Background

Brakeman version: 5.4.0
Rails version: 4.0.8
Ruby version: 3.1.2

Issue

I’d like to report some unexpected false negatives noticed when running with the --skip-libs option.

Documentation [1] states that “To skip processing of the lib/ directory…”, one should add --skip-libs. However, this results in Brakeman ignoring much of the app/ directory as well; in fact it appears that only the contents of app/models/ and app/controllers/ are included in this mode. If one wants to skip the lib/ directory, --skip-files lib/ seems to be a better approach.

I believe this is due to file type detection at [2] assuming code is “library” code unless it fits into a small number of alternative classifications. The last sentence in [3] seems to support this.

Admittedly, options.MD also includes the following:

    brakeman --faster

    This will disable some features, but will probably be much faster (currently it is the same as --skip-libs --no-branching). WARNING: This may cause Brakeman to miss some vulnerabilities.

But given the other mention of --skip-libs applying to lib/, a reasonable reader might assume that --no-branching is the cause for the above warning.

Reproducer:

Expected results: Given that there are no warnings from lib/, both outputs should include the same warnings.

Actual results: skip_libs.json misses a warning in app/helpers/sessions_helper.rb.

If this behavior is intended (as it appears to be), the documentation should more clearly state the potential impact of running with --skip-libs.

Thanks!

Hi @kevinjacobs - you are right, thank you for reporting this. It should be equivalent to --skip-files lib/ (or maybe --skip-files /lib/) but due to the change to scan (almost) every Ruby file, it no longer matches.
[1] https://brakemanscanner.org/docs/options/
[2] https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/processors/lib/file_type_detector.rb#L16
[3] #1554
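One way to check for the kind of false negative described in this report, as an added example that is not code from the Brakeman project or from the issue: the script below takes two Brakeman JSON reports (for instance one from brakeman -o full.json, or brakeman --skip-files lib/ -o full.json, and one from brakeman --skip-libs -o skip_libs.json) and lists every warning that disappeared in the second, separating warnings under a deliberately skipped prefix such as lib/ from warnings anywhere else, which are the unexpected ones. It relies only on the "warnings" array and the "fingerprint", "file", "line", "warning_type" and "confidence" keys of Brakeman's JSON output. The two embedded reports are constructed sample data; they include a lib/ warning, which the reporter's app did not have, so that both outcomes are shown.

```ruby
# Added example, not part of Brakeman or of the issue above.
# Compares a baseline Brakeman JSON report with a reduced one (e.g. produced
# with --skip-libs) and reports warnings that went missing, split into those
# under an intentionally skipped path prefix and those that were not.
# Assumed report shape: {"warnings": [{"fingerprint", "file", "line",
# "warning_type", "confidence", ...}, ...]} as written by brakeman -f json.
require "json"

# Constructed sample reports standing in for real brakeman -o output.
FULL_REPORT = <<~REPORT
{
  "warnings": [
    {"warning_type": "Mass Assignment", "fingerprint": "aaa111",
     "file": "app/controllers/users_controller.rb", "line": 12, "confidence": "High"},
    {"warning_type": "Cross-Site Scripting", "fingerprint": "bbb222",
     "file": "app/helpers/sessions_helper.rb", "line": 7, "confidence": "Medium"},
    {"warning_type": "Command Injection", "fingerprint": "ccc333",
     "file": "lib/tasks/deploy.rake", "line": 3, "confidence": "High"}
  ]
}
REPORT

# Constructed: the same app scanned with --skip-libs, where both the helper
# warning and the lib/ warning are gone.
SKIP_LIBS_REPORT = <<~REPORT
{
  "warnings": [
    {"warning_type": "Mass Assignment", "fingerprint": "aaa111",
     "file": "app/controllers/users_controller.rb", "line": 12, "confidence": "High"}
  ]
}
REPORT

# Index a report's warnings by fingerprint, Brakeman's stable warning identity,
# so that a warning is matched across runs even if its message text changes.
def warnings_by_fingerprint(report_json)
  JSON.parse(report_json).fetch("warnings", []).each_with_object({}) do |w, h|
    h[w.fetch("fingerprint")] = w
  end
end

# Warnings present in the baseline report but absent from the reduced one,
# in baseline order.
def missing_warnings(baseline_json, reduced_json)
  base = warnings_by_fingerprint(baseline_json)
  reduced = warnings_by_fingerprint(reduced_json)
  (base.keys - reduced.keys).map { |fp| base[fp] }
end

# Split the missing warnings into those an option such as --skip-files lib/
# is meant to drop (file under one of the skipped prefixes) and those it is
# not, which are the unexpected false negatives.
def classify_missing(baseline_json, reduced_json, skipped_prefixes: ["lib/"])
  expected, unexpected = missing_warnings(baseline_json, reduced_json).partition do |w|
    skipped_prefixes.any? { |prefix| w["file"].start_with?(prefix) }
  end
  { expected: expected, unexpected: unexpected }
end

def format_warning(w)
  "#{w['file']}:#{w['line']} #{w['warning_type']} (#{w['confidence']}, #{w['fingerprint']})"
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby compare_reports.rb full.json skip_libs.json
  # With no arguments the constructed sample reports above are compared.
  baseline = ARGV[0] ? File.read(ARGV[0]) : FULL_REPORT
  reduced  = ARGV[1] ? File.read(ARGV[1]) : SKIP_LIBS_REPORT
  result = classify_missing(baseline, reduced)
  puts "Dropped as intended (#{result[:expected].size}):"
  result[:expected].each { |w| puts "  " + format_warning(w) }
  puts "Unexpected false negatives (#{result[:unexpected].size}):"
  result[:unexpected].each { |w| puts "  " + format_warning(w) }
end
```

Run against the constructed data, the script lists lib/tasks/deploy.rake under "Dropped as intended" and app/helpers/sessions_helper.rb under "Unexpected false negatives", which is exactly the discrepancy the report describes. Matching on fingerprints rather than on file and line keeps the comparison stable across runs that differ only in how code was parsed, and the skipped_prefixes argument can be widened if more than lib/ is intentionally excluded.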