Ability to tag/ignore "known good" code? #136

Open
tserong opened this Issue · 0 comments

1 participant

@tserong

Say I have code like this:

crm_status = %x[/usr/sbin/crm_mon -s 2>&1].chomp

It triggers the following warnings:

- [high] ./app/models/cib.rb:240: Execute system commands can lead the system to run dangerous code (CWE-88, CWE-78)
- [high] ./app/models/cib.rb:240: The "`" method passes the executed command through shell expansion. (CWE-88, CWE-78)

Now, in my case, executing that command is both necessary (I need that command's output) and completely safe (unless I'm missing something). Is there some way I can tag it so that Scanny will shut up about it? :-)

Or, should I be using some construct other than %x[ ... ] ?

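The following is an added example that answers the "some construct other than %x[ ... ]" question in working Ruby; it is not tserong's code and not Scanny's suppression mechanism (the issue does not describe one). The literal command on line 240 contains no attacker-controlled input, so the warnings are about the API shape: backticks and %x[...] hand the string to /bin/sh, which is what the second finding flags. Passing the program and its arguments to Open3.capture2e as separate strings runs the program directly with no shell, and capture2e merges stderr into stdout, so the `2>&1` redirect is not needed either. The `echo` invocations and the nonexistent path used below are constructed inputs for demonstration.

```ruby
require "open3"

# Added example (not from the issue or from Scanny): capture a command's
# combined stdout+stderr like `%x[... 2>&1].chomp`, but without a shell.
#
# In the argv form, Open3.capture2e execs the program with exactly these
# arguments. No shell parses them, so metacharacters such as ';' or '$(...)'
# in any argument reach the program literally instead of being interpreted.
# Returns [output, success?]; output is nil if the program cannot be run
# (for instance, crm_mon not installed on this host).
def capture_no_shell(*argv)
  out, status = Open3.capture2e(*argv)
  [out.chomp, status.success?]
rescue Errno::ENOENT
  [nil, false]
end

# For comparison: a single string with shell metacharacters goes through
# /bin/sh -c, exactly as with backticks or %x[...]. This is the pattern
# Scanny warns about, and it is only dangerous when the string is built
# from outside input.
def capture_via_shell(cmd)
  out, status = Open3.capture2e(cmd)
  [out.chomp, status.success?]
end

if $PROGRAM_NAME == __FILE__
  # ';' is data to echo here, not a command separator.
  p capture_no_shell("echo", "a;echo b")   # => ["a;echo b", true]
  # The same text through the shell runs two commands.
  p capture_via_shell("echo a;echo b")     # => ["a\nb", true]
  # The drop-in replacement for the line in the issue (stderr merged by
  # capture2e, so no "2>&1" is required):
  crm_status, ok = capture_no_shell("/usr/sbin/crm_mon", "-s")
  p [crm_status, ok]
end
```

Because the argv form never invokes a shell, adding user-supplied values later (a resource name, a node name) as extra array elements stays safe by construction; the same change made to a `%x[...]` string would reopen the CWE-78 case the warning describes.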