Stop using CONFIDENCE[...] in checks

lib/brakeman/checks/base_check.rb

@@ -10,7 +10,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   include Brakeman::Util
   attr_reader :tracker, :warnings
 
-  CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
+  # This is for legacy support.
+  # Use :high, :medium, or :low instead when creating warnings.
+  CONFIDENCE = Brakeman::Warning::CONFIDENCE
 
   Match = Struct.new(:type, :match)
 

lib/brakeman/checks/check_basic_auth.rb

@@ -30,7 +30,7 @@ def check_basic_auth_filter
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
               :code => call,
-              :confidence => 0,
+              :confidence => :high,
               :file => controller.file
           break
         end
@@ -50,7 +50,7 @@ def check_basic_auth_request
               :warning_type => "Basic Auth",
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
-              :confidence => 0
+              :confidence => :high
       end
     end
   end

lib/brakeman/checks/check_basic_auth_timing_attack.rb

@@ -26,7 +26,7 @@ def check_basic_auth_call
         :warning_type => "Timing Attack",
         :warning_code => :CVE_2015_7576,
         :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
     end
   end

lib/brakeman/checks/check_content_tag.rb

@@ -105,17 +105,17 @@ def check_argument result, exp
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => input,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :link_path => "content_tag"
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
       unless IGNORE_MODEL_METHODS.include? match.method
         add_result result
 
         if likely_model_attribute? match
-          confidence = CONFIDENCE[:high]
+          confidence = :high
         else
-          confidence = CONFIDENCE[:med]
+          confidence = :medium
         end
 
         warn :result => result,
@@ -139,7 +139,7 @@ def check_argument result, exp
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => @matched,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :link_path => "content_tag"
     end
   end
@@ -159,9 +159,9 @@ def process_call exp
   def check_cve_2016_6316
     if cve_2016_6316?
       confidence = if @content_tags.any?
-                     CONFIDENCE[:high]
+                     :high
                    else
-                     CONFIDENCE[:med]
+                     :medium
                    end
 
       fix_version = case

lib/brakeman/checks/check_create_with.rb

@@ -51,15 +51,15 @@ def danger_level exp
     if call? exp and exp.method == :permit
       nil
     elsif request_value? exp
-      CONFIDENCE[:high]
+      :high
     elsif hash? exp
       nil
     elsif has_immediate_user_input?(exp)
-      CONFIDENCE[:high]
+      :high
     elsif include_user_input? exp
-      CONFIDENCE[:med]
+      :medium
     else
-      CONFIDENCE[:low]
+      :weak
     end
   end
 
@@ -68,7 +68,7 @@ def generic_warning
         :warning_code => :CVE_2014_3514,
         :message => @message,
         :gem_info => gemfile_or_environment,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
   end
 end

lib/brakeman/checks/check_cross_site_scripting.rb

@@ -77,7 +77,7 @@ def check_for_immediate_xss exp
         :warning_code => :cross_site_scripting,
         :message => message,
         :code => input.match,
-        :confidence => CONFIDENCE[:high]
+        :confidence => :high
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
       method = if call? match
@@ -90,9 +90,9 @@ def check_for_immediate_xss exp
         add_result exp
 
         if likely_model_attribute? match
-          confidence = CONFIDENCE[:high]
+          confidence = :high
         else
-          confidence = CONFIDENCE[:med]
+          confidence = :medium
         end
 
         message = "Unescaped model attribute"
@@ -178,14 +178,14 @@ def process_call exp
           warning_code = :cross_site_scripting
 
           if @known_dangerous.include? exp.method
-            confidence = CONFIDENCE[:high]
+            confidence = :high
             if exp.method == :to_json
               message += " in JSON hash"
               link_path += "_to_json"
               warning_code = :xss_to_json
             end
           else
-            confidence = CONFIDENCE[:low]
+            confidence = :weak
           end
 
           warn :template => @current_template,

lib/brakeman/checks/check_default_routes.rb

@@ -21,7 +21,7 @@ def check_for_default_routes
         :warning_code => :all_default_routes,
         :message => "All public methods in controllers are available as actions in routes.rb",
         :line => tracker.routes[:allow_all_actions].line,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :file => "#{tracker.app_path}/config/routes.rb"
     end
   end
@@ -43,7 +43,7 @@ def check_for_action_globs
           :warning_code => :controller_default_routes,
           :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
           :line => actions[2],
-          :confidence => CONFIDENCE[:med],
+          :confidence => :medium,
           :file => "#{tracker.app_path}/config/routes.rb"
       end
     end
@@ -67,9 +67,9 @@ def check_for_cve_2014_0130
     end
 
     if allow_all_actions? or @actions_allowed_on_controller
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     else
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     end
 
     warn :warning_type => "Remote Code Execution",

lib/brakeman/checks/check_deserialize.rb

@@ -36,9 +36,9 @@ def check_deserialize result, target, arg = nil
     method = result[:call].method
 
     if input = has_immediate_user_input?(arg)
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     elsif input = include_user_input?(arg)
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     end
 
     if confidence

lib/brakeman/checks/check_detailed_exceptions.rb

@@ -18,7 +18,7 @@ def check_local_request_config
       warn :warning_type => "Information Disclosure",
            :warning_code => :local_request_config,
            :message => "Detailed exceptions are enabled in production",
-           :confidence => CONFIDENCE[:high],
+           :confidence => :high,
            :file => "config/environments/production.rb"
     end
   end
@@ -32,9 +32,9 @@ def check_detailed_exceptions
 
         if method_name == :show_detailed_exceptions? and not safe? body
           if true? body
-            confidence = CONFIDENCE[:high]
+            confidence = :high
           else
-            confidence = CONFIDENCE[:med]
+            confidence = :medium
           end
 
           warn :warning_type => "Information Disclosure",

lib/brakeman/checks/check_digest_dos.rb

@@ -19,9 +19,9 @@ def run_check
     end
 
     if with_http_digest?
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     else
-      confidence = CONFIDENCE[:low]
+      confidence = :weak
     end
 
     warn :warning_type => "Denial of Service",

lib/brakeman/checks/check_dynamic_finders.rb

@@ -26,7 +26,7 @@ def process_result result
             :warning_type => "SQL Injection",
             :warning_code => :sql_injection_dynamic_finder,
             :message => "MySQL integer conversion may cause 0 to match any string",
-            :confidence => CONFIDENCE[:med],
+            :confidence => :medium,
             :user_input => arg
 
           break

lib/brakeman/checks/check_escape_function.rb

@@ -13,7 +13,7 @@ def run_check
       warn :warning_type => 'Cross Site Scripting',
         :warning_code => :CVE_2011_2932,
         :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2932',
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
     end

lib/brakeman/checks/check_evaluation.rb

@@ -29,7 +29,7 @@ def process_result result
         :message => "User input in eval",
         :code => result[:call],
         :user_input => input,
-        :confidence => CONFIDENCE[:high]
+        :confidence => :high
     end
   end
 end

lib/brakeman/checks/check_execute.rb

@@ -56,9 +56,9 @@ def process_result result
     if failure and original? result
 
       if failure.type == :interp #Not from user input
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       else
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       end
 
       warn :result => result,
@@ -79,7 +79,7 @@ def check_open_calls
           :warning_code => :command_injection,
           :message => "Possible command injection in open()",
           :user_input => match,
-          :confidence => CONFIDENCE[:high]
+          :confidence => :high
       end
     end
   end
@@ -111,9 +111,9 @@ def process_backticks result
     exp = result[:call]
 
     if input = include_user_input?(exp)
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     elsif input = dangerous?(exp)
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     else
       return
     end

lib/brakeman/checks/check_file_access.rb

@@ -32,18 +32,18 @@ def process_result result
     file_name = call.first_arg
 
     if match = has_immediate_user_input?(file_name)
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     elsif match = has_immediate_model?(file_name)
       match = Match.new(:model, match)
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     elsif tracker.options[:check_arguments] and
       match = include_user_input?(file_name)
 
       #Check for string building in file name
       if call?(file_name) and (file_name.method == :+ or file_name.method == :<<)
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       else
-        confidence = CONFIDENCE[:low]
+        confidence = :weak
       end
     end
 

lib/brakeman/checks/check_file_disclosure.rb

@@ -23,7 +23,7 @@ def run_check
       warn :warning_type => "File Access",
         :warning_code => :CVE_2014_7829,
         :message => "Rails #{rails_version} has a file existence disclosure. Upgrade to #{fix_version} or disable serving static assets",
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ"
     end

lib/brakeman/checks/check_filter_skipping.rb

@@ -13,7 +13,7 @@ def run_check
       warn :warning_type => "Default Routes",
         :warning_code => :CVE_2011_2929,
         :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929",
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion"
     end

lib/brakeman/checks/check_forgery_setting.rb

@@ -29,7 +29,7 @@ def run_check
             :warning_type => "Cross-Site Request Forgery",
             :warning_code => :csrf_not_protected_by_raising_exception,
             :message => "protect_from_forgery should be configured with 'with: :exception'",
-            :confidence => CONFIDENCE[:med],
+            :confidence => :medium,
             :file => controller.file
           }
 
@@ -50,7 +50,7 @@ def csrf_warning opts
     opts = {
       :controller => :ApplicationController,
       :warning_type => "Cross-Site Request Forgery",
-      :confidence => CONFIDENCE[:high]
+      :confidence => :high
     }.merge opts
 
     warn opts

lib/brakeman/checks/check_header_dos.rb

@@ -18,7 +18,7 @@ def run_check
       warn :warning_type => "Denial of Service",
         :warning_code => :CVE_2013_6414,
         :message => message,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
     end

lib/brakeman/checks/check_i18n_xss.rb

@@ -21,7 +21,7 @@ def run_check
       warn :warning_type => "Cross Site Scripting",
         :warning_code => :CVE_2013_4491,
         :message => message,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :gem_info => gemfile_or_environment(:i18n),
         :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
     end

lib/brakeman/checks/check_jruby_xml.rb

@@ -31,7 +31,7 @@ def run_check
     warn :warning_type => "File Access",
       :warning_code => :CVE_2013_1856,
       :message => "Rails #{rails_version} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch",
-      :confidence => CONFIDENCE[:high],
+      :confidence => :high,
       :gem_info => gemfile_or_environment,
       :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"
   end

lib/brakeman/checks/check_json_encoding.rb

@@ -16,9 +16,9 @@ def run_check
       end
 
       if tracker.find_call(:methods => [:to_json, :encode]).any?
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       else
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       end
 
       warn :warning_type => "Cross Site Scripting",