Maciej Mensfeld
@mensfeld
I have a licence related question as I want to publish an open source project that uses Brakeman as one of the libs
Justin
@presidentbeef
@mensfeld sure, justin@presidentbeef.com
Maciej Mensfeld
@mensfeld
Thanks @presidentbeef writing an email as we speak
Justin
@presidentbeef
Brakeman 4.4.0 is out! https://brakemanscanner.org/blog/2019/01/17/brakeman-4-dot-4-dot-0-released
I know it's been a loooonnnnngggg time, so I apologize and thank everyone for your patience.
I expect to return to doing a release every 1-2 months. There is already a backlog of PRs for the next release.
Justin
@presidentbeef
New release is pending...! Expect to have it out this evening. The minimum required Ruby version to run Brakeman will be raised from 1.9.3 (!!) to 2.3.0.
Additionally, the new version of RubyParser will fix a lot (all?) of the parsing issues folks have been seeing.
Maciej Mensfeld
@mensfeld
@presidentbeef will you update the license?
Rubygems still say non standard
which is really broad
also @presidentbeef is the license document for Brakeman open source or not? :D
That is, can the license itself be used in other software? :D
Justin
@presidentbeef
So I didn't get the release out yet. Shouldn't have estimated the time when there's an external dependency..
@mensfeld when the release is out the license on rubygems
Will be updated
The license is based on the WPScan license... So I guess it's fine to take and adapt it if it fits your needs? Probably should ask a lawyer...
Maciej Mensfeld
@mensfeld
:D
OK their license is public
I will reuse it then
I have a lot of OSS that I want to release on the same license as Brakeman
that is - completely free to run as long as it runs within the organization (not when it is executed as a service by someone else for the organization)
Justin
@presidentbeef
@mensfeld a couple notes:
1 - It's not an "open source" license, it does not meet the definition of open source by the OSI: https://opensource.org/osd
2 - The lawyer who wrote the Brakeman license said the WPScan license is flawed because it does not include a "Grant" section
Justin
@presidentbeef
As noted earlier, the minimum Ruby version to run Brakeman is now 2.3.0. Finally, we can use modern Ruby syntax!
Maciej Mensfeld
@mensfeld
@presidentbeef thanks
Maciej Mensfeld
@mensfeld
@presidentbeef one more note
Brakeman Public Use License
I think it should be Brakeman Public Use License 1.0 :D
or something like that
to easily indicate changes in the future
Justin
@presidentbeef
@mensfeld Noted...but not planning on making the change at this point. If there is an updated license, the version number can be added then.
Maciej Mensfeld
@mensfeld
Jup :) just wanted to point that out
thanks!
linosgian
@linosgian
Hello! I was wondering whether the ruby 1.9.3 requirement under https://github.com/presidentbeef/brakeman/blob/master/CONTRIBUTING.md is up to date
Justin
@presidentbeef
@linosgian it is not... 2.3.0 is the current minimum
linosgian
@linosgian
I thought so since it's discontinued for so long, just making sure before I start developing. Cheers!
Justin
@presidentbeef
@/all Hi folks - if you are interested in "incremental scans" - scanning only a subset of files for e.g. a git commit hook or IDE integration, I would appreciate your feedback here: presidentbeef/brakeman#1368
linosgian
@linosgian
In the case of a function call (e.g. func(var1, var2)), variables will appear as :call right? Is this because of the () being optional in Ruby? Is there a way to distinguish the no-argument function call vs variable passing in brakeman (aka statically)?
Justin
@presidentbeef
@linosgian it depends on context. In Ruby, if x is not a local variable then it is a method call. If you only parse blah(x) then x will be a call. But if it were like x = 1; blah(x) then x would be an lvar according to ruby_parser
linosgian
@linosgian
I see, if the variable is in a function's definition as such:

def myfunc(x)
  blah(x)
end

then x would appear as an lvar I guess?
Boris
@raidenz_gitlab
Hi Everyone! We are trying to add brakeman to our CI and I can't find a way for brakeman (cli) to return success(0) only if no High confidence were found. I don't want it to return non-zero [errors] on medium/weak confidence. Any ideas?
So if only any high confidence exists, then I want it to return a non-zero result code.
Boris
@raidenz_gitlab
I tried brakeman -z3 and even though all high confidence are ignored [we have an ignore file], brakeman is returning a result code of '7'
err -w3
Justin
@presidentbeef
@raidenz_gitlab 7 means errors were encountered during analysis. It's separate from warnings
if you want to ignore errors, you can use --no-exit-on-error
Justin
@presidentbeef
I should say, if you don't want analysis errors to impact the return code, use that option. The errors will still be in the report.
Chris Thompson
@yegct_twitter
Morning, brakeman folks! A coworker just filed presidentbeef/brakeman#1387 and we'd be happy to provide more information if it would be useful. If you already think it'd be easy to fix and have pointers, we could attempt a fix. No promises (time commitments, no guarantee of ability, etc.), but we fully understand this is open-source software. Very happy to discuss further.
Justin
@presidentbeef
Hi @yegct_twitter - yes, I saw. Haven't poked at it yet, but I'm guessing it's not easy to fix.
Chris Thompson
@yegct_twitter
Yeah. That's our guess, too. :(
Justin
@presidentbeef
Brakeman 4.6.1 is out to correct a typo in the reverse tabnabbing warning message: https://brakemanscanner.org/blog/2019/07/24/brakeman-4-dot-6-dot-1-released