Forum: Ruby on Rails [ANN] Brakeman 2.0 Released: Static analysis security scanner for Rails apps

Justin Collins (justin_c48)
on 2013-05-21 18:28
Brakeman 2.0 has been released! Some changes, especially to JSON
reports, may break external tools.

http://brakemanscanner.org

# What it is

Brakeman finds potential vulnerabilities in Rails applications by
scanning the source code. No deployment or application stack required.

Brakeman searches for:

 * Cross Site Scripting
 * SQL Injection
 * Command Injection
 * Mass Assignment
 * Cross-Site Request Forgery
 * Unprotected Redirects
 * Default Routes
 * Insufficient Format Validation
 * Dynamic Render Paths
 * Dangerous Evaluation
 * Unsafe File Access
 * Unsafe Session Settings
 * Potential Remote Code Execution
 * Symbol Creation Denial of Service
 * Version-specific Rails vulnerabilities
 * ...and more!

# How to use it

  gem install brakeman

  brakeman your_app_path

# Changes since 1.9.5

 * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
 * Add Marshal/CSV deserialization check
 * Combine deserialization checks into single check
 * Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
 * Avoid duplicate results for Symbol DoS check
 * Medium confidence for mass assignment to attr_protected models
 * Remove "timestamp" key from JSON reports
 * Remove deprecated config file locations
 * Relative paths are used by default in JSON reports
 * `--absolute-paths` replaces `--relative-paths`
 * Only treat classes with names containing `Controller` like controllers
 * Better handling of classes nested inside controllers
 * Better handling of controller classes nested in classes/modules
 * Handle `->` lambdas with no arguments
 * Handle explicit block argument destructuring
 * Skip Rails config options that are real objects
 * Detect Rails 3 JSON escape config option
 * Much better tracking of warning file names
 * Fix errors when using `--separate-models` (Noah Davis)
 * Fix fingerprint generation to actually use the file path
 * Fix text report console output in JRuby
 * Fix false positives on `Model#id`
 * Fix false positives on `params.to_json`
 * Fix model path guesses to use "models/" instead of "controllers/"
 * Clean up SQL CVE warning messages
 * Use exceptions instead of abort in brakeman lib
 * Update to Ruby2Ruby 2.0.5
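The post lists "Marshal/CSV deserialization" among the checks Brakeman runs by scanning source code rather than a running app. As an added illustration of how such a source-level check works (this is example code written here, not Brakeman's own implementation), the following uses Ruby's stdlib `Ripper` to build an S-expression of a controller file and flag `Marshal.load`, `YAML.load` and `CSV.load` calls whose arguments mention `params`. The deserializer list, the `params`-mention heuristic and the sample controller are all assumptions constructed for this example; Brakeman's real data-flow tracking is considerably more thorough.

```ruby
require "ripper"

# Assumption: a small set of deserializers that must never see user-controlled
# input. Brakeman's own list and matching rules differ from this toy version.
RISKY_CALLS = {
  "Marshal" => %w[load restore],
  "YAML"    => %w[load],
  "CSV"     => %w[load],
}.freeze

# True if any :@ident token named `name` appears anywhere in the subtree.
# Used as a crude "derives from params" heuristic (no real taint tracking).
def ident_present?(node, name)
  return false unless node.is_a?(Array)
  return true if node[0] == :@ident && node[1] == name
  node.any? { |child| ident_present?(child, name) }
end

# Returns the constant name for a receiver like `Marshal`, else nil.
def const_name(node)
  return nil unless node.is_a?(Array) && node[0] == :var_ref
  inner = node[1]
  inner.is_a?(Array) && inner[0] == :@const ? inner[1] : nil
end

# For `[:call, receiver, period, [:@ident, "load", [line, col]]]` return
# [receiver_const, method_name, line], or nil when it is not Const.method.
def call_info(node)
  return nil unless node.is_a?(Array) && node[0] == :call
  recv = const_name(node[1])
  meth = node[3]
  return nil unless recv && meth.is_a?(Array) && meth[0] == :@ident
  [recv, meth[1], meth[2][0]]
end

# Walks the Ripper S-expression and returns [{line:, call:}, ...] for every
# risky deserializer call whose argument list mentions `params`.
# Handles both `Marshal.load(x)` (:method_add_arg) and `Marshal.load x`
# (:command_call). Returns [] on a syntax error (Ripper.sexp gives nil).
def find_unsafe_deserialization(source)
  findings = []
  sexp = Ripper.sexp(source)
  return findings unless sexp

  walk = lambda do |node|
    return unless node.is_a?(Array)
    info = args = nil
    case node[0]
    when :method_add_arg            # Const.meth(args)
      info = call_info(node[1])
      args = node[2]
    when :command_call              # Const.meth args
      recv = const_name(node[1])
      meth = node[3]
      if recv && meth.is_a?(Array) && meth[0] == :@ident
        info = [recv, meth[1], meth[2][0]]
      end
      args = node[4]
    end
    if info && RISKY_CALLS.fetch(info[0], []).include?(info[1]) &&
       ident_present?(args, "params")
      findings << { line: info[2], call: "#{info[0]}.#{info[1]}" }
    end
    node.each { |child| walk.call(child) }
  end

  walk.call(sexp)
  findings
end

# Constructed sample controller (not from any real app) with two risky calls
# and one call that is safe because its input is a local file, not params.
SAMPLE_CONTROLLER = <<~RUBY
  class UploadsController < ApplicationController
    def restore
      # flagged: user-controlled input fed to Marshal.load
      @session_data = Marshal.load(params[:blob])
    end

    def import
      rows = CSV.load params[:csv]   # flagged: command-call form, no parens
      render json: rows
    end

    def safe
      # not flagged: argument does not derive from params
      @defaults = Marshal.load(File.read(Rails.root.join("config", "defaults.dump")))
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_unsafe_deserialization(SAMPLE_CONTROLLER).each do |f|
    puts "line #{f[:line]}: #{f[:call]} on request parameter"
  end
end
```

The point the changelog entry makes is that this class of bug is visible without running the app: the deserializer name and the `params` reference are both syntactic, so a walk over the parse tree is enough to raise a warning for a human to review. The remediation is the usual one: never feed `Marshal.load` request data at all, and use `YAML.safe_load` or a plain data format for anything that crosses a trust boundary.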