Sorry for the poor timing of this release. I pushed Ryan Davis to
update ruby2ruby to use ruby_parser 3.1.1 and it broke Brakeman's
dependencies. No exciting changes in this release, but there are several
new checks so expect new warnings.
Changes since 1.9.0:
* Add check for CVE-2012-5664 -
Brakeman 1.9.3 includes several promised features, including
fingerprints for warnings and support for Slim templates.
Only one more release is planned before 2.0!
Changes since 1.9.2:
* Add warning fingerprints
* Add check for unsafe reflection (Gabriel Quadros)
* Add support for Slim
Due to the new CVEs, a new version of Brakeman was released a little
earlier than planned. This means there will be at least one more 1.9.x
release before 2.0.
Changes since 1.9.3:
* Add check for CVE-2013-1854
* Add check for CVE-2013-1855
* Add check for CVE-2013-1856
* Add check for
Brakeman 1.9.5 is out today. Mostly bug fixes, with one new check for
dynamic symbol creation. There is also a chance that changes in this
release will lead to performance improvements, depending on the
application being scanned.
Little trivia: this is the highest bug fix version number
Hi Matt,
Yes, this is a good idea. I can do the SHA1 for this release and start
signing the gem with the next release.
-Justin
On 2013-10-28 11:52, Matt Glover (Mandiant) wrote:
In case I missed it does the brakeman project cryptographically sign
or otherwise provide verification information
Actually released last night, but took some time to write the blog
post. It has a lot of info this time :)
Sorry for the delay, but the five latest CVEs are now checked by
Brakeman. This release also includes a new check for uses of
`Parameters#permit!`.
For the first time, this release is
This release involves a bit of shuffling and changes to internals, so
expect minor changes in warnings and please report any bugs. Performance
for code using `+=` inside of if expressions has improved dramatically.
If you previously skipped any files for performance reasons, please try
Hi Ronie,
Are you sure this is the code generating the warning? I cannot reproduce
the warning. Brakeman should definitely not be warning about this.
-Justin
On 2015-03-13 16:55, Ronie Henrich wrote:
Brakeman is reporting Unescaped parameter value when using find with
parameterized queries
interested - no worries!
Everything will continue as normal.
This will be the only email I send to this list regarding Brakeman Pro.
You are welcome to follow @BrakemanPro on Twitter for updates or email
me directly.
TL;DR - Nothing is changing with the Brakeman you know and love.
Thanks,
Justin
As mentioned previously, Brakeman 3.1.0 contains some changes which may
cause things to break. Please read the release post carefully!
Note this release has dependencies which do not support Ruby 1.8. If you
*really* need to run Brakeman with Ruby 1.8, the brakeman-min gem should
work. This
Actually, image_tag (and most other _tag methods) should be ignored.
I'm having trouble reproducing this warning. Can you show us the entire
warning output? What version of Rails and Brakeman are you using?
Thanks!
-Justin
On 04/10/2013 04:06 PM, Matthew Brookes wrote:
Hi!
I'm getting
to overlay. It's a bit
of a daisy-chain, but it works!
I could possibly use session / flash to pass the location_id, but using
a querystring makes the link bookmarkable. Also, I think the
google-earth plugin maintains its own session. Any ideas?
Thanks!
On 11 April 2013 01:01, Justin
Yes, Brakeman should probably not warn on to_param/to_query.
On 04/11/2013 01:36 PM, Matthew Brookes wrote:
Thanks Justin,
A quick search for CGI.escape brought me to this discussion
http://stackoverflow.com/a/13059657/1447810 on Ruby escape methods,
which in one of the comments had a link
Lots of changes in this release, but that's mostly because it's been
over a month since 1.9.5. There are some changes in this release which
may break external tools, thus the 2.0 version number. Also, 1.10
would have been next, which is ugly.
Please note the changes to JSON reports. Also,
Hi all,
As announced here:
https://twitter.com/brakeman/status/402981069227454464 I have some
Brakeman stickers to give away. Just send your name and address to
stick...@brakeman.org.
-Justin
warnings[3].
Hope that helps.
-Justin
[1] https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#comment-58002244
[2] https://wiki.jenkins-ci.org/display/JENKINS/Static+Code+Analysis+Plug-ins?focusedCommentId=58002244#StaticCodeAnalysisPlug-ins-email