Brakeman Versions Save

A static analysis security vulnerability scanner for Ruby on Rails applications

v5.2.2

2 years ago
  • Respect equality in if conditions (#1683)
  • Update message for unsafe reflection (Pedro Baracho)
  • Handle nil when joining values (Dan Buettner)
  • Add additional String methods for SQL injection check (#1669)
  • Update ruby_parser for Ruby 3.1 support (Merek Skubela)

v5.2.1

2 years ago
  • Add warning codes for EOL software warnings (#1671)

v5.2.0

2 years ago
  • Initial Rails 7 support (#1653)
  • Require Ruby 2.5.0+ (#1649)
  • Fix issue with calls to foo.root in routes (#1640)
  • Ignore I18n.locale in SQL queries (#1597)
  • Do not treat sanitize_sql_like as safe
  • Add new checks for unsupported Ruby and Rails version
  • Bundled version of ruby_parser updated to 3.18.1

v5.1.2

2 years ago
  • Updated ruby_parser (Ryan Davis)
  • Fix issue where the previous output is still visible (Jason Frey)
  • Handle cases where enums are not symbols (#1627)
  • Support newer Haml with ::Haml::AttributeBuilder.build
  • Fix sorting with nil line numbers

v5.1.1

2 years ago
  • Unrefactor IgnoreConfig's use of Brakeman::FilePath

(Fixes bugs with -I and also relative paths for -i.)

v5.1.0

2 years ago
  • Report Formats
  • Performance
    • Read and parse files in parallel
  • Ruby Interpretation
    • Initial support for ActiveRecord enums (#1492)
    • Interprocedural dataflow from very simple class methods
    • Support Array#fetch and Hash#fetch (#1571)
    • Support Array#push
    • Support Array#*
    • Better Array#join support
    • Support Hash#values and Hash#values_at
    • Support Hash#include?
  • SQL Injection
    • Update SQL injection check for Rails 6.0/6.1
    • Add --sql-safe-methods option (Esty Scheiner)
    • Ignore dates in SQL
    • Ignore sanitize_sql_like in SQL (#1571)
    • Ignore method calls on numbers in SQL (#1571)
  • Other Fixes
    • Ignore renderables in dynamic render path check (Brad Parker)
    • Fix false positive in command injection with Open3.capture (Richard Fitzgerald)
    • Fix infinite loop on mixin self-includes (Andrew Szczepanski)
    • Check for user-controlled evaluation even if it's a call target (#1590)
  • Refactoring
    • Refactor cookie?/param? methods (Keenan Brock)
    • Better method definition tracking and lookup

v5.0.4

2 years ago
  • Update bundled ruby_parser to include argument forwarding support (brakeman gem only)

v5.0.2

2 years ago
  • Fix Loofah version check

v5.0.1

3 years ago
  • Support loading slim/smart (#1570)
  • Set more line numbers on Sexps (#1579)
  • Detect ::Rails.application.configure too (#1584)
  • Always ignore slice/only calls for mass assignment
  • Don't fail if $HOME/$USER are not defined
  • Convert splat array arguments to arguments
  • Bundle unreleased RubyParser changes

v5.0.0

3 years ago
  • Scan (almost) all Ruby files in project
  • Revamp CSV report to a CSV list of warnings
  • Add Sonarqube report format (Adam England)
  • Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
  • Add check for potential HTTP verb confusion (#1432)
  • Add --[no-]skip-vendor option
  • Ignore uuid as a safe attribute
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Collapse __send__ calls
  • Set Rails configuration defaults based on load_defaults version
  • Update Ruby requirement to version 2.4.0
  • Suggest using --force if no Rails application is detected