False positives (warnings about potential vulnerabilities which are not actual vulnerabilities) are present in any security tool. Before ignoring a false positive, be certain it is actually a false positive and also consider reporting it in case changes can be made to Railroader to prevent the false positive in the future.
The ignore configuration is a JSON file containing a list of warnings. It is essentially the same as the JSON report, except that each warning can also carry a note field.
A minimal configuration might look like this (the fingerprint values below are placeholders; the auto-generated file will contain the real fingerprints and more information):
{
  "ignored_warnings": [
    {
      "fingerprint": "<fingerprint of the first warning>",
      "note": "ignore foo"
    },
    {
      "fingerprint": "<fingerprint of the second warning>",
      "note": "ignore bar"
    }
  ]
}
This functionality was introduced in Railroader 2.1.0.
Creating and Managing an Ignore File
The -I option (or --interactive-ignore if you are not into the whole brevity thing) is the simplest way to create and manage an ignore configuration.
Use the -I option with a regular run of Railroader.
After the scan, Railroader will ask for an existing configuration file to load:
Input file: |config/railroader.ignore|
Unless there is an existing file somewhere else, just press enter to continue. If the file does not exist, Railroader will prompt:
No such file. Continue with empty config?
Enter y unless there is an existing file elsewhere.
Next, Railroader will ask what to do:
1. Inspect all warnings
2. Hide previously ignored warnings
3. Skip - use current ignore configuration
Enter 1 to step through all warnings. Enter 2 to step through all warnings except those which were already ignored. Enter 3 to skip the whole process and leave things as-is.
If 1 or 2, Railroader will now present each warning in turn and ask what to do with it:
These are the options:
i - Add warning to ignore list
n - Add warning to ignore list and add note
s - Skip this warning (will remain ignored or shown)
u - Remove this warning from ignore list
a - Ignore this warning and all remaining warnings
k - Skip this warning and all remaining warnings
q - Quit, do not update ignored warnings
? - Display this help
After stepping through the warnings, Railroader will ask if the changes should be saved:
1. Save changes
2. Start over
3. Quit, do not save changes
Enter 1 to save the changes to a file. Enter 2 to step through the warnings again. Enter 3 to discard the changes.
If 1, Railroader will ask where to save the file. The default, config/railroader.ignore, is recommended.
After that, the scan report will be generated, with the specified warnings ignored.
Specifying an Ignore File
By default, Railroader will look in the config directory of the application being scanned for a file named railroader.ignore. If this file exists, it will automatically be loaded and used.
Otherwise, the location of the configuration file can be set using --ignore-config with the file name, relative to the root of the Rails application.
When Warnings are Ignored
JSON reports include an array of ignored_warnings, HTML reports have a table of ignored warnings which is hidden by default, and the basic text output will include the number of warnings ignored, if any.
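As an added example (not part of Railroader or of this page), here is a Ruby script that audits an ignore file of the format described above against the ignored_warnings array of the JSON report: it flags entries that carry no note, duplicate entries, and stale entries whose warning the scanner no longer matches. The fingerprint key and the sample data are assumptions.

```ruby
require 'json'

# Constructed sample ignore file, in the format this page describes
# (an ignored_warnings list whose entries carry a note). The "fingerprint"
# key is an assumption: it is the field the scanner matches entries on.
IGNORE_FILE = <<~JSON
  {
    "ignored_warnings": [
      { "fingerprint": "aaaa1111", "note": "ignore foo" },
      { "fingerprint": "bbbb2222", "note": "" },
      { "fingerprint": "cccc3333" },
      { "fingerprint": "aaaa1111", "note": "ignore foo again" }
    ]
  }
JSON

# Constructed sample JSON report; only its ignored_warnings array is used.
REPORT_FILE = <<~JSON
  { "ignored_warnings": [ { "fingerprint": "aaaa1111" },
                          { "fingerprint": "bbbb2222" } ] }
JSON

# Audit an ignore configuration against the JSON report of the latest scan.
# Returns a hash of finding kind => fingerprints; an empty hash means clean.
def audit_ignore_config(ignore_json, report_json)
  ignored  = JSON.parse(ignore_json).fetch('ignored_warnings', [])
  reported = JSON.parse(report_json).fetch('ignored_warnings', [])
  still_matched = reported.map { |w| w['fingerprint'] }
  findings = Hash.new { |h, k| h[k] = [] }
  seen = {}
  ignored.each do |entry|
    fp   = entry['fingerprint']
    note = entry['note'].to_s.strip
    # Every ignored warning should record why it was judged a false positive.
    findings[:missing_note] << fp if note.empty?
    # The same fingerprint twice usually means the file was edited by hand.
    findings[:duplicate] << fp if seen[fp]
    seen[fp] = true
    # Not in the report's ignored_warnings: the scanner no longer matches it,
    # so the code changed and the entry should be re-reviewed, not kept.
    findings[:stale] << fp unless still_matched.include?(fp)
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_ignore_config(IGNORE_FILE, REPORT_FILE).each do |kind, fps|
    puts "#{kind}: #{fps.join(', ')}"
  end
end
```

Running it after each scan makes a good CI check: a stale or note-less entry fails the build until someone re-reviews the warning.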
Reducing false positives