Consider getting rid of the brakeman gem
It seems we don't use Brakeman except for the `brakeman` rake task (`lib/tasks/brakeman.rake`: `if system(*%w(brakeman --no-progress --skip-files lib/backup/repository.rb -w3 -z))`), which I think no one is actually using since we have a `brakeman-sast` job in our pipelines: `.gitlab/ci/reports.gitlab-ci.yml:brakeman-sast`.

Here is the result of `git grep brakeman -- :^doc`:
```
.gitlab/ci/reports.gitlab-ci.yml:brakeman-sast:
.gitlab/ci/reports.gitlab-ci.yml: name: "$SAST_ANALYZER_IMAGE_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
CHANGELOG.md:- Bring SAST to Core - brakeman. !34217
CHANGELOG.md:- Bring SAST to Core - brakeman. !34217
Gemfile: gem 'brakeman', '~> 4.10.0', require: false
Gemfile.lock: brakeman (4.10.1)
Gemfile.lock: brakeman (~> 4.10.0)
app/validators/json_schemas/security_ci_configuration_schemas/sast_ui_schema.json: "name": "brakeman",
changelogs/archive-10.md:- Update brakeman 3.6.1 to 4.2.1. !18122 (Takuya Noguchi)
changelogs/archive.md:- Add brakeman (security scanner for Ruby on Rails)
ee/spec/frontend/security_configuration/sast/mock_data.js: name: 'brakeman',
ee/spec/lib/ee/gitlab/background_migration/populate_vulnerability_feedback_pipeline_id_spec.rb: build = builds.create!(project_id: project_id, name: 'brakeman', retried: false, commit_id: pipeline.id, type: 'Ci::Build')
ee/spec/lib/gitlab/ci/reports/security/identifier_spec.rb: external_type: 'brakeman_warning_code',
ee/spec/lib/gitlab/ci/reports/security/identifier_spec.rb: url: 'https://brakemanscanner.org/docs/warning_types/cross_site_scripting/'
ee/spec/lib/gitlab/ci/reports/security/identifier_spec.rb: external_type: 'brakeman_warning_code',
ee/spec/lib/gitlab/ci/reports/security/identifier_spec.rb: url: 'https://brakemanscanner.org/docs/warning_types/cross_site_scripting/'
ee/spec/lib/gitlab/ci/reports/security/identifier_spec.rb: 'CVE' | '2018-1234' | 'brakeman_code' | '2018-1234' | false | 'when external_type is different'
ee/spec/lib/gitlab/ci/reports/security/scanner_spec.rb: external_id: 'brakeman',
ee/spec/lib/gitlab/ci/reports/security/scanner_spec.rb: external_id: 'brakeman',
ee/spec/lib/gitlab/ci/reports/security/scanner_spec.rb: 'brakeman' | 'brakeman' | true | 'when external_id is equal'
ee/spec/lib/gitlab/ci/reports/security/scanner_spec.rb: 'brakeman' | 'bandit' | false | 'when external_id is different'
ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb: 'Ruby' | { 'config/routes.rb' => '' } | {} | %w(brakeman-sast)
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml: SAST_DEFAULT_ANALYZERS: "bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, sobelow, pmd-apex, kubesec, mobsf, semgrep"
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml:brakeman-sast:
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml: SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/brakeman:$SAST_ANALYZER_IMAGE_TAG"
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml: - if: $SAST_EXCLUDED_ANALYZERS =~ /brakeman/
lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml: $SAST_DEFAULT_ANALYZERS =~ /brakeman/
lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml: bandit, brakeman, gosec, spotbugs, flawfinder, phpcs-security-audit, security-code-scan, nodejs-scan, eslint, secrets, sobelow, pmd-apex, kubesec,
lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml:brakeman:
lib/gitlab/ci/templates/Security/Secure-Binaries.gitlab-ci.yml: $SECURE_BINARIES_ANALYZERS =~ /\bbrakeman\b/
lib/security/ci_configuration/sast_build_actions.rb: SAST_DEFAULT_ANALYZERS = 'bandit, brakeman, eslint, flawfinder, gosec, kubesec, nodejs-scan, phpcs-security-audit, pmd-apex, security-code-scan, sobelow, spotbugs'
lib/tasks/brakeman.rake:desc 'Security check via brakeman'
lib/tasks/brakeman.rake:task :brakeman do
lib/tasks/brakeman.rake: if system(*%w(brakeman --no-progress --skip-files lib/backup/repository.rb -w3 -z))
lib/tasks/gitlab/test.rake: %w(rake brakeman),
qa/qa/specs/features/ee/browser_ui/secure/enable_sast_from_configuration_spec.rb: expect(pipeline).to have_no_job('brakeman-sast')
qa/qa/specs/features/ee/browser_ui/secure/enable_sast_from_configuration_spec.rb: expect(pipeline).to have_job('brakeman-sast')
spec/graphql/types/project_type_spec.rb: expect(analyzer['name']).to eq('brakeman')
spec/lib/security/ci_configuration/sast_build_actions_spec.rb: 'name' => "brakeman",
spec/lib/security/ci_configuration/sast_build_actions_spec.rb: 'name' => "brakeman",
spec/lib/security/ci_configuration/sast_build_actions_spec.rb: stub_const('Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS', 'bandit, brakeman, flawfinder')
spec/lib/security/ci_configuration/sast_build_actions_spec.rb: stub_const('Security::CiConfiguration::SastBuildActions::SAST_DEFAULT_ANALYZERS', 'brakeman, flawfinder')
spec/services/ci/create_pipeline_service_spec.rb: expect(pipeline.builds.map(&:name)).to match_array(%w[brakeman-sast build code_quality eslint-sast secret_detection_default_branch test])
spec/services/security/ci_configuration/sast_parser_service_spec.rb: let(:brakeman) { configuration['analyzers'][0] }
spec/services/security/ci_configuration/sast_parser_service_spec.rb: let(:sast_brakeman_level) { brakeman['variables'][0] }
spec/services/security/ci_configuration/sast_parser_service_spec.rb: expect(brakeman['enabled']).to be(true)
spec/services/security/ci_configuration/sast_parser_service_spec.rb: expect(sast_brakeman_level['default_value']).to eql('1')
spec/services/security/ci_configuration/sast_parser_service_spec.rb: expect(brakeman['enabled']).to be(false)
spec/services/security/ci_configuration/sast_parser_service_spec.rb: expect(sast_brakeman_level['value']).to eql('2')
spec/services/security/ci_configuration/sast_parser_service_spec.rb: expect(brakeman['enabled']).to be(false)
spec/services/security/ci_configuration/sast_parser_service_spec.rb: expect(brakeman['enabled']).to be(false)
spec/services/security/ci_configuration/sast_parser_service_spec.rb: expect(brakeman['enabled']).to be(true)
spec/services/security/ci_configuration/sast_parser_service_spec.rb: expect(sast_brakeman_level['value']).to eql('1')
spec/support/gitlab_stubs/gitlab_ci_for_sast.yml: SAST_DEFAULT_ANALYZERS: "bandit, brakeman"
spec/support/gitlab_stubs/gitlab_ci_for_sast.yml: SAST_EXCLUDED_ANALYZERS: "brakeman"
spec/support/gitlab_stubs/gitlab_ci_for_sast_excluded_analyzers.yml: SAST_EXCLUDED_ANALYZERS: "brakeman"
```
We should also take the opportunity to get rid of the `gitlab:test` rake task which runs

```
%w(rake brakeman),
%w(rake rubocop),
%w(rake spec),
%w(rake karma)
```

which I believe no one would ever run considering the duration of these tasks (especially `rubocop` and `spec`)!