It has been a long time coming, but it is finally here! Lots of changes in this one…
Brakeman now scans (almost) all Ruby (and ERB, Haml, Slim) files in an application.
This may have a significant impact on reported warnings and scan times - see below for more information.
Changes since 4.10.1:
- Scan (almost) all Ruby files in project
- Revamp CSV report to a CSV list of warnings
- Add Sonarqube report format (Adam England)
- Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
- Add check for potential HTTP verb confusion (#1432)
uuid as a safe attribute
Tempfile#path in shell commands
- Ignore development environment
- Set Rails configuration defaults based on
- Update Ruby requirement to version 2.4.0
- Suggest using
--force if no Rails application is detected
Scan Almost All Ruby Files
Since the beginning, Brakeman has been picky about what directories it searches for files.
In general, Brakeman has looked in ‘normal’ Rails directores like
This is because Rails has some default logic based on file paths - like mapping a controller action to a given view.
But if an application varied from the norm, Brakeman would simply not scan those other directories.
This behavior led to a lot of confusion with folks wondering why Brakeman was not finding certain vulnerabilities.
Brakeman now attempts to deduce the contents of a file first, then falls back to the path name if necessary.
This has been surprisingly effective.
However, scanning more files means Brakeman runs slower and may report more false positives because the new files
are harder to reason about and less likely to be exposed as part of the attack surface.
Brakeman does ignore
vendor directories. To scan the
vendor directory as well, use
Please report any issues!
CSV Report Update
The CSV report format has been completely changed! Previously, it was meant as an ‘Excel-lite’ format, only really useful for viewing in a spreadsheet program.
Now it is regular CSV with normalized columns to mostly match the JSON report (except for nested fields).
Sonarqube Report Format
Thanks to Adam England, Brakeman now supports the Sonarqube “Generic Issue Import Format”.
(And thanks Adam for your patience.)
More Unsafe Method Reflection
A new check was added for unsafe use of
HTTP Verb Confusion Check
HEAD requests are routed like
GET requests, but
request.get? will be false.
Some code may assume if
request.get? is false, then
request.post? is true:
# Do something benign
# Do something sensitive because it's a POST
# but actually it could be a HEAD :(
Brakeman will warn when an
if expression checks
request.get? but has an
else clause instead of
UUIDs as Safe Attributes
#uuid will be treated as a safe value, particular in SQL.
Tempfile Paths in Shell Commands
Tempfile#path will be considered as safe value for command injection.
Also adds support for Tempfiles like:
Tempfile.open('...') do |file|
# Brakeman knows `file` is a Tempfile
Ignore Development Environment
Brakeman will ignore code that is guarded like
# ...whatever code
This was already true for
Brakeman will treat
This was already true for
Set Rails Defaults
Brakeman will set default values for Rails configuration options based on the version argument to
config.load_defaults which is usually called in
Requires Ruby 2.4.0
The minimal Ruby version for running Brakeman is now 2.4.0 (which is already EOL!)
Note Brakeman can analyze Ruby syntax from 1.8 to 2.6 (some 2.7+ syntax is not supported yet).
The SHA256 sums for this release are:
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.