Brakeman v2.0.0 Release Notes
Release Date: 2013-05-20
- Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
- Add Marshal/CSV deserialization check
- Combine deserialization checks into single check
- Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
- Avoid duplicate results for Symbol DoS check
- Medium confidence for mass assignment to attr_protected models
- Remove "timestamp" key from JSON reports
- Remove deprecated config file locations
- Relative paths are used by default in JSON reports (`--absolute-paths` replaces `--relative-paths`)
- Only treat classes with names containing `Controller` like controllers
- Better handling of classes nested inside controllers
- Better handling of controller classes nested in classes/modules
- Handle `->` lambdas with no arguments
- Handle explicit block argument destructuring
- Skip Rails config options that are real objects
- Detect Rails 3 JSON escape config option
- Much better tracking of warning file names
- Fix errors when using `--separate-models` (Noah Davis)
- Fix fingerprint generation to actually use the file path
- Fix text report console output in JRuby
- Fix false positives on `Model#id`
- Fix false positives on `params.to_json`
- Fix model path guesses to use "models/" instead of "controllers/"
- Clean up SQL CVE warning messages
- Use exceptions instead of abort in brakeman lib
- Update to Ruby2Ruby 2.0.5
- Add