Brakeman 3.3.0 introduces a new packaging method for Brakeman which vendors all dependencies and does not include any gem dependencies in the gemspec. Please test and provide feedback if it does not work as expected.
Changes since 3.2.1:
- Bundle all dependencies in gem
- Return exit code 4 if no Rails application is detected (#869)
- Add optional check for secrets in source code (#201)
- Track constants globally
- Skip if branches with Rails.env.test?
- Skip processing obviously false if branches (more broadly)
- Handle HAML find_and_preserve with a block (#837)
- Allow non-Hash arguments in
- Avoid warning about u helper (Chad Dollins)
- Avoid warning about mass assignment and SQL injection with params.slice
- Avoid warning about
- Avoid warning on popen with array (#851)
- [Code Climate engine] When possible, output to /dev/stdout (Gordon Diggs)
- [Code Climate engine] Remove nil entries from
- [Code Climate engine] Report end lines for issues (Gordon Diggs)
In its gem form, Brakeman no longer declares any external dependencies. Its dependencies are bundled with the gem itself. This should prevent the conflicts which sometimes occur when Brakeman is declared as a dependency of a Rails application. The disadvantage is you will no longer be able to update Brakeman dependencies (like RubyParser) without updating Brakeman itself.
As this is a new way of distributing Brakeman, please report any issues that may arise.
New Exit Code
A new exit code has been added for the case when Brakeman does not detect a Rails application.
For reference, these are Brakeman’s current exit codes:
0 - Normal exit
3 - Warnings found (with
4 - No Rails application detected
A new optional check has been added to look for hard-coded secrets in the source code. It will warn when constants like PASSWORD are assigned string literals. To run the new check, use -t Secrets or -A to run all checks including optional ones.
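To make the behaviour of the new check concrete, here is an added example (not Brakeman's own implementation) of the same idea: walk the Ruby AST and flag constants with secret-looking names that are assigned a plain string literal, while leaving values read from ENV alone. The sample source, the class name and the name pattern are constructed for illustration and are assumptions, not Brakeman's actual rules.

```ruby
require "ripper"

# Constructed sample source (not from the Brakeman page); the constant names
# and values are made up for illustration.
SAMPLE_SOURCE = <<~RUBY
  class AppConfig
    PASSWORD = "hunter2"
    SECRET_KEY = ENV.fetch("SECRET_KEY")
    API_TOKEN = "abc123"
    TIMEOUT = 30
    NAME = "example"
  end
RUBY

# Assumed name pattern for "secret-looking" constants; Brakeman's own list
# may differ.
SECRET_NAME = /PASSWORD|PASSWD|SECRET|TOKEN|API_KEY/i

# Returns [{constant:, line:}] for every constant whose name looks like a
# secret and whose assigned value is a plain string literal.
def find_hardcoded_secrets(source)
  findings = []
  walk(Ripper.sexp(source), findings)
  findings
end

# Recursive walk over Ripper's s-expression tree. An assignment to a constant
# shows up as [:assign, [:var_field, [:@const, name, [line, col]]], value].
def walk(node, findings)
  return unless node.is_a?(Array)
  if node[0] == :assign
    target, value = node[1], node[2]
    if target.is_a?(Array) && target[0] == :var_field &&
       target[1].is_a?(Array) && target[1][0] == :@const
      name = target[1][1]
      line = target[1][2][0]
      if name.match?(SECRET_NAME) && value.is_a?(Array) && value[0] == :string_literal
        findings << { constant: name, line: line }
      end
    end
  end
  node.each { |child| walk(child, findings) }
end

if __FILE__ == $PROGRAM_NAME
  find_hardcoded_secrets(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: #{f[:constant]} is assigned a string literal"
  end
end
```

Run against the sample, the scanner reports PASSWORD (line 2) and API_TOKEN (line 4) but not SECRET_KEY, because its value is a method call on ENV rather than a literal; moving secrets into the environment or a credentials store is the usual way to clear this kind of finding.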
This release includes initial support for tracking and matching constants across the application. For example, if a model contains a constant Model::KEYS which is used elsewhere, Brakeman should be able to track this value. This helps prevent false positives when safe values have been declared as constants.
Skipping Test Code
Brakeman will now ignore if branches that check Rails.env.test?. Additionally, branch skipping behavior (e.g. if false...) has been expanded to most of Brakeman’s processing instead of just in data flow analysis.
Brakeman will now handle uses of find_and_preserve in HAML with a block.
Array#first will be replaced with the first value in the array when known.
Jason Yeo provided a fix for when Brakeman encounters a non-Hash argument to
Chad Dollins fixed XSS false positives when the u alias for url_encode is used.
slice False Positives
Brakeman should no longer warn when using params.slice in mass assignment, SQL injection, links, and open redirects.
Brakeman will no longer warn about uses of popen when the argument is an array, in which case the arguments are escaped.
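The reason the array form is treated as safe is that Ruby passes an argv array straight to exec(2) with no shell in between, whereas a single command string goes through /bin/sh, where metacharacters in any interpolated value are interpreted. The following added example (not code from Brakeman or the page) shows both forms side by side with a constructed input; the function names and the sample value are assumptions for illustration.

```ruby
# Constructed value standing in for untrusted input; not from the page.
UNTRUSTED = "hello; echo injected"

# String form: Ruby hands the whole line to /bin/sh, so shell metacharacters in
# the interpolated value are interpreted. This is the pattern Brakeman warns on.
def echo_via_shell(value)
  IO.popen("echo #{value}") { |io| io.read }
end

# Array form: each element becomes one argv entry passed straight to exec(2);
# no shell is involved, so the value stays a single literal argument. This is
# the form Brakeman 3.3.0 no longer warns about.
def echo_via_argv(value)
  IO.popen(["echo", value]) { |io| io.read }
end

if __FILE__ == $PROGRAM_NAME
  puts "string form: #{echo_via_shell(UNTRUSTED).inspect}"
  puts "array form:  #{echo_via_argv(UNTRUSTED).inspect}"
end
```

With the constructed input, the string form yields two lines of output because the shell split the command at the semicolon, while the array form echoes the whole value as one argument. When reviewing a finding, the fix is to build the argv array from the pieces instead of interpolating into a string.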
Code Climate Engine
Gordon Diggs provided several improvements to the Code Climate Engine in this release:
- Remove nil entries from the
- Force output to stdout when possible
- Report end lines to conform with spec
The SHA256 sums for this release are:
c01ec64d35218887fc5ea2ae8babc88e9e0e7cc3c161b020725d2b17c4189858 brakeman-3.3.0.gem
f1adce1a696799342dc9f50b51975024060360dc9018358c5d8e34c1c4681bd1 brakeman-min-3.3.0.gem
Thank you to everyone who reported bugs and contributed improvements in this release.
Also consider following @brakeman on Twitter and hanging out on Gitter for questions and discussion. Please note the mailing list is no longer in use and has apparently not been delivering mail for some time.