Sobelow Versions

Security-focused static analysis for the Phoenix Framework

v0.13.0

7 months ago

  • Removed
    • Support for minimum Elixir versions 1.5 & 1.6 (POTENTIALLY BREAKING - only applies if you relied on Elixir 1.5 or 1.6, 1.7+ is still supported)
  • Enhancements
    • Fixed all credo warnings
    • Implemented all credo "Code Readability" adjustments
    • Took advantage of some credo refactoring opportunities
    • Added (sub)module documentation that was missing for some vulnerabilities and unified presentation of others
  • Bug fixes
    • Fixed --details / -d not displaying correct information
    • Fixed incompatibility issue with Elixir 1.15
  • Misc
    • Added mix credo --strict to project
    • Improvements to GitHub CI
      • Hex Audit
      • Compiler Warnings as Errors
      • Checks Formatting
    • Added helper mix test.all alias

v0.12.2

11 months ago

  • Bug fixes
    • Removed :castore and introduced :verify_none to silence a warning and unblock escript usage; see #133 for more context on why this is necessary

v0.12.1

11 months ago

  • Bug fixes
    • Lowered required version of :castore to remove upgrade path issues
    • Reconfigured :verify_peer to actually use CAStore and remove warning

v0.12.0

11 months ago

Please note that quite some time has passed between GitHub releases. Refer to the CHANGELOG for details of everything that has changed since v0.8.0; the notes below cover ONLY the changes between v0.11.1 and v0.12.0.

  • Removed
    • Support for minimum Elixir version 1.4 (POTENTIALLY BREAKING - only applies if you relied on Elixir 1.4, 1.5+ is still supported)
  • Enhancements
    • Adds support for HEEx to XSS.Raw
    • Adds --version CLI flag
    • README improvements
      • Umbrella app usage
      • Clearer installation process
      • Layout changes
    • Updated dependencies
  • Bug fixes
    • Adds to_string() to exit_on
    • Sets SSL opt verify_peer in version check
    • Reworks -v, --verbose printing to not use the now deprecated Macro.to_string/2
  • Misc
    • Allows atom values for threshold in config file
    • Uses SPDX ID for licenses in mixfile
    • Fixed typo

v0.8.0

4 years ago

  • Enhancements
    • Improve output consistency
      • All JSON findings contain type, file, and line keys
      • "Line" output now refers directly to the vulnerable line
      • Default output headers have been normalized

    Note: If you depend on the structure of the output, this may be a breaking change. More information can be found at https://sobelow.io.

v0.7.8

4 years ago

  • Enhancements
    • Add --threshold flag
    • Add module names to finding output
  • Deprecations
    • File/Path check has been deprecated
  • Bug Fixes
    • Fix inaccurate CSRF details

v0.7.2

5 years ago

  • Enhancements
    • Add router path to config findings
    • Add --out flag for writing to file

v0.7.1

5 years ago

  • Enhancements
    • Improved handling of JSON format
    • Additional checks for File functions

v0.7.0

5 years ago

  • Enhancements
    • Improved handling of vulnerabilities within templates.
  • Bug Fixes
    • Sobelow no longer incorrectly flags :binary send_download functions.

v0.6.9

6 years ago

  • Enhancements
    • Improve template parsing and validation.
    • Support multiple routers, and improve route discovery.
  • Misc
    • Update language for missing directory.