Michael Hagar
@mehagar
Where can I find out why certain checks are optional? Are they just slow, or produce too many false positives? I would like to know more about why some are marked as optional.
Justin Collins
@presidentbeef
@mehagar They are noisier/produce more false positives.
Michael Hagar
@mehagar
Thanks! I'm confused because some of these optional checks have code that would produce a "high" or "medium" confidence level.
Justin Collins
@presidentbeef
Michael Hagar
@mehagar
Nice, I appreciate the protected_attributes fix. This will reduce a lot of noise in a Rails 4.2 app we're developing.
Justin Collins
@presidentbeef
Brakeman 4.10.0 released: https://brakemanscanner.org/blog/2020/09/28/brakeman-4-dot-10-dot-0-released
Only change here is the new SARIF report format.
Joel Brewer
@joelbrewer
Quick question! I'm working on clearing out some Brakeman warnings on our application and I've run into several File Access warnings. In some instances, we were using the incoming filename as the filename on our end (not good), so I've started using hashes instead. However, I don't want to lose the file extension, but I haven't found a way to tack that on without Brakeman getting upset. Any recommendations?
Here's what Brakeman is mad at, because uploaded_io is coming from params[:file].
Victor Azevedo
@victormazevedo
Hello, how are you? I have a question: is it possible, in the Code attribute of the output, to see all of the code including comments?
e.g. I have this line of code, system("ls #{options}") #foo, that returns Command Injection. In the output I can only see system("ls #{options}"), but I need to see the comment too. Is there a way to run brakeman so that it shows comments in code lines, or does this not exist in Brakeman?
Thanks in advance!
Justin Collins
@presidentbeef
@victormazevedo Brakeman doesn't really store comment information. However, if you look at the HTML report, you can expand findings to show nearby code.

@joelbrewer Not sure what to suggest there, really. Do you have a list of allowed extensions? You may be able to remove the Brakeman warning by putting your code behind a condition like

if [".txt", ".pdf", ".png"].include? extension
  path = ...
end

It takes kind of specific code, but for something like the above, Brakeman will know that extension must be one of those values inside the if expression.

Thomas M. DuBuisson
@TomMD

@victormazevedo With muse (https://github.com/marketplace/muse-dev) what you ask is the default behavior. You make PRs, Muse runs Brakeman (among others) and posts new results as line comments so you see the line in the github PR stream. If you look in the console then brakeman results link to the github source view (but the source isn't inline in the console).

For command line behavior I think you're reduced to writing your own shell wrapper that will parse the file name from brakeman results and find the line of interest to then output. If you can assume jq is installed then this shouldn't be too heavy of a lift.

Justin Collins
@presidentbeef
Brakeman 4.10.1 was released on Christmas Eve to fix some Ruby 3.0 incompatibilities: https://brakemanscanner.org/blog/2020/12/24/brakeman-4-dot-10-dot-1-released
and a couple of other bugs. 4.10.1 was branched from 4.10, so there are still a number of pending changes which will be released in Brakeman 5.0.
Andres Camilo Santana
@Niordsid
Good morning. I have a dumb question, but maybe you can help me. I'm implementing brakeman in a project, but a question has arisen that I have not been able to solve: can this gem be run on an internal gem that is used in the project? Is there any way to run brakeman on gems?
Justin Collins
@presidentbeef
@Niordsid can you clarify? You want to scan a gem? or you want to include scanning the gem as part of scanning the Rails application? (Brakeman doesn't scan dependencies normally)
Andres Camilo Santana
@Niordsid
@presidentbeef thanks for your answer. To answer your question, basically what I want is to scan a gem; is this possible? I've defined a pipeline in GitLab for this gem (an internal gem), where I want to use brakeman to analyze the code of this gem.
Justin Collins
@presidentbeef
@Niordsid yes, it's possible. You'll probably need to use the --force option. But there's no guarantee the results will be useful if it's not a Rails application. (This will improve a little in Brakeman 5.0 if I can ever get it released)
Justin Collins
@presidentbeef
Brakeman 5.0 is now released!! https://brakemanscanner.org/blog/2021/01/26/brakeman-5-dot-0-dot-0-released
The biggest change here is that Brakeman now scans (almost) all Ruby files in an application!
This will relieve a lot of confusion about why Brakeman doesn't "see" some files.
There are also two new checks, support for Sonarqube report format, and a bunch of other updates.
carlos
@carlosjpr-collab
hi
Can I start the docker image to scan local Rails files?
George Terezakis
@GiwrgosTerezakis
Hello everyone! I'm trying to make brakeman work as a linter for my company, and I'm searching for all the file extensions that Brakeman checks.
Justin Collins
@presidentbeef
@GiwrgosTerezakis Generally, *.rb, *.html.erb, *.html.haml, *.html.slim. But I'm curious why it matters? You shouldn't need to worry about which files it checks.
Zamir Martins Filho
@zmartins_gitlab
Hello everyone. After reading https://brakemanscanner.org/blog/2021/01/26/brakeman-5-dot-0-dot-0-released, I was wondering whether this is to be seen as a wider scope of Ruby files within the context of RoR, or whether there has been some effort to support non-Rails Ruby code?
Justin Collins
@presidentbeef
@zmartins_gitlab A wider scope of Ruby files within the scope of a Ruby on Rails application. As before, you could use it on non-Rails code (you usually need to use --force), but it's not supported or really recommended.
Justin Collins
@presidentbeef
Brakeman 5.1.0 is released! https://brakemanscanner.org/blog/2021/07/19/brakeman-5-dot-1-dot-0-released
This is a huge release (in terms of number of changes). Take a look!
Esty Scheiner
@escheiner
Hey everyone! Is anyone using the brakeman comparison feature in an enterprise environment?
How have others dealt with line number changes affecting security finding fingerprints? It seems like the fingerprint uses the location_string to calculate the value.
Justin Collins
@presidentbeef
Hi @escheiner! Line numbers do not affect fingerprints.
(location doesn't include line number... or file)
Esty Scheiner
@escheiner
Interesting! I've been seeing this issue where the fingerprints change for ignored vulnerabilities or the comparison file, thereby creating an alert that there is a new vulnerability. I figured it was because the line number had changed.
Have you seen that issue before? Wondering if you have any ideas.
Justin Collins
@presidentbeef
If code moves around or changes in certain ways or sometimes due to Brakeman changes between releases, fingerprints can change.
Esty Scheiner
@escheiner
Okay thanks @presidentbeef!!
Mickael Gaspar
@migasar
Hello @presidentbeef, is there a technical reason why Brakeman doesn't scan dependencies? (I was interested in building a dependency scanner for Ruby, as a school project, but I am not sure that's feasible and/or useful.)
Justin Collins
@presidentbeef
@migasar Mainly speed.
You can bundle install --path vendor to install dependencies into a local path and then brakeman --no-skip-vendor.
Results very much not guaranteed.
There's probably some work to be done around ignoring certain files/directories and interpreting things correctly... the further one strays from "regular" Rails application code, the less accurate Brakeman becomes.
Benjamin Bock
@bb
Hi! I'm getting the following error in CI (gitlab, running using image ruby:3.0.2) but not locally (ruby 3.0.2 via rvm on macOS): Error: "scss" filter's sassc dependency missing: try installing it or adding it to your Gemfile. I have gem "sassc-rails" in my Gemfile (which depends on sassc) and also tried adding sassc directly but neither helped. Any ideas? Something slightly non-standard which I didn't yet investigate: I'm using the hamlit Gem, not haml.
cwidstrom
@cwidstrom
Hello @presidentbeef! We are looking at using Brakeman at my company, but I wanted to verify how far along Brakeman is in supporting Ruby 2.7.4. It looks like there has been some work put into it, but it's unclear how far that went.
Justin Collins
@presidentbeef
@cwidstrom just waiting on the next release of ruby_parser which I believe will support all of 2.7 and 3.0 syntax.
cwidstrom
@cwidstrom
@presidentbeef thanks for the quick response and that sounds like a plan. Hopefully they will release soon 🙏
Heinrich Blatt
@c23omega
Hello @presidentbeef! We also want to use brakeman for our company to check our software, but I'm wondering whether this is legally OK?
Justin Collins
@presidentbeef
@c23omega Yes, using Brakeman on your own software (proprietary or otherwise) is allowed.
Heinrich Blatt
@c23omega
Thanks very much for your response.
Justin Collins
@presidentbeef
Hi everyone! Going forward discussions can take place on https://github.com/presidentbeef/brakeman/discussions/
I don't really hang out here (I rely on "unread message" emails) and it's yet-another-site to log into.
Roy Cruz
@rcruzpolanco:matrix.org
Hi, I noticed that brakeman is being used in the GitLab SAST tool to check for vulnerabilities in the code. In our code we also use bundler-audit, which checks for vulnerable versions of gems. I want to know if brakeman checks for those, or whether we should continue using both.
Justin Collins
@presidentbeef
Hi @rcruzpolanco:matrix.org - you should use both. Brakeman does not do dependency analysis (for the most part) and it's better to have a dedicated tool for detecting vulnerable dependencies.
Roy Cruz
@rcruzpolanco:matrix.org
Thanks Justin, have a nice day.