Brakeman 3.7.1/3.7.2 Released

Just a little release. Next up: 4.0!

Changes since 3.7.0:

• Handle simple guard with return at end of branch (#1073)
• Add more collection methods for iteration detection
• Modularize bin/brakeman
• Improve multi-value Sexp error message
• Update ruby2ruby and ruby_parser dependencies

Another Simple Guard

Brakeman will now handle when the branch in a simple guard condition ends in return.

For example:

unless [:valid, :value].include? params[:x]
  do_stuff
  more_stuff
  return
end

x.send(params[:x]) # Will no longer warn because `params[:x]` must be 'safe'

(changes)

More Collection Methods

Brakeman attempts to detect when a template is iterating over records from a database query.

This release adds a few more methods that might return a collection of records.

(changes)

Modularize Commandline

The logic in the brakeman executable has now entirely been moved to Brakeman::Commandline for easier testing and custom behavior.

(changes)

Brakeman 4.0 Plans

If all goes well, Brakeman 4.0 will be released on August 27th, which is also the 7th anniversary of Brakeman’s first release. It will also be the 101st release of Brakeman!

At least two major changes will be coming in Brakeman 4.0:

• The plain report format will be the default instead of tables
• -z or --exit-on-warn (sets exit code if any warnings are found) will be on by default

There will likely be other changes, but these two will be the most obvious.