Ignore file not working with GH Action Security Scan #1724
Comments
Hi @ds-dustenharrison - can you run with Or you can run with

I added the -I as a start. Looks like a potential formatting issue for the ignore file. We use the ignore file today via circleci and wanted to use it in GH now.
Checks finished, collecting results...
Input file: ./config/brakeman.ignore
Error: Process completed with exit code 1.
I changed Ruby to 3.0.4 - No change
Hi @ds-dustenharrison my suggestion is to run Brakeman locally and compare the fingerprints in the ignore file to the ones Brakeman outputs. If the fingerprints match or other reports filter the warnings, then it's an issue with the SARIF report. Otherwise, the fingerprints just need to be updated. Instead of
you could run
and see if the results change.
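The comparison suggested above, as an added example that is not part of the thread and not Brakeman's own code: it reads a brakeman.ignore file and the `warnings` / `ignored_warnings` arrays of a `brakeman -f json` report and sorts every ignore entry into "honored" (filtered by Brakeman), "leaked" (fingerprint matches but the warning was still emitted, which points at the report/consumer side) or "stale" (fingerprint matches nothing, so it needs regenerating). Both inputs below are constructed samples with made-up fingerprints; the file paths, warning codes and check names are illustrative only.

```ruby
require 'json'

# Constructed sample brakeman.ignore (same shape as the one posted in the
# issue); every fingerprint in this example is made up.
IGNORE_FILE = <<~JSON
  {
    "ignored_warnings": [
      { "warning_type": "SSL Verification Bypass", "warning_code": 71,
        "fingerprint": "aaaa0001", "check_name": "SSLVerify",
        "file": "app/lib/secure_http_client.rb", "line": 14,
        "note": "SSL verification is skipped in local development only" },
      { "warning_type": "Cross-Site Scripting", "warning_code": 2,
        "fingerprint": "bbbb0002", "check_name": "CrossSiteScripting",
        "file": "app/views/users/show.html.erb", "line": 8,
        "note": "value is escaped upstream" },
      { "warning_type": "Redirect", "warning_code": 18,
        "fingerprint": "cccc0003", "check_name": "Redirect",
        "file": "app/controllers/sessions_controller.rb", "line": 21,
        "note": "allow-listed hosts only" }
    ],
    "updated": "2022-08-01 10:00:00 -0500",
    "brakeman_version": "5.2.3"
  }
JSON

# Constructed sample of the parts of `brakeman -f json` output used here.
# Built to exercise all three outcomes: the XSS entry was filtered, the Redirect
# entry's fingerprint still matches yet the warning was emitted anyway, and the
# SSL entry matches nothing because its fingerprint changed (line moved).
REPORT = <<~JSON
  {
    "warnings": [
      { "warning_type": "SSL Verification Bypass", "warning_code": 71,
        "fingerprint": "dddd0004", "file": "app/lib/secure_http_client.rb", "line": 16 },
      { "warning_type": "Redirect", "warning_code": 18,
        "fingerprint": "cccc0003", "file": "app/controllers/sessions_controller.rb", "line": 21 }
    ],
    "ignored_warnings": [
      { "warning_type": "Cross-Site Scripting", "warning_code": 2,
        "fingerprint": "bbbb0002", "file": "app/views/users/show.html.erb", "line": 8 }
    ]
  }
JSON

# Classify each ignore-file entry against the report. Returns a hash with
# :honored, :leaked and :stale fingerprint lists plus :replacements, which maps
# each stale fingerprint to report warnings with the same check and file
# (the likely successor after the code or line number moved).
def compare_ignore_file(ignore_json, report_json)
  entries  = JSON.parse(ignore_json).fetch('ignored_warnings')
  report   = JSON.parse(report_json)
  reported = report.fetch('warnings', [])
  filtered = report.fetch('ignored_warnings', [])
  reported_fps = reported.map { |w| w['fingerprint'] }
  filtered_fps = filtered.map { |w| w['fingerprint'] }

  result = { honored: [], leaked: [], stale: [], replacements: {} }
  entries.each do |entry|
    fp = entry['fingerprint']
    if filtered_fps.include?(fp)
      result[:honored] << fp
    elsif reported_fps.include?(fp)
      # Matching fingerprint but still reported: the ignore file was not applied.
      result[:leaked] << fp
    else
      result[:stale] << fp
      candidates = reported.select do |w|
        w['warning_code'] == entry['warning_code'] && w['file'] == entry['file']
      end
      result[:replacements][fp] = candidates.map { |w| w['fingerprint'] }
    end
  end
  result
end

if $PROGRAM_NAME == __FILE__
  # Usage: ruby check_ignore.rb config/brakeman.ignore report.json
  ignore_json, report_json = ARGV.size == 2 ? ARGV.map { |p| File.read(p) } : [IGNORE_FILE, REPORT]
  r = compare_ignore_file(ignore_json, report_json)
  puts "honored: #{r[:honored].join(', ')}"
  puts "leaked (filter not applied): #{r[:leaked].join(', ')}"
  r[:stale].each { |fp| puts "stale: #{fp} -> probable replacement(s): #{r[:replacements][fp].join(', ')}" }
end
```

Anything in the "leaked" list means Brakeman itself did not filter the warning (so the SARIF report or its consumer is not the cause); a non-empty "stale" list means the ignore file needs regenerating, and the replacements column shows which fresh fingerprint to expect in the regenerated file.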
I'm not getting ignoring to work with GitHub. Maybe they don't support suppressions in the uploaded SARIF? I can see the warning being in Here's my The JSON from
That is the case: github/codeql-action#1230 (comment)
Geez, even when you try to do everything right sometimes it's still not enough 😄
Might have been fixed upstream. Not sure. But it's not a Brakeman issue.
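The thread concludes that the ignored warnings are present in the uploaded SARIF as suppressed results and that the consumer did not honor the suppression. The script below is an added example (not Brakeman's code and not from anyone in the thread) that makes that visible and gives a workaround: it lists each SARIF result with whether it carries a `suppressions` array, which the SARIF 2.1.0 specification defines for results the producing tool has suppressed, and it writes a copy of the log with those results removed so a consumer that ignores suppressions never sees them. The embedded SARIF is a constructed sample; its rule ids, messages and paths are illustrative, and the `$PROGRAM_NAME` block is a hypothetical CLI wrapper.

```ruby
require 'json'

# Constructed minimal SARIF 2.1.0 log in the shape a Brakeman run produces.
# The first result carries `suppressions` (what a producer emits for a finding
# it suppressed itself, here via the ignore file); the second does not.
SARIF = <<~JSON
  {
    "version": "2.1.0",
    "runs": [ {
      "tool": { "driver": { "name": "Brakeman", "rules": [] } },
      "results": [
        { "ruleId": "BRAKE0071", "level": "error",
          "message": { "text": "SSL certificate verification was bypassed" },
          "locations": [ { "physicalLocation": {
            "artifactLocation": { "uri": "app/lib/secure_http_client.rb" },
            "region": { "startLine": 14 } } } ],
          "suppressions": [ { "kind": "external",
            "justification": "SSL verification is skipped in local development only" } ] },
        { "ruleId": "BRAKE0002", "level": "error",
          "message": { "text": "Unescaped parameter value" },
          "locations": [ { "physicalLocation": {
            "artifactLocation": { "uri": "app/views/users/show.html.erb" },
            "region": { "startLine": 8 } } } ] }
      ]
    } ]
  }
JSON

# A result is suppressed when it has at least one suppression object.
def suppressed?(result)
  Array(result['suppressions']).any?
end

# "path:line" of the first physical location, or ":" if the result has none.
def location_of(result)
  loc = result.dig('locations', 0, 'physicalLocation') || {}
  "#{loc.dig('artifactLocation', 'uri')}:#{loc.dig('region', 'startLine')}"
end

# One row per result across all runs: rule, location, suppressed flag and the
# first justification. Tells a SARIF that never had the suppression apart from
# a consumer that dropped it.
def summarize(sarif_json)
  results = JSON.parse(sarif_json)['runs'].flat_map { |run| run['results'] || [] }
  results.map do |r|
    { rule: r['ruleId'], location: location_of(r), suppressed: suppressed?(r),
      justification: Array(r['suppressions']).map { |s| s['justification'] }.compact.first }
  end
end

# Workaround for a consumer that ignores suppressions: remove suppressed
# results before upload. Returns [new_sarif_json, number_of_results_removed].
def strip_suppressed(sarif_json)
  log = JSON.parse(sarif_json)
  removed = 0
  log['runs'].each do |run|
    all  = run['results'] || []
    keep = all.reject { |r| suppressed?(r) }
    removed += all.size - keep.size
    run['results'] = keep
  end
  [JSON.pretty_generate(log), removed]
end

if $PROGRAM_NAME == __FILE__
  # Usage: ruby sarif_suppressions.rb output.sarif.json > filtered.sarif.json
  input = ARGV[0] ? File.read(ARGV[0]) : SARIF
  summarize(input).each do |s|
    warn "#{s[:suppressed] ? 'SUPPRESSED' : 'active    '} #{s[:rule]} #{s[:location]} #{s[:justification]}"
  end
  out, n = strip_suppressed(input)
  warn "removed #{n} suppressed result(s)"
  puts out
end
```

The summary goes to stderr and the filtered SARIF to stdout, so the command in the usage comment can be dropped into a workflow step between the Brakeman run and the upload. Stripping suppressed results loses the audit trail that suppressions give a consumer which does honor them, so only use the filtered file for the consumer that needs it.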
Background
Brakeman version: 5.2.3
Rails version: 3.0.4
Ruby version: 7.0.3
Link to Rails application code: I am unable to supply due to it being in a private repo.
Issue
What problem are you seeing? Here is my command line in the GH Action.
```bash
brakeman -i ./config/brakeman.ignore --format sarif --output output.sarif.json .
```
I see in the logs it is referencing the ignore file when running:
```text
........
Checks finished, collecting results...
Filtering warnings...
Notice: Using './config/brakeman.ignore' to filter warnings
Generating report...
Report saved in 'output.sarif.json'
Error: Process completed with exit code 3.
.......
```
However, it does not seem to be using the ignore file. For example, this is from the ignore file:
```json
{
  "ignored_warnings": [
    {
      "warning_type": "SSL Verification Bypass",
      "warning_code": 71,
      "fingerprint": "6360b930243f37f472df72c8a4b09641121b6c3d32d3f24b0ee1af609afc6908",
      "check_name": "SSLVerify",
      "message": "SSL certificate verification was bypassed",
      "file": "app/lib/secure_http_client.rb",
      "line": 14,
      "link": "https://brakemanscanner.org/docs/warning_types/ssl_verification_bypass/",
      "code": "self.verify_mode = OpenSSL::SSL::VERIFY_NONE",
      "render_path": null,
      "location": {
        "type": "method",
        "class": "SecureHttpClient",
        "method": "initialize"
      },
      "user_input": null,
      "confidence": "High",
      "note": "SSL verification is skipped in local development only"
    },
```
However, in the GH Code Scanning results it is reporting this issue:
app/lib/secure_http_client.rb:14
```ruby
self.use_ssl = true
if Rails.env.development?
  logger.debug 'Disabling Open SSL verification in development environment'
  self.verify_mode = OpenSSL::SSL::VERIFY_NONE  # Brakeman: SSL certificate verification was bypassed.
else
  self.verify_mode = OpenSSL::SSL::VERIFY_PEER
  self.verify_depth = 5
end
```
There are 4 entries in our ignore file, and we see all 4 in the findings uploaded to GH Security.