First release of 2020! This release comes with a brand new report format: JUnit XML.
Changes since 4.7.2:
- Add JUnit XML report format (Naoki Kimurai)
- Sort ignore files by fingerprint and line (Ngan Pham)
- Catch dangerous concatenation in
- User-friendly message when ignore config file has invalid JSON (D. Hicks)
- Freeze call index results, fix thread-safety issue
- Properly render confidence in Markdown report (#1446)
- Report old warnings as fixed if zero warnings reported
JUnit XML Report
Thanks to Naoki Kimura, Brakeman can now generate a JUnit XML format. JUnit XML is produced and consumed by a number of different testing tools, including CircleCI.
Supporting this format makes it possible for Brakeman warnings to be consumed by general test infrastructure tools.
To use the new format, either use
-f junit or
Sort Ignore Files
Warnings in “ignore files” were previously only sorted by fingerprint. Thanks to Ngan Pham they are now sorted by fingerprint then line number, to maintain stable ordering between warnings with the same fingerprint.
Dangerous Concatenation in Commands
Jacob Evelyn has updated the command injection check (
CheckExecute) to also consider string concatenation with dangerous values.
system("ls " + maybe_dangerous)
Fix Thread-safety Issue
Two checks were modifying shared data (call site results), which introduced a race condition.
Sometimes a result would strangely become
nil and cause intermittent errors.
Note this only popped up when using real threads on JRuby.
Now results from the
CallIndex are frozen to help prevent this kind of modification of shared data in the future.
Render Confidence in Markdown
Due to a previous refactoring, confidence levels were not being rendered in Markdown reports.
Report Comparison Fix
Due to a very old bug, when comparing an old report with some warnings to a new report with zero warnings, the old warnings were not reported as fixed. Now they will be.
Probably no one noticed because we generally only care about new warnings.
The SHA256 sums for this release are:
2febb3ce4111fe14f57a8ea447c5770eeb32ba43333955b4ed27864ef045c277 brakeman-4.8.0.gem c513373a37576d8107af724bf9f8a47e8d76253c85bdd6fdb4d3e93471a47ee6 brakeman-lib-4.8.0.gem d82206b9a60ef1eb4c96d32ba0157774db301e3ca10dcbdd7b4171044b28eccf brakeman-min-4.8.0.gem
Thank you to everyone who reported bugs and contributed to this release!