Parse brakeman results

Author: ggabarrin

README.md

@@ -14,10 +14,7 @@
 
 Security Notes allows the creation of notes within source files, which can be replied to, reacted to using emojis, and assigned statuses such as "TODO", "Vulnerable" and "Not Vulnerable".
 
-Also, it allows importing the output from SAST tools into notes, making the processing of the findings much easier. Currently supported tools include:
-
-- semgrep (https://semgrep.dev/)
-- bandit (https://bandit.readthedocs.io/en/latest/)
+Also, it allows importing the output from SAST tools (such as semgrep, bandit and brakeman), into notes, making the processing of the findings much easier.
 
 Finally, collaborate with others by using a centralized database for notes that will be automatically synced in **real-time**! Create a note locally, and it will be automatically pushed to whoever is working with you on the project.
 
@@ -67,10 +64,16 @@ Naturally, you will want to collaborate with remote peers. To do so in a secure
 
 ## Importing SAST results
 
-The extension allows you to import the output from SAST tools (currently only [Semgrep](https://semgrep.dev/)) into notes, making the processing of the findings much easier:
+The extension allows you to import the output from SAST tools into notes, making the processing of the findings much easier:
 
 ![Demo for semgrep import](images/demo-semgrep-import.gif)
 
+Currently supported tools include:
+
+- semgrep (https://semgrep.dev/)
+- bandit (https://bandit.readthedocs.io/en/latest/)
+- brakeman (https://brakemanscanner.org/)
+
 ## Extension Settings
 
 Various settings for the extension can be configured in VSCode's User Settings page (`CMD+Shift+P` / `Ctrl + Shift + P` -> _Preferences: Open Settings (UI)_):

src/parsers/brakeman.ts

@@ -0,0 +1,44 @@
+'use strict';
+
+import * as vscode from 'vscode';
+import { ToolFinding } from '../models/toolFinding';
+
+class BrakemanParser {
+  static parse(fileContent: string) {
+    const toolFindings: ToolFinding[] = [];
+
+    try {
+      const brakemanFindings = JSON.parse(fileContent).warnings;
+      brakemanFindings.map((brakemanFinding: any) => {
+        // uri
+        let fullPath = '';
+        if (vscode.workspace.workspaceFolders) {
+          fullPath = vscode.workspace.workspaceFolders[0].uri.fsPath + '/';
+        }
+        const uri = vscode.Uri.file(`${fullPath}${brakemanFinding.file}`);
+
+        // range
+        const range = new vscode.Range(
+          brakemanFinding.line - 1,
+          0,
+          brakemanFinding.line - 1,
+          0,
+        );
+
+        // instantiate tool finding and add to list
+        const toolFinding = new ToolFinding(
+          uri,
+          range,
+          `${brakemanFinding.warning_type}: ${brakemanFinding.message}`,
+        );
+        toolFindings.push(toolFinding);
+      });
+    } catch {
+      /* empty */
+    }
+
+    return toolFindings;
+  }
+}
+
+export { BrakemanParser };

src/webviews/importToolResultsWebview.ts

@@ -4,6 +4,7 @@ import * as vscode from 'vscode';
 import { commentController } from '../controllers/comments';
 import { BanditParser } from '../parsers/bandit';
 import { SemgrepParser } from '../parsers/semgrep';
+import { BrakemanParser } from '../parsers/brakeman';
 import { ToolFinding } from '../models/toolFinding';
 import { saveNoteComment } from '../helpers';
 import { RemoteDb } from '../persistence/remote-db';
@@ -83,6 +84,7 @@ export class ImportToolResultsWebview implements vscode.WebviewViewProvider {
             <select id="toolSelect">
             <option value="semgrep">semgrep</option>
             <option value="bandit">bandit</option>
+            <option value="brakeman">brakeman</option>
             </select>
             </p>
             <p>Select file:</p>
@@ -116,6 +118,10 @@ function processToolFile(
       toolFindings = BanditParser.parse(fileContent);
       break;
     }
+    case 'brakeman': {
+      toolFindings = BrakemanParser.parse(fileContent);
+      break;
+    }
   }
 
   if (!toolFindings.length) {