Bump brakeman from 4.7.2 to 5.0.1
Bumps brakeman from 4.7.2 to 5.0.1.
Release notes
Sourced from brakeman's releases.
5.0.0
- Scan (almost) all Ruby files in project
- Revamp CSV report to a CSV list of warnings
- Add Sonarqube report format (Adam England)
- Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
- Add check for potential HTTP verb confusion (#1432)
- Add `--[no-]skip-vendor` option
- Ignore `uuid` as a safe attribute
- Ignore `Tempfile#path` in shell commands
- Ignore development environment
- Collapse `__send__` calls
- Set Rails configuration defaults based on `load_defaults` version
- Update Ruby requirement to version 2.4.0
- Suggest using `--force` if no Rails application is detected

5.0.0.pre1
- Add check for (more) unsafe method reflection
- Suggest using `--force` if no Rails application is detected
- Add Sonarqube report format (Adam England)
- Add check for potential HTTP verb confusion
- Add `--[no-]skip-vendor` option
- Scan (almost) all Ruby files in project
- Add support for Haml 5.2.0

4.10.1
- Declare REXML as a dependency (Ruby 3.0 compatibility)
- Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
- Prevent render loops when template names are absolute paths (#1536)
- Ensure RubyParser is passed file path as a String (#1534)
- Support new Haml 5.2.0 escaping method (#1517)

4.10.0
- Add SARIF report format (Steve Winton)

4.9.1
- Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
- Check `chomp`ed strings for SQL injection (#1509)
- Always set line number for joined arrays (#1499)
- Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used (#1512)
- Bundle latest ruby_parser (4.15.0)

4.9.0
... (truncated)
- Add `--ensure-ignore-notes` (Eli Block)
- Add check for user input in `ERB.new` (Matt Hickman)
- Add check for CVE-2020-8166 (Jamie Finnigan)
- Always scan `environment.rb`
- Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
- Do not warn about mass assignment with `params.permit!.slice`
- Ignore `params.permit!` in path helpers
- Treat `Dir.glob` as safe source of values in guards
Changelog
Sourced from brakeman's changelog.
5.0.1 - 2021-04-27
- Detect `::Rails.application.configure` too
- Set more line numbers on Sexps
- Support loading `slim/smart`
- Don't fail if `HOME`/`USER` are not defined
- Always ignore slice/only calls for mass assignment
- Convert splat array arguments to arguments

5.0.0 - 2021-01-26
- Ignore `uuid` as a safe attribute
- Collapse `__send__` calls
- Ignore `Tempfile#path` in shell commands
- Ignore development environment
- Revamp CSV report to a CSV list of warnings
- Set Rails configuration defaults based on `load_defaults` version
- Add check for (more) unsafe method reflection
- Suggest using `--force` if no Rails application is detected
- Add Sonarqube report format (Adam England)
- Add check for potential HTTP verb confusion
- Add `--[no-]skip-vendor` option
- Scan (almost) all Ruby files in project

4.10.1 - 2020-12-24
- Declare REXML as a dependency (Ruby 3.0 compatibility)
- Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
- Prevent render loops when template names are absolute paths
- Ensure RubyParser is passed file path as a String
- Support new Haml 5.2.0 escaping method

5.0.0.pre1 - 2020-11-17
- Add check for (more) unsafe method reflection
- Suggest using `--force` if no Rails application is detected
- Add Sonarqube report format (Adam England)
- Add check for potential HTTP verb confusion
- Add `--[no-]skip-vendor` option
- Scan (almost) all Ruby files in project
- Add support for Haml 5.2.0

4.10.0 - 2020-09-28
- Add SARIF report format (Steve Winton)

4.9.1 - 2020-09-04
... (truncated)
- Check `chomp`ed strings for SQL injection
- Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
Commits
- `6b1eb67` Bump to 5.0.1
- `d1275bb` Update CHANGES
- `b470c33` Merge pull request #1585 from presidentbeef/colon_colon_rails
- `035a18c` Merge branch 'main' into colon_colon_rails
- `767333a` Merge pull request #1581 from presidentbeef/more_line_numbers_when_joining_ar...
- `f2a2732` Set even more line numbers
- `04fd02b` Detect ::Rails.application.configure too
- `05e2372` Merge pull request #1582 from presidentbeef/slim_smart
- `cf3d9ac` Support loading slim/smart
- `d5cfa90` Set line numbers when joining array into a string
- Additional commits viewable in compare view