Happy new year! Apologies for the delay (and the Friday night release), but at least it is finally out, as promised.
Brakeman 3.0 is not a huge update, but it includes several breaking changes. Please read below carefully and be prepared for warnings to be a little different, including some fingerprints. The certificate used to sign the Brakeman gem expired, so it is necessary to add the new one when installing with `-P`. Also, there are new checks and changes to some internals, so please report any new false positives.

Changes since 2.6.3:

* `--exit-on-warn --compare` only returns an error code on new warnings (Jeff Yip)
* Sort warnings by fingerprint in JSON report (Jeff Yip)
* CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
* Change `--separate-models` to be the default
* Local variables are no longer formatted as `(local var)`
* Actually skip skipped before filters
* Remove "fake filters" from warning fingerprints
* Index calls in `lib/` files
* Handle symmetric multiple assignment
* Do not branch for self attribute assignment `x = x.y`
* Move Symbol DoS to optional checks
* Add check for cross site scripting via inline renders
* Add check for CVE-2014-7829
* Fix parsing of `<%==` in ERB
* Fix CVE for CVE-2011-2932

See the release post for more details: http://brakemanscanner.org/blog/2015/01/02/brakeman-3-dot-0-0-released/
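The `<%==` fix above matters because, in Rails' ERB (Erubi/Erubis), `<%= expr %>` HTML-escapes its output while `<%== expr %>` emits it raw, so a scanner that fails to parse `<%==` misses the one tag that bypasses escaping. The following added example is not Brakeman's code or the release's; it assumes those Rails semantics, rewrites a constructed template into plain Ruby `ERB` so it can run without Rails, and lists the expressions a template emits unescaped, which is the information a check like Brakeman's needs.

```ruby
require "erb"
require "cgi"

# Constructed sample template (not from the page). Under Rails semantics
# `name` is escaped on output and `markup` is written out verbatim.
TEMPLATE = "<p><%= name %></p><div><%== markup %></div>"

# Translate Rails-style output tags into plain ERB:
#   <%== x %>  -> raw output, no escaping (Rails semantics, assumed here)
#   <%= x %>   -> output passed through CGI.escapeHTML
# The regex captures the optional second "=" so the two tags are told apart.
def to_plain_erb(template)
  template.gsub(/<%=(=?)\s*(.*?)\s*%>/m) do
    raw = ($1 == "=")
    expr = $2
    raw ? "<%= (#{expr}).to_s %>" : "<%= CGI.escapeHTML((#{expr}).to_s) %>"
  end
end

# Render a template with the given locals, applying the Rails escaping rules.
def render_rails_style(template, locals)
  b = binding
  locals.each { |name, value| b.local_variable_set(name, value) }
  ERB.new(to_plain_erb(template)).result(b)
end

# Return the expressions a template writes out without escaping. A scanner
# that does not recognise `<%==` would report an empty list here and
# silently miss every raw output in the view.
def raw_output_expressions(template)
  template.scan(/<%==\s*(.*?)\s*%>/m).flatten
end

if __FILE__ == $PROGRAM_NAME
  payload = "<b>x</b>"
  puts render_rails_style(TEMPLATE, name: payload, markup: payload)
  puts "unescaped expressions: #{raw_output_expressions(TEMPLATE).inspect}"
end
```

Running the script shows the same string escaped once and raw once, and `raw_output_expressions` names `markup` as the only unescaped output. Plain Ruby `ERB` does not understand `<%==` at all, which is why the template is rewritten first; the translation is a stand-in for Rails' template engine, not a copy of it.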
