Changes since 7.1.2:
- Complete revamp of scan progress output and logging
- --skip-libs removed (#1839)
- --index-libs removed
- Fix qualified constant lookup to respect module/class context (Mike Dalessio)
- Fix singleton method prefixes (viralpraxis)
- Faster file globbing for templates (Mikael Henriksson)
- No longer produce weak dynamic render path warnings
- Replace Erubis with Erubi (#1970)
New Scanner Progress Output
How Brakeman outputs scan progress has been completely updated!
Hopefully this feels more modern and less cluttered.
Don’t like the colors? --no-color will switch Brakeman to black-and-white (or whatever your terminal shows) output.
Don’t like the animation? --no-progress will switch Brakeman to a simplified output.
(Note that --no-progress has always been recommended if the output is going somewhere that acts like a terminal but really isn’t, like CI logs.)
Other logging has also been improved. --timing is now similar to --no-progress, but of course with information about elapsed time.
--debug continues to dump tons of information, but with some improved colors.
There may be bugs lurking, as this was a large code/behavior change. Please report any issues!
(changes)
Removed Options
--skip-libs and --index-libs have been removed as options.
As noted in , --skip-libs has been completely broken for a while. The original intent was to make it easy to skip the lib/ directory, back when it wasn’t as valuable to Brakeman. Now, however, Brakeman ingests (almost) all Ruby files and sorts them out based on content rather than paths.
To have Brakeman skip specific directories, use --skip-files instead.
--index-libs was introduced mainly for --no-index-libs, which I’m sure no one ever used.
(changes)
Improved Constant Lookups
Thanks to Mike Dalessio, Brakeman now stores and uses more context for constants. This makes it more likely that it will find the right constant when trying to resolve constant values.
This is huge! Previously, Brakeman would mix up constants with the same name in different contexts and ignore any scoping.
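To make the scoping problem concrete, here is an added illustration (not Brakeman’s own code, and a simplification of its real constant tracking): a small table of fully qualified constants, a resolver that walks outward through the enclosing modules the way Ruby’s lexical lookup does, and a naive “match on the bare name” lookup of the kind that mixes up same-named constants. The namespace contents, module names and values are all constructed; ancestor-chain lookup (superclasses, Object) is deliberately left out.

```ruby
# Constructed namespace: fully qualified name => value, or :module for a
# module/class that can enclose other constants. This stands in for what a
# scanner records while walking class and module definitions.
NAMESPACE = {
  "Admin"                 => :module,
  "Admin::Reports"        => :module,
  "Public"                => :module,
  "TABLE"                 => "posts",
  "Admin::TABLE"          => "admin_posts",
  "Admin::Reports::LIMIT" => 50,
  "LIMIT"                 => 10,
}.freeze

# Lexical lookup of an unqualified name: try the innermost enclosing module
# first (Admin::Reports::NAME), then each outer one, then the top level.
# Returns the fully qualified key that was found, or nil.
def lookup_key(nesting, name)
  nesting.size.downto(0) do |depth|
    key = (nesting.first(depth) + [name]).join("::")
    return key if NAMESPACE.key?(key)
  end
  nil
end

# Resolve a possibly qualified reference such as "Admin::TABLE" from inside
# the given module nesting (e.g. ["Admin", "Reports"]). Only the first
# segment is looked up lexically; the remaining segments are walked relative
# to it, which is how Ruby treats A::B.
def resolve(nesting, reference)
  head, *rest = reference.split("::")
  key = lookup_key(nesting, head)
  return nil unless key
  rest.each do |segment|
    key = "#{key}::#{segment}"
    return nil unless NAMESPACE.key?(key)
  end
  NAMESPACE[key]
end

# Context-free lookup for contrast: take the first constant whose last
# segment matches, ignoring where the reference appears.
def naive_resolve(name)
  _, value = NAMESPACE.find { |key, _| key.split("::").last == name }
  value
end

if $PROGRAM_NAME == __FILE__
  puts resolve(%w[Admin Reports], "TABLE")   # admin_posts
  puts resolve(%w[Public], "TABLE")          # posts
  puts naive_resolve("TABLE")                # posts, wrong inside Admin
end
```

The difference matters for a scanner because resolved constant values feed later checks (for example whether an SQL fragment or a file path is built only from literals): picking `posts` when the code inside `Admin::Reports` actually sees `admin_posts` produces both false positives and false negatives.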
(changes)
Singleton Method Prefixes
Ever seen Brakeman output like s(:self).my_cool_method? This has been a known problem with methods defined as def self.my_cool_method (or more unusually def MyClass.my_cool_method) for a long time. But viralpraxis fixed it up!
Unfortunately, this will very likely impact ignored fingerprints if such a method is involved in a warning. But it’s worth it for cleanup (also hey it’s a major version upgrade!)
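As an added example (not Brakeman’s code, which uses ruby_parser sexps rather than Ripper), the snippet below shows what the fix is about: pulling the receiver and method name out of a parsed `def self.foo` / `def MyClass.foo` so that the name is reported as written, `self.foo` or `MyClass.foo`, instead of leaking an `s(:self)` fragment. The sample source and the class name `Report` are constructed.

```ruby
require "ripper"

# Constructed sample: both spellings of a singleton method, plus an
# ordinary instance method that must not be reported.
SAMPLE_SOURCE = <<~RUBY
  class Report
    def self.build_csv; end
    def Report.export; end
    def row_count; end
  end
RUBY

# Depth-first search for the first token leaf in a Ripper subtree. Token
# leaves look like [:@kw, "self", [line, col]] or [:@const, "Report", ...];
# the second element is the text as written in the source.
def first_token(node)
  return nil unless node.is_a?(Array)
  return node[1] if node[0].is_a?(Symbol) && node[0].to_s.start_with?("@")
  node.each do |child|
    found = first_token(child)
    return found if found
  end
  nil
end

# Collect "Receiver.method" for every singleton definition (:defs node) in
# the source. A :defs node is [:defs, receiver, period, name, params, body];
# the receiver is rendered from its own token rather than as a sexp.
def singleton_method_names(source)
  names = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    if node[0] == :defs
      receiver = first_token(node[1])
      method   = first_token(node[3])
      names << "#{receiver}.#{method}"
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(source))
  names
end

puts singleton_method_names(SAMPLE_SOURCE).inspect if $PROGRAM_NAME == __FILE__
```

Because the method name is part of what identifies a warning, a change in how it is rendered is exactly why existing ignore-file fingerprints for such methods stop matching after this fix.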
(changes)
Faster File Collection for Templates
Mikael Henriksson noticed the faster file search in Brakeman 7.1.1 didn’t apply to template files.
He fixed that up so Brakeman should be nice and speedy on macOS.
(changes)
No More Weak Dynamic Render Path Warnings
Dynamic render paths (allowing user input to influence which template file is rendered) have been the source of many false positives, and they have become quite a bit harder to exploit because of how and where Rails searches for matching templates.
Most false positives were from low confidence warnings about method calls that might have included user input somewhere in their arguments.
This release drops any dynamic render path warnings that were low confidence. It’s still best not to allow direct manipulation of which templates are rendered.
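For reference, an added example (not from the release or from Brakeman) of the shape that still deserves attention next to its hardened form: the first function lets a request parameter become the template name outright, the second only uses the parameter to pick from a fixed allowlist and fails closed on anything else. `ALLOWED_PAGES`, the `pages/` prefix and the `not_found` fallback are constructed for the example.

```ruby
# Constructed allowlist of static pages a controller may render.
ALLOWED_PAGES = %w[about terms privacy].freeze

# Weak dynamic render path: the caller's parameter is the template name, so
# the caller decides which file is looked up. This is the pattern the
# (remaining, higher-confidence) warning is about.
def template_path_unsafe(page_param)
  "pages/#{page_param}"
end

# Hardened form: the parameter is only compared against fixed names and is
# never interpolated unless it matches one of them. Missing, unknown and
# path-like values all land on the same known template.
def template_path_safe(page_param)
  page = page_param.to_s
  ALLOWED_PAGES.include?(page) ? "pages/#{page}" : "pages/not_found"
end

if $PROGRAM_NAME == __FILE__
  puts template_path_unsafe("../layouts/admin")  # caller-controlled path
  puts template_path_safe("../layouts/admin")    # pages/not_found
end
```

In a Rails controller the safe function would be the only thing passed to `render`; the allowlist check is what makes the render target a literal again from the scanner’s point of view.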
(changes)
Erubis Replaced with Erubi
Rails swapped Erubis for Erubi back in the 5.1 release. Functionally, from Brakeman’s point of view, it does not make a big difference and was not worth the effort to change.
However, Erubis hasn’t been touched since 2011. Time to catch up with the modern world.
The main side-effect of swapping to Erubi appears to be more accurate line numbers, which is great! Everything else should be the same.
(changes)
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.