Re: [brakeman] Brakeman warning parsing

2014-02-18 Thread Aleksandar Simić


> On 18 Feb 2014, at 17:46, Justin Collins wrote:
> 
>> On 02/18/2014 01:26 AM, Aleksandar Simic wrote:
>> 
>> On 17 February 2014 17:02, Justin Collins wrote:
>> 
>>> On 02/17/2014 08:07 AM, Aleksandar Simic wrote:
>>> Hello list,
>>> 
>>> my first posting here.
>>> 
>>> I have a question regarding how to parse warnings issued by brakeman.
>>> 
>>> The full scenario is below.
>>> 
>>> Working on this app at the moment:
>>> 
>>> https://github.com/ministryofjustice/accelerated_claims
>>> 
>>> There is this snippet of code in config/initializers/secret_token.rb:
>>
>> https://github.com/ministryofjustice/accelerated_claims/blob/498a2c81e17ce83baf9b4063ebd74678110d891d/config/initializers/secret_token.rb#L13-L17
>>> 
>>> Which gives this warning when brakeman is run:
>>> 
>>> https://gist.github.com/dotemacs/9053206
>>> 
>>> Is there a way to ignore/omit this warning in any subsequent brakeman
>>> runs, short of grepping out the warning in question?
>>> 
>>> What I'm trying to do is have brakeman set up to run in our CI as a post
>>> build task and flag up any warning should they appear in our code (will
>>> use these instructions: http://brakemanscanner.org/docs/jenkins/setup/ ).
>>> But I'd like to avoid issuing any warnings for known issues.
>>> 
>>> Have you dealt with an issue like this and how did you go about it?
>>> 
>>> Thank you for your time,
>>> Aleksandar
>> 
>> Hi Aleksandar,
>> 
>> It sounds like what you want is for Jenkins to only fail builds when new
>> warnings are introduced. Last I checked, this is not possible[1].
>> 
>> However, it appears it is possible to only send emails regarding
>> new/fixed warnings[2] and avoid marking the build as failed.
>> 
>> In case that's not what you meant, you can also create a configuration
>> file to ignore certain warnings[3].
>> 
>> Hope that helps.
>> 
>> -Justin
>> 
>> [1]
>> https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#comment-58002244
>> 
>> [2]
>> https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#StaticCodeAnalysisPlug-ins-email
>> 
>> [3] brakemanscanner.org/blog/2013/07/17/brakeman-2-dot-1-0-released/
>>
>> 
>> 
>> Hello Justin,
>> 
>> thanks for the thorough response.
>> 
>> 3. was what I was after.
>> 
>> Since you seemed to have integrated this with Jenkins somehow, and
>> taking into account your answer with 1., what I'm wondering is how do
>> you get warnings from new errors/warnings?
>> 
>> What do you think of this approach:
>> 
>> --- shell script ---
>> # capture the report
>> brakeman -o report
>> 
>> # then parse it for errors
>> # and create the error exit status manually
>> # (grep needs the file name; with no file it would wait on stdin)
>> 
>> if [ $(grep -c '+SECURITY WARNINGS+' report) -gt 0 ];
>> then
>>   cat report
>>   exit 1
>> fi
>> --- end of the script ---
>> 
>> I'm guessing that this approach was probably considered. If it was, what
>> was/is the downside of it?
>> 
>> The script above is just a small example, I'd probably expand on it if I
>> were to add it to our CI.
>> 
>> Thanks again,
>> Aleksandar
> 
> 
> Have you tried using the Brakeman plugin for Jenkins already? It 
> provides nice graphs and different ways of drilling into reports, with 
> links to the source code. It's odd to be discussing how to integrate 
> Brakeman with Jenkins without you having tried the plugin and found out 
> what it can and cannot do.

About to be set up.

> That being said, you can use the "-z" flag in Brakeman to set the exit 
> code to non-zero when any (not ignored) warnings are found.

This is just right. Sorry for not spotting this earlier. 

Thanks for Brakeman!

Aleksandar


Re: [brakeman] Brakeman warning parsing

2014-02-18 Thread Justin Collins
On 02/18/2014 01:26 AM, Aleksandar Simic wrote:
>
> On 17 February 2014 17:02, Justin Collins wrote:
>
> On 02/17/2014 08:07 AM, Aleksandar Simic wrote:
> > Hello list,
> >
> > my first posting here.
> >
> > I have a question regarding how to parse warnings issued by brakeman.
> >
> > The full scenario is below.
> >
> > Working on this app at the moment:
> >
> > https://github.com/ministryofjustice/accelerated_claims
> >
> > There is this snippet of code in config/initializers/secret_token.rb:
> >
> > https://github.com/ministryofjustice/accelerated_claims/blob/498a2c81e17ce83baf9b4063ebd74678110d891d/config/initializers/secret_token.rb#L13-L17
> >
> > Which gives this warning when brakeman is run:
> >
> > https://gist.github.com/dotemacs/9053206
> >
> > Is there a way to ignore/omit this warning in any subsequent brakeman
> > runs, short of grepping out the warning in question?
> >
> > What I'm trying to do is have brakeman set up to run in our CI as a post
> > build task and flag up any warning should they appear in our code (will
> > use these instructions: http://brakemanscanner.org/docs/jenkins/setup/ ).
> > But I'd like to avoid issuing any warnings for known issues.
> >
> > Have you dealt with an issue like this and how did you go about it?
> >
> > Thank you for your time,
> > Aleksandar
>
> Hi Aleksandar,
>
> It sounds like what you want is for Jenkins to only fail builds when new
> warnings are introduced. Last I checked, this is not possible[1].
>
> However, it appears it is possible to only send emails regarding
> new/fixed warnings[2] and avoid marking the build as failed.
>
> In case that's not what you meant, you can also create a configuration
> file to ignore certain warnings[3].
>
> Hope that helps.
>
> -Justin
>
> [1]
> 
> https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#comment-58002244
>
> [2]
> 
> https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#StaticCodeAnalysisPlug-ins-email
>
> [3] brakemanscanner.org/blog/2013/07/17/brakeman-2-dot-1-0-released/
> 
>
>
> Hello Justin,
>
> thanks for the thorough response.
>
> 3. was what I was after.
>
> Since you seemed to have integrated this with Jenkins somehow, and
> taking into account your answer with 1., what I'm wondering is how do
> you get warnings from new errors/warnings?
>
> What do you think of this approach:
>
> --- shell script ---
> # capture the report
> brakeman -o report
>
> # then parse it for errors
> # and create the error exit status manually
> # (grep needs the file name; with no file it would wait on stdin)
>
> if [ $(grep -c '+SECURITY WARNINGS+' report) -gt 0 ];
> then
>   cat report
>   exit 1
> fi
> --- end of the script ---
>
> I'm guessing that this approach was probably considered. If it was, what
> was/is the downside of it?
>
> The script above is just a small example, I'd probably expand on it if I
> were to add it to our CI.
>
> Thanks again,
> Aleksandar


Have you tried using the Brakeman plugin for Jenkins already? It 
provides nice graphs and different ways of drilling into reports, with 
links to the source code. It's odd to be discussing how to integrate 
Brakeman with Jenkins without you having tried the plugin and found out 
what it can and cannot do.

That being said, you can use the "-z" flag in Brakeman to set the exit 
code to non-zero when any (not ignored) warnings are found.

-Justin


Re: [brakeman] Brakeman warning parsing

2014-02-18 Thread Aleksandar Simic
On 17 February 2014 17:02, Justin Collins wrote:

> On 02/17/2014 08:07 AM, Aleksandar Simic wrote:
> > Hello list,
> >
> > my first posting here.
> >
> > I have a question regarding how to parse warnings issued by brakeman.
> >
> > The full scenario is below.
> >
> > Working on this app at the moment:
> >
> > https://github.com/ministryofjustice/accelerated_claims
> >
> > There is this snippet of code in config/initializers/secret_token.rb:
> >
> >
> https://github.com/ministryofjustice/accelerated_claims/blob/498a2c81e17ce83baf9b4063ebd74678110d891d/config/initializers/secret_token.rb#L13-L17
> >
> > Which gives this warning when brakeman is run:
> >
> > https://gist.github.com/dotemacs/9053206
> >
> > Is there a way to ignore/omit this warning in any subsequent brakeman
> > runs, short of grepping out the warning in question?
> >
> > What I'm trying to do is have brakeman set up to run in our CI as a post
> > build task and flag up any warning should they appear in our code (will
> > use these instructions: http://brakemanscanner.org/docs/jenkins/setup/).
> > But I'd like to avoid issuing any warnings for known issues.
> >
> > Have you dealt with an issue like this and how did you go about it?
> >
> > Thank you for your time,
> > Aleksandar
>
> Hi Aleksandar,
>
> It sounds like what you want is for Jenkins to only fail builds when new
> warnings are introduced. Last I checked, this is not possible[1].
>
> However, it appears it is possible to only send emails regarding
> new/fixed warnings[2] and avoid marking the build as failed.
>
> In case that's not what you meant, you can also create a configuration
> file to ignore certain warnings[3].
>
> Hope that helps.
>
> -Justin
>
> [1]
>
> https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#comment-58002244
>
> [2]
>
> https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#StaticCodeAnalysisPlug-ins-email
>
> [3] brakemanscanner.org/blog/2013/07/17/brakeman-2-dot-1-0-released/


Hello Justin,

thanks for the thorough response.

3. was what I was after.

Since you seemed to have integrated this with Jenkins somehow, and taking
into account your answer with 1., what I'm wondering is how do you get
warnings from new errors/warnings?

What do you think of this approach:

--- shell script ---
# capture the report
brakeman -o report

# then parse it for errors
# and create the error exit status manually
# (grep needs the file name; with no file it would wait on stdin)

if [ $(grep -c '+SECURITY WARNINGS+' report) -gt 0 ];
then
  cat report
  exit 1
fi
--- end of the script ---

I'm guessing that this approach was probably considered. If it was, what
was/is the downside of it?

The script above is just a small example, I'd probably expand on it if I
were to add it to our CI.

Thanks again,
Aleksandar
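An added example (not from this thread and not Brakeman's own code) of the "fail only on new warnings" gate asked about above, working on Brakeman's JSON report (`brakeman -f json -o report.json`) instead of grepping the text report: each warning's `fingerprint` is checked against the `ignored_warnings` in a `config/brakeman.ignore` file of the kind introduced with Brakeman 2.1.0 (Justin's [3]), and the step exits non-zero only for warnings not already recorded there. The sample report and ignore file are constructed for the example, modelled on the secret_token.rb case in the thread, and are not real Brakeman output.

```ruby
# Added example: fail a CI step only on Brakeman warnings whose fingerprint is
# not already accepted in config/brakeman.ignore. Not Brakeman's own code.
require 'json'

# Warnings in a Brakeman JSON report (`brakeman -f json`) whose fingerprint
# is absent from the ignore file. Both arguments are already-parsed JSON.
def new_warnings(report, ignore)
  known = ignore.fetch('ignored_warnings', []).map { |w| w['fingerprint'] }
  report.fetch('warnings', []).reject { |w| known.include?(w['fingerprint']) }
end

# One line per warning, the way a CI log reader wants to see it.
def describe(w)
  "#{w['confidence']} #{w['warning_type']} in #{w['file']}:#{w['line']}: #{w['message']}"
end

# Exit status for the CI step: 1 when an un-ignored warning remains, else 0.
def exit_status(report, ignore)
  new_warnings(report, ignore).empty? ? 0 : 1
end

# Constructed sample data (not real Brakeman output): two warnings, one of
# which has already been reviewed and recorded in the ignore file.
SAMPLE_REPORT = JSON.parse(<<~JSON)
  {"warnings": [
    {"warning_type": "Session Setting", "fingerprint": "fp-accepted-0001",
     "message": "Session secret should not be included in version control",
     "file": "config/initializers/secret_token.rb", "line": 13, "confidence": "High"},
    {"warning_type": "SQL Injection", "fingerprint": "fp-new-0002",
     "message": "Possible SQL injection",
     "file": "app/models/claim.rb", "line": 42, "confidence": "Medium"}
  ]}
JSON

SAMPLE_IGNORE = JSON.parse(<<~JSON)
  {"ignored_warnings": [
    {"fingerprint": "fp-accepted-0001", "note": "secret is read from ENV in production"}
  ]}
JSON

# CI entry point: ruby brakeman_gate.rb report.json [config/brakeman.ignore]
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  report = JSON.parse(File.read(ARGV[0]))
  ignore_path = ARGV.fetch(1, 'config/brakeman.ignore')
  ignore = File.exist?(ignore_path) ? JSON.parse(File.read(ignore_path)) : {}
  new_warnings(report, ignore).each { |w| puts describe(w) }
  exit exit_status(report, ignore)
end
```

Because the ignore file is committed alongside the code, accepting a warning is a reviewable change rather than a grep pattern hidden in the CI job.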


Re: [brakeman] Brakeman warning parsing

2014-02-17 Thread Justin Collins
On 02/17/2014 08:07 AM, Aleksandar Simic wrote:
> Hello list,
>
> my first posting here.
>
> I have a question regarding how to parse warnings issued by brakeman.
>
> The full scenario is below.
>
> Working on this app at the moment:
>
> https://github.com/ministryofjustice/accelerated_claims
>
> There is this snippet of code in config/initializers/secret_token.rb:
>
> https://github.com/ministryofjustice/accelerated_claims/blob/498a2c81e17ce83baf9b4063ebd74678110d891d/config/initializers/secret_token.rb#L13-L17
>
> Which gives this warning when brakeman is run:
>
> https://gist.github.com/dotemacs/9053206
>
> Is there a way to ignore/omit this warning in any subsequent brakeman
> runs, short of grepping out the warning in question?
>
> What I'm trying to do is have brakeman set up to run in our CI as a post
> build task and flag up any warning should they appear in our code (will
> use these instructions: http://brakemanscanner.org/docs/jenkins/setup/ ).
> But I'd like to avoid issuing any warnings for known issues.
>
> Have you dealt with an issue like this and how did you go about it?
>
> Thank you for your time,
> Aleksandar

Hi Aleksandar,

It sounds like what you want is for Jenkins to only fail builds when new 
warnings are introduced. Last I checked, this is not possible[1].

However, it appears it is possible to only send emails regarding 
new/fixed warnings[2] and avoid marking the build as failed.

In case that's not what you meant, you can also create a configuration 
file to ignore certain warnings[3].

Hope that helps.

-Justin

[1] 
https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#comment-58002244

[2] 
https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#StaticCodeAnalysisPlug-ins-email

[3] brakemanscanner.org/blog/2013/07/17/brakeman-2-dot-1-0-released/


[brakeman] Brakeman warning parsing

2014-02-17 Thread Aleksandar Simic
Hello list,

my first posting here.

I have a question regarding how to parse warnings issued by brakeman.

The full scenario is below.

Working on this app at the moment:

https://github.com/ministryofjustice/accelerated_claims

There is this snippet of code in config/initializers/secret_token.rb:

https://github.com/ministryofjustice/accelerated_claims/blob/498a2c81e17ce83baf9b4063ebd74678110d891d/config/initializers/secret_token.rb#L13-L17

Which gives this warning when brakeman is run:

https://gist.github.com/dotemacs/9053206

Is there a way to ignore/omit this warning in any subsequent brakeman runs,
short of grepping out the warning in question?

What I'm trying to do is have brakeman set up to run in our CI as a post
build task and flag up any warning should they appear in our code (will use
these instructions: http://brakemanscanner.org/docs/jenkins/setup/ ).
But I'd like to avoid issuing any warnings for known issues.

Have you dealt with an issue like this and how did you go about it?

Thank you for your time,
Aleksandar