Changes since 3.4.1:
- Warn about SQL injection even if target is not known ActiveRecord model
- Avoid warning about models as SQL injection (#655, #680, #833)
- Avoid warning about SQLi in all, first, or last after Rails 4.0
- Treat templates without .html as HTML anyway (#790)
- Report check name in JSON and plain reports (#971)
- Add --ensure-latest option (tamgrosser / Michael Grosser)
- Add --no-summary to hide summaries in HTML/text reports (#963)
- Fail on invalid checks specified by -x or -t (#970)
- Handle included block in concerns (#958)
- Updated RubyParser/Ruby2Ruby dependencies
SQL Injection Improvements
This release includes several changes to the SQL Injection check.
First, Brakeman will no longer restrict SQL injection warnings to calls on known ActiveRecord models. While this may lead to a few false positives, there were too many reports of obvious SQL injection being missed. This reverses a decision made previously. Warnings that may involve non-models are given a lower confidence.
Next, SQL that includes calls on model targets will no longer generate warnings. There were too many false positives and no known vulnerabilities flagged by this.
Finally, Brakeman will no longer check calls to all, first, and last as they changed in Rails 4.1.
(changes)
Extensionless Templates
Templates which do not specify any extension (e.g. just .erb instead of .html.erb) will still be treated as HTML instead of being ignored.
(changes)
Check Name in Reports
The plain and JSON reports now include the name of the check that generated the warning.
(changes)
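As an added example (not part of these release notes or of Brakeman's own code), the following Ruby script reads the check name and confidence of each warning in a JSON report and uses them as a CI gate, so that lower-confidence SQL injection warnings can be triaged separately from high-confidence ones. The report is a constructed sample, and the field names (warnings, check_name, confidence, file, line, message) are assumed to follow Brakeman's JSON report format.

```ruby
require 'json'

# Constructed sample report, not real scanner output; field names are
# assumed to match Brakeman's JSON report format.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "check_name": "SQL",
       "message": "Possible SQL injection", "file": "app/models/search.rb",
       "line": 12, "confidence": "Medium"},
      {"warning_type": "SQL Injection", "check_name": "SQL",
       "message": "Possible SQL injection", "file": "app/controllers/users_controller.rb",
       "line": 30, "confidence": "High"},
      {"warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting",
       "message": "Unescaped parameter value", "file": "app/views/users/show.html.erb",
       "line": 4, "confidence": "Weak"}
    ]
  }
JSON

# Brakeman reports confidence as High, Medium or Weak; rank them for comparison.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Number of warnings per check name, e.g. {"SQL" => 2, "CrossSiteScripting" => 1}.
def count_by_check(report_json)
  JSON.parse(report_json).fetch('warnings')
      .group_by { |w| w['check_name'] }
      .transform_values(&:size)
end

# Warnings from the named checks at or above the given confidence level.
def gate_warnings(report_json, checks:, min_confidence: 'Medium')
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  JSON.parse(report_json).fetch('warnings').select do |w|
    checks.include?(w['check_name']) &&
      CONFIDENCE_RANK.fetch(w['confidence'], 0) >= threshold
  end
end

# Exit status for a CI job: 0 when nothing blocks the build, 1 otherwise.
def gate_status(report_json, checks:, min_confidence: 'Medium')
  gate_warnings(report_json, checks: checks, min_confidence: min_confidence).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  count_by_check(SAMPLE_REPORT).each { |name, n| puts "#{name}: #{n}" }
  gate_warnings(SAMPLE_REPORT, checks: ['SQL']).each do |w|
    puts "#{w['confidence']} #{w['check_name']} #{w['file']}:#{w['line']} #{w['message']}"
  end
  puts "gate status: #{gate_status(SAMPLE_REPORT, checks: ['SQL'])}"
end
```

Feed it the output of a real run (brakeman -f json) in place of the sample to block merges on the checks and confidence level your team chooses.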
Option to Enforce Latest Brakeman
The --ensure-latest option has been added. If there is a newer version of Brakeman available, this option will cause Brakeman to exit with a non-zero exit code.
(changes)
Option to Hide Summary
When using --no-summary and either the plain or “table” output, Brakeman will only report warnings, no metadata. Probably most useful in combination with --quiet.
(changes)
Fail on Invalid Checks
When using -t or -x to control which checks are run, Brakeman will now fail if the options supplied do not match existing check names. -t None may be used to avoid running any checks.
(changes)
Handle Included Concerns
Brakeman will now handle the included block in Concerns. Additionally, to support this, Concerns are processed prior to other classes.
(changes)
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.