Changes since 3.5.0:
- Branch inside of case expressions (#944, #972, #1002)
- Check targetless SQL calls outside of known models
- Fix issue with nested interpolation inside SQL strings (#1008)
- Add --exit-on-error (Michael Grosser)
- Only report CVE-2015-3227 when exact version is known (#933, #995)
- Print command line option errors without modification (#1010)
- Ignore GraphQL tags inside ERB templates
- Avoid recursive Concerns
Case Expressions
At long last, Brakeman will now treat case expressions similarly to ifs. This includes tracking variable assignments inside of when clauses and better handling of case expressions used as values.
Note that at this time Brakeman does not handle nested case expressions.
(changes)
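As an added illustration (not code from the release notes or from Brakeman itself), here are the two case shapes the release describes, written as plain Ruby so they run without Rails; params stands in for a Rails params hash (an assumption), and the hardened version shows the allowlist fix a reviewer would ask for.

```ruby
# Constructed example, not from Brakeman. `params` is assumed to be a Hash
# standing in for a Rails params object.

# Shape 1: the variable is assigned inside each `when` clause and then
# interpolated into SQL. The analyzer now follows `column` through every
# branch; the `else` branch carries user input straight into the query.
def order_sql_unsafe(params)
  case params[:sort]
  when "name"  then column = "users.name"
  when "email" then column = "users.email"
  else              column = params[:sort]   # user-controlled value
  end
  "SELECT * FROM users ORDER BY #{column}"
end

# Shape 2: the `case` expression itself is the value. Same data flow as
# above, only the syntax differs, so it must be tracked the same way.
def order_sql_unsafe_value(params)
  column = case params[:sort]
           when "name" then "users.name"
           else params[:sort]                # user-controlled value
           end
  "SELECT * FROM users ORDER BY #{column}"
end

# Hardened form: every branch resolves to a literal taken from an allowlist,
# so the interpolated column can never be user input whichever branch runs.
SORT_COLUMNS = { "name" => "users.name", "email" => "users.email" }.freeze

def order_sql_safe(params)
  column = case params[:sort]
           when *SORT_COLUMNS.keys then SORT_COLUMNS.fetch(params[:sort])
           else "users.id"                   # fixed default, not the input
           end
  "SELECT * FROM users ORDER BY #{column}"
end
```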
Targetless SQL Calls
Brakeman 3.5.0 broadened the check for SQL injection to calls that may not be on models (because models are often defined outside the application). However, calls with no explicit target were still only checked when they appeared inside model classes. This led to missing some SQL injection vulnerabilities.
(changes)
Nested SQL Interpolation
Some cases of nested string interpolation in SQL calls were generating false positives. This should be fixed now.
(changes)
Exit on Errors
Michael Grosser added the --exit-on-error option to cause Brakeman to exit with a non-zero exit code if any errors are encountered. Normally Brakeman attempts to always generate a report regardless of any errors during the scan.
(changes)
Spurious CVE Warning
Brakeman was reporting CVE-2015-3227 on any application using an unknown Rails version.
(changes)
Option Errors
In an attempt to make command line option errors prettier, Brakeman was inadvertently messing up the error messages. It will no longer do so.
(changes)
GraphQL in ERB
Brakeman will now ignore <%graphql tags in ERB templates.
(changes)
Recursive Concerns
Concerns that include themselves will no longer cause infinite loops.
(changes)
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.