RubyGems - brakeman - Versions diffs - 2.6.3 → 3.0.0 - Mend

brakeman 2.6.3 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

checksums.yaml +5 -13
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/CHANGES +19 -0
data/bin/brakeman +1 -1
data/lib/brakeman.rb +4 -2
data/lib/brakeman/app_tree.rb +1 -1
data/lib/brakeman/checks/base_check.rb +9 -7
data/lib/brakeman/checks/check_create_with.rb +1 -1
data/lib/brakeman/checks/check_cross_site_scripting.rb +46 -42
data/lib/brakeman/checks/check_digest_dos.rb +1 -1
data/lib/brakeman/checks/check_escape_function.rb +3 -3
data/lib/brakeman/checks/check_file_disclosure.rb +35 -0
data/lib/brakeman/checks/check_filter_skipping.rb +1 -1
data/lib/brakeman/checks/check_forgery_setting.rb +2 -2
data/lib/brakeman/checks/check_header_dos.rb +1 -1
data/lib/brakeman/checks/check_i18n_xss.rb +2 -3
data/lib/brakeman/checks/check_jruby_xml.rb +1 -1
data/lib/brakeman/checks/check_json_parsing.rb +9 -4
data/lib/brakeman/checks/check_mail_to.rb +1 -1
data/lib/brakeman/checks/check_nested_attributes.rb +1 -1
data/lib/brakeman/checks/check_number_to_currency.rb +1 -1
data/lib/brakeman/checks/check_quote_table_name.rb +1 -1
data/lib/brakeman/checks/check_render.rb +3 -3
data/lib/brakeman/checks/check_render_dos.rb +1 -1
data/lib/brakeman/checks/check_render_inline.rb +42 -0
data/lib/brakeman/checks/check_response_splitting.rb +1 -1
data/lib/brakeman/checks/check_safe_buffer_manipulation.rb +1 -1
data/lib/brakeman/checks/check_simple_format.rb +2 -2
data/lib/brakeman/checks/check_single_quotes.rb +1 -1
data/lib/brakeman/checks/check_skip_before_filter.rb +1 -1
data/lib/brakeman/checks/check_sql_cves.rb +2 -2
data/lib/brakeman/checks/check_strip_tags.rb +2 -2
data/lib/brakeman/checks/check_symbol_dos.rb +2 -23
data/lib/brakeman/checks/check_symbol_dos_cve.rb +30 -0
data/lib/brakeman/checks/check_translate_bug.rb +1 -1
data/lib/brakeman/checks/check_yaml_parsing.rb +2 -2
data/lib/brakeman/options.rb +6 -2
data/lib/brakeman/parsers/rails3_erubis.rb +2 -2
data/lib/brakeman/processors/alias_processor.rb +54 -1
data/lib/brakeman/processors/base_processor.rb +0 -8
data/lib/brakeman/processors/controller_alias_processor.rb +40 -2
data/lib/brakeman/processors/controller_processor.rb +5 -3
data/lib/brakeman/processors/gem_processor.rb +13 -9
data/lib/brakeman/processors/lib/basic_processor.rb +17 -0
data/lib/brakeman/processors/lib/find_all_calls.rb +2 -2
data/lib/brakeman/processors/lib/find_call.rb +2 -2
data/lib/brakeman/processors/lib/processor_helper.rb +9 -0
data/lib/brakeman/processors/lib/rails2_config_processor.rb +3 -1
data/lib/brakeman/processors/lib/rails2_route_processor.rb +3 -3
data/lib/brakeman/processors/lib/rails3_config_processor.rb +4 -1
data/lib/brakeman/processors/lib/rails3_route_processor.rb +4 -2
data/lib/brakeman/processors/output_processor.rb +1 -7
data/lib/brakeman/report/report_json.rb +1 -1
data/lib/brakeman/tracker.rb +7 -1
data/lib/brakeman/version.rb +1 -1
data/lib/brakeman/warning.rb +15 -1
data/lib/brakeman/warning_codes.rb +3 -0
data/lib/ruby_parser/bm_sexp.rb +17 -5
metadata +55 -56
metadata.gz.sig +0 -0

checksums.yaml CHANGED Viewed

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    NDU2OGUzNjFlZDYyMzU3NGNjODNhOGQxNzczYThmN2Y5NGUxZDYxOQ==
-  data.tar.gz: !binary |-
-    MzNiNzA0ZjBmNjZmOGNkOWYxNDgzMTg3YjY2MzIxYTlmNzIxODYzNA==
+SHA1:
+  metadata.gz: 8e036c60e03551ca1b437c9c0ba69ba388ec0bf1
+  data.tar.gz: 1b2cd12bd7417aa8409dc36d978d40557363c6d6
 SHA512:
-  metadata.gz: !binary |-
-    ZDUyOWJkNzA0NDUzZmZiNTBjZWJlZjZjZWIzYjI2MzJmMDk4NTk5NDBjNjZm
-    OGUxN2UyNGE3MTA5MDlkMjI2MDg1NjlmNzE1ZGIwZDYwOWExNzFkYzQ0MzBl
-    ZTExMjIyZGQ4YjRkZTMwMDk1NzAwMjg3Y2RiNGM3NWJiYzFjNWE=
-  data.tar.gz: !binary |-
-    YTFlM2JlMmJhN2E4OGJhNzU3N2QzNzcxYWFkMDhlZDhhNTMzM2EyMmI3MGVj
-    NjBhZGQyN2ViYTAzYzQzOTY3OTcxZGNkNWM3OTljY2YzM2NlYmVkNzRhZTk5
-    M2IzMDAwOGE4MzM1Y2U0ZTE4MjhkZDY4MzdkNzI3NzE2YWE1MjA=
+  metadata.gz: cf9478f1fa9747f397f1c614ee4058f1de4b0c99dc0c444d2ac169ec0d1aa5adf895ea0e804761d148cd7779fcb2f1a9fd6bc1dec73c99beaf005aa5c45ad1c7
+  data.tar.gz: 4b71efa6cf9e69e771d4698364d4ec2a7b19c05a1f3d24d8cd72a9e8e8bcb384143c5e06f8b7865d66bfa96ef52ae8a0dc7e302ddd7a65cdb15c8f0ffa21ee7b

checksums.yaml.gz.sig CHANGED Viewed

Binary file

data.tar.gz.sig CHANGED Viewed

Binary file

data/CHANGES CHANGED Viewed

@@ -1,3 +1,22 @@
+# 3.0.0
+* Add check for CVE-2014-7829
+* Add check for cross site scripting via inline renders
+* Fix formatting of command interpolation
+* Local variables are no longer formatted as `(local var)`
+* Actually skip skipped before filters
+* `--exit-on-warn --compare` only returns error code on new warnings (Jeff Yip)
+* Fix parsing of `<%==` in ERB
+* Sort warnings by fingerprint in JSON report (Jeff Yip)
+* Handle symmetric multiple assignment
+* Do not branch for self attribute assignment `x = x.y`
+* Fix CVE for CVE-2011-2932
+* Remove "fake filters" from warning fingerpints
+* Index calls in `lib/` files
+* Move Symbol DoS to optional checks
+* CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
+* Change `--separate-models` to be the default
 # 2.6.3
 * Whitelist `exists` arel method from SQL injection check

data/bin/brakeman CHANGED Viewed

@@ -70,7 +70,7 @@ begin
       puts MultiJson.dump(vulns, :pretty => true)
     end
-    if options[:exit_on_warn] and (vulns[:new].count + vulns[:fixed].count > 0)
+    if options[:exit_on_warn] && vulns[:new].count > 0
       exit Brakeman::Warnings_Found_Exit_Code
     end
   else

data/lib/brakeman.rb CHANGED Viewed

@@ -19,7 +19,7 @@ module Brakeman
   #  * :app_path - path to root of Rails app (required)
   #  * :assume_all_routes - assume all methods are routes (default: true)
   #  * :check_arguments - check arguments of methods (default: true)
-  #  * :collapse_mass_assignment - report unprotected models in single warning (default: true)
+  #  * :collapse_mass_assignment - report unprotected models in single warning (default: false)
   #  * :combine_locations - combine warning locations (default: true)
   #  * :config_file - configuration file
   #  * :escape_html - escape HTML by default (automatic)
@@ -28,6 +28,7 @@ module Brakeman
   #  * :highlight_user_input - highlight user input in reported warnings (default: true)
   #  * :html_style - path to CSS file
   #  * :ignore_model_output - consider models safe (default: false)
+  #  * :index_libs - add libraries to call index (default: true)
   #  * :interprocedural - limited interprocedural processing of method calls (default: false)
   #  * :message_limit - limit length of messages
   #  * :min_confidence - minimum confidence (0-2, 0 is highest)
@@ -122,10 +123,11 @@ module Brakeman
       :safe_methods => Set.new,
       :min_confidence => 2,
       :combine_locations => true,
-      :collapse_mass_assignment => true,
+      :collapse_mass_assignment => false,
       :highlight_user_input => true,
       :ignore_redirect_to_model => true,
       :ignore_model_output => false,
+      :index_libs => true,
       :message_limit => 100,
       :parallel_checks => true,
       :relative_path => false,

data/lib/brakeman/app_tree.rb CHANGED Viewed

@@ -71,7 +71,7 @@ module Brakeman
     end
     def lib_paths
-      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" }
+      @lib_files ||= find_paths("lib").reject { |path| path.include? "/generators/" or path.include? "lib/tasks/" }
     end
   private

data/lib/brakeman/checks/base_check.rb CHANGED Viewed

@@ -328,7 +328,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
     elsif sexp? exp
       case exp.node_type
-      when :string_interp
+      when :string_interp, :dstr
         exp.each do |e|
           if sexp? e
             match = has_immediate_user_input?(e)
@@ -336,7 +336,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
           end
         end
         false
-      when :string_eval
+      when :string_eval, :evstr
         if sexp? exp.value
           if exp.value.node_type == :rlist
             exp.value.each_sexp do |e|
@@ -390,14 +390,14 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
       end
     elsif sexp? exp
       case exp.node_type
-      when :string_interp
+      when :string_interp, :dstr
         exp.each do |e|
           if sexp? e and match = has_immediate_model?(e, out)
             return match
           end
         end
         false
-      when :string_eval
+      when :string_eval, :evstr
         if sexp? exp.value
           if exp.value.node_type == :rlist
             exp.value.each_sexp do |e|
@@ -484,11 +484,13 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   def lts_version? version
     tracker.config[:gems][:'railslts-version'] and
-    version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version']
+    version_between? version, "2.3.18.99", tracker.config[:gems][:'railslts-version'][:version]
   end
-  def gemfile_or_environment
-    if @app_tree.exists?("Gemfile")
+  def gemfile_or_environment gem_name = :rails
+    if gem_name and info = tracker.config[:gems][gem_name]
+      info
+    elsif @app_tree.exists?("Gemfile")
       "Gemfile"
     else
       "config/environment.rb"

data/lib/brakeman/checks/check_create_with.rb CHANGED Viewed

@@ -68,7 +68,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
       warn :warning_type => "Mass Assignment",
         :warning_code => :CVE_2014_3514,
         :message => @message,
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :confidence => CONFIDENCE[:med],
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
   end

data/lib/brakeman/checks/check_cross_site_scripting.rb CHANGED Viewed

@@ -35,48 +35,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
   #Run check
   def run_check
-    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
-                           :field_field, :fields_for, :h, :hidden_field,
-                           :hidden_field, :hidden_field_tag, :image_tag, :label,
-                           :link_to, :mail_to, :radio_button, :select,
-                           :submit_tag, :text_area, :text_field,
-                           :text_field_tag, :url_encode, :url_for,
-                           :will_paginate].merge tracker.options[:safe_methods]
-    @models = tracker.models.keys
-    @inspect_arguments = tracker.options[:check_arguments]
-    @known_dangerous = Set[:truncate, :concat]
-    if version_between? "2.0.0", "3.0.5"
-      @known_dangerous << :auto_link
-    elsif version_between? "3.0.6", "3.0.99"
-      @ignore_methods << :auto_link
-    end
-    if version_between? "2.0.0", "2.3.14"
-      @known_dangerous << :strip_tags
-    end
-    json_escape_on = false
-    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
-    if tracker.config[:rails][:active_support] and
-      true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
-        json_escape_on = true
-    elsif version_between? "4.0.0", "5.0.0"
-      json_escape_on = true
-    end
-    if !json_escape_on or version_between? "0.0.0", "2.0.99"
-      @known_dangerous << :to_json
-      Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
-    else
-      @safe_input_attributes << :to_json
-      Brakeman.debug("Automatic to_json escaping is enabled.")
-    end
+    setup
     tracker.each_template do |name, template|
       Brakeman.debug "Checking #{name} for XSS"
@@ -301,6 +260,51 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     exp
   end
+  def setup
+    @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
+                           :field_field, :fields_for, :h, :hidden_field,
+                           :hidden_field, :hidden_field_tag, :image_tag, :label,
+                           :link_to, :mail_to, :radio_button, :select,
+                           :submit_tag, :text_area, :text_field,
+                           :text_field_tag, :url_encode, :url_for,
+                           :will_paginate].merge tracker.options[:safe_methods]
+    @models = tracker.models.keys
+    @inspect_arguments = tracker.options[:check_arguments]
+    @known_dangerous = Set[:truncate, :concat]
+    if version_between? "2.0.0", "3.0.5"
+      @known_dangerous << :auto_link
+    elsif version_between? "3.0.6", "3.0.99"
+      @ignore_methods << :auto_link
+    end
+    if version_between? "2.0.0", "2.3.14"
+      @known_dangerous << :strip_tags
+    end
+    json_escape_on = false
+    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    initializers.each {|result| json_escape_on = true?(result.call.first_arg) }
+    if tracker.config[:rails][:active_support] and
+      true? tracker.config[:rails][:active_support][:escape_html_entities_in_json]
+        json_escape_on = true
+    elsif version_between? "4.0.0", "5.0.0"
+      json_escape_on = true
+    end
+    if !json_escape_on or version_between? "0.0.0", "2.0.99"
+      @known_dangerous << :to_json
+      Brakeman.debug("Automatic to_json escaping not enabled, consider to_json dangerous")
+    else
+      @safe_input_attributes << :to_json
+      Brakeman.debug("Automatic to_json escaping is enabled.")
+    end
+  end
   def raw_call? exp
     exp.value.node_type == :call and exp.value.method == :raw
   end

data/lib/brakeman/checks/check_digest_dos.rb CHANGED Viewed

@@ -29,7 +29,7 @@ class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
       :message => message,
       :confidence => confidence,
       :link_path => "https://groups.google.com/d/topic/rubyonrails-security/vxJjrc15qYM/discussion",
-      :file => gemfile_or_environment
+      :gem_info => gemfile_or_environment
   end
   def with_http_digest?

data/lib/brakeman/checks/check_escape_function.rb CHANGED Viewed

@@ -11,10 +11,10 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
     if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0'
       warn :warning_type => 'Cross Site Scripting',
-        :warning_code => :CVE_2011_2931,
-        :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2931',
+        :warning_code => :CVE_2011_2932,
+        :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2932',
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
     end
   end

data/lib/brakeman/checks/check_file_disclosure.rb ADDED Viewed

@@ -0,0 +1,35 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckFileDisclosure < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Checks for versions with file existence disclosure vulnerability"
+  def run_check
+    fix_version = case
+      when version_between?('2.0.0', '2.3.18')
+        '3.2.21'
+      when version_between?('3.0.0', '3.2.20')
+        '3.2.21'
+      when version_between?('4.0.0', '4.0.11')
+        '4.0.12'
+      when version_between?('4.1.0', '4.1.7')
+        '4.1.8'
+      else
+        nil
+      end
+    if fix_version and serves_static_assets?
+      warn :warning_type => "File Access",
+        :warning_code => :CVE_2014_7829,
+        :message => "Rails #{tracker.config[:rails_version]} has a file existence disclosure. Upgrade to #{fix_version} or disable serving static assets",
+        :confidence => CONFIDENCE[:high],
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/23fiuwb1NBA/MQVM1-5GkPMJ"
+    end
+  end
+  def serves_static_assets?
+    true? tracker.config[:rails][:serve_static_assets]
+  end
+end

data/lib/brakeman/checks/check_filter_skipping.rb CHANGED Viewed

@@ -14,7 +14,7 @@ class Brakeman::CheckFilterSkipping < Brakeman::BaseCheck
         :warning_code => :CVE_2011_2929,
         :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929",
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion"
     end
   end

data/lib/brakeman/checks/check_forgery_setting.rb CHANGED Viewed

@@ -37,7 +37,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
         :warning_code => :CVE_2011_0447,
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
     elsif version_between? "3.0.0", "3.0.3"
@@ -47,7 +47,7 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
         :warning_code => :CVE_2011_0447,
         :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
     end
   end

data/lib/brakeman/checks/check_header_dos.rb CHANGED Viewed

@@ -19,7 +19,7 @@ class Brakeman::CheckHeaderDoS < Brakeman::BaseCheck
         :warning_code => :CVE_2013_6414,
         :message => message,
         :confidence => CONFIDENCE[:med],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/msg/ruby-security-ann/A-ebV4WxzKg/KNPTbX8XAQUJ"
     end
   end

data/lib/brakeman/checks/check_i18n_xss.rb CHANGED Viewed

@@ -8,8 +8,7 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
   def run_check
     if (version_between? "3.0.6", "3.2.15" or version_between? "4.0.0", "4.0.1") and not has_workaround?
       message = "Rails #{tracker.config[:rails_version]} has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version "
-      i18n_gem = tracker.config[:gems][:i18n]
+      i18n_gem = tracker.config[:gems][:i18n][:version] if tracker.config[:gems][:i18n]
       if version_between? "3.0.6", "3.1.99" and version_before i18n_gem, "0.5.1"
         message << "3.2.16 or i18n 0.5.1"
@@ -23,7 +22,7 @@ class Brakeman::CheckI18nXSS < Brakeman::BaseCheck
         :warning_code => :CVE_2013_4491,
         :message => message,
         :confidence => CONFIDENCE[:med],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment(:i18n),
         :link_path => "https://groups.google.com/d/msg/ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
     end
   end

data/lib/brakeman/checks/check_jruby_xml.rb CHANGED Viewed

@@ -32,7 +32,7 @@ class Brakeman::CheckJRubyXML < Brakeman::BaseCheck
       :warning_code => :CVE_2013_1856,
       :message => "Rails #{tracker.config[:rails_version]} with JRuby has a vulnerability in XML parser: upgrade to #{fix_version} or patch",
       :confidence => CONFIDENCE[:high],
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment,
       :link => "https://groups.google.com/d/msg/rubyonrails-security/KZwsQbYsOiI/5kUV7dSCJGwJ"
   end
 end

data/lib/brakeman/checks/check_json_parsing.rb CHANGED Viewed

@@ -21,12 +21,17 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
                     end
       message = "Rails #{tracker.config[:rails_version]} has a serious JSON parsing vulnerability: upgrade to #{new_version} or patch"
+      if uses_yajl?
+        gem_info = gemfile_or_environment(:yajl)
+      else
+        gem_info = gemfile_or_environment
+      end
       warn :warning_type => "Remote Code Execution",
         :warning_code => :CVE_2013_0333,
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gem_info,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion"
     end
   end
@@ -55,8 +60,8 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
   def check_cve_2013_0269
     [:json, :json_pure].each do |name|
-      version = tracker.config[:gems] && tracker.config[:gems][name]
-      check_json_version name, version if version
+      gem_hash = tracker.config[:gems][name] if tracker.config[:gems]
+      check_json_version name, gem_hash[:version] if gem_hash and gem_hash[:version]
     end
   end
@@ -90,7 +95,7 @@ class Brakeman::CheckJSONParsing < Brakeman::BaseCheck
       :warning_code => :CVE_2013_0269,
       :message => message,
       :confidence => confidence,
-      :file => gemfile_or_environment,
+      :gem_info => gemfile_or_environment(name),
       :link => "https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"
   end

data/lib/brakeman/checks/check_mail_to.rb CHANGED Viewed

@@ -24,7 +24,7 @@ class Brakeman::CheckMailTo < Brakeman::BaseCheck
         :warning_code => :CVE_2011_0446,
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/8CpI7egxX4E/discussion"
     end
   end

data/lib/brakeman/checks/check_nested_attributes.rb CHANGED Viewed

@@ -23,7 +23,7 @@ class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
         :warning_code => :CVE_2010_3933,
         :message => message,
         :confidence => CONFIDENCE[:high],
-        :file => gemfile_or_environment,
+        :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/-fkT0yja_gw/discussion"
     end
   end