To run, download the raw file. Then run:
ruby convert_ignore.rb your_new_report.json old_brakeman.ignore > new_brakeman.ignore
Then test by pointing Brakeman at the new file and checking the number of ignored warnings matches expected:
brakeman -i new_brakeman.ignore
Assuming all is well, copy the new ignore file to the old location.
Please comment here with questions/problems or open an issue.
| require 'json' | |
| abort "convert_ignore.rb [JSON report] [ignore file]" unless ARGV[1] | |
| report = JSON.parse File.read ARGV[0] | |
| warnings = report["warnings"] | |
| ignore = JSON.parse File.read ARGV[1] | |
| ignored = ignore["ignored_warnings"] | |
| output = { | |
| ignored_warnings: [], | |
| updated: Time.now.to_s, | |
| brakeman_version: report["scan_info"]["brakeman_version"] | |
| } | |
| compare_keys = %w{warning_type message file line link code user_input confidence} | |
| # If a warning was already ignored, the fingerprint hasn't changed and it can | |
| # be added directly | |
| report["ignored_warnings"].each do |w| | |
| deleted = ignored.delete_if { |i| i["fingerprint"] == w["fingerprint"] } | |
| if deleted.empty? | |
| w["note"] = "" | |
| else | |
| w["note"] = deleted.first["note"] | |
| end | |
| output[:ignored_warnings] << w | |
| end | |
| # Add all ignored warnings with matching fingerprints or matching except for | |
| # expected changes. Including a changed warning code for low confidence XSS. | |
| warnings.each do |w| | |
| ignored.each do |i| | |
| if i["fingerprint"] == w["fingerprint"] or | |
| compare_keys.all? { |k| w[k] == i[k] } # Probably a match | |
| if w["warning_code"] == i["warning_code"] or | |
| (w["warning_code"] == 2 and i["warning_code"] == 5) # Changed/fixed in 3.1 | |
| w["note"] = i["note"] | |
| output[:ignored_warnings] << w | |
| end | |
| end | |
| end | |
| end | |
| puts JSON.pretty_generate output |