github presidentbeef/brakeman v2.0.0

  • Add --only-files option to specify files/paths to scan (Ian Ehlert)
  • Add Marshal/CSV deserialization check
  • Combine deserialization checks into single check
  • Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
  • Avoid duplicate results for Symbol DoS check
  • Medium confidence for mass assignment to attr_protected models
  • Remove "timestamp" key from JSON reports
  • Remove deprecated config file locations
  • Relative paths are used by default in JSON reports
  • --absolute-paths replaces --relative-paths
  • Only treat classes with names containing Controller like controllers
  • Better handling of classes nested inside controllers
  • Better handling of controller classes nested in classes/modules
  • Handle -> lambdas with no arguments
  • Handle explicit block argument destructuring
  • Skip Rails config options that are real objects
  • Detect Rails 3 JSON escape config option
  • Much better tracking of warning file names
  • Fix errors when using --separate-models (Noah Davis)
  • Fix fingerprint generation to actually use the file path
  • Fix text report console output in JRuby
  • Fix false positives on Model#id
  • Fix false positives on params.to_json
  • Fix model path guesses to use "models/" instead of "controllers/"
  • Clean up SQL CVE warning messages
  • Use exceptions instead of abort in brakeman lib
  • Update to Ruby2Ruby 2.0.5
latest releases: v5.1.1, v5.1.0, v5.0.4...
7 years ago