This is a small release in response to Tuesday's CVEs. With regard to CVEs, the general policy going forward will be to limit Brakeman's checks for CVEs to just those in the core Rails gems. The only advantage Brakeman provides over bundler-audit is *sometimes* being able to detect workarounds or, in even rarer cases, whether or not the application is actually affected. In general, please rely on bundler-audit for checking for known vulnerable versions of gems.
Changes since 3.0.3:

* Add check for CVE-2015-3226 (XSS via JSON keys)
* Add check for CVE-2015-3227 (XML DoS)
* Treat <%== as unescaped output
* Update ruby_parser dependency to 3.7.0

See blog post for details: http://brakemanscanner.org/blog/2015/06/18/brakeman-3-dot-0-4-released/
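To illustrate why `<%==` has to be treated as unescaped output, here is an added example (not Brakeman's own code) of a minimal ERB scanner that flags the output forms which bypass Rails' automatic HTML escaping: `<%== expr %>`, `<%= raw(expr) %>` and `<%= expr.html_safe %>`. The template it runs over is constructed for the example.

```ruby
# Added example, not part of Brakeman. In Rails templates "<%== expr %>" emits
# expr without HTML escaping, exactly like "<%= raw(expr) %>", so a static
# analyser must report it as unescaped output rather than as a safe "<%=" tag.
UnescapedOutput = Struct.new(:line, :form, :expression)

# One regex per unescaped form. "(?!=)" keeps the raw/html_safe patterns from
# also matching a "<%==" tag, so each tag is reported once. The patterns are
# deliberately simple: they do not parse the Ruby expression inside the tag.
UNESCAPED_PATTERNS = {
  '<%==' => /<%==\s*(.+?)\s*-?%>/,
  'raw()' => /<%=(?!=)\s*raw\s*\(?\s*(.+?)\s*\)?\s*-?%>/,
  'html_safe' => /<%=(?!=)\s*(.+?)\.html_safe\s*-?%>/
}.freeze

# Returns every unescaped output tag in the template, in source order.
def find_unescaped_outputs(template)
  results = []
  template.each_line.with_index(1) do |text, lineno|
    UNESCAPED_PATTERNS.each do |form, pattern|
      text.scan(pattern) { |(expr)| results << UnescapedOutput.new(lineno, form, expr) }
    end
  end
  results
end

# Constructed sample template: line 1 is safely escaped, lines 2-4 are not.
SAMPLE_TEMPLATE = <<~ERB
  <h1><%= @title %></h1>
  <div><%== @user.bio %></div>
  <p><%= raw(params[:q]) %></p>
  <%= params[:note].html_safe %>
  <% if admin? %><%= "ok" %><% end %>
ERB

if __FILE__ == $0
  find_unescaped_outputs(SAMPLE_TEMPLATE).each do |hit|
    puts "line #{hit.line}: unescaped output via #{hit.form}: #{hit.expression}"
  end
end
```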