Skip to content

Bump brakeman from 4.7.2 to 5.0.1

NipaNipa requested to merge dependabot/bundler/brakeman-5.0.1 into master

Bumps brakeman from 4.7.2 to 5.0.1.

Release notes

Sourced from brakeman's releases.

5.0.0

  • Scan (almost) all Ruby files in project
  • Revamp CSV report to a CSV list of warnings
  • Add Sonarqube report format (Adam England)
  • Add check for (more) unsafe method reflection (#1488, #1507, and #1508)
  • Add check for potential HTTP verb confusion (#1432)
  • Add --[no-]skip-vendor option
  • Ignore uuid as a safe attribute
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Collapse __send__ calls
  • Set Rails configuration defaults based on load_defaults version
  • Update Ruby requirement to version 2.4.0
  • Suggest using --force if no Rails application is detected

5.0.0.pre1

  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project
  • Add support for Haml 5.2.0

4.10.1

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths (#1536)
  • Ensure RubyParser is passed file path as a String (#1534)
  • Support new Haml 5.2.0 escaping method (#1517)

4.10.0

4.9.1

  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
  • Check chomped strings for SQL injection (#1509)
  • Always set line number for joined arrays (#1499)
  • Avoid warning about missing attr_accessible if protected_attributes gem is used (#1512)
  • Bundle latest ruby_parser (4.15.0)

4.9.0

  • Add --ensure-ignore-notes (Eli Block)
  • Add check for user input in ERB.new (Matt Hickman)
  • Add check for CVE-2020-8166 (Jamie Finnigan)
  • Always scan environment.rb
  • Avoid warning when safe_yaml is used via YAML.load(..., safe: true)
  • Do not warn about mass assignment with params.permit!.slice
  • Ignore params.permit! in path helpers
  • Treat Dir.glob as safe source of values in guards
... (truncated)
Changelog

Sourced from brakeman's changelog.

5.0.1 - 2021-04-27

  • Detect ::Rails.application.configure too
  • Set more line numbers on Sexps
  • Support loading slim/smart
  • Don't fail if HOME/USER are not defined
  • Always ignore slice/only calls for mass assignment
  • Convert splat array arguments to arguments

5.0.0 - 2021-01-26

  • Ignore uuid as a safe attribute
  • Collapse __send__ calls
  • Ignore Tempfile#path in shell commands
  • Ignore development environment
  • Revamp CSV report to a CSV list of warnings
  • Set Rails configuration defaults based on load_defaults version
  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project

4.10.1 - 2020-12-24

  • Declare REXML as a dependency (Ruby 3.0 compatibility)
  • Use Sexp#sexp_body instead of Sexp#[..] (Ruby 3.0 compatibility)
  • Prevent render loops when template names are absolute paths
  • Ensure RubyParser is passed file path as a String
  • Support new Haml 5.2.0 escaping method

5.0.0.pre1 - 2020-11-17

  • Add check for (more) unsafe method reflection
  • Suggest using --force if no Rails application is detected
  • Add Sonarqube report format (Adam England)
  • Add check for potential HTTP verb confusion
  • Add --[no-]skip-vendor option
  • Scan (almost) all Ruby files in project
  • Add support for Haml 5.2.0

4.10.0 - 2020-09-28

  • Add SARIF report format (Steve Winton)

4.9.1 - 2020-09-04

  • Check chomped strings for SQL injection
  • Use version from active_record for non-Rails apps (Ulysse Buonomo)
... (truncated)
Commits
  • 6b1eb67 Bump to 5.0.1
  • d1275bb Update CHANGES
  • b470c33 Merge pull request #1585 from presidentbeef/colon_colon_rails
  • 035a18c Merge branch 'main' into colon_colon_rails
  • 767333a Merge pull request #1581 from presidentbeef/more_line_numbers_when_joining_ar...
  • f2a2732 Set even more line numbers
  • 04fd02b Detect ::Rails.application.configure too
  • 05e2372 Merge pull request #1582 from presidentbeef/slim_smart
  • cf3d9ac Support loading slim/smart
  • d5cfa90 Set line numbers when joining array into a string
  • Additional commits viewable in compare view

Merge request reports