Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.
The 3.0.0 release introduces some backwards-incompatible changes. This release will very likely change many reports, including the fingerprints of existing warnings.
Changes since 2.6.3:
- --exit-on-warn with --compare now returns an error exit code only when there are new warnings
- Sort warnings by fingerprint in JSON report
- CVEs report correct line and file name (Gemfile/Gemfile.lock)
- Change --separate-models to be the default
- Local variables are no longer formatted as (local var)
- Actually skip skipped before filters
- Remove “fake filters” from warning fingerprints
- Index calls in lib/ files
- Handle symmetric multiple assignment
- Do not branch for self attribute assignment x = x.y (#552)
- Move Symbol DoS to optional checks
- Add check for cross site scripting via inline renders
- Add check for CVE-2014-7829
- Fix parsing of <%== in ERB
- Fix output format of command interpolation
- Fix CVE for CVE-2011-2932
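The new cross-site scripting check for inline renders (listed above) looks for render inline: calls whose template is assembled from untrusted input, since the template string itself is evaluated as ERB and any interpolated value bypasses escaping. The following is an added example, not Brakeman's own implementation: a small Ripper-based scanner that flags render inline: calls whose template is not a plain string literal (it contains #{} interpolation or is a variable or method call), and leaves alone the safe pattern of a static template with user data passed through locals:. The controller source it scans is constructed for this example; Brakeman's real check additionally tracks where values flow from, which this toy does not.

```ruby
require "ripper"

# Constructed sample controller (not from Brakeman or any real app).
# Single-quoted heredoc keeps the #{...} in the source literal.
SAMPLE = <<~'RUBY'
  class PagesController < ApplicationController
    def unsafe
      render inline: "<h1>Hello #{params[:name]}</h1>"
    end

    def safe
      render inline: "<h1>Hello <%= name %></h1>", locals: { name: params[:name] }
    end

    def static
      render inline: "<h1>Hello world</h1>"
    end

    def from_variable
      template = params[:tpl]
      render(inline: template)
    end
  end
RUBY

# Depth-first walk over a Ripper S-expression, yielding every tagged node.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# True for a receiver-less `render ...` or `render(...)` call node.
def render_call?(node)
  case node.first
  when :command
    node[1].is_a?(Array) && node[1][0] == :@ident && node[1][1] == "render"
  when :method_add_arg
    f = node[1]
    f.is_a?(Array) && f[0] == :fcall && f[1][0] == :@ident && f[1][1] == "render"
  else
    false
  end
end

# Source line of the `render` identifier inside a render call node.
def render_line(node)
  ident = node[0] == :command ? node[1] : node[1][1]
  ident[2][0]
end

# The value node paired with the `inline:` label, or nil if absent.
def inline_value(call_node)
  each_node(call_node) do |n|
    if n[0] == :assoc_new && n[1].is_a?(Array) && n[1][0] == :@label && n[1][1] == "inline:"
      return n[2]
    end
  end
  nil
end

# A template is dynamic if it is not a string literal at all (variable,
# method call, ...) or if the literal contains #{} interpolation.
def dynamic?(value)
  return true unless value[0] == :string_literal
  each_node(value) { |n| return true if n[0] == :string_embexpr }
  false
end

# Returns one hash per `render inline:` call: { line:, dynamic: }.
def scan_inline_renders(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" unless sexp
  findings = []
  each_node(sexp) do |node|
    next unless render_call?(node)
    value = inline_value(node)
    next if value.nil?
    findings << { line: render_line(node), dynamic: dynamic?(value) }
  end
  findings
end

# Lines that would be reported as possible XSS via inline render.
def flagged_lines(source)
  scan_inline_renders(source).select { |f| f[:dynamic] }.map { |f| f[:line] }
end

if $PROGRAM_NAME == __FILE__
  flagged_lines(SAMPLE).each do |line|
    puts "possible XSS: dynamic template passed to render inline: at line #{line}"
  end
end
```

Run it as a script to print the flagged lines of the constructed controller; the safe and static actions produce no finding because their template strings are literals without interpolation.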