<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.expertiza.ncsu.edu/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Jhkhamba</id>
	<title>Expertiza_Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.expertiza.ncsu.edu/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Jhkhamba"/>
	<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=Special:Contributions/Jhkhamba"/>
	<updated>2026-07-06T17:23:45Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.41.0</generator>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89974</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89974"/>
		<updated>2014-10-27T19:08:44Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Servo */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
''Task Supervision Diagram''&lt;br /&gt;
&lt;br /&gt;
[[File:Diagram1.jpg]]&lt;br /&gt;
&lt;br /&gt;
''Task Projection Diagram''&lt;br /&gt;
&lt;br /&gt;
[[File:Diagram2.jpg]]&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ Created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ Created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89973</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89973"/>
		<updated>2014-10-27T19:08:24Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Servo */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
''Task Supervision Diagram''&lt;br /&gt;
[[File:Diagram1.jpg]]&lt;br /&gt;
&lt;br /&gt;
''Task Projection Diagram''&lt;br /&gt;
[[File:Diagram2.jpg]]&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ Created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ Created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89972</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89972"/>
		<updated>2014-10-27T19:06:55Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Servo */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:Diagram1.jpg]]&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ Created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ Created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89971</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89971"/>
		<updated>2014-10-27T19:06:32Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Servo */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:Example1.jpg]]&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ Created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ Created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89970</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89970"/>
		<updated>2014-10-27T19:05:02Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Servo */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:Example.jpg]]&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ Created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ Created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89969</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89969"/>
		<updated>2014-10-27T19:02:59Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Servo */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[https://github.com/mozilla/servo/wiki/tasks-sup.png]]&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ Created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ Created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89968</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89968"/>
		<updated>2014-10-27T19:02:44Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:https://github.com/mozilla/servo/wiki/tasks-sup.png]]&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ Created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ Created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89965</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89965"/>
		<updated>2014-10-27T18:45:24Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Background Information */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ We have modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
We are planning to use parameterized variation of factory method design pattern to create instances of either html parser or Xml parser based on the HTTP Content-Type header. In html.rs file, instead of directly creating instances of ServoHtmlParser(like ServoHtmlParser::new..) ,we would be calling a function like build_parser by passing in HTTP Content-Type header as parameter. This build_parser method will return either instance of ServoHtmlParser or XML Parser based on the content type parameter. Here, build_parser will be acting as factory method .&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89964</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89964"/>
		<updated>2014-10-27T18:45:13Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Integrating an XML Parser */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ We have modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
We are planning to use parameterized variation of factory method design pattern to create instances of either html parser or Xml parser based on the HTTP Content-Type header. In html.rs file, instead of directly creating instances of ServoHtmlParser(like ServoHtmlParser::new..) ,we would be calling a function like build_parser by passing in HTTP Content-Type header as parameter. This build_parser method will return either instance of ServoHtmlParser or XML Parser based on the content type parameter. Here, build_parser will be acting as factory method .&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89963</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89963"/>
		<updated>2014-10-27T18:40:10Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ We have modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= Design Patterns =&lt;br /&gt;
We have followed “Programming to Interfaces, not an implementation” design principle while implementing initial step of our project. We have modified the code of html.rs to invoke Parser trait’s parse_chunk method instead of directly invoking instead of directly invoking the methods of ServoHtmlParser .Thereby in future , if in case we use any other parser instance instead of ServoHtmlParser , we need not modify the invocation logic in html.rs function.(Traits are similar  to interfaces in other languages).&lt;br /&gt;
&lt;br /&gt;
We are planning to use parameterized variation of factory method design pattern to create instances of either html parser or Xml parser based on the HTTP Content-Type header. In html.rs file, instead of directly creating instances of ServoHtmlParser(like ServoHtmlParser::new..) ,we would be calling a function like build_parser by passing in HTTP Content-Type header as parameter. This build_parser method will return either instance of ServoHtmlParser or XML Parser based on the content type parameter. Here, build_parser will be acting as factory method .&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89962</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89962"/>
		<updated>2014-10-27T18:36:05Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Servo */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, Mozilla are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ We have modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89961</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89961"/>
		<updated>2014-10-27T18:35:41Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Background Information */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
[https://github.com/servo/servo Servo] is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ We have modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014&amp;diff=89960</id>
		<title>CSC/ECE 517 Fall 2014</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014&amp;diff=89960"/>
		<updated>2014-10-27T18:34:49Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;*[[CSC/ECE_517_Fall_2014/sample_page]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a 22 as]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 19 mx]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 3 zq]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 4 lf]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 4 wl]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a a7 ch]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 25 rs]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 25 jf]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 8 os]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 8 sn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 15 gs]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 10 hu]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 20 kv]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 21 as]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 24 sa]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 26 sn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 6 rl]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 2 ss]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 16 av]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 1 rm]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 1 sj]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 23 ss]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 20 rn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 22 sp]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 26 gn]]&lt;br /&gt;
&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 13 va]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 9 aa]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 9 kn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 11 ap]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 25 ks]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 7 kz]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a_6_bn]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a 10 zz]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a 16 va]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a F1415 rv]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a_3_cp]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1b 26 sa]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b_28_cg]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b 29 ry]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b 30 cs]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b_33_jy]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b_27_js]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/oss E1465 oak]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/oss_M1456_kdv]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/oss_M1453_sst]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/oss_E1456_akk]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/oss_M1455_asa]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/oss_E1458_sst]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/oss_E1457_ags]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/OSS_E1466_gjf]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/oss_M1452_jns]]&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014&amp;diff=89958</id>
		<title>CSC/ECE 517 Fall 2014</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014&amp;diff=89958"/>
		<updated>2014-10-27T18:34:23Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;*[[CSC/ECE_517_Fall_2014/sample_page]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a 22 as]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 19 mx]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 3 zq]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 4 lf]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 4 wl]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a a7 ch]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 25 rs]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 25 jf]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 8 os]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 8 sn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 15 gs]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 10 hu]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 20 kv]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 21 as]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 24 sa]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 26 sn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 6 rl]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 2 ss]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 16 av]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 1 rm]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 1 sj]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 23 ss]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 20 rn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 22 sp]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 26 gn]]&lt;br /&gt;
&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 13 va]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 9 aa]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 9 kn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 11 ap]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 25 ks]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 7 kz]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a_6_bn]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a 10 zz]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a 16 va]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a F1415 rv]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a_3_cp]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1b 26 sa]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b_28_cg]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b 29 ry]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b 30 cs]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b_33_jy]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b_27_js]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/oss E1465 oak]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/oss_M1456_kdv]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/oss_M1453_sst]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/oss_E1456_akk]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/oss_M1455_asa]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/oss_E1458_sst]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/oss_E1457_ags]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/OSS_E1466_gjf]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/OSS_M1452_jns]]&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89955</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89955"/>
		<updated>2014-10-27T18:28:08Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Steps of Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;code&amp;gt;/components/script/dom/servohtmlparser.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ We have modified &amp;lt;code&amp;gt;servo/components/script/parse/html.rs&amp;lt;/code&amp;gt; to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89954</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89954"/>
		<updated>2014-10-27T18:27:32Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Steps of Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:   &amp;lt;code&amp;gt; servo/components/script/parse/mod.rs&amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo &amp;lt;/components/script/dom/servohtmlparser.rs&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ We have modified servo/components/script/parse/html.rs to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89953</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89953"/>
		<updated>2014-10-27T18:26:37Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Steps of Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:    servo/components/script/parse/mod.rs&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
    pub mod html;&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo /components/script/dom/servohtmlparser.rs&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ We have modified servo/components/script/parse/html.rs to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89952</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89952"/>
		<updated>2014-10-27T18:26:20Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Steps of Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:    servo/components/script/parse/mod.rs&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
    pub mod html;&lt;br /&gt;
&lt;br /&gt;
    pub trait Parser {&lt;br /&gt;
        fn parse_chunk(&amp;amp;self,input: String);&lt;br /&gt;
        fn finish(&amp;amp;self);&lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo /components/script/dom/servohtmlparser.rs&lt;br /&gt;
&lt;br /&gt;
    impl Parser for ServoHTMLParser{&lt;br /&gt;
        fn parse_chunk(&amp;amp;self, input: String) {&lt;br /&gt;
  	    self.tokenizer().borrow_mut().feed(input);&lt;br /&gt;
        }&lt;br /&gt;
        fn finish(&amp;amp;self){&lt;br /&gt;
  	    self.tokenizer().borrow_mut().end();&lt;br /&gt;
        }  &lt;br /&gt;
    }&lt;br /&gt;
&lt;br /&gt;
→ We have modified servo/components/script/parse/html.rs to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
     InputString(s) =&amp;gt; {&lt;br /&gt;
            parser.parse_chunk(s);&lt;br /&gt;
        }&lt;br /&gt;
&lt;br /&gt;
    InputUrl(url) =&amp;gt; {&lt;br /&gt;
            let load_response = load_response.unwrap();&lt;br /&gt;
            match load_response.metadata.content_type {&lt;br /&gt;
                Some((ref t, _)) if t.as_slice().eq_ignore_ascii_case(&amp;quot;image&amp;quot;) =&amp;gt; {&lt;br /&gt;
                    let page = format!(&amp;quot;&amp;lt;html&amp;gt;&amp;lt;body&amp;gt;&amp;lt;img src='{:s}' /&amp;gt;&amp;lt;/body&amp;gt;&amp;lt;/html&amp;gt;&amp;quot;, base_url.as_ref().unwrap().serialize());&lt;br /&gt;
                    parser.parse_chunk(page);&lt;br /&gt;
                },&lt;br /&gt;
    &lt;br /&gt;
    Payload(data) =&amp;gt; {&lt;br /&gt;
                                // FIXME: use Vec&amp;lt;u8&amp;gt; (html5ever #34)&lt;br /&gt;
                                let data = UTF_8.decode(data.as_slice(), DecodeReplace).unwrap();&lt;br /&gt;
                                parser.parse_chunk(data);&lt;br /&gt;
                            }&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89948</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89948"/>
		<updated>2014-10-27T18:15:43Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Steps of Implementation */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
→ We created a new file mod.rs in the following directory:    servo/components/script/parse/mod.rs&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo / components/script/dom/servohtmlparser.rs&lt;br /&gt;
&lt;br /&gt;
→ We have modified servo/components/script/parse/html.rs to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89947</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89947"/>
		<updated>2014-10-27T18:15:01Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Prerequisites =&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
= Steps of Implementation =&lt;br /&gt;
&lt;br /&gt;
We created a new file mod.rs in the following directory:    servo/components/script/parse/mod.rs&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo / components/script/dom/servohtmlparser.rs&lt;br /&gt;
&lt;br /&gt;
→ We have modified servo/components/script/parse/html.rs to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89946</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89946"/>
		<updated>2014-10-27T18:14:33Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Background Information */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Prerequisites ==&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
== Steps of Implementation ==&lt;br /&gt;
&lt;br /&gt;
We created a new file mod.rs in the following directory:    servo/components/script/parse/mod.rs&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo / components/script/dom/servohtmlparser.rs&lt;br /&gt;
&lt;br /&gt;
→ We have modified servo/components/script/parse/html.rs to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
= References =&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89945</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89945"/>
		<updated>2014-10-27T18:14:03Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Prerequisites ==&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
== Steps of Implementation ==&lt;br /&gt;
&lt;br /&gt;
We created a new file mod.rs in the following directory:    servo/components/script/parse/mod.rs&lt;br /&gt;
&lt;br /&gt;
→ We have created a Parser Trait with the parse_chunk method in this mod.rs&lt;br /&gt;
&lt;br /&gt;
→ Implementation of this Parser trait for the ServoHTML Parser struct is in the servo / components/script/dom/servohtmlparser.rs&lt;br /&gt;
&lt;br /&gt;
→ We have modified servo/components/script/parse/html.rs to invoke the parse_chunk method appropriately.&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89943</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89943"/>
		<updated>2014-10-27T18:06:01Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Prerequisites */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Prerequisites ==&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Building Servo''' &lt;br /&gt;
&lt;br /&gt;
''Normal Build''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ./mach build&lt;br /&gt;
    ./mach run tests/html/about-mozilla.html &lt;br /&gt;
&lt;br /&gt;
''Building for Android target''&lt;br /&gt;
&lt;br /&gt;
    git clone https://github.com/servo/servo&lt;br /&gt;
    cd servo&lt;br /&gt;
    ANDROID_TOOLCHAIN=/path/to/toolchain ANDROID_NDK=/path/to/ndk PATH=$PATH:/path/to/toolchain/bin ./mach build --android&lt;br /&gt;
    cd ports/android&lt;br /&gt;
    ANDROID_SDK=/path/to/sdk make install&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89941</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89941"/>
		<updated>2014-10-27T18:03:13Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Prerequisites */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Prerequisites ==&lt;br /&gt;
'''Installing Dependencies for Servo'''  &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The list of commands to install the dependencies on various platforms are&amp;lt;ref name = github&amp;gt;[https://github.com/servo/servo Servo Github]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89939</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89939"/>
		<updated>2014-10-27T18:01:54Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Prerequisites */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Prerequisites ==&lt;br /&gt;
'''Installing Dependencies for Servo''' &lt;br /&gt;
The list of commands to install the dependencies on various platforms are&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
    brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
    pip install virtualenv&lt;br /&gt;
&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
    sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
    sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
    sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
        freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
        fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
        rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
    pushd .&lt;br /&gt;
    cd /tmp&lt;br /&gt;
    wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
    rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
    sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
    popd&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
    sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89938</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89938"/>
		<updated>2014-10-27T18:00:37Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Prerequisites ==&lt;br /&gt;
'''Installing Dependencies for Servo''' &lt;br /&gt;
The list of commands to install the dependencies on various platforms are&lt;br /&gt;
&lt;br /&gt;
On OS X (homebrew):&lt;br /&gt;
&lt;br /&gt;
brew install automake pkg-config python glfw3 cmake&lt;br /&gt;
pip install virtualenv&lt;br /&gt;
On OS X (MacPorts):&lt;br /&gt;
&lt;br /&gt;
sudo port install python27 py27-virtualenv cmake&lt;br /&gt;
On Debian-based Linuxes:&lt;br /&gt;
&lt;br /&gt;
sudo apt-get install curl freeglut3-dev \&lt;br /&gt;
    libfreetype6-dev libgl1-mesa-dri libglib2.0-dev xorg-dev \&lt;br /&gt;
    msttcorefonts gperf g++ cmake python-virtualenv \&lt;br /&gt;
    libssl-dev libglfw-dev&lt;br /&gt;
On Fedora:&lt;br /&gt;
&lt;br /&gt;
sudo yum install curl freeglut-devel libtool gcc-c++ libXi-devel \&lt;br /&gt;
    freetype-devel mesa-libGL-devel glib2-devel libX11-devel libXrandr-devel gperf \&lt;br /&gt;
    fontconfig-devel cabextract ttmkfdir python python-virtualenv expat-devel \&lt;br /&gt;
    rpm-build openssl-devel glfw-devel cmake&lt;br /&gt;
pushd .&lt;br /&gt;
cd /tmp&lt;br /&gt;
wget http://corefonts.sourceforge.net/msttcorefonts-2.5-1.spec&lt;br /&gt;
rpmbuild -bb msttcorefonts-2.5-1.spec&lt;br /&gt;
sudo yum install $HOME/rpmbuild/RPMS/noarch/msttcorefonts-2.5-1.noarch.rpm&lt;br /&gt;
popd&lt;br /&gt;
On Arch Linux:&lt;br /&gt;
&lt;br /&gt;
sudo pacman -S base-devel git python2 python2-virtualenv mesa glfw ttf-font cmake&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89937</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89937"/>
		<updated>2014-10-27T17:56:45Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Integrating an XML Parser */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89935</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89935"/>
		<updated>2014-10-27T17:55:43Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Integrating an XML Parser */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
Servo is an experimental web browser layout engine being developed by Mozilla Research. The prototype seeks to create a highly parallel environment, in which many components (such as rendering, layout, HTML parsing, image decoding, etc.) are handled by fine-grained, isolated tasks. The project has a symbiotic relationship with the Rust programming language, in which it is being developed.&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89933</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89933"/>
		<updated>2014-10-27T17:48:52Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Servo */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
This wiki is about the project M 1452: Integrate an XML Parser, which is a part of the ongoing development on the Servo browser. Below you can find a brief description about the servo project, rust programming language, requirements of this particular project, setting up of the development environment and other relevant details.&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
Servo is an experimental project to build a Web browser engine for a new generation of hardware: mobile devices, multi-core processors and high-performance GPUs. With Servo, we are rethinking the browser at every level of the technology stack — from input parsing to page layout to graphics rendering — to optimize for power efficiency and maximum parallelism.&lt;br /&gt;
&lt;br /&gt;
Servo builds on top of Rust to provide a secure and reliable foundation. Memory safety at the core of the platform ensures a high degree of assurance in the browser’s trusted computing base. Rust’s lightweight task mechanism also promises to allow fine-grained isolation between browser components, such as tabs and extensions, without the need for expensive runtime protection schemes, like operating system process isolation.&amp;lt;ref name=Rust&amp;gt;&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89932</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89932"/>
		<updated>2014-10-27T17:46:23Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Rust */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
This wiki is about the project M 1452: Integrate an XML Parser, which is a part of the ongoing development on the Servo browser. Below you can find a brief description about the servo project, rust programming language, requirements of this particular project, setting up of the development environment and other relevant details.&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rust combines powerful and flexible modern programming constructs with a clear performance model to make program efficiency predictable and manageable. One important way it achieves this is by allowing fine-grained control over memory allocation through contiguous records and stack allocation. This control is balanced with the absolute requirement of safety: Rust’s type system and runtime guarantee the absence of data races, buffer overflow, stack overflow or access to uninitialized or deallocated memory. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89930</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89930"/>
		<updated>2014-10-27T17:44:48Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Rust */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
This wiki is about the project M 1452: Integrate an XML Parser, which is a part of the ongoing development on the Servo browser. Below you can find a brief description about the servo project, rust programming language, requirements of this particular project, setting up of the development environment and other relevant details.&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/ Overview of Mozilla Research Projects]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89929</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89929"/>
		<updated>2014-10-27T17:44:19Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Rust */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
This wiki is about the project M 1452: Integrate an XML Parser, which is a part of the ongoing development on the Servo browser. Below you can find a brief description about the servo project, rust programming language, requirements of this particular project, setting up of the development environment and other relevant details.&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
It's designed to support concurrency and parallelism in building platforms that take full advantage of modern hardware. Its static type system is safe and expressive and it provides strong guarantees about isolation, concurrency execution and memory safety. &amp;lt;ref name=Rust&amp;gt;[https://www.mozilla.org/en-US/research/projects/]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89928</id>
		<title>CSC/ECE 517 Fall 2014/oss M1452 jns</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/oss_M1452_jns&amp;diff=89928"/>
		<updated>2014-10-27T17:42:30Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Integrating an XML Parser =&lt;br /&gt;
This wiki is about the project M 1452: Integrate an XML Parser, which is a part of the ongoing development on the Servo browser. Below you can find a brief description about the servo project, rust programming language, requirements of this particular project, setting up of the development environment and other relevant details.&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
= Background Information =&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Rust ==&lt;br /&gt;
[http://www.rust-lang.org/ Rust] is a systems language for writing high performance applications that are usually written in C or C++ but it was developed to prevent some of the problems related to invalid memory accesses that generate segmentation faults. It covers imperative, functional and object-oriented programming.&lt;br /&gt;
&lt;br /&gt;
== Servo ==&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89528</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89528"/>
		<updated>2014-10-13T20:18:09Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Introduction */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix. &amp;lt;ref name=confreaks&amp;gt;[http://www.confreaks.com/videos/890-railsconf2012-keeping-rails-applications-on-track-with-brakeman Keeping Rails Applications on track with Brakeman]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
==Comparison with other Security Scanners==&lt;br /&gt;
&lt;br /&gt;
Here is a comparison of Brakeman with other security scanners&amp;lt;ref name=comp&amp;gt;[https://www.ruby-toolbox.com/categories/security_tools Rails Security Scanners]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! !! Brakeman!! Loofah!! Tarantula&lt;br /&gt;
|-&lt;br /&gt;
| '''No. of Downloads''' || 769667|| 623965|| 24151&lt;br /&gt;
|-&lt;br /&gt;
| '''Last Release''' || about a month ago|| about a month ago|| about a year ago&lt;br /&gt;
|-&lt;br /&gt;
| '''Activity''' || Active|| Less Active|| Inactive&lt;br /&gt;
|-&lt;br /&gt;
| '''Security Score''' || 2.644|| 1.071 || 0.449&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Further Reading==&lt;br /&gt;
&lt;br /&gt;
[http://www.confreaks.com/videos/890-railsconf2012-keeping-rails-applications-on-track-with-brakeman Keeping Rails Applications on Track with Brakeman]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89527</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89527"/>
		<updated>2014-10-13T20:17:25Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Introduction */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix. &amp;lt;ref name=confreaks&amp;gt;[http://www.confreaks.com/videos/890-railsconf2012-keeping-rails-applications-on-track-with-brakeman Keeping Rails Applications on track with Brakeman&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
==Comparison with other Security Scanners==&lt;br /&gt;
&lt;br /&gt;
Here is a comparison of Brakeman with other security scanners&amp;lt;ref name=comp&amp;gt;[https://www.ruby-toolbox.com/categories/security_tools Rails Security Scanners]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! !! Brakeman!! Loofah!! Tarantula&lt;br /&gt;
|-&lt;br /&gt;
| '''No. of Downloads''' || 769667|| 623965|| 24151&lt;br /&gt;
|-&lt;br /&gt;
| '''Last Release''' || about a month ago|| about a month ago|| about a year ago&lt;br /&gt;
|-&lt;br /&gt;
| '''Activity''' || Active|| Less Active|| Inactive&lt;br /&gt;
|-&lt;br /&gt;
| '''Security Score''' || 2.644|| 1.071 || 0.449&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Further Reading==&lt;br /&gt;
&lt;br /&gt;
[http://www.confreaks.com/videos/890-railsconf2012-keeping-rails-applications-on-track-with-brakeman Keeping Rails Applications on Track with Brakeman]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89525</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89525"/>
		<updated>2014-10-13T20:16:56Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix. &amp;lt;ref name=brakeman&amp;gt;[http://www.confreaks.com/videos/890-railsconf2012-keeping-rails-applications-on-track-with-brakeman Keeping Rails Applications on track with Brakeman&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
==Comparison with other Security Scanners==&lt;br /&gt;
&lt;br /&gt;
Here is a comparison of Brakeman with other security scanners&amp;lt;ref name=comp&amp;gt;[https://www.ruby-toolbox.com/categories/security_tools Rails Security Scanners]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! !! Brakeman!! Loofah!! Tarantula&lt;br /&gt;
|-&lt;br /&gt;
| '''No. of Downloads''' || 769667|| 623965|| 24151&lt;br /&gt;
|-&lt;br /&gt;
| '''Last Release''' || about a month ago|| about a month ago|| about a year ago&lt;br /&gt;
|-&lt;br /&gt;
| '''Activity''' || Active|| Less Active|| Inactive&lt;br /&gt;
|-&lt;br /&gt;
| '''Security Score''' || 2.644|| 1.071 || 0.449&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Further Reading==&lt;br /&gt;
&lt;br /&gt;
[http://www.confreaks.com/videos/890-railsconf2012-keeping-rails-applications-on-track-with-brakeman Keeping Rails Applications on Track with Brakeman]&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89517</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89517"/>
		<updated>2014-10-13T18:38:59Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Comparison with other Security Scanners */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
==Comparison with other Security Scanners==&lt;br /&gt;
&lt;br /&gt;
Here is a comparison of Brakeman with other security scanners&amp;lt;ref name=comp&amp;gt;[https://www.ruby-toolbox.com/categories/security_tools Rails Security Scanners]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! !! Brakeman!! Loofah!! Tarantula&lt;br /&gt;
|-&lt;br /&gt;
| '''No. of Downloads''' || 769667|| 623965|| 24151&lt;br /&gt;
|-&lt;br /&gt;
| '''Last Release''' || about a month ago|| about a month ago|| about a year ago&lt;br /&gt;
|-&lt;br /&gt;
| '''Activity''' || Active|| Less Active|| Inactive&lt;br /&gt;
|-&lt;br /&gt;
| '''Security Score''' || 2.644|| 1.071 || 0.449&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89516</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89516"/>
		<updated>2014-10-13T18:38:19Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
==Comparison with other Security Scanners==&lt;br /&gt;
&lt;br /&gt;
Here is a comparison of Brakeman with other security scanners&amp;lt;ref name=comp&amp;gt;[https://www.ruby-toolbox.com/categories/security_tools ]&amp;lt;/ref&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! !! Brakeman!! Loofah!! Tarantula&lt;br /&gt;
|-&lt;br /&gt;
| '''No. of Downloads''' || 769667|| 623965|| 24151&lt;br /&gt;
|-&lt;br /&gt;
| '''Last Release''' || about a month ago|| about a month ago|| about a year ago&lt;br /&gt;
|-&lt;br /&gt;
| '''Activity''' || Active|| Less Active|| Inactive&lt;br /&gt;
|-&lt;br /&gt;
| '''Security Score''' || 2.644|| 1.071 || 0.449&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89515</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89515"/>
		<updated>2014-10-13T18:37:27Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Comparison with other Security Scanners */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
==Comparison with other Security Scanners==&lt;br /&gt;
&lt;br /&gt;
Here is a comparison of Brakeman with other security scanners&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! !! Brakeman!! Loofah!! Tarantula&lt;br /&gt;
|-&lt;br /&gt;
| '''No. of Downloads''' || 769667|| 623965|| 24151&lt;br /&gt;
|-&lt;br /&gt;
| '''Last Release''' || about a month ago|| about a month ago|| about a year ago&lt;br /&gt;
|-&lt;br /&gt;
| '''Activity''' || Active|| Less Active|| Inactive&lt;br /&gt;
|-&lt;br /&gt;
| '''Security Score''' || 2.644|| 1.071 || 0.449&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89514</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89514"/>
		<updated>2014-10-13T18:35:43Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Comparison with other Security Scanners */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
==Comparison with other Security Scanners==&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! !! Brakeman!! Loofah!! Tarantula&lt;br /&gt;
|-&lt;br /&gt;
| '''No. of Downloads''' || 769667|| 623965|| 24151&lt;br /&gt;
|-&lt;br /&gt;
| '''Last Release''' || about a month ago|| about a month ago|| about a year ago&lt;br /&gt;
|-&lt;br /&gt;
| '''Activity''' || Active|| Less Active|| Inactive&lt;br /&gt;
|-&lt;br /&gt;
| '''Security Score''' || 2.644|| 1.071 || 0.449&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89513</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89513"/>
		<updated>2014-10-13T18:33:45Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Comparison with other Security Scanners */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
==Comparison with other Security Scanners==&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! !! Brakeman!! Loofah!! Tarantula&lt;br /&gt;
|-&lt;br /&gt;
| '''No. of Downloads''' || ExampleR1C1 || ExampleR1C2 || ExampleR1C3&lt;br /&gt;
|-&lt;br /&gt;
| '''Activity''' || ExampleR2C1 || ExampleR2C2 || ExampleR2C3&lt;br /&gt;
|-&lt;br /&gt;
| '''Last Release''' || ExampleR3C1 || ExampleR3C2 || ExampleR3C3&lt;br /&gt;
|-&lt;br /&gt;
| '''Security Score''' || ExampleR1C1 || ExampleR1C2 || ExampleR1C3&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89512</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89512"/>
		<updated>2014-10-13T18:31:19Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
==Comparison with other Security Scanners==&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Brakeman!! Loofah!! Tarantula&lt;br /&gt;
|-&lt;br /&gt;
| ExampleR1C1 || ExampleR1C2 || ExampleR1C3&lt;br /&gt;
|-&lt;br /&gt;
| ExampleR2C1 || ExampleR2C2 || ExampleR2C3&lt;br /&gt;
|-&lt;br /&gt;
| ExampleR3C1 || ExampleR3C2 || ExampleR3C3&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89511</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89511"/>
		<updated>2014-10-13T18:13:48Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Background */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=VulnerabilityScanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Vulnerability Scanning]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89510</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89510"/>
		<updated>2014-10-13T18:13:18Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Background */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside.&amp;lt;ref name=Vulnerability Scanning&amp;gt;[http://www.redant.com.au/automated-testing/vulnerability-scanning-ruby-on-rails/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89509</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89509"/>
		<updated>2014-10-13T18:11:52Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Background */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
Brakeman is a vulnerability scanner that scans your code from the inside. This allows Brakeman to view the database structure and the logic and structure of the application. This is smart scanning as it does not need to scan 100's of webpages that all use the same application code. It only scans that piece of code once.&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89257</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89257"/>
		<updated>2014-10-06T23:11:32Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;'''Software security in Ruby on Rails web applications using Brakeman scanner'''&amp;lt;br&amp;gt;&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89254</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89254"/>
		<updated>2014-10-06T23:10:07Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Introduction */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Software security in Ruby on Rails web applications using Brakeman scanner&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89251</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89251"/>
		<updated>2014-10-06T23:06:51Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Introduction */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Software security in Ruby on Rails web applications using Brakeman scanner&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014&amp;diff=89219</id>
		<title>CSC/ECE 517 Fall 2014</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014&amp;diff=89219"/>
		<updated>2014-10-06T21:33:14Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;*[[CSC/ECE_517_Fall_2014/sample_page]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a 22 as]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 19 mx]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 3 zq]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 4 lf]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 4 wl]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a a7 ch]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 25 jf]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 8 os]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 8 sn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 15 gs]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 10 hu]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 20 kv]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 21 as]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 24 sa]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 26 sn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 6 rl]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 2 ss]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 16 av]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 1 rm]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 1 sj]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 23 ss]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 20 rn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 22 sp]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 26 gn]]&lt;br /&gt;
&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 13 va]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 9 aa]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 9 kn]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 11 ap]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 25 ks]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1a 7 kz]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a_6_bn]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a 10 zz]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a 16 va]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a F1415 rv]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1a_3_cp]]&lt;br /&gt;
*[[CSC/ECE 517 Fall 2014/ch1b 26 sa]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b_28_cg]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b 29 ry]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b 30 cs]]&lt;br /&gt;
*[[CSC/ECE_517_Fall_2014/ch1b_33_jy]]&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
	<entry>
		<id>https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89210</id>
		<title>CSC/ECE 517 Fall 2014/ch1b 33 jy</title>
		<link rel="alternate" type="text/html" href="https://wiki.expertiza.ncsu.edu/index.php?title=CSC/ECE_517_Fall_2014/ch1b_33_jy&amp;diff=89210"/>
		<updated>2014-10-06T20:09:49Z</updated>

		<summary type="html">&lt;p&gt;Jhkhamba: /* Introduction */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Software security in Ruby on Rails web applications using Brakeman scanner&lt;br /&gt;
==Introduction==&lt;br /&gt;
[http://brakemanscanner.org/ Brakeman] is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt;&lt;br /&gt;
Lift borrows fro  Brakeman scans your application by looking at your source code, which means it is not necessary to set up your application stack to use it. Once the scan is complete, Brakeman displays a list of all security issues that were found.&lt;br /&gt;
&lt;br /&gt;
[https://docs.google.com/document/d/1--CEtBpSUACsjSSXtDB5bNIOBzHoMJPr8W0DSqasO_4/edit?usp=sharing Writeup Page]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
&lt;br /&gt;
==Background==&lt;br /&gt;
&lt;br /&gt;
* 2011 - v1.0 released - Brakeman can now be used as a library&lt;br /&gt;
* v1.2 - Added rake options to create rake task to run Brakeman&lt;br /&gt;
* v1.3 - Added skip files option&lt;br /&gt;
* v1.5 - Added JSON Report Format &lt;br /&gt;
* v1.7 - Improved processing of Rails 3 routes&lt;br /&gt;
* v1.9 -  Updated to RubyParser 3&lt;br /&gt;
* v2.0 - Combine deserialization checks into single check&lt;br /&gt;
* v2.1 - Support for ignoring warnings&lt;br /&gt;
* v2.2 - Reduce command injection false positives&lt;br /&gt;
* v2.4 - Detect SQL Injection in ‘delete_all’/’destroy_all’&lt;br /&gt;
* v2.6 - Parse most files upfront instead of on demand&lt;br /&gt;
&lt;br /&gt;
==Installation&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/install/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
One can install Brakeman in 3 ways.&lt;br /&gt;
===Using RubyGems===&lt;br /&gt;
Brakeman can be installed by executing below gem install command at ruby prompt.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
If you are among those people who are skeptical about installing unsigned gems, we have good news for you, Brakeman gems are now signed.&lt;br /&gt;
To verify the Brakeman gem, one must add the [https://github.com/presidentbeef/brakeman/blob/master/brakeman-public_cert.pem public Brakeman certificate] to their trusted list by using below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem cert --add &amp;lt;(curl -Ls https://raw.github.com/presidentbeef/brakeman/master/brakeman-public_cert.pem)&amp;lt;/pre&amp;gt;&lt;br /&gt;
certificate can also be added to trusted list by manually downloading and adding it.&lt;br /&gt;
Once certificate is added gems can be installed with trust policy.&lt;br /&gt;
*HighSecurity trust policy implies that all dependent gems must be signed and verified. &lt;br /&gt;
*MediumSecurity trust policy implies that all signed dependent gems must be verified.&lt;br /&gt;
Since all the dependent dependencies are not yet signed by their authors at this time, only MediumSecurity can be enforced.&lt;br /&gt;
&amp;lt;pre&amp;gt;gem install brakeman -P MediumSecurity&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Bundle install===&lt;br /&gt;
Brakeman can be added to a Gemfile using below line&lt;br /&gt;
&amp;lt;pre&amp;gt;gem &amp;quot;brakeman&amp;quot;, :require =&amp;gt; false&amp;lt;/pre&amp;gt;&lt;br /&gt;
Adding Brakeman gem to Gemfile enables it to be installed as part of bundle install.&lt;br /&gt;
&lt;br /&gt;
===Source code===&lt;br /&gt;
If you would like to have latest version of Brakeman you can always clone the Brakeman git project, build the gem yourself and install it.&lt;br /&gt;
Following are the commands used to install Brakeman from source code.&lt;br /&gt;
&amp;lt;pre&amp;gt;git clone git://github.com/presidentbeef/brakeman.git&lt;br /&gt;
cd brakeman&lt;br /&gt;
gem build brakeman.gemspec&lt;br /&gt;
gem install brakeman-*.gem&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Running Brakeman==&lt;br /&gt;
You can run Brakeman in 2 ways.&lt;br /&gt;
===Running brakeman from your rails app directory===&lt;br /&gt;
&amp;lt;pre&amp;gt;cd your_rails_app/&lt;br /&gt;
brakeman&amp;lt;/pre&amp;gt;&lt;br /&gt;
This will scan the application in the current directory and output a report to the command line.&lt;br /&gt;
===Supplying path as an option to Brakeman===&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman your_rails_app&amp;lt;/pre&amp;gt;&lt;br /&gt;
where your_rails_app is the path to your rails application.&lt;br /&gt;
&lt;br /&gt;
==Options&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/options/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
===Output Options===&lt;br /&gt;
====Output File====&lt;br /&gt;
To specify an output file for the results:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o output_file&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Output Format====&lt;br /&gt;
The output format is determined by the file extension used with the -o option or by using the -f option. Current options are: text, html, tabs, and csv.&lt;br /&gt;
For example, to output an HTML report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Message Length===&lt;br /&gt;
By default, brakeman truncates warning messages to 100 characters. The --message-limit option can be used to adjust this. Setting the limit to -1 will disable truncation completely.&lt;br /&gt;
===Quiet Operation===&lt;br /&gt;
To suppress informational warnings and just output the report:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -q&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Debugging Information===&lt;br /&gt;
To see all kinds of debugging information:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -d&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Scanning Options===&lt;br /&gt;
====Specify Path to Application====&lt;br /&gt;
Usually the path to the Rails app is the last argument. Optionally, the --path option can be used to specify a path.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --path your_rails_app -o report.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Manually Turn on XSS Protection====&lt;br /&gt;
If you are using the rails_xss gem or some other plugin, but Brakeman is not detecting it, the --escape-html option will use Erubis for rendering ERB files and turn on HTML escaping for ERB and HAML.&lt;br /&gt;
====Manually Turn on Rails 3 Support====&lt;br /&gt;
Brakeman should detect Rails 3 applications, but if not the -3 will switch Brakeman to Rails 3 mode.&lt;br /&gt;
====Specifying Which Checks to Run====&lt;br /&gt;
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes&amp;lt;/pre&amp;gt;&lt;br /&gt;
Multiple checks should be separated by a comma:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -x DefaultRoutes,Redirect&amp;lt;/pre&amp;gt;&lt;br /&gt;
To do the opposite and only run a certain set of tests:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -t SQL,ValidationRegex&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Report Routes====&lt;br /&gt;
To see what actions brakeman has detected as being routes, use the --routes option.&lt;br /&gt;
===Warning Options===&lt;br /&gt;
====Ignore Safe Methods====&lt;br /&gt;
To indicate certain methods are “safe”:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -s benign_method,totally_safe&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Assume Unknown Methods are Safe====&lt;br /&gt;
By default, brakeman will assume that unknown methods involving untrusted data are dangerous. For example, this would raise a warning (in Rails 2.x):&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(:option =&amp;gt; params[:input]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To only raise warnings only when untrusted data is being directly used:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -r&amp;lt;/pre&amp;gt;&lt;br /&gt;
====Ignore Model Output====&lt;br /&gt;
By default, brakeman will report unescaped model attributes as dangerous. To disregard these warnings, use --ignore-model-output.&lt;br /&gt;
====Set Minimum Confidence Level====&lt;br /&gt;
To only report warnings at or above a certain confidence level, use the -w option. &lt;br /&gt;
#Weak confidence&lt;br /&gt;
#Medium confidence&lt;br /&gt;
#High confidence&lt;br /&gt;
For example, to only show high confidence warnings:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman -w3&amp;lt;/pre&amp;gt;&lt;br /&gt;
 &lt;br /&gt;
==Confidence Levels&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/confidence/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman assigns each warning a confidence level. This rating is intended to indicate how certain Brakeman is that the given warning is a real problem.&lt;br /&gt;
The following guidelines are used:&lt;br /&gt;
*High - Either this is a simple warning or user input is very likely being used in unsafe ways.&lt;br /&gt;
*Medium - This generally indicates an unsafe use of a variable, but the variable may or may not be user input.&lt;br /&gt;
*Weak - Typically means user input was indirectly used in a potentially unsafe manner.&lt;br /&gt;
However, Brakeman can easily guess wrong, so it is best to read through all warnings and assess their importance manually.&lt;br /&gt;
&lt;br /&gt;
==Warning Types&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/warning_types/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Below are list of warnings Brakeman can detect and report in an application. You can know more about a warning by clicking on that warning.&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting Cross Site Scripting]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross_site_scripting_to_json Cross Site Scripting (JSON)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/content_tag Cross Site Scripting (Content Tag)]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/sql_injection SQL Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/command_injection Command Injection]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/mass_assignment Mass Assignment]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/attribute_restriction Attribute Restriction]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery Cross-Site Request Forgery]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/redirect Unsafe Redirects]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/default_routes Default Routes]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/format_validation Format Validation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/denial_of_service Denial of Service]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dynamic_render_paths Dynamic Render Paths]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_evaluation Dangerous Evaluation]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/unsafe_deserialization Unsafe Deserialization]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/file_access File Access]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/basic_authentication Basic Authentication]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/session_setting Session Settings]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/information_disclosure Information Disclosure]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/dangerous_send Dangerous Send]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/CVE-2011-0446 Mail Link]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution Remote Code Execution]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/remote_code_execution_yaml_load Remote Execution in YAML.load]&lt;br /&gt;
*[http://brakemanscanner.org/docs/warning_types/ssl_verification_bypass SSL Verification Bypass]&lt;br /&gt;
&lt;br /&gt;
==Reducing False Positives&amp;lt;ref&amp;gt;http://brakemanscanner.org/docs/reducing_false_positives/&amp;lt;/ref&amp;gt;==&lt;br /&gt;
Brakeman tries to report maximum number of warning. As of now there is no method for Brakeman to know certain items are actually safe or not. Hence false positives can become overwhelming. For this reason Brakeman provides options for customizing reports and reduce false positives.&lt;br /&gt;
===Specify Checks to Run===&lt;br /&gt;
One can specify Brakeman to run a specific set of checks/tests using --test.&lt;br /&gt;
For example, to only check for SQL injection and cross-site scripting:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --test CheckSQL,CheckCrossSiteScripting&amp;lt;/pre&amp;gt;&lt;br /&gt;
One can also specify Brakeman to exclude certain checks/test using --except.&lt;br /&gt;
To exclude checks for dynamic render paths:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --except CheckRender&amp;lt;/pre&amp;gt;&lt;br /&gt;
(‘Check’ can actually be omitted from the names.)&lt;br /&gt;
Both --test and --except options take a comma-separated list of check names, which are case-sensitive.&lt;br /&gt;
To get list of checks supported by Brakeman one can use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --checks&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Set Confidence Threshold===&lt;br /&gt;
Brakeman allows to set the confidence levels of warnings one would like to see in the report by using -w&lt;br /&gt;
For example if you want Brakeman to report high and medium confidence warnings only use below command.&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman –w2&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Mark Methods as Safe===&lt;br /&gt;
If you want Brakeman to ignore some methods, this can be achieved by using --safe-methods option. This option can take methods as a comma-separated list.&lt;br /&gt;
For example:&lt;br /&gt;
&amp;lt;pre&amp;gt;brakeman --safe-methods this_one,that_one,totally_safe,my_sanitizer&amp;lt;/pre&amp;gt;&lt;br /&gt;
===Only Reporting Direct Vulnerabilities===&lt;br /&gt;
With the default settings, Brakeman will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.&lt;br /&gt;
For example, this will raise a warning unless some_method is marked as safe like above:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;%= some_method(params[:blah]) %&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
To ignore this kind of output, use the --report-direct option. This also applies to some other situations, such as checking calls to redirect_to.&lt;br /&gt;
===Ignoring Model Attributes===&lt;br /&gt;
Brakeman assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the --ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
==Using Brakeman as a Library==&lt;br /&gt;
&lt;br /&gt;
Brakeman was initially designed to be used as a command-line application. Version 1.0 introduced changes that allowed Brakeman to be used as a library and future releases will make it even easier to use.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
require 'brakeman'&lt;br /&gt;
tracker = Brakeman.run &amp;quot;my/app&amp;quot;&lt;br /&gt;
puts tracker.report&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This code runs Brakeman against the Rails application in ‘my/app’ and prints out the report.&amp;lt;ref name=brakeman&amp;gt;[http://brakemanscanner.org/docs/introduction/ Brakeman Scanner Introduction]&amp;lt;/ref&amp;gt; This is the same as running Brakeman with no options. Brakeman.run returns a Tracker object which contains all the information from the scan. Tracker#checks holds the results from running the checks.&lt;br /&gt;
Brakeman can be run with a host of command-line options:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Brakeman.run :app_path =&amp;gt; &amp;quot;my/app&amp;quot;&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
*app_path - path to root of Rails app (required)&lt;br /&gt;
*assume_all_routes - assume all methods are routes (default: false)&lt;br /&gt;
*check_arguments - check arguments of methods (default: true)&lt;br /&gt;
*collapse_mass_assignment - report unprotected models in single warning (default: true)&lt;br /&gt;
*combine_locations - combine warning locations (default: true)&lt;br /&gt;
*config_file - configuration file&lt;br /&gt;
*escape_html - escape HTML by default (automatic)&lt;br /&gt;
*exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)&lt;br /&gt;
*html_style - path to CSS file&lt;br /&gt;
*ignore_model_output - consider models safe (default: false)&lt;br /&gt;
*message_limit - limit length of messages&lt;br /&gt;
*min_confidence - minimum confidence (0-2, 0 is highest)&lt;br /&gt;
*output_file - file for output&lt;br /&gt;
*output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)&lt;br /&gt;
*parallel_checks - run checks in parallel (default: true)&lt;br /&gt;
*print_report - if no output file specified, print to stdout (default: false)&lt;br /&gt;
*quiet - suppress most messages (default: true)&lt;br /&gt;
*rails3 - force Rails 3 mode (automatic)&lt;br /&gt;
*report_routes - show found routes on controllers (default: false)&lt;br /&gt;
*run_checks - array of checks to run (run all if not specified)&lt;br /&gt;
*safe_methods - array of methods to consider safe&lt;br /&gt;
*skip_libs - do not process lib/ directory (default: false)&lt;br /&gt;
*skip_checks - checks not to run (run all if not specified)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Advantages==&lt;br /&gt;
1. No Configuration Necessary - &lt;br /&gt;
:Once Brakeman has been installed, no configuration is required. It can directly be run.&lt;br /&gt;
2. Run It Anytime - &lt;br /&gt;
:Brakeman can run at any stage of development because all it needs is source code. A new application can be generated instantly and can be run against Brakeman.&lt;br /&gt;
3. Better Coverage - &lt;br /&gt;
:Brakeman provides security before they can become exploitable because it can scan pages that are not ‘live’ yet.&lt;br /&gt;
4. Best Practices - &lt;br /&gt;
:Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.&lt;br /&gt;
5. Flexible Testing - &lt;br /&gt;
:Each Brakeman check is independent of the other and hence testing can be limited to a small subset of checks.&lt;br /&gt;
6. Speed - &lt;br /&gt;
:Much faster than “black box” website scanner. Large applications can be scanned in a matter of minutes.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==Disadvantages==&lt;br /&gt;
1. False Positives - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.&amp;lt;br&amp;gt;&lt;br /&gt;
2. Unusual Configurations - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.&amp;lt;br&amp;gt;&lt;br /&gt;
3. Only Knows Code - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman cannot scan the entire application stack,, but only the software code.&amp;lt;br&amp;gt;&lt;br /&gt;
4. Isn’t Omniscient - &amp;lt;br&amp;gt;&lt;br /&gt;
:Brakeman may miss certain things or misunderstand them.&amp;lt;br&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references&amp;gt;&amp;lt;/references&amp;gt;&lt;/div&gt;</summary>
		<author><name>Jhkhamba</name></author>
	</entry>
</feed>