Ruby on Rails Static Analysis Security Tool

Brakeman 5.2.0 Released

Changes since 5.1.2:

  • Initial Rails 7 support (#1653)
  • Add new checks for unsupported Ruby and Rails version
  • Fix issue with calls to foo.root in routes (#1640)
  • Ignore I18n.locale in SQL queries (#1597)
  • Do not treat sanitize_sql_like as safe
  • Bundled version of ruby_parser updated to 3.18.1
  • Require Ruby 2.5.0+ (#1649)

Initial Rails 7 Support

Nothing special here, but the -7 option is available and Brakeman won’t think a Rails 7 app is a Rails 2 app.


New Checks for Unmaintained Software

Brakeman will now warn about use of Ruby or Rails versions which are no longer maintained.

Unlike other warnings, these new checks have a time component and will change as the end-of-life dates approach:

  • 60 days until EOL: Low warning
  • 30 days until EOL: Medium warning
  • EOL+: High warning


Bug Fix in Routes

Calls to something.root will no longer cause Brakeman to freak out.


SQL Injection Updates

I18n.locale is ignored in SQL queries.


sanitize_sql_like is no longer treated as “safe”. It only escapes LIKE-specific characters such as % but does not prevent SQL injection.


Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Gitter for questions and discussion.