Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 7.1.0 Released

Changes since 7.0.2:

  • Add Haml 6.x support (#1914, #1841, etc.)
  • Support render model shortcut (#959, #1940, etc.)
  • Add --ensure-no-obsolete-config-entries option (viralpraxis)
  • Update JUnit report for CircleCI (Philippe Bernery)
  • Improve ignored warnings layout in HTML report (Sebastien Savater)
  • Only load escape functionality from cgi library (Earlopain)
  • Add EOL dates for Rails 8.0 and Ruby 3.4
  • Use lazy file lists for AppTree

Haml 6 Support

Brakeman now ships with and supports Haml 6.

To continue using Brakeman with Haml 5.x, please use the brakeman-lib or brakeman-min gems.

(changes)

Render Shortcuts

After many, many years, Brakeman now supports shortcuts where specific models or collections are rendered. For example: render User.find(..) or render User.all

Brakeman does not currently support rendering of collections with mixed types of models.
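To see what the new support has to track, here is an added example (not Brakeman's code) of how Rails resolves a render shortcut to a partial: `render User.find(1)` becomes users/_user.html.erb with a `user` local, and `render User.all` renders that same partial once per record. The resolver below mimics ActiveModel's `to_partial_path` convention without loading Rails; the `User` and `Comment` classes are stand-ins and the collections are constructed. It also flags the mixed-type collection case that the notes above say is not yet supported.

```ruby
# Added example, not Brakeman's code: how Rails resolves `render obj` and
# `render collection` to a partial, which is the mapping Brakeman must follow
# to trace data into that partial. It mimics ActiveModel#to_partial_path
# ("users/user" for a User) without loading Rails; the model classes are
# stand-ins and the collections are constructed.

class User
  def to_partial_path; "users/user"; end
end

class Comment
  def to_partial_path; "comments/comment"; end
end

# One rendered partial: the template file, the local variable name the
# object is exposed as inside it, and how many objects go through it.
Resolution = Struct.new(:partial, :local, :count)

# `render User.find(1)` renders users/_user.html.erb with `user` bound to the
# record; `render User.all` renders the same partial once per record. A
# collection of mixed model types resolves to more than one partial, which
# is the case the release notes say Brakeman does not follow yet.
def resolve_render(arg)
  objects = arg.respond_to?(:to_partial_path) ? [arg] : Array(arg)
  raise ArgumentError, "nothing to render" if objects.empty?

  objects.group_by(&:to_partial_path).map do |path, group|
    dir, name = path.split("/", 2)
    Resolution.new("#{dir}/_#{name}.html.erb", name, group.size)
  end
end

# True when a collection would fan out to more than one partial.
def mixed_collection?(arg)
  resolve_render(arg).size > 1
end
```

The security-relevant point is the `local` field: whatever is in the rendered model (a user-supplied bio, say) reaches the partial under that name, so a scanner that stops at `render User.find(..)` misses any unescaped output inside users/_user.html.erb.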

(changes)

Fail on Obsolete Ignored Warnings

When Brakeman is configured to ignore warnings, but then those warnings aren’t found, Brakeman reports “obsolete ignored warnings”.

viralpraxis added the --ensure-no-obsolete-config-entries option to return a failure exit code if there are obsolete entries.
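For anyone wiring this into CI, the following added example (not Brakeman's implementation) shows what the option is checking: it reads a brakeman.ignore file and a JSON report and lists the ignore entries whose fingerprint no longer matches any warning in the scan. Both inputs are constructed and the fingerprints are made up.

```ruby
require "json"

# Added example, not Brakeman's implementation: reproduce the check behind
# --ensure-no-obsolete-config-entries from a brakeman.ignore file and a JSON
# report. Both inputs below are constructed; the fingerprints are made up.

# An ignore file records the fingerprint of each warning that was reviewed.
IGNORE_FILE = <<~JSON
  {
    "ignored_warnings": [
      { "warning_type": "Cross-Site Scripting", "fingerprint": "aaaa1111", "note": "escaped upstream" },
      { "warning_type": "SQL Injection",        "fingerprint": "bbbb2222", "note": "removed in refactor" }
    ],
    "brakeman_version": "7.1.0"
  }
JSON

# A JSON report lists the warnings found now, including the ignored ones.
REPORT = <<~JSON
  {
    "warnings":         [ { "warning_type": "Mass Assignment",      "fingerprint": "cccc3333" } ],
    "ignored_warnings": [ { "warning_type": "Cross-Site Scripting", "fingerprint": "aaaa1111" } ]
  }
JSON

# An ignore entry is obsolete when its fingerprint matches no warning in the
# scan, ignored or not: the code it referred to has changed or gone. Left in
# place, the entry is misleading, and if the same code ever comes back the
# warning is silenced again without anyone re-reviewing it.
def obsolete_entries(ignore_json, report_json)
  ignored = JSON.parse(ignore_json).fetch("ignored_warnings")
  report  = JSON.parse(report_json)
  seen    = (report.fetch("warnings", []) + report.fetch("ignored_warnings", []))
              .map { |w| w["fingerprint"] }
  ignored.reject { |entry| seen.include?(entry["fingerprint"]) }
end

# Exit status for CI: 0 when the ignore file is clean, 1 when it has drifted.
def exit_status(ignore_json, report_json)
  obsolete_entries(ignore_json, report_json).empty? ? 0 : 1
end
```

With the constructed inputs, the SQL Injection entry is obsolete and the status is 1; a report that still carries both fingerprints yields 0.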

(changes)

JUnit Report for CircleCI

Philippe Bernery has fixed JUnit reports to be compatible with CircleCI (again). Thanks!

(changes)

Better Ignored Warnings Layout

Speaking of ignored warnings, Sebastien Savater has improved the layout in the HTML report to make it easier to read notes for ignored warnings.

(changes)

CGI Loading

In preparation for Ruby 3.5, Earlopain updated Brakeman to explicitly load cgi/escape instead of the entire CGI library.

(changes)

Lazy File Lists

Use lazy file lists when managing files in Brakeman::AppTree. This provides a small (~9%) speed improvement for large applications.

(changes)

Checksums

The SHA256 sums for this release are:

bbc708a75a53008490c8b9600b97fa85cb3d5a8818dd1560f18e0b89475d48af  brakeman-7.1.0.gem
b5263ca27a725ad38fb98aa83908b0285eee46c29096eb4fb0b36b2795bbb082  brakeman-lib-7.1.0.gem
0a141eaf08f864680af69c6642f9cf855be3eb89c3d5a3f5b0bd182f9eba2d82  brakeman-min-7.1.0.gem
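The sums above (and the ones in the older release notes on this page) are meant to be checked before running gem install on a downloaded .gem file. This added example, which is not part of the release notes, parses lines in exactly that "sha256  filename" layout and verifies each file, reporting missing files instead of skipping them. The gem contents in its self-check are constructed stand-ins, not real gems.

```ruby
require "digest"
require "tmpdir"

# Added example, not part of the release notes: verify downloaded gem files
# against the published "sha256sum  filename" lines before running
# `gem install ./brakeman-7.1.0.gem`, so a tampered or truncated download is
# refused. The gem contents in `demo` are constructed stand-ins.

# Parse the format the release notes print: 64 hex chars, whitespace,
# filename (an optional "*" before the name, as sha256sum -b emits, is
# tolerated). Returns { filename => expected_hex }.
def parse_checksums(text)
  text.each_line.with_object({}) do |line, sums|
    next unless line =~ /\A([0-9a-f]{64})\s+\*?(\S+)\s*\z/i
    sums[$2] = $1.downcase
  end
end

# Check every listed file under `dir`. A missing file is reported rather
# than silently passed, and the comparison is on the full 256-bit digest.
def verify_checksums(text, dir)
  parse_checksums(text).to_h do |name, expected|
    path = File.join(dir, name)
    status =
      if !File.file?(path)
        :missing
      elsif Digest::SHA256.file(path).hexdigest == expected
        :ok
      else
        :mismatch
      end
    [name, status]
  end
end

# Only install when every listed file is present and intact.
def all_verified?(results)
  !results.empty? && results.values.all? { |s| s == :ok }
end

# Constructed self-check: one intact file, one tampered file, one missing.
def demo
  Dir.mktmpdir do |dir|
    good = "not a real gem, just constructed bytes"
    File.write(File.join(dir, "brakeman-7.1.0.gem"), good)
    File.write(File.join(dir, "brakeman-lib-7.1.0.gem"), good + " but altered")
    text = <<~SUMS
      #{Digest::SHA256.hexdigest(good)}  brakeman-7.1.0.gem
      #{Digest::SHA256.hexdigest(good)}  brakeman-lib-7.1.0.gem
      #{Digest::SHA256.hexdigest(good)}  brakeman-min-7.1.0.gem
    SUMS
    verify_checksums(text, dir)
  end
end
```

Pasting the three lines above into a file and running verify_checksums on the download directory is the whole procedure; `gem install` should only follow when all_verified? is true.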

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Hang out on Github for questions and discussion.

Brakeman 7.0.2 Released

Changes since 7.0.1:

  • Fix error with empty BUNDLE_GEMFILE env variable

Error on Empty Environment Variable

An empty BUNDLE_GEMFILE environment variable no longer causes Brakeman to error out.

(changes)

Checksums

The SHA256 sums for this release are:

b602d91bcec6c5ce4d4bc9e081e01f621c304b7a69f227d1e58784135f333786  brakeman-7.0.2.gem
2ca8d1a8bc248e969e64db33cc555cb82418402af9e04efeb74c7d6ffc85aaab  brakeman-lib-7.0.2.gem
0efb841b7b5252dff97699f041e9e67d661d78f87c1874aaa789e91cb9c94b17  brakeman-min-7.0.2.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Hang out on Github for questions and discussion.

Brakeman 7.0.1 Released

Changes since 7.0.0:

  • Avoid warning on evaluation of plain strings (#1919)
  • Enable use of custom/alternative Gemfiles (#1840, #1907)
  • Fix error on directory with rb extension (viralpraxis)
  • Support terminal-table 4.0 (Chedli Bourguiba)
  • Better support Prism 1.4.0 (#1927)
  • Only output timing for each file when using --debug

Fewer Code Evaluation Warnings

Brakeman will warn on fewer cases of code evaluation of dynamic strings.

(changes)

Custom Gemfile

Which Gemfile to scan can now be configured with the --gemfile option or by setting the BUNDLE_GEMFILE environment variable.

(changes)

Errors Matching Directory Names

Thanks to viralpraxis for fixing an issue where directory names ending in .rb were treated like Ruby files.

(changes)

Support for Terminal Table 4.0

Thanks to Chedli Bourguiba for helping bump the terminal-table dependency to allow use of the latest version.

(changes)

Frozen Strings in Prism

This release fixes some compatibility with frozen strings in Prism 1.4.0.

These are a little hard to track down, so please report any errors that have not been fixed.

(changes)

Less Noisy Timing

Use of --timing is now a little less noisy unless --debug is also set.

Previously, processing time for each individual file was shown. Now the default is to only show processing time for each step in the scan.

(changes)

Checksums

The SHA256 sums for this release are:

ec751d439820ed9d04d4ed00ff4fb21ac91689fcbb6cc564b786a4061c8f720d  brakeman-7.0.1.gem
94c3b2801ce8c35db9354b778feb06dcfafc8273c3f09d398771912de793aa52  brakeman-lib-7.0.1.gem
a3a9b3c2ecd5f34abbc689f14ad3abd7f4380a7ffcb21c2310f7a74efc543805  brakeman-min-7.0.1.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Hang out on Github for questions and discussion.

Brakeman 7.0.0 Released

Happy new year!

This release of Brakeman contains several breaking changes and updates to default behavior.

Changes since 6.2.2:

  • Default to using Prism parser if available (disable with --no-prism)
  • Disable following symbolic links by default (re-enable with --follow-symlinks)
  • Remove updated entry in Brakeman ignore files (Toby Hsieh)
  • Major changes to how rescanning works
  • Fix hardcoded globally excluded paths (#1830)
  • Always warn about deserializing from Marshal
  • Update eval check to be a little noisier
  • Output originalBaseUriIds for SARIF format report (#1889)
  • Add step (and timing) for finding files
  • Fix recursion when handling multiple assignment expressions (#1877)
  • Fix array/hash unknown index handling
  • Update terminal-table version
  • Add CSV library as explicit dependency for Ruby 3.4 support
  • Raise minimum Ruby version to 3.1

Default to Prism Parser

Prism is a new parser that has quickly been adopted across many Ruby implementations and code tools. In Ruby 3.4, it is now the default parser for Ruby itself.

Thankfully, Prism has also implemented translation layers for RubyParser and other existing parsers. This has allowed Brakeman (and other tools) to adopt Prism fairly easily. Even with the translation layer, Prism is typically a little faster than RubyParser. Line numbers may also shift slightly.

Brakeman now defaults to using Prism for parsing. Use the --prism or --no-prism option to enable or disable it explicitly.

There are still some small incompatibilities - please report any instances where Brakeman outputs [Format Error].

(changes)

Stop Following Symlinks by Default

For better performance, Brakeman will no longer default to following symbolic links for directories. Following symlinks was added in Brakeman 6.2.1.

To re-enable the previous behavior, use the --follow-symlinks option.

(changes)

Drop Timestamp from Ignore Files

Brakeman will no longer add an updated entry when generating or updating an ignore file.

The entry was redundant with source control and could cause unnecessary merge conflicts.

(changes)

Updates to Rescanning

“Rescanning” in Brakeman (attempting to only scan changed files) has been broken and out of date for a long time. This release drops a lot of that old code.

To improve accuracy, rescanning will now only skip the file reading/parsing step for unchanged files. The rest of the scan will continue like a regular full scan. For many code bases, the read/parse step is the slowest part of the scan. However, it is very likely the current rescanning will be slower (but more accurate) than the old version.

Hopefully there will be additional improvements in this functionality over time.

For any tools wanting to use rescanning, the initial scan must set support_rescanning: true to enable caching of the parsed files. After that, the API is the same.

(changes)

Globally Excluded Paths

Brakeman has a set of paths that it never scans:

  generators/
  lib/tasks/
  lib/templates/
  db/
  spec/
  test/
  tmp/

Previously, if any part of the path matched (e.g. db matching cool-db-adapter), it would get skipped.

Additionally, log used to be a skipped path which would match paths like catalog.

This has been fixed to only skip paths with an exact match.
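The difference matters because the old behaviour silently left real application code unscanned. This added example (not Brakeman's code) puts the two matching rules side by side over the list above; the project paths are constructed, and the old rule is simplified to a substring test.

```ruby
# Added example, not Brakeman's code: the old substring match against the
# globally excluded directories next to the fixed exact-component match.
# The directory list mirrors the release notes; the sample project paths
# are constructed.
EXCLUDED_DIRS = %w[generators lib/tasks lib/templates db spec test tmp].freeze

# Old behaviour (simplified): skip if the excluded name appears anywhere in
# the path string. "db" matches "lib/cool-db-adapter/conn.rb", and "log"
# (formerly in the list) matched "app/models/catalog.rb".
def skip_substring?(path, excluded = EXCLUDED_DIRS + ["log"])
  excluded.any? { |dir| path.include?(dir) }
end

# Fixed behaviour: skip only when the excluded entry appears as a complete
# run of directory components in the path ("db/schema.rb", "x/lib/tasks/y"),
# never as part of a longer name like "cool-db-adapter" or "catalog".
def skip_exact?(path, excluded = EXCLUDED_DIRS)
  dirs = path.split("/")[0...-1]          # directory components only
  excluded.any? do |dir|
    dparts = dir.split("/")
    dirs.each_cons(dparts.size).any? { |window| window == dparts }
  end
end

# Which files of a constructed app tree each rule would actually scan.
def scanned_files(paths, rule)
  paths.reject { |p| send(rule, p) }
end
```

Running scanned_files over a tree that contains lib/cool-db-adapter/conn.rb and app/models/catalog.rb shows the old rule dropping both while the fixed rule keeps them and still skips db/, spec/ and lib/tasks/.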

(changes)

More Deserialization Warnings

Brakeman will now warn about all uses of Marshal.load or Marshal.restore.

This may be a little noisy, so please feel free to provide feedback on false positives.

(changes)

More Eval Warnings

Brakeman will now warn about evaluation of dynamic strings, even if there is no obvious user-controllable input.

In addition, Brakeman will warn about most uses of eval.

This may be a little noisy, so please feel free to provide feedback on false positives.
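To make the two new warning classes concrete, here is an added example (not Brakeman's code) covering both this section and the Marshal section above: each flagged pattern sits next to a replacement that does not need Marshal or eval. The session blob, the AuditHook class and the arithmetic inputs are constructed; which exact call shapes Brakeman 7 flags is only as described in the notes above.

```ruby
require "json"

# Added example, not Brakeman's code: the two patterns the release notes say
# now always produce warnings, each next to a replacement that does not.
# The session blob, the AuditHook class and the inputs are constructed.

# Any class loaded in the process can be rebuilt by Marshal.load from
# attacker-supplied bytes; the stream names the class, not the application.
class AuditHook
  attr_reader :command
  def initialize(command)
    @command = command
  end
end

# Flagged: deserialising a blob that came from outside the process.
def load_session_unsafe(blob)
  Marshal.load(blob)
end

# Replacement: JSON yields only strings, numbers, arrays and hashes, and the
# keys the application expects are picked out and typed explicitly.
def load_session_safe(json)
  data = JSON.parse(json)
  { "user_id" => Integer(data.fetch("user_id")), "role" => data.fetch("role").to_s }
end

# Flagged: eval of a string assembled at runtime, even with no params or
# cookies in sight; Brakeman 7 no longer waits for an obvious user source.
def apply_unsafe(a, op, b)
  eval("#{a} #{op} #{b}")
end

# Replacement: an allow-list of operators dispatched without eval, so an
# "operator" like "; system('id')" is rejected instead of executed.
OPS = { "+" => :+, "-" => :-, "*" => :* }.freeze
def apply_safe(a, op, b)
  method = OPS.fetch(op) { raise ArgumentError, "operator not allowed: #{op}" }
  Integer(a).public_send(method, Integer(b))
end
```

Note that load_session_unsafe returns a live AuditHook even though nothing in the application ever asked for one; that is the behaviour the unconditional Marshal warning is pointing at.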

(changes)

SARIF Reports

SARIF reports output from Brakeman will now include the originalBaseUriIds property to enable the use of absolute file paths inside the report. This should improve compatibility with GitHub and other tools.

See the (changes) for details of how this interacts with scan paths.

Step for Finding Files

For large applications, just listing out relevant files for Brakeman to scan can take some time.

This step was previously “invisible” but now Brakeman will output Finding files... as a discrete step, which also means it will work with the --timing option to display how long that step takes.

(changes)

Dependency Updates

Brakeman no longer restricts terminal-table to an old version.

(changes)

csv is now an explicit dependency since it has moved to a bundled gem in Ruby 3.4.

(changes)

The minimum Ruby version to run Brakeman is now Ruby 3.1.0.

(changes)

Checksums

The SHA256 sums for this release are:

1a0122b0c70f17519a61548a53a332c0acc19e3aa10b445e15e025a4b13b8577  brakeman-7.0.0.gem
ecb1a4241df4d3756d0f81b6973852d0390511275a513768aee9ddc398bbfe05  brakeman-lib-7.0.0.gem
6cbe26b0cab0db59bf0a2dd77eb244386f8386d8f7081a8a843469fde6e55367  brakeman-min-7.0.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Hang out on Github for questions and discussion.

Brakeman 6.2.2 Released

Small release!

Changes since 6.2.1:

  • Revamp command injection detection in pipeline* calls (#1862)
  • New end-of-support dates for Rails
  • Exclude more native gems from vendored gems in brakeman gem (#1869)

Command Injection in pipeline_* calls

More specific checks for arguments to the Open3 methods pipeline, pipeline_r, pipeline_rw, pipeline_w, and pipeline_start to improve both true and false positive rates.
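The distinction the check has to make is between a pipeline stage given as a String, which goes through /bin/sh, and one given as an argv Array, which is exec'd directly. This added example (not Brakeman's code) shows both shapes for pipeline_r and runs a hostile value through the array form to show it stays a literal argument; the pattern values are constructed, and printf and cat are assumed to be present on the host.

```ruby
require "open3"

# Added example, not Brakeman's code: the two shapes of Open3.pipeline_* call
# that the revamped check has to tell apart. A String stage is handed to the
# shell, so interpolated input becomes shell syntax; an Array stage is exec'd
# with its elements as literal arguments. Pattern values are constructed;
# printf and cat are assumed to exist on the host.

# Command injection: the pattern is spliced into a shell command line, so a
# value like "x; id" runs a second command.
def grep_logs_unsafe(pattern, logfile)
  ["grep #{pattern} #{logfile}", "sort"]   # String stages => shell interprets them
end

# Safer shape: each stage is an argv array and `pattern` is one argument,
# never parsed by a shell ("--" also stops it being read as a grep option).
def grep_logs_safe(pattern, logfile)
  [["grep", "--", pattern, logfile], ["sort"]]
end

# Run a two-stage array pipeline and return what the last stage produced.
# Used to show that a hostile value survives as plain bytes, not as syntax.
def echo_through_pipeline(value)
  Open3.pipeline_r(["printf", "%s", value], ["cat"]) do |out, waiters|
    data = out.read
    waiters.each(&:value)   # reap both child processes
    data
  end
end
```

grep_logs_safe is what to write; grep_logs_unsafe is the shape that deserves a warning whatever the pattern's origin, because the split between "command" and "data" is lost before the shell sees it.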

(changes)

Updated End of Support Dates for Rails

The dates have been updated to match the revised Rails maintenance policy.

Unfortunately, timing of this Brakeman release means Brakeman is already warning about Rails 6.1 end-of-support (ended October 1st).

(changes)

Checksums

The SHA256 sums for this release are:

d502d653699f4d451b21225ff4d19a9ec9345d23eaab5576e246185ffd7bf618  brakeman-6.2.2.gem
fb7ba15cd309f995c95d15d9e0e590f3aad6f95a5dfa030854e8806f3ba196d9  brakeman-lib-6.2.2.gem
b3a5b59a14a527bfaca4d2637765e98c12ae800c8f044b1939da578d3ed31851  brakeman-min-6.2.2.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Hang out on Github for questions and discussion.