Brakeman 3.6.0 Released

Case Expressions

At long last, Brakeman will now treat case expressions similarly to ifs. This includes tracking variable assignments inside of when clauses and better handling case expressions as values.

Note that at this time Brakeman does not handle nested case expressions.

(changes)

Targetless SQL Calls

Brakeman 3.5.0 broadened the check for SQL injection to calls that may not be on models (because models are often defined outside the application). However, calls with no target were still checking to see if they were called inside of model classes. This led to missing some SQL injection vulnerabilities.

(changes)

Nested SQL Interpolation

Some cases of nested string interpolation in SQL calls were generating false positives. This should be fixed now.

(changes)

Exit on Errors

Michael Grosser added the --exit-on-error option to cause Brakeman to exit with a non-zero exit code if any errors are encountered. Normally Brakeman attempts to always generate a report regardless of any errors during the scan.

(changes)

Spurious CVE Warning

Brakeman was reporting CVE-2015-3227 on any application using an unknown Rails version.

(changes)

Option Errors

In an attempt to make command line option errors prettier, Brakeman was inadvertently messing up the error messages. It will no longer do so.

(changes)

GraphQL in ERB

Brakeman will now ignore <%graphql tags in ERB templates.

(changes)

Recursive Concerns

Concerns that include themselves will no longer cause infinite loops.

(changes)