Ruby on Rails Static Analysis Security Tool

Brakeman 1.6 Released

A lot of code has changed in this release, particularly with the removal of the Ruport library for reporting. While Ruport worked pretty well, it caused some issues just due to the large number of (out-dated) dependencies it brought with it.

Also, this release changes the JSON report output. This is a backwards incompatible change. But, given how useless the previous JSON reports were, hopefully this will not affect too many people.

Changes since 1.5.3:

  • Remove the Ruport dependency (Neil Matatall)
  • Add more informational JSON output (Neil Matatall)
  • Add comparison to previous JSON report (Neil Matatall)
  • Add highlighting of dangerous values in HTML/text reports
  • Model#update_attribute should not raise mass assignment warning (Dave Worth)
  • Don’t check find_by_* method for SQL injection
  • Fix duplicate reporting of mass assignment and SQL injection
  • Fix rescanning of deleted files
  • Properly check for rails_xss in Gemfile

No More Ruport

Ruport is a nice library, but it also has not been updated in over two years and its dependency tree was ridiculous.

Thanks to Neil Matatall, Brakeman no longer depends on Ruport, but the reports should look essentially the same. The HTML reports are now rendered through ERB templates, so it should not be too difficult to customize the reports if desired.

Better JSON Output

JSON output now includes meta-information about the scan, errors raised during the scan, and line numbers for each warning.

JSON Report Comparison

Being able to compare Brakeman reports is essential for tracking warnings over time. Prior to this release, the only decent way of doing that was via the Jenkins plugin. But now Brakeman can compare results to the JSON report from a previous scan.

For example:

brakeman -o report.json
brakeman --compare report.json

This will run another scan, then output a comparison of the reports (in JSON). The report includes a list of fixed warnings and a list of new warnings that were found.

User Input Highlighted in Reports

Sometimes it is unclear exactly what value has caused Brakeman to issue a particular warning. This release adds highlighting the detected user input in most warnings. (Some warnings, the code that is reported is the detected user input). This information is also available in the JSON reports.

User Input Highlight

Fewer Mass Assignment and SQL Injection Methods

Dave Worth pointed out that Brakeman was a little overzealous in which methods it considered susceptible to mass assignment and SQL injection attacks.

Brakeman will no longer check update_attribute for mass assignment or the find_by_* dynamic methods for SQL injection.

Fewer Mass Assignment and SQL Injection Duplicates

Pesky duplicate reports of mass assignment and SQL injection were turning up as template warnings. This occurred when the results of the mass assignment or SQL query were assigned to a variable which was then used in a template. This should now be fixed.

More details than are probably desired are available here.

Rescanning Fixes

Rescanning of deleted files is now supported, and there some other issues with rescanning that are now resolved as well.

Brakeman has a sweet new logo, thanks to Janelle Lawless!

Brakeman Logo

Updates to the website to reflect this awesomeness are coming soon.

Reporting Issues

Please report any issues with this release!

Also consider joining the mailing list or following @brakeman on Twitter.

And don’t forget to check out the Brakeman talk at RailsConf in a few days.