Brakeman 2.0 Released: Static analysis security scanner for Rails apps

Brakeman 2.0 has been released! Some changes, especially to JSON reports, may break external tools.

# What it is

Brakeman finds potential vulnerabilities in Rails applications by scanning the source code. No deployment or application stack required.

Brakeman searches for:

* Cross Site Scripting * SQL Injection * Command Injection * Mass Assignment * Cross-Site Request Forgery * Unprotected Redirects * Default Routes * Insufficient Format Validation * Dynamic Render Paths * Dangerous Evaluation * Unsafe File Access * Unsafe Session Settings * Potential Remote Code Execution * Symbol Creation Denial of Service * Version-specific Rails vulnerabilities * ...and more!

# How to use it

  gem install brakeman

  brakeman your_app_path

# Changes since 1.9.5

* Add `--only-files` option to specify files/paths to scan (Ian Ehlert) * Add Marshal/CSV deserialization check * Combine deserialization checks into single check * Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings * Avoid duplicate results for Symbol DoS check * Medium confidence for mass assignment to attr_protected models * Remove "timestamp" key from JSON reports * Remove deprecated config file locations * Relative paths are used by default in JSON reports * `--absolute-paths` replaces `--relative-paths` * Only treat classes with names containing `Controller` like controllers * Better handling of classes nested inside controllers * Better handling of controller classes nested in classes/modules * Handle `->` lambdas with no arguments * Handle explicit block argument destructuring * Skip Rails config options that are real objects * Detect Rails 3 JSON escape config option * Much better tracking of warning file names * Fix errors when using `--separate-models` (Noah Davis) * Fix fingerprint generation to actually use the file path * Fix text report console output in JRuby * Fix false positives on `Model#id` * Fix false positives on `params.to_json` * Fix model path guesses to use "models/" instead of "controllers/" * Clean up SQL CVE warning messages * Use exceptions instead of abort in brakeman lib * Update to Ruby2Ruby 2.0.5