This is a small bug fix release, except for one major new feature: Brakeman is now available as an engine on the new Code Climate platform!
Changes since 3.1.2:
- Add Code Climate output format (Ashley Baldwin-Hunter / Devon Blandin / John Pignata / Michael Bernstein)
- Restore minimum Highline version (Kevin Glowacz)
- Depend on safe_yaml 1.0 or later (#753)
- Check for session secret in secrets.yml (#760)
- Avoid warning on `without_protection: true` with hash literal (#769)
- `exit_on_warn` in config file (#771)
- Avoid outputting `false` for
- Iteratively replace variables
- CallIndex improvements
- Improved tests for the Brakeman module (Bethany Rentz)
- Make sure a `before_filter` with block is a call (#763)
Code Climate Platform
Thanks to the folks at Code Climate, this release adds the ability to run Brakeman as an analysis engine on Code Climate’s platform. You can now run Brakeman as part of Code Climate’s hosted analysis, or on your command line with their open source CLI. Brakeman can be integrated with results from your other favorite static analysis tools, giving you a unified view of issues in your code.
Brakeman 3.1.0 relaxed the Highline dependency (to support Highline 1.7.x and up) and Brakeman 3.1.2 added a dependency on safe_yaml without specifying a minimum version. Both of these changes resulted in some issues if combined with an application that depends on older versions of these libraries.
Highline and safe_yaml now have minimum versions specified.
Production session secrets stored in `config/secrets.yml` will now raise a warning.
Mass Assignment False Positive
Previously, Brakeman would warn on any mass assignment using `without_protection: true`. This blog post noted Brakeman would even warn if the values for mass assignment were a hash literal. This has been fixed.
Hardcore Mode in Config
Brakeman now supports turning on “hardcore mode” (setting `:exit_on_warn: true`) in a config file. This causes Brakeman to return a non-zero exit code if any warnings are found.
A refactoring caused some values of `user_input` in JSON reports to be `false` instead of `nil`. This has been corrected.
More Variable Replacement
A long time ago, Brakeman used to do two passes for data flow analysis, just in case one substitution could be replaced with yet another value. The second pass was removed when it turned out not to be that helpful in reality. However, there are some cases where it is helpful. Now Brakeman will attempt substitutions if there are more matches, but with a hard limit of 5 replacements to avoid infinite loops. This will reduce false positives in some situations.
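To make the bounded substitution loop concrete, here is a toy model added for this post (it is not Brakeman's own code). Expressions are nested arrays in the shape of s-expressions, the variable bindings are constructed for the example, and the hard limit of 5 is the one the release note states.

```ruby
# Toy data-flow substitution with a hard replacement limit.
# Constructed example, not Brakeman's implementation.
MAX_REPLACEMENTS = 5 # hard limit from the release note

# Constructed bindings: user = params["user"]; name = user["name"];
# query = name.strip; counter = counter + 1 (self-referential).
BINDINGS = {
  user:    [:call, [:params], :[], [:str, "user"]],
  name:    [:call, [:lvar, :user], :[], [:str, "name"]],
  query:   [:call, [:lvar, :name], :strip],
  counter: [:call, [:lvar, :counter], :+, [:lit, 1]],
}.freeze

# One pass: replace every known local variable with its bound value,
# but do not descend into the value just substituted. Returns
# [new_expr, changed?].
def substitute_once(expr, env)
  return [expr, false] unless expr.is_a?(Array)
  return [env[expr[1]], true] if expr[0] == :lvar && env.key?(expr[1])

  changed = false
  out = expr.map do |e|
    sub, c = substitute_once(e, env)
    changed ||= c
    sub
  end
  [out, changed]
end

# Keep substituting until nothing changes or the limit is reached,
# so a binding like counter = counter + 1 cannot loop forever.
# Returns [final_expr, rounds_used].
def resolve(expr, env, limit = MAX_REPLACEMENTS)
  rounds = 0
  loop do
    expr, changed = substitute_once(expr, env)
    break unless changed
    rounds += 1
    break if rounds >= limit
  end
  [expr, rounds]
end

# True if the resolved expression is derived from params anywhere.
def from_params?(expr)
  return false unless expr.is_a?(Array)
  expr == [:params] || expr.any? { |e| from_params?(e) }
end

if $PROGRAM_NAME == __FILE__
  sql, rounds = resolve([:call, nil, :find_by_sql, [:lvar, :query]], BINDINGS)
  puts "rounds=#{rounds} from_params=#{from_params?(sql)}"
end
```

Without the extra passes, `find_by_sql(query)` only ever sees `[:lvar, :query]` and the link back to `params` is invisible; the self-referential `counter` binding shows why the cap is needed.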
Fixed a small bug where `params` was not a valid target when searching chained methods, as well as making it possible to search for chains beginning with a method call. Additionally, all the tests for CallIndex were broken and not testing anything.
Improved Test Coverage
Thanks to Bethany Rentz, test coverage was nudged up over 90%. Plenty of low-hanging fruit remains; see this issue for suggestions on how to contribute!
Another small announcement: the first public release of Brakeman Pro (the commercial version of Brakeman) is now available for purchase. If you are looking to financially support development of Brakeman, would like paid support, need a commercial license, or just want a slick GUI, consider checking out Brakeman Pro.
For some clarification regarding the future of Brakeman and Brakeman Pro, please see this email from earlier in the year.
The SHA256 sums for this release are:
57b0edcc289eb74359d2042a38ea519f96f606c89dc879e5fb53971d3d656707 brakeman-3.1.3.gem
85473af3a55c440959ea91f94fe14177ac58aa35b44fbb007c93cd742803eae6 brakeman-min-3.1.3.gem
Thank you to everyone who reported bugs and contributed improvements in this release.
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.