This release adds CWE information to reports - the first JSON report change in a long time!
Changes since 5.2.3:
- Add CWE information to warnings (Stephen Aghaulor)
- Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
- Add check for CVE-2022-32209
- Load rexml as a Brakeman dependency
- Fix “full call” information propagating unnecessarily
CWE Information
Thanks to Stephen Aghaulor for taking on the arduous task of adding CWE information to every Brakeman warning type!
CWE information is now available in most report formats. In particular, it is a new field for the JSON report.
Example:
    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 124,
      "fingerprint": "c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d",
      "check_name": "SanitizeConfigCve",
      "message": "rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209)",
      "file": "config/initializers/sanitizers.rb",
      "line": 1,
      "link": "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ",
      "code": "Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"a\", \"style\"]",
      "render_path": null,
      "location": null,
      "user_input": null,
      "confidence": "High",
      "cwe_id": [
        79
      ]
    }
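As an added example (not Brakeman's own code), here is a small Ruby script that consumes the new cwe_id field from a JSON report: it groups warnings by CWE, keeps the strongest confidence seen per CWE, and gates CI on a list of blocked CWE ids. The report fragment is constructed from the warning above plus a made-up warning without cwe_id, which is what a report from a Brakeman version before 5.3.0 looks like; those land in a nil bucket so they stay visible.

```ruby
require 'json'

# Constructed report fragment: the first warning is the one shown in the
# release notes; the second is made up and lacks cwe_id, as a report from an
# older Brakeman would.
SAMPLE_REPORT = <<~JSON
  { "warnings": [
      { "warning_type": "Cross-Site Scripting", "check_name": "SanitizeConfigCve",
        "fingerprint": "c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d",
        "confidence": "High", "cwe_id": [79] },
      { "warning_type": "SQL Injection", "check_name": "SQL",
        "fingerprint": "constructed-fingerprint-0001", "confidence": "Weak" }
  ] }
JSON
# Brakeman's three confidence levels, highest first.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Group warnings by CWE id: count, strongest confidence, and fingerprints.
# Warnings with no cwe_id land in the nil bucket so they are not silently lost.
def summarize_by_cwe(report_json)
  summary = Hash.new { |h, k| h[k] = { count: 0, confidence: nil, fingerprints: [] } }
  JSON.parse(report_json).fetch('warnings', []).each do |w|
    ids = Array(w['cwe_id'])
    ids = [nil] if ids.empty?
    ids.each do |id|
      entry = summary[id]
      entry[:count] += 1
      entry[:fingerprints] << w['fingerprint']
      if CONFIDENCE_RANK.fetch(w['confidence'], 0) > CONFIDENCE_RANK.fetch(entry[:confidence], 0)
        entry[:confidence] = w['confidence']
      end
    end
  end
  summary
end

# CI gate: fingerprints of warnings that hit a blocked CWE at or above the given
# confidence. A warning without cwe_id never matches; check the nil bucket too.
def blocked_fingerprints(report_json, blocked_cwes, min_confidence: 'Medium')
  JSON.parse(report_json).fetch('warnings', []).select do |w|
    (Array(w['cwe_id']) & blocked_cwes).any? &&
      CONFIDENCE_RANK.fetch(w['confidence'], 0) >= CONFIDENCE_RANK.fetch(min_confidence)
  end.map { |w| w['fingerprint'] }
end

if $PROGRAM_NAME == __FILE__
  summarize_by_cwe(SAMPLE_REPORT).each { |cwe, e| puts "CWE-#{cwe || '?'}: #{e[:count]} (#{e[:confidence]})" }
  puts "blocked: #{blocked_fingerprints(SAMPLE_REPORT, [79]).inspect}"
end
```

Run it against a real report produced with `brakeman -f json` by replacing SAMPLE_REPORT with the file contents.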
Explicit Paths in Vendor Directory
By default, Brakeman does not scan any code in the vendor/ directory.
But it was also ignoring any paths in vendor/, even if the user explicitly included them via --add-libs-path or --add-engines-path.
Thanks to Joe Rafaniello, this is now changed to respect the explicit additional paths, even if they reside in vendor/.
CVE-2022-32209
As a reminder, Brakeman does not keep up with every CVE for Rails or other libraries. Use a dependency analysis tool for that!
A check was added for CVE-2022-32209.
If the vulnerable configuration is detected, the warning will be high confidence.
If only the vulnerable version of rails-html-sanitizer is detected, the warning will be weak confidence.
Checksums
The SHA256 sums for this release are:
4fe584ef37c16e1011a0f2db36ebab540fef403ff8e26afed212e2d7ff5a3176 brakeman-5.3.0.gem
1f5caa0bd05fd8ea5b4f5791371dd0911f96d804612c7be986bab3ed0163a8cf brakeman-lib-5.3.0.gem
4a4ccef090c4eb5857140c15fa69ff65167f3eb550f7a0ca555012642aafe7e9 brakeman-min-5.3.0.gem
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Follow @brakeman on Twitter and hang out on GitHub for questions and discussion.