Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 3.1.3 Released

This is a small bug fix release, except for one major new feature: Brakeman is now available as an engine on the new Code Climate platform!

Changes since 3.1.2:

  • Add Code Climate output format (Ashley Baldwin-Hunter / Devon Blandin / John Pignata / Michael Bernstein)
  • Restore minimum Highline version (Kevin Glowacz)
  • Depend on safe_yaml 1.0 or later (#753)
  • Check for session secret in secrets.yml (#760)
  • Avoid warning on without_protection: true with hash literal (#769)
  • Respect exit_on_warn in config file (#771)
  • Avoid outputting false for user_input in JSON
  • Iteratively replace variables
  • CallIndex improvements
  • Improved tests for the Brakeman module (Bethany Rentz)
  • Make sure a before_filter with block is a call (#763)

Code Climate Platform

Thanks to the folks at Code Climate, this release adds the ability to run Brakeman as an analysis engine on Code Climate’s platform. You can now run Brakeman as part of Code Climate’s hosted analysis, or on your command line with their open source CLI. Brakeman can be integrated with results from your other favorite static analysis tools, giving you a unified view of issues in your code.

(main changes)

Dependencies

Brakeman 3.1.0 relaxed the Highline dependency (to support Highline 1.7.x and up) and Brakeman 3.1.2 added a dependency on safe_yaml without specifying a minimum version. Both of these changes resulted in some issues if combined with an application that depends on older versions of these libraries.

Highline and safe_yaml now have minimum versions specified.

(changes here and here)

More Secrets

Production session secrets stored in config/secrets.yml will now raise a warning.
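
To illustrate what such a check looks for, here is an added example (not Brakeman's own code) in Ruby: it loads a config/secrets.yml, looks at the production section, and reports any secret that is a literal value rather than an ERB expression resolved from the environment at boot. The two YAML documents are constructed samples, and the key list SECRET_KEYS is an assumption for the example.

```ruby
require "yaml"

# Constructed sample: the production secret is stored as a literal in the file.
HARDCODED = <<~YAML
  development:
    secret_key_base: devsecretplaceholder
  production:
    secret_key_base: prodsecretplaceholder
YAML

# Constructed sample: the production secret is read from the environment at boot.
FROM_ENV = <<~YAML
  development:
    secret_key_base: devsecretplaceholder
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# Keys treated as session secrets (assumption for this example).
SECRET_KEYS = %w[secret_key_base secret_token].freeze

# A non-empty string with no ERB tag is a value committed to the file;
# an ERB tag means the value is substituted at boot and not stored here.
def literal_secret?(value)
  value.is_a?(String) && !value.strip.empty? && !value.include?("<%")
end

# Returns the names of production secrets that are stored as literals.
def hardcoded_production_secrets(yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  prod = data["production"]
  return [] unless prod.is_a?(Hash)
  prod.select { |key, value| SECRET_KEYS.include?(key) && literal_secret?(value) }.keys
end

if __FILE__ == $0
  p hardcoded_production_secrets(HARDCODED) # ["secret_key_base"]
  p hardcoded_production_secrets(FROM_ENV)  # []
end
```

The check is deliberately narrow: only the production section is inspected, because development and test secrets are expected to live in the file, and an ERB expression is accepted as-is since the actual value never reaches the repository.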

(changes)

Mass Assignment False Positive

Previously, Brakeman would warn on any mass assignment using without_protection: true. This blog post noted Brakeman would even warn if the values for mass assignment were a hash literal. This has been fixed.
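
As an added example (not Brakeman's own implementation), the Ruby script below uses the standard-library Ripper parser to make the same distinction: a call that passes without_protection: true is reported only when its first argument is something other than a hash literal, since a literal cannot carry attacker-chosen attribute names. The three code snippets in SAMPLES are constructed for the example.

```ruby
require "ripper"

# Constructed sample snippets: request parameters with protection disabled,
# a hash literal with protection disabled, and a call without the option.
SAMPLES = {
  "params"  => 'User.new(params[:user], without_protection: true)',
  "literal" => 'User.new({ name: "guest", role: "reader" }, without_protection: true)',
  "plain"   => 'User.new(params[:user])',
}.freeze

# True when the node is a bare keyword hash containing `without_protection: true`.
def without_protection_true?(node)
  return false unless node.is_a?(Array) && node[0] == :bare_assoc_hash
  Array(node[1]).any? do |assoc|
    assoc.is_a?(Array) && assoc[0] == :assoc_new &&
      assoc[1].is_a?(Array) && assoc[1][0] == :@label &&
      assoc[1][1] == "without_protection:" &&
      assoc[2].is_a?(Array) && assoc[2][0] == :var_ref && assoc[2][1][1] == "true"
  end
end

# Walk the S-expression. Any array that directly contains the matching keyword
# hash is an argument list, and its first element is the attributes argument.
def find_unprotected(sexp, hits = [])
  return hits unless sexp.is_a?(Array)
  if sexp.any? { |n| without_protection_true?(n) }
    first = sexp[0]
    hits << if first.is_a?(Array) && first[0] == :hash
              :hash_literal   # fixed keys, nothing for a user to inject
            elsif first.is_a?(Array) && first[0] == :bare_assoc_hash
              :no_attributes  # the option was the only argument
            else
              :dynamic        # params, a variable, a method result, etc.
            end
  end
  sexp.each { |n| find_unprotected(n, hits) }
  hits
end

# Classify every without_protection: true call in a snippet of Ruby code.
def check(code)
  sexp = Ripper.sexp(code)
  raise ArgumentError, "parse error in: #{code}" unless sexp
  find_unprotected(sexp)
end

if __FILE__ == $0
  SAMPLES.each { |name, code| puts "#{name}: #{check(code).inspect}" }
end
```

Only the :dynamic result corresponds to a warning; the :hash_literal case is exactly the false positive this release removes.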

(changes)

Hardcore Mode in Config

Brakeman now supports turning on “hardcore mode” (setting :exit_on_warn: true) in a config file. This causes Brakeman to return a non-zero exit code if any warnings are found.

(changes)

JSON Output

A refactoring caused some values of user_input in JSON reports to be false instead of nil. This has been corrected.

(changes)

More Variable Replacement

A long time ago, Brakeman used to do two passes for data flow analysis, just in case one substitution could be replaced with yet another value. The second pass was removed when it turned out not to be that helpful in reality. However, there are some cases where it is helpful. Now Brakeman will attempt substitutions if there are more matches, but with a hard limit of 5 replacements to avoid infinite loops. This will reduce false positives in some situations.
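
The example below is added to show the idea in miniature and is not Brakeman's code: expressions are nested arrays, assignments are an environment mapping variable names to expressions, and substitution is repeated only while a pass actually changes something, with the same hard limit of 5 passes so that a cycle such as a = b; b = a terminates. The expression shapes ([:var, name], [:params, key], [:call, ...]) and both environments are constructed for the example.

```ruby
# Hard limit on substitution passes, matching the limit described above.
MAX_REPLACEMENTS = 5

# Constructed environment: z = y, y = x, x = params[:q] (a chain of copies).
CHAIN_ENV = {
  "x" => [:params, "q"],
  "y" => [:var, "x"],
  "z" => [:var, "y"],
}.freeze

# Constructed environment with a cycle: a = b, b = a.
CYCLE_ENV = {
  "a" => [:var, "b"],
  "b" => [:var, "a"],
}.freeze

# One substitution pass. Returns [new_expr, changed?]. A variable is replaced
# by its value but the value is not expanded again until the next pass.
def substitute(expr, env)
  return [expr, false] unless expr.is_a?(Array)
  return [env[expr[1]], true] if expr[0] == :var && env.key?(expr[1])

  changed = false
  rebuilt = expr.map do |node|
    sub, node_changed = substitute(node, env)
    changed ||= node_changed
    sub
  end
  [rebuilt, changed]
end

# Repeat passes while something changes, stopping at the hard limit.
# Returns [resolved_expr, passes_performed].
def resolve(expr, env, limit = MAX_REPLACEMENTS)
  passes = 0
  loop do
    expr, changed = substitute(expr, env)
    break unless changed
    passes += 1
    break if passes >= limit
  end
  [expr, passes]
end

# True when any request-parameter node survives in the resolved expression.
def user_input?(expr)
  return false unless expr.is_a?(Array)
  expr[0] == :params || expr.any? { |node| user_input?(node) }
end

if __FILE__ == $0
  query = [:call, [:lit, "User"], "where", [:var, "z"]]
  resolved, passes = resolve(query, CHAIN_ENV)
  puts "#{resolved.inspect} after #{passes} passes, user input: #{user_input?(resolved)}"
  looped, passes = resolve([:var, "a"], CYCLE_ENV)
  puts "cycle stopped at #{looped.inspect} after #{passes} passes"
end
```

With a single pass, User.where(z) would resolve only to User.where(y) and the parameter behind it would stay hidden; three passes are needed before the call is recognised as taking user input, which is the situation where the limited iteration reduces false negatives as well as false positives.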

(changes)

CallIndex Improvements

Fixed a small bug where params was not a valid target when searching chained methods, as well as making it possible to search for chains beginning with a method call. Additionally, all the tests for CallIndex were broken and not testing anything.

(changes)

Improved Test Coverage

Thanks to Bethany Rentz, test coverage was nudged up over 90%. Plenty of low-hanging fruit remains, see this issue for suggestions of how to contribute!

(changes)

Brakeman Pro

Another small announcement: the first public release of Brakeman Pro (the commercial version of Brakeman) is now available for purchase. If you are looking to financially support development of Brakeman, would like paid support, need a commercial license, or just want a slick GUI, consider checking out Brakeman Pro.

For some clarification regarding the future of Brakeman and Brakeman Pro, please see this email from earlier in the year.

SHAs

The SHA256 sums for this release are

57b0edcc289eb74359d2042a38ea519f96f606c89dc879e5fb53971d3d656707  brakeman-3.1.3.gem
85473af3a55c440959ea91f94fe14177ac58aa35b44fbb007c93cd742803eae6  brakeman-min-3.1.3.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed improvements in this release.

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider following @brakeman on Twitter, joining the mailing list, or hanging out on Gitter.