brakeman 3.7.2 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b35dc1f57ca3589db3da50fee0727172aab89443
-  data.tar.gz: 21152579e85d00e06992bea8867e323d8516df7c
+  metadata.gz: 5473cad261403087ab82423bcb64eab734d11e8c
+  data.tar.gz: 59a9f5320cdd156c0d6202cd950238ce05a7b92f
 SHA512:
-  metadata.gz: e275bc4c370e29fe12f90fa57dd1daeadf5cadae6004edf0ef89cc9d6eaeadc2883987c870cce2947c4d2bffbc58e3a5cae9e4aab4793ae76e21dc678467f1df
-  data.tar.gz: b8660222d3d68094edcf12ececc814732e0d928ceeb099650f3a937b8df143c6b7a5df977aa220754d395f32e3f462beec34a1a324df2228bfecdb591fa7d98a
+  metadata.gz: 72a9fc46b9385feddcb5ef032794470d68c2ce52f551f3eed00157c24e2f36015dff891f6c409a3862f78ec649c8aee2f3d373d5654f1fcfa3769d3cbf90f67c
+  data.tar.gz: 2fb4b886463bea09c6a46b78b83a507d1312d1d2f68df7d94df364d2eb374ea758f9f7fb959299a632d089288bc0b4304ec04f793708505b76f450c7e639ac9d

data/{CHANGES → CHANGES.md}

@@ -1,3 +1,45 @@
+# 4.1.0
+
+* Process models as root sexp instead of each sexp
+* Avoid CSRF warning in Rails 5.2 default config
+* Show better location for Sass errors (Andrew Bromwich)
+* Warn about dynamic values in `Arel.sql`
+* Fix `include_paths` for Code Climate engine (Will Fleming)
+* Add check for dangerous keys in `permit`
+* Try to guess options for `less` pager
+* Better processing of op_asgn1 (e.g. x[:y] += 1)
+* Add optional check for divide by zero
+* Remove errors about divide by zero
+* Avoid warning about file access for temp files
+* Do not warn on params.permit with safe values
+* Add Sexp#call_chain
+* Use HTTPS for warning links
+* Handle nested destructuring/multiple assignment
+* Leave results on screen after paging
+* Do not page if results fit on screen
+* Support `app_path` configuration for Code Climate engine (Noah Davis)
+* Refactor Code Climate engine options parsing (Noah Davis)
+* Fix upgrade version for CVE-2016-6316
+
+# 4.0.1
+
+* Disable pager when `CI` environment variable is set
+* Fix output when pager fails
+
+# 4.0.0
+
+* Add simple pager for reports output to terminal
+* Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
+* Rearrange tests a little bit
+* Treat `request.cookies` like `cookies`
+* Treat `fail`/`raise` like early returns
+* Remove reliance on `CONFIDENCE` constant in checks
+* Remove low confidence mass assignment warnings
+* Reduce warnings about XSS in `link_to`
+* "Plain" report output is now the default
+* --exit-on-error and --exit-on-warn are now the default
+* Fix --exit-on-error and --exit-on-warn in config files
+
 # 3.7.2
 
 * Fix --ensure-latest (David Guyon)
@@ -300,7 +342,7 @@
 # 3.0.0
 
 * Add check for CVE-2014-7829
-* Add check for cross site scripting via inline renders
+* Add check for cross-site scripting via inline renders
 * Fix formatting of command interpolation
 * Local variables are no longer formatted as `(local var)`
 * Actually skip skipped before filters

data/FEATURES

@@ -1,5 +1,5 @@
 Can detect:
--Possibly unescaped model attributes or parameters in views (Cross Site Scripting)
+-Possibly unescaped model attributes or parameters in views (Cross-Site Scripting)
 -Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
 -String interpolation in find_by_sql (SQL Injection)
 -String interpolation or params in calls to system, exec, and syscall and `` (Command Injection)

data/README.md

@@ -2,8 +2,8 @@
 [![Brakeman Pro Logo](https://brakemanpro.com/images/bmp_square_white.png)](https://brakemanpro.com)
 
 [![Build Status](https://travis-ci.org/presidentbeef/brakeman.svg?branch=master)](https://travis-ci.org/presidentbeef/brakeman)
-[![Code Climate](https://codeclimate.com/github/presidentbeef/brakeman/badges/gpa.svg)](https://codeclimate.com/github/presidentbeef/brakeman)
-[![Test Coverage](https://codeclimate.com/github/presidentbeef/brakeman/badges/coverage.svg)](https://codeclimate.com/github/presidentbeef/brakeman/coverage)
+[![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/presidentbeef/brakeman/maintainability)
+[![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/presidentbeef/brakeman/test_coverage)
 [![Gitter](https://badges.gitter.im/presidentbeef/brakeman.svg)](https://gitter.im/presidentbeef/brakeman)
 
 # Brakeman

data/bundle/load.rb

@@ -1,6 +1,5 @@
 path = File.expand_path('../..', __FILE__)
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/haml-4.0.7/lib"
-$:.unshift "#{path}/bundle/ruby/2.3.0/gems/highline-1.7.8/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby2ruby-2.4.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sass-3.4.25/vendor/listen/lib"
@@ -9,6 +8,7 @@ $:.unshift "#{path}/bundle/ruby/2.3.0/gems/temple-0.7.7/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/unicode-display_width-1.3.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/sexp_processor-4.10.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/ruby_parser-3.10.1/lib"
+$:.unshift "#{path}/bundle/ruby/2.3.0/gems/highline-1.7.10/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/terminal-table-1.8.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/slim-3.0.7/lib"
 $:.unshift "#{path}/bundle/ruby/2.3.0/gems/erubis-2.7.0/lib"

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/Changelog.md

@@ -2,6 +2,12 @@
 
 Below is a complete listing of changes for each revision of HighLine.
 
+### 1.7.10 / 2017-11-23
+* Add gemspec to Gemfile. Address #223. (@abinoam)
+
+### 1.7.9 / 2017-05-08
+* Fix frozen string issue on HighLine::Simulate. (Ivan Giuliani (@ivgiuliani), PR #210)
+
 ### 1.7.8 / 2015-10-09
 * Fix some issues when paginating. (Nick Carboni (@carbonin) and Abinoam P. Marques Jr. (@abinoam), #168, PRs #169 #170)
 

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/Gemfile

@@ -1,5 +1,7 @@
 source "https://rubygems.org"
 
+gemspec
+
 gem "rake", :require => false
 gem "rdoc", :require => false
 

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/simulate.rb

@@ -23,7 +23,7 @@ class HighLine
 
     # Simulate StringIO#getbyte by shifting a single character off of the next line of the script
     def getbyte
-      line = gets
+      line = gets.dup
       if line.length > 0
         char = line.slice! 0
         @strings.unshift line

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/lib/highline/version.rb

@@ -1,4 +1,4 @@
 class HighLine
   # The version of the installed library.
-  VERSION = "1.7.8".freeze
+  VERSION = "1.7.10".freeze
 end

data/bundle/ruby/2.3.0/gems/{highline-1.7.8 → highline-1.7.10}/test/tc_simulator.rb

@@ -20,4 +20,14 @@ class SimulatorTest < Test::Unit::TestCase
       assert_equal '18', age
     end
   end
+
+  def test_simulate_with_echo_and_frozen_strings
+    HighLine::Simulate.with('the password'.freeze) do
+      password = ask('What is your password?') do |q|
+        q.echo = '*'
+      end
+
+      assert_equal 'the password', password
+    end
+  end
 end

data/lib/brakeman/call_index.rb

@@ -67,7 +67,7 @@ class Brakeman::CallIndex
 
   def remove_template_indexes template_name = nil
     [@calls_by_method, @calls_by_target].each do |calls_by|
-      calls_by.each do |name, calls|
+      calls_by.each do |_name, calls|
         calls.delete_if do |call|
           from_template call, template_name
         end
@@ -77,7 +77,7 @@ class Brakeman::CallIndex
 
   def remove_indexes_by_class classes
     [@calls_by_method, @calls_by_target].each do |calls_by|
-      calls_by.each do |name, calls|
+      calls_by.each do |_name, calls|
         calls.delete_if do |call|
           call[:location][:type] == :class and classes.include? call[:location][:class]
         end

data/lib/brakeman/checks/base_check.rb

@@ -10,7 +10,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   include Brakeman::Util
   attr_reader :tracker, :warnings
 
-  CONFIDENCE = { :high => 0, :med => 1, :low => 2 }
+  # This is for legacy support.
+  # Use :high, :medium, or :low instead when creating warnings.
+  CONFIDENCE = Brakeman::Warning::CONFIDENCE
 
   Match = Struct.new(:type, :match)
 
@@ -60,7 +62,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
   #Default Sexp processing. Iterates over each value in the Sexp
   #and processes them if they are also Sexps.
   def process_default exp
-    exp.each_with_index do |e, i|
+    exp.each_with_index do |e, _i|
       if sexp? e
         process e
       else
@@ -443,41 +445,16 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
     false
   end
 
-  #Returns true if low_version <= RAILS_VERSION <= high_version
-  #
-  #If the Rails version is unknown, returns false.
-  def version_between? low_version, high_version, current_version = nil
-    current_version ||= rails_version
-    return false unless current_version
-
-    version = current_version.split(".").map! { |n| n.to_i }
-    low_version = low_version.split(".").map! { |n| n.to_i }
-    high_version = high_version.split(".").map! { |n| n.to_i }
-
-    version.each_with_index do |v, i|
-      if v < low_version.fetch(i, 0)
-        return false
-      elsif v > low_version.fetch(i, 0)
-        break
-      end
-    end
-
-    version.each_with_index do |v, i|
-      if v > high_version.fetch(i, 0)
-        return false
-      elsif v < high_version.fetch(i, 0)
-        break
-      end
-    end
-
-    true
-  end
-
   def lts_version? version
     tracker.config.has_gem? :'railslts-version' and
     version_between? version, "2.3.18.99", tracker.config.gem_version(:'railslts-version')
   end
 
+
+  def version_between? low_version, high_version, current_version = nil
+    tracker.config.version_between? low_version, high_version, current_version
+  end
+
   def gemfile_or_environment gem_name = :rails
     if gem_name and info = tracker.config.get_gem(gem_name)
       info

data/lib/brakeman/checks/check_basic_auth.rb

@@ -17,7 +17,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
   end
 
   def check_basic_auth_filter
-    controllers = tracker.controllers.select do |name, c|
+    controllers = tracker.controllers.select do |_name, c|
       c.options[:http_basic_authenticate_with]
     end
 
@@ -30,7 +30,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
               :code => call,
-              :confidence => 0,
+              :confidence => :high,
               :file => controller.file
           break
         end
@@ -50,7 +50,7 @@ class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
               :warning_type => "Basic Auth",
               :warning_code => :basic_auth_password,
               :message => "Basic authentication password stored in source code",
-              :confidence => 0
+              :confidence => :high
       end
     end
   end

data/lib/brakeman/checks/check_basic_auth_timing_attack.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckBasicAuthTimingAttack < Brakeman::BaseCheck
         :warning_type => "Timing Attack",
         :warning_code => :CVE_2015_7576,
         :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
     end
   end

data/lib/brakeman/checks/check_content_tag.rb

@@ -66,7 +66,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
     #Attribute keys are never escaped, so check them for user input
     if not @matched and hash? attributes and not request_value? attributes
-      hash_iterate(attributes) do |k, v|
+      hash_iterate(attributes) do |k, _v|
         check_argument result, k
         return if @matched
       end
@@ -79,7 +79,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       if request_value? attributes or not hash? attributes
         check_argument result, attributes
       else #check hash values
-        hash_iterate(attributes) do |k, v|
+        hash_iterate(attributes) do |_k, v|
           check_argument result, v
           return if @matched
         end
@@ -101,11 +101,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       add_result result
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => input,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :link_path => "content_tag"
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(arg)
@@ -113,13 +113,13 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
         add_result result
 
         if likely_model_attribute? match
-          confidence = CONFIDENCE[:high]
+          confidence = :high
         else
-          confidence = CONFIDENCE[:med]
+          confidence = :medium
         end
 
         warn :result => result,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => :xss_content_tag,
           :message => "Unescaped model attribute in content_tag",
           :user_input => match,
@@ -135,11 +135,11 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
       add_result result
 
       warn :result => result,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :xss_content_tag,
         :message => message,
         :user_input => @matched,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :link_path => "content_tag"
     end
   end
@@ -159,9 +159,9 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
   def check_cve_2016_6316
     if cve_2016_6316?
       confidence = if @content_tags.any?
-                     CONFIDENCE[:high]
+                     :high
                    else
-                     CONFIDENCE[:med]
+                     :medium
                    end
 
       fix_version = case
@@ -170,7 +170,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
                     when version_between?("4.0.0", "4.2.7.0")
                       "4.2.7.1"
                     when version_between?("5.0.0", "5.0.0")
-                      "5.0.0"
+                      "5.0.0.1"
                     when (version.nil? and tracker.options[:rails3])
                       "3.2.22.4"
                     when (version.nil? and tracker.options[:rails4])
@@ -179,7 +179,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
                       return
                     end
 
-      warn :warning_type => "Cross Site Scripting",
+      warn :warning_type => "Cross-Site Scripting",
         :warning_code => :CVE_2016_6316,
         :message => "Rails #{rails_version} content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to #{fix_version}",
         :confidence => confidence,

data/lib/brakeman/checks/check_create_with.rb

@@ -51,15 +51,15 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
     if call? exp and exp.method == :permit
       nil
     elsif request_value? exp
-      CONFIDENCE[:high]
+      :high
     elsif hash? exp
       nil
     elsif has_immediate_user_input?(exp)
-      CONFIDENCE[:high]
+      :high
     elsif include_user_input? exp
-      CONFIDENCE[:med]
+      :medium
     else
-      CONFIDENCE[:low]
+      :weak
     end
   end
 
@@ -68,7 +68,7 @@ class Brakeman::CheckCreateWith < Brakeman::BaseCheck
         :warning_code => :CVE_2014_3514,
         :message => @message,
         :gem_info => gemfile_or_environment,
-        :confidence => CONFIDENCE[:med],
+        :confidence => :medium,
         :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
   end
 end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -73,11 +73,11 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       message = "Unescaped #{friendly_type_of input}"
 
       warn :template => @current_template,
-        :warning_type => "Cross Site Scripting",
+        :warning_type => "Cross-Site Scripting",
         :warning_code => :cross_site_scripting,
         :message => message,
         :code => input.match,
-        :confidence => CONFIDENCE[:high]
+        :confidence => :high
 
     elsif not tracker.options[:ignore_model_output] and match = has_immediate_model?(out)
       method = if call? match
@@ -90,9 +90,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         add_result exp
 
         if likely_model_attribute? match
-          confidence = CONFIDENCE[:high]
+          confidence = :high
         else
-          confidence = CONFIDENCE[:med]
+          confidence = :medium
         end
 
         message = "Unescaped model attribute"
@@ -106,7 +106,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         end
 
         warn :template => @current_template,
-          :warning_type => "Cross Site Scripting",
+          :warning_type => "Cross-Site Scripting",
           :warning_code => warning_code,
           :message => message,
           :code => match,
@@ -178,18 +178,18 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           warning_code = :cross_site_scripting
 
           if @known_dangerous.include? exp.method
-            confidence = CONFIDENCE[:high]
+            confidence = :high
             if exp.method == :to_json
               message += " in JSON hash"
               link_path += "_to_json"
               warning_code = :xss_to_json
             end
           else
-            confidence = CONFIDENCE[:low]
+            confidence = :weak
           end
 
           warn :template => @current_template,
-            :warning_type => "Cross Site Scripting",
+            :warning_type => "Cross-Site Scripting",
             :warning_code => warning_code,
             :message => message,
             :code => exp,

data/lib/brakeman/checks/check_default_routes.rb

@@ -21,7 +21,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
         :warning_code => :all_default_routes,
         :message => "All public methods in controllers are available as actions in routes.rb",
         :line => tracker.routes[:allow_all_actions].line,
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :file => "#{tracker.app_path}/config/routes.rb"
     end
   end
@@ -43,7 +43,7 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
           :warning_code => :controller_default_routes,
           :message => "Any public method in #{name} can be used as an action for #{verb} requests.",
           :line => actions[2],
-          :confidence => CONFIDENCE[:med],
+          :confidence => :medium,
           :file => "#{tracker.app_path}/config/routes.rb"
       end
     end
@@ -67,9 +67,9 @@ class Brakeman::CheckDefaultRoutes < Brakeman::BaseCheck
     end
 
     if allow_all_actions? or @actions_allowed_on_controller
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     else
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     end
 
     warn :warning_type => "Remote Code Execution",

data/lib/brakeman/checks/check_deserialize.rb

@@ -36,9 +36,9 @@ class Brakeman::CheckDeserialize < Brakeman::BaseCheck
     method = result[:call].method
 
     if input = has_immediate_user_input?(arg)
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     elsif input = include_user_input?(arg)
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     end
 
     if confidence

data/lib/brakeman/checks/check_detailed_exceptions.rb

@@ -18,13 +18,13 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
       warn :warning_type => "Information Disclosure",
            :warning_code => :local_request_config,
            :message => "Detailed exceptions are enabled in production",
-           :confidence => CONFIDENCE[:high],
+           :confidence => :high,
            :file => "config/environments/production.rb"
     end
   end
 
   def check_detailed_exceptions
-    tracker.controllers.each do |name, controller|
+    tracker.controllers.each do |_name, controller|
       controller.methods_public.each do |method_name, definition|
         src = definition[:src]
         body = src.body.last
@@ -32,9 +32,9 @@ class Brakeman::CheckDetailedExceptions < Brakeman::BaseCheck
 
         if method_name == :show_detailed_exceptions? and not safe? body
           if true? body
-            confidence = CONFIDENCE[:high]
+            confidence = :high
           else
-            confidence = CONFIDENCE[:med]
+            confidence = :medium
           end
 
           warn :warning_type => "Information Disclosure",

data/lib/brakeman/checks/check_digest_dos.rb

@@ -19,9 +19,9 @@ class Brakeman::CheckDigestDoS < Brakeman::BaseCheck
     end
 
     if with_http_digest?
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     else
-      confidence = CONFIDENCE[:low]
+      confidence = :weak
     end
 
     warn :warning_type => "Denial of Service",

data/lib/brakeman/checks/check_divide_by_zero.rb

@@ -0,0 +1,40 @@
+require 'brakeman/checks/base_check'
+
+class Brakeman::CheckDivideByZero < Brakeman::BaseCheck
+  Brakeman::Checks.add_optional self
+
+  @description = "Warns on potential division by zero"
+
+  def run_check
+    tracker.find_call(:method => :"/").each do |result|
+      check_division result
+    end
+  end
+
+  def check_division result
+    call = result[:call]
+
+    denominator = call.first_arg
+
+    if number? denominator and denominator.value == 0
+      numerator = call.target
+
+      if number? numerator
+        if numerator.value.is_a? Float
+          return # 0.0 / 0 is NaN and 1.0 / 0 is Infinity
+        else
+          confidence = :medium
+        end
+      else
+        confidence = :weak
+      end
+
+      warn :result => result,
+        :warning_type => "Divide by Zero",
+        :warning_code => :divide_by_zero,
+        :message => "Potential division by zero",
+        :confidence => confidence,
+        :user_input => denominator
+    end
+  end
+end

data/lib/brakeman/checks/check_dynamic_finders.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckDynamicFinders < Brakeman::BaseCheck
             :warning_type => "SQL Injection",
             :warning_code => :sql_injection_dynamic_finder,
             :message => "MySQL integer conversion may cause 0 to match any string",
-            :confidence => CONFIDENCE[:med],
+            :confidence => :medium,
             :user_input => arg
 
           break

data/lib/brakeman/checks/check_escape_function.rb

@@ -10,10 +10,10 @@ class Brakeman::CheckEscapeFunction < Brakeman::BaseCheck
   def run_check
     if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' 
 
-      warn :warning_type => 'Cross Site Scripting',
+      warn :warning_type => 'Cross-Site Scripting',
         :warning_code => :CVE_2011_2932,
         :message => 'Versions before 2.3.14 have a vulnerability in escape method when used with Ruby 1.8: CVE-2011-2932',
-        :confidence => CONFIDENCE[:high],
+        :confidence => :high,
         :gem_info => gemfile_or_environment,
         :link_path => "https://groups.google.com/d/topic/rubyonrails-security/Vr_7WSOrEZU/discussion"
     end

data/lib/brakeman/checks/check_evaluation.rb

@@ -29,7 +29,7 @@ class Brakeman::CheckEvaluation < Brakeman::BaseCheck
         :message => "User input in eval",
         :code => result[:call],
         :user_input => input,
-        :confidence => CONFIDENCE[:high]
+        :confidence => :high
     end
   end
 end

data/lib/brakeman/checks/check_execute.rb

@@ -56,9 +56,9 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     if failure and original? result
 
       if failure.type == :interp #Not from user input
-        confidence = CONFIDENCE[:med]
+        confidence = :medium
       else
-        confidence = CONFIDENCE[:high]
+        confidence = :high
       end
 
       warn :result => result,
@@ -79,7 +79,7 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
           :warning_code => :command_injection,
           :message => "Possible command injection in open()",
           :user_input => match,
-          :confidence => CONFIDENCE[:high]
+          :confidence => :high
       end
     end
   end
@@ -111,9 +111,9 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
     exp = result[:call]
 
     if input = include_user_input?(exp)
-      confidence = CONFIDENCE[:high]
+      confidence = :high
     elsif input = dangerous?(exp)
-      confidence = CONFIDENCE[:med]
+      confidence = :medium
     else
       return
     end