Justin Collins
2013-May-21 16:28 UTC
[ANN] Brakeman 2.0 Released: Static analysis security scanner for Rails apps
Brakeman 2.0 has been released! Some changes, especially to JSON reports, may break external tools.

http://brakemanscanner.org

# What it is

Brakeman finds potential vulnerabilities in Rails applications by scanning the source code. No deployment or application stack required.

Brakeman searches for:

* Cross Site Scripting
* SQL Injection
* Command Injection
* Mass Assignment
* Cross-Site Request Forgery
* Unprotected Redirects
* Default Routes
* Insufficient Format Validation
* Dynamic Render Paths
* Dangerous Evaluation
* Unsafe File Access
* Unsafe Session Settings
* Potential Remote Code Execution
* Symbol Creation Denial of Service
* Version-specific Rails vulnerabilities
* ...and more!

# How to use it

    gem install brakeman
    brakeman your_app_path

# Changes since 1.9.5

* Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
* Add Marshal/CSV deserialization check
* Combine deserialization checks into single check
* Avoid duplicate "Dangerous Send" and "Unsafe Reflection" warnings
* Avoid duplicate results for Symbol DoS check
* Medium confidence for mass assignment to attr_protected models
* Remove "timestamp" key from JSON reports
* Remove deprecated config file locations
* Relative paths are used by default in JSON reports
* `--absolute-paths` replaces `--relative-paths`
* Only treat classes with names containing `Controller` like controllers
* Better handling of classes nested inside controllers
* Better handling of controller classes nested in classes/modules
* Handle `->` lambdas with no arguments
* Handle explicit block argument destructuring
* Skip Rails config options that are real objects
* Detect Rails 3 JSON escape config option
* Much better tracking of warning file names
* Fix errors when using `--separate-models` (Noah Davis)
* Fix fingerprint generation to actually use the file path
* Fix text report console output in JRuby
* Fix false positives on `Model#id`
* Fix false positives on `params.to_json`
* Fix model path guesses to use "models/" instead of "controllers/"
* Clean up SQL CVE warning messages
* Use exceptions instead of abort in brakeman lib
* Update to Ruby2Ruby 2.0.5

--
Posted via http://www.ruby-forum.com/.
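The "Marshal/CSV deserialization check" entry above concerns rebuilding objects from data the application does not control. As an added illustration (not code from Brakeman or from this announcement), the Ruby below puts the pattern such a check reports beside a data-only alternative; `AdminSession`, the `restore_prefs_*` methods and the payloads are constructed for this example.

```ruby
require 'json'

# Constructed internal class: a type the endpoint never intended to accept.
class AdminSession
  attr_reader :role

  def initialize(role)
    @role = role
  end
end

# Vulnerable pattern (the kind a deserialization check reports): Marshal.load
# rebuilds whatever object the bytes describe, so the sender of the bytes,
# not the application, decides which class gets instantiated.
def restore_prefs_unsafe(raw)
  Marshal.load(raw)
end

# Hardened form: parse a data-only format and validate the shape explicitly,
# so only plain Hash/String values ever come out of untrusted input.
ALLOWED_THEMES = %w[light dark].freeze

def restore_prefs_safe(raw)
  data = JSON.parse(raw)
  raise ArgumentError, 'prefs must be a JSON object' unless data.is_a?(Hash)
  theme = data['theme']
  raise ArgumentError, 'unknown theme' unless ALLOWED_THEMES.include?(theme)
  { theme: theme }
rescue JSON::ParserError
  raise ArgumentError, 'prefs must be valid JSON'
end

# Constructed payloads standing in for a cookie or parameter value.
BENIGN_PAYLOAD  = Marshal.dump({ theme: 'dark' })
HOSTILE_PAYLOAD = Marshal.dump(AdminSession.new('admin'))

if __FILE__ == $PROGRAM_NAME
  p restore_prefs_unsafe(BENIGN_PAYLOAD)         # {:theme=>"dark"}
  p restore_prefs_unsafe(HOSTILE_PAYLOAD).class  # AdminSession
  p restore_prefs_safe('{"theme":"dark"}')       # {:theme=>"dark"}
end
```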