[openstreetmap/openstreetmap-website] Use Brakeman for static code analysis (#2723)

Andy Allan notifications at github.com
Wed Jul 22 13:10:43 UTC 2020


> I know in the original I expressed concern about the false positive rate though I'm not sure what I was using to evaluate that because I can't see any sort of human readable report anywhere on that ticket, presumably because they had again all been suppressed, albeit in a different way.

So IIRC in the original PR the command was set to not fail the build, so you could see all the output in the travis logs. That might be where you saw the list?

Many of the reports have been fixed already (e.g. in #2570 #2597), and more are likely to disappear due to refactoring, so I think any list of remaining false positives, if there are ever any, is going to be small.

> If we accept that false positives are unavoidable and that they will need to be suppressed, presumably using the mechanism from the original pull request, then my question is how robust is that suppression mechanism?

I've no idea. This PR takes a different approach of switching off types of test as a whole. So another option is to avoid the false-positive fingerprints list altogether, and just switch off the type of test if there are any false positives found in that type. Even then, we'll still be getting a lot of benefit from all the other active types.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/2723#issuecomment-662443670