diff --git a/OPTIONS.md b/OPTIONS.md
index 90254d820..be0b4d13b 100644
--- a/OPTIONS.md
+++ b/OPTIONS.md
@@ -201,6 +201,10 @@ Brakeman will raise warnings on models that use `attr_protected`. To suppress th
 brakeman --ignore-protected
+To show all ignored warnings without affecting the exit code (i.e. - Will return `0` if the application shows no warnings when simply running `brakeman`):
+
+ brakeman --show-ignored
+
 Brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would cause a warning (Rails 2):
 <%= some_method(:option => params[:input]) %>
diff --git a/README.md b/README.md
index dfbc30320..c1469fe1b 100644
--- a/README.md
+++ b/README.md
@@ -133,6 +133,10 @@ To create and manage this file, use:
 brakeman -I
+If you want to temporarily see the warnings you ignored without affecting the exit code, use:
+
+ brakeman --show-ignored
+
 # Warning information
 See [warning\_types](docs/warning_types) for more information on the warnings reported by this tool.
diff --git a/lib/brakeman.rb b/lib/brakeman.rb
index 69495007e..673bc11cd 100644
--- a/lib/brakeman.rb
+++ b/lib/brakeman.rb
@@ -65,6 +65,7 @@ module Brakeman
 # * :report_routes - show found routes on controllers (default: false)
 # * :run_checks - array of checks to run (run all if not specified)
 # * :safe_methods - array of methods to consider safe
+ # * :show_ignored - Display warnings that are usually ignored
 # * :sql_safe_methods - array of sql sanitization methods to consider safe
 # * :skip_libs - do not process lib/ directory (default: false)
 # * :skip_vendor - do not process vendor/ directory (default: true)
@@ -198,6 +199,7 @@ def self.default_options
 :relative_path => false,
 :report_progress => true,
 :safe_methods => Set.new,
+ :show_ignored => false,
 :sql_safe_methods => Set.new,
 :skip_checks => Set.new,
 :skip_vendor => true,
diff --git a/lib/brakeman/options.rb b/lib/brakeman/options.rb
index c751e7cd2..abce61eee 100644
--- a/lib/brakeman/options.rb
+++ b/lib/brakeman/options.rb
@@ -295,6 +295,10 @@ def create_option_parser options
 options[:interactive_ignore] = true
 end
+ opts.on "--show-ignored", "Show files that are usually ignored by the ignore configuration file" do options[:show_ignored] = true end
+
 opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
 options[:combine_locations] = combine
 end
diff --git a/lib/brakeman/report/report_text.rb b/lib/brakeman/report/report_text.rb
index 827027255..094868970 100644
--- a/lib/brakeman/report/report_text.rb
+++ b/lib/brakeman/report/report_text.rb
@@ -21,6 +21,9 @@ def generate_report
 add_chunk generate_obsolete
 add_chunk generate_errors
 add_chunk generate_warnings
+ add_chunk generate_show_ignored_overview if tracker.options[:show_ignored] && ignored_warnings.any?
+
+ @output_string
 end
 def add_chunk chunk, out = @output_string
@@ -101,6 +104,10 @@ def generate_warnings
 end
 end
+ def generate_show_ignored_overview double_space("Ignored Warnings", ignored_warnings.map {|w| output_warning w}) end
+
 def generate_errors
 return if tracker.errors.empty?
 full_trace = tracker.options[:debug]
diff --git a/test/tests/commandline.rb b/test/tests/commandline.rb
index 81f0d98bd..3c071a4e3 100644
--- a/test/tests/commandline.rb
+++ b/test/tests/commandline.rb
@@ -135,6 +135,13 @@ def test_exit_on_warn_no_warnings
 end
 end
+ # Assert default when using `--show-ignored` flag. def test_show_ignored_warnings assert_exit Brakeman::Warnings_Found_Exit_Code do scan_app "--show-ignored" end end
+
 def test_compare_deactivates_ensure_ignore_notes
 opts, = Brakeman::Commandline.parse_options [
 '--ensure-ignore-notes',
diff --git a/test/tests/options.rb b/test/tests/options.rb
index cdf94fadc..a4b91dc7b 100644
--- a/test/tests/options.rb
+++ b/test/tests/options.rb
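Review bot: The help string on the new `opts.on "--show-ignored"` line says the flag shows *files*, but what the feature renders is ignored warnings (report_text.rb maps over `ignored_warnings`, and the option list in lib/brakeman.rb in this same commit describes it as "Display warnings that are usually ignored"); `-h` output is the first thing a user reads, so the three descriptions should agree. Suggest `opts.on "--show-ignored", "Show warnings suppressed by the ignore configuration file" do`, and align the lib/brakeman.rb comment to the same wording. create_option_parser's body starts and ends outside the hunk.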
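Review bot: The added `add_chunk generate_show_ignored_overview if tracker.options[:show_ignored] && ignored_warnings.any?` line wires the option into the text reporter only; as far as this diff shows no other report format reads `:show_ignored`, so combining the flag with a non-text output (for example `-f json` in a CI pipeline) would presumably behave as if the flag were absent, with no message saying so. Either apply the option in the other reporters or state in the option help and OPTIONS.md that it affects the text report only. A why-comment on the added line would also help the next reader, e.g. `# Listed for review only: per README/OPTIONS.md, ignored warnings must not change the exit code.` generate_report's body begins outside the hunk.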
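Review bot: generate_show_ignored_overview renders each ignored warning through `output_warning`, the same formatter as live warnings, so the only thing that distinguishes a suppressed finding from an active one is the "Ignored Warnings" heading, and the reason it was suppressed is not shown at all; the `--ensure-ignore-notes` option referenced in test/tests/commandline.rb suggests ignore entries carry a note, and surfacing that note next to each entry is what someone re-auditing suppressions needs most (whether the warning object exposes the note is not visible here, so this may need a lookup against the ignore configuration). For consistency with the sibling methods `generate_warnings`, `generate_errors` and `generate_obsolete`, `generate_ignored_warnings` would be the expected name. A one-line doc comment would also help, e.g. `# Section listing warnings suppressed by the ignore file; only emitted when :show_ignored is set.`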
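Review bot: test_show_ignored_warnings asserts `Brakeman::Warnings_Found_Exit_Code`, which is presumably what the same `scan_app` call returns without the flag, so the test does not exercise the property the README and OPTIONS.md promise in this commit: that ignored warnings are displayed without changing the exit code. A second test that scans with an ignore file covering every warning and asserts the no-warnings exit code used by test_exit_on_warn_no_warnings just above would pin that behaviour, and would catch a future reporter change that counts the listed ignored warnings as findings. The added comment `# Assert default when using `--show-ignored` flag.` could then read `# --show-ignored lists ignored warnings but must not change the exit code.`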
@@ -25,6 +25,7 @@ class BrakemanOptionsTest < Minitest::Test
 :absolute_paths => "--absolute-paths",
 :list_checks => "-k",
 :list_optional_checks => "--optional-checks",
+ :show_ignored => "--show-ignored",
 :show_version => "-v",
 :show_help => "-h",
 :force_scan => "--force-scan",
@@ -252,6 +253,11 @@ def test_ignore_file_option
 assert_equal "dont_warn_for_these.rb", options[:ignore_file]
 end
+ def test_show_ignored_option options = setup_options_from_input("--show-ignored") assert options[:show_ignored] end
+
 def test_combine_warnings_option
 options = setup_options_from_input("--combine-locations")
 assert options[:combine_locations]