Forum: Ruby on Rails [ANN] Brakeman 2.0 Released: Static analysis security scanner for Rails apps

Justin C. (justin_c48), 2013-05-21 18:28
Brakeman 2.0 has been released! Some changes, especially to JSON
reports, may break external tools.

# What it is

Brakeman finds potential vulnerabilities in Rails applications by
scanning the source code. No deployment or application stack required.

Brakeman searches for:

 * Cross Site Scripting
 * SQL Injection
 * Command Injection
 * Mass Assignment
 * Cross-Site Request Forgery
 * Unprotected Redirects
 * Default Routes
 * Insufficient Format Validation
 * Dynamic Render Paths
 * Dangerous Evaluation
 * Unsafe File Access
 * Unsafe Session Settings
 * Potential Remote Code Execution
 * Symbol Creation Denial of Service
 * Version-specific Rails vulnerabilities
 * ...and more!

# How to use it

  gem install brakeman

  brakeman your_app_path

# Changes since 1.9.5

 * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
 * Add Marshal/CSV deserialization check
 * Combine deserialization checks into single check
 * Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
 * Avoid duplicate results for Symbol DoS check
 * Medium confidence for mass assignment to attr_protected models
 * Remove "timestamp" key from JSON reports
 * Remove deprecated config file locations
 * Relative paths are used by default in JSON reports
 * `--absolute-paths` replaces `--relative-paths`
 * Only treat classes with names containing `Controller` like
 * Better handling of classes nested inside controllers
 * Better handling of controller classes nested in classes/modules
 * Handle `->` lambdas with no arguments
 * Handle explicit block argument destructuring
 * Skip Rails config options that are real objects
 * Detect Rails 3 JSON escape config option
 * Much better tracking of warning file names
 * Fix errors when using `--separate-models` (Noah Davis)
 * Fix fingerprint generation to actually use the file path
 * Fix text report console output in JRuby
 * Fix false positives on `Model#id`
 * Fix false positives on `params.to_json`
 * Fix model path guesses to use "models/" instead of "controllers/"
 * Clean up SQL CVE warning messages
 * Use exceptions instead of abort in brakeman lib
 * Update to Ruby2Ruby 2.0.5
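The "What it is" section says Brakeman finds these bugs by scanning source, with no running app. To show what that means in practice, here is an added, deliberately small illustration of the technique (it is not Brakeman's code and nowhere near its real checks): it parses a constructed controller with Ruby's stdlib `Ripper`, walks the S-expression for calls to a hypothetical, reduced sink table (`where`, `find_by_sql`, `redirect_to`, `eval`, `system`), and reports a warning when the arguments read `params`. For the SQL sinks it only warns when `params` appears inside a string interpolation, so the parameterised `where("name = ?", params[:name])` form is not flagged. The sample controller, the sink table and the warning types are the example's own assumptions.

```ruby
require "ripper"

# Constructed sample controller (not from the page): `search` uses three of the
# sink patterns listed in the announcement, `safe_search` uses the safe forms.
SAMPLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def search
      @users = User.where("name = '#{params[:name]}'")
      redirect_to params[:return_to]
      system("ls #{params[:dir]}")
    end

    def safe_search
      @users = User.where("name = ?", params[:name])
      redirect_to root_path
    end
  end
RUBY

# Hypothetical, reduced sink table; Brakeman's real checks cover far more.
SINKS = {
  "where"       => "SQL Injection",
  "find_by_sql" => "SQL Injection",
  "redirect_to" => "Unprotected Redirect",
  "eval"        => "Dangerous Evaluation",
  "system"      => "Command Injection",
}.freeze

# Depth-first walk over Ripper's nested-array S-expression.
def walk(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node)
  node.each { |child| walk(child, &blk) }
end

# True if the subtree reads the request `params` object anywhere.
def references_params?(node)
  found = false
  walk(node) do |n|
    next unless n[0] == :vcall || n[0] == :var_ref
    ident = n[1]
    found = true if ident.is_a?(Array) && ident[0] == :@ident && ident[1] == "params"
  end
  found
end

# True if the subtree has a string interpolation (#{...}) that reads params:
# the pattern that turns a string SQL fragment into an injection point.
def interpolates_params?(node)
  found = false
  walk(node) { |n| found = true if n[0] == :string_embexpr && references_params?(n) }
  found
end

# Unpack the call shapes Ripper produces for `foo x`, `a.foo x`, `foo(x)` and
# `a.foo(x)`. Returns [method_name, line, args_node] or nil for non-calls.
def call_site(node)
  ident, args =
    case node[0]
    when :command      then [node[1], node[2]]
    when :command_call then [node[3], node[4]]
    when :method_add_arg
      callee = node[1]
      target = callee[0] == :fcall ? callee[1] : (callee[0] == :call ? callee[3] : nil)
      [target, node[2]]
    end
  return nil unless ident.is_a?(Array) && ident[0] == :@ident
  [ident[1], ident[2][0], args]
end

# Scan one Ruby source string; returns warnings as {type:, method:, line:}.
def scan(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, "could not parse source" if sexp.nil?
  warnings = []
  walk(sexp) do |node|
    name, line, args = call_site(node)
    next unless name
    type = SINKS[name]
    next unless type
    tainted = type == "SQL Injection" ? interpolates_params?(args) : references_params?(args)
    warnings << { type: type, method: name, line: line } if tainted
  end
  warnings.sort_by { |w| w[:line] }
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_CONTROLLER).each do |w|
    puts format("%-22s line %d (%s)", w[:type], w[:line], w[:method])
  end
end
```

Run as a script it reports the three findings in `search` (lines 3, 4 and 5) and nothing for `safe_search`. The point to take from it is the shape of the problem Brakeman solves: a sink list, a notion of untrusted input, and enough syntax awareness to tell interpolation from a bound parameter; everything after that (interprocedural flow, Rails-specific helpers, confidence levels) is what a real scanner adds.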
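The post warns that the 2.0 changes to JSON reports may break external tools, and the changelog explains why: the `timestamp` key is gone, paths are relative by default, and fingerprints now actually include the file path. A tool that keys on fingerprints rather than on `file:line` is the kind of consumer those changes are meant to serve. The following is an added example, not part of Brakeman or of the original post: it diffs two constructed, reduced reports by fingerprint and decides which new findings should block a build. The warning fields used (`warnings`, `fingerprint`, `warning_type`, `file`, `line`, `confidence`) are assumed here to follow Brakeman's JSON layout; every value in the sample reports is made up.

```ruby
require "json"

# Constructed, reduced Brakeman-style JSON report for a baseline commit. Key
# names are assumed to match Brakeman's JSON output; the values are invented.
BASELINE_REPORT = JSON.generate({
  "warnings" => [
    { "warning_type" => "SQL Injection", "fingerprint" => "fp-sqli-users-search",
      "file" => "app/controllers/users_controller.rb", "line" => 3, "confidence" => "High" },
    { "warning_type" => "Mass Assignment", "fingerprint" => "fp-mass-assign-user",
      "file" => "app/models/user.rb", "line" => 1, "confidence" => "Medium" },
  ]
})

# Same app one commit later: the SQL injection is still there (same fingerprint,
# different line), the mass assignment is fixed, and two new findings appeared.
CURRENT_REPORT = JSON.generate({
  "warnings" => [
    { "warning_type" => "SQL Injection", "fingerprint" => "fp-sqli-users-search",
      "file" => "app/controllers/users_controller.rb", "line" => 7, "confidence" => "High" },
    { "warning_type" => "Unprotected Redirect", "fingerprint" => "fp-redirect-sessions",
      "file" => "app/controllers/sessions_controller.rb", "line" => 12, "confidence" => "High" },
    { "warning_type" => "Dynamic Render Path", "fingerprint" => "fp-render-pages",
      "file" => "app/controllers/pages_controller.rb", "line" => 9, "confidence" => "Weak" },
  ]
})

CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

def warnings_by_fingerprint(report_json)
  JSON.parse(report_json).fetch("warnings").group_by { |w| w.fetch("fingerprint") }
end

# Compare two reports by fingerprint rather than by file:line, so a finding
# that merely moved within its file is not counted as both fixed and new.
def diff_reports(baseline_json, current_json)
  base = warnings_by_fingerprint(baseline_json)
  cur  = warnings_by_fingerprint(current_json)
  {
    new:       (cur.keys - base.keys).flat_map { |fp| cur[fp] },
    fixed:     (base.keys - cur.keys).flat_map { |fp| base[fp] },
    unchanged: (cur.keys & base.keys).size,
  }
end

# New findings at or above the given confidence; a CI job would fail when
# this list is non-empty and leave Weak findings for manual triage.
def blocking_warnings(diff, min_confidence: "Medium")
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  diff[:new].select { |w| CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold }
end

if __FILE__ == $PROGRAM_NAME
  diff = diff_reports(BASELINE_REPORT, CURRENT_REPORT)
  puts "fixed: #{diff[:fixed].map { |w| w['warning_type'] }.join(', ')}"
  puts "unchanged: #{diff[:unchanged]}"
  blocking_warnings(diff).each do |w|
    puts "NEW #{w['confidence']} #{w['warning_type']} at #{w['file']}:#{w['line']}"
  end
end
```

Two caveats follow directly from the changelog. Because the fingerprint now includes the file path, moving a file (say, a controller into a namespace directory) changes its fingerprint and the finding will show up as fixed-plus-new; and because paths are relative by default, a baseline produced with `--absolute-paths` will not match one produced without it, so both sides of the diff should be generated with the same option.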