Use Brakeman for static code analysis
authorAndy Allan <git@gravitystorm.co.uk>
Wed, 22 Jul 2020 11:37:38 +0000 (13:37 +0200)
committerAndy Allan <git@gravitystorm.co.uk>
Wed, 22 Jul 2020 11:37:38 +0000 (13:37 +0200)
.travis.yml
CONTRIBUTING.md
Gemfile
Gemfile.lock
config/brakeman.yml [new file with mode: 0644]

index ce0a625ec42b50adc741fb96d1952b37845a79c0..6acf89e48fbcf52187baf1b4bbd2ec6f0a06287c 100644 (file)
@@ -31,6 +31,7 @@ script:
   - bundle exec rubocop -f fuubar
   - bundle exec rake eslint
   - bundle exec erblint .
+  - bundle exec brakeman -q
   - bundle exec rake db:structure:dump
   - sed -e "/idle_in_transaction_session_timeout/d" -e 's/ IMMUTABLE / /' -e "/^--/d" db/structure.sql > db/structure.actual
   - diff -uw db/structure.expected db/structure.actual
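Review bot: The added `bundle exec brakeman -q` step only gates the build if Brakeman exits non-zero when it finds warnings, which is the documented default for the 4.x series but is switchable via `--no-exit-on-warn`; stating it explicitly as `bundle exec brakeman -q --exit-on-warn` removes the dependence on that default and makes the intent obvious to someone reading the CI config. Because `-q` suppresses the summary, the log will also give no visible hint that `config/brakeman.yml` in this same commit disables seven checks, so a short comment above the line such as `# Brakeman: see config/brakeman.yml for currently skipped checks` would help future readers judge what the green result actually covers.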
index 439e2e95f982b18452a261f445b7f5482d7a9c8d..568566c17ed8ba00e7019214486c7d864fe90a48 100644 (file)
@@ -41,6 +41,14 @@ You can view test coverage statistics by browsing the `coverage` directory.
 The tests are automatically run on Pull Requests and other commits with the
 results shown on [Travis CI](https://travis-ci.org/openstreetmap/openstreetmap-website).
 
+## Static Analysis
+
+We also perform static analysis of our code. You can run the analysis yourself with:
+
+```
+bundle exec brakeman -q
+```
+
 ## Comments
 
 Sometimes it's not apparent from the code itself what it does, or,
diff --git a/Gemfile b/Gemfile
index 1cd0edca7373f46657cef56c9385087cfe1ca485..540f616343d91a6eced60d9dc5e7d00dcae80571 100644 (file)
--- a/Gemfile
+++ b/Gemfile
@@ -138,6 +138,7 @@ end
 
 # Gems needed for running tests
 group :test do
+  gem "brakeman"
   gem "capybara", ">= 2.15"
   gem "coveralls", :require => false
   gem "erb_lint", :require => false
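Review bot: The new `gem "brakeman"` entry is declared without `:require => false`, unlike the neighbouring CLI-only gems `coveralls` and `erb_lint` in the same `:test` group; Brakeman is invoked via `bundle exec brakeman` and is never required by the application, so `Bundler.require` loading it at boot is unnecessary and inconsistent with the group's convention. Change the line to `gem "brakeman", :require => false`. The enclosing `group :test do` block continues past the end of this hunk.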
index cc8dcaefbe4c2bf864a2a430a793946e6ba8518f..2828142dcb8c29a3ed995261f2dd2ccf1dd125c4 100644 (file)
@@ -110,6 +110,7 @@ GEM
       autoprefixer-rails (>= 9.1.0)
       popper_js (>= 1.14.3, < 2)
       sassc-rails (>= 2.0.0)
+    brakeman (4.8.2)
     browser (4.2.0)
     builder (3.2.4)
     bzip2-ffi (1.0.0)
@@ -484,6 +485,7 @@ DEPENDENCIES
   binding_of_caller
   bootsnap (>= 1.4.2)
   bootstrap (~> 4.5.0)
+  brakeman
   browser
   bzip2-ffi
   cancancan
diff --git a/config/brakeman.yml b/config/brakeman.yml
new file mode 100644 (file)
index 0000000..f8fab87
--- /dev/null
@@ -0,0 +1,9 @@
+:skip_checks:
+# These checks are skipped, but should be considered TODO
+- CheckCrossSiteScripting
+- CheckExecute
+- CheckFileAccess
+- CheckRedirect
+- CheckRender
+- CheckSendFile
+- CheckSQL
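Review bot: The `:skip_checks:` list in the new config disables CheckSQL, CheckCrossSiteScripting, CheckExecute, CheckRedirect, CheckRender, CheckSendFile and CheckFileAccess, which are essentially all of Brakeman's injection, open-redirect and file-access checks, so the CI step introduced in this commit will not fail on a newly introduced SQL injection or XSS even though the build appears to be statically analysed. A blanket skip also hides future regressions, not just the existing findings the TODO comment refers to; the usual way to defer known findings is a fingerprint-based ignore file generated with `bundle exec brakeman -I` (referenced from this config via `:ignore_file: config/brakeman.ignore`), which keeps each check active for new code while suppressing only the reviewed warnings. I would also add the count of currently suppressed findings to the comment, e.g. `# Skipped only because of existing findings in these categories; remove each entry once its warnings are resolved`, so the TODO has a concrete exit condition.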