From 0e62e8dd6c4e0a9c23f574089440f4f8c912df98 Mon Sep 17 00:00:00 2001
From: Jason Frey
Date: Mon, 3 Mar 2025 17:49:12 -0500
Subject: [PATCH] Add interactive-ignore support through test:security:brakeman

Building the brakeman.ignore file requires us to have our patches in place so that the values are built correctly to have the right fingerprint. Thus, we can't just run brakeman -I directly.

This change allows us to pass `-I` or `--interactive-ignore` to the rake task, which aids in updating the brakeman.ignore file.
---
 lib/extensions/brakeman_fingerprint_patch.rb | 2 --
 lib/tasks/test_security_helper.rb | 12 +++++++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/extensions/brakeman_fingerprint_patch.rb b/lib/extensions/brakeman_fingerprint_patch.rb
index 0f1d685657f..25d29ea5e30 100644
--- a/lib/extensions/brakeman_fingerprint_patch.rb
+++ b/lib/extensions/brakeman_fingerprint_patch.rb
@@ -77,8 +77,6 @@ def fingerprint
   def to_hash(absolute_paths: true)
     super.tap do |h|
       h[:file] = (absolute_paths ? self.file.absolute : file_string)
-      h[:file_rel] = self.file.relative
-      h[:file_abs] = self.file.absolute
     end
   end
 end
diff --git a/lib/tasks/test_security_helper.rb b/lib/tasks/test_security_helper.rb
index 43d140b5f22..6a6984ddf61 100644
--- a/lib/tasks/test_security_helper.rb
+++ b/lib/tasks/test_security_helper.rb
@@ -4,6 +4,9 @@ class TestSecurityHelper
   class SecurityTestFailed < StandardError; end
 
   def self.brakeman(format: "human")
+    args = ARGV.drop_while { |arg| arg != "--" }.drop(1)
+    interactive_ignore = (args & %w[-I --interactive-ignore]).any?
+
     require "vmdb/plugins"
     require "brakeman"
 
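Review bot: Unrecognised arguments after `--` are dropped silently by the added `args & %w[-I --interactive-ignore]` intersection, so a typo such as `--interactive_ignore` runs the ordinary non-interactive scan and the caller may believe the ignore file was updated when it was not. Consider rejecting anything outside the accepted list right after the filter: `unknown = args - %w[-I --interactive-ignore]` followed by `raise ArgumentError, "unknown option(s) after --: #{unknown.join(' ')}" unless unknown.empty?`. Reading `ARGV` directly inside the helper also ties it to the rake invocation; a keyword parameter such as `interactive_ignore: nil` that falls back to the `ARGV` scan when unset would keep the method callable from plain Ruby and from tests. The body of `self.brakeman` continues outside this hunk.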
@@ -43,11 +46,18 @@ def self.brakeman(format: "human")
       :report_progress => $stderr.tty?,
       :use_prism => true,
     }
-    if format == "json"
+    case format
+    when "json"
+      raise ArgumentError, "cannot pass --interactive-ignore with json output" if interactive_ignore
+
       options[:output_files] = [
         Rails.root.join("log/brakeman.json").to_s,
         Rails.root.join("log/brakeman.log").to_s
       ]
+    when "human"
+      options[:interactive_ignore] = true if interactive_ignore
+    else
+      raise ArgumentError, "Unknown format #{format.inspect}"
     end
 
     tracker = Brakeman.run(options)
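Review bot: The new `when "human"` branch enables `options[:interactive_ignore]` without checking that stdin is a terminal, even though the same options hash already gates progress output on `$stderr.tty?`; if interactive mode prompts on stdin, running with `-I` under CI or with a redirected stdin would presumably block or consume garbage rather than fail fast — worth confirming against Brakeman's prompt implementation. A guard beside the existing json check, `raise ArgumentError, "--interactive-ignore requires an interactive terminal" if interactive_ignore && !$stdin.tty?`, makes that failure explicit and cheap. The two new messages also disagree on style (`cannot pass …` versus `Unknown format …`); pick one capitalisation so log greps stay predictable. The remainder of `self.brakeman`, including what is done with `tracker`, lies outside this hunk.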