Bump brakeman from 4.7.2 to 5.0.0
Bumps brakeman from 4.7.2 to 5.0.0.
Release notes
Sourced from brakeman's releases.
5.0.0
- Scan (almost) all Ruby files in project
- Revamp CSV report to a CSV list of warnings
- Add Sonarqube report format (Adam England)
- Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
- Add check for potential HTTP verb confusion (#1432)
- Add `--[no-]skip-vendor` option
- Ignore `uuid` as a safe attribute
- Ignore `Tempfile#path` in shell commands
- Ignore development environment
- Collapse `__send__` calls
- Set Rails configuration defaults based on `load_defaults` version
- Update Ruby requirement to version 2.4.0
- Suggest using `--force` if no Rails application is detected

5.0.0.pre1
- Add check for (more) unsafe method reflection
- Suggest using `--force` if no Rails application is detected
- Add Sonarqube report format (Adam England)
- Add check for potential HTTP verb confusion
- Add `--[no-]skip-vendor` option
- Scan (almost) all Ruby files in project
- Add support for Haml 5.2.0

4.10.1
- Declare REXML as a dependency (Ruby 3.0 compatibility)
- Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
- Prevent render loops when template names are absolute paths (#1536)
- Ensure RubyParser is passed file path as a String (#1534)
- Support new Haml 5.2.0 escaping method (#1517)

4.10.0
- Add SARIF report format (Steve Winton)

4.9.1
- Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
- Check `chomp`ed strings for SQL injection (#1509)
- Always set line number for joined arrays (#1499)
- Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used (#1512)
- Bundle latest ruby_parser (4.15.0)

4.9.0
... (truncated)
- Add `--ensure-ignore-notes` (Eli Block)
- Add check for user input in `ERB.new` (Matt Hickman)
- Add check for CVE-2020-8166 (Jamie Finnigan)
- Always scan `environment.rb`
- Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
- Do not warn about mass assignment with `params.permit!.slice`
- Ignore `params.permit!` in path helpers
- Treat `Dir.glob` as safe source of values in guards

Changelog
Sourced from brakeman's changelog.
5.0.0 - 2021-01-26
- Ignore `uuid` as a safe attribute
- Collapse `__send__` calls
- Ignore `Tempfile#path` in shell commands
- Ignore development environment
- Revamp CSV report to a CSV list of warnings
- Set Rails configuration defaults based on `load_defaults` version
- Add check for (more) unsafe method reflection
- Suggest using `--force` if no Rails application is detected
- Add Sonarqube report format (Adam England)
- Add check for potential HTTP verb confusion
- Add `--[no-]skip-vendor` option
- Scan (almost) all Ruby files in project

4.10.1 - 2020-12-24
- Declare REXML as a dependency (Ruby 3.0 compatibility)
- Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
- Prevent render loops when template names are absolute paths
- Ensure RubyParser is passed file path as a String
- Support new Haml 5.2.0 escaping method

5.0.0.pre1 - 2020-11-17
- Add check for (more) unsafe method reflection
- Suggest using `--force` if no Rails application is detected
- Add Sonarqube report format (Adam England)
- Add check for potential HTTP verb confusion
- Add `--[no-]skip-vendor` option
- Scan (almost) all Ruby files in project
- Add support for Haml 5.2.0

4.10.0 - 2020-09-28
- Add SARIF report format (Steve Winton)

4.9.1 - 2020-09-04
- Check `chomp`ed strings for SQL injection
- Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
- Always set line number for joined arrays
- Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used

4.9.0 - 2020-08-04
... (truncated)
- Add check for CVE-2020-8166 (Jamie Finnigan)
- Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
- Add check for user input in `ERB.new` (Matt Hickman)
- Add `--ensure-ignore-notes` (Eli Block)

Commits
- 09b66b5 Bump to 5.0.0
- bceb7d2 Update CHANGES
- 09b299f Merge pull request #1553 from presidentbeef/uuid_safe
- 6d39f33 Treat UUIDs as safe values
- 26865c7 Merge pull request #1551 from presidentbeef/collapse__send__
- 85a9e76 Collapse send calls
- fda51be Tweak --force suggestion
- e2b25eb Update CHANGES
- 3fccde7 Merge pull request #1544 from presidentbeef/temp_file_path_in_command_injection
- 980de69 Ignore Tempfile paths in command injection
- Additional commits viewable in compare view