Brakeman Testing of Non-Rails App

From:
Michael McCabe
Date:
2012-05-11 @ 17:55
We have an app that we would like to test with Brakeman but it's not a full
Rails app only an API written in Ruby. Is there a way to force Brakeman to
scan the app and maybe only run certain tests?

Thanks.

Re: [brakeman] Brakeman Testing of Non-Rails App

From:
Neil Matatall
Date:
2012-05-11 @ 18:01
YMMV but I've run brakeman against a sinatra app and it was able to find 
some SQL/command injection, but the results are likely far from complete.
You can always specify which tests to run via the -t (or conversely -x) 
with a list of test names to include or exclude.  If it's just a straight 
API application, brakeman doesn't need to trace any paths, so the 
controller level tests may suffice (assuming you still follow the 
app/controllers convention). 

Are you getting the "please supply a path to a rails app" message? 

Neil Matatall
@nilematotle
714-488-8893




Re: [brakeman] Brakeman Testing of Non-Rails App

From:
Michael McCabe
Date:
2012-05-11 @ 18:05
Yes, it's giving me that message.


Re: [brakeman] Brakeman Testing of Non-Rails App

From:
Neil Matatall
Date:
2012-05-11 @ 18:09
Yeah, it will abort if there's no app directory.  Adding an empty app dir 
will get you past this, but it won't find anything as it expects a 
rails-like structure. 

    abort("Please supply the path to a Rails application.") unless app_path and File.exist? app_path + "/app"

If you move (or symlink) the structure, you should be able to scan.  

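To act on Neil's two suggestions above (give Brakeman the app/ directory its abort check looks for, and limit the run with -t), here is an added shell example that is not from the thread or from the Brakeman project; it assumes the API keeps its handlers under controllers/ and its models under models/ (hypothetical paths) and names the SQL and command-injection checks CheckSQL and CheckExecute.

```shell
#!/bin/sh
# Added example, not from the thread. Gives Brakeman the Rails-like layout it
# insists on (a scratch dir whose app/ points at the real sources via symlinks),
# then runs only the checks you care about.
# Assumed layout of the API (hypothetical): $SRC/controllers and $SRC/models.

# Same condition Brakeman uses before aborting (quoted in the thread):
#   abort(...) unless app_path and File.exist? app_path + "/app"
# Returns 0 when Brakeman would proceed, non-zero when it would print
# "Please supply the path to a Rails application."
brakeman_would_accept() {
    app_path=$1
    [ -n "$app_path" ] && [ -e "$app_path/app" ]
}

# Build the scratch tree without moving anything in the API itself.
prepare_scan_dir() {
    src=$(cd "$1" && pwd)      # absolute, so the symlinks stay valid
    scan=$2
    mkdir -p "$scan/app"
    ln -sfn "$src/controllers" "$scan/app/controllers"
    ln -sfn "$src/models" "$scan/app/models"
}

# Run just the SQL and command-injection checks; swap -t for -x to exclude
# checks instead. -p points Brakeman at the scratch tree, -q keeps it quiet.
run_scan() {
    scan=$1
    if ! command -v brakeman >/dev/null 2>&1; then
        echo "brakeman not installed; run: gem install brakeman" >&2
        return 2
    fi
    brakeman -q -p "$scan" -t CheckSQL,CheckExecute
}

# Usage: sh scan_api.sh /path/to/api /tmp/api-scan
if [ "$#" -eq 2 ]; then
    prepare_scan_dir "$1" "$2"
    if brakeman_would_accept "$2"; then
        run_scan "$2"
    else
        echo "scratch tree missing app/ at $2" >&2
        exit 1
    fi
fi
```

Results will still be partial, as Neil notes: only code that lands under app/ in a Rails-like shape gets the controller-level checks.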

Re: [brakeman] Brakeman Testing of Non-Rails App

From:
Michael McCabe
Date:
2012-05-11 @ 18:26
Thanks Neil, I've gotten it to run now. I'll see if I can get some results.
