Use Prism parser by default (#1897)

Default to using Prism parser if available

Author: presidentbeef

.circleci/config.yml

@@ -40,15 +40,6 @@ jobs:
     <<: *default
     docker:
       - image: cimg/ruby:3.2
-  test-with-prism:
-    <<: *default
-    steps:
-      - checkout
-      - run: bundle check || bundle install
-      - run:
-          command: |
-            gem install prism
-            TEST_PRISM=true bundle exec rake
   upload-coverage:
     <<: *default
     working_directory: ~/repo
@@ -65,7 +56,6 @@ workflows:
       - default
       - test-3-1
       - test-3-2
-      - test-with-prism
       - upload-coverage:
           requires:
             - test-3-1

Gemfile

@@ -6,6 +6,5 @@ unless ENV['BM_PACKAGE']
   group :test do
     gem 'rake'
     gem 'minitest'
-    gem 'prism'
   end
 end

brakeman.gemspec

@@ -30,7 +30,7 @@ Gem::Specification.new do |s|
     s.files += Dir['bundle/ruby/*/gems/**/*'].reject do |path|
       # Skip unnecessary files in dependencies
       path =~ %r{^bundle/ruby/\d\.\d\.\d/gems/[^\/]+/(Rakefile|benchmark|bin|doc|example|man|site|spec|test)} or
-        path =~ %r{/gems/(io-console|racc|strscan)/}
+        path =~ %r{/gems/(io-console|prism|racc|strscan)/}
     end
 
     # racc is not only a built-in gem, but also has native code which we cannot

build.rb

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 require 'fileutils'
-bundle_exclude = %w[io-console racc strscan]
+bundle_exclude = %w[io-console prism racc strscan]
 
 puts 'Packaging Brakeman gem...'
 

gem_common.rb

@@ -22,6 +22,7 @@ def self.extended_dependencies spec
       spec.add_dependency "haml", "~>5.1"
       spec.add_dependency "slim", ">=1.3.6", "< 5.3"
       spec.add_dependency "rexml", "~>3.0"
+      spec.add_dependency "prism", "~>1.3"
     end
   end
 end

lib/brakeman.rb

@@ -84,6 +84,15 @@ def self.run options
       options[:report_progress] = false
     end
 
+    if options[:use_prism]
+      begin
+        require 'prism'
+        notify '[Notice] Using Prism parser'
+      rescue LoadError => e
+        Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+      end
+    end
+
     scan options
   end
 
@@ -196,6 +205,7 @@ def self.default_options
       :pager => true,
       :parallel_checks => true,
       :parser_timeout => 10,
+      :use_prism => true,
       :relative_path => false,
       :report_progress => true,
       :safe_methods => Set.new,

lib/brakeman/file_parser.rb

@@ -13,8 +13,9 @@ def initialize app_tree, timeout, parallel = true, use_prism = false
       if @use_prism
         begin
           require 'prism'
+          Brakeman.debug '[Notice] Using Prism parser'
         rescue LoadError => e
-          Brakeman.debug "Asked to use Prism, but failed to load: #{e}"
+          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
           @use_prism = false
         end
       end

lib/brakeman/options.rb

@@ -161,14 +161,13 @@ def create_option_parser options
 
         opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
           if use_prism
-            prism_version = '1.0'
+            min_prism_version = '1.3.0'
 
             begin
-              # Specifying minimum version here,
-              # since it can't be in the gem dependency list because it is optional
-              gem 'prism', ">=#{prism_version}"
+              gem 'prism', ">=#{min_prism_version}"
+              require 'prism'
             rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
-              $stderr.puts "Please install `prism` version #{prism_version} or newer:"
+              $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
               raise e
             end
           end

test/tests/rails52.rb

@@ -104,10 +104,6 @@ def test_sql_injection_foreign_key
   end
 
   def test_sql_injection_user_input
-    if ENV['TEST_PRISM']
-      skip 'Un-skip as soon as Prism >1.2.0 is released'
-    end
-
     assert_warning :type => :warning,
       :warning_code => 0,
       :fingerprint => "f7affe2dfe9e3a48f39f1fb86224e150e60555a73f2e78fb499eadd298233625",

test/tests/rails8.rb

@@ -7,7 +7,7 @@ class Rails8Tests < Minitest::Test
   def report
     @@report ||=
       Date.stub :today, Date.parse("2024-05-13") do
-        BrakemanTester.run_scan "rails8", "Rails 8", run_all_checks: true, use_prism: true
+        BrakemanTester.run_scan "rails8", "Rails 8", run_all_checks: true, use_prism: false
       end
   end