Say I have code like this:
```ruby
crm_status = %x[/usr/sbin/crm_mon -s 2>&1].chomp
```
It triggers the following warnings:
- [high] ./app/models/cib.rb:240: Execute system commands can lead the system to run dangerous code (CWE-88, CWE-78)
- [high] ./app/models/cib.rb:240: The "`" method passes the executed command through shell expansion. (CWE-88, CWE-78)
Now, in my case, executing that command is both necessary (I need that command's output) and completely safe (unless I'm missing something). Is there some way I can tag it so that Scanny will shut up about it? :-)
Or should I be using some construct other than %x[ ... ]?
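One construct that avoids the shell expansion named in the second warning, shown as an added example that is not part of the original post: `Open3.capture2e` with an argument vector runs the binary directly and merges stderr into stdout, which replaces the `2>&1`. The helper name `run_without_shell` is hypothetical, and whether Scanny still reports this form is not something the post establishes.

```ruby
require "open3"

# Run a program with an explicit argument vector and return
# [combined stdout+stderr, exit status]. The [program, program] pair is
# Ruby's [cmdname, argv0] form, which guarantees no shell is involved even
# when there are no further arguments.
def run_without_shell(program, *args)
  output, status = Open3.capture2e([program, program], *args)
  [output.chomp, status.exitstatus]
rescue Errno::ENOENT, Errno::EACCES => e
  # Binary missing or not executable: report it instead of raising.
  ["#{program}: #{e.message}", nil]
end

# Path and flag are the ones from the post; only the calling convention changes.
def crm_status
  run_without_shell("/usr/sbin/crm_mon", "-s")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: shell metacharacters arrive in the child as plain
  # bytes, because nothing ever parses them as shell syntax.
  out, code = run_without_shell(RbConfig.ruby, "-e", "print ARGV[0]",
                                "$(id); echo injected")
  puts "child saw: #{out.inspect} (exit #{code})"

  status, code = crm_status
  puts "crm_mon: #{status.inspect} (exit #{code.inspect})"
end
```

Checking the returned exit status alongside the text lets the caller tell a failed run of `crm_mon` apart from its normal status output.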