Update dependency brakeman to v6
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| brakeman (source, changelog) | major |
'4.10.1' -> '6.1.2'
|
MR created with the help of gitlab-org/frontend/renovate-gitlab-bot
Release Notes
presidentbeef/brakeman (brakeman)
v6.1.2
- Update Highline to 3.0
- Add EOL date for Ruby 3.3.0
- Avoid copying Sexps that are too large
- Avoid detecting
ViewComponentContrib::Baseas dynamic render paths (vividmuimui) - Remove deprecated use of
Kernel#open("|...") - Remove
safe_yamlgem dependency - Avoid detecting Phlex components as dynamic render paths (Máximo Mussini)
v6.1.1
- Handle racc as a default gem in Ruby 3.3.0
v6.1.0
- Add
--timingto add timing duration for scan steps - Fix keyword splats in filter arguments
- Add check for unfiltered search with Ransack
- Fix class method lookup in parent classes
- Handle
class << self - Add
PG::Connection.escape_stringas a SQL sanitization method (Joévin Soulenq)
v6.0.1
- Accept strings for
load_defaultsversion
v6.0.0
- Add obsolete fingerprints to comparison report
- Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
- Scan directories that include the word
public - Raise minimum Ruby version to 3.0
- Drop support for Ruby 1.8/1.9 syntax
- Fix end-of-life dates for Ruby
- Fix false positive with
content_tagin newer Rails
v5.4.1
- Fix file/line location for EOL software warnings
- Revise checking for request.env to only consider request headers
- Add
redirect_backandredirect_back_or_toto open redirect check - Support Rails 7 redirect options
- Add Rails 6.1 and 7.0 default configuration values
- Prevent redirects using
url_frombeing marked as unsafe (Lachlan Sylvester) - Warn about unscoped find for
find_by(id: ...) - Support
presence,presence_inandin? - Fix issue with
ifexpressions inwhenclauses
v5.4.0
- Use relative paths for CodeClimate report format (Mike Poage)
- Add check for weak RSA key sizes and padding modes
- Handle multiple values and splats in case/when
- Ignore more model methods in redirects
- Add check for absolute paths issue with Pathname
- Fix
load_rails_defaultsoverwriting settings in the Rails application (James Gregory-Monk)
v5.3.1
- Fix version range for CVE-2022-32209
v5.3.0
- Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
- Load rexml as a Brakeman dependency
- Fix "full call" information propagating unnecessarily
- Add check for CVE-2022-32209
- Add CWE information to warnings (Stephen Aghaulor)
v5.2.3
- Fix error with hash shorthand syntax
- Match order of interactive options with help message (Rory O'Kane)
v5.2.2
- Update
ruby_parserfor Ruby 3.1 support (Merek Skubela) - Handle
nilwhen joining values (Dan Buettner) - Update message for unsafe reflection (Pedro Baracho)
- Add additional String methods for SQL injection check
- Respect equality in
ifconditions
v5.2.1
- Add warning codes for EOL software warnings
v5.2.0
- Initial Rails 7 support
- Require Ruby 2.5.0+
- Fix issue with calls to
foo.rootin routes - Ignore
I18n.localein SQL queries - Do not treat
sanitize_sql_likeas safe - Add new checks for unsupported Ruby and Rails versions
v5.1.2
- Handle cases where enums are not symbols
- Support newer Haml with ::Haml::AttributeBuilder.build
- Fix issue where the previous output is still visible (Jason Frey)
- Fix warning sorting with nil line numbers
- Update for latest RubyParser (Ryan Davis)
v5.1.1
- Unrefactor IgnoreConfig's use of
Brakeman::FilePath
v5.1.0
- Initial support for ActiveRecord enums
- Support
Hash#include? - Interprocedural dataflow from very simple class methods
- Fix SARIF report when checks have no description (Eli Block)
- Add ignored warnings to SARIF report (Eli Block)
- Add
--sql-safe-methodsoption (Esty Scheiner) - Update SQL injection check for Rails 6.0/6.1
- Fix false positive in command injection with
Open3.capture(Richard Fitzgerald) - Fix infinite loop on mixin self-includes (Andrew Szczepanski)
- Ignore dates in SQL
- Refactor
cookie?/param?methods (Keenan Brock) - Ignore renderables in dynamic render path check (Brad Parker)
- Support
Array#push - Better
Array#joinsupport - Adjust copy of
--interactivemenu (Elia Schito) - Support
Array#* - Better method definition tracking and lookup
- Support
Hash#valuesandHash#values_at - Check for user-controlled evaluation even if it's a call target
- Support
Array#fetchandHash#fetch - Ignore
sanitize_sql_likein SQL - Ignore method calls on numbers in SQL
- Add GitHub Actions format (Klaus Badelt)
- Read and parse files in parallel
v5.0.4
(brakeman gem release only)
- Update bundled
ruby_parserto include argument forwarding support
v5.0.2
- Fix Loofah version check
v5.0.1
- Detect
::Rails.application.configuretoo - Set more line numbers on Sexps
- Support loading
slim/smart - Don't fail if HOME/USER are not defined
- Always ignore slice/only calls for mass assignment
- Convert splat array arguments to arguments
v5.0.0
- Ignore
uuidas a safe attribute - Collapse
__send__calls - Ignore
Tempfile#pathin shell commands - Ignore development environment
- Revamp CSV report to a CSV list of warnings
- Set Rails configuration defaults based on
load_defaultsversion - Add check for (more) unsafe method reflection
- Suggest using
--forceif no Rails application is detected - Add Sonarqube report format (Adam England)
- Add check for potential HTTP verb confusion
- Add
--[no-]skip-vendoroption - Scan (almost) all Ruby files in project
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.