
Add '#nohusky' tag to Brakeman scans #508

Closed
rafaveira3 opened this issue Sep 30, 2020 · 3 comments · May be fixed by #521
Labels
feature-request New feature request

Comments

@rafaveira3
Contributor

rafaveira3 commented Sep 30, 2020

Motivation

Users nowadays can add the tag #nohusky in their code to avoid false positives in Python and in Go projects. However, this feature is not present yet for Ruby files that use Brakeman as a Security Test (and others).

It would be great if

Any Ruby line of code that has vulnerabilities be skipped by huskyCI analysis if a comment #nohusky is found. If applicable, do the same logic to all security tests? :)

What we expect

If huskyCI finds code like this one, the following output must be ignored and be set as a NoSecHusky vuln:

```
[HUSKYCI][!] Title: Vulnerable Dependency: Command Injection Possible command injection
[HUSKYCI][!] Language: Ruby
[HUSKYCI][!] Tool: Brakeman
[HUSKYCI][!] Confidence: Medium
[HUSKYCI][!] Details: https://brakemanscanner.org/docs/warning_types/command_injection/
[HUSKYCI][!] File: app/controllers/application_controller.rb
[HUSKYCI][!] Line: 4
[HUSKYCI][!] Code: system("ls #{options}")
[HUSKYCI][!] Type: Command Injection
```

Tips
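As an added illustration of the requested behaviour (example code written for this page, not huskyCI's own code: the `Finding` struct, `hasNoHuskyTag`, `applyNoHusky` and the two sample Ruby controllers are all assumptions constructed here), a Go sketch that takes Brakeman findings in the shape of the output above, looks up the reported line in the scanned file, and reclassifies a finding as NoSec only when that exact line carries a `#nohusky` comment. A line number outside the file, or a file the scanner cannot read, leaves the finding visible rather than silently dropping it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding carries the fields huskyCI prints for a Brakeman warning, as shown in
// the issue's example output. The struct is constructed for this example.
type Finding struct {
	Title      string
	Language   string
	Tool       string
	Confidence string
	File       string
	Line       int // 1-based line reported by Brakeman
	Code       string
	Type       string
	Severity   string // "" for a normal finding, "NoSec" once the tag is honoured
}

// nohuskyTag matches the tag written as a Ruby comment ("#nohusky" or "# nohusky").
// Requiring the "#" keeps a bare identifier named nohusky from silencing a finding,
// and Ruby's "#{...}" interpolation (see the Code line above) does not match.
// Known limitation: the same text inside a string literal would also match.
var nohuskyTag = regexp.MustCompile(`#\s*nohusky\b`)

// hasNoHuskyTag reports whether 1-based line `line` of src carries the tag.
// Out-of-range lines never count as tagged, so an unexpected line number
// keeps the finding visible instead of hiding it.
func hasNoHuskyTag(src string, line int) bool {
	lines := strings.Split(src, "\n")
	if line < 1 || line > len(lines) {
		return false
	}
	return nohuskyTag.MatchString(lines[line-1])
}

// applyNoHusky splits findings into those to report and those reclassified as
// NoSec. sources maps a file path (as Brakeman reports it) to the file contents;
// findings whose file is missing from sources are kept unchanged.
func applyNoHusky(findings []Finding, sources map[string]string) (kept, noSec []Finding) {
	for _, f := range findings {
		if src, ok := sources[f.File]; ok && hasNoHuskyTag(src, f.Line) {
			f.Severity = "NoSec"
			noSec = append(noSec, f)
			continue
		}
		kept = append(kept, f)
	}
	return kept, noSec
}

// Constructed sample sources: the first reproduces the issue's example
// (system call on line 4) with the tag added; the second carries no tag.
const taggedController = `class ApplicationController < ActionController::Base
  def index
    options = params[:opts]
    system("ls #{options}") # nohusky
  end
end`

const untaggedController = `class AdminController < ActionController::Base
  def run
    system("ls #{params[:dir]}")
  end
end`

func exampleSources() map[string]string {
	return map[string]string{
		"app/controllers/application_controller.rb": taggedController,
		"app/controllers/admin_controller.rb":       untaggedController,
	}
}

// exampleFindings mirrors the issue's finding plus one for the untagged file.
func exampleFindings() []Finding {
	return []Finding{
		{Title: "Vulnerable Dependency: Command Injection Possible command injection",
			Language: "Ruby", Tool: "Brakeman", Confidence: "Medium",
			File: "app/controllers/application_controller.rb", Line: 4,
			Code: `system("ls #{options}")`, Type: "Command Injection"},
		{Title: "Possible command injection", Language: "Ruby", Tool: "Brakeman",
			Confidence: "Medium", File: "app/controllers/admin_controller.rb", Line: 3,
			Code: `system("ls #{params[:dir]}")`, Type: "Command Injection"},
	}
}

func main() {
	kept, noSec := applyNoHusky(exampleFindings(), exampleSources())
	for _, f := range noSec {
		fmt.Printf("ignored (NoSec): %s:%d %s\n", f.File, f.Line, f.Type)
	}
	for _, f := range kept {
		fmt.Printf("reported: %s:%d %s (%s)\n", f.File, f.Line, f.Type, f.Confidence)
	}
}
```

The check is deliberately tied to the line Brakeman reports rather than to the `Code` field, because the tag lives in the developer's source, not in the scanner's output; reading the file from the checked-out repository is what a real implementation in `brakeman.go` would have to do as well.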

@rafaveira3 rafaveira3 added the hacktoberfest2022 https://opensource.globo.com/hacktoberfest label Sep 30, 2020
@MatheusMuriel

I'll try to work on it.

@victormazevedo

victormazevedo commented Oct 11, 2020

Hey @rafaveira3 ! I'm analyzing this issue and I have a question:

  • I've made some changes in `brakeman.go` to understand and verify if I'm on the right way to solve this issue, but I want to understand more about how to test it. I tried to run `make run-client` with `poc-ruby-brakeman`, but it seems that my changes don't reflect in it. Am I right, or do I need to do something else?

Thank you in advance!

@rafaveira3
Contributor Author

Hey, @victormazevedo! Thanks for taking a look at this issue. What kinds of changes have you done so far? I will be very happy to review any PR related to this. What do you think of opening one with the WIP tag? We can discuss it better there! 😄

@Krlier Krlier added feature-request New feature request and removed hacktoberfest2022 https://opensource.globo.com/hacktoberfest labels Nov 9, 2020
@fguisso fguisso closed this as completed Oct 3, 2022