brakeman 0.9.2 → 1.0.rc1

data/lib/{processors → brakeman/processors}/lib/find_call.rb

@@ -1,4 +1,4 @@
-require 'processors/base_processor'
+require 'brakeman/processors/base_processor'
 
 #Finds method calls matching the given target(s).
 #
@@ -29,10 +29,10 @@ require 'processors/base_processor'
 #
 # #Find all calls to sub, sub!, gsub, or gsub!
 # FindCall.new nil, /^g?sub!?$/
-class FindCall < BaseProcessor
+class Brakeman::FindCall < Brakeman::BaseProcessor
 
-  def initialize targets, methods, in_depth = false
-    super(nil)
+  def initialize targets, methods, tracker, in_depth = false
+    super tracker
     @calls = []
     @find_targets = targets
     @find_methods = methods

data/lib/{processors → brakeman/processors}/lib/processor_helper.rb

@@ -1,5 +1,5 @@
 #Contains a couple shared methods for Processors.
-module ProcessorHelper
+module Brakeman::ProcessorHelper
 
   #Sets the current module.
   def process_module exp

data/lib/{processors → brakeman/processors}/lib/rails2_config_processor.rb

@@ -1,12 +1,9 @@
-require 'processors/base_processor'
-require 'processors/alias_processor'
-  
 #Replace block variable in
 #
 #  Rails::Initializer.run |config|
 #
 #with this value so we can keep track of it.
-RAILS_CONFIG = Sexp.new(:const, :"!BRAKEMAN_RAILS_CONFIG")
+Brakeman::RAILS_CONFIG = Sexp.new(:const, :"!BRAKEMAN_RAILS_CONFIG") unless defined? Brakeman::RAILS_CONFIG
 
 #Processes configuration. Results are put in tracker.config.
 #
@@ -22,7 +19,7 @@ RAILS_CONFIG = Sexp.new(:const, :"!BRAKEMAN_RAILS_CONFIG")
 #  tracker.config[:rails][:action_controller][:session_store]
 #
 #Values for tracker.config[:rails] will still be Sexps.
-class ConfigProcessor < BaseProcessor
+class Brakeman::Rails2ConfigProcessor < Brakeman::BaseProcessor
   def initialize *args
     super
     @tracker.config[:rails] ||= {}
@@ -30,7 +27,7 @@ class ConfigProcessor < BaseProcessor
 
   #Use this method to process configuration file
   def process_config src
-    res = ConfigAliasProcessor.new.process_safely(src)
+    res = Brakeman::ConfigAliasProcessor.new.process_safely(src)
     process res
   end
 
@@ -49,7 +46,7 @@ class ConfigProcessor < BaseProcessor
 
   #Look for configuration settings
   def process_attrasgn exp
-    if exp[1] == RAILS_CONFIG
+    if exp[1] == Brakeman::RAILS_CONFIG
       #Get rid of '=' at end
       attribute = exp[2].to_s[0..-2].to_sym
       if exp[3].length > 2
@@ -86,12 +83,12 @@ class ConfigProcessor < BaseProcessor
   def include_rails_config? exp
     target = exp[1]
     if call? target
-      if target[1] == RAILS_CONFIG
+      if target[1] == Brakeman::RAILS_CONFIG
         true
       else
         include_rails_config? target
       end
-    elsif target == RAILS_CONFIG
+    elsif target == Brakeman::RAILS_CONFIG
       true
     else
       false
@@ -110,7 +107,7 @@ class ConfigProcessor < BaseProcessor
       attribute = exp[2].to_s[0..-2].to_sym
       get_rails_config(exp[1]) << attribute
     elsif call? exp
-      if exp[1] == RAILS_CONFIG
+      if exp[1] == Brakeman::RAILS_CONFIG
         [exp[2]]
       else
         get_rails_config(exp[1]) << exp[2]
@@ -122,7 +119,7 @@ class ConfigProcessor < BaseProcessor
 end
 
 #This is necessary to replace block variable so we can track config settings
-class ConfigAliasProcessor < AliasProcessor
+class Brakeman::ConfigAliasProcessor < Brakeman::AliasProcessor
 
   RAILS_INIT = Sexp.new(:colon2, Sexp.new(:const, :Rails), :Initializer)
 
@@ -132,13 +129,13 @@ class ConfigAliasProcessor < AliasProcessor
   #    ...
   #  end
   #
-  #and replace config with RAILS_CONFIG
+  #and replace config with Brakeman::RAILS_CONFIG
   def process_iter exp
     target = exp[1][1]
     method = exp[1][2]
 
     if sexp? target and target == RAILS_INIT and method == :run
-      exp[2][2] = RAILS_CONFIG
+      exp[2][2] = Brakeman::RAILS_CONFIG
     end
 
     process_default exp

data/lib/{processors → brakeman/processors}/lib/rails2_route_processor.rb

@@ -1,10 +1,11 @@
-require 'processors/base_processor'
+require 'brakeman/processors/base_processor'
+
 #Processes the Sexp from routes.rb. Stores results in tracker.routes.
 #
 #Note that it is only interested in determining what methods on which
 #controllers are used as routes, not the generated URLs for routes.
-class RoutesProcessor < BaseProcessor
-  include RouteHelper
+class Brakeman::Rails2RoutesProcessor < Brakeman::BaseProcessor
+  include Brakeman::RouteHelper
 
   attr_reader :map, :nested, :current_controller
 
@@ -22,7 +23,7 @@ class RoutesProcessor < BaseProcessor
   #This method first calls RouteAliasProcessor#process_safely on the +exp+,
   #so it does not modify the +exp+.
   def process_routes exp
-    process RouteAliasProcessor.new.process_safely(exp)
+    process Brakeman::RouteAliasProcessor.new.process_safely(exp)
   end
 
   #Looking for mapping of routes
@@ -273,7 +274,7 @@ end
 
 #This is for a really specific case where a hash is used as arguments
 #to one of the map methods.
-class RouteAliasProcessor < AliasProcessor
+class Brakeman::RouteAliasProcessor < Brakeman::AliasProcessor
   
   #This replaces
   # { :some => :hash }.keys

data/lib/{processors → brakeman/processors}/lib/rails3_config_processor.rb

@@ -1,7 +1,4 @@
-require 'processors/base_processor'
-require 'processors/alias_processor'
-
-RAILS_CONFIG = Sexp.new(:call, nil, :config, Sexp.new(:arglist))
+Brakeman::RAILS_CONFIG = Sexp.new(:call, nil, :config, Sexp.new(:arglist))
   
 #Processes configuration. Results are put in tracker.config.
 #
@@ -17,7 +14,7 @@ RAILS_CONFIG = Sexp.new(:call, nil, :config, Sexp.new(:arglist))
 #  tracker.config[:rails][:active_record][:whitelist_attributes]
 #
 #Values for tracker.config[:rails] will still be Sexps.
-class ConfigProcessor < BaseProcessor
+class Brakeman::Rails3ConfigProcessor < Brakeman::BaseProcessor
   def initialize *args
     super
     @tracker.config[:rails] ||= {}
@@ -26,7 +23,7 @@ class ConfigProcessor < BaseProcessor
 
   #Use this method to process configuration file
   def process_config src
-    res = AliasProcessor.new.process_safely(src)
+    res = Brakeman::AliasProcessor.new.process_safely(src)
     process res
   end
 
@@ -56,7 +53,7 @@ class ConfigProcessor < BaseProcessor
   def process_attrasgn exp
     return exp unless @inside_config
 
-    if exp[1] == RAILS_CONFIG
+    if exp[1] == Brakeman::RAILS_CONFIG
       #Get rid of '=' at end
       attribute = exp[2].to_s[0..-2].to_sym
       if exp[3].length > 2
@@ -83,12 +80,12 @@ class ConfigProcessor < BaseProcessor
   def include_rails_config? exp
     target = exp[1]
     if call? target
-      if target[1] == RAILS_CONFIG
+      if target[1] == Brakeman::RAILS_CONFIG
         true
       else
         include_rails_config? target
       end
-    elsif target == RAILS_CONFIG
+    elsif target == Brakeman::RAILS_CONFIG
       true
     else
       false
@@ -107,7 +104,7 @@ class ConfigProcessor < BaseProcessor
       attribute = exp[2].to_s[0..-2].to_sym
       get_rails_config(exp[1]) << attribute
     elsif call? exp
-      if exp[1] == RAILS_CONFIG
+      if exp[1] == Brakeman::RAILS_CONFIG
         [exp[2]]
       else
         get_rails_config(exp[1]) << exp[2]

data/lib/{processors → brakeman/processors}/lib/rails3_route_processor.rb

@@ -2,8 +2,8 @@
 #
 #Note that it is only interested in determining what methods on which
 #controllers are used as routes, not the generated URLs for routes.
-class RoutesProcessor < BaseProcessor
-  include RouteHelper
+class Brakeman::Rails3RoutesProcessor < Brakeman::BaseProcessor
+  include Brakeman::RouteHelper
 
   attr_reader :map, :nested, :current_controller
 
@@ -126,7 +126,7 @@ class RoutesProcessor < BaseProcessor
   def process_verb exp
     args = exp[3][1..-1]
 
-    if symbol? args[0]
+    if symbol? args[0] and not hash? args[1]
       @tracker.routes[@current_controller] << args[0][1]
     elsif hash? args[1]
       hash_iterate args[1] do |k, v|
@@ -162,7 +162,9 @@ class RoutesProcessor < BaseProcessor
 
   def process_resources exp
     if exp[3] and exp[3][2] and exp[3][2][0] == :hash
+      self.current_controller = exp[3][1][1]
       #handle hash
+      add_resources_routes
     elsif exp[3][1..-1].all? { |s| symbol? s }
       exp[3][1..-1].each do |s|
         self.current_controller = s[1]
@@ -174,9 +176,15 @@ class RoutesProcessor < BaseProcessor
   end
 
   def process_resource exp
+    #Does resource even take more than one controller name?
     exp[3][1..-1].each do |s|
-      self.current_controller = s[1]
-      add_resource_routes
+      if symbol? s
+        self.current_controller = pluralize(s[1].to_s)
+        add_resource_routes
+      else
+        #handle something else, like options
+        #or something?
+      end
     end
 
     exp

data/lib/{processors → brakeman/processors}/lib/render_helper.rb

@@ -1,7 +1,7 @@
 require 'digest/sha1'
 
 #Processes a call to render() in a controller or template
-module RenderHelper
+module Brakeman::RenderHelper
 
   #Process s(:render, TYPE, OPTIONS)
   def process_render exp
@@ -50,7 +50,7 @@ module RenderHelper
     name = name.to_s.gsub(/^\//, "")
     template = @tracker.templates[name.to_sym]
     unless template
-      warn "[Notice] No such template: #{name}" if OPTIONS[:debug]
+      warn "[Notice] No such template: #{name}" if @tracker.options[:debug]
       return 
     end
 
@@ -99,13 +99,21 @@ module RenderHelper
           end
         end
 
-        template_env[Sexp.new(:call, nil, variable, Sexp.new(:arglist))] = Sexp.new(:call, Sexp.new(:const, Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
+        template_env[Sexp.new(:call, nil, variable, Sexp.new(:arglist))] = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
+      end
+
+      #Set original_line for values so it is clear
+      #that values came from another file
+      template_env.all.each do |var, value|
+        unless value.original_line
+          value.original_line = value.line
+        end
       end
 
       #Run source through AliasProcessor with instance variables from the
       #current environment.
       #TODO: Add in :locals => { ... } to environment
-      src = TemplateAliasProcessor.new(@tracker, template).process_safely(template[:src], template_env)
+      src = Brakeman::TemplateAliasProcessor.new(@tracker, template).process_safely(template[:src], template_env)
 
       #Run alias-processed src through the template processor to pull out
       #information and outputs.

data/lib/{processors → brakeman/processors}/lib/route_helper.rb

@@ -1,4 +1,4 @@
-module RouteHelper
+module Brakeman::RouteHelper
   #Manage Controller prefixes
   #@prefix is an Array, but this method returns a string
   #suitable for prefixing onto a controller name.

data/lib/{processors → brakeman/processors}/library_processor.rb

@@ -1,13 +1,13 @@
-require 'processors/base_processor'
-require 'processors/alias_processor'
+require 'brakeman/processors/base_processor'
+require 'brakeman/processors/alias_processor'
 
 #Process generic library and stores it in Tracker.libs
-class LibraryProcessor < BaseProcessor
+class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
 
   def initialize tracker
     super
     @file_name = nil
-    @alias_processor = AliasProcessor.new
+    @alias_processor = Brakeman::AliasProcessor.new
   end
 
   def process_library src, file_name = nil

data/lib/{processors → brakeman/processors}/model_processor.rb

@@ -1,7 +1,7 @@
-require 'processors/base_processor'
+require 'brakeman/processors/base_processor'
 
 #Processes models. Puts results in tracker.models
-class ModelProcessor < BaseProcessor
+class Brakeman::ModelProcessor < Brakeman::BaseProcessor
   def initialize tracker
     super 
     @model = nil
@@ -19,7 +19,7 @@ class ModelProcessor < BaseProcessor
   #s(:class, NAME, PARENT, s(:scope ...))
   def process_class exp
     if @model
-      warn "[Notice] Skipping inner class: #{class_name exp[1]}" if OPTIONS[:debug]
+      warn "[Notice] Skipping inner class: #{class_name exp[1]}" if @tracker.options[:debug]
       ignore
     else
       @model = { :name => class_name(exp[1]),

data/lib/{processors → brakeman/processors}/output_processor.rb

@@ -1,13 +1,12 @@
-require 'rubygems'
 require 'ruby2ruby'
-require 'util'
+require 'brakeman/util'
 
 #Produces formatted output strings from Sexps.
 #Recommended usage is
 #
 #  OutputProcessor.new.format(Sexp.new(:str, "hello"))
-class OutputProcessor < Ruby2Ruby
-  include Util
+class Brakeman::OutputProcessor < Ruby2Ruby
+  include Brakeman::Util
 
   #Copies +exp+ and then formats it.
   def format exp
@@ -20,7 +19,7 @@ class OutputProcessor < Ruby2Ruby
     begin
       super exp if sexp? exp and not exp.empty?
     rescue Exception => e
-      warn "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}" if OPTIONS[:debug]
+      warn "While formatting #{exp}: #{e}\n#{e.backtrace.join("\n")}" if @tracker.options[:debug]
     end
   end
 
@@ -203,7 +202,7 @@ class OutputProcessor < Ruby2Ruby
   end
 
   def process_const exp
-    if exp[0] == Tracker::UNKNOWN_MODEL
+    if exp[0] == Brakeman::Tracker::UNKNOWN_MODEL
       exp.clear
       "(Unresolved Model)"
     else

data/lib/{processors → brakeman/processors}/params_processor.rb

@@ -1,9 +1,8 @@
-require 'rubygems'
 require 'sexp_processor'
 require 'set'
 
 #Looks for request parameters. Not used currently.
-class ParamsProcessor < SexpProcessor
+class Brakeman::ParamsProcessor < SexpProcessor
   attr_reader :result
 
   def initialize

data/lib/brakeman/processors/route_processor.rb

@@ -0,0 +1,17 @@
+require 'brakeman/processors/base_processor'
+require 'brakeman/processors/alias_processor'
+require 'brakeman/processors/lib/route_helper'
+require 'brakeman/util'
+require 'brakeman/processors/lib/rails3_route_processor.rb'
+require 'brakeman/processors/lib/rails2_route_processor.rb'
+require 'set'
+
+class Brakeman::RoutesProcessor
+  def self.new tracker
+    if tracker.options[:rails3]
+      Brakeman::Rails3RoutesProcessor.new tracker
+    else
+      Brakeman::Rails2RoutesProcessor.new tracker
+    end
+  end
+end

data/lib/{processors → brakeman/processors}/template_alias_processor.rb

@@ -1,11 +1,11 @@
 require 'set'
-require 'processors/alias_processor'
-require 'processors/lib/render_helper'
+require 'brakeman/processors/alias_processor'
+require 'brakeman/processors/lib/render_helper'
 
 #Processes aliasing in templates.
 #Handles calls to +render+.
-class TemplateAliasProcessor < AliasProcessor
-  include RenderHelper
+class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
+  include Brakeman::RenderHelper
 
   FORM_METHODS = Set.new([:form_for, :remote_form_for, :form_remote_for])
 
@@ -44,7 +44,7 @@ class TemplateAliasProcessor < AliasProcessor
         if model == target[1]
           env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, model, :new, Sexp.new(:arglist))
         else
-          env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, Sexp.new(:const, Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
+          env[Sexp.new(:lvar, args[1])] = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
         end
         
         process block if sexp? block

data/lib/{processors → brakeman/processors}/template_processor.rb

@@ -1,7 +1,7 @@
-require 'processors/base_processor'
+require 'brakeman/processors/base_processor'
 
 #Base Processor for templates/views
-class TemplateProcessor < BaseProcessor
+class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
 
   #Initializes template information.
   def initialize tracker, template_name, called_from = nil, file_name = nil

data/lib/{report.rb → brakeman/report.rb}

@@ -1,9 +1,8 @@
-require 'rubygems'
 require 'cgi'
 require 'set'
 require 'ruport'
-require 'processors/output_processor'
-require 'util'
+require 'brakeman/processors/output_processor'
+require 'brakeman/util'
 
 #Fix for Ruport under 1.9
 #as reported here: https://github.com/ruport/ruport/pull/7
@@ -19,8 +18,8 @@ end
 #Generates a report based on the Tracker and the results of
 #Tracker#run_checks. Be sure to +run_checks+ before generating
 #a report.
-class Report
-  include Util
+class Brakeman::Report
+  include Brakeman::Util
 
   attr_reader :tracker, :checks
 
@@ -47,10 +46,10 @@ class Report
     #Add number of high confidence warnings in summary.
     #Skipping for CSV because it makes the cell text instead of
     #a number.
-    unless OPTIONS[:output_format] == :to_csv
+    unless tracker.options[:output_format] == :to_csv
       summary = warnings_summary
 
-      if OPTIONS[:output_format] == :to_html
+      if tracker.options[:output_format] == :to_html
         warnings = "#{warnings} <span class='high-confidence'>(#{summary[:high_confidence]})</span>"
       else
         warnings = "#{warnings} (#{summary[:high_confidence]})"
@@ -84,9 +83,9 @@ class Report
       
      
       tracker.errors.each do |w|
-        p w if OPTIONS[:debug]
+        p w if tracker.options[:debug]
 
-        if OPTIONS[:output_format] == :to_html
+        if tracker.options[:output_format] == :to_html
           w[:error] = CGI.escapeHTML w[:error]
         end
 
@@ -103,10 +102,10 @@ class Report
   def generate_warnings
     table = Ruport::Data::Table(["Confidence", "Class", "Method", "Warning Type", "Message"])
     checks.warnings.each do |warning|
-      next if warning.confidence > OPTIONS[:min_confidence]
+      next if warning.confidence > tracker.options[:min_confidence]
       w = warning.to_row
 
-      if OPTIONS[:output_format] == :to_html
+      if tracker.options[:output_format] == :to_html
         w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
         w["Message"] = with_context warning, w["Message"]
       else
@@ -133,10 +132,10 @@ class Report
     unless checks.template_warnings.empty?
       table = Ruport::Data::Table(["Confidence", "Template", "Warning Type", "Message"])
       checks.template_warnings.each do |warning|
-        next if warning.confidence > OPTIONS[:min_confidence]
+        next if warning.confidence > tracker.options[:min_confidence]
         w = warning.to_row :template
 
-        if OPTIONS[:output_format] == :to_html
+        if tracker.options[:output_format] == :to_html
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
         else
@@ -164,10 +163,10 @@ class Report
     unless checks.model_warnings.empty?
       table = Ruport::Data::Table(["Confidence", "Model", "Warning Type", "Message"])
       checks.model_warnings.each do |warning|
-        next if warning.confidence > OPTIONS[:min_confidence]
+        next if warning.confidence > tracker.options[:min_confidence]
         w = warning.to_row :model
 
-        if OPTIONS[:output_format] == :to_html
+        if tracker.options[:output_format] == :to_html
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
         else
@@ -195,10 +194,10 @@ class Report
     unless checks.controller_warnings.empty?
       table = Ruport::Data::Table(["Confidence", "Controller", "Warning Type", "Message"])
       checks.controller_warnings.each do |warning|
-        next if warning.confidence > OPTIONS[:min_confidence]
+        next if warning.confidence > tracker.options[:min_confidence]
         w = warning.to_row :controller
 
-        if OPTIONS[:output_format] == :to_html
+        if tracker.options[:output_format] == :to_html
           w["Confidence"] = HTML_CONFIDENCE[w["Confidence"]]
           w["Message"] = with_context warning, w["Message"]
         else
@@ -259,13 +258,13 @@ class Report
 
   #Generate listings of templates and their output
   def generate_templates
-    out_processor = OutputProcessor.new
+    out_processor = Brakeman::OutputProcessor.new
     table = Ruport::Data::Table(["Name", "Output"])
     tracker.templates.each do |name, template|
       unless template[:outputs].empty?
         template[:outputs].each do |out|
           out = out_processor.format out
-          out = CGI.escapeHTML(out) if OPTIONS[:output_format] == :to_html
+          out = CGI.escapeHTML(out) if tracker.options[:output_format] == :to_html
           table << { "Name" => name,
             "Output" => out.gsub("\n", ";").gsub(/\s+/, " ") }
         end
@@ -281,12 +280,12 @@ class Report
     generate_overview.to_html << "<br/>" <<
     generate_warning_overview.to_html
 
-    if OPTIONS[:report_routes] or OPTIONS[:debug]
+    if tracker.options[:report_routes] or tracker.options[:debug]
       out << "<h2>Controllers</h2>" <<
       generate_controllers.to_html
     end
 
-    if OPTIONS[:debug]
+    if tracker.options[:debug]
       out << "<h2>Templates</h2>" <<
       generate_templates.to_html
     end
@@ -318,12 +317,12 @@ class Report
     generate_overview.to_s << "\n" <<
     generate_warning_overview.to_s << "\n"
 
-    if OPTIONS[:report_routes] or OPTIONS[:debug]
+    if tracker.options[:report_routes] or tracker.options[:debug]
       out << "+CONTROLLERS+\n" <<
       generate_controllers.to_s << "\n"
     end
 
-    if OPTIONS[:debug]
+    if tracker.options[:debug]
       out << "+TEMPLATES+\n\n" <<
       generate_templates.to_s << "\n"
     end
@@ -353,12 +352,12 @@ class Report
     generate_overview.to_csv << "\n" <<
     generate_warning_overview.to_csv << "\n"
 
-    if OPTIONS[:report_routes] or OPTIONS[:debug]
+    if tracker.options[:report_routes] or tracker.options[:debug]
       out << "CONTROLLERS\n" <<
       generate_controllers.to_csv << "\n"
     end
 
-    if OPTIONS[:debug]
+    if tracker.options[:debug]
       out << "TEMPLATES\n\n" <<
       generate_templates.to_csv << "\n"
     end
@@ -389,19 +388,19 @@ class Report
   def rails_version
     if version = tracker.config[:rails_version]
       return version
-    elsif OPTIONS[:rails3]
+    elsif tracker.options[:rails3]
       return "3.x"
     else
       return "Unknown"
     end
   end
 
-  #Return header for HTML output. Uses CSS from OPTIONS[:html_style]
+  #Return header for HTML output. Uses CSS from tracker.options[:html_style]
   def html_header
-    if File.exist? OPTIONS[:html_style]
-      css = File.read OPTIONS[:html_style]
+    if File.exist? tracker.options[:html_style]
+      css = File.read tracker.options[:html_style]
     else
-      raise "Cannot find CSS stylesheet for HTML: #{OPTIONS[:html_style]}"
+      raise "Cannot find CSS stylesheet for HTML: #{tracker.options[:html_style]}"
     end
 
     <<-HTML
@@ -410,11 +409,15 @@ class Report
     <head>
     <title>Brakeman Report</title>
     <script type="text/javascript">
-      function toggle(context){
-        if (document.getElementById(context).style.display != "block")
-          document.getElementById(context).style.display = "block";
+      function toggle(context) {
+        var elem = document.getElementById(context);
+
+        if (elem.style.display != "block")
+          elem.style.display = "block";
         else
-          document.getElementById(context).style.display = "none";
+          elem.style.display = "none";
+          
+        elem.parentNode.scrollIntoView();
       }
     </script>
     <style type="text/css"> 
@@ -431,7 +434,7 @@ class Report
         <th>Checks Performed</th>
       </tr>
       <tr>
-        <td>#{File.expand_path OPTIONS[:app_path]}</td>
+        <td>#{File.expand_path tracker.options[:app_path]}</td>
         <td>#{rails_version}</td>
         <td>#{Time.now}</td>
         <td>#{checks.checks_run.sort.join(", ")}</td>
@@ -442,13 +445,13 @@ class Report
 
   #Generate header for text output
   def text_header
-    "\n+BRAKEMAN REPORT+\n\nApplication path: #{File.expand_path OPTIONS[:app_path]}\nRails version: #{rails_version}\nGenerated at #{Time.now}\nChecks run: #{checks.checks_run.sort.join(", ")}\n"
+    "\n+BRAKEMAN REPORT+\n\nApplication path: #{File.expand_path tracker.options[:app_path]}\nRails version: #{rails_version}\nGenerated at #{Time.now}\nChecks run: #{checks.checks_run.sort.join(", ")}\n"
   end
 
   #Generate header for CSV output
   def csv_header
     header = Ruport::Data::Table(["Application Path", "Report Generation Time", "Checks Performed", "Rails Version"])
-    header << [File.expand_path(OPTIONS[:app_path]), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version]
+    header << [File.expand_path(tracker.options[:app_path]), Time.now.to_s, checks.checks_run.sort.join(", "), rails_version]
     "BRAKEMAN REPORT\n\n" << header.to_csv
   end
 
@@ -465,10 +468,13 @@ class Report
         checks.template_warnings].each do |warnings|
 
       warnings.each do |warning|
-        summary[warning.warning_type.to_s] += 1
+        unless warning.confidence > tracker.options[:min_confidence]
+
+          summary[warning.warning_type.to_s] += 1
 
-        if warning.confidence == 0
-          high_confidence_warnings += 1
+          if warning.confidence == 0
+            high_confidence_warnings += 1
+          end
         end
       end
     end
@@ -480,7 +486,7 @@ class Report
   #Return file name related to given warning. Uses +warning.file+ if it exists
   def file_for warning
     if warning.file
-      File.expand_path warning.file, OPTIONS[:app_path]
+      File.expand_path warning.file, tracker.options[:app_path]
     else
       case warning.warning_set
       when :controller
@@ -518,7 +524,7 @@ class Report
       end
     end
 
-    path = OPTIONS[:app_path]
+    path = tracker.options[:app_path]
 
     case type
     when :controller
@@ -584,15 +590,15 @@ class Report
     context = context_for warning
     full_message = nil
 
-    if OPTIONS[:message_limit] and
-      OPTIONS[:message_limit] > 0 and 
-      message.length > OPTIONS[:message_limit]
+    if tracker.options[:message_limit] and
+      tracker.options[:message_limit] > 0 and 
+      message.length > tracker.options[:message_limit]
 
       full_message = message
-      message = message[0..OPTIONS[:message_limit]] << "..."
+      message = message[0..tracker.options[:message_limit]] << "..."
     end
 
-    if context.empty?
+    if context.empty? and not full_message
       return CGI.escapeHTML(message)
     end
 
@@ -665,7 +671,7 @@ class Report
       [:model_warnings, "Model"], [:template_warnings, "Template"]].map do |meth, category|
 
       checks.send(meth).map do |w|
-        next if w.confidence > OPTIONS[:min_confidence]
+        next if w.confidence > tracker.options[:min_confidence]
         line = w.line || 0
         w.warning_type.gsub!(/[^\w\s]/, ' ')
         "#{file_for w}\t#{line}\t#{w.warning_type}\t#{category}\t#{w.format_message}\t#{TEXT_CONFIDENCE[w.confidence]}"