Happy new year and apologies for the delay in releases! Brakeman should now return to the normal 1-2 month release cycle. There are already pull requests lined up for the next release.
This release includes a number of fixes and new features. In particular, please note there are large changes to how reports and warning messages are generated. Please report any issues!
brakeman gem version of this release no longer supports use of Slim with Ruby 1.9.3. See below for details.
As noted previously, due to the Synopsys acquisition Brakeman is now distributed under a non-OSS license. See below for details.
Changes since 4.3.1:
- Add check for CVE-2018-3760
--enable option to enable optional checks
- Add Dockerfile to run Brakeman inside Docker (Ryan Kemper)
- Handle empty
secrets.yml files (Naoki Kimura)
- Ignore Tempfiles in FileAccess warnings (Christina Koller)
- Avoid warning about command injection when
Shellwords.shelljoin are used (George Ogata)
if not like
- Fix Rails 4 configuration handling
- Set default encoding to UTF-8
- Support reading gem versions from gemspecs
- Support gem versions which are just major.minor (e.g. 3.0)
- Correctly set
rel="noreferrer" in HTML reports
- Fix thread-safety issue in CallIndex
- Fix trim mode for ERb templates in old Rails versions
nil errors when concatenating arrays
- Add rendered template information to render paths
- Trim some unnecessary files from bundled gems
- Deadcode and typo fixes found via Coverity
- Complete overhaul of warning message construction
- Update to Slim 4.0.1 (Jake Peterson)
- Update to RubyParser 3.12.0
- Updated license
A new check was added for CVE-2018-3760 (Sprockets path traversal vulnerability).
Brakeman will warn about use of the affected Sprockets version and
config.assets.compile = true.
Enable Optional Checks
Brakeman has options to enable all checks, to disable some checks, and to enable a subset of checks, but not to enable default+some optional checks.
--enable option has been added to allow enabling individual optional checks.
Thanks to Ryan Kemper, Brakeman now has a Dockerfile to enable local building and running of Brakeman inside Docker.
Additionally, there is now a Docker image available for Brakeman:
docker pull presidentbeef/brakeman
docker run -v "$(pwd)":/code brakeman --color
See the Brakeman README for more details.
Please note the Docker image is built from the master Brakeman branch. The master branch is typically stable, but it will typically be ahead of the gem release.
Thanks to Naoki Kimura, Brakeman will no longer show an error when the
secrets.yml file is empty.
File Access with Tempfiles
Thanks to Christina Koller, Brakeman will no longer warn about file access issues when Tempfiles are used.
Shellescape and Command Injection
Thanks to George Ogata, Brakeman will no longer warn about command injection when
shellescape are used.
Rails 4 Configuration
When implementing the check for CVE-2018-3760, it was discovered that Brakeman was not handling the Rails 4 configuration format properly:
Brakeman was not picking up any configuration options if this format was used:
Brakeman now sets the default external encoding to
UTF-8 to avoid issues where the environment might set a different encoding.
Brakeman can now read gem versions from
gemspec files. This is common for Rails engines.
Additionally, Brakeman now understands versions which only specify major/minor versions (e.g.
The order of precedence is
No Referrer in HTML Reports
Brakeman has unfortunately been setting
rel="no-referrer" instead of
rel="noreferrer" in HTML reports.
Thread-Safety in Call Index
In rare cases (heavy CPU load?), accessing the CallIndex when running checks caused thread-unsafe behavior. This would have been reflected in a Ruby error about modifying the index during iteration, although checks don’t actual modify the CallIndex.
ERb Trim Mode
Brakeman has been accidentally setting the “trim mode” to the template file path (oops!) which silently (!) worked in tests. This only affects Rails 2.x.
This has been corrected and Ruby will now warn about incorrect trim modes.
This release fixes a
nil error when attempting to concatenate arrays.
Rendered Template Information
Template “render paths” now include which template was rendered.
This is reflected in the JSON report:
In the future this information may be used to improve other report formats as well.
Reduced Gem Size
brakeman gem bundles all its dependencies, which makes the gem a bit big.
This change removes some of the unneeded files (such as tests) and reduces the file size by about a third.
Dead Code and Typos
A few bits of dead code and minor typos were found via Coverity and fixed.
Warning Message Overhaul
Brakeman warning messages were previously just strings.
In order to introduce some formatting flexibility, Brakeman warning messages are now constructed as arrays of
These objects specify the type of the message string (e.g. “code” or “plain”). At report generation time, the messages can be converted to a particular format,
such as HTML, plaintext, etc.
Along with this change, quite a bit of cleanup was performed on report generation in general.
These changes make it easier to produce consistent messages as well as potentially supporting translation in the future.
You may notice warning message text and/or formatting has changed as a result of these changes.
Please report any issues.
Thanks to Jake Peterson, the Slim dependency has been updated to 4.0.1 to support newer syntax.
Note that Slim 4.x not longer supports Ruby 1.9.3. You may need to use the
brakeman-lib gem or update your Ruby version.
RubyParser has been updated to 3.12.0 which includes some added syntax support and is faster!
Brakeman is now distributed under the Brakeman Public Use License which restricts commercial use of Brakeman.
It does not restrict use of Brakeman to scan your own code or your organization’s code, regardless of whether that code is proprietary, commercial, free, open source, etc.
Feel free to message @presidentbeef if you have questions.
The SHA256 sums for this release are:
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.