brakeman 5.2.1 → 6.1.2

data/lib/brakeman/report/templates/controller_warnings.html.erb

@@ -5,6 +5,7 @@
       <th>Confidence</th>
       <th>Controller</th>
       <th>Warning Type</th>
+      <th>CWE ID</th>
       <th>Message</th>
     </tr>
   </thead>
@@ -14,6 +15,7 @@
       <td><%= warning['Confidence']%></td>
       <td><%= warning['Controller']%></td>
       <td><%= warning['Warning Type']%></td>
+      <td><%= warning['CWE ID']%></td>
       <td><%= warning['Message']%></td>
     </tr>
   <% end %>

data/lib/brakeman/report/templates/ignored_warnings.html.erb

@@ -6,6 +6,7 @@
         <th>Confidence</th>
         <th>File</th>
         <th>Warning Type</th>
+        <th>CWE ID</th>
         <th>Message</th>
         <th>Note</th>
       </tr>
@@ -16,6 +17,7 @@
         <td><%= warning['Confidence']%></td>
         <td><%= warning['File']%></td>
         <td><%= warning['Warning Type']%></td>
+        <td><%= warning['CWE ID']%></td>
         <td><%= warning['Message']%></td>
         <td><%= warning['Note']%></td>
       </tr>

data/lib/brakeman/report/templates/model_warnings.html.erb

@@ -5,6 +5,7 @@
       <th>Confidence</th>
       <th>Model</th>
       <th>Warning Type</th>
+      <th>CWE ID</th>
       <th>Message</th>
     </tr>
   </thead>
@@ -14,6 +15,7 @@
       <td><%= warning['Confidence']%></td>
       <td><%= warning['Model']%></td>
       <td><%= warning['Warning Type']%></td>
+      <td><%= warning['CWE ID']%></td>
       <td><%= warning['Message']%></td>
     </tr>
   <% end %>

data/lib/brakeman/report/templates/security_warnings.html.erb

@@ -6,6 +6,7 @@
       <th>Class</th>
       <th>Method</th>
       <th>Warning Type</th>
+      <th>CWE ID</th>
       <th>Message</th>
     </tr>
   </thead>
@@ -16,6 +17,7 @@
       <td><%= warning['Class']%></td>
       <td><%= warning['Method']%></td>
       <td><%= warning['Warning Type']%></td>
+      <td><%= warning['CWE ID']%></td>
       <td><%= warning['Message']%></td>
     </tr>
   <% end %>

data/lib/brakeman/report/templates/view_warnings.html.erb

@@ -5,6 +5,7 @@
       <th>Confidence</th>
       <th>Template</th>
       <th>Warning Type</th>
+      <th>CWE ID</th>
       <th>Message</th>
     </tr>
   </thead>
@@ -27,6 +28,7 @@
         <% end %>
       </td>
       <td><%= warning['Warning Type']%></td>
+      <td><%= warning['CWE ID']%></td>
       <td><%= warning['Message']%></td>
     </tr>
   <% end %>

data/lib/brakeman/rescanner.rb

@@ -6,7 +6,7 @@ require 'brakeman/differ'
 class Brakeman::Rescanner < Brakeman::Scanner
  include Brakeman::Util
   KNOWN_TEMPLATE_EXTENSIONS = Brakeman::TemplateParser::KNOWN_TEMPLATE_EXTENSIONS
-  SCAN_ORDER = [:config, :gemfile, :initializer, :lib, :routes, :template,
+  SCAN_ORDER = [:gemfile, :config, :initializer, :lib, :routes, :template,
     :model, :controller]
 
   #Create new Rescanner to scan changed files
@@ -332,6 +332,8 @@ class Brakeman::Rescanner < Brakeman::Scanner
       :routes
     when /\/config\/.+\.(rb|yml)/
       :config
+    when /\.ruby-version/
+      :config
     when /Gemfile|gems\./
       :gemfile
     else

data/lib/brakeman/scanner.rb

@@ -1,6 +1,5 @@
 begin
   Brakeman.load_brakeman_dependency 'ruby_parser'
-  Brakeman.load_brakeman_dependency 'ruby_parser/legacy'
   require 'ruby_parser/bm_sexp.rb'
   require 'ruby_parser/bm_sexp_processor.rb'
   require 'brakeman/processor'
@@ -31,6 +30,7 @@ class Brakeman::Scanner
     end
 
     @processor = processor || Brakeman::Processor.new(@app_tree, options)
+    @show_timing = tracker.options[:debug] || tracker.options[:show_timing]
   end
 
   #Returns the Tracker generated from the scan
@@ -38,35 +38,89 @@ class Brakeman::Scanner
     @processor.tracked_events
   end
 
+  def process_step description
+    Brakeman.notify "#{description}...".ljust(40)
+
+    if @show_timing
+      start_t = Time.now
+      yield
+      duration = Time.now - start_t
+
+      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
+    else
+      yield
+    end
+  end
+
+  def process_step_file description
+    if @show_timing
+      Brakeman.notify "Processing #{description}"
+
+      start_t = Time.now
+      yield
+      duration = Time.now - start_t
+
+      Brakeman.notify "(#{description}) Duration: #{duration} seconds"
+    else
+      yield
+    end
+  end
+
   #Process everything in the Rails application
   def process
-    Brakeman.notify "Processing gems...                    "
-    process_gems
-    guess_rails_version
-    Brakeman.notify "Processing configuration...           "
-    process_config
-    Brakeman.notify "Parsing files...                      "
-    parse_files
-    Brakeman.notify "Detecting file types...               "
-    detect_file_types
-    Brakeman.notify "Processing initializers...            "
-    process_initializers
-    Brakeman.notify "Processing libs...                    "
-    process_libs
-    Brakeman.notify "Processing routes...                  "
-    process_routes
-    Brakeman.notify "Processing templates...               "
-    process_templates
-    Brakeman.notify "Processing data flow in templates...  "
-    process_template_data_flows
-    Brakeman.notify "Processing models...                  "
-    process_models
-    Brakeman.notify "Processing controllers...             "
-    process_controllers
-    Brakeman.notify "Processing data flow in controllers..."
-    process_controller_data_flows
-    Brakeman.notify "Indexing call sites...                "
-    index_call_sites
+    process_step 'Processing gems' do
+      process_gems
+    end
+
+    process_step 'Processing configuration' do
+      guess_rails_version
+      process_config
+    end
+
+    process_step 'Parsing files' do
+      parse_files
+    end
+
+    process_step 'Detecting file types' do
+      detect_file_types
+    end
+
+    process_step 'Processing initializers' do
+      process_initializers
+    end
+
+    process_step 'Processing libs' do
+      process_libs
+    end
+
+    process_step 'Processing routes' do
+      process_routes
+    end
+
+    process_step 'Processing templates' do
+      process_templates
+    end
+
+    process_step 'Processing data flow in templates' do
+      process_template_data_flows
+    end
+
+    process_step 'Processing models' do
+      process_models
+    end
+
+    process_step 'Processing controllers' do
+      process_controllers
+    end
+
+    process_step 'Processing data flow in controllers' do
+      process_controller_data_flows
+    end
+
+    process_step 'Indexing call sites' do
+      index_call_sites
+    end
+
     tracker
   end
 
@@ -138,7 +192,7 @@ class Brakeman::Scanner
 
     if @app_tree.exists? ".ruby-version"
       if version = @app_tree.file_path(".ruby-version").read[/(\d\.\d.\d+)/]
-        tracker.config.set_ruby_version version
+        tracker.config.set_ruby_version version, @app_tree.file_path(".ruby-version"), 1
       end
     end
 
@@ -215,8 +269,9 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.initializers
   def process_initializers
     track_progress @file_list[:initializers] do |init|
-      Brakeman.debug "Processing #{init[:path]}"
-      process_initializer init
+      process_step_file init[:path] do
+        process_initializer init
+      end
     end
   end
 
@@ -235,8 +290,9 @@ class Brakeman::Scanner
     end
 
     track_progress @file_list[:libs] do |lib|
-      Brakeman.debug "Processing #{lib.path}"
-      process_lib lib
+      process_step_file lib.path do
+        process_lib lib
+      end
     end
   end
 
@@ -267,8 +323,9 @@ class Brakeman::Scanner
   #Adds processed controllers to tracker.controllers
   def process_controllers
     track_progress @file_list[:controllers] do |controller|
-      Brakeman.debug "Processing #{controller.path}"
-      process_controller controller
+      process_step_file controller.path do
+        process_controller controller
+      end
     end
   end
 
@@ -276,9 +333,10 @@ class Brakeman::Scanner
     controllers = tracker.controllers.sort_by { |name, _| name.to_s }
 
     track_progress controllers, "controllers" do |name, controller|
-      Brakeman.debug "Processing #{name}"
-      controller.src.each do |file, src|
-        @processor.process_controller_alias name, src, nil, file
+      process_step_file name do
+        controller.src.each do |file, src|
+          @processor.process_controller_alias name, src, nil, file
+        end
       end
     end
 
@@ -301,8 +359,9 @@ class Brakeman::Scanner
     templates = @file_list[:templates].sort_by { |t| t[:path] }
 
     track_progress templates, "templates" do |template|
-      Brakeman.debug "Processing #{template[:path]}"
-      process_template template
+      process_step_file template[:path] do
+        process_template template
+      end
     end
   end
 
@@ -314,8 +373,9 @@ class Brakeman::Scanner
     templates = tracker.templates.sort_by { |name, _| name.to_s }
 
     track_progress templates, "templates" do |name, template|
-      Brakeman.debug "Processing #{name}"
-      @processor.process_template_alias template
+      process_step_file name do
+        @processor.process_template_alias template
+      end
     end
   end
 
@@ -324,8 +384,9 @@ class Brakeman::Scanner
   #Adds the processed models to tracker.models
   def process_models
     track_progress @file_list[:models] do |model|
-      Brakeman.debug "Processing #{model[:path]}"
-      process_model model[:path], model[:ast]
+      process_step_file model[:path] do
+        process_model model[:path], model[:ast]
+      end
     end
   end
 

data/lib/brakeman/tracker/config.rb

@@ -20,9 +20,7 @@ module Brakeman
 
     def default_protect_from_forgery?
       if version_between? "5.2.0.beta1", "9.9.9"
-        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
-          return false
-        else
+        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:true)
           return true
         end
       end
@@ -129,8 +127,9 @@ module Brakeman
       @rails_version
     end
 
-    def set_ruby_version version
+    def set_ruby_version version, file, line
       @ruby_version = extract_version(version)
+      add_gem :ruby, @ruby_version, file, line
     end
 
     def extract_version version
@@ -166,7 +165,7 @@ module Brakeman
     # then this will set
     #
     #   rails[:action_controller][:perform_caching] = value
-    def set_rails_config value, *path
+    def set_rails_config value:, path:, overwrite: false
       config = self.rails
 
       path[0..-2].each do |o|
@@ -182,51 +181,99 @@ module Brakeman
         config = option
       end
 
-      config[path.last] = value
+      if overwrite || config[path.last].nil?
+        config[path.last] = value
+      end
     end
 
     # Load defaults based on config.load_defaults value
     # as documented here: https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults
     def load_rails_defaults
-      return unless number? tracker.config.rails[:load_defaults]
+      return unless node_type? tracker.config.rails[:load_defaults], :lit, :str
+
+      version = tracker.config.rails[:load_defaults].value.to_s
+
+      unless version.match? /^\d+\.\d+$/
+        Brakeman.debug "[Notice] Unknown version: #{tracker.config.rails[:load_defaults]}"
+        return
+      end
 
-      version = tracker.config.rails[:load_defaults].value
       true_value = Sexp.new(:true)
       false_value = Sexp.new(:false)
 
-      if version >= 5.0
-        set_rails_config(true_value, :action_controller, :per_form_csrf_tokens)
-        set_rails_config(true_value, :action_controller, :forgery_protection_origin_check)
-        set_rails_config(true_value, :active_record, :belongs_to_required_by_default)
+      if version >= '5.0'
+        set_rails_config(value: true_value, path: [:action_controller, :per_form_csrf_tokens])
+        set_rails_config(value: true_value, path: [:action_controller, :forgery_protection_origin_check])
+        set_rails_config(value: true_value, path: [:active_record, :belongs_to_required_by_default])
         # Note: this may need to be changed, because ssl_options is a Hash
-        set_rails_config(true_value, :ssl_options, :hsts, :subdomains)
+        set_rails_config(value: true_value, path: [:ssl_options, :hsts, :subdomains])
+      end
+
+      if version >= '5.1'
+        set_rails_config(value: false_value, path: [:assets, :unknown_asset_fallback])
+        set_rails_config(value: true_value, path: [:action_view, :form_with_generates_remote_forms])
+      end
+
+      if version >= '5.2'
+        set_rails_config(value: true_value, path: [:active_record, :cache_versioning])
+        set_rails_config(value: true_value, path: [:action_dispatch, :use_authenticated_cookie_encryption])
+        set_rails_config(value: true_value, path: [:active_support, :use_authenticated_message_encryption])
+        set_rails_config(value: true_value, path: [:active_support, :use_sha1_digests])
+        set_rails_config(value: true_value, path: [:action_controller, :default_protect_from_forgery])
+        set_rails_config(value: true_value, path: [:action_view, :form_with_generates_ids])
       end
 
-      if version >= 5.1
-        set_rails_config(false_value, :assets, :unknown_asset_fallback)
-        set_rails_config(true_value, :action_view, :form_with_generates_remote_forms)
+      if version >= '6.0'
+        set_rails_config(value: Sexp.new(:lit, :zeitwerk), path: [:autoloader])
+        set_rails_config(value: false_value, path: [:action_view, :default_enforce_utf8])
+        set_rails_config(value: true_value, path: [:action_dispatch, :use_cookies_with_metadata])
+        set_rails_config(value: false_value, path: [:action_dispatch, :return_only_media_type_on_content_type])
+        set_rails_config(value: Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), path: [:action_mailer, :delivery_job])
+        set_rails_config(value: true_value, path: [:active_job, :return_false_on_aborted_enqueue])
+        set_rails_config(value: Sexp.new(:lit, :active_storage_analysis), path: [:active_storage, :queues, :analysis])
+        set_rails_config(value: Sexp.new(:lit, :active_storage_purge), path: [:active_storage, :queues, :purge])
+        set_rails_config(value: true_value, path: [:active_storage, :replace_on_assign_to_many])
+        set_rails_config(value: true_value, path: [:active_record, :collection_cache_versioning])
       end
 
-      if version >= 5.2
-        set_rails_config(true_value, :active_record, :cache_versioning)
-        set_rails_config(true_value, :action_dispatch, :use_authenticated_cookie_encryption)
-        set_rails_config(true_value, :active_support, :use_authenticated_message_encryption)
-        set_rails_config(true_value, :active_support, :use_sha1_digests)
-        set_rails_config(true_value, :action_controller, :default_protect_from_forgery)
-        set_rails_config(true_value, :action_view, :form_with_generates_ids)
+      if version >= '6.1'
+        set_rails_config(value: true_value, path: [:action_controller, :urlsafe_csrf_tokens])
+        set_rails_config(value: Sexp.new(:lit, :lax), path: [:action_dispatch, :cookies_same_site_protection])
+        set_rails_config(value: Sexp.new(:lit, 308), path: [:action_dispatch, :ssl_default_redirect_status])
+        set_rails_config(value: false_value, path: [:action_view, :form_with_generates_remote_forms])
+        set_rails_config(value: true_value, path: [:action_view, :preload_links_header])
+        set_rails_config(value: Sexp.new(:lit, 0.15), path: [:active_job, :retry_jitter])
+        set_rails_config(value: true_value, path: [:active_record, :has_many_inversing])
+        set_rails_config(value: false_value, path: [:active_record, :legacy_connection_handling])
+        set_rails_config(value: true_value, path: [:active_storage, :track_variants])
       end
 
-      if version >= 6.0
-        set_rails_config(Sexp.new(:lit, :zeitwerk), :autoloader)
-        set_rails_config(false_value, :action_view, :default_enforce_utf8)
-        set_rails_config(true_value, :action_dispatch, :use_cookies_with_metadata)
-        set_rails_config(false_value, :action_dispatch, :return_only_media_type_on_content_type)
-        set_rails_config(Sexp.new(:str, 'ActionMailer::MailDeliveryJob'), :action_mailer, :delivery_job)
-        set_rails_config(true_value, :active_job, :return_false_on_aborted_enqueue)
-        set_rails_config(Sexp.new(:lit, :active_storage_analysis), :active_storage, :queues, :analysis)
-        set_rails_config(Sexp.new(:lit, :active_storage_purge), :active_storage, :queues, :purge)
-        set_rails_config(true_value, :active_storage, :replace_on_assign_to_many)
-        set_rails_config(true_value, :active_record, :collection_cache_versioning)
+      if version >= '7.0'
+        video_args =
+          Sexp.new(:str, "-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2")
+        hash_class = s(:colon2, s(:colon2, s(:const, :OpenSSL), :Digest), :SHA256)
+
+        set_rails_config(value: true_value, path: [:action_controller, :raise_on_open_redirects])
+        set_rails_config(value: true_value, path: [:action_controller, :wrap_parameters_by_default])
+        set_rails_config(value: Sexp.new(:lit, :json), path: [:action_dispatch, :cookies_serializer])
+        set_rails_config(value: false_value, path: [:action_dispatch, :return_only_request_media_type_on_content_type])
+        set_rails_config(value: Sexp.new(:lit, 5), path: [:action_mailer, :smtp_timeout])
+        set_rails_config(value: false_value, path: [:action_view, :apply_stylesheet_media_default])
+        set_rails_config(value: true_value, path: [:ction_view, :button_to_generates_button_tag])
+        set_rails_config(value: true_value, path: [:active_record, :automatic_scope_inversing])
+        set_rails_config(value: false_value, path: [:active_record, :partial_inserts])
+        set_rails_config(value: true_value, path: [:active_record, :verify_foreign_keys_for_fixtures])
+        set_rails_config(value: true_value, path: [:active_storage, :multiple_file_field_include_hidden])
+        set_rails_config(value: Sexp.new(:lit, :vips), path: [:active_storage, :variant_processor])
+        set_rails_config(value: video_args, path: [:active_storage, :video_preview_arguments])
+        set_rails_config(value: Sexp.new(:lit, 7.0), path: [:active_support, :cache_format_version])
+        set_rails_config(value: true_value, path: [:active_support, :disable_to_s_conversion])
+        set_rails_config(value: true_value, path: [:active_support, :executor_around_test_case])
+        set_rails_config(value: hash_class, path: [:active_support, :hash_digest_class])
+        set_rails_config(value: Sexp.new(:lit, :thread), path: [:active_support, :isolation_level])
+        set_rails_config(value: hash_class, path: [:active_support, :key_generator_hash_digest_class])
+        set_rails_config(value: true_value, path: [:active_support, :remove_deprecated_time_with_zone_name])
+        set_rails_config(value: true_value, path: [:active_support, :use_rfc4122_namespaced_uuids])
       end
     end
   end

data/lib/brakeman/tracker/controller.rb

@@ -120,16 +120,20 @@ module Brakeman
         filter[:methods] << a[1] if a.node_type == :lit
       end
 
-      if args[-1].node_type == :hash
-        option = args[-1][1][1]
-        value = args[-1][2]
-        case value.node_type
-        when :array
-          filter[option] = value.sexp_body.map {|v| v[1] }
-        when :lit, :str
-          filter[option] = value[1]
-        else
-          Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+      options = args.last
+
+      if hash? options
+        # Probably only one option,
+        # but this also avoids issues with kwsplats
+        hash_iterate(options) do |option, value|
+          case value.node_type
+          when :array
+            filter[option.value] = value.sexp_body.map {|v| v[1] }
+          when :lit, :str
+            filter[option.value] = value[1]
+          else
+            Brakeman.debug "[Notice] Unknown before_filter value: #{option} => #{value}"
+          end
         end
       else
         filter[:all] = true

data/lib/brakeman/tracker.rb

@@ -245,7 +245,7 @@ class Brakeman::Tracker
       end
 
       # Not in any included modules, check the parent
-      @method_cache[cache_key] = find_method(method_name, klass.parent)
+      @method_cache[cache_key] = find_method(method_name, klass.parent, method_type)
     end
   end
 
@@ -371,7 +371,7 @@ class Brakeman::Tracker
       end
     end
 
-    @models.delete model_name
+    @models.delete(model_name)
   end
 
   #Clear information related to model

data/lib/brakeman/util.rb

@@ -265,15 +265,31 @@ module Brakeman::Util
     false
   end
 
-  def request_env? exp
-    call? exp and (exp == REQUEST_ENV or exp[1] == REQUEST_ENV)
+  # Only return true when accessing request headers via request.env[...]
+  def request_headers? exp
+    return unless sexp? exp
+
+    if exp[1] == REQUEST_ENV
+      if exp.method == :[]
+        if string? exp.first_arg
+          # Only care about HTTP headers, which are prefixed by 'HTTP_'
+          exp.first_arg.value.start_with?('HTTP_'.freeze)
+        else
+          true # request.env[something]
+        end
+      else
+        false # request.env.something
+      end
+    else
+      false
+    end
   end
 
-  #Check if exp is params, cookies, or request_env
+  #Check if exp is params, cookies, or request_headers
   def request_value? exp
     params? exp or
     cookies? exp or
-    request_env? exp
+    request_headers? exp
   end
 
   def constant? exp

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.2.1"
+  Version = "6.1.2"
 end

data/lib/brakeman/warning.rb

@@ -5,7 +5,7 @@ require 'brakeman/messages'
 
 #The Warning class stores information about warnings
 class Brakeman::Warning
-  attr_reader :called_from, :check, :class, :confidence, :controller,
+  attr_reader :called_from, :check, :class, :confidence, :controller, :cwe_id,
     :line, :method, :model, :template, :user_input, :user_input_type,
     :warning_code, :warning_set, :warning_type
 
@@ -31,6 +31,7 @@ class Brakeman::Warning
     :class => :@class,
     :code => :@code,
     :controller => :@controller,
+    :cwe_id => :@cwe_id,
     :file => :@file,
     :gem_info => :@gem_info,
     :line => :@line,
@@ -219,6 +220,7 @@ class Brakeman::Warning
   def to_row type = :warning
     @row = { "Confidence" => TEXT_CONFIDENCE[self.confidence],
       "Warning Type" => self.warning_type.to_s,
+      "CWE ID" => self.cwe_id,
       "Message" => self.message }
 
     case type
@@ -302,7 +304,8 @@ class Brakeman::Warning
       :render_path => render_path,
       :location => self.location(false),
       :user_input => (@user_input && self.format_user_input(false)),
-      :confidence => self.confidence_name
+      :confidence => self.confidence_name,
+      :cwe_id => cwe_id
     }
   end
 

data/lib/brakeman/warning_codes.rb

@@ -125,6 +125,12 @@ module Brakeman::WarningCodes
     :eol_ruby => 121,
     :pending_eol_rails => 122,
     :pending_eol_ruby => 123,
+    :CVE_2022_32209 => 124,
+    :pathname_traversal => 125,
+    :insecure_rsa_padding_mode => 126,
+    :missing_rsa_padding_mode => 127,
+    :small_rsa_key_size => 128,
+    :ransack_search => 129,
 
     :custom_check => 9090,
   }

data/lib/brakeman.rb

@@ -128,9 +128,8 @@ module Brakeman
 
     #Load configuration file
     if config = config_file(custom_location, app_path)
-      require 'date' # https://github.com/dtao/safe_yaml/issues/80
-      self.load_brakeman_dependency 'safe_yaml/load'
-      options = SafeYAML.load_file config, :deserialize_symbols => true
+      require 'yaml'
+      options = YAML.safe_load_file config, permitted_classes: [Symbol], symbolize_names: true
 
       if options
         options.each { |k, v| options[k] = Set.new v if v.is_a? Array }
@@ -493,10 +492,14 @@ module Brakeman
     end
 
     tracker = run(options)
+    new_report = JSON.parse(tracker.report.to_json, symbolize_names: true)
 
-    new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
+    new_results = new_report[:warnings]
+    obsolete_ignored = tracker.unused_fingerprints
 
-    Brakeman::Differ.new(new_results, previous_results).diff
+    Brakeman::Differ.new(new_results, previous_results).diff.tap do |diff|
+      diff[:obsolete] = obsolete_ignored
+    end
   end
 
   def self.load_brakeman_dependency name, allow_fail = false