First Brakeman release of 2012!
Changes since 1.1:
- Speed improvements for CheckExecute and CheckRender
- Check named_scope and scope for SQL injection
- --rake option to create rake task to run Brakeman
- --summary option to only output summary
- Add experimental support for rescanning a subset of files
- Fix a problem with Rails 3 routes
Besides those, there has also been quite a bit of code improvement internally.
The checks for command injection and dynamic render paths should be considerably faster now.
More SQL Injection Checks
Thanks to a5sk4s for pointing out that Brakeman was not checking named_scope for SQL injection. This has been rectified. For Rails 3.1 and up, scope will be checked.

Also, it seems common to use Model.table_name inside SQL statements. This will no longer raise a warning.
Brakeman Rake Task
The --rake option can now be used to install a Rake task for running Brakeman. The task will be copied to
To use, run this from the root of the Rails app:
Then, to run Brakeman:
Naturally, this requires Rake to be installed.
To output to a specific file:
More actions may be added in the future.
Sometimes the specifics of a scan are not needed. The --summary option will limit the report output to just the summary section.
Rescan for Subset of Files
This release adds experimental support for rescanning a subset of paths in a Rails application. Please see this example.