Ruby on Rails Static Analysis Security Tool

Frequently Asked Questions

Brakeman hangs while processing my app. What do I do?

Sorry about that! Please follow these instructions.

Brakeman is reporting parsing errors, but my app runs fine. What’s going on?

Brakeman relies on ruby_parser for parsing Ruby code. Support for Ruby 1.9 syntax is still in development, so Brakeman cannot handle all the new 1.9 syntax changes. Unfortunately, the next version of ruby_parser (3.0) makes some large, incompatible changes which will also require major changes in Brakeman.

By the way, sometimes there are actual syntax errors! This can happen in code which is no longer used by the application.

Please follow these instructions to find out what went wrong.

What is the number in parentheses (red in HTML) in the report summary?

That number indicates how many high confidence warnings were found.

Why are line numbers reported wrong?

Line numbers are sometimes off. This can be due to the parser reporting the wrong line number, or occasionally there is a bug in Brakeman.

However, it is important to note that the line number reported is where the vulnerability was found, not necessarily where it was introduced. For example, if a SQL query uses string interpolation which was assigned to a variable, the line with the query will be reported, not where the string is constructed.

Why is the context so different from the code shown in the warning?

The code in the warning is what is seen by Brakeman, while the code in the context is pulled directly from the original file. These can be different, as Brakeman propagates variables and performs other transformations on the code.

What is an “Unresolved Model”?

“Unresolved Model” is a placeholder used when it is clear that a model is being used at that location, but there is no way to know which model it is.

Why is a variable shown as “” when it clearly is not?

Records from a model will be sometimes displayed this way.

For example, if User is a model and there is an action like

class UsersController

  def list
    @users = User.all


and a corresponding view containing

<% @users.each do |user| %>
  <%= %>
<% end %>

This will produce a warning (in Rails 2.x) that looks like

Unescaped model attribute near line 3:

Brakeman reports 0 warnings. Am I safe?

No. It just means Brakeman didn’t find any problems. There may be vulnerabilities Brakeman does not test for or did not discover. No security tool has 100% coverage.

More documentation