Brakeman

Ruby on Rails Static Analysis Security Tool

Brakeman 5.3.0 Released

This release adds CWE information to reports - the first JSON report change in a long time!

Changes since 5.2.3:

  • Add CWE information to warnings (Stephen Aghaulor)
  • Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
  • Add check for CVE-2022-32209
  • Load rexml as a Brakeman dependency
  • Fix “full call” information propagating unnecessarily

CWE Information

Thanks to Stephen Aghaulor for taking on the arduous task of adding CWE information to every Brakeman warning type!

CWE information is now available in most report formats. In particular, it is a new field for the JSON report.

Example:

    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 124,
      "fingerprint": "c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d",
      "check_name": "SanitizeConfigCve",
      "message": "rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209)",
      "file": "config/initializers/sanitizers.rb",
      "line": 1,
      "link": "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ",
      "code": "Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"a\", \"style\"]",
      "render_path": null,
      "location": null,
      "user_input": null,
      "confidence": "High",
      "cwe_id": [
        79
      ]
    }

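Because cwe_id is now a first-class field, a CI gate can be written against CWE numbers instead of against Brakeman's own warning names. The script below is an added example, not Brakeman's code: it groups the warnings of a JSON report by CWE and picks out those that should block a build. The embedded report is constructed; its first warning copies the post's example, while the SQL injection and command injection entries, including their codes and fingerprints, are made-up sample values, and the last one deliberately omits cwe_id to stand in for a report written by an older Brakeman.

```ruby
require 'json'

# Constructed sample of a Brakeman 5.3.0 JSON report, trimmed to the fields
# this script reads. Only the first warning is taken from the release post.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {
        "warning_type": "Cross-Site Scripting",
        "warning_code": 124,
        "fingerprint": "c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d",
        "check_name": "SanitizeConfigCve",
        "message": "rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209)",
        "file": "config/initializers/sanitizers.rb",
        "line": 1,
        "confidence": "High",
        "cwe_id": [79]
      },
      {
        "warning_type": "SQL Injection",
        "warning_code": 0,
        "fingerprint": "constructed-fingerprint-0001",
        "check_name": "SQL",
        "message": "Possible SQL injection (constructed sample)",
        "file": "app/models/user.rb",
        "line": 12,
        "confidence": "Medium",
        "cwe_id": [89]
      },
      {
        "warning_type": "Command Injection",
        "warning_code": 14,
        "fingerprint": "constructed-fingerprint-0002",
        "check_name": "Execute",
        "message": "Possible command injection (constructed sample, no cwe_id field)",
        "file": "lib/tasks/backup.rake",
        "line": 7,
        "confidence": "Weak"
      }
    ]
  }
JSON

# Brakeman's three confidence levels, ranked so they can be compared.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Group warnings by CWE id. A warning may carry several ids and then appears
# under each of them; warnings with no cwe_id at all go under :unmapped.
def warnings_by_cwe(report_json)
  warnings = JSON.parse(report_json).fetch("warnings", [])
  warnings.each_with_object(Hash.new { |h, k| h[k] = [] }) do |w, groups|
    ids = Array(w["cwe_id"])
    if ids.empty?
      groups[:unmapped] << w
    else
      ids.each { |id| groups[id] << w }
    end
  end
end

# Warnings that should fail a CI gate: any of the given CWE ids reported at or
# above min_confidence. Unmapped warnings can never match a CWE filter, so a
# gate built only on CWEs silently skips them; report :unmapped separately.
def blocking_warnings(report_json, cwe_ids:, min_confidence: "Medium")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  groups = warnings_by_cwe(report_json)
  cwe_ids.flat_map { |id| groups.fetch(id, []) }.uniq.select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold
  end
end

if __FILE__ == $0
  # Usage: ruby cwe_gate.rb [brakeman-report.json]; falls back to the sample.
  report = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  warnings_by_cwe(report).each do |cwe, ws|
    label = cwe == :unmapped ? "no CWE" : "CWE-#{cwe}"
    puts "#{label}: #{ws.map { |w| "#{w['check_name']} #{w['file']}:#{w['line']}" }.join(', ')}"
  end
end
```

The :unmapped bucket is the part worth keeping an eye on: until every check in a given Brakeman version carries a CWE mapping, a gate written purely in terms of CWE ids should also surface the warnings it could not classify.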

Explicit Paths in Vendor Directory

By default, Brakeman does not scan any code in the vendor/ directory.

However, it was also ignoring paths inside vendor/ that the user had explicitly included via --add-libs-path or --add-engines-path.

Thanks to Joe Rafaniello, Brakeman now respects these explicitly added paths, even when they reside in vendor/.


CVE-2022-32209

As a reminder, Brakeman does not keep up with every CVE for Rails or other libraries. Use a dependency analysis tool for that!

A check was added for CVE-2022-32209.

If the vulnerable version of rails-html-sanitizer is detected together with the vulnerable configuration (both `select` and `style` in the allowed tags), the warning is reported with high confidence.

If only the vulnerable version of rails-html-sanitizer is detected, the warning is reported with weak confidence.

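To make the two confidence levels concrete, here is an added example (not Brakeman's own check code) that reproduces the decision: it pulls the allowed_tags list out of an initializer and combines that with the gem version. The two initializer strings are constructed; the first allows both tags named in the advisory, the second does not. Since the post only names 1.4.2 as a vulnerable version, the affected range is not hard-coded but passed in by the caller as a Gem::Requirement, and the "<= 1.4.2" used in the demo is a constructed value for illustration.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement

# Constructed initializer sources standing in for config/initializers/sanitizers.rb.
VULNERABLE_INITIALIZER = 'Rails::Html::SafeListSanitizer.allowed_tags = ["select", "a", "style"]'
HARDENED_INITIALIZER   = 'Rails::Html::SafeListSanitizer.allowed_tags = %w[a p br]'

# The pair of tags that, when both allowed, makes the affected versions
# vulnerable according to the warning message in the post.
CVE_2022_32209_TAGS = %w[select style].freeze

# Extract the allowed_tags list from an initializer. Only the two literal forms
# above are recognised (a quoted array and %w[]); other ways of building the
# list, such as appending to the default set, yield [] here.
def extract_allowed_tags(source)
  m = source.match(/allowed_tags\s*=\s*(?:%w\[([^\]]*)\]|\[([^\]]*)\])/)
  return [] unless m
  return m[1].split if m[1]                 # %w[a p br]
  m[2].scan(/["']([^"']*)["']/).flatten     # ["select", "a", "style"]
end

# Mirror the confidence levels described in the post:
#   "High" - affected gem version and both select and style allowed
#   "Weak" - affected gem version only
#   nil    - version not affected, so no warning at all
def sanitizer_cve_confidence(version:, allowed_tags:, affected:)
  return nil unless affected.satisfied_by?(Gem::Version.new(version))
  tags = allowed_tags.map(&:to_s)
  CVE_2022_32209_TAGS.all? { |t| tags.include?(t) } ? "High" : "Weak"
end

if __FILE__ == $0
  affected = Gem::Requirement.new("<= 1.4.2") # constructed range for the demo
  [VULNERABLE_INITIALIZER, HARDENED_INITIALIZER].each do |src|
    tags = extract_allowed_tags(src)
    conf = sanitizer_cve_confidence(version: "1.4.2", allowed_tags: tags, affected: affected)
    puts "allowed_tags=#{tags.inspect} -> #{conf.inspect}"
  end
end
```

Removing either select or style from the allowed list downgrades the finding to weak confidence, but the weak warning stays until the gem itself is upgraded, which is the actual fix.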

Checksums

The SHA256 sums for this release are:

4fe584ef37c16e1011a0f2db36ebab540fef403ff8e26afed212e2d7ff5a3176  brakeman-5.3.0.gem
1f5caa0bd05fd8ea5b4f5791371dd0911f96d804612c7be986bab3ed0163a8cf  brakeman-lib-5.3.0.gem
4a4ccef090c4eb5857140c15fa69ff65167f3eb550f7a0ca555012642aafe7e9  brakeman-min-5.3.0.gem
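The sums above are only useful if something actually compares them before the gem is installed. The following added script (not part of Brakeman) parses the published list in the sha256sum layout and checks downloaded gem files against it, refusing anything that is missing from the list or does not match.

```ruby
require 'digest'

# Published SHA256 sums for the 5.3.0 gems, copied from the release post in the
# "HEX  FILENAME" layout that sha256sum emits.
PUBLISHED_SUMS_5_3_0 = <<~SUMS
  4fe584ef37c16e1011a0f2db36ebab540fef403ff8e26afed212e2d7ff5a3176  brakeman-5.3.0.gem
  1f5caa0bd05fd8ea5b4f5791371dd0911f96d804612c7be986bab3ed0163a8cf  brakeman-lib-5.3.0.gem
  4a4ccef090c4eb5857140c15fa69ff65167f3eb550f7a0ca555012642aafe7e9  brakeman-min-5.3.0.gem
SUMS

# Parse sha256sum-style lines into { "filename" => "hex" }; blank lines are skipped.
def parse_sums(text)
  text.each_line.with_object({}) do |line, sums|
    hex, name = line.strip.split(/\s+/, 2)
    next if hex.nil? || name.nil?
    sums[name] = hex.downcase
  end
end

# Compare a downloaded file against the published sum for its basename.
# Returns :ok, :mismatch, or :unlisted (no published sum for that name), so a
# caller can refuse to `gem install` anything that is not :ok.
def verify_gem(path, sums)
  expected = sums[File.basename(path)]
  return :unlisted unless expected
  actual = Digest::SHA256.file(path).hexdigest
  actual == expected ? :ok : :mismatch
end

if __FILE__ == $0
  # Usage: ruby verify_brakeman.rb brakeman-5.3.0.gem [more .gem files]
  sums = parse_sums(PUBLISHED_SUMS_5_3_0)
  ARGV.each { |path| puts "#{verify_gem(path, sums)}\t#{path}" }
end
```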

Reporting Issues

Thank you to everyone who reported bugs and contributed to this release!

Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.

Follow @brakeman on Twitter and hang out on Github for questions and discussion.