False negatives due to --skip-libs ignoring app/ files. #1839
Comments
Hi @kevinjacobs - you are right, thank you for reporting this. It should be equivalent to |
Background

Brakeman version: 5.4.0
Rails version: 4.0.8
Ruby version: 3.1.2

Issue

I'd like to report some unexpected false negatives noticed when running with the `--skip-libs` option. Documentation [1] states that "To skip processing of the lib/ directory…", one should add `--skip-libs`. However, this results in Brakeman ignoring much of the `app/` directory as well; in fact it appears that only the contents of `app/models/` and `app/controllers/` are included in this mode. If one wants to skip the `lib/` directory, `--skip-files lib/` seems to be a better approach.

I believe this is due to file type detection at [2] assuming code is "library" code unless it fits into a small number of alternative classifications. The last sentence in [3] seems to support this.

Admittedly, `options.MD` also includes the following:

But given the other mention of `--skip-libs` applying to `lib/`, a reasonable reader might assume that `--no-branching` is the cause for the above warning.

Reproducer:

Expected results: Given that there are no warnings from `lib/`, both outputs should include the same warnings.

Actual results: `skip_libs.json` misses a warning in `app/helpers/sessions_helper.rb`.

If this behavior is intended (as it appears to be), the documentation should more clearly state the potential impact of running with `--skip-libs`.

Thanks!
[1] https://brakemanscanner.org/docs/options/
[2] https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/processors/lib/file_type_detector.rb#L16
[3] #1554
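The comparison the report describes (a baseline Brakeman run against a `--skip-libs` run, with a warning from `app/helpers/` missing in the second), written up as an added Ruby example; it is not part of this issue or of Brakeman itself. It assumes only the `warnings` array and the `fingerprint`, `file`, `line` and `warning_type` fields of Brakeman's JSON report, and the two sample reports are constructed.

```ruby
require 'json'
require 'set'

# Constructed sample reports in the shape of Brakeman's JSON output (only the
# fields this check reads); they are not real scanner output.
FULL_REPORT = <<~JSON
  {"warnings": [
    {"fingerprint": "f1", "warning_type": "Cross-Site Scripting",
     "file": "app/helpers/sessions_helper.rb", "line": 12, "message": "Unescaped parameter value"},
    {"fingerprint": "f2", "warning_type": "SQL Injection",
     "file": "app/models/user.rb", "line": 40, "message": "Possible SQL injection"},
    {"fingerprint": "f3", "warning_type": "Command Injection",
     "file": "lib/tasks/deploy.rb", "line": 7, "message": "Possible command injection"}
  ]}
JSON

SKIP_LIBS_REPORT = <<~JSON
  {"warnings": [
    {"fingerprint": "f2", "warning_type": "SQL Injection",
     "file": "app/models/user.rb", "line": 40, "message": "Possible SQL injection"}
  ]}
JSON

# Warnings present in the baseline report but missing from the report produced
# with a skip option, matched by Brakeman's per-warning fingerprint.
def dropped_warnings(baseline_json, skipped_json)
  kept = JSON.parse(skipped_json).fetch('warnings').map { |w| w['fingerprint'] }.to_set
  JSON.parse(baseline_json).fetch('warnings').reject { |w| kept.include?(w['fingerprint']) }
end

# Dropped warnings whose file is NOT under the directory the option was expected
# to skip: each one is a suspected false negative introduced by the option.
def unexpected_drops(baseline_json, skipped_json, expected_dir: 'lib/')
  dropped_warnings(baseline_json, skipped_json).reject { |w| w['file'].start_with?(expected_dir) }
end

# Count dropped warnings per "dir/subdir" so lost coverage is visible at a glance.
def dropped_by_dir(baseline_json, skipped_json)
  dropped_warnings(baseline_json, skipped_json)
    .group_by { |w| w['file'].split('/').first(2).join('/') }
    .transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  unexpected_drops(FULL_REPORT, SKIP_LIBS_REPORT).each do |w|
    puts "SUSPECTED FALSE NEGATIVE: #{w['file']}:#{w['line']} #{w['warning_type']}"
  end
  p dropped_by_dir(FULL_REPORT, SKIP_LIBS_REPORT)
end
```

Run against two real reports (`brakeman -f json -o full.json` and the same with `--skip-libs`) to confirm that only `lib/` warnings disappear; anything else listed is coverage silently lost.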