From 6719d269e387e3be578460a2e4f3242d9d4082c8 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 22 Jul 2020 13:37:38 +0200
Subject: [PATCH] Use Brakeman for static code analysis

---
 .travis.yml | 1 +
 CONTRIBUTING.md | 8 ++++++++
 Gemfile | 1 +
 Gemfile.lock | 2 ++
 config/brakeman.yml | 9 +++++++++
 5 files changed, 21 insertions(+)
 create mode 100644 config/brakeman.yml

diff --git a/.travis.yml b/.travis.yml
index ce0a625ec..6acf89e48 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -31,6 +31,7 @@ script:
 - bundle exec rubocop -f fuubar
 - bundle exec rake eslint
 - bundle exec erblint .
+ - bundle exec brakeman -q
 - bundle exec rake db:structure:dump
 - sed -e "/idle_in_transaction_session_timeout/d" -e 's/ IMMUTABLE / /' -e "/^--/d" db/structure.sql > db/structure.actual
 - diff -uw db/structure.expected db/structure.actual
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 439e2e95f..568566c17 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -41,6 +41,14 @@ You can view test coverage statistics by browsing the `coverage` directory.
 The tests are automatically run on Pull Requests and other commits with the
 results shown on [Travis CI](https://travis-ci.org/openstreetmap/openstreetmap-website).
 
+## Static Analysis
+
+We also perform static analysis of our code. You can run the analysis yourself with:
+
+```
+bundle exec brakeman -q
+```
+
 ## Comments
 
 Sometimes it's not apparent from the code itself what it does, or,
diff --git a/Gemfile b/Gemfile
index 1cd0edca7..540f61634 100644
--- a/Gemfile
+++ b/Gemfile
@@ -138,6 +138,7 @@ end
 
 # Gems needed for running tests
 group :test do
+ gem "brakeman"
 gem "capybara", ">= 2.15"
 gem "coveralls", :require => false
 gem "erb_lint", :require => false
diff --git a/Gemfile.lock b/Gemfile.lock
index cc8dcaefb..2828142dc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
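Review bot: The new `- bundle exec brakeman -q` step in `script:` only acts as a gate if Brakeman exits non-zero when it finds warnings, and the line leaves that to the gem's default (as far as I recall the 4.x line does exit non-zero unless `--no-exit-on-warn` is passed, but nothing here pins it). Spelling it out as `- bundle exec brakeman -q --exit-on-warn` makes the intent visible and keeps the build from quietly going green if that default ever changes. `-q` suppresses the informational banner, not the warnings themselves, so findings will still be printed in the Travis log. Worth noting that, with the `:skip_checks:` list this same commit adds in `config/brakeman.yml`, this step currently cannot fail on SQL injection, XSS, command execution, file-access or redirect findings, so the gate is narrower than the line suggests.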
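Review bot: `gem "brakeman"` is added without `:require => false`, unlike the neighbouring `coveralls` and `erb_lint` entries in the same `:test` group, which are also CLI-only tools. Brakeman is only ever invoked from the command line here, so letting `Bundler.require` load its whole library into every test process is wasted work and pulls extra code into the test runtime for no benefit. Suggest `gem "brakeman", :require => false` to match the siblings. The `group :test do` block continues past the end of the hunk.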
@@ -110,6 +110,7 @@ GEM
 autoprefixer-rails (>= 9.1.0)
 popper_js (>= 1.14.3, < 2)
 sassc-rails (>= 2.0.0)
+ brakeman (4.8.2)
 browser (4.2.0)
 builder (3.2.4)
 bzip2-ffi (1.0.0)
@@ -484,6 +485,7 @@ DEPENDENCIES
 binding_of_caller
 bootsnap (>= 1.4.2)
 bootstrap (~> 4.5.0)
+ brakeman
 browser
 bzip2-ffi
 cancancan
diff --git a/config/brakeman.yml b/config/brakeman.yml
new file mode 100644
index 000000000..f8fab871e
--- /dev/null
+++ b/config/brakeman.yml
@@ -0,0 +1,9 @@
+:skip_checks:
+# These checks are skipped, but should be considered TODO
+- CheckCrossSiteScripting
+- CheckExecute
+- CheckFileAccess
+- CheckRedirect
+- CheckRender
+- CheckSendFile
+- CheckSQL
--
2.45.1
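Review bot: The `:skip_checks:` list in the new `config/brakeman.yml` disables CheckSQL, CheckCrossSiteScripting, CheckExecute, CheckFileAccess, CheckRedirect, CheckRender and CheckSendFile — the injection, path-traversal and open-redirect classes that are the main reason to run Brakeman at all — so the CI gate this commit introduces will pass even if a future PR adds a string-interpolated `where` or an unescaped `raw`. The comment marks them as TODO, but a skipped check never surfaces new findings, so the debt stays invisible and there is nothing that forces it to be paid down. A safer way to adopt the tool on a codebase with pre-existing warnings is to keep every check enabled and baseline the current findings once into a fingerprinted ignore file (`bundle exec brakeman -I` walks the warnings interactively and writes `config/brakeman.ignore`, which CI then consumes via `-i config/brakeman.ignore`); existing warnings stay quiet while anything newly introduced fails the build. If some checks genuinely have to stay off for now, I would at least drop CheckSQL and CheckExecute from the list and extend the comment to name the tracking issue that owns the TODO, e.g. `# TODO(#NNNN): re-enable once existing findings are triaged into config/brakeman.ignore`.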