namespace :ci do desc 'Brakeman' task brakeman: 'ci:rugged:setup' do next unless defined?(Rails) require 'ndr_dev_support/rake_ci/brakeman_helper' # Usage: bundle exec rake ci:brakeman @metrics ||= [] @attachments ||= [] brakeman = NdrDevSupport::RakeCI::BrakemanHelper.new brakeman.commit = @commit brakeman.run(strict: false) @metrics.concat(brakeman.metrics) @attachments.concat(brakeman.attachments) brakeman.save_current_fingerprints end namespace :brakeman do desc "Brakeman (strict mode - all issues must be reviewed by Brakeman's interactive mode)" task strict: 'ci:rugged:setup' do next unless defined?(Rails) require 'ndr_dev_support/rake_ci/brakeman_helper' # Usage: bundle exec rake ci:brakeman:strict @metrics ||= [] @attachments ||= [] brakeman = NdrDevSupport::RakeCI::BrakemanHelper.new brakeman.commit = @commit brakeman.run(strict: true) @metrics.concat(brakeman.metrics) @attachments.concat(brakeman.attachments) brakeman.save_current_fingerprints end desc 'Brakeman fingerprint details' task fingerprint_details: 'ci:rugged:setup' do # Usage: bundle exec rake ci:brakeman:fingerprint_details FINGERPRINTS=fp1,fp2,... next unless defined?(Rails) require 'ndr_dev_support/rake_ci/brakeman_helper' require 'brakeman/scanner' require 'brakeman/report/report_text' fingerprints = ENV['FINGERPRINTS'].split(/,/) puts 'Scanning for fingerprints...' puts fingerprints puts brakeman = NdrDevSupport::RakeCI::BrakemanHelper.new brakeman.commit = @commit brakeman.run(strict: false) text_reporter = Brakeman::Report::Text.new(brakeman.tracker) brakeman.warnings.each do |warning| next unless fingerprints.include?(warning.fingerprint) puts puts text_reporter.label('Fingerprint', warning.fingerprint.to_s) puts text_reporter.output_warning(warning) end puts end end end