brakeman-min 7.0.2 → 7.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e8740dbaf52c1cba5a1c5afde01f41180ecf808e417d0cdcc274affbdcc684d
-  data.tar.gz: 83180ce5a3bfbf62f03ddf4fdbdf396ab66fc3a1b41dcdc5d5ff59d0699d5cff
+  metadata.gz: dd61d8da658d0f4da21e1f854a04c0e9423a91797bd93ec2a754ee6cc113570f
+  data.tar.gz: 2a725267c5b8296686867da71b9c2286c4ed423c12bb43f204dd10697afbe08f
 SHA512:
-  metadata.gz: 0c149490c10d73ac6d43f310b97c6bbed414062c544e4d8de4cd6e0df7bbf898973b09f7e17fafe1b689f66fad7e41a31e82eb710043497e00aa848b3aadeeb9
-  data.tar.gz: c32763c096908fbd24f0f418168d6e59879bf5aa03626d45fced5eb013d4fed1fe606f448a257379132af3675cc6fcc2563400b3eda5005669d530fb5e74200c
+  metadata.gz: a85e7dfae5e7dad5a99043c1f785c063a9deee56ab797d70a718ef3f6f8031dbe6b9a3307124d83c016443ae34ef15485a3f594282edf8775797a90d64a5384c
+  data.tar.gz: 70fd83ef6e68861ff57a4809098548c729fcbb67e164f541a5da4a523bb2e7a0d9a3e43f730332317e13917c9432a132af5393a8e5f0368d06abb2ea32ff6b52

data/CHANGES.md

@@ -1,3 +1,27 @@
+# 7.1.1 - 2025-11-03
+
+* Fix false positive when calling `with_content` on ViewComponents (Peer Allan)
+* Word wrap text output in pager
+* Consider Tempfile.create.path as safe input (Ali Ismayilov)
+* Exclude directories before searching for files
+* Check each side of `or` SQL arguments
+* Ignore attribute builder in Haml 6
+* Add `FilePath#to_path` for Ruby 3.5 compatibility (S-H-GAMELINKS)
+* Fix SQL injection check for calculate method (Rohan Sharma)
+* Fix missing `td` in HTML report (John Hawthorn)
+* Check for unsafe SQL when two arguments are passed to AR methods (Patrick Brinich-Langlois)
+
+# 7.1.0 - 2025-07-18
+
+* Add EOL dates for Rails 8.0 and Ruby 3.4
+* Support render model shortcut
+* Use lazy file lists for AppTree
+* Add Haml 6.x support
+* Improve ignored warnings layout in HTML report (Sebastien Savater)
+* Update JUnit report for CircleCI (Philippe Bernery)
+* Only load escape functionality from cgi library (Earlopain)
+* Add `--ensure-no-obsolete-ignore-entries` option (viralpraxis)
+
 # 7.0.2 - 2025-04-04
 
 * Fix error with empty `BUNDLE_GEMFILE` env variable

data/README.md

@@ -1,7 +1,7 @@
 [![Brakeman Logo](http://brakemanscanner.org/images/logo_medium.png)](http://brakemanscanner.org/)
 
 [![Build Status](https://circleci.com/gh/presidentbeef/brakeman.svg?style=svg)](https://circleci.com/gh/presidentbeef/brakeman)
-[![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
+[![Code Coverage](https://qlty.sh/gh/presidentbeef/projects/brakeman/coverage.svg)](https://qlty.sh/gh/presidentbeef/projects/brakeman)
 
 # Brakeman
 

data/lib/brakeman/app_tree.rb

@@ -33,6 +33,7 @@ module Brakeman
     #   * "path1/" - Matches any path that contains "path1" in the project directory.
     #   * "/path1/ - Matches any path that is rooted at "path1" in the project directory.
     #
+    # TODO: This is wacky and I don't like it.
     def self.regex_for_paths(paths)
       path_regexes = paths.map do |f|
         # If path ends in a file separator then we assume it is a path rather
@@ -145,6 +146,17 @@ module Brakeman
       end
     end
 
+
+    # Call this to be able to marshall the AppTree
+    def marshallable
+      @initializer_paths = @initializer_paths.to_a
+      @controller_paths = @controller_paths.to_a
+      @template_paths = @template_paths.to_a
+      @lib_files = @file_paths.to_a
+
+      self
+    end
+
   private
 
     def find_helper_paths
@@ -160,7 +172,7 @@ module Brakeman
     end
 
     def find_paths(directory, extensions = ".rb")
-      select_files(glob_files(directory, "*", extensions).sort)
+      select_files(glob_files(directory, "*", extensions))
     end
 
     def glob_files(directory, name, extensions = ".rb")
@@ -179,10 +191,15 @@ module Brakeman
         end
 
         files = patterns.flat_map { |pattern| Dir.glob(pattern) }
-        files.uniq
+        files.uniq.lazy
       else
-        pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
-        Dir.glob(pattern)
+        if directory == '.'
+          pattern = File.join(top_directories_pattern, '**', "#{name}#{extensions}")
+        else
+          pattern = "#{root_search_pattern}#{directory}/**/#{name}#{extensions}"
+        end
+
+        Dir.glob(pattern).lazy
       end
     end
 
@@ -191,7 +208,8 @@ module Brakeman
       paths = reject_skipped_files(paths)
       paths = convert_to_file_paths(paths)
       paths = reject_global_excludes(paths)
-      reject_directories(paths)
+      paths = reject_directories(paths)
+      paths
     end
 
     def reject_directories(paths)
@@ -245,18 +263,47 @@ module Brakeman
     end
 
     def match_path files, path
+      # TODO: Converting to Pathnames and Strings seems like a lot
+      # of converting that could perhaps all be handled in Brakeman::FilePath
+      # instead?
       absolute_path = Pathname.new(path)
+
       # relative root never has a leading separator. But, we use a leading
       # separator in a @skip_files entry to imply that a directory is
       # "absolute" with respect to the project directory.
-      project_relative_path = File.join(
-        File::SEPARATOR,
-        absolute_path.relative_path_from(@project_root_path).to_s
-      )
+      #
+      # Also directories need a trailing separator.
+      project_relative_path = if File.directory?(path)
+        File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(@project_root_path).to_s,
+          File::SEPARATOR
+        )
+      else
+        File.join(
+          File::SEPARATOR,
+          absolute_path.relative_path_from(@project_root_path).to_s
+        )
+      end
 
       files.match(project_relative_path)
     end
 
+    def top_directories_pattern
+      top_dirs = convert_to_file_paths(Dir.glob(File.join(root_search_pattern, '*/')))
+      top_dirs.reject! { |d| File.symlink?(d) or !File.directory?(d) }
+      top_dirs = reject_global_excludes(top_dirs)
+      top_dirs = reject_skipped_files(top_dirs)
+
+      if top_dirs.empty?
+        # Fall back to searching everything, otherwise the empty pattern
+        # will start searching from the global root
+        root_search_pattern
+      else
+        "{#{top_dirs.join(',')}}"
+      end
+    end
+
     def root_search_pattern
       return @root_search_pattern if @root_search_pattern
       @root_search_pattern = search_pattern(@root)

data/lib/brakeman/checks/base_check.rb

@@ -151,10 +151,13 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     method[-1] == "?"
   end
 
-  TEMP_FILE_PATH = s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze
+  TEMP_FILE_PATH = [
+    s(:call, s(:call, s(:const, :Tempfile), :new), :path).freeze,
+    s(:call, s(:call, s(:const, :Tempfile), :create), :path).freeze
+  ].freeze
 
   def temp_file_path? exp
-    exp == TEMP_FILE_PATH
+    TEMP_FILE_PATH.include? exp
   end
 
   #Report a warning

data/lib/brakeman/checks/check_eol_rails.rb

@@ -25,5 +25,6 @@ class Brakeman::CheckEOLRails < Brakeman::EOLCheck
     ['7.0.0', '7.0.99'] => Date.new(2025, 4, 1),
     ['7.1.0', '7.1.99'] => Date.new(2025, 10, 1),
     ['7.2.0', '7.2.99'] => Date.new(2026, 8, 9),
+    ['8.0.0', '8.0.99'] => Date.new(2026, 10, 7),
   }
 end

data/lib/brakeman/checks/check_eol_ruby.rb

@@ -25,5 +25,6 @@ class Brakeman::CheckEOLRuby < Brakeman::EOLCheck
     ['3.1.0', '3.1.99'] => Date.new(2025, 3, 31),
     ['3.2.0', '3.2.99'] => Date.new(2026, 3, 31),
     ['3.3.0', '3.3.99'] => Date.new(2027, 3, 31),
+    ['3.4.0', '3.4.99'] => Date.new(2028, 3, 31),
   }
 end

data/lib/brakeman/checks/check_render.rb

@@ -101,6 +101,11 @@ class Brakeman::CheckRender < Brakeman::BaseCheck
   def renderable? exp
     return false unless call?(exp) and constant?(exp.target)
 
+    if exp.method == :with_content
+      exp = exp.target
+    end
+
+    return false unless constant?(exp.target)
     target_class_name = class_name(exp.target)
     known_renderable_class?(target_class_name) or tracker.find_method(:render_in, target_class_name)
   end

data/lib/brakeman/checks/check_sql.rb

@@ -188,11 +188,15 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                       when :find_by_sql, :count_by_sql
                         check_by_sql_arguments call.first_arg
                       when :calculate
-                        check_find_arguments call.third_arg
+                        if call.arglist.length > 2
+                          unsafe_sql?(call.second_arg) or check_find_arguments(call.third_arg)
+                        elsif call.arglist.length > 1
+                          unsafe_sql?(call.second_arg)
+                        end
                       when :last, :first, :all
                         check_find_arguments call.first_arg
                       when :average, :count, :maximum, :minimum, :sum
-                        if call.length > 5
+                        if call.arglist.length > 1
                           unsafe_sql?(call.first_arg) or check_find_arguments(call.last_arg)
                         else
                           check_find_arguments call.last_arg
@@ -315,6 +319,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       check_hash_keys arg
     elsif node_type? arg, :lit, :str
       nil
+    elsif node_type? arg, :or
+      check_query_arguments(arg.lhs) or
+        check_query_arguments(arg.rhs)
     else
       #Hashes are safe...but we check above for hash, so...?
       unsafe_sql? arg, :ignore_hash

data/lib/brakeman/commandline.rb

@@ -145,6 +145,11 @@ module Brakeman
           quit Brakeman::Errors_Found_Exit_Code
         end
 
+        if tracker.options[:ensure_no_obsolete_ignore_entries] && tracker.unused_fingerprints.any?
+          warn '[Error] Obsolete ignore entries were found, exiting with an error code.'
+          quit Brakeman::Obsolete_Ignore_Entries_Exit_Code
+        end
+
         if ensure_ignore_notes_failed
           quit Brakeman::Empty_Ignore_Note_Exit_Code
         end

data/lib/brakeman/file_path.rb

@@ -68,6 +68,10 @@ module Brakeman
       self.absolute
     end
 
+    # Required for Pathname compatibility.
+    # Ruby 3.5+ requires Pathname#initialize to receive a String or an object with to_path method.
+    alias to_path to_str
+
     # Returns a string with the absolute path.
     def to_s
       self.to_str

data/lib/brakeman/messages.rb

@@ -86,7 +86,7 @@ class Brakeman::Messages::Message
   end
 
   def to_html
-    require 'cgi'
+    require 'cgi/escape'
 
     output = @parts.map(&:to_html).join
 

data/lib/brakeman/options.rb

@@ -71,6 +71,10 @@ module Brakeman::Options
           options[:ensure_ignore_notes] = true
         end
 
+        opts.on "--ensure-no-obsolete-ignore-entries", "Fail when an obsolete ignore entry is found" do
+          options[:ensure_no_obsolete_ignore_entries] = true
+        end
+
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end

data/lib/brakeman/parsers/haml6_embedded.rb

@@ -0,0 +1,23 @@
+[:Coffee, :CoffeeScript, :Markdown, :Sass].each do |name|
+  klass = Module.const_get("Haml::Filters::#{name}")
+
+  klass.define_method(:compile) do |node|
+    temple = [:multi]
+    temple << [:static, "<script>\n"]
+    temple << compile_with_tilt(node)
+    temple << [:static, "</script>"]
+    temple
+  end
+
+  klass.define_method(:compile_with_tilt) do |node|
+    # From Haml
+    text = ::Haml::Util.unescape_interpolation(node.value[:text]).gsub(/(\\+)n/) do |s|
+      escapes = $1.size
+      next s if escapes % 2 == 0
+      "#{'\\' * (escapes - 1)}\n"
+    end
+    text.prepend("\n").sub!(/\n"\z/, '"')
+
+    [:dynamic, "BrakemanFilter.render(#{text})"]
+  end
+end

data/lib/brakeman/parsers/template_parser.rb

@@ -24,6 +24,7 @@ module Brakeman
                 type = :erubis if erubis?
                 parse_erb path, text
               when :haml
+                type = :haml6 if haml6?
                 parse_haml path, text
               when :slim
                 parse_slim path, text
@@ -74,19 +75,43 @@ module Brakeman
     end
 
     def parse_haml path, text
-      Brakeman.load_brakeman_dependency 'haml'
-      require_relative 'haml_embedded'
+      if haml6?
+        require_relative 'haml6_embedded'
+
+        Haml::Template.new(filename: path.relative,
+                           :escape_html => tracker.config.escape_html?,
+                           generator: Temple::Generators::RailsOutputBuffer,
+                           use_html_safe: true,
+                           buffer_class: 'ActionView::OutputBuffer',
+                           disable_capture: true,
+                          ) { text }.precompiled_template
+      else
+        require_relative 'haml_embedded'
 
-      Haml::Engine.new(text,
-                       :filename => path,
-                       :escape_html => tracker.config.escape_html?,
-                       :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
-                      ).precompiled.gsub(/([^\\])\\n/, '\1')
+        Haml::Engine.new(text,
+                         :filename => path,
+                         :escape_html => tracker.config.escape_html?,
+                         :escape_filter_interpolations => tracker.config.escape_filter_interpolations?
+                        ).precompiled.gsub(/([^\\])\\n/, '\1')
+      end
     rescue Haml::Error => e
       tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
       nil
     end
 
+    def haml6?
+      return @haml6 unless @haml6.nil?
+
+      Brakeman.load_brakeman_dependency 'haml'
+      major_version = Haml::VERSION.split('.').first.to_i
+
+      if major_version >= 6
+        @haml6 = true
+      else
+        @haml6 = false
+      end
+    end
+
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
 

data/lib/brakeman/processor.rb

@@ -63,6 +63,8 @@ module Brakeman
         result = ErbTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :haml
         result = HamlTemplateProcessor.new(@tracker, name, called_from, file_name).process src
+      when :haml6
+        result = Haml6TemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :erubis
         result = ErubisTemplateProcessor.new(@tracker, name, called_from, file_name).process src
       when :slim

data/lib/brakeman/processors/alias_processor.rb

@@ -436,6 +436,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.method == :open
   end
 
+  def temp_file_create? exp
+    call? exp and
+      exp.target == TEMP_FILE_CLASS and
+      exp.method == :create
+  end
+
   def temp_file_new line
     s(:call, TEMP_FILE_CLASS, :new).line(line)
   end
@@ -465,6 +471,9 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       elsif temp_file_open? call
         local = Sexp.new(:lvar, block_args.last)
         env.current[local] = temp_file_new(exp.line)
+      elsif temp_file_create? call
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = temp_file_new(exp.line)
       else
         block_args.each do |e|
           #Force block arg(s) to be local

data/lib/brakeman/processors/base_processor.rb

@@ -205,6 +205,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     rest = process rest
     result = Sexp.new(:render, render_type, value, rest)
     result.line(exp.line)
+
     result
   end
 
@@ -240,6 +241,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
     elsif first_arg.nil?
       type = :default
     elsif not hash? first_arg
+      # Maybe do partial if in view?
       type = :action
       value = first_arg
     end

data/lib/brakeman/processors/haml6_template_processor.rb

@@ -0,0 +1,92 @@
+require 'brakeman/processors/haml_template_processor'
+
+class Brakeman::Haml6TemplateProcessor < Brakeman::HamlTemplateProcessor
+
+  OUTPUT_BUFFER = s(:ivar, :@output_buffer)
+  HAML_UTILS = s(:colon2, s(:colon3, :Haml), :Util)
+  HAML_UTILS2 = s(:colon2, s(:const, :Haml), :Util)
+  # @output_buffer = output_buffer || ActionView::OutputBuffer.new
+  AV_SAFE_BUFFER = s(:or, s(:call, nil, :output_buffer), s(:call, s(:colon2, s(:const, :ActionView), :OutputBuffer), :new))
+  EMBEDDED_FILTER = s(:const, :BrakemanFilter)
+
+  def initialize(*)
+    super
+
+    # Because of how Haml 6 handles line breaks -
+    # we have to track where _haml_compiler variables are assigned.
+    # then change the line number of where they are output to where
+    # they are assigned.
+    #
+    # Like this:
+    #
+    #   ; _haml_compiler1 = (params[:x]; 
+    #   ; ); @output_buffer.safe_concat((((::Haml::Util.escape_html_safe((_haml_compiler1))).to_s).to_s));
+    #
+    #  `_haml_compiler1` is output a line after it's assigned,
+    #  but the assignment matches the "real" line where it is output in the template.
+    @compiler_assigns = {}
+  end
+
+  # @output_buffer.safe_concat
+  def buffer_append? exp
+    call? exp and
+      output_buffer? exp.target and
+      exp.method == :safe_concat
+  end
+
+  def process_lasgn exp
+    if exp.lhs.match?(/_haml_compiler\d+/)
+      @compiler_assigns[exp.lhs] = exp.rhs
+      ignore
+    else
+      exp
+    end
+  end
+
+  def process_lvar exp
+    if exp.value.match?(/_haml_compiler\d+/)
+      exp = @compiler_assigns[exp.value] || exp
+    end
+
+    exp
+  end
+
+  def is_escaped? exp
+    return unless call? exp
+
+    html_escaped? exp or
+      javascript_escaped? exp
+  end
+
+  def javascript_escaped? call
+    # TODO: Adding here to match existing behavior for HAML,
+    # but really this is not safe and needs to be revisited
+      call.method == :j or
+        call.method == :escape_javascript
+  end
+
+  def html_escaped? call
+    (call.target == HAML_UTILS or call.target == HAML_UTILS2) and
+      (call.method == :escape_html or call.method == :escape_html_safe)
+  end
+
+  def output_buffer? exp
+    exp == OUTPUT_BUFFER or
+      exp == AV_SAFE_BUFFER
+  end
+
+  def normalize_output arg
+    arg = super(arg)
+
+    if embedded_filter? arg
+      super(arg.first_arg)
+    else
+      arg
+    end
+  end
+
+  # Handle our "fake" embedded filters
+  def embedded_filter? arg
+    call? arg and arg.method == :render and arg.target == EMBEDDED_FILTER
+  end
+end

data/lib/brakeman/processors/haml_template_processor.rb

@@ -84,6 +84,12 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     :escape_once_without_haml_xss
   ]
 
+  def is_escaped? exp
+    return unless call? exp
+
+    haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+  end
+
   def get_pushed_value exp, default = :output
     return exp unless sexp? exp
 
@@ -113,7 +119,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
     when :call
       if exp.method == :to_s or exp.method == :strip
         get_pushed_value(exp.target, default)
-      elsif haml_helpers? exp.target and ESCAPE_METHODS.include? exp.method
+      elsif is_escaped? exp
         get_pushed_value(exp.first_arg, :escaped_output)
       elsif @javascript and (exp.method == :j or exp.method == :escape_javascript) # TODO: Remove - this is not safe
         get_pushed_value(exp.first_arg, :escaped_output)
@@ -160,7 +166,7 @@ class Brakeman::HamlTemplateProcessor < Brakeman::TemplateProcessor
   def haml_attribute_builder? exp
     call? exp and
       exp.target == ATTRIBUTE_BUILDER and
-      exp.method == :build
+      (exp.method == :build or exp.method == :build_id)
   end
 
   def fix_textareas? exp

data/lib/brakeman/processors/lib/render_helper.rb

@@ -9,7 +9,14 @@ module Brakeman::RenderHelper
     @rendered = true
     case exp.render_type
     when :action, :template, :inline
-      process_action exp[2][1], exp[3], exp.line
+      action = exp[2]
+      args = exp[3]
+
+      if string? action or symbol? action
+        process_action action.value, args, exp.line
+      else
+        process_model_action action, args
+      end
     when :default
       begin
         process_template template_name, exp[3], nil, exp.line
@@ -49,6 +56,36 @@ module Brakeman::RenderHelper
   def process_action name, args, line
     if name.is_a? String or name.is_a? Symbol
       process_template template_name(name), args, nil, line
+    else
+      Brakeman.debug "Not processing render #{name.inspect}"
+    end
+  end
+
+  SINGLE_RECORD = [:first, :find, :last, :new]
+  COLLECTION = [:all, :where]
+
+  def process_model_action action, args
+    return unless call? action
+
+    method = action.method
+
+    klass = get_class_target(action) || Brakeman::Tracker::UNKNOWN_MODEL
+    name = Sexp.new(:lit, klass.downcase)
+
+    if SINGLE_RECORD.include? method
+      # Set a local variable with name based on class of model
+      # and value of the value passed to render
+      local_key = Sexp.new(:lit, :locals)
+      locals = hash_access(args, local_key) || Sexp.new(:hash)
+      hash_insert(locals, name, action)
+      hash_insert(args, local_key, locals)
+
+      process_partial name, args, action.line
+    elsif COLLECTION.include? method
+      collection_key = Sexp.new(:lit, :collection)
+      hash_insert(args, collection_key, action)
+
+      process_partial name, args, action.line
     end
   end
 

data/lib/brakeman/processors/template_processor.rb

@@ -56,7 +56,7 @@ class Brakeman::TemplateProcessor < Brakeman::BaseProcessor
   # Pull out actual output value from template
   def normalize_output arg
     if call? arg and [:to_s, :html_safe!, :freeze].include? arg.method
-      arg.target
+      normalize_output(arg.target) # sometimes it's foo.to_s.to_s
     elsif node_type? arg, :if
       branches = [arg.then_clause, arg.else_clause].compact
 

data/lib/brakeman/report/pager.rb

@@ -92,7 +92,7 @@ module Brakeman
       if system("which less > /dev/null")
         less_help = `less -?`
 
-        ["-R ", "-F ", "-X "].each do |opt|
+        ["-R ", "-F ", "-X ", " --wordwrap"].each do |opt|
           if less_help.include? opt
             @less_options << opt
           end

data/lib/brakeman/report/report_html.rb

@@ -1,4 +1,4 @@
-require 'cgi'
+require 'cgi/escape'
 require 'brakeman/report/report_table.rb'
 
 class Brakeman::Report::HTML < Brakeman::Report::Table

data/lib/brakeman/report/report_junit.rb

@@ -9,50 +9,7 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
     doc.add REXML::XMLDecl.new '1.0', 'UTF-8'
 
     test_suites = REXML::Element.new 'testsuites'
-    test_suites.add_attribute 'xmlns:brakeman', 'https://brakemanscanner.org/'
-    properties = test_suites.add_element 'brakeman:properties', { 'xml:id' => 'scan_info' }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'app_path', 'brakeman:value' => tracker.app_path }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'rails_version', 'brakeman:value' => rails_version }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'security_warnings', 'brakeman:value' => all_warnings.length }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'start_time', 'brakeman:value' => tracker.start_time.iso8601 }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'end_time', 'brakeman:value' => tracker.end_time.iso8601 }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'duration', 'brakeman:value' => tracker.duration }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'checks_performed', 'brakeman:value' => checks.checks_run.join(',') }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_controllers', 'brakeman:value' => tracker.controllers.length }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_models', 'brakeman:value' => tracker.models.length - 1 }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'ruby_version', 'brakeman:value' => number_of_templates(@tracker) }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'number_of_templates', 'brakeman:value' => RUBY_VERSION }
-    properties.add_element 'brakeman:property', { 'brakeman:name' => 'brakeman_version', 'brakeman:value' => Brakeman::Version }
 
-    errors = test_suites.add_element 'brakeman:errors'
-    tracker.errors.each { |e|
-      error = errors.add_element 'brakeman:error'
-      error.add_attribute 'brakeman:message', e[:error]
-      e[:backtrace].each { |b|
-        backtrace = error.add_element 'brakeman:backtrace'
-        backtrace.add_text b
-      }
-    }
-
-    obsolete = test_suites.add_element 'brakeman:obsolete'
-    tracker.unused_fingerprints.each { |fingerprint|
-      obsolete.add_element 'brakeman:warning', { 'brakeman:fingerprint' => fingerprint }
-    }
-
-    ignored = test_suites.add_element 'brakeman:ignored'
-    ignored_warnings.each { |w|
-      warning = ignored.add_element 'brakeman:warning'
-      warning.add_attribute 'brakeman:message', w.message
-      warning.add_attribute 'brakeman:category', w.warning_type
-      warning.add_attribute 'brakeman:file', warning_file(w)
-      warning.add_attribute 'brakeman:line', w.line
-      warning.add_attribute 'brakeman:fingerprint', w.fingerprint
-      warning.add_attribute 'brakeman:confidence', w.confidence_name 
-      warning.add_attribute 'brakeman:code', w.format_code
-      warning.add_text w.to_s
-    }
-
-    hostname = `hostname`.strip
     i = 0
     all_warnings
       .map { |warning| [warning.file, [warning]] }
@@ -66,35 +23,25 @@ class Brakeman::Report::JUnit < Brakeman::Report::Base
         test_suite = test_suites.add_element 'testsuite'
         test_suite.add_attribute 'id', i
         test_suite.add_attribute 'package', 'brakeman'
-        test_suite.add_attribute 'name', file.relative
+        test_suite.add_attribute 'file', file.relative
         test_suite.add_attribute 'timestamp', tracker.start_time.strftime('%FT%T')
-        test_suite.add_attribute 'hostname', hostname == '' ? 'localhost' : hostname
         test_suite.add_attribute 'tests', checks.checks_run.length
         test_suite.add_attribute 'failures', warnings.length
         test_suite.add_attribute 'errors', '0'
         test_suite.add_attribute 'time', '0'
 
-        test_suite.add_element 'properties'
-
         warnings.each { |warning|
           test_case = test_suite.add_element 'testcase'
-          test_case.add_attribute 'name', 'run_check'
-          test_case.add_attribute 'classname', warning.check
+          test_case.add_attribute 'name', warning.check.sub(/^Brakeman::/, '')
+          test_case.add_attribute 'file', file.relative
+          test_case.add_attribute 'line', warning.line if warning.line
           test_case.add_attribute 'time', '0'
 
           failure = test_case.add_element 'failure'
           failure.add_attribute 'message', warning.message
           failure.add_attribute 'type', warning.warning_type
-          failure.add_attribute 'brakeman:fingerprint', warning.fingerprint
-          failure.add_attribute 'brakeman:file', warning_file(warning)
-          failure.add_attribute 'brakeman:line', warning.line
-          failure.add_attribute 'brakeman:confidence', warning.confidence_name 
-          failure.add_attribute 'brakeman:code', warning.format_code
           failure.add_text warning.to_s
         }
-
-        test_suite.add_element 'system-out'
-        test_suite.add_element 'system-err'
       }
 
     doc.add test_suites

data/lib/brakeman/report/templates/header.html.erb

@@ -9,10 +9,15 @@
     function toggle(context) {
       var elem = document.getElementById(context);
 
-      if (elem.style.display != "block")
+      if (elem.style.display != "block") {
         elem.style.display = "block";
-      else
+
+        elem.querySelectorAll("table").forEach(function(table) {
+          $(table).DataTable().columns.adjust();
+        });
+      } else {
         elem.style.display = "none";
+      }
 
       elem.parentNode.scrollIntoView();
     }
@@ -46,7 +51,7 @@
     <tr>
       <td><%= tracker.app_path %></td>
       <td><%= rails_version %></td>
-      <td><%= brakeman_version %>
+      <td><%= brakeman_version %></td>
       <td>
         <%= tracker.start_time %><br><br>
         <%= tracker.duration %> seconds

data/lib/brakeman/report/templates/ignored_warnings.html.erb

@@ -1,6 +1,6 @@
 <div onClick="toggle('ignored_table');">  <h2><%= warnings.length %> Ignored Warnings (click to see them)</h2 ></div>
-<div>
-  <table style="display:none" id="ignored_table">
+<div style="display:none; width:100%" id="ignored_table">
+  <table>
     <thead>
       <tr>
         <th>Confidence</th>
@@ -8,7 +8,7 @@
         <th>Warning Type</th>
         <th>CWE ID</th>
         <th>Message</th>
-        <th>Note</th>
+        <th width="auto">Note</th>
       </tr>
     </thead>
     <tbody>

data/lib/brakeman/tracker.rb

@@ -441,4 +441,10 @@ class Brakeman::Tracker
 
     @call_index.remove_indexes_by_file path
   end
+
+  # Call this to be able to marshal the Tracker
+  def marshallable
+    @app_tree.marshallable
+    self
+  end
 end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "7.0.2"
+  Version = "7.1.1"
 end

data/lib/brakeman.rb

@@ -24,6 +24,10 @@ module Brakeman
   #--ensure-ignore-notes is set
   Empty_Ignore_Note_Exit_Code = 8
 
+  # Exit code returned when at least one obsolete ignore entry is present
+  # and `--ensure-no-obsolete-ignore-entries` is set.
+  Obsolete_Ignore_Entries_Exit_Code = 9
+
   @debug = false
   @quiet = false
   @loaded_dependencies = []

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 7.0.2
+  version: 7.1.1
 platform: ruby
 authors:
 - Justin Collins
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-04 00:00:00.000000000 Z
+date: 2025-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -235,6 +235,7 @@ files:
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
 - lib/brakeman/parsers/erubis_patch.rb
+- lib/brakeman/parsers/haml6_embedded.rb
 - lib/brakeman/parsers/haml_embedded.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
@@ -250,6 +251,7 @@ files:
 - lib/brakeman/processors/erb_template_processor.rb
 - lib/brakeman/processors/erubis_template_processor.rb
 - lib/brakeman/processors/gem_processor.rb
+- lib/brakeman/processors/haml6_template_processor.rb
 - lib/brakeman/processors/haml_template_processor.rb
 - lib/brakeman/processors/lib/basic_processor.rb
 - lib/brakeman/processors/lib/call_conversion_helper.rb