brakeman-lib 3.3.5 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: aec96cc1da2d6480b8522d8b63a6ceac114256fc
-  data.tar.gz: 59525f78b3554856223bf33b70d00be2cabce334
+  metadata.gz: e27ccfd7420f1e8272480ef9ca0de23fee00b540
+  data.tar.gz: 09ed85e36994255d6634bbcb7c8ca59e8790541b
 SHA512:
-  metadata.gz: e68fb294389dcd669ae82dd91fa6b2949d3f19df3f9043dc5d5409c11865910dc64fed571e79d51134815c577445debccffdd0ca9c27b6fdcb830e37cfcb6342
-  data.tar.gz: c325feff4fcfe7c23c20cc71ec10d25ac492e17a678c670128be845a227389f6db282198e08adbd97ed614a575e7fb80974c978370e18620f18e53e885ae8f2f
+  metadata.gz: 117943f4633a23ef3a34286fdcb7f445594c2bee527a6dea48e1a9b77bdff5b0e24aa563d22703e8caf34c4094ee17cdf6a83492ad9f247bcd00473984c0588c
+  data.tar.gz: c194c2535ff1db2743fcf66893d6d0dce2d5ff89ba7fc3a358c8a15564ea6de61bd0365f595051ab36eb6c6af987680fda94eba89aaca06d5d1085a584f31708

data/CHANGES

@@ -1,3 +1,12 @@
+# 3.4.0
+
+* Add new `plain` report format
+* Add option to prune ignore file with `-I`
+* Improved Slim template support
+* Show obsolete ignore entries in reports (Jonathan Cheatham)
+* Support creating reports in non-existent paths
+* Add `--no-exit-warn`
+
 # 3.3.5
 
 * Fix bug in reports when using --debug option

data/lib/brakeman.rb

@@ -145,7 +145,8 @@ module Brakeman
       :parallel_checks => true,
       :relative_path => false,
       :report_progress => true,
-      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css"
+      :html_style => "#{File.expand_path(File.dirname(__FILE__))}/brakeman/format/style.css",
+      :output_color => true
     }
   end
 
@@ -186,6 +187,8 @@ module Brakeman
       [:to_markdown]
     when :cc, :to_cc, :codeclimate, :to_codeclimate
       [:to_codeclimate]
+    when :plain ,:to_plain
+      [:to_plain]
     else
       [:to_s]
     end
@@ -209,6 +212,8 @@ module Brakeman
         :to_markdown
       when /(\.cc|\.codeclimate)$/i
         :to_codeclimate
+      when /\.plain$/i
+        :to_plain
       else
         :to_s
       end
@@ -362,7 +367,15 @@ module Brakeman
   end
 
   def self.write_report_to_files tracker, output_files
+    require 'fileutils'
+    tracker.options[:output_color] = false
+
     output_files.each_with_index do |output_file, idx|
+      dir = File.dirname(output_file)
+      unless Dir.exist? dir
+        FileUtils.mkdir_p(dir)
+      end
+
       File.open output_file, "w" do |f|
         f.write tracker.report.format(tracker.options[:output_formats][idx])
       end
@@ -372,6 +385,10 @@ module Brakeman
   private_class_method :write_report_to_files
 
   def self.write_report_to_formats tracker, output_formats
+    unless $stdout.tty?
+      tracker.options[:output_color] = false
+    end
+
     output_formats.each do |output_format|
       puts tracker.report.format(output_format)
     end

data/lib/brakeman/options.rb

@@ -39,8 +39,8 @@ module Brakeman::Options
           options[:quiet] = quiet
         end
 
-        opts.on( "-z", "--exit-on-warn", "Exit code is non-zero if warnings found") do
-          options[:exit_on_warn] = true
+        opts.on( "-z", "--[no-]exit-on-warn", "Exit code is non-zero if warnings found") do |exit_on_warn|
+          options[:exit_on_warn] = exit_on_warn
         end
 
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
@@ -172,12 +172,12 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
           options[:output_format] = ("to_" << type.to_s).to_sym
-          end
+        end
 
         opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
           options[:html_style] = File.expand_path file
@@ -199,6 +199,10 @@ module Brakeman::Options
           options[:highlight_user_input] = highlight
         end
 
+        opts.on "--[no-]color", "Use ANSI colors in report (Default)" do |color|
+          options[:output_color] = color
+        end
+
         opts.on "-m", "--routes", "Report controller information" do
           options[:report_routes] = true
         end

data/lib/brakeman/processors/output_processor.rb

@@ -9,7 +9,9 @@ class Brakeman::OutputProcessor < Ruby2Ruby
   include Brakeman::Util
 
   #Copies +exp+ and then formats it.
-  def format exp
+  def format exp, user_input = nil, &block
+    @user_input = user_input
+    @user_input_block = block
     process(exp.deep_clone) || "[Format Error]"
   end
 
@@ -17,7 +19,11 @@ class Brakeman::OutputProcessor < Ruby2Ruby
 
   def process exp
     begin
-      super exp if sexp? exp and not exp.empty?
+      if @user_input and @user_input == exp
+        @user_input_block.call(exp, super(exp))
+      else
+        super exp if sexp? exp and not exp.empty?
+      end
     rescue => e
       Brakeman.debug "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}"
     end

data/lib/brakeman/processors/slim_template_processor.rb

@@ -7,6 +7,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
   SAFE_BUFFER = s(:call, s(:colon2, s(:const, :ActiveSupport), :SafeBuffer), :new)
   OUTPUT_BUFFER = s(:ivar, :@output_buffer)
   TEMPLE_UTILS = s(:colon2, s(:colon3, :Temple), :Utils)
+  ATTR_MERGE = s(:call, s(:call, s(:array), :reject, s(:block_pass, s(:lit, :empty?))), :join, s(:str, " "))
 
   def process_call exp
     target = exp.target
@@ -16,7 +17,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
       arg = normalize_output(exp.first_arg)
 
       if is_escaped? arg
-        add_escaped_output arg
+        add_escaped_output arg.first_arg
       elsif string? arg
         ignore
       elsif render? arg
@@ -25,11 +26,15 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
         process_inside_interp arg
       elsif node_type? arg, :ignore
         ignore
+      elsif internal_variable? arg
+        ignore
+      elsif arg == ATTR_MERGE
+        ignore
       else
         add_output arg
       end
     elsif is_escaped? exp
-      add_escaped_output exp.first_arg
+      add_escaped_output arg
     elsif target == nil and method == :render
       exp.arglist = process exp.arglist
       make_render_in_view exp
@@ -73,12 +78,25 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
+  def add_escaped_output exp
+    exp = normalize_output(exp)
+
+    return exp if string? exp or internal_variable? exp
+
+    super exp
+  end
+
   def is_escaped? exp
     call? exp and
     exp.target == TEMPLE_UTILS and
     (exp.method == :escape_html or exp.method == :escape_html_safe)
   end
 
+  def internal_variable? exp
+    node_type? exp, :lvar and
+    exp.value =~ /^_(temple_|slim_)/
+  end
+
   def render? exp
     call? exp and
     exp.target.nil? and

data/lib/brakeman/report.rb

@@ -6,7 +6,7 @@ require 'brakeman/report/report_base'
 class Brakeman::Report
   attr_reader :tracker
 
-  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate]
+  VALID_FORMATS = [:to_html, :to_pdf, :to_csv, :to_json, :to_tabs, :to_hash, :to_s, :to_markdown, :to_codeclimate, :to_plain]
 
   def initialize app_tree, tracker
     @app_tree = app_tree
@@ -34,6 +34,8 @@ class Brakeman::Report
       Brakeman::Report::Hash
     when :to_markdown
       return self.to_markdown
+    when :to_plain
+      return self.to_plain
     when :to_s
       return self.to_s
     when :to_pdf
@@ -72,6 +74,11 @@ class Brakeman::Report
     generate Brakeman::Report::Markdown
   end
 
+  def to_plain
+    require_report 'text'
+    generate Brakeman::Report::Text
+  end
+
   def generate reporter
     reporter.new(@app_tree, @tracker).generate_report
   end

data/lib/brakeman/report/ignore/config.rb

@@ -11,6 +11,7 @@ module Brakeman
       @new_warnings = new_warnings
       @already_ignored = []
       @ignored_fingerprints = Set.new
+      @used_fingerprints = Set.new
       @notes = {}
       @shown_warnings = @ignored_warnings = nil
       @changed = false
@@ -43,6 +44,7 @@ module Brakeman
 
     # Determine if warning should be ignored
     def ignored? warning
+      @used_fingerprints << warning.fingerprint
       @ignored_fingerprints.include? warning.fingerprint
     end
 
@@ -75,6 +77,22 @@ module Brakeman
       nil
     end
 
+    # The set of unused ignore entries
+    def obsolete_fingerprints
+      (@ignored_fingerprints - @used_fingerprints).to_a
+    end
+
+    def prune_obsolete
+      obsolete = obsolete_fingerprints.to_set
+      @ignored_fingerprints -= obsolete
+
+      @already_ignored.reject! do |w|
+        if obsolete.include? w[:fingerprint]
+          @changed = true
+        end
+      end
+    end
+
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file

data/lib/brakeman/report/ignore/interactive.rb

@@ -19,6 +19,7 @@ module Brakeman
       @ignore_config.filter_ignored
 
       unless @quit
+        penultimate_menu
         final_menu
       end
 
@@ -65,6 +66,10 @@ module Brakeman
           process_warnings
         end
 
+        m.choice "Prune obsolete ignored warnings" do
+          prune_obsolete
+        end
+
         m.choice "Skip - use current ignore configuration" do
           @quit = true
           @ignore_config.filter_ignored
@@ -103,6 +108,36 @@ q - Quit, do not update ignored warnings
       end
     end
 
+    def penultimate_menu
+      obsolete = @ignore_config.obsolete_fingerprints
+      return unless obsolete.any?
+
+      if obsolete.length > 1
+        plural = 's'
+        verb = 'are'
+      else
+        plural = ''
+        verb = 'is'
+      end
+
+      say "\n#{obsolete.length} fingerprint#{plural} #{verb} unused:", :green
+      obsolete.each do |obs|
+        say obs
+      end
+
+      if yes_or_no "\nRemove fingerprint#{plural}?"
+        @ignore_config.prune_obsolete
+      end
+    end
+
+    def prune_obsolete
+      @ignore_config.filter_ignored
+      obsolete = @ignore_config.obsolete_fingerprints
+      @ignore_config.prune_obsolete
+
+      say "Removed #{obsolete.length} obsolete fingerprint#{'s' if obsolete.length > 1} from ignore config.", :yellow
+    end
+
     def final_menu
       summarize_changes
 

data/lib/brakeman/report/report_base.rb

@@ -79,6 +79,11 @@ class Brakeman::Report::Base
     render_array('error_overview', ['Error', 'Location'], values, {:tracker => tracker})
   end
 
+  def generate_obsolete
+    values = tracker.unused_fingerprints.collect{|fingerprint| [fingerprint] }
+    render_array('obsolete_ignore_entries', ['fingerprint'], values, {:tracker => tracker})
+  end
+
   def generate_warnings
     render_warnings generic_warnings,
                     :warning,

data/lib/brakeman/report/report_json.rb

@@ -2,6 +2,8 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
   def generate_report
     errors = tracker.errors.map{|e| { :error => e[:error], :location => e[:backtrace][0] }}
 
+    obsolete = tracker.unused_fingerprints
+
     warnings = convert_to_hashes all_warnings
 
     ignored = convert_to_hashes ignored_warnings
@@ -26,7 +28,8 @@ class Brakeman::Report::JSON < Brakeman::Report::Base
       :scan_info => scan_info,
       :warnings => warnings,
       :ignored_warnings => ignored,
-      :errors => errors
+      :errors => errors,
+      :obsolete => obsolete
     }
 
     JSON.pretty_generate report_info

data/lib/brakeman/report/report_table.rb

@@ -25,6 +25,7 @@ class Brakeman::Report::Table < Brakeman::Report::Base
       truncate_table(generate_templates.to_s) << "\n"
     end
 
+    output_table("+Obsolete Ignore Entries+", generate_obsolete, out)
     output_table("+Errors+", generate_errors, out)
     output_table("+SECURITY WARNINGS+", generate_warnings, out)
     output_table("Controller Warnings:", generate_controller_warnings, out)

data/lib/brakeman/report/report_text.rb

@@ -0,0 +1,193 @@
+Brakeman.load_brakeman_dependency 'highline'
+
+class Brakeman::Report::Text < Brakeman::Report::Base
+  def generate_report
+    HighLine.use_color = !!tracker.options[:output_color]
+    @output_string = "\n"
+
+    add_chunk generate_header
+    add_chunk generate_overview
+    add_chunk generate_warning_overview
+    return @output_string if tracker.options[:summary_only]
+
+    add_chunk generate_controllers if tracker.options[:debug] or tracker.options[:report_routes]
+    add_chunk generate_templates if tracker.options[:debug]
+    add_chunk generate_obsolete
+    add_chunk generate_errors 
+    add_chunk generate_warnings
+  end
+
+  def add_chunk chunk, out = @output_string
+    if chunk and not chunk.empty?
+      if chunk.is_a? Array
+        chunk = chunk.join("\n")
+      end
+
+      out << chunk << "\n\n"
+    end
+  end
+
+  def generate_header
+    [
+      header("Brakeman Report"), 
+      label("Application Path", tracker.app_path),
+      label("Rails Version", rails_version),
+      label("Brakeman Version", Brakeman::Version),
+      label("Scan Date", tracker.start_time),
+      label("Duration", "#{tracker.duration} seconds"),
+      label("Checks Run", checks.checks_run.sort.join(", "))
+    ]
+  end
+
+  def generate_overview
+    overview = [
+      header("Overview"),
+      label('Controllers', tracker.controllers.length),
+      label('Models', tracker.models.length - 1),
+      label('Templates', number_of_templates(@tracker)),
+      label('Errors', tracker.errors.length),
+      label('Security Warnings', all_warnings.length)
+    ]
+
+    unless ignored_warnings.empty?
+      overview << label('Ignored Warnings', ignored_warnings.length)
+    end
+
+    overview
+  end
+
+  def generate_warning_overview
+    warning_types = warnings_summary
+    warning_types.delete :high_confidence
+
+    warning_types.sort_by { |t, c| t }.map do |type, count|
+      label(type, count)
+    end.unshift(header('Warning Types'))
+  end
+
+  def generate_warnings
+    if tracker.filtered_warnings.empty?
+      HighLine.color("No warnings found", :bold, :green)
+    else
+      warnings = tracker.filtered_warnings.sort_by do |w|
+        [w.confidence, w.warning_type, w.fingerprint]
+      end.map do |w|
+        output_warning w
+      end
+
+      double_space "Warnings", warnings
+    end
+  end
+
+  def generate_errors
+    return if tracker.errors.empty?
+    full_trace = tracker.options[:debug]
+
+    errors = tracker.errors.map do |e|
+      trace = if full_trace
+        e[:backtrace].join("\n")
+      else
+        e[:backtrace][0]
+      end
+
+      [
+        label("Error", e[:error]),
+        label("Location", trace)
+      ]
+    end
+
+    double_space "Errors", errors
+  end
+
+  def generate_obsolete
+    return if tracker.unused_fingerprints.empty?
+
+    [header("Obsolete Ignore Entries")] + tracker.unused_fingerprints
+  end
+
+  def generate_templates
+    out_processor = Brakeman::OutputProcessor.new
+
+    template_rows = {}
+    tracker.templates.each do |name, template|
+      template.each_output do |out|
+        out = out_processor.format out
+        template_rows[name] ||= []
+        template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
+      end
+    end
+
+    double_space "Template Output", template_rows.sort_by { |name, value| name.to_s }.map { |template|
+      [HighLine.new.color(template.first.to_s << "\n", :cyan)] + template[1]
+    }.compact
+  end
+
+  def output_warning w
+    out = [
+      label('Confidence', confidence(w.confidence)),
+      label('Category', w.warning_type.to_s),
+      label('Message', w.message)
+    ]
+
+    if w.code
+      out << label('Code', format_code(w))
+    end
+
+    out << label('File', warning_file(w))
+
+    if w.line
+      out << label('Line', w.line)
+    end
+
+    out
+  end
+
+  def double_space title, values
+    values = values.map { |v| v.join("\n") }.join("\n\n")
+    [header(title), values]
+  end
+
+  def format_code w
+    if @highlight_user_input and w.user_input
+      w.format_with_user_input do |exp, text|
+        HighLine.new.color(text, :yellow)
+      end
+    else
+      w.format_code
+    end
+  end
+
+  def confidence c
+    case c
+    when 0
+      HighLine.new.color("High", :red)
+    when 1
+      HighLine.new.color("Medium", :yellow)
+    when 2
+      HighLine.new.color("Weak", :none)
+    end
+  end
+
+  def label l, value, color = :green
+    "#{HighLine.new.color(l, color)}: #{value}"
+  end
+
+  def header text
+    HighLine.new.color("== #{text} ==\n", :bold, :magenta)
+  end
+
+  # ONLY used for generate_controllers to avoid duplication
+  def render_array name, cols, values, locals
+    controllers = values.map do |name, parent, includes, routes|
+      [
+        label("Controller", name),
+        label("Parent", parent),
+        label("Includes", includes),
+        label("Routes", routes)
+      ]
+    end
+
+    double_space "Controller Overview", controllers
+  end
+end
+

data/lib/brakeman/tracker.rb

@@ -185,6 +185,11 @@ class Brakeman::Tracker
     end
   end
 
+  def unused_fingerprints
+    return [] unless self.ignored_filter
+    self.ignored_filter.obsolete_fingerprints
+  end
+
   def add_constant name, value, context = nil
     @constants.add name, value, context unless @options[:disable_constant_tracking]
   end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.3.5"
+  Version = "3.4.0"
 end

data/lib/brakeman/warning.rb

@@ -134,6 +134,16 @@ class Brakeman::Warning
     format_ruby self.user_input, strip
   end
 
+  def format_with_user_input strip = true, &block
+    if self.user_input
+      formatted = Brakeman::OutputProcessor.new.format(code, self.user_input, &block)
+      formatted.gsub!(/(\t|\r|\n)+/, " ") if strip
+      formatted
+    else
+      format_code
+    end
+  end
+
   #Return formatted warning message
   def format_message
     return @format_message if @format_message

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-lib
 version: !ruby/object:Gem::Version
-  version: 3.3.5
+  version: 3.4.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-08-12 00:00:00.000000000 Z
+date: 2016-09-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -309,6 +309,7 @@ files:
 - lib/brakeman/report/report_markdown.rb
 - lib/brakeman/report/report_table.rb
 - lib/brakeman/report/report_tabs.rb
+- lib/brakeman/report/report_text.rb
 - lib/brakeman/report/templates/controller_overview.html.erb
 - lib/brakeman/report/templates/controller_warnings.html.erb
 - lib/brakeman/report/templates/error_overview.html.erb