DEV Community

n350071πŸ‡―πŸ‡΅
n350071πŸ‡―πŸ‡΅

Posted on • Edited on

static security analysis for Rails app by using Breakman

πŸ”— Parent Note

How to use

Run the brakeman

According to Brakeman repository, run following command on the root directory of the app.

bundle exec brakeman
Enter fullscreen mode Exit fullscreen mode

Result

You might get the result like this. Sometimes, the result is so long, so that you can search the new alert by using "new": [ keyword.

{
  "new": [
    {
      "warning_type": "File Access",
      "warning_code": 16,
      "fingerprint": "xxx",
      "check_name": "SendFile",
      "message": "Parameter value used in file name",
      "file": "app/controllers/download_controller.rb",
      "line": xx,
      "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
      "code": "send_file(params[:file_name])",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "DownloadController",
        "method": "file_download"
      },
      "user_input": "params[:file_name]",
      "confidence": "Weak"
    },
Enter fullscreen mode Exit fullscreen mode

specific files

bundle exec brakeman --only-files path/to/file/,path/to2/ --compare ./brakeman-result.json | grep '"new": ' -A25
Enter fullscreen mode Exit fullscreen mode

Run on CI server

bundle exec brakeman -z ./
Enter fullscreen mode Exit fullscreen mode
  • -z: return 0 as the exit code. Breakman returns non-0 code as default if it detects any security warnings. This option helps CI.

Compare with last one

bundle exec brakeman ./ --compare ./ci/brakeman-scan-result.json
Enter fullscreen mode Exit fullscreen mode

In the Case of FalsePositive

Write it to ignore file.

bundle exec brakeman -I ./
Enter fullscreen mode Exit fullscreen mode

Breakman will ask you if it detects any warning, then I think the option n is good. n means Add warning to ignore list and add note. Note is a comment.

  • -I: --interactive-ignore. (explain at the FalsePositive)

πŸ“š Brakeman: Ignoring False Positives

Top comments (0)