Brakeman 6.0 drops parsing support for Ruby 1.8/1.9, and raises the minimum Ruby version to run Brakeman to 3.0.
Changes since 5.4.1:
- Drop support for Ruby 1.8/1.9 syntax
- Raise minimum Ruby version to 3.0
- Add obsolete fingerprints to comparison report (#1758)
- Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
- Fix false positive with content_tag in newer Rails (#1778)
- Scan directories that include the word
- Fix end-of-life dates for Ruby
Ruby Parsing Version Support
This version of Brakeman no longer supports parsing Ruby 1.8/1.9 syntax.
ruby_parser, the gem Brakeman depends on for parsing Ruby, dropped support quite a while ago. Brakeman was depending on the ruby_parser-legacy gem for these older versions. But since it has been eight years since Ruby 1.9 has been unmaintained… it is time to let go.
Minimum Ruby Version
The minimum Ruby version to run Brakeman is now 3.0.0.
Official support for the 2.x line of Ruby has ended, so it is a good time to bump up the minimum requirement and adopt more modern language features.
Missing CSRF Protection Warning
Since Rails 5.2.0, new applications have had cross-site request forgery protection enabled. Brakeman assumed the protection was enabled based on the Rails version alone. However, this was incorrect: the protection is a framework default, so it only applies when the application actually loads the Rails 5.2+ defaults.
Now Brakeman correctly handles the default configuration values and warns about missing CSRF protection when those defaults are not loaded.
Content Tag Attributes
Brakeman will no longer warn about user input in content_tag attribute names in Rails 6.1.6+.
Obsolete Warnings in Comparison Report
When using the --compare option, the output JSON will now include an obsolete key with an array of fingerprints.
These fingerprints are warnings that are configured to be ignored, but no longer exist.
Note that the report will include all fingerprints in the ignore configuration that are not in the current report, even if they were already obsolete.
This report format matches the
The report will resemble:
{
  "new": [ ... ],
  "fixed": [ ... ],
  "obsolete": [ ... ]
}
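The following is an added example, not code from Brakeman itself, showing the logic the comparison report's obsolete key describes: every fingerprint listed in the ignore configuration that does not appear among the warnings of the current scan. It also prunes those stale entries from the ignore configuration, which is the usual follow-up once a fingerprint is known to be obsolete. The ignore file shape (an ignored_warnings array of fingerprint/note entries) and the JSON report shape (a warnings array whose entries carry a fingerprint) follow the formats Brakeman writes; the fingerprint values and file contents here are constructed placeholders, and the function names are my own.

```ruby
require 'json'

# Constructed sample of a config/brakeman.ignore file. The fingerprints are
# made-up placeholders, not values from any real scan.
IGNORE_CONFIG = <<~JSON
  {
    "ignored_warnings": [
      { "fingerprint": "aaaa1111", "note": "Reviewed: value is an integer id" },
      { "fingerprint": "bbbb2222", "note": "Came from the old export controller" },
      { "fingerprint": "cccc3333", "note": "Still present in app/models/report.rb" }
    ],
    "updated": "2023-01-01 00:00:00 +0000",
    "brakeman_version": "6.0.0"
  }
JSON

# Constructed sample of a current JSON report (brakeman -f json), trimmed to
# the fields this example needs. Fingerprint "bbbb2222" no longer appears,
# so its ignore entry is obsolete.
CURRENT_REPORT = <<~JSON
  {
    "warnings": [
      { "fingerprint": "aaaa1111", "warning_type": "SQL Injection" },
      { "fingerprint": "cccc3333", "warning_type": "Cross-Site Scripting" },
      { "fingerprint": "dddd4444", "warning_type": "Mass Assignment" }
    ],
    "ignored_warnings": []
  }
JSON

# Collect the fingerprint of every warning in a report, ignored or not.
def fingerprints_from_report(report_json)
  report = JSON.parse(report_json)
  (report.fetch('warnings', []) + report.fetch('ignored_warnings', []))
    .map { |w| w['fingerprint'] }.compact.uniq
end

# Obsolete fingerprints: in the ignore configuration but absent from the
# current scan. As the release notes say, an entry stays obsolete on every
# comparison until it is removed from the ignore file.
def obsolete_fingerprints(ignore_json, report_json)
  ignored = JSON.parse(ignore_json).fetch('ignored_warnings', [])
  ignored.map { |w| w['fingerprint'] }.compact.uniq - fingerprints_from_report(report_json)
end

# Rebuild the ignore configuration without obsolete entries so the file does
# not accumulate exceptions for code that no longer exists.
def prune_ignore_config(ignore_json, report_json)
  config = JSON.parse(ignore_json)
  stale = obsolete_fingerprints(ignore_json, report_json)
  config['ignored_warnings'] = config.fetch('ignored_warnings', []).reject do |w|
    stale.include?(w['fingerprint'])
  end
  config
end

# The three-key shape of a comparison report with the new obsolete key.
# new_warnings and fixed_warnings are passed through untouched here.
def comparison_report(new_warnings, fixed_warnings, ignore_json, report_json)
  {
    'new' => new_warnings,
    'fixed' => fixed_warnings,
    'obsolete' => obsolete_fingerprints(ignore_json, report_json)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(comparison_report([], [], IGNORE_CONFIG, CURRENT_REPORT))
  pruned = prune_ignore_config(IGNORE_CONFIG, CURRENT_REPORT)
  puts "Ignore entries kept: #{pruned['ignored_warnings'].size}"
end
```

To use this against a real project, read config/brakeman.ignore into ignore_json and a fresh `brakeman -f json` report into report_json; the pruned configuration can then be written back with JSON.pretty_generate.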
Scan ‘public’ Directories
In the old days, Brakeman tried to scan only the “standard” Rails directories, mostly within /app/. With the 5.0 release, Brakeman was revised to make very few assumptions about what kinds of files live where, instead making decisions based on the content of files rather than their location.
However, there was a lingering exception. Brakeman would ignore any directories that included
This exception has been removed.
EOL Dates for Ruby
Fixed end-of-life date for Ruby 3.0 and added expected dates for 3.1 and 3.2.
The SHA256 sums for this release are:
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on Github for questions and discussion.