[openstreetmap/openstreetmap-website] Add static code checks in Travis CI (#2229)

Andy Allan notifications at github.com
Wed Jun 12 13:36:33 UTC 2019

I've had a look through the output, and while I'm sure some are false positives, it's picking up a lot of dodgy coding practices that we've otherwise overlooked. Particularly the SQL injection stuff, where some small changes to the code would reduce the opportunity for mishaps later.

So I'm in principle happy to add Brakeman, the question is the best way to do it. If we add it with the return code disabled (as now), then we haven't achieved much since we could add new vulnerabilities without triggering a build failure. So I'd prefer to approach it the way we do with rubocop and erblint, that is to create a configuration that ignores existing problems, but will alert on new problems. We can then work our way through the todo list.

From looking at [the brakeman docs](https://brakemanscanner.org/docs/options/), we can create a config file and ignore the failing tests for now.

For this PR, it would also be best to just focus on the installation and configuration of brakeman. The regexp fixes would be valid in a standalone PR.
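As an added example (not code from this PR or from the openstreetmap-website project), the script below shows the mechanism the comment proposes: a baseline ignore file that suppresses already-reviewed Brakeman warnings by fingerprint, while any warning not in the baseline still fails the build. Brakeman implements this itself (the default `config/brakeman.ignore` file, maintained with `brakeman -I` and read via `--ignore-config`; `--no-exit-on-warn` is the "return code disabled" mode mentioned above), so the script only reimplements the comparison on constructed report and ignore data to make the logic visible. The fingerprints, file names and messages are made up.

```ruby
require "json"
require "set"

# Constructed sample of a Brakeman JSON report (shape of `brakeman -f json`),
# trimmed to the fields this example needs. Fingerprints and paths are made up.
SAMPLE_REPORT = <<~JSON
{
  "warnings": [
    {"warning_type": "SQL Injection", "fingerprint": "aaa111",
     "file": "app/models/example.rb", "line": 42, "confidence": "High",
     "message": "Possible SQL injection"},
    {"warning_type": "Cross-Site Scripting", "fingerprint": "bbb222",
     "file": "app/views/example/show.html.erb", "line": 7, "confidence": "Medium",
     "message": "Unescaped model attribute"},
    {"warning_type": "SQL Injection", "fingerprint": "ccc333",
     "file": "app/controllers/example_controller.rb", "line": 19, "confidence": "High",
     "message": "Possible SQL injection"}
  ]
}
JSON

# Constructed baseline in the shape of config/brakeman.ignore: each entry records
# the fingerprint of a warning the team has reviewed and accepted for now, with a
# note so the todo list is self-documenting. The third warning above is NOT here,
# so it represents a newly introduced problem.
SAMPLE_IGNORE = <<~JSON
{
  "ignored_warnings": [
    {"warning_type": "SQL Injection", "fingerprint": "aaa111",
     "note": "todo: parameterise query"},
    {"warning_type": "Cross-Site Scripting", "fingerprint": "bbb222",
     "note": "todo: escape attribute"}
  ]
}
JSON

# Fingerprints from the ignore file: these are the accepted baseline.
def ignored_fingerprints(ignore_json)
  JSON.parse(ignore_json).fetch("ignored_warnings", []).map { |w| w["fingerprint"] }.to_set
end

# Warnings in the report whose fingerprint is not in the baseline, i.e. the ones
# that should fail CI. Fingerprints are stable across runs, so a baselined warning
# stays quiet until the underlying code actually changes.
def new_warnings(report_json, ignore_json)
  ignored = ignored_fingerprints(ignore_json)
  JSON.parse(report_json).fetch("warnings", []).reject { |w| ignored.include?(w["fingerprint"]) }
end

# Exit status a CI step would use: 0 when nothing new, 1 otherwise.
def ci_exit_status(report_json, ignore_json)
  new_warnings(report_json, ignore_json).empty? ? 0 : 1
end

def format_warning(w)
  "#{w['confidence']} #{w['warning_type']} in #{w['file']}:#{w['line']} " \
    "(fingerprint #{w['fingerprint']}): #{w['message']}"
end

if __FILE__ == $PROGRAM_NAME
  new_warnings(SAMPLE_REPORT, SAMPLE_IGNORE).each { |w| puts format_warning(w) }
  # A real CI wrapper would `exit` with this value; printed here so the script
  # can be read top to bottom without terminating the process.
  puts "exit status: #{ci_exit_status(SAMPLE_REPORT, SAMPLE_IGNORE)}"
end
```

Run against the constructed data it reports only the `ccc333` SQL injection finding and a status of 1; add that fingerprint to the ignore file and the status drops to 0, which is exactly the "baseline now, alert on new problems" behaviour the comment describes for rubocop and erblint.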
