Last active Aug 31, 2015
Convert Brakeman ignore config file for 3.1

To run, download the raw file. Then run:

ruby convert_ignore.rb your_new_report.json old_brakeman.ignore > new_brakeman.ignore

Then test by pointing Brakeman at the new file and checking that the number of ignored warnings matches what you expect:

brakeman -i new_brakeman.ignore

Assuming all is well, copy the new ignore file to the old location.

Please comment here with questions/problems or open an issue.

require 'json'

abort "convert_ignore.rb [JSON report] [ignore file]" unless ARGV[1]

# Both arguments are file paths: the new 3.1 JSON report and the old ignore config
report = JSON.parse File.read(ARGV[0])
warnings = report["warnings"]

ignore = JSON.parse File.read(ARGV[1])
ignored = ignore["ignored_warnings"]

output = {
  ignored_warnings: [],
  brakeman_version: report["scan_info"]["brakeman_version"]
}

# Fields that must all agree for a warning to be treated as the same one
# when its fingerprint has changed between versions
compare_keys = %w{warning_type message file line link code user_input confidence}

# If a warning was already ignored, the fingerprint hasn't changed and it can
# be added directly, carrying over the old note. Entries matched here are split
# off from `ignored` so the loop below only sees the ones still unmatched.
report["ignored_warnings"].each do |w|
  matched, ignored = ignored.partition { |i| i["fingerprint"] == w["fingerprint"] }

  if matched.empty?
    w["note"] = ""
  else
    w["note"] = matched.first["note"]
  end

  output[:ignored_warnings] << w
end

# Add all ignored warnings with matching fingerprints or matching except for
# expected changes. Including a changed warning code for low confidence XSS.
warnings.each do |w|
  ignored.each do |i|
    if i["fingerprint"] == w["fingerprint"] or
      compare_keys.all? { |k| w[k] == i[k] } # Probably a match

      if w["warning_code"] == i["warning_code"] or
        (w["warning_code"] == 2 and i["warning_code"] == 5) # Changed/fixed in 3.1

        w["note"] = i["note"]
        output[:ignored_warnings] << w
      end
    end
  end
end

puts JSON.pretty_generate output
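The same matching rules as a standalone function over parsed hashes, with constructed sample data, so the expected ignored count can be checked before touching real files. This is an added example, not the gist's own code; `convert_ignore`, `ignore_match?` and `sample_warning` are names assumed here, and the sample entries are not real Brakeman output.

```ruby
require 'json'

# Fields that must all agree for an old entry to count as the same warning
# once its fingerprint changed between Brakeman versions.
COMPARE_KEYS = %w[warning_type message file line link code user_input confidence].freeze

# True if new warning w corresponds to old ignore entry i: same fingerprint or
# identical on every compared key, and an unchanged (or expected 5 -> 2) code.
def ignore_match?(w, i)
  same = i["fingerprint"] == w["fingerprint"] || COMPARE_KEYS.all? { |k| w[k] == i[k] }
  code_ok = w["warning_code"] == i["warning_code"] ||
            (w["warning_code"] == 2 && i["warning_code"] == 5)
  same && code_ok
end

# Builds the new ignore config from a parsed 3.1 report and a parsed old ignore file.
# Surviving entries keep the note from the old file; unmatched old entries drop out.
def convert_ignore(report, ignore)
  pending = ignore["ignored_warnings"].dup
  out = []
  report["ignored_warnings"].each do |w|      # fingerprint unchanged, carry note over
    old = pending.find { |i| i["fingerprint"] == w["fingerprint"] }
    pending.delete(old) if old
    out << w.merge("note" => old ? old["note"] : "")
  end
  report["warnings"].each do |w|              # fingerprint changed, match on content
    old = pending.find { |i| ignore_match?(w, i) }
    out << w.merge("note" => old["note"]) if old
  end
  { "ignored_warnings" => out, "brakeman_version" => report["scan_info"]["brakeman_version"] }
end

# Constructed sample data, not real Brakeman output (fp = fingerprint, code = warning_code).
def sample_warning(fp, code, conf, file)
  { "fingerprint" => fp, "warning_code" => code, "warning_type" => "T", "message" => "m",
    "file" => file, "line" => 1, "link" => "l", "code" => "c", "user_input" => "u",
    "confidence" => conf }
end

SAMPLE_REPORT = {
  "scan_info" => { "brakeman_version" => "3.1.0" },
  "ignored_warnings" => [sample_warning("same", 4, "High", "a.rb")],
  "warnings" => [sample_warning("xss-new", 2, "Weak", "b.rb"),   # was code 5 in old file
                 sample_warning("fresh", 4, "High", "c.rb")]     # genuinely new warning
}
SAMPLE_IGNORE = { "ignored_warnings" => [
  sample_warning("same", 4, "High", "a.rb").merge("note" => "reviewed"),
  sample_warning("xss-old", 5, "Weak", "b.rb").merge("note" => "escaped in view"),
  sample_warning("gone", 4, "High", "z.rb").merge("note" => "fixed") ] }
puts JSON.pretty_generate(convert_ignore(SAMPLE_REPORT, SAMPLE_IGNORE)) if $PROGRAM_NAME == __FILE__
```

With this data two entries survive (the unchanged one and the XSS whose code moved from 5 to 2), while the fixed-and-gone entry is dropped.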