brakeman-min 4.9.0 → 5.0.0

data/lib/brakeman/report/report_junit.rb

@@ -47,7 +47,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
       warning.add_attribute 'brakeman:file', warning_file(w)
       warning.add_attribute 'brakeman:line', w.line
       warning.add_attribute 'brakeman:fingerprint', w.fingerprint
-      warning.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[w.confidence]
+      warning.add_attribute 'brakeman:confidence', w.confidence_name 
       warning.add_attribute 'brakeman:code', w.format_code
       warning.add_text w.to_s
     }
@@ -88,7 +88,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
           failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
           failure.add_attribute 'brakeman:file', warning_file(warning)
           failure.add_attribute 'brakeman:line', warning.line
-          failure.add_attribute 'brakeman:confidence', TEXT_CONFIDENCE[warning.confidence]
+          failure.add_attribute 'brakeman:confidence', warning.confidence_name 
           failure.add_attribute 'brakeman:code', warning.format_code
           failure.add_text warning.to_s
         }

data/lib/brakeman/report/report_sarif.rb

@@ -0,0 +1,114 @@
+class Brakeman::Report::SARIF < Brakeman::Report::Base
+  def generate_report
+    sarif_log = {
+      :version => '2.1.0',
+      :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
+      :runs => runs,
+    }
+    JSON.pretty_generate sarif_log
+  end
+
+  def runs
+    [
+      {
+        :tool => {
+          :driver => {
+            :name => 'Brakeman',
+            :informationUri => 'https://brakemanscanner.org',
+            :semanticVersion => Brakeman::Version,
+            :rules => rules,
+          },
+        },
+        :results => results,
+      },
+    ]
+  end
+
+  def rules
+    @rules ||= unique_warnings_by_warning_code.map do |warning|
+      rule_id = render_id warning
+      check_name = warning.check_name
+      check_description = render_message check_descriptions[check_name]
+      {
+        :id => rule_id,
+        :name => "#{check_name}/#{warning.warning_type}",
+        :fullDescription => {
+          :text => check_description,
+        },
+        :helpUri => warning.link,
+        :help => {
+          :text => "More info: #{warning.link}.",
+          :markdown => "[More info](#{warning.link}).",
+        },
+        :properties => {
+          :tags => [check_name],
+        },
+      }
+    end
+  end
+
+  def results
+    @results ||= all_warnings.map do |warning|
+      rule_id = render_id warning
+      result_level = infer_level warning
+      message_text = render_message warning.message.to_s
+      result = {
+        :ruleId => rule_id,
+        :ruleIndex => rules.index { |r| r[:id] == rule_id },
+        :level => result_level,
+        :message => {
+          :text => message_text,
+        },
+        :locations => [
+          :physicalLocation => {
+            :artifactLocation => {
+              :uri => warning.file.relative,
+              :uriBaseId => '%SRCROOT%',
+            },
+            :region => {
+              :startLine => warning.line.is_a?(Integer) ? warning.line : 1,
+            },
+          },
+        ],
+      }
+
+      result
+    end
+  end
+
+  # Returns a hash of all check descriptions, keyed by check namne
+  def check_descriptions
+    @check_descriptions ||= Brakeman::Checks.checks.map do |check|
+      [check.name.gsub(/^Check/, ''), check.description]
+    end.to_h
+  end
+
+  # Returns a de-duplicated set of warnings, used to generate rules
+  def unique_warnings_by_warning_code
+    @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
+  end
+
+  def render_id warning
+    # Include alpha prefix to provide 'compiler error' appearance
+    "BRAKE#{'%04d' % warning.warning_code}" # 46 becomes BRAKE0046, for example
+  end
+
+  def render_message message
+    # Ensure message ends with a period
+    if message.end_with? "."
+      message
+    else
+      "#{message}."
+    end
+  end
+
+  def infer_level warning
+    # Infer result level from warning confidence
+    @@levels_from_confidence ||= Hash.new('warning').update({
+      0 => 'error',    # 0 represents 'high confidence', which we infer as 'error'
+      1 => 'warning',  # 1 represents 'medium confidence' which we infer as 'warning'
+      2 => 'note',     # 2 represents 'weak, or low, confidence', which we infer as 'note'
+    })
+    @@levels_from_confidence[warning.confidence]
+  end
+end

data/lib/brakeman/report/report_sonar.rb

@@ -0,0 +1,38 @@
+class Brakeman::Report::Sonar < Brakeman::Report::Base
+  def generate_report
+    report_object = {
+      issues: all_warnings.map { |warning| issue_json(warning) }
+    }
+    return JSON.pretty_generate report_object
+  end
+  
+  private
+  
+  def issue_json(warning)
+    {
+      engineId: "Brakeman",
+      ruleId: warning.warning_code,
+      type: "VULNERABILITY",
+      severity: severity_level_for(warning.confidence),
+      primaryLocation: {
+        message: warning.message,
+        filePath: warning.file.relative,
+        textRange: {
+          "startLine": warning.line || 1,
+          "endLine": warning.line || 1,
+        }
+      },
+      effortMinutes: (4 - warning.confidence) * 15
+    }
+  end
+
+  def severity_level_for(confidence)
+    if confidence == 0
+      "CRITICAL"
+    elsif confidence == 1
+      "MAJOR"
+    else
+      "MINOR"
+    end
+  end
+end

data/lib/brakeman/report/report_tabs.rb

@@ -10,7 +10,7 @@ class Brakeman::Report::Tabs < Brakeman::Report::Table
       self.send(meth).map do |w|
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
-        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"
+        "#{(w.file.absolute)}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{w.confidence_name}"
       end.join "\n"
 
     end.join "\n"

data/lib/brakeman/report/report_text.rb

@@ -160,7 +160,7 @@ class Brakeman::Report::Text < Brakeman::Report::Base
     when :category
       label('Category', w.warning_type.to_s)
     when :check
-      label('Check', w.check.gsub(/^Brakeman::Check/, ''))
+      label('Check', w.check_name)
     when :message
       label('Message', w.message)
     when :code

data/lib/brakeman/rescanner.rb

@@ -132,10 +132,11 @@ class Brakeman::Rescanner < Brakeman::Scanner
     template_name = template_path_to_name(path)
 
     tracker.reset_template template_name
-    fp = Brakeman::FileParser.new(tracker)
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
     template_parser.parse_template path, path.read
-    process_template fp.file_list[:templates].first
+    tracker.add_errors(fp.errors)
+    process_template fp.file_list.first
 
     @processor.process_template_alias tracker.templates[template_name]
 
@@ -390,9 +391,10 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
   def parse_ruby_files list
     paths = list.select(&:exists?)
-    file_parser = Brakeman::FileParser.new(tracker)
-    file_parser.parse_files paths, :rescan
-    file_parser.file_list[:rescan]
+    file_parser = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
+    file_parser.parse_files paths
+    tracker.add_errors(file_parser.errors)
+    file_parser.file_list
   end
 end
 

data/lib/brakeman/scanner.rb

@@ -7,6 +7,7 @@ begin
   require 'brakeman/app_tree'
   require 'brakeman/file_parser'
   require 'brakeman/parsers/template_parser'
+  require 'brakeman/processors/lib/file_type_detector'
 rescue LoadError => e
   $stderr.puts e.message
   $stderr.puts "Please install the appropriate dependency."
@@ -23,7 +24,10 @@ class Brakeman::Scanner
     @app_tree = Brakeman::AppTree.from_options(options)
 
     if (!@app_tree.root || !@app_tree.exists?("app")) && !options[:force_scan]
-      raise Brakeman::NoApplication, "Please supply the path to a Rails application (looking in #{@app_tree.root})."
+      message = "Please supply the path to a Rails application (looking in #{@app_tree.root}).\n" <<
+                "  Use `--force` to run a scan anyway."
+
+      raise Brakeman::NoApplication, message
     end
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
@@ -43,6 +47,8 @@ class Brakeman::Scanner
     process_config
     Brakeman.notify "Parsing files..."
     parse_files
+    Brakeman.notify "Detecting file types..."
+    detect_file_types
     Brakeman.notify "Processing initializers..."
     process_initializers
     Brakeman.notify "Processing libs..."
@@ -65,29 +71,47 @@ class Brakeman::Scanner
   end
 
   def parse_files
-    fp = Brakeman::FileParser.new tracker
-
-    files = {
-      :initializers => @app_tree.initializer_paths,
-      :controllers => @app_tree.controller_paths,
-      :models => @app_tree.model_paths
-    }
-
-    unless options[:skip_libs]
-      files[:libs] = @app_tree.lib_paths
-    end
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
 
-    files.each do |name, paths|
-      fp.parse_files paths, name
-    end
+    fp.parse_files tracker.app_tree.ruby_file_paths
 
     template_parser = Brakeman::TemplateParser.new(tracker, fp)
 
-    fp.read_files(@app_tree.template_paths, :templates) do |path, contents|
+    fp.read_files(@app_tree.template_paths) do |path, contents|
       template_parser.parse_template path, contents
     end
 
-    @file_list = fp.file_list
+    # Collect errors raised during parsing
+    tracker.add_errors(fp.errors)
+
+    @parsed_files = fp.file_list
+  end
+
+  def detect_file_types
+    @file_list = {
+      controllers: [],
+      initializers: [],
+      libs: [],
+      models: [],
+      templates: [],
+    }
+
+    detector = Brakeman::FileTypeDetector.new
+
+    @parsed_files.each do |file|
+      if file.is_a? Brakeman::TemplateParser::TemplateFile
+        @file_list[:templates] << file
+      else
+        type = detector.detect_type(file)
+        unless type == :skip
+          if @file_list[type].nil?
+            raise type.to_s
+          else
+            @file_list[type] << file
+          end
+        end
+      end
+    end
   end
 
   #Process config/environment.rb and config/gems.rb
@@ -115,6 +139,8 @@ class Brakeman::Scanner
     if @app_tree.exists? ".ruby-version"
       tracker.config.set_ruby_version @app_tree.file_path(".ruby-version").read
     end
+
+    tracker.config.load_rails_defaults
   end
 
   def process_config_file file
@@ -325,7 +351,7 @@ class Brakeman::Scanner
   end
 
   def parse_ruby_file file
-    fp = Brakeman::FileParser.new(self.tracker)
+    fp = Brakeman::FileParser.new(tracker.app_tree, tracker.options[:parser_timeout])
     fp.parse_ruby(file.read, file)
   end
 end

data/lib/brakeman/tracker.rb

@@ -68,6 +68,12 @@ class Brakeman::Tracker
     }
   end
 
+  def add_errors exceptions
+    exceptions.each do |e|
+      error(e)
+    end
+  end
+
   #Run a set of checks on the current information. Results will be stored
   #in Tracker#checks.
   def run_checks

data/lib/brakeman/tracker/config.rb

@@ -79,7 +79,9 @@ module Brakeman
                   # Only used by Rails2ConfigProcessor right now
                   extract_version(version)
                 else
-                  gem_version(:rails) || gem_version(:railties)
+                  gem_version(:rails) ||
+                    gem_version(:railties) ||
+                    gem_version(:activerecord)
                 end
 
       if version
@@ -147,5 +149,78 @@ module Brakeman
     def session_settings
       @rails.dig(:action_controller, :session)
     end
+
+
+    # Set Rails config option value
+    # where path is an array of attributes, e.g.
+    #
+    #   :action_controller, :perform_caching
+    #
+    # then this will set
+    #
+    #   rails[:action_controller][:perform_caching] = value
+    def set_rails_config value, *path
+      config = self.rails
+
+      path[0..-2].each do |o|
+        config[o] ||= {}
+
+        option = config[o]
+
+        if not option.is_a? Hash
+          Brakeman.debug "[Notice] Skipping config setting: #{path.map(&:to_s).join(".")}"
+          return
+        end
+
+        config = option
+      end
+
+      config[path.last] = value
+    end
+
+    # Load defaults based on config.load_defaults value
+    # as documented here: https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults
+    def load_rails_defaults
+      return unless number? tracker.config.rails[:load_defaults]
+
+      version = tracker.config.rails[:load_defaults].value
+      true_value = Sexp.new(:true)
+      false_value = Sexp.new(:false)
+
+      if version >= 5.0
+        set_rails_config(true_value, :action_controller, :per_form_csrf_tokens)
+        set_rails_config(true_value, :action_controller, :forgery_protection_origin_check)
+        set_rails_config(true_value, :active_record, :belongs_to_required_by_default)
+        # Note: this may need to be changed, because ssl_options is a Hash
+        set_rails_config(true_value, :ssl_options, :hsts, :subdomains)
+      end
+
+      if version >= 5.1
+        set_rails_config(false_value, :assets, :unknown_asset_fallback)
+        set_rails_config(true_value, :action_view, :form_with_generates_remote_forms)
+      end
+
+      if version >= 5.2
+        set_rails_config(true_value, :active_record, :cache_versioning)
+        set_rails_config(true_value, :action_dispatch, :use_authenticated_cookie_encryption)
+        set_rails_config(true_value, :active_support, :use_authenticated_message_encryption)
+        set_rails_config(true_value, :active_support, :use_sha1_digests)
+        set_rails_config(true_value, :action_controller, :default_protect_from_forgery)
+        set_rails_config(true_value, :action_view, :form_with_generates_ids)
+      end
+
+      if version >= 6.0
+        set_rails_config(Sexp.new(:lit, :zeitwerk), :autoloader)
+        set_rails_config(false_value, :action_view, :default_enforce_utf8)
+        set_rails_config(true_value, :action_dispatch, :use_cookies_with_metadata)
+        set_rails_config(false_value, :action_dispatch, :return_only_media_type_on_content_type)
+        set_rails_config(Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), :action_mailer, :delivery_job)
+        set_rails_config(true_value, :active_job, :return_false_on_aborted_enqueue)
+        set_rails_config(Sexp.new(:lit, :active_storage_analysis), :active_storage, :queues, :analysis)
+        set_rails_config(Sexp.new(:lit, :active_storage_purge), :active_storage, :queues, :purge)
+        set_rails_config(true_value, :active_storage, :replace_on_assign_to_many)
+        set_rails_config(true_value, :active_record, :collection_cache_versioning)
+      end
+    end
   end
 end

data/lib/brakeman/tracker/controller.rb

@@ -125,7 +125,7 @@ module Brakeman
         value = args[-1][2]
         case value.node_type
         when :array
-          filter[option] = value[1..-1].map {|v| v[1] }
+          filter[option] = value.sexp_body.map {|v| v[1] }
         when :lit, :str
           filter[option] = value[1]
         else

data/lib/brakeman/util.rb

@@ -321,7 +321,7 @@ module Brakeman::Util
       if node_type? current, :class
         return true
       elsif sexp? current
-        todo = current[1..-1].concat todo
+        todo = current.sexp_body.concat todo
       end
     end
 
@@ -334,7 +334,7 @@ module Brakeman::Util
     if args.empty? or args.first.empty?
       #nothing to do
     elsif node_type? args.first, :arglist
-      call.concat args.first[1..-1]
+      call.concat args.first.sexp_body
     elsif args.first.node_type.is_a? Sexp #just a list of args
       call.concat args.first
     else
@@ -368,8 +368,13 @@ module Brakeman::Util
   #
   # views/test/something.html.erb -> test/something
   def template_path_to_name path
-    names = path.relative.split("/")
+    names = path.relative.split('/')
     names.last.gsub!(/(\.(html|js)\..*|\.(rhtml|haml|erb|slim))$/, '')
-    names[(names.index("views") + 1)..-1].join("/").to_sym
+
+    if names.include? 'views'
+      names[(names.index('views') + 1)..-1]
+    else
+      names
+    end.join('/').to_sym
   end
 end