This is entirely a bugfix release with no new features. However, the fixes may cause line numbers and warning fingerprints to change.
Changes since 3.0.1:
- Fix HTML reports with GitHub repos (#624)
- Handle processing of explicitly shadowed block arguments (#612)
- Fix CSV output when there are no warnings (#615)
- Update ruby_parser to ~> 3.6.2
- Treat table_name_suffix as safe in SQL
- Fix using compare with external checks
- Alias process methods called in class scope on models
- Avoid warning about mass assignment with string literals
- Only report original regex DoS locations
- Report correct file for simple_format usage CVE warning
- Ignore case value in XSS checks
HTML Reports with GitHub Repo
HTML reports were sometimes causing an error when linking to a GitHub repo.
Shadowed Block Arguments
There was an error handling explicitly shadowed block arguments like this:
    some_array.each do |item; x, y|
      # Stuff
    end
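To make the construct concrete, here is an added example (not code from the Brakeman release or code base) showing why block-local variables matter to a data-flow analysis: an assignment to a name declared after the semicolon never reaches the outer variable, while an assignment to an unshadowed name does.

```ruby
# Added example: Ruby block-local ("shadowed") variables.
# Returns [outer x after the shadowed block, outer y after the plain block].
def shadowing_demo
  items = [1, 2, 3]

  # Case 1: "; x" declares x as block-local, so the block's x is a distinct
  # variable. Assignments inside the block leave the outer x untouched.
  x = "outer"
  items.each do |item; x|
    x = "assigned in block for item #{item}"
  end
  shadowed_result = x # still "outer"

  # Case 2: no block-local declaration, so the block closes over the outer y
  # and the last assignment made inside the block is visible afterwards.
  y = "outer"
  items.each do |item|
    y = "assigned in block for item #{item}"
  end
  plain_result = y # "assigned in block for item 3"

  [shadowed_result, plain_result]
end
```

A scanner that parses `|item; x, y|` incorrectly would either error out, as reported in #612, or conflate the two cases and carry block-local values into the enclosing scope.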
Empty tables caused the CSV report to fail.
Brakeman has been well behind on RubyParser versions due to a line number issue which is nearly always present in HAML templates. As a workaround, Brakeman now strips newline literals from HAML templates. This does cause some line numbers to be off, but newline literals are typically caused by HAML formatting. Removing them allows Brakeman to use the latest RubyParser.
Brakeman now requires RubyParser 3.6.2 as a minimum.
(HAML changes, dependency change)
More SQL-safe Methods
Brakeman will no longer warn about table_name_suffix in SQL.
Compare with External Checks
Fix an issue when using compare with external checks.
Process Class-Scope Method Calls
Previously, Brakeman would process method calls at the class scope (e.g., belongs_to) in models and then throw away the call. This meant the call never received data flow analysis. This was particularly noticeable when those calls involved blocks. This has been fixed and has improved results, especially where constants are used.
Mass Assignment with Literals
Brakeman no longer warns about mass assignment if the arguments are a string or symbol literal. In those cases the receiver is probably not an ActiveRecord subclass anyway.
Reduce Regex DoS Duplicates
Duplicate regular expression denial of service warnings were being reported due to data flow analysis.
File for simple_format CVE
Warnings regarding the old simple_format CVE will now point to the file where simple_format was called, not the Gemfile.
Ignore Case Value
Brakeman no longer reports XSS warnings about the value used in a case statement.
The SHA1 sums for this release are:

    87413b544b5eae0cac9f037e2b62b1fe3f0fee5e  brakeman-3.0.2.gem
    cfcf3080a992ca173c64dd98fe239e8bd9bb0eaa  brakeman-min-3.0.2.gem
Please report any issues with this release! Take a look at this guide to reporting Brakeman problems.
Also consider following @brakeman on Twitter and joining the mailing list.