Brakeman not skipping Gemfile.lock with --skip-files param

Question

I'm adding Brakeman to a Rails product but I'm running into an issue. I want it to ignore my Gemfile and Gemfile.lock but when I run it with a command like

brakeman --skip-files Gemfile.lock,Gemfile

it's still touching the files. We use other systems to monitor our gems, but is it not possible to ignore the gem files completely? I can use a brakeman.ignore file of course but would prefer not to. Thanks for any assistance.

Answer 1

I believe this is the check to which you are referring: https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/scanner.rb#L39-L40

Brakeman.notify "Processing gems..."
process_gems

The process_gems function is defined here: https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/scanner.rb#L131-L152

  #Process Gemfile
  def process_gems
    gem_files = {}
    if @app_tree.exists? "Gemfile"
      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("Gemfile")), :file => "Gemfile" }
    elsif @app_tree.exists? "gems.rb"
      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("gems.rb")), :file => "gems.rb" }
    end

    if @app_tree.exists? "Gemfile.lock"
      gem_files[:gemlock] = { :src => @app_tree.read("Gemfile.lock"), :file => "Gemfile.lock" }
    elsif @app_tree.exists? "gems.locked"
      gem_files[:gemlock] = { :src => @app_tree.read("gems.locked"), :file => "gems.locked" }
    end

    if gem_files[:gemfile] or gem_files[:gemlock]
      @processor.process_gems gem_files
    end
  rescue => e
    Brakeman.notify "[Notice] Error while processing Gemfile."
    tracker.error e.exception(e.message + "\nWhile processing Gemfile"), e.backtrace
  end

The AppTree::exists? function is defined here: https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/app_tree.rb#L82-L84

def exists?(path)
  File.exist?(File.join(@root, path))
end

The GemProcessor::process_gems function is defined here: https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/processors/gem_processor.rb#L11

...lots of code...

I don't see any code that would skip this functionality if a certain switch is provided to brakeman. It also looks like the AppTree::exists? function does not take into account if a file was provided to the --skip-files option.

Unfortunately, I believe the current answer is that you can not ignore the gem files completely.

You could create a PR to do what you want and see if the Brakeman team includes it in the next build: https://brakemanscanner.org/docs/contributing/

Let us know if you discover a way to solve your problem.