brakeman-lib 4.8.1 → 4.10.1

data/lib/brakeman/commandline.rb

@@ -102,6 +102,13 @@ module Brakeman
           app_path = "."
         end
 
+        if options[:ensure_ignore_notes] and options[:previous_results_json]
+          warn '[Notice] --ensure-ignore-notes may not be used at the same ' \
+               'time as --compare. Deactivating --ensure-ignore-notes. ' \
+               'Please see `brakeman --help` for valid options'
+          options[:ensure_ignore_notes] = false
+        end
+
         return options, app_path
       end
 
@@ -115,7 +122,20 @@ module Brakeman
 
       # Runs a regular report based on the options provided.
       def regular_report options
-        tracker = run_brakeman options 
+        tracker = run_brakeman options
+
+        ensure_ignore_notes_failed = false
+        if tracker.options[:ensure_ignore_notes]
+          fingerprints = Brakeman::ignore_file_entries_with_empty_notes tracker.ignored_filter&.file
+
+          unless fingerprints.empty?
+            ensure_ignore_notes_failed = true
+            warn '[Error] Notes required for all ignored warnings when ' \
+              '--ensure-ignore-notes is set. No notes provided for these ' \
+              'warnings: '
+            fingerprints.each { |f| warn f }
+          end
+        end
 
         if tracker.options[:exit_on_warn] and not tracker.filtered_warnings.empty?
           quit Brakeman::Warnings_Found_Exit_Code
@@ -124,6 +144,10 @@ module Brakeman
         if tracker.options[:exit_on_error] and tracker.errors.any?
           quit Brakeman::Errors_Found_Exit_Code
         end
+
+        if ensure_ignore_notes_failed
+          quit Brakeman::Empty_Ignore_Note_Exit_Code
+        end
       end
 
       # Actually run Brakeman.

data/lib/brakeman/file_parser.rb

@@ -33,7 +33,12 @@ module Brakeman
       end
     end
 
+    # _path_ can be a string or a Brakeman::FilePath
     def parse_ruby input, path
+      if path.is_a? Brakeman::FilePath
+        path = path.relative
+      end
+
       begin
         Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout

data/lib/brakeman/options.rb

@@ -67,6 +67,10 @@ module Brakeman::Options
           options[:ensure_latest] = true
         end
 
+        opts.on "--ensure-ignore-notes", "Fail when an ignored warnings does not include a note" do
+          options[:ensure_ignore_notes] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -225,7 +229,7 @@ module Brakeman::Options
 
         opts.on "-f",
           "--format TYPE",
-          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit],
+          [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif],
           "Specify output formats. Default is text" do |type|
 
           type = "s" if type == :text
@@ -301,6 +305,22 @@ module Brakeman::Options
           options[:github_repo] = repo
         end
 
+        opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
+          valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
+
+          options[:text_fields] = format.map(&:to_sym)
+
+          if options[:text_fields] == [:all]
+            options[:text_fields] = valid_options
+          else
+            invalid_options = (options[:text_fields] - valid_options)
+
+            unless invalid_options.empty?
+              raise OptionParser::ParseError, "\nInvalid format options: #{invalid_options.inspect}"
+            end
+          end
+        end
+
         opts.on "-w",
           "--confidence-level LEVEL",
           ["1", "2", "3"],

data/lib/brakeman/processors/alias_processor.rb

@@ -82,7 +82,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def replace exp, int = 0
     return exp if int > 3
 
-
     if replacement = env[exp] and not duplicate? replacement
       replace(replacement.deep_clone(exp.line), int + 1)
     elsif tracker and replacement = tracker.constant_lookup(exp) and not duplicate? replacement
@@ -237,7 +236,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         env[target_var] = target
         return target
       elsif string? target and string_interp? first_arg
-        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg[2..-1])
+        exp = Sexp.new(:dstr, target.value + first_arg[1]).concat(first_arg.sexp_body(2))
         env[target_var] = exp
       elsif string? first_arg and string_interp? target
         if string? target.last
@@ -731,14 +730,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
     exp.first_arg.nil? and
-    all_literals? exp.target
+    (all_literals? exp.target or dir_glob? exp.target)
   end
 
   #Sets @inside_if = true
@@ -942,7 +941,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     args = exp.args
     exp.pop # remove last arg
     if args.length > 1
-      exp.arglist = args[1..-1]
+      exp.arglist = args.sexp_body
     end
   end
 

data/lib/brakeman/processors/controller_processor.rb

@@ -202,7 +202,7 @@ class Brakeman::ControllerProcessor < Brakeman::BaseProcessor
     end
 
     if node_type? exp.block, :block
-      block_inner = exp.block[1..-1]
+      block_inner = exp.block.sexp_body
     else
       block_inner = [exp.block]
     end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -76,6 +76,13 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
+  ESCAPE_METHODS = [
+    :html_escape,
+    :html_escape_without_haml_xss,
+    :escape_once,
+    :escape_once_without_haml_xss
+  ]
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -105,7 +112,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and exp.method == :html_escape
+      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -10,7 +10,7 @@ module Brakeman
     def join_arrays lhs, rhs, original_exp = nil
       if array? lhs and array? rhs
         result = Sexp.new(:array)
-        result.line(lhs.line || rhs.line)
+        result.line(lhs.line || rhs.line || 1)
         result.concat lhs[1..-1]
         result.concat rhs[1..-1]
         result

data/lib/brakeman/processors/lib/find_all_calls.rb

@@ -20,6 +20,7 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
     @current_template = opts[:template]
     @current_file = opts[:file]
     @current_call = nil
+    @full_call = nil
     process exp
   end
 
@@ -137,7 +138,8 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
                 :call => exp,
                 :nested => false,
                 :location => make_location,
-                :parent => @current_call }.freeze
+                :parent => @current_call,
+                :full_call => @full_call }.freeze
   end
 
   #Gets the target of a call as a Symbol
@@ -214,34 +216,47 @@ class Brakeman::FindAllCalls < Brakeman::BasicProcessor
   #Return info hash for a call Sexp
   def create_call_hash exp
     target = get_target exp.target
-
-    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
-      already_in_target = @in_target
-      @in_target = true
-      process target
-      @in_target = already_in_target
-
-      target = get_target(target, :include_calls)
-    end
+    target_symbol = get_target(target, :include_calls)
 
     method = exp.method
 
     call_hash = {
-      :target => target,
+      :target => target_symbol,
       :method => method,
       :call => exp,
       :nested => @in_target,
       :chain => get_chain(exp),
       :location => make_location,
-      :parent => @current_call
+      :parent => @current_call,
+      :full_call => @full_call
     }
 
+    unless @in_target
+      @full_call = call_hash
+    end
+
+    # Process up the call chain
+    if call? target or node_type? target, :dxstr # need to index `` even if target of a call
+      already_in_target = @in_target
+      @in_target = true
+      process target
+      @in_target = already_in_target
+    end
+
+    # Process call arguments
+    # but add the current call as the 'parent'
+    # to any calls in the arguments
     old_parent = @current_call
     @current_call = call_hash
 
+    # Do not set @full_call when processing arguments
+    old_full_call = @full_call
+    @full_call = nil
+
     process_call_args exp
 
     @current_call = old_parent
+    @full_call = old_full_call
 
     call_hash
   end

data/lib/brakeman/processors/output_processor.rb

@@ -88,7 +88,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
 
   def process_iter exp
     call = process exp[1]
-    block = process_rlist exp[3..-1]
+    block = process_rlist exp.sexp_body(3)
     out = "#{call} do\n #{block}\n end"
 
     out

data/lib/brakeman/processors/template_alias_processor.rb

@@ -20,6 +20,11 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
 
   #Process template
   def process_template name, args, _, line = nil
+    # Strip forward slash from beginning of template path.
+    # This also happens in RenderHelper#process_template but
+    # we need it here too to accurately avoid circular renders below.
+    name = name.to_s.gsub(/^\//, "")
+
     if @called_from
       if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template.name} to #{name}"

data/lib/brakeman/report.rb

@@ -43,6 +43,8 @@ class Brakeman::Report
     when :to_junit
       require_report 'junit'
       Brakeman::Report::JUnit
+    when :to_sarif
+      return self.to_sarif
     else
       raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
     end
@@ -85,6 +87,11 @@ class Brakeman::Report
   alias to_plain to_text
   alias to_s to_text
 
+  def to_sarif
+    require_report 'sarif'
+    generate Brakeman::Report::SARIF
+  end
+
   def generate reporter
     reporter.new(@tracker).generate_report
   end

data/lib/brakeman/report/ignore/config.rb

@@ -94,6 +94,10 @@ module Brakeman
       end
     end
 
+    def already_ignored_entries_with_empty_notes
+      @already_ignored.select { |i| i if i[:note].strip.empty? }
+    end
+
     # Read configuration to file
     def read_from_file file = @file
       if File.exist? file

data/lib/brakeman/report/report_sarif.rb

@@ -0,0 +1,114 @@
+class Brakeman::Report::SARIF < Brakeman::Report::Base
+  def generate_report
+    sarif_log = {
+      :version => '2.1.0',
+      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
+      :runs => runs,
+    }
+    JSON.pretty_generate sarif_log
+  end
+
+  def runs
+    [
+      {
+        :tool => {
+          :driver => {
+            :name => 'Brakeman',
+            :informationUri => 'https://brakemanscanner.org',
+            :semanticVersion => Brakeman::Version,
+            :rules => rules,
+          },
+        },
+        :results => results,
+      },
+    ]
+  end
+
+  def rules
+    @rules ||= unique_warnings_by_warning_code.map do |warning|
+      rule_id = render_id warning
+      check_name = warning.check.gsub(/^Brakeman::Check/, '')
+      check_description = render_message check_descriptions[check_name]
+      {
+        :id => rule_id,
+        :name => "#{check_name}/#{warning.warning_type}",
+        :fullDescription => {
+          :text => check_description,
+        },
+        :helpUri => warning.link,
+        :help => {
+          :text => "More info: #{warning.link}.",
+          :markdown => "[More info](#{warning.link}).",
+        },
+        :properties => {
+          :tags => [check_name],
+        },
+      }
+    end
+  end
+
+  def results
+    @results ||= all_warnings.map do |warning|
+      rule_id = render_id warning
+      result_level = infer_level warning
+      message_text = render_message warning.message.to_s
+      result = {
+        :ruleId => rule_id,
+        :ruleIndex => rules.index { |r| r[:id] == rule_id },
+        :level => result_level,
+        :message => {
+          :text => message_text,
+        },
+        :locations => [
+          :physicalLocation => {
+            :artifactLocation => {
+              :uri => warning.file.relative,
+              :uriBaseId => '%SRCROOT%',
+            },
+            :region => {
+              :startLine => warning.line.is_a?(Integer) ? warning.line : 1,
+            },
+          },
+        ],
+      }
+
+      result
+    end
+  end
+
+  # Returns a hash of all check descriptions, keyed by check namne
+  def check_descriptions
+    @check_descriptions ||= Brakeman::Checks.checks.map do |check|
+      [check.name.gsub(/^Check/, ''), check.description]
+    end.to_h
+  end
+
+  # Returns a de-duplicated set of warnings, used to generate rules
+  def unique_warnings_by_warning_code
+    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+  end
+
+  def render_id warning
+    # Include alpha prefix to provide 'compiler error' appearance
+    "BRAKE#{'%04d' % warning.warning_code}" # 46 becomes BRAKE0046, for example
+  end
+
+  def render_message message
+    # Ensure message ends with a period
+    if message.end_with? "."
+      message
+    else
+      "#{message}."
+    end
+  end
+
+  def infer_level warning
+    # Infer result level from warning confidence
+    @@levels_from_confidence ||= Hash.new('warning').update({
+      0 => 'error',    # 0 represents 'high confidence', which we infer as 'error'
+      1 => 'warning',  # 1 represents 'medium confidence' which we infer as 'warning'
+      2 => 'note',     # 2 represents 'weak, or low, confidence', which we infer as 'note'
+    })
+    @@levels_from_confidence[warning.confidence]
+  end
+end

data/lib/brakeman/report/report_text.rb

@@ -145,24 +145,45 @@ class Brakeman::Report::Text < Brakeman::Report::Base
   end
 
   def output_warning w
-    out = [
-      label('Confidence', confidence(w.confidence)),
-      label('Category', w.warning_type.to_s),
-      label('Check', w.check.gsub(/^Brakeman::Check/, '')),
+    text_format = tracker.options[:text_fields] ||
+      [:confidence, :category, :check, :message, :code, :file, :line]
+
+    text_format.map do |option|
+      format_line(w, option)
+    end.compact
+  end
+
+  def format_line w, option
+    case option
+    when :confidence
+      label('Confidence', confidence(w.confidence))
+    when :category
+      label('Category', w.warning_type.to_s)
+    when :check
+      label('Check', w.check.gsub(/^Brakeman::Check/, ''))
+    when :message
       label('Message', w.message)
-    ]
-
-    if w.code
-      out << label('Code', format_code(w))
-    end
-
-    out << label('File', warning_file(w))
-
-    if w.line
-      out << label('Line', w.line)
+    when :code
+      if w.code
+        label('Code', format_code(w))
+      end
+    when :file
+      label('File', warning_file(w))
+    when :line
+      if w.line
+        label('Line', w.line)
+      end
+    when :link
+      label('Link', w.link)
+    when :fingerprint
+      label('Fingerprint', w.fingerprint)
+    when :category_id
+      label('Category ID', w.warning_code)
+    when :render_path
+      if w.called_from
+        label('Render Path', w.called_from.join(" > "))
+      end
     end
-
-    out
   end
 
   def double_space title, values