Ruby on Rails Static Analysis Security Tool

Brakeman 4.8.0 Released

First release of 2020! This release comes with a brand new report format: JUnit XML.

Changes since 4.7.2:

  • Add JUnit XML report format (Naoki Kimura)
  • Sort ignore files by fingerprint and line (Ngan Pham)
  • Catch dangerous concatenation in CheckExecute (Jacob Evelyn)
  • User-friendly message when ignore config file has invalid JSON (D. Hicks)
  • Freeze call index results, fix thread-safety issue
  • Properly render confidence in Markdown report (#1446)
  • Report old warnings as fixed if zero warnings reported

JUnit XML Report

Thanks to Naoki Kimura, Brakeman can now generate reports in JUnit XML format. JUnit XML is produced and consumed by a number of different testing tools, including CircleCI.

Supporting this format makes it possible for Brakeman warnings to be consumed by general test infrastructure tools.

To use the new format, either pass -f junit explicitly or write the report to a file with a .junit extension (for example -o report.junit), since Brakeman picks the output format from the file extension.


Sort Ignore Files

Warnings in “ignore files” were previously only sorted by fingerprint. Thanks to Ngan Pham they are now sorted by fingerprint then line number, to maintain stable ordering between warnings with the same fingerprint.


Dangerous Concatenation in Commands

Jacob Evelyn has updated the command injection check (CheckExecute) so that it also flags string concatenation with dangerous values, not only string interpolation.

For example:

system("ls " + maybe_dangerous)
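The snippet above is dangerous because a single concatenated string is handed to /bin/sh, so shell metacharacters in the untrusted value are interpreted. The following is an added example, not code from the Brakeman project, showing that shape beside the hardened argument-vector form. The function names, the ls command and the "; echo INJECTED" payload are constructed for illustration:

```ruby
require "open3"
require "tmpdir"
require "fileutils"

# Vulnerable shape (what CheckExecute now flags): concatenating an
# attacker-influenced value into one command string sends the whole string
# through /bin/sh, so ";", "|", "$(...)" and backticks in `path` are executed.
def list_dir_vulnerable(path)
  stdout, _stderr, _status = Open3.capture3("ls " + path)
  stdout
end

# Hardened form: pass the program and each argument separately. Ruby then
# execs "ls" directly with no shell, so `path` is always one literal argument.
# The "--" also stops ls from treating a value such as "-la" as an option.
def list_dir_safe(path)
  stdout, _stderr, _status = Open3.capture3("ls", "--", path)
  stdout
end

# Runs both versions against a constructed payload inside a temporary
# directory holding a single file, returning the stdout lines of each.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.touch(File.join(dir, "a.txt"))
    payload = "#{dir}; echo INJECTED" # constructed attacker-controlled input
    {
      vulnerable: list_dir_vulnerable(payload).lines.map(&:chomp),
      safe:       list_dir_safe(payload).lines.map(&:chomp)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "vulnerable: #{result[:vulnerable].inspect}" # ["a.txt", "INJECTED"]
  puts "safe:       #{result[:safe].inspect}"       # []
end
```

The vulnerable version lists the directory and then runs the injected echo; the hardened version treats the entire payload as one (nonexistent) path, prints nothing to stdout and exits non-zero. If a single command string is genuinely unavoidable, Shellwords.escape on each untrusted piece is the fallback, but the array form is the one to reach for first.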


Fix Thread-safety Issue

Two checks were modifying shared data (call site results returned by the call index), which introduced a race condition: sometimes a result would unexpectedly become nil and cause intermittent errors. Note this only showed up when using real, concurrently running threads on JRuby.

Now results from the CallIndex are frozen to help prevent this kind of modification of shared data in the future.
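The following is an added example of the defensive pattern described above, not Brakeman's own CallIndex. It sketches a hypothetical shared index that memoizes lookups (so every check receives the same array object) and shows what an in-place edit by one check does to the next check, with and without the results being frozen. The class, method names and sample calls are all constructed:

```ruby
Call = Struct.new(:target, :method, :line)

# Constructed sample: three call sites an analyzer might have indexed.
CALLS = [
  Call.new(:Kernel, :system, 10),
  Call.new(nil,     :system, 12),
  Call.new(:IO,     :popen,  20)
].freeze

# Hypothetical shared index. Lookups are memoized, so two checks asking for
# the same method get the very same array object: shared data.
class SharedCallIndex
  def initialize(calls, freeze_results:)
    @calls = calls
    @freeze_results = freeze_results
    @cache = {}
  end

  def find(method:)
    @cache[method] ||= begin
      found = @calls.select { |c| c.method == method }
      @freeze_results ? found.each(&:freeze).freeze : found
    end
  end
end

# The bug pattern: a check edits the shared results in place. Without
# freezing this silently corrupts what every later check (or another
# thread) sees; with freezing it raises FrozenError at the offending line.
def buggy_check(index)
  results = index.find(method: :system)
  results.delete_if { |c| c.target == :Kernel }
  results.size
end

# The safe pattern: derive a new array and leave the shared one untouched.
def safe_check(index)
  index.find(method: :system).count { |c| c.target != :Kernel }
end

# Runs the buggy check, then asks the index again as a second check would.
def run(freeze_results:)
  index = SharedCallIndex.new(CALLS, freeze_results: freeze_results)
  outcome = begin
    buggy_check(index)
  rescue FrozenError
    :frozen_error
  end
  { buggy: outcome, seen_by_next_check: index.find(method: :system).size }
end

if __FILE__ == $PROGRAM_NAME
  p run(freeze_results: false) # {:buggy=>1, :seen_by_next_check=>1}
  p run(freeze_results: true)  # {:buggy=>:frozen_error, :seen_by_next_check=>2}
end
```

Unfrozen, the second lookup returns one :system call instead of two, and nothing signals that anything went wrong. Frozen, the mutation fails immediately at the line that attempted it, which is exactly the kind of silent corruption the 4.8.0 change is meant to turn into a loud error. The sequential run here is deterministic; with real threads the unfrozen variant fails intermittently, as the release notes describe.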


Render Confidence in Markdown

Due to a previous refactoring, confidence levels were not being rendered in Markdown reports. This is fixed in 4.8.0 (#1446).


Report Comparison Fix

Due to a very old bug, when comparing an old report containing warnings against a new report with zero warnings, the old warnings were not reported as fixed. Now they are.

Probably no one noticed, because we generally only care about new warnings.



The SHA256 sums for this release are:

2febb3ce4111fe14f57a8ea447c5770eeb32ba43333955b4ed27864ef045c277  brakeman-4.8.0.gem
c513373a37576d8107af724bf9f8a47e8d76253c85bdd6fdb4d3e93471a47ee6  brakeman-lib-4.8.0.gem
d82206b9a60ef1eb4c96d32ba0157774db301e3ca10dcbdd7b4171044b28eccf  brakeman-min-4.8.0.gem

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.