Changes since 8.0.2:
- Add release age option for --ensure-latest (#1989)
- Fix polymorphic_name SQLi false positive (Fredrico Franco)
- Fix logger behavior when loading config files (#2009)
- Handle application names with module prefixes (#2011)
Add Age Option for Latest Release
When using --ensure-latest, you can now specify a minimum age (in days) for the latest release. The intent is to protect against supply chain attacks in case the Brakeman gems are compromised.
For example, --ensure-latest 10 will only return a non-zero exit code if the latest version of Brakeman is at least 10 days old.
Note that for performance reasons Brakeman only checks the latest version; it will not look for a less recent version that meets the age requirement.
This means you may miss versions if releases are too close together.
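As an added illustration (not Brakeman's own implementation), the following models the age check described above against a constructed release list, and also shows the caveat: a release that already satisfies the age requirement is skipped when a newer, younger release exists. The release dates and versions here are made up, and the function names are this example's own.

```ruby
require 'date'
require 'rubygems' # for Gem::Version comparison

# Constructed sample release history (not real Brakeman release data).
RELEASES = [
  { version: '8.0.2', released: Date.new(2025, 1, 1) },
  { version: '8.0.3', released: Date.new(2025, 1, 5) },
  { version: '8.0.4', released: Date.new(2025, 1, 22) },
].freeze

# Newest release by date: mirrors "Brakeman only checks the latest version".
def latest_release(releases)
  releases.max_by { |r| r[:released] }
end

# Exit code the modelled check would produce:
#   0 - running version is already the latest, or the latest release is
#       younger than min_age_days (it is not yet trusted)
#   1 - the latest release is at least min_age_days old and newer than
#       the running version
def ensure_latest_exit_code(running_version, releases, min_age_days, today)
  latest = latest_release(releases)
  return 0 if Gem::Version.new(running_version) >= Gem::Version.new(latest[:version])

  age_days = (today - latest[:released]).to_i
  age_days >= min_age_days ? 1 : 0
end

# Releases newer than running_version that already meet the age requirement
# but are not the latest: these are the versions a 0 exit code can hide.
def missed_releases(running_version, releases, min_age_days, today)
  latest = latest_release(releases)
  releases.select do |r|
    Gem::Version.new(r[:version]) > Gem::Version.new(running_version) &&
      r != latest && (today - r[:released]).to_i >= min_age_days
  end.map { |r| r[:version] }
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2025, 1, 25)
  puts "exit code: #{ensure_latest_exit_code('8.0.2', RELEASES, 10, today)}"
  puts "missed: #{missed_releases('8.0.2', RELEASES, 10, today).inspect}"
end
```

With the constructed dates, on 2025-01-25 the latest release (8.0.4) is only 3 days old, so the check passes even though 8.0.3 is 20 days old and newer than the running 8.0.2.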
Ignore polymorphic_name in SQL
Fredrico Franco fixed a false positive where Brakeman would erroneously warn about polymorphic_name in SQL queries.
Fix Another Disappearing Cursor Issue
Fixed an issue where setting --quiet and loading a configuration file would cause the terminal cursor to not be restored when Brakeman exits.
Application Names with Module Prefixes
Brakeman will now correctly pick up configurations where the application is defined as
class MyApp::Application < Rails::Application
  # ...
end
instead of
module MyApp
  class Application < Rails::Application
    # ...
  end
end
Checksums
The SHA256 sums for this release are:
Reporting Issues
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.