globocom · victormazevedo · Oct 12, 2020
diff --git a/api/go.sum b/api/go.sum
@@ -53,6 +53,7 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/globocom/glbgelf v0.0.0-20190310030100-36e52796d86a h1:4xPuLeesHeiGJkHlUqTDNMt8lsM76UTiheumSY0+NAM=
 github.com/globocom/glbgelf v0.0.0-20190310030100-36e52796d86a/go.mod h1:V9F16sV6PJnoYnOmyswcE8nB/vOyaFPjg/4Ie6q6EyQ=
+github.com/globocom/huskyCI v0.3.0 h1:T7zqrCGeQp/LMiFfZWBtX/NGVZcc/8Bt0PQ1VoUDCKY=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=

diff --git a/api/securitytest/brakeman.go b/api/securitytest/brakeman.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/globocom/huskyCI/api/log"
 	"github.com/globocom/huskyCI/api/types"
+	"github.com/globocom/huskyCI/api/util"
 )
 
 // BrakemanOutput is the struct that holds issues and stats found on a Brakeman scan.
@@ -61,6 +62,10 @@ func (brakemanScan *SecTestScanInfo) prepareBrakemanVulns() {
 		brakemanVuln := types.HuskyCIVulnerability{}
 		brakemanVuln.Language = "Ruby"
 		brakemanVuln.SecurityTool = "Brakeman"
+		noHuskyInLine := util.VerifyNoHusky(warning.Code, warning.Line, brakemanVuln.SecurityTool)
+		if noHuskyInLine {
+			warning.Confidence = "NoSec"
+		}
 		brakemanVuln.Confidence = warning.Confidence
 		brakemanVuln.Title = fmt.Sprintf("Vulnerable Dependency: %s %s", warning.Type, warning.Message)
 		brakemanVuln.Details = warning.Details
@@ -70,6 +75,8 @@ func (brakemanScan *SecTestScanInfo) prepareBrakemanVulns() {
 		brakemanVuln.Type = warning.Type
 
 		switch brakemanVuln.Confidence {
+		case "NoSec":
+			huskyCIbrakemanResults.NoSecVulns = append(huskyCIbrakemanResults.NoSecVulns, brakemanVuln)
 		case "High":
 			huskyCIbrakemanResults.HighVulns = append(huskyCIbrakemanResults.HighVulns, brakemanVuln)
 		case "Medium":

diff --git a/api/util/util.go b/api/util/util.go
@@ -239,7 +239,8 @@ func banditCase(code string, lineNumber int) bool {
 // VerifyNoHusky verifies if the code string is marked with the #nohusky tag.
 func VerifyNoHusky(code string, lineNumber int, securityTool string) bool {
 	m := map[string]types.NohuskyFunction{
-		"Bandit": banditCase,
+		"Bandit":   banditCase,
+		"Brakeman": banditCase,
 	}
 
 	return m[securityTool](code, lineNumber)

diff --git a/api/util/util_test.go b/api/util/util_test.go
@@ -304,6 +304,9 @@ Line4`
 		rawLineNumberSliceInteger := []int{1, 2}
 		rawSecurityToolSliceString := []string{"Bandit"}
 
+		rawBrakemanCodeSliceString := []string{"1 def test(options)\n2 system('ls #{options}') # #nohusky"}
+		rawBrakemanSecurityToolSliceString := []string{"Brakeman"}
+
 		Context("Bandit: When line number doesn't match the one in the code string", func() {
 			It("Should return false.", func() {
 				Expect(util.VerifyNoHusky(rawBanditCodeSliceString[0], rawLineNumberSliceInteger[0], rawSecurityToolSliceString[0])).To(BeFalse())
@@ -321,5 +324,24 @@ Line4`
 				Expect(util.VerifyNoHusky(rawBanditCodeSliceString[0], rawLineNumberSliceInteger[0], rawSecurityToolSliceString[0])).To(BeFalse())
 			})
 		})
+
+		Context("Brakeman: When line number doesn't match the one in the code string", func() {
+			It("Should return false.", func() {
+				Expect(util.VerifyNoHusky(rawBrakemanCodeSliceString[0], rawLineNumberSliceInteger[0], rawBrakemanSecurityToolSliceString[0])).To(BeFalse())
+			})
+		})
+
+		Context("Brakeman: When line number matches the one in the code string", func() {
+			It("Should return true.", func() {
+				Expect(util.VerifyNoHusky(rawBrakemanCodeSliceString[0], rawLineNumberSliceInteger[1], rawBrakemanSecurityToolSliceString[0])).To(BeTrue())
+			})
+		})
+
+		Context("Brakeman: When line number doesn't match the one in the code string", func() {
+			It("Should return false.", func() {
+				Expect(util.VerifyNoHusky(rawBrakemanCodeSliceString[0], rawLineNumberSliceInteger[0], rawBrakemanSecurityToolSliceString[0])).To(BeFalse())
+			})
+		})
+
 	})
 })
diff --git a/client/analysis/output.go b/client/analysis/output.go
@@ -75,7 +75,7 @@ func printSTDOUTOutput(analysis types.Analysis) {
 	printAllSummary(analysis)
 }
 
-// prepareAllSummary prepares how many low, medium and high vulnerabilites were found.
+// prepareAllSummary prepares how many low, medium, high and nosec vulnerabilites were found.
 func prepareAllSummary(analysis types.Analysis) {
 	var totalNoSec, totalLow, totalMedium, totalHigh int
 
@@ -123,6 +123,7 @@ func prepareAllSummary(analysis types.Analysis) {
 	}
 
 	// Brakeman summary
+	outputJSON.Summary.BrakemanSummary.NoSecVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.NoSecVulns)
 	outputJSON.Summary.BrakemanSummary.LowVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.LowVulns)
 	outputJSON.Summary.BrakemanSummary.MediumVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.MediumVulns)
 	outputJSON.Summary.BrakemanSummary.HighVuln = len(outputJSON.RubyResults.HuskyCIBrakemanOutput.HighVulns)
@@ -198,7 +199,7 @@ func prepareAllSummary(analysis types.Analysis) {
 		types.FoundInfo = true
 	}
 
-	totalNoSec = outputJSON.Summary.BanditSummary.NoSecVuln + outputJSON.Summary.GosecSummary.NoSecVuln + outputJSON.Summary.GitleaksSummary.NoSecVuln
+	totalNoSec = outputJSON.Summary.BanditSummary.NoSecVuln + outputJSON.Summary.GosecSummary.NoSecVuln + outputJSON.Summary.GitleaksSummary.NoSecVuln + outputJSON.Summary.BrakemanSummary.NoSecVuln
 
 	totalLow = outputJSON.Summary.BrakemanSummary.LowVuln + outputJSON.Summary.SafetySummary.LowVuln + outputJSON.Summary.BanditSummary.LowVuln + outputJSON.Summary.GosecSummary.LowVuln + outputJSON.Summary.NpmAuditSummary.LowVuln + outputJSON.Summary.YarnAuditSummary.LowVuln + outputJSON.Summary.GitleaksSummary.LowVuln + outputJSON.Summary.SpotBugsSummary.LowVuln + outputJSON.Summary.TFSecSummary.LowVuln
 

diff --git a/deployments/scripts/generate-local-token.sh b/deployments/scripts/generate-local-token.sh
diff --git a/huskyCI/huskyCI_Placeholder_File b/huskyCI/huskyCI_Placeholder_File
@@ -0,0 +1,4 @@
+
+Placeholder file indicating that no file was associated with this vulnerability.
+This usually means that the vulnerability is related to a missing file
+or is not associated with any specific file, i.e.: vulnerable dependency versions.