Update dependency brakeman to v6
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| brakeman (source, changelog) | major | `'4.10.1' -> '6.1.2'` |
MR created with the help of gitlab-org/frontend/renovate-gitlab-bot
Release Notes
presidentbeef/brakeman (brakeman)
v6.1.2
- Update Highline to 3.0
- Add EOL date for Ruby 3.3.0
- Avoid copying Sexps that are too large
- Avoid detecting `ViewComponentContrib::Base` as dynamic render paths (vividmuimui)
- Remove deprecated use of `Kernel#open("|...")`
- Remove `safe_yaml` gem dependency
- Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
v6.1.1
- Handle racc as a default gem in Ruby 3.3.0
v6.1.0
- Add `--timing` to add timing duration for scan steps
- Fix keyword splats in filter arguments
- Add check for unfiltered search with Ransack
- Fix class method lookup in parent classes
- Handle `class << self`
- Add `PG::Connection.escape_string` as a SQL sanitization method (Joévin Soulenq)
v6.0.1
- Accept strings for `load_defaults` version
v6.0.0
- Add obsolete fingerprints to comparison report
- Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
- Scan directories that include the word `public`
- Raise minimum Ruby version to 3.0
- Drop support for Ruby 1.8/1.9 syntax
- Fix end-of-life dates for Ruby
- Fix false positive with `content_tag` in newer Rails
v5.4.1
- Fix file/line location for EOL software warnings
- Revise checking for request.env to only consider request headers
- Add `redirect_back` and `redirect_back_or_to` to open redirect check
- Support Rails 7 redirect options
- Add Rails 6.1 and 7.0 default configuration values
- Prevent redirects using `url_from` being marked as unsafe (Lachlan Sylvester)
- Warn about unscoped find for `find_by(id: ...)`
- Support `presence`, `presence_in` and `in?`
- Fix issue with `if` expressions in `when` clauses
v5.4.0
- Use relative paths for CodeClimate report format (Mike Poage)
- Add check for weak RSA key sizes and padding modes
- Handle multiple values and splats in case/when
- Ignore more model methods in redirects
- Add check for absolute paths issue with Pathname
- Fix `load_rails_defaults` overwriting settings in the Rails application (James Gregory-Monk)
v5.3.1
- Fix version range for CVE-2022-32209
v5.3.0
- Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
- Load rexml as a Brakeman dependency
- Fix "full call" information propagating unnecessarily
- Add check for CVE-2022-32209
- Add CWE information to warnings (Stephen Aghaulor)
v5.2.3
- Fix error with hash shorthand syntax
- Match order of interactive options with help message (Rory O'Kane)
v5.2.2
- Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
- Handle `nil` when joining values (Dan Buettner)
- Update message for unsafe reflection (Pedro Baracho)
- Add additional String methods for SQL injection check
- Respect equality in `if` conditions
v5.2.1
- Add warning codes for EOL software warnings
v5.2.0
- Initial Rails 7 support
- Require Ruby 2.5.0+
- Fix issue with calls to `foo.root` in routes
- Ignore `I18n.locale` in SQL queries
- Do not treat `sanitize_sql_like` as safe
- Add new checks for unsupported Ruby and Rails versions
v5.1.2
- Handle cases where enums are not symbols
- Support newer Haml with ::Haml::AttributeBuilder.build
- Fix issue where the previous output is still visible (Jason Frey)
- Fix warning sorting with nil line numbers
- Update for latest RubyParser (Ryan Davis)
v5.1.1
- Unrefactor IgnoreConfig's use of `Brakeman::FilePath`
v5.1.0
- Initial support for ActiveRecord enums
- Support `Hash#include?`
- Interprocedural dataflow from very simple class methods
- Fix SARIF report when checks have no description (Eli Block)
- Add ignored warnings to SARIF report (Eli Block)
- Add `--sql-safe-methods` option (Esty Scheiner)
- Update SQL injection check for Rails 6.0/6.1
- Fix false positive in command injection with `Open3.capture` (Richard Fitzgerald)
- Fix infinite loop on mixin self-includes (Andrew Szczepanski)
- Ignore dates in SQL
- Refactor `cookie?`/`param?` methods (Keenan Brock)
- Ignore renderables in dynamic render path check (Brad Parker)
- Support `Array#push`
- Better `Array#join` support
- Adjust copy of `--interactive` menu (Elia Schito)
- Support `Array#*`
- Better method definition tracking and lookup
- Support `Hash#values` and `Hash#values_at`
- Check for user-controlled evaluation even if it's a call target
- Support `Array#fetch` and `Hash#fetch`
- Ignore `sanitize_sql_like` in SQL
- Ignore method calls on numbers in SQL
- Add GitHub Actions format (Klaus Badelt)
- Read and parse files in parallel
v5.0.4
(brakeman gem release only)
- Update bundled `ruby_parser` to include argument forwarding support
v5.0.2
- Fix Loofah version check
v5.0.1
- Detect `::Rails.application.configure` too
- Set more line numbers on Sexps
- Support loading `slim/smart`
- Don't fail if HOME/USER are not defined
- Always ignore slice/only calls for mass assignment
- Convert splat array arguments to arguments
v5.0.0
- Ignore `uuid` as a safe attribute
- Collapse `__send__` calls
- Ignore `Tempfile#path` in shell commands
- Ignore development environment
- Revamp CSV report to a CSV list of warnings
- Set Rails configuration defaults based on `load_defaults` version
- Add check for (more) unsafe method reflection
- Suggest using `--force` if no Rails application is detected
- Add Sonarqube report format (Adam England)
- Add check for potential HTTP verb confusion
- Add `--[no-]skip-vendor` option
- Scan (almost) all Ruby files in project
This MR has been generated by Renovate Bot.