>
+      <th>Confidence</th>
+      <th>Class</th>
+      <th>Method</th>
+      <th>Warning Type</th>
+      <th>Message</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% warnings.each do |warning| %>
+    <tr>
+      <td><%= warning['Confidence']%></td>
+      <td><%= warning['Class']%></td>
+      <td><%= warning['Method']%></td>
+      <td><%= warning['Warning Type']%></td>
+      <td><%= warning['Message']%></td>
+    </tr>
+  <% end %>
+  </tbody>
+</table>

data/lib/brakeman/report/templates/template_overview.html.erb

@@ -0,0 +1,21 @@
+<h2>Templates</h2>
+
+<% template_rows.each do |template| %>
+
+<p><%= template[0] %></p>
+<table>
+  <thead>
+    <tr>
+      <th>Output</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% template[1].each do |call| %>
+    <tr>
+      <td><%= call %></td>
+    </tr>
+  <% end %>
+  </tbody>
+</table>
+
+<% end %>

data/lib/brakeman/report/templates/view_warnings.html.erb

@@ -0,0 +1,34 @@
+<p>View Warnings</p>
+<table>
+  <thead>
+    <tr>
+      <th>Confidence</th>
+      <th>Template</th>
+      <th>Warning Type</th>
+      <th>Message</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% warnings.each_with_index do |warning, i| %>
+    <tr>
+      <td><%= warning['Confidence']%></td>
+      <td>
+        <% if warning['Called From'] and warning['Called From'].length > 1 %>
+          <div class="template_name" onClick="toggle('callers<%= i %>')" >
+            <div>
+              <%= warning['Template'] %>
+            </div>
+            <div class="render_path" id="callers<%= i %>" >
+              <%= warning['Called From'].join(' &rarr; ') %> &rarr; <%= warning['Template Name'] %>
+            </div>
+          </div>
+        <% else %>
+          <%= warning['Template']%>
+        <% end %>
+      </td>
+      <td><%= warning['Warning Type']%></td>
+      <td><%= warning['Message']%></td>
+    </tr>
+  <% end %>
+  </tbody>
+</table>

data/lib/brakeman/report/templates/warning_overview.html.erb

@@ -0,0 +1,17 @@
+<table>
+  <thead>
+    <tr>
+      <th>Warning Type</th>
+      <th>Total</th>
+    </tr>
+  </thead>
+  <tbody>
+  <% types.sort.each do |warning_type| %>
+    <tr>
+      <td><%= warning_type %></td>
+      <td><%= warnings_summary[warning_type] %></td>
+    </tr>
+  <% end %>
+  </tbody>
+</table>
+<br>