CI example? #697
Comments
Hi Benjamin, Thank you for the detailed report! Brakeman needs HAML to process HAML templates. That's the only time it should be loading the HAML library. Some other comments (feel free to ignore):
Definitely over-complicated... Thanks for the tips. In the end, I've had to just install full-on brakeman. Do you have any public apps that run something like this (or cleaner?)

I'm not sure anyone is doing exactly what you are doing, sorry.

I would think this is the main use-case. That's why I opened this issue to see what I might be missing. Again, goals from the description
Anything less is just running with the 'factory defaults' and just getting an html report with no diffing, right?
Ah, sure. Those are easily obtainable. Here's a bash script that does that:

```bash
if [ -e "reports/brakeman.json" ]
then
  brakeman -c config/brakeman.yml --compare reports/brakeman.json -o /dev/stdout -o reports/brakeman.json -o reports/brakeman.html -z
else
  brakeman -c config/brakeman.yml -o reports/brakeman.json -o reports/brakeman.html -z
fi
```

The input and output files for JSON comparison can be the same. The diff is always sent to the first -o option. What this is missing is printing out just the summary. It's not currently possible to both summarize and generate full reports.
Thanks. I got the sense that you use the command-line interface more than the Ruby, Rake, or YAML ones. (There's some inconsistency in the code about what options are accepted and what some are called. I might make a PR...)

If you can point me at where it discovers it wants to parse a haml file but it doesn't have haml, I'll write a better error message :) I thought it was coming from the gem install :)

Yes, it's true the command line options don't always line up with internal option names. Internal names make sense according to what's happening internally and command line options are supposed to make sense externally...but I realize it's confusing some times. Optional dependencies are all loaded through this method. It's much less confusing when running Brakeman normally...
Ok, so this is what I've ended up with https://gist.github.com/bf4/2aec0697234627bb82d0 I think it works pretty nicely, thanks! Now I just need to get a handle on ignoring false positives

```bash
#!/usr/bin/env bash
# Does not install the latest brakeman if already installed
gem install brakeman --conservative
# Only the output configurations are specified below. The remaining configuration
# is in config/brakeman.yml and any ignored warnings in config/brakeman.ignore
# see https://github.com/presidentbeef/brakeman/blob/master/OPTIONS.md
# config template generated by running:
# brakeman -z -w2 -q -A --routes --message-limit 200 --table-width 200 --github-repo org_name/repo_name -4 -i config/brakeman.ignore -d -p . --summary --skip-files config/database.yml --safe-methods banana --url-safe-methods banana_url --compare reports/brakeman.json -o /dev/stdout -o reports/brakeman.json -o reports/brakeman.html -o /dev/stdout -C > config/brakeman.yml
# https://github.com/presidentbeef/brakeman/issues/697#issuecomment-129612973
# The input and output files for JSON comparison can be the same.
# The diff is always sent to the first -o option, so in this case printed to the console.
# What this is missing is printing out just the summary.
# It's not currently possible to both summarize and generate full reports.
if [ -e "reports/brakeman.json" ]
then
  brakeman -c config/brakeman.yml --compare reports/brakeman.json -o /dev/stdout -o reports/brakeman.json -o reports/brakeman.html -o /dev/stdout
else
  brakeman -c config/brakeman.yml -o reports/brakeman.json -o reports/brakeman.html -o /dev/stdout
fi
```
Cool, glad it is working for you 🎸 You could do
Yeah, I mean to look into if I can add ignore items without using -I (I imagine not all the info it writes is required)

I think this has been answered.
FWIW https://twitter.com/presidentbeef/status/591250085314428928

```bash
if [ -e "report.json" ]
then
  brakeman --compare report.json -o diff.json -o report.json -z
else
  brakeman -o report.json -z
fi
```

though I'm not sure how to cache report.json on CI right now, that's not really brakeman's issue :)
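The scripts in this thread write the `--compare` diff to the first `-o` target but, as noted, cannot also print a short summary or turn the result into a pass/fail for CI. The following is an added example (not Brakeman's own code and not from the issue) that closes that gap in Brakeman's own language: it reads a compare diff file such as the `diff.json` above, prints a one-line summary plus each new warning, and returns a non-zero status when new warnings appear. It assumes the diff is a JSON object with `"new"` and `"fixed"` arrays of warning hashes carrying `warning_type`, `confidence`, `file`, `line` and `message` keys; the embedded sample diff is constructed for the demo.

```ruby
#!/usr/bin/env ruby
# Added example, not part of Brakeman: summarize a `brakeman --compare` diff
# and gate a CI run on it. Usage: ruby brakeman_gate.rb diff.json
#
# Assumption: the diff file is a JSON object with "new" and "fixed" arrays of
# warning hashes, each with warning_type, confidence, file, line and message.
require 'json'

# Constructed sample shaped like a compare result (not real Brakeman output).
SAMPLE_DIFF = <<~JSON
  {
    "new": [
      {"warning_type": "SQL Injection", "confidence": "High",
       "file": "app/models/user.rb", "line": 42,
       "message": "Possible SQL injection"}
    ],
    "fixed": [
      {"warning_type": "Cross-Site Scripting", "confidence": "Medium",
       "file": "app/views/users/show.html.erb", "line": 7,
       "message": "Unescaped model attribute"}
    ]
  }
JSON

# Render one warning hash as a single line for the CI log.
def format_warning(w)
  "#{w['warning_type']} (#{w['confidence']}) #{w['file']}:#{w['line']} - #{w['message']}"
end

# Parse the diff and count new/fixed warnings; missing keys count as empty.
def summarize_diff(json_text)
  diff = JSON.parse(json_text)
  new_warnings = Array(diff['new'])
  fixed_warnings = Array(diff['fixed'])
  {
    new: new_warnings.size,
    fixed: fixed_warnings.size,
    new_details: new_warnings.map { |w| format_warning(w) }
  }
end

# Exit status for the build: 0 only when the change introduces no new warnings.
# Fixed warnings never fail the build, so the gate only ever ratchets forward.
def exit_status_for(summary)
  summary[:new].zero? ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  summary = summarize_diff(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_DIFF)
  puts "Brakeman compare: #{summary[:new]} new, #{summary[:fixed]} fixed"
  summary[:new_details].each { |line| puts "  NEW: #{line}" }
  # Only gate the build when a real diff file was supplied; the sample is a demo.
  exit exit_status_for(summary) if ARGV[0]
end
```

Run it right after the compare step (`brakeman --compare report.json -o diff.json -o report.json -z && ruby brakeman_gate.rb diff.json`); `-z` already fails the run on any warning, so drop it when you only want to fail on warnings that are new relative to the cached `report.json`.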
I'm happy to make a PR
I added brakeman to rubygems/rubygems.org#1025 and was wondering how that compares to how you would configure a CI run to
Summary of the above PR for convenience
script/brakeman
config/brakeman.yml
.travis.yml
lib/tasks/brakeman.rake
Besides that implementation that cannibalizes the Rake task to run externally with some fancy output, I've tried running without a Rake task but I've gotten errors
adding to the
config/brakeman.yml
script/brakeman
.travis.yml
Which results in the TravisCI failure
But I can't figure out what might be trying to require haml.
If I also install haml on the cli, it then fails that it's missing sass.
So, now I have in script/brakeman

```bash
[ -z "$CI" ] && gem install haml sass --conservative # because CI is crazy
```