Steps to add Ruby Brakeman to SonarSource

Hi All,

I’m evaluating a static code and security analyser for my current company’s codebase (a Ruby/Rails 6 app), and I very much like SonarQube/SonarCloud; it looks like it does what I need.

However, for the security analysis side, I would like to run Brakeman. I did a search on the forum and the only related topic I found was a feature request, “Feature request: Add brakeman sensor to Ruby plugin”, and the reply was to use the Generic Issue format.

I’m trying to see if anyone has actually done that, because I’m not exactly clear on how to set this up on SonarCloud. (I have already set up SonarCloud for one of my open source Ruby projects to test.)

Can anyone point me in the right direction with a bit more detail? Thanks.

cheers

Sam

We have our main project set up to pull Brakeman issues into SonarCloud. You just need to use their generic JSON input format. I can maybe post our rake task when I get a chance.

2 Likes

Thanks a lot, Smith,

If you can post that, that would be awesome. I believe we need to update something on SonarCloud too to read the JSON?

We run GitHub Actions to do the CI/CD; what I can do is integrate the rake task at that point to generate the Brakeman JSON file to be read by SonarCloud.

[EDIT] - Sorry, I thought I had replied to you a few days earlier, and today I realised I had just posted another message instead of replying to you, so I deleted that and made the same message a reply to you.

cheers

G’day Sameera.

Something like this would work:

require 'json'

# Run Brakeman and parse its JSON report.
json = JSON.parse(`bundle exec brakeman --format json --quiet`)

# Map Brakeman confidence levels to Sonar severities; anything unmapped becomes INFO.
severity = Hash.new('INFO').merge!(
  'High' => 'CRITICAL',
  'Medium' => 'MAJOR',
  'Weak' => 'MINOR'
)

# Build the Sonar generic issue report and print it as JSON.
puts json['warnings'].each_with_object('issues' => []) { |warning, memo|
  location = {
    'message' => "#{warning['warning_type']} - #{warning['check_name']} - #{warning['message']}",
    'filePath' => warning['file']
  }
  # Some Brakeman warnings carry no line number (e.g. application-wide findings);
  # Sonar rejects a textRange without an integer startLine, so only add it when present.
  location['textRange'] = { 'startLine' => warning['line'] } if warning['line']

  memo['issues'] << {
    'engineId' => 'brakeman',
    'ruleId' => warning['fingerprint'],
    'type' => 'VULNERABILITY',
    'severity' => severity[warning['confidence']],
    'primaryLocation' => location
  }
}.to_json

You can wrap this into a rake task and use it to output a JSON file and then use the sonar.externalIssuesReportPaths configuration option in Sonar to add it to your Sonar reports.

3 Likes
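As an added, self-contained example (not code from the thread's authors or from SonarSource/Brakeman), the script below implements the same Brakeman-to-generic-issue conversion as a set of small functions that a rake task can call, runs it against a constructed Brakeman-shaped report embedded inline, and writes the result to a file suitable for sonar.externalIssuesReportPaths. The function names, the sample warnings and the fingerprint values are assumptions made for this example; the JSON field names follow Brakeman's report format and Sonar's generic issue format as referenced above. It goes a step beyond the snippet in the reply by handling warnings that have no line number, which Brakeman emits for application-wide findings.

```ruby
require 'json'
require 'tmpdir'

# Brakeman confidence -> Sonar severity (same mapping as the reply above).
# Any unrecognised confidence value falls back to INFO.
BRAKEMAN_SEVERITY = Hash.new('INFO').merge(
  'High'   => 'CRITICAL',
  'Medium' => 'MAJOR',
  'Weak'   => 'MINOR'
).freeze

# Convert one Brakeman warning hash into one Sonar generic issue hash.
# Warnings without an integer line (application-wide findings) get a
# primaryLocation with no textRange, because Sonar requires an integer
# textRange.startLine whenever textRange is present.
def brakeman_warning_to_issue(warning)
  location = {
    'message'  => "#{warning['warning_type']} - #{warning['check_name']} - #{warning['message']}",
    'filePath' => warning['file']
  }
  location['textRange'] = { 'startLine' => warning['line'] } if warning['line'].is_a?(Integer)

  {
    'engineId'        => 'brakeman',
    'ruleId'          => warning['fingerprint'],
    'type'            => 'VULNERABILITY',
    'severity'        => BRAKEMAN_SEVERITY[warning['confidence']],
    'primaryLocation' => location
  }
end

# Convert a parsed Brakeman report (the hash produced by `brakeman --format json`)
# into the hash Sonar's generic issue format expects.
def brakeman_report_to_sonar(report)
  { 'issues' => Array(report['warnings']).map { |w| brakeman_warning_to_issue(w) } }
end

# Write the generic issue report to disk and return the path written.
def write_sonar_report(report, path)
  File.write(path, JSON.pretty_generate(brakeman_report_to_sonar(report)))
  path
end

# Constructed sample in the shape of Brakeman's JSON output (not a real scan;
# fingerprints are placeholders). The second warning deliberately has no line.
SAMPLE_BRAKEMAN_REPORT = {
  'warnings' => [
    {
      'warning_type' => 'SQL Injection',
      'check_name'   => 'SQL',
      'message'      => 'Possible SQL injection',
      'file'         => 'app/models/user.rb',
      'line'         => 42,
      'confidence'   => 'High',
      'fingerprint'  => 'constructed-fingerprint-1'
    },
    {
      'warning_type' => 'Cross-Site Request Forgery',
      'check_name'   => 'ForgerySetting',
      'message'      => 'protect_from_forgery should be called in ApplicationController',
      'file'         => 'app/controllers/application_controller.rb',
      'line'         => nil,
      'confidence'   => 'Medium',
      'fingerprint'  => 'constructed-fingerprint-2'
    }
  ]
}.freeze

if __FILE__ == $PROGRAM_NAME
  # In a real rake task, replace SAMPLE_BRAKEMAN_REPORT with
  # JSON.parse(`bundle exec brakeman --format json --quiet`)
  puts JSON.pretty_generate(brakeman_report_to_sonar(SAMPLE_BRAKEMAN_REPORT))
end
```

In a rake task, call write_sonar_report with the parsed Brakeman output and a path such as tmp/brakeman-sonar.json, then point sonar.externalIssuesReportPaths at that path in sonar-project.properties (or the scanner's command line) so the CI scan picks the issues up.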

Thanks a lot, this should be a good starting point for me.