Ability to tag/ignore "known good" code? #136

tserong opened this Issue Apr 30, 2013 · 0 comments


tserong commented Apr 30, 2013

Say I have code like this:

crm_status = %x[/usr/sbin/crm_mon -s 2>&1].chomp

It triggers the following warnings:

- [high] ./app/models/cib.rb:240: Execute system commands can lead the system to run dangerous code (CWE-88, CWE-78)
- [high] ./app/models/cib.rb:240: The "`" method passes the executed command through shell expansion. (CWE-88, CWE-78)

Now, in my case, executing that command is both necessary (I need that command's output) and completely safe (unless I'm missing something). Is there some way I can tag it so that Scanny will shut up about it? :-)

Or, should I be using some construct other than %x[ ... ] ?
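As an added illustration (not code from the issue or from Scanny), the `%x[...]` construct from the report beside an argv-array form that never hands the command to `/bin/sh`; `run_via_shell` and `run_without_shell` are hypothetical helper names, and the `echo` calls are constructed input standing in for `crm_mon`:

```ruby
require "open3"

# Run a program from an argv array. With more than one argument,
# Open3.capture2e execs the program directly (PATH lookup, no /bin/sh),
# so nothing in the arguments is expanded or interpreted. stderr is
# merged into the returned output, matching the author's `2>&1` intent.
def run_without_shell(*argv)
  output, status = Open3.capture2e(*argv)
  raise "#{argv.first} failed (exit #{status.exitstatus})" unless status.success?
  output.chomp
end

# The construct from the issue, for contrast: a single command string is
# passed to /bin/sh whenever it contains shell metacharacters, which is
# why the scanner flags shell expansion.
def run_via_shell(command)
  %x[#{command} 2>&1].chomp
end

# Shell form: sh evaluates $((1+1)) before echo ever sees it.
# Array form: echo receives the literal bytes "$((1+1))".
puts run_via_shell("echo $((1+1))")        # 2
puts run_without_shell("echo", "$((1+1))") # $((1+1))

# The author's call, rewritten so no shell is involved (assumes the binary exists):
# crm_status = run_without_shell("/usr/sbin/crm_mon", "-s")
```

The array form sidesteps the CWE-78 finding by construction rather than by suppression, which is the stronger answer to the second question; whether Scanny offers a suppression tag is not settled by this issue.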
