brakeman-min 4.4.0 → 4.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4238826e8268de87080a3478ae1fc77f9a3008babe69274edc12b526cffa3dbe
-  data.tar.gz: d6a3b102d3c965cc92ec4a12052da0ca69f64bb7cc42c98d36641a4667ce743b
+  metadata.gz: 40fc5a73b9d4b7911a901dfd0c7d537bb83c7fc9dcd9d4b67b63236d8d5e46d3
+  data.tar.gz: 3999b64908f9a50b111e17cdd7e899d897bbdd900a44016e9a24afc5b810a6c9
 SHA512:
-  metadata.gz: 34eeacb132f5af9176e25d283bf9eca29c8c80836be9680bc6c09b16f160c24a2c0523f81a71992ee1fe9b3f3d0a00c2326aa0cc8c5851c1db6c00bcbde08033
-  data.tar.gz: a789832cb8340f5ebedd7153464e5526cce69762d9cceeadae10f13dd1913ad6adced3d88c595491f2d174aa1575627a92546c7c8807a30906d61b541ccd8e30
+  metadata.gz: 32246f144782227e0f3a024a4035862e46a93bbe83113a017d0f3c1fba4b1eb21f9f196b4a2d5a758b64cbdafc964533423e5c615e6124840d1f5b8e1ca89d4b
+  data.tar.gz: 42d84682807291640dc249fe12c9a0986d869d5ff51464af7ad4cfdeb9ad6a2d9e5e9a2c13adbdec7e7ed0c1471792f74bd371d7f04c577ca40178617f224831

data/CHANGES.md

@@ -1,3 +1,20 @@
+# 4.5.0
+
+* Update `ruby_parser`, use `ruby_parser-legacy`
+* More thoroughly handle `Shellwords` escaping
+* Handle non-integer version number comparisons
+* Use `FileParser` in `Scanner` to parse files
+* Add original exception to `Tracker#errors` list
+* Add support for CoffeeScript in Slim templates
+* Improve support for embedded template "filters"
+* Remove Sass dependency
+* Set location information in `CheckContentTag`
+* Stop swallowing exceptions in `AliasProcessor`
+* Avoid joining strings with different encodings
+* Handle `**` inside Hash literals
+* Better handling of splat/kwsplat arguments
+* Improve "user input" reported for SQL injection
+
 # 4.4.0
 
 * Set default encoding to UTF-8

data/lib/brakeman/checks/base_check.rb

@@ -348,6 +348,22 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       when :or
         has_immediate_user_input? exp.lhs or
         has_immediate_user_input? exp.rhs
+      when :splat, :kwsplat
+        exp.each_sexp do |e|
+          match = has_immediate_user_input?(e)
+          return match if match
+        end
+
+        false
+      when :hash
+        if kwsplat? exp
+          exp[1].each_sexp do |e|
+            match = has_immediate_user_input?(e)
+            return match if match
+          end
+
+          false
+        end
       else
         false
       end

data/lib/brakeman/checks/check_content_tag.rb

@@ -45,6 +45,16 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
   def process_result result
     return if duplicate? result
 
+    case result[:location][:type]
+    when :template
+      @current_template = result[:location][:template]
+    when :class
+      @current_class = result[:location][:class]
+      @current_method = result[:location][:method]
+    end
+
+    @current_file = result[:location][:file]
+
     call = result[:call] = result[:call].dup
 
     args = call.arglist
@@ -85,6 +95,8 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         end
       end
     end
+  ensure
+    @current_template = @current_class = @current_method = @current_file = nil
   end
 
   def check_argument result, exp

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -57,12 +57,12 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
     if exp.node_type == :output
       out = exp.value
-    elsif exp.node_type == :escaped_output
-      if raw_call? exp
-        out = exp.value.first_arg
-      elsif html_safe_call? exp
-        out = exp.value.target
-      end
+    end
+
+    if raw_call? exp
+      out = exp.value.first_arg
+    elsif html_safe_call? exp
+      out = exp.value.target
     end
 
     return if call? out and ignore_call? out.target, out.method

data/lib/brakeman/checks/check_evaluation.rb

@@ -27,7 +27,6 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
         :warning_type => "Dangerous Eval",
         :warning_code => :code_eval,
         :message => "User input in eval",
-        :code => result[:call],
         :user_input => input,
         :confidence => :high
     end

data/lib/brakeman/checks/check_execute.rb

@@ -90,6 +90,24 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     end
   end
 
+  def include_user_input? exp
+    if node_type? exp, :arglist, :dstr, :evstr, :dxstr
+      exp.each_sexp do |e|
+        if res = include_user_input?(e)
+          return res
+        end
+      end
+
+      false
+    else
+      if shell_escape? exp
+        false
+      else
+        super exp
+      end
+    end
+  end
+
   def dangerous_open_arg? exp
     if string_interp? exp
       # Check for input at start of string

data/lib/brakeman/checks/check_send.rb

@@ -28,7 +28,6 @@ class Brakeman::CheckSend < Brakeman::BaseCheck
         :warning_type => "Dangerous Send",
         :warning_code => :dangerous_send,
         :message => "User controlled method execution",
-        :code => result[:call],
         :user_input => input,
         :confidence => :high
     end

data/lib/brakeman/checks/check_session_manipulation.rb

@@ -27,7 +27,6 @@ class Brakeman::CheckSessionManipulation < Brakeman::BaseCheck
         :warning_type => "Session Manipulation",
         :warning_code => :session_key_manipulation,
         :message => msg(msg_input(input), " used as key in session hash"),
-        :code => result[:call],
         :user_input => input,
         :confidence => confidence
     end

data/lib/brakeman/checks/check_sql.rb

@@ -14,7 +14,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
   @description = "Check for SQL injection"
 
   def run_check
-    narrow_targets = [:exists?, :select]
+    # Avoid reporting `user_input` on silly values when generating warning.
+    # Note that we retroactively find `user_input` inside the "dangerous" value.
+    @safe_input_attributes.merge IGNORE_METHODS_IN_SQL
 
     @sql_targets = [:average, :calculate, :count, :count_by_sql, :delete_all, :destroy_all,
                     :find_by_sql, :maximum, :minimum, :pluck, :sum, :update_all]
@@ -43,6 +45,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     Brakeman.debug "Finding possible SQL calls on models"
     calls = tracker.find_call(:methods => @sql_targets, :nested => true)
 
+    narrow_targets = [:exists?, :select]
     calls.concat tracker.find_call(:targets => active_record_models.keys, :methods => narrow_targets, :chained => true)
 
     Brakeman.debug "Finding possible SQL calls with no target"
@@ -294,7 +297,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         # Model.where(params[:where])
         arg
       end
-    elsif hash? arg
+    elsif hash? arg and not kwsplat? arg
       #This is generally going to be a hash of column names and values, which
       #would escape the values. But the keys _could_ be user input.
       check_hash_keys arg
@@ -452,7 +455,13 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     when :dstr
       check_string_interp exp
     when :hash
-      check_hash_values exp unless ignore_hash
+      if kwsplat? exp and has_immediate_user_input? exp
+        exp
+      elsif not ignore_hash
+        check_hash_values exp
+      else
+        nil
+      end
     when :if
       unsafe_sql? exp.then_clause or unsafe_sql? exp.else_clause
     when :call

data/lib/brakeman/file_parser.rb

@@ -31,13 +31,17 @@ module Brakeman
       end
     end
 
-    def parse_ruby input, path
+    def parse_ruby input, path, parser = RubyParser.new
       begin
         Brakeman.debug "Parsing #{path}"
-        RubyParser.new.parse input, path, @timeout
+        parser.parse input, path, @timeout
       rescue Racc::ParseError => e
-        @tracker.error e, "Could not parse #{path}"
-        nil
+        if parser.class == RubyParser
+          return parse_ruby(input, path, RubyParser.latest)
+        else
+          @tracker.error e, "Could not parse #{path}"
+          nil
+        end
       rescue Timeout::Error => e
         @tracker.error Exception.new("Parsing #{path} took too long (> #{@timeout} seconds). Try increasing the limit with --parser-timeout"), caller
         nil

data/lib/brakeman/parsers/haml_embedded.rb

@@ -0,0 +1,44 @@
+module Brakeman
+  module FakeHamlFilter
+    # Copied from Haml - force delayed compilation
+    def compile(compiler, text)
+      filter = self
+      compiler.instance_eval do
+        text = unescape_interpolation(text).gsub(/(\\+)n/) do |s|
+          escapes = $1.size
+          next s if escapes % 2 == 0
+          ("\\" * (escapes - 1)) + "\n"
+        end
+        # We need to add a newline at the beginning to get the
+        # filter lines to line up (since the Haml filter contains
+        # a line that doesn't show up in the source, namely the
+        # filter name). Then we need to escape the trailing
+        # newline so that the whole filter block doesn't take up
+        # too many.
+        text = "\n" + text.sub(/\n"\Z/, "\\n\"")
+        push_script <<RUBY.rstrip, :escape_html => false
+find_and_preserve(#{filter.inspect}.render_with_options(#{text}, _hamlout.options))
+RUBY
+        return
+      end
+    end
+  end
+end
+
+# Fake CoffeeScript filter for Haml
+module Haml::Filters::Coffee
+  include Haml::Filters::Base
+  extend Brakeman::FakeHamlFilter
+end
+
+# Fake Markdown filter for Haml
+module Haml::Filters::Markdown
+  include Haml::Filters::Base
+  extend Brakeman::FakeHamlFilter
+end
+
+# Fake Sass filter for Haml
+module Haml::Filters::Sass
+  include Haml::Filters::Base
+  extend Brakeman::FakeHamlFilter
+end

data/lib/brakeman/parsers/slim_embedded.rb

@@ -0,0 +1,44 @@
+# Fake filters for Slim
+module Slim
+  class Embedded
+    class TiltEngine
+      def on_slim_embedded(engine, body, attrs)
+        # Override this method to avoid Slim trying to load sass/scss and failing
+        case engine
+        when :sass, :scss, :coffee
+          tilt_engine = nil # Doesn't really matter, ignored below
+        else
+          # Original Slim code
+          tilt_engine = Tilt[engine] || raise(Temple::FilterError, "Tilt engine #{engine} is not available.")
+        end
+
+        tilt_options = options[engine.to_sym] || {}
+        tilt_options[:default_encoding] ||= 'utf-8'
+
+        [:multi, tilt_render(tilt_engine, tilt_options, collect_text(body)), collect_newlines(body)]
+      end
+    end
+
+    class SassEngine
+      protected
+
+      def tilt_render(tilt_engine, tilt_options, text)
+        [:dynamic,
+         "BrakemanFilter.render(#{text.inspect}, #{self.class})"]
+      end
+    end
+
+    class CoffeeEngine < TiltEngine
+      protected
+
+      def tilt_render(tilt_engine, tilt_options, text)
+        [:dynamic,
+         "BrakemanFilter.render(#{text.inspect}, #{self.class})"]
+      end
+    end
+
+    # Override the engine for CoffeeScript, because Slim doesn't have
+    # one, it just uses Tilt's
+    register :coffee, JavaScriptEngine, engine: CoffeeEngine
+  end
+end

data/lib/brakeman/parsers/template_parser.rb

@@ -75,7 +75,7 @@ module Brakeman
 
     def parse_haml path, text
       Brakeman.load_brakeman_dependency 'haml'
-      Brakeman.load_brakeman_dependency 'sass'
+      require_relative 'haml_embedded'
 
       Haml::Engine.new(text,
                        :filename => path,
@@ -83,13 +83,11 @@ module Brakeman
     rescue Haml::Error => e
       tracker.error e, ["While compiling HAML in #{path}"] << e.backtrace
       nil
-    rescue Sass::SyntaxError => e
-      tracker.error e, "While processing #{path}"
-      nil
     end
 
     def parse_slim path, text
       Brakeman.load_brakeman_dependency 'slim'
+      require_relative 'slim_embedded'
 
       Slim::Template.new(path,
                          :disable_capture => true,

data/lib/brakeman/processors/alias_processor.rb

@@ -66,7 +66,11 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         end
       end
     rescue => err
-      @tracker.error err if @tracker
+      if @tracker
+        @tracker.error err
+      else
+        raise err
+      end
     end
 
     result = replace(exp)
@@ -585,6 +589,24 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp
   end
 
+  def process_hash exp
+    exp = process_default(exp)
+
+    # Handle { **kw }
+    if node_type? exp, :hash
+      if exp.any? { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
+        kwsplats, rest = exp.partition { |e| node_type? e, :kwsplat and node_type? e.value, :hash }
+        exp = Sexp.new.concat(rest).line(exp)
+
+        kwsplats.each do |e|
+          exp = process_hash_merge! exp, e.value
+        end
+      end
+    end
+
+    exp
+  end
+
   #Merge values into hash when processing
   #
   # h.merge! :something => "value"

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -40,6 +40,10 @@ module Brakeman
       else
         original_exp
       end
+    rescue Encoding::CompatibilityError => e
+      # If the two strings are different encodings, we can't join them.
+      Brakeman.debug e.inspect
+      original_exp
     end
 
     def math_op op, lhs, rhs, original_exp = nil

data/lib/brakeman/processors/slim_template_processor.rb

@@ -8,6 +8,7 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
   OUTPUT_BUFFER = s(:ivar, :@output_buffer)
   TEMPLE_UTILS = s(:colon2, s(:colon3, :Temple), :Utils)
   ATTR_MERGE = s(:call, s(:call, s(:array), :reject, s(:block_pass, s(:lit, :empty?))), :join, s(:str, " "))
+  EMBEDDED_FILTER = s(:const, :BrakemanFilter)
 
   def process_call exp
     target = exp.target
@@ -44,6 +45,21 @@ class Brakeman::SlimTemplateProcessor < Brakeman::TemplateProcessor
     end
   end
 
+  def normalize_output arg
+    arg = super(arg)
+
+    if embedded_filter? arg
+      super(arg.first_arg)
+    else
+      arg
+    end
+  end
+
+  # Handle our "fake" embedded filters
+  def embedded_filter? arg
+    call? arg and arg.method == :render and arg.target == EMBEDDED_FILTER
+  end
+
   #Slim likes to interpolate output into strings then pass them to safe_concat.
   #Better to pull those values out directly.
   def process_inside_interp exp

data/lib/brakeman/processors/template_alias_processor.rb

@@ -27,9 +27,9 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
         return
       end
 
-      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name)
+      super name, args, @called_from.dup.add_template_render(@template.name, line, @file_name), line
     else
-      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name)
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template.name, line, @file_name), line
     end
   end
 

data/lib/brakeman/scanner.rb

@@ -1,5 +1,6 @@
 begin
   Brakeman.load_brakeman_dependency 'ruby_parser'
+  Brakeman.load_brakeman_dependency 'ruby_parser/legacy'
   require 'ruby_parser/bm_sexp.rb'
   require 'ruby_parser/bm_sexp_processor.rb'
   require 'brakeman/processor'
@@ -118,7 +119,7 @@ class Brakeman::Scanner
     path = "config/#{file}"
 
     if @app_tree.exists?(path)
-      @processor.process_config(parse_ruby(@app_tree.read(path)), path)
+      @processor.process_config(parse_ruby_file(path), path)
     end
 
   rescue => e
@@ -132,9 +133,9 @@ class Brakeman::Scanner
   def process_gems
     gem_files = {}
     if @app_tree.exists? "Gemfile"
-      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("Gemfile")), :file => "Gemfile" }
+      gem_files[:gemfile] = { :src => parse_ruby_file("Gemfile"), :file => "Gemfile" }
     elsif @app_tree.exists? "gems.rb"
-      gem_files[:gemfile] = { :src => parse_ruby(@app_tree.read("gems.rb")), :file => "gems.rb" }
+      gem_files[:gemfile] = { :src => parse_ruby_file("gems.rb"), :file => "gems.rb" }
     end
 
     if @app_tree.exists? "Gemfile.lock"
@@ -144,7 +145,7 @@ class Brakeman::Scanner
     end
 
     if @app_tree.gemspec
-      gem_files[:gemspec] = { :src => parse_ruby(@app_tree.read(@app_tree.gemspec)), :file => @app_tree.gemspec }
+      gem_files[:gemspec] = { :src => parse_ruby_file(@app_tree.gemspec), :file => @app_tree.gemspec }
     end
 
     if not gem_files.empty?
@@ -214,10 +215,9 @@ class Brakeman::Scanner
   #Adds parsed information to tracker.routes
   def process_routes
     if @app_tree.exists?("config/routes.rb")
-      begin
-        @processor.process_routes parse_ruby(@app_tree.read("config/routes.rb"))
-      rescue => e
-        tracker.error e.exception(e.message + "\nWhile processing routes.rb"), e.backtrace
+      if routes_sexp = parse_ruby_file("config/routes.rb")
+        @processor.process_routes routes_sexp
+      else
         Brakeman.notify "[Notice] Error while processing routes - assuming all public controller methods are actions."
         options[:assume_all_routes] = true
       end
@@ -316,8 +316,9 @@ class Brakeman::Scanner
     tracker.index_call_sites
   end
 
-  def parse_ruby input
-    RubyParser.new.parse input
+  def parse_ruby_file path
+    fp = Brakeman::FileParser.new(self.tracker, @app_tree)
+    fp.parse_ruby(@app_tree.read(path), path)
   end
 end
 

data/lib/brakeman/tracker.rb

@@ -61,7 +61,11 @@ class Brakeman::Tracker
     Brakeman.debug exception
     Brakeman.debug backtrace
 
-    @errors << { :error => exception.to_s.gsub("\n", " "), :backtrace => backtrace }
+    @errors << {
+      :exception => exception,
+      :error => exception.to_s.gsub("\n", " "),
+      :backtrace => backtrace
+    }
   end
 
   #Run a set of checks on the current information. Results will be stored

data/lib/brakeman/tracker/config.rb

@@ -122,22 +122,22 @@ module Brakeman
       current_version ||= rails_version
       return false unless current_version
 
-      version = current_version.split(".").map!(&:to_i)
-      low_version = low_version.split(".").map!(&:to_i)
-      high_version = high_version.split(".").map!(&:to_i)
+      version = current_version.split(".").map! { |v| convert_version_number v }
+      low_version = low_version.split(".").map! { |v| convert_version_number v }
+      high_version = high_version.split(".").map! { |v| convert_version_number v }
 
       version.each_with_index do |v, i|
-        if v < low_version.fetch(i, 0)
+        if lower? v, low_version.fetch(i, 0)
           return false
-        elsif v > low_version.fetch(i, 0)
+        elsif higher? v, low_version.fetch(i, 0)
           break
         end
       end
 
       version.each_with_index do |v, i|
-        if v > high_version.fetch(i, 0)
+        if higher? v, high_version.fetch(i, 0)
           return false
-        elsif v < high_version.fetch(i, 0)
+        elsif lower? v, high_version.fetch(i, 0)
           break
         end
       end
@@ -150,5 +150,30 @@ module Brakeman
         @rails[:action_controller][:session]
     end
 
+    private
+
+    def convert_version_number value
+      if value.match(/\A\d+\z/)
+        value.to_i
+      else
+        value
+      end
+    end
+
+    def lower? lhs, rhs
+      if lhs.class == rhs.class
+        lhs < rhs
+      else
+        false
+      end
+    end
+
+    def higher? lhs, rhs
+      if lhs.class == rhs.class
+        lhs > rhs
+      else
+        false
+      end
+    end
   end
 end

data/lib/brakeman/util.rb

@@ -94,11 +94,21 @@ module Brakeman::Util
   # end
   # names #["bob"]
   def hash_iterate hash
+    hash = remove_kwsplat(hash)
+
     1.step(hash.length - 1, 2) do |i|
       yield hash[i], hash[i + 1]
     end
   end
 
+  def remove_kwsplat exp
+    if exp.any? { |e| node_type? e, :kwsplat }
+      exp.reject { |e| node_type? e, :kwsplat }
+    else
+      exp
+    end
+  end
+
   #Insert value into Hash Sexp
   def hash_insert hash, key, value
     index = 1
@@ -264,6 +274,13 @@ module Brakeman::Util
     node_type? exp, :const, :colon2, :colon3
   end
 
+  def kwsplat? exp
+    exp.is_a? Sexp and
+      exp.node_type == :hash and
+      exp[1].is_a? Sexp and
+      exp[1].node_type == :kwsplat
+  end
+
   #Check if _exp_ is a Sexp.
   def sexp? exp
     exp.is_a? Sexp

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.4.0"
+  Version = "4.5.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman-min
 version: !ruby/object:Gem::Version
-  version: 4.4.0
+  version: 4.5.0
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2019-01-17 00:00:00.000000000 Z
+date: 2019-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: minitest
@@ -25,20 +25,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-ci
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: ruby_parser
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.12'
+        version: '3.13'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.12'
+        version: '3.13'
+- !ruby/object:Gem::Dependency
+  name: ruby_parser-legacy
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: sexp_processor
   requirement: !ruby/object:Gem::Requirement
@@ -176,9 +204,11 @@ files:
 - lib/brakeman/format/style.css
 - lib/brakeman/messages.rb
 - lib/brakeman/options.rb
+- lib/brakeman/parsers/haml_embedded.rb
 - lib/brakeman/parsers/rails2_erubis.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
 - lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/slim_embedded.rb
 - lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/processor.rb
 - lib/brakeman/processors/alias_processor.rb
@@ -258,7 +288,7 @@ files:
 - lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
 licenses:
-- CC-BY-NC-SA-4.0
+- Brakeman Public Use License
 metadata: {}
 post_install_message: 
 rdoc_options: []