Ruby on Rails Static Analysis Security Tool

Brakeman 1.8.2 Released

This is a bugfix release, in particular fixing rescanning (used by guard-brakeman).

Changes since 1.8.1:

  • Fixed rescanning problems caused by 1.8.0 changes
  • Fix scope calls with single argument
  • Report specific model name in rendered collections
  • Handle overwritten JSON escape settings (Neil Matatall)
  • Add CHANGES to gemspec

Rescan Fixes

Brakeman supports rescanning a subset of files in an application, with the caveat that the previous scan must still be in memory. This functionality was broken in the the 1.8.0 release, due to the lack of tests.

This release updates rescanning to be more robust and work with the 1.8.0 changes to how “render paths” are stored. Also, a number of tests were added to help prevent breakage in the future.


Scope Calls with One Argument

Calls to scope with a single argument were causing errors in Brakeman’s SQL injection check.

The fixed error looked like:

undefined method `node_type' for nil:NilClass  /something/brakeman/lib/brakeman/checks/check_sql.rb:75:in `block (2 levels) in find_scope_calls'


Model Names for Rendered Collections

In cases like below, where a collection of models is being rendered and the model name could be known, any resulting warnings will now reference the actual model name.

<%= render 'user', :collection => User.all %>

Previously, Brakeman would report warnings with UnknownModel, whether or not the model name was actually known.


Overwritten JSON Escape Config

It is possible that a config setting in one initializer overrides a setting in a different initializer. This is now handled for the JSON escape settings.


CHANGES File in Gem

The CHANGES file is now included in the gem file as requested.


Report Issues

Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.

Also consider joining the mailing list or following @brakeman on Twitter.

Brakeman Roadmap

A rough guide to Brakeman 1.9 and 2.0 has been posted here.