Skip to content

Bump brakeman from 4.7.2 to 5.0.0

NipaNipa requested to merge dependabot/bundler/brakeman-5.0.0 into master

Bumps brakeman from 4.7.2 to 5.0.0.

Release notes

Sourced from brakeman's releases.

5.0.0

  • Scan (almost) all Ruby files in project
  • Revamp CSV report to a CSV list of warnings
  • Add Sonarqube report format (Adam England)
  • Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
  • Add check for potential HTTP verb confusion (#1432)
  • Add --[no-]skip-vendor option
  • Ignore uuid as a safe attribute
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Collapse __send__ calls
  • Set Rails configuration defaults based on load_defaults version
  • Update Ruby requirement to version 2.4.0
  • Suggest using --force if no Rails application is detected

5.0.0.pre1

  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project
  • Add support for Haml 5.2.0

4.10.1

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths (#1536)
  • Ensure RubyParser is passed file path as a String (#1534)
  • Support new Haml 5.2.0 escaping method (#1517)

4.10.0

4.9.1

  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Check chomped strings for SQL injection (#1509)
  • Always set line number for joined arrays (#1499)
  • Avoid warning about missing attr_accessible if protected_attributes gem is used (#1512)
  • Bundle latest ruby_parser (4.15.0)

4.9.0

  • Add --ensure-ignore-notes (Eli Block)
  • Add check for user input in ERB.new (Matt Hickman)
  • Add check for CVE-2020-8166 (Jamie Finnigan)
  • Always scan environment.rb
  • Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
  • Do not warn about mass assignment with params.permit!.slice
  • Ignore params.permit! in path helpers
  • Treat Dir.glob as safe source of values in guards
... (truncated)
Changelog

Sourced from brakeman's changelog.

5.0.0 - 2021-01-26

  • Ignore uuid as a safe attribute
  • Collapse __send__ calls
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Revamp CSV report to a CSV list of warnings
  • Set Rails configuration defaults based on load_defaults version
  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project

4.10.1 - 2020-12-24

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths
  • Ensure RubyParser is passed file path as a String
  • Support new Haml 5.2.0 escaping method

5.0.0.pre1 - 2020-11-17

  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project
  • Add support for Haml 5.2.0

4.10.0 - 2020-09-28

  • Add SARIF report format (Steve Winton)

4.9.1 - 2020-09-04

  • Check chomped strings for SQL injection
  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Always set line number for joined arrays
  • Avoid warning about missing attr_accessible if protected_attributes gem is used

4.9.0 - 2020-08-04

  • Add check for CVE-2020-8166 (Jamie Finnigan)
  • Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
  • Add check for user input in ERB.new (Matt Hickman)
  • Add --ensure-ignore-notes (Eli Block)
... (truncated)
Commits

Merge request reports