Rubocop style enable/disable comments for ignoring warnings

[KieranP]

When coming across false positives, having to find the fingerprint of each brakeman error we want to ignore is a bit tedious. And then if the code around the error changes, the fingerprint needs updating. I'd like to suggest brakeman add support for rubocop style enable/disable comments, which would be much more convenient.

# brakeman:disable sql_injection
User.where(....).....
# brakeman:enable sql_injection

[henrik]

Yes! It's not just a matter of convenience but also of security.

As I understand it, the current fingerprints are only based on the code being flagged and the file they're in etc, but not on surrounding code.

This means that if I flag this as safe:

klass = params[:class_name].constantize
raise "unsafe!" unless klass < AcceptableParentClass

I can then remove the raise … guard and it remains flagged as safe. With comments, I could put those around the whole expression so that anyone editing the code would see in context that it's this whole expression that we consider safe.