Brakeman 2.0 Released: Static analysis security scanner for Rails apps

Brakeman 2.0 has been released! Some changes, especially to JSON
reports, may break external tools.

# What it is

Brakeman finds potential vulnerabilities in Rails applications by
scanning the source code. No deployment or application stack required.

Brakeman searches for:

* Cross Site Scripting
* SQL Injection
* Command Injection
* Mass Assignment
* Cross-Site Request Forgery
* Unprotected Redirects
* Default Routes
* Insufficient Format Validation
* Dynamic Render Paths
* Dangerous Evaluation
* Unsafe File Access
* Unsafe Session Settings
* Potential Remote Code Execution
* Symbol Creation Denial of Service
* Version-specific Rails vulnerabilities
* ...and more!

# How to use it

  gem install brakeman

  brakeman your_app_path

# Changes since 1.9.5

* Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
* Add Marshal/CSV deserialization check
* Combine deserialization checks into single check
* Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
* Avoid duplicate results for Symbol DoS check
* Medium confidence for mass assignment to attr_protected models
* Remove "timestamp" key from JSON reports
* Remove deprecated config file locations
* Relative paths are used by default in JSON reports
* `--absolute-paths` replaces `--relative-paths`
* Only treat classes with names containing `Controller` like
* Better handling of classes nested inside controllers
* Better handling of controller classes nested in classes/modules
* Handle `->` lambdas with no arguments
* Handle explicit block argument destructuring
* Skip Rails config options that are real objects
* Detect Rails 3 JSON escape config option
* Much better tracking of warning file names
* Fix errors when using `--separate-models` (Noah Davis)
* Fix fingerprint generation to actually use the file path
* Fix text report console output in JRuby
* Fix false positives on `Model#id`
* Fix false positives on `params.to_json`
* Fix model path guesses to use "models/" instead of "controllers/"
* Clean up SQL CVE warning messages
* Use exceptions instead of abort in brakeman lib
* Update to Ruby2Ruby 2.0.5