Convert Brakeman ignore config file for 3.1

To run, download the raw file. Then run:

```
ruby convert_ignore.rb your_new_report.json old_brakeman.ignore > new_brakeman.ignore
```

Then test by pointing Brakeman at the new file and checking that the number of ignored warnings matches what you expect:

```
brakeman -i new_brakeman.ignore
```

Assuming all is well, copy the new ignore file to the old location.

Please comment here with questions/problems or open an issue.

```ruby
require 'json'

abort "convert_ignore.rb [JSON report] [ignore file]" unless ARGV[1]

# Read and parse the new JSON report and the old ignore file
report = JSON.parse File.read(ARGV[0])
warnings = report["warnings"]

ignore = JSON.parse File.read(ARGV[1])
ignored = ignore["ignored_warnings"]

output = {
  ignored_warnings: [],
  brakeman_version: report["scan_info"]["brakeman_version"]
}

compare_keys = %w{warning_type message file line link code user_input confidence}

# If a warning was already ignored, the fingerprint hasn't changed and it can
# be added directly
report["ignored_warnings"].each do |w|
  # Split off the old entries with this fingerprint; keep the rest for later
  deleted, ignored = ignored.partition { |i| i["fingerprint"] == w["fingerprint"] }

  if deleted.empty?
    w["note"] = ""
  else
    w["note"] = deleted.first["note"]
  end

  output[:ignored_warnings] << w
end

# Add all ignored warnings with matching fingerprints or matching except for
# expected changes. Including a changed warning code for low confidence XSS.
warnings.each do |w|
  ignored.each do |i|
    if i["fingerprint"] == w["fingerprint"] or
       compare_keys.all? { |k| w[k] == i[k] } # Probably a match

      if w["warning_code"] == i["warning_code"] or
         (w["warning_code"] == 2 and i["warning_code"] == 5) # Changed/fixed in 3.1

        w["note"] = i["note"]
        output[:ignored_warnings] << w
      end
    end
  end
end

puts JSON.pretty_generate output
```
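The test step above compares only the number of ignored warnings. The following script is an added example, not part of the original gist or of Brakeman: it compares the old and new ignore files entry by entry, using only the fields the conversion script reads. The method names `same_warning?`, `audit_ignore` and `entry`, and the sample entries, are constructed for illustration.

```ruby
require 'json'

# Keys the conversion script compares when fingerprints differ.
COMPARE_KEYS = %w[warning_type message file line link code user_input confidence]

# True when an old and a new ignore entry describe the same warning.
def same_warning?(old, cur)
  old["fingerprint"] == cur["fingerprint"] ||
    COMPARE_KEYS.all? { |k| old[k] == cur[k] }
end

# Compare two parsed ignore files (hashes with an "ignored_warnings" array).
def audit_ignore(old_ignore, new_ignore)
  old_w = old_ignore["ignored_warnings"]
  new_w = new_ignore["ignored_warnings"]
  dropped = old_w.reject { |o| new_w.any? { |n| same_warning?(o, n) } }
  notes_lost = old_w.select do |o|
    n = new_w.find { |x| same_warning?(o, x) }
    n && !o["note"].to_s.empty? && n["note"].to_s.empty?
  end
  duplicates = new_w.group_by { |n| n["fingerprint"] }
                    .select { |_, g| g.size > 1 }.keys
  { old_count: old_w.size, new_count: new_w.size,
    dropped: dropped, notes_lost: notes_lost, duplicates: duplicates }
end

# Constructed sample entry (hypothetical values, not real Brakeman output).
def entry(fingerprint, file, line, note)
  { "fingerprint" => fingerprint, "warning_type" => "SQL Injection",
    "message" => "m", "file" => file, "line" => line, "link" => "l",
    "code" => "c", "user_input" => "u", "confidence" => "High", "note" => note }
end

OLD_SAMPLE = { "ignored_warnings" => [
  entry("aaa", "app/models/a.rb", 10, "reviewed"),
  entry("bbb", "app/models/b.rb", 20, "false positive"),
  entry("ccc", "app/models/c.rb", 30, "")
] }
NEW_SAMPLE = { "ignored_warnings" => [
  entry("aaa", "app/models/a.rb", 10, "reviewed"),
  entry("zzz", "app/models/b.rb", 20, ""), # fingerprint changed, note lost
  entry("zzz", "app/models/b.rb", 20, "")  # same warning added twice
] }

# Use two real ignore files when given as arguments, else the samples.
files = ARGV.size == 2 ? ARGV.map { |p| JSON.parse(File.read(p)) } : nil
old, cur = files || [OLD_SAMPLE, NEW_SAMPLE]
r = audit_ignore(old, cur)
puts "old=#{r[:old_count]} new=#{r[:new_count]} duplicates=#{r[:duplicates].inspect}"
r[:dropped].each    { |w| puts "dropped:   #{w['file']}:#{w['line']} #{w['warning_type']}" }
r[:notes_lost].each { |w| puts "note lost: #{w['file']}:#{w['line']} #{w['note']}" }
```

In the constructed sample both files hold three entries, yet one old entry was dropped, one note was lost and one warning appears twice, so a review of the listed entries is worthwhile before copying the new file into place.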