RubyGems - brakeman-min - Versions diffs - 5.4.1 → 6.0.0 - Mend

brakeman-min 5.4.1 → 6.0.0

Files changed (12) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a188afc9f3a8b700140582ea3bf9632ef909fde940fb24dd62a71e5d217944c1
-  data.tar.gz: 92d9d4e2a79ad4119866dd24238521052bfb2bd10d2511ac9dbeeec1a3576f4e
+  metadata.gz: 84b6e99be6a1ace4751801f306ab240f4ae95b816f334638c31d8723141626f9
+  data.tar.gz: 89d6d23b4a36f1f9613a8d7053baf686d4e270dff05f0ae9ea416eed96f89374
 SHA512:
-  metadata.gz: 9cf69d5ddc77ffc77096e46a57511847304821e5f655e9c19cc371e7aeeb96f766c2e5956618f942d27dfce68ef31142f3d74b1ef5e0bcb979bcd63929f68030
-  data.tar.gz: c3e1fbf2240fc9bc2a1cb58d724321d36c443bd84dedae296746e1a3e26345ca033d7be199ce7fda0f375e8144cb2b7ecef2a1179e4733f995e714d6c43c029c
+  metadata.gz: 2f35f6f6f70184b74cfa6660e82545f0e2328067575e114e8a5e425168bf58b6f7c3adb9f39bc02cb7cc902816c2fa15d115095c04201e6e32427128c7e767b8
+  data.tar.gz: 480cde72b7d0bd9fb253a5b0af4a22ddfd56fd1967dbede8daa6c357415fac4e5bddfacd2a2f5d53c0663713ff1ccc5ed0568b5522d9240c31ef140a371ea27c

data/CHANGES.md CHANGED Viewed

@@ -1,3 +1,13 @@
+# 6.0.0 - 2023-05-24
+* Add obsolete fingerprints to comparison report
+* Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
+* Scan directories that include the word `public`
+* Raise minimum Ruby version to 3.0
+* Drop support for Ruby 1.8/1.9 syntax
+* Fix end-of-life dates for Ruby
+* Fix false positive with `content_tag` in newer Rails
 # 5.4.1 - 2023-02-21
 * Fix file/line location for EOL software warnings

data/README.md CHANGED Viewed

@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 Brakeman should work with any version of Rails from 2.3.x to 7.x.
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.5.0 to run.
+Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
 # Basic Options
@@ -182,7 +182,7 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
-There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
+There are a couple [GitHub Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
 # Building

data/lib/brakeman/app_tree.rb CHANGED Viewed

@@ -197,7 +197,6 @@ module Brakeman
       spec/
       test/
       tmp/
-      public/
       log/
     ]

data/lib/brakeman/checks/check_content_tag.rb CHANGED Viewed

@@ -73,11 +73,14 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       check_argument result, content
     end
-    #Attribute keys are never escaped, so check them for user input
-    if not @matched and hash? attributes and not request_value? attributes
-      hash_iterate(attributes) do |k, _v|
-        check_argument result, k
-        return if @matched
+    # This changed in Rails 6.1.6
+    if version_between? '0.0.0', '6.1.5'
+      #Attribute keys are never escaped, so check them for user input
+      if not @matched and hash? attributes and not request_value? attributes
+        hash_iterate(attributes) do |k, _v|
+          check_argument result, k
+          return if @matched
+        end
       end
     end

data/lib/brakeman/checks/check_eol_ruby.rb CHANGED Viewed

@@ -21,6 +21,8 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
     ['2.5.0', '2.5.99'] => Date.new(2021, 3, 31),
     ['2.6.0', '2.6.99'] => Date.new(2022, 3, 31),
     ['2.7.0', '2.7.99'] => Date.new(2023, 3, 31),
-    ['3.0.0', '2.8.99'] => Date.new(2024, 3, 31),
+    ['3.0.0', '3.0.99'] => Date.new(2024, 3, 31),
+    ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
+    ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
   }
 end

data/lib/brakeman/report/report_github.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# Github Actions Formatter
+# GitHub Actions Formatter
 # Formats warnings as workflow commands to create annotations in GitHub UI
 class Brakeman::Report::Github < Brakeman::Report::Base
   def generate_report

data/lib/brakeman/scanner.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 begin
   Brakeman.load_brakeman_dependency 'ruby_parser'
-  Brakeman.load_brakeman_dependency 'ruby_parser/legacy'
   require 'ruby_parser/bm_sexp.rb'
   require 'ruby_parser/bm_sexp_processor.rb'
   require 'brakeman/processor'

data/lib/brakeman/tracker/config.rb CHANGED Viewed

@@ -20,9 +20,7 @@ module Brakeman
     def default_protect_from_forgery?
       if version_between? "5.2.0.beta1", "9.9.9"
-        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:false)
-          return false
-        else
+        if @rails.dig(:action_controller, :default_protect_from_forgery) == Sexp.new(:true)
           return true
         end
       end

data/lib/brakeman/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "5.4.1"
+  Version = "6.0.0"
 end

data/lib/brakeman.rb CHANGED Viewed

@@ -493,10 +493,14 @@ module Brakeman
     end
     tracker = run(options)
+    new_report = JSON.parse(tracker.report.to_json, symbolize_names: true)
-    new_results = JSON.parse(tracker.report.to_json, :symbolize_names => true)[:warnings]
+    new_results = new_report[:warnings]
+    obsolete_ignored = tracker.unused_fingerprints
-    Brakeman::Differ.new(new_results, previous_results).diff
+    Brakeman::Differ.new(new_results, previous_results).diff.tap do |diff|
+      diff[:obsolete] = obsolete_ignored
+    end
   end
   def self.load_brakeman_dependency name, allow_fail = false

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 5.4.1
+  version: 6.0.0
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-21 00:00:00.000000000 Z
+date: 2023-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -94,20 +94,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.19'
-- !ruby/object:Gem::Dependency
-  name: ruby_parser-legacy
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -375,7 +361,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.3
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.