Changes since 3.5.0:
- Branch inside of
caseexpressions (#944, #972, #1002)
- Check targetless SQL calls outside of known models
- Fix issue with nested interpolation inside SQL strings (#1008)
- Only report CVE-2015-3227 when exact version is known (#933, #995)
- Print command line option errors without modification (#1010)
- Ignore GraphQL tags inside ERB templates
- Avoid recursive
At long last, Brakeman will now treat
case expressions similarly to
ifs. This includes tracking variable assignments inside of
when clauses and better handling
case expressions as values.
Note that at this time Brakeman does not handle nested
Targetless SQL Calls
Brakeman 3.5.0 broadened the check for SQL injection to calls that may not be on models (because models are often defined outside the application). However, calls with no target were still checking to see if they were called inside of model classes. This led to missing some SQL injection vulnerabilities.
Nested SQL Interpolation
Some cases of nested string interpolation in SQL calls were generating false positives. This should be fixed now.
Exit on Errors
Michael Grosser added the
--exit-on-error option to cause Brakeman to exit with a non-zero exit code if any errors are encountered. Normally Brakeman attempts to always generate a report regardless of any errors during the scan.
Spurious CVE Warning
Brakeman was reporting CVE-2015-3227 on any application using an unknown Rails version.
In an attempt to make command line option errors prettier, Brakeman was inadvertently messing up the error messages. It will no longer do so.
GraphQL in ERB
Brakeman will now ignore
<%graphql tags in ERB templates.
include themselves will no longer cause infinite loops.
The SHA256 sums for this release are:
c9bcc82a14359fe5f010551b1256eb1cea6848115f3429c7db74a386d6b0cf8c brakeman-3.6.0.gem 4793a407f79970a284474db3235d355f9927e987b71e33f1ce99fac3f3c249aa brakeman-min-3.6.0.gem 5c0a7aab7fc14d069d9dc208b653e10f71c355cb959fd144d6e8f7430c88a8e7 brakeman-lib-3.6.0.gem
Thank you to everyone who reported bugs and contributed to this release.
If you find Brakeman valuable and want to support its development, check out Brakeman Pro.