Changes since 5.2.3:
- Add CWE information to warnings (Stephen Aghaulor)
- Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
- Add check for CVE-2022-32209
- Load rexml as a Brakeman dependency
- Fix “full call” information propagating unnecessarily
This release adds CWE information to reports - the first JSON report change in a long time!
CWE Information
Thanks to Stephen Aghaulor for taking on the arduous task of adding CWE information to every Brakeman warning type!
CWE information is now available in most report formats. In particular, it is a new field for the JSON report.
Example:
{
  "warning_type": "Cross-Site Scripting",
  "warning_code": 124,
  "fingerprint": "c2cc471a99036432e03d83e893fe748c2b1d5c40a39e776475faf088717af97d",
  "check_name": "SanitizeConfigCve",
  "message": "rails-html-sanitizer 1.4.2 is vulnerable to cross-site scripting when `select` and `style` tags are allowed (CVE-2022-32209)",
  "file": "config/initializers/sanitizers.rb",
  "line": 1,
  "link": "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s/m/S0fJfnkmBAAJ",
  "code": "Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"a\", \"style\"]",
  "render_path": null,
  "location": null,
  "user_input": null,
  "confidence": "High",
  "cwe_id": [
    79
  ]
}
Explicit Paths in Vendor Directory
By default, Brakeman does not scan any code in the vendor/ directory.
But it was also ignoring any paths in vendor/, even if the user explicitly included them via --add-libs-path or --add-engines-path.
Thanks to Joe Rafaniello, this is now changed to respect the explicit additional paths, even if they reside in vendor/.
CVE-2022-32209
As a reminder, Brakeman does not keep up with every CVE for Rails or other libraries. Use a dependency analysis tool for that!
A check was added for CVE-2022-32209.
If the vulnerable configuration is detected, the warning will be high confidence.
If only the vulnerable version of rails-html-sanitizer is detected, the warning will be weak confidence.
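The two-tier confidence described above is the interesting part of the check: the gem version alone only says the code path exists, while the allowed_tags configuration says it is actually reachable. The following is an added example written for this post, not Brakeman's SanitizeConfigCve check, showing the same decision on constructed inputs. It assumes the fix shipped in rails-html-sanitizer 1.4.3 and only recognises a literal array assigned to Rails::Html::SafeListSanitizer.allowed_tags, as in the report snippet earlier on this page.

```ruby
# Constructed inputs (not from a real application): a Gemfile.lock excerpt
# pinning the vulnerable gem, and the initializer shown in the release notes.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails-html-sanitizer (1.4.2)
        loofah (~> 2.3)
LOCK

SAMPLE_INITIALIZER = <<~RUBY
  Rails::Html::SafeListSanitizer.allowed_tags = ["select", "a", "style"]
RUBY

# First release of rails-html-sanitizer that addressed CVE-2022-32209.
FIXED_VERSION = Gem::Version.new("1.4.3")

# Locked version of rails-html-sanitizer, or nil if the gem is not present.
def sanitizer_version(lockfile)
  m = lockfile.match(/^\s*rails-html-sanitizer \(([\d.]+)\)/)
  m && Gem::Version.new(m[1])
end

# Tag names from a literal array assigned to allowed_tags. Accepts string
# and symbol literals; anything computed at runtime is not recognised.
def allowed_tags(source)
  m = source.match(/SafeListSanitizer\.allowed_tags\s*=\s*\[([^\]]*)\]/m)
  return [] unless m
  m[1].scan(/["':]([A-Za-z0-9_-]+)/).flatten
end

# Returns a warning hash, or nil when the gem is absent or already fixed.
# Both `select` and `style` allowed together is the exploitable combination,
# so that configuration is reported with High confidence; a vulnerable
# version with no such configuration is reported as Weak.
def check_cve_2022_32209(lockfile, initializer_source)
  version = sanitizer_version(lockfile)
  return nil if version.nil? || version >= FIXED_VERSION

  tags = allowed_tags(initializer_source)
  exploitable = tags.include?("select") && tags.include?("style")

  {
    "warning_type" => "Cross-Site Scripting",
    "check_name"   => "SanitizeConfigCve",
    "message"      => "rails-html-sanitizer #{version} is vulnerable to " \
                      "cross-site scripting when `select` and `style` tags " \
                      "are allowed (CVE-2022-32209)",
    "confidence"   => exploitable ? "High" : "Weak",
    "cwe_id"       => [79]
  }
end

if __FILE__ == $PROGRAM_NAME
  warning = check_cve_2022_32209(SAMPLE_LOCK, SAMPLE_INITIALIZER)
  puts warning ? "#{warning['confidence']}: #{warning['message']}" : "not affected"
end
```

The ordering matters for noise: checking the version first means a patched application gets no warning even if its initializer still lists both tags, and the configuration only upgrades an existing version finding rather than producing one on its own.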
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.