From ee9de40562ca2b45dc805e9e0e3c2e469f8bb00a Mon Sep 17 00:00:00 2001 From: Justin Collins Date: Sun, 29 Dec 2024 18:42:46 -0700 Subject: [PATCH] Use Prism parser by default (#1897) Default to using Prism parser if available --- .circleci/config.yml | 10 ---------- Gemfile | 1 - brakeman.gemspec | 2 +- build.rb | 2 +- gem_common.rb | 1 + lib/brakeman.rb | 10 ++++++++++ lib/brakeman/file_parser.rb | 3 ++- lib/brakeman/options.rb | 9 ++++----- test/tests/rails52.rb | 4 ---- test/tests/rails8.rb | 2 +- 10 files changed, 20 insertions(+), 24 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c92561b76..366d18516 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -40,15 +40,6 @@ jobs: <<: *default docker: - image: cimg/ruby:3.2 - test-with-prism: - <<: *default - steps: - - checkout - - run: bundle check || bundle install - - run: - command: | - gem install prism - TEST_PRISM=true bundle exec rake upload-coverage: <<: *default working_directory: ~/repo @@ -65,7 +56,6 @@ workflows: - default - test-3-1 - test-3-2 - - test-with-prism - upload-coverage: requires: - test-3-1 diff --git a/Gemfile b/Gemfile index 0e78a8b6e..4b14763f7 100644 --- a/Gemfile +++ b/Gemfile @@ -6,6 +6,5 @@ unless ENV['BM_PACKAGE'] group :test do gem 'rake' gem 'minitest' - gem 'prism' end end diff --git a/brakeman.gemspec b/brakeman.gemspec index fda666a6f..199681aab 100644 --- a/brakeman.gemspec +++ b/brakeman.gemspec @@ -30,7 +30,7 @@ Gem::Specification.new do |s| s.files += Dir['bundle/ruby/*/gems/**/*'].reject do |path| # Skip unnecessary files in dependencies path =~ %r{^bundle/ruby/\d\.\d\.\d/gems/[^\/]+/(Rakefile|benchmark|bin|doc|example|man|site|spec|test)} or - path =~ %r{/gems/(io-console|racc|strscan)/} + path =~ %r{/gems/(io-console|prism|racc|strscan)/} end # racc is not only a built-in gem, but also has native code which we cannot diff --git a/build.rb b/build.rb index 90d8b4115..9838e14b5 100755 --- a/build.rb +++ b/build.rb 
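Review bot: The changed pattern in brakeman.gemspec now also drops prism from the vendored bundle, so a packaged Brakeman with the new `use_prism: true` default depends on a prism gem already installed on the host and otherwise lands in the LoadError fallback paths elsewhere in this commit; nothing next to the pattern says why prism is excluded. The surrounding comment explains racc only, and prism is presumably excluded for the same native-code reason, but that is an inference. A one-line comment on the changed line such as `# prism is excluded for the same reason as racc below and is expected to be installed on the host` would record it; adjust the wording if the motivation differs. The reject block continues outside the hunk.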
@@ -1,6 +1,6 @@
#!/usr/bin/env ruby
require 'fileutils'
-bundle_exclude = %w[io-console racc strscan]
+bundle_exclude = %w[io-console prism racc strscan]
puts 'Packaging Brakeman gem...'
diff --git a/gem_common.rb b/gem_common.rb
index ae6429a1e..558b499b3 100644
--- a/gem_common.rb
+++ b/gem_common.rb
@@ -22,6 +22,7 @@ def self.extended_dependencies spec
spec.add_dependency "haml", "~>5.1"
spec.add_dependency "slim", ">=1.3.6", "< 5.3"
spec.add_dependency "rexml", "~>3.0"
+ spec.add_dependency "prism", "~>1.3"
end
end
end
diff --git a/lib/brakeman.rb b/lib/brakeman.rb
index a9a84c72c..3c4b0bbec 100644
--- a/lib/brakeman.rb
+++ b/lib/brakeman.rb
@@ -84,6 +84,15 @@ def self.run options
options[:report_progress] = false
end
+ if options[:use_prism]
+ begin
+ require 'prism'
+ notify '[Notice] Using Prism parser'
+ rescue LoadError => e
+ Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+ end
+ end
+
scan options
end
@@ -196,6 +205,7 @@ def self.default_options
:pager => true,
:parallel_checks => true,
:parser_timeout => 10,
+ :use_prism => true,
:relative_path => false,
:report_progress => true,
:safe_methods => Set.new,
diff --git a/lib/brakeman/file_parser.rb b/lib/brakeman/file_parser.rb
index f4e6b3129..1d5be54b4 100644
--- a/lib/brakeman/file_parser.rb
+++ b/lib/brakeman/file_parser.rb
@@ -13,8 +13,9 @@ def initialize app_tree, timeout, parallel = true, use_prism = false
if @use_prism
begin
require 'prism'
+ Brakeman.debug '[Notice] Using Prism parser'
rescue LoadError => e
- Brakeman.debug "Asked to use Prism, but failed to load: #{e}"
+ Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
@use_prism = false
end
end
diff --git a/lib/brakeman/options.rb b/lib/brakeman/options.rb
index c3f7ce392..cde0b522e 100644
--- a/lib/brakeman/options.rb
+++ b/lib/brakeman/options.rb
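Review bot: In the `Brakeman.run` hunk a failed `require 'prism'` is reported only through `Brakeman.debug`, so now that `:use_prism => true` is the default a scan can silently fall back to the legacy parser while the success path prints a user-visible `notify`; since the parser in use can change findings (the rails52.rb hunk removes a skip that existed because Prism results differed by version), the fallback deserves at least the same visibility. In the rescue, `notify "[Notice] Asked to use Prism, but failed to load: #{e}"` followed by `options[:use_prism] = false` would surface it and make the decision once, so the near-identical require/rescue in the file_parser.rb hunk (`FileParser#initialize`) does not have to repeat it — assuming FileParser receives its `use_prism` flag from these options, which the hunks do not show. `self.run` continues outside the hunk.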
@@ -161,14 +161,13 @@ def create_option_parser options
opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
if use_prism
- prism_version = '1.0'
+ min_prism_version = '1.3.0'
begin
- # Specifying minimum version here,
- # since it can't be in the gem dependency list because it is optional
- gem 'prism', ">=#{prism_version}"
+ gem 'prism', ">=#{min_prism_version}"
+ require 'prism'
rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
- $stderr.puts "Please install `prism` version #{prism_version} or newer:"
+ $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
raise e
end
end
diff --git a/test/tests/rails52.rb b/test/tests/rails52.rb
index ff5a0015d..86506a1e6 100644
--- a/test/tests/rails52.rb
+++ b/test/tests/rails52.rb
@@ -104,10 +104,6 @@ def test_sql_injection_foreign_key
end
def test_sql_injection_user_input
- if ENV['TEST_PRISM']
- skip 'Un-skip as soon as Prism >1.2.0 is released'
- end
-
assert_warning :type => :warning,
:warning_code => 0,
:fingerprint => "f7affe2dfe9e3a48f39f1fb86224e150e60555a73f2e78fb499eadd298233625",
diff --git a/test/tests/rails8.rb b/test/tests/rails8.rb
index 21f6d0f63..84f1600b6 100644
--- a/test/tests/rails8.rb
+++ b/test/tests/rails8.rb
@@ -7,7 +7,7 @@ class Rails8Tests < Minitest::Test
def report
@@report ||= Date.stub :today, Date.parse("2024-05-13") do
- BrakemanTester.run_scan "rails8", "Rails 8", run_all_checks: true, use_prism: true
+ BrakemanTester.run_scan "rails8", "Rails 8", run_all_checks: true, use_prism: false
end
end
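Review bot: The `require 'prism'` added inside the `--prism` handler can raise a plain `LoadError` (for example when the gem spec is present but its extension cannot be loaded), and the rescue list covers only `Gem::MissingSpecVersionError`, `Gem::MissingSpecError` and `Gem::LoadError`, so that case skips the "Please install" message and surfaces as a bare traceback. Adding the general class last keeps the specific Gem errors first: `rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError, LoadError => e`. The `'1.3.0'` floor here and the `"~>1.3"` constraint added in gem_common.rb state the same minimum twice; a comment on `min_prism_version` pointing at gem_common.rb would keep them from drifting. The option block continues outside the hunk.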
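Review bot: With the default flipped to true in lib/brakeman.rb, the `use_prism: false` on the `run_scan` line in rails8.rb is now the only fixture pinned to the legacy parser, and the hunk gives no reason for opting it out. A comment on that line, e.g. `# Runs with the legacy parser on purpose: <reason>` with the actual reason filled in, would tell the next reader whether this is a temporary workaround or deliberate coverage of the non-Prism path now that the CI job exercising it was removed. The `report` method ends within the hunk.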