Remove updated entry in brakeman.ignore #1860

Open
wants to merge 1 commit into
base: main

@tobyhs tobyhs commented Jul 21, 2024

This entry is prone to merge conflicts.

DryRun Security Summary

The pull request focuses on improving the functionality and testing of the Brakeman security scanner for Ruby on Rails applications, including the removal of the "updated" field, enhancements to the ignore configuration management, and the enforcement of ignore notes.

Summary:

The code changes in this pull request are primarily focused on improving the functionality and testing of the Brakeman security scanner for Ruby on Rails applications. The key changes include:

  1. Removal of "updated" field: The "updated" field, which contained the timestamp of the last configuration update, has been removed from the Brakeman configuration files and the output JSON format. This simplifies the configuration file format but may impact the ability to track the history of changes to the ignore configuration.

  2. Improvements to ignore configuration management: The changes include enhancements to the IgnoreConfig class, which is responsible for managing the configuration file that allows developers to ignore certain security warnings reported by Brakeman. This includes adding tests to ensure the reliability and correctness of the ignore configuration functionality.

  3. Enforcement of ignore notes: The changes include a new command-line option (--ensure-ignore-notes) that enforces the requirement for all ignored warnings to have a non-empty note. This helps maintain better visibility and accountability around security decisions.

From an application security perspective, these changes do not directly address any specific security vulnerabilities. However, they demonstrate the ongoing effort to improve the security tooling and processes for Ruby on Rails applications. Regularly reviewing and updating security tools, as well as maintaining a robust ignore configuration management process, are important practices for maintaining the overall security posture of an application.

Files Changed:

  1. test/tests/brakeman.rb: This file contains changes related to the Brakeman test suite, specifically the removal of the "updated" field from the expected JSON output in two test cases.
  2. test/apps/rails4/config/brakeman.ignore and test/apps/rails2/config/brakeman.ignore: These changes are related to the Brakeman configuration files for Ruby on Rails 4 and 2 applications, respectively. The changes include the removal of the "updated" field and the review of the ignored security warnings.
  3. lib/brakeman/report/ignore/config.rb: This file contains changes related to the management of the Brakeman ignore configuration, including the removal of the "updated" field and enhancements to the functionality for ignoring, unignoring, and adding notes to specific warnings.
  4. test/tests/ignore.rb: This file includes changes to the test suite for the IgnoreConfig class, which is responsible for managing the Brakeman ignore configuration.
  5. test/tests/commandline.rb: This file contains changes related to the Brakeman command-line interface, specifically the addition of a test case for the --ensure-ignore-notes option, which ensures that all ignored warnings have a non-empty note.

Code Analysis

We ran 9 analyzers against 6 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.
