brakeman 4.4.0 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: da26ae6b39148168c53a88ba2059e7d963d5accee96673a9e8ac5fd4c9f225c9
-  data.tar.gz: 8ff08328301a77bca2f71073065e4ab7697792372ffac87c2344e9d1fe1a119c
+  metadata.gz: 1d660b98db2252a6aa69d39bb56c6950aa7d9713f10831807d6ab837df54657d
+  data.tar.gz: 6999959ba9f8380f36c1d999e04b0d79e48ea9536fd9820485c4960bce769d60
 SHA512:
-  metadata.gz: a8948330446d4ebea6da1fc7de26e230b280a8d9f91de4a88d7ea8b748e2acf36425fd61da5f84fc581b134f3078af6051d0210a6b204a6de497cdcfbec9fe27
-  data.tar.gz: a56032f32f0a77b6a5481ed0bc94d3e35bb4fcc4af5a49370701fd486276bd617d2867fef5a7cfe7d570cfc5e3b4e127b1fb6773fd5480938799fb8ede2316a1
+  metadata.gz: b6738f567478a47fd36de992706968c1c42a237dd97d4527434a60fa9ddea5b7a7acb54d8b72e6bc282fd1805126953a358e399a19dab4c0c5e7fd92b4a857ed
+  data.tar.gz: 43f16437835dabb65a7b73981779460e7648e1fa2ba772320132e7500af55c8861effda46f3b181310bdd753dbf1c59af12b3ecdfed5844505e2cf5cbff866fa

data/CHANGES.md

@@ -1,4 +1,168 @@
-# 4.4.0
+# 5.0.0 - 2021-01-26
+
+* Ignore `uuid` as a safe attribute
+* Collapse `__send__` calls
+* Ignore `Tempfile#path` in shell commands
+* Ignore development environment
+* Revamp CSV report to a CSV list of warnings
+* Set Rails configuration defaults based on `load_defaults` version
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
+# 5.0.0.pre1 - 2020-11-17
+
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+* Add support for Haml 5.2.0
+
+# 4.10.0 - 2020-09-28
+
+* Add SARIF report format (Steve Winton)
+
+# 4.9.1 - 2020-09-04
+
+* Check `chomp`ed strings for SQL injection
+* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
+* Always set line number for joined arrays
+* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
+
+# 4.9.0 - 2020-08-04
+
+* Add check for CVE-2020-8166 (Jamie Finnigan)
+* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
+* Add check for user input in `ERB.new` (Matt Hickman)
+* Add `--ensure-ignore-notes` (Eli Block)
+* Remove whitelist/blacklist language, add clarifications
+* Do not warn about mass assignment with `params.permit!.slice`
+* Add "full call" information to call index results
+* Ignore `params.permit!` in path helpers
+* Treat `Dir.glob` as safe source of values in guards
+* Always scan `environment.rb`
+
+# 4.8.2 - 2020-05-12
+
+* Add check for CVE-2020-8159
+* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
+* Add `--text-fields` option
+* Add check for escaping HTML entities in JSON configuration
+
+# 4.8.1 - 2020-04-06
+
+* Check SQL query strings using `String#strip` or `String.squish`
+* Handle non-symbol keys in locals hash for render()
+* Warn about global(!) mass assignment
+* Index calls in render arguments
+
+# 4.8.0 - 2020-02-18 
+
+* Add JUnit-XML report format (Naoki Kimura)
+* Sort ignore files by fingerprint and line (Ngan Pham)
+* Freeze call index results
+* Fix output test when using newer Minitest
+* Properly render confidence in Markdown report
+* Report old warnings as fixed if zero warnings reported
+* Catch dangerous concatenation in `CheckExecute` (Jacob Evelyn)
+* Show user-friendly message when ignore config file has invalid JSON (D. Hicks)
+* Initialize Rails version with `nil` (Carsten Wirth)
+
+# 4.7.2 - 2019-11-25
+
+* Remove version guard for `named_scope` vs. `scope`
+* Find SQL injection in `String#strip_heredoc` target
+* Handle more `permit!` cases
+* Ensure file name is set when processing model
+* Add `request.params` as query parameters
+
+# 4.7.1 - 2019-10-29 
+
+* Check string length against limit before joining
+* Fix errors from frozen `Symbol#to_s` in Ruby 2.7
+* Fix flaky rails4 test (Adam Kiczula)
+* Added release dates to each version in CHANGES (TheSpartan1980)
+* Catch reverse tabnabbing with `:_blank` symbol (Jacob Evelyn)
+* Convert `s(:lambda)` to `s(:call)` in `Sexp#block_call`
+* Sort text report by file and line (Jacob Evelyn)
+
+# 4.7.0 - 2019-10-16
+
+* Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
+* Ignore interpolation in `%W[]`
+* Fix `version_between?` (Andrey Glushkov)
+* Add support for `ruby_parser` 3.14.0
+* Ignore `form_for` for XSS check
+* Update Haml support to Haml 5.x
+* Catch shell injection from `-c` shell commands (Jacob Evelyn)
+* Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
+
+# 4.6.1 - 2019-07-24
+
+* Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)
+
+# 4.6.0 - 2019-07-23
+
+* Skip calls to `dup`
+* Add reverse tabnabbing check (Linos Giannopoulos)
+* Better handling of gems with no version declared
+* Warn people that Haml 5 is not fully supported (Jared Beck)
+* Avoid warning about file access with `ActiveStorage::Filename#sanitized` (Tejas Bubane)
+* Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
+* Restore `Warning#relative_path`
+* Add check for cookie serialization with Marshal
+* Index calls in initializers
+* Improve template output handling in conditional branches
+* Avoid assigning `nil` line numbers to `Sexp`s
+* Add special warning code for custom checks
+* Add call matching by regular expression
+
+# 4.5.1 - 2019-05-11
+
+* Add `Brakeman::FilePath` to represent file paths
+* Handle trailing comma in block args
+* Properly handle empty partial name
+* Use relative paths for `__FILE__`
+* Convert `!!` calls to boolean value
+* Add optional check for `config.force_ssl`
+* Remove code for Ruby versions prior to 1.9
+* Check `link_to` with block for href XSS
+* Add SQL injection checks for `find_or_create_by` and friends
+* Add deserialization warning for `Oj.load/object_load`
+* Add initial Rails 6 support
+* Add SQL injection checks for `destroy_by`/`delete_by`
+
+# 4.5.0 - 2019-03-16
+
+* Update `ruby_parser`, use `ruby_parser-legacy`
+* More thoroughly handle `Shellwords` escaping
+* Handle non-integer version number comparisons
+* Use `FileParser` in `Scanner` to parse files
+* Add original exception to `Tracker#errors` list
+* Add support for CoffeeScript in Slim templates
+* Improve support for embedded template "filters"
+* Remove Sass dependency
+* Set location information in `CheckContentTag`
+* Stop swallowing exceptions in `AliasProcessor`
+* Avoid joining strings with different encodings
+* Handle `**` inside Hash literals
+* Better handling of splat/kwsplat arguments
+* Improve "user input" reported for SQL injection
+
+# 4.4.0 - 2019-01-17
 
 * Set default encoding to UTF-8
 * Update to Slim 4.0.1 (Jake Peterson)
@@ -21,7 +185,7 @@
 * Complete overhaul of warning message construction
 * Deadcode and typo fixes found via Coverity
 
-# 4.3.1
+# 4.3.1 - 2018-06-07
 
 * Ignore `Object#freeze`, use the target instead
 * Ignore `foreign_key` calls in SQL
@@ -34,7 +198,7 @@
 * Improve handling of conditionals in shell commands (Jacob Evelyn)
 * Fix error when setting line number in implicit renders
 
-# 4.3.0
+# 4.3.0 - 2018-05-11
 
 * Check exec-type calls even if they are targets
 * Convert `Array#join` to string interpolation
@@ -50,14 +214,14 @@
 * `--color` can be used to force color output
 * Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
 
-# 4.2.1
+# 4.2.1 - 2018-03-24
 
 * Add warning for CVE-2018-3741
 * Add warning for CVE-2018-8048
 * Scan `app/jobs/` directory
 * Handle `template_exists?` in controllers
 
-# 4.2.0
+# 4.2.0 - 2018-02-22
 
 * Avoid warning about symbol DoS on `Model#attributes`
 * Avoid warning about open redirects with model methods ending with `_path`
@@ -70,12 +234,12 @@
 * Exclude template folders in `lib/` (kru0096)
 * Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
 
-# 4.1.1
+# 4.1.1 - 2017-12-19
 
 * Remove check for use of `permit` with `*_id` keys
 * Avoid duplicate warnings about permitted attributes
 
-# 4.1.0
+# 4.1.0 - 2017-12-14
 
 * Process models as root sexp instead of each sexp
 * Avoid CSRF warning in Rails 5.2 default config
@@ -98,12 +262,12 @@
 * Refactor Code Climate engine options parsing (Noah Davis)
 * Fix upgrade version for CVE-2016-6316
 
-# 4.0.1
+# 4.0.1 - 2017-09-25
 
 * Disable pager when `CI` environment variable is set
 * Fix output when pager fails
 
-# 4.0.0
+# 4.0.0 - 2017-09-25
 
 * Add simple pager for reports output to terminal
 * Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
@@ -117,11 +281,11 @@
 * --exit-on-error and --exit-on-warn are now the default
 * Fix --exit-on-error and --exit-on-warn in config files
 
-# 3.7.2
+# 3.7.2 - 2017-08-16
 
 * Fix --ensure-latest (David Guyon)
 
-# 3.7.1
+# 3.7.1 - 2017-08-16
 
 * Handle simple guard with return at end of branch
 * Modularize bin/brakeman
@@ -129,7 +293,7 @@
 * Add more collection methods for iteration detection
 * Update ruby2ruby and ruby_parser
 
-# 3.7.0
+# 3.7.0 - 2017-06-30
 
 * Improve support for rails4/rails5 options in config file
 * Track more information about constant assignments
@@ -138,7 +302,7 @@
 * Fix false positive for redirect_to in Rails 4 (Mário Areias)
 * Avoid interpolating hashes/arrays on failed access
 
-# 3.6.2
+# 3.6.2 - 2017-05-19
 
 * Handle safe call operator in checks
 * Better handling of `if` expressions in HAML rendering
@@ -153,11 +317,11 @@
 * Handle empty `if` expressions when finding return values
 * Fix finding return value from empty `if`
 
-# 3.6.1
+# 3.6.1 - 2017-03-24
 
 * Fix error when using `--compare` (Sean Gransee)
 
-# 3.6.0 
+# 3.6.0 - 2017-03-23
 
 * Avoid recursive Concerns
 * Branch inside of `case` expressions
@@ -168,7 +332,7 @@
 * Only report CVE-2015-3227 when exact version is known
 * Check targetless SQL calls outside of known models
 
-# 3.5.0
+# 3.5.0 - 2017-02-01
 
 * Allow `-t None`
 * Fail on invalid checks specified by `-x` or `-t`
@@ -183,7 +347,7 @@
 * Handle `included` block in concerns
 * Process concerns before controllers
 
-# 3.4.1
+# 3.4.1 - 2016-11-02
 
 * Show action help at start of interactive ignore
 * Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
@@ -193,7 +357,7 @@
 * Avoid warning about `where_values_hash` in SQLi
 * Fix ignoring link interpolation not at beginning of string
 
-# 3.4.0
+# 3.4.0 - 2016-09-08
 
 * Add new `plain` report format
 * Add option to prune ignore file with `-I`
@@ -202,18 +366,18 @@
 * Support creating reports in non-existent paths
 * Add `--no-exit-warn`
 
-# 3.3.5
+# 3.3.5 - 2016-08-12
 
 * Fix bug in reports when using --debug option
 
-# 3.3.4
+# 3.3.4 - 2016-08-12
 
 * Add generic warning for CVE-2016-6316
 * Warn about dangerous use of `content_tag` with CVE-2016-6316
 * Add warning for CVE-2016-6317
 * Use Minitest
 
-# 3.3.3
+# 3.3.3 - 2016-07-21
 
 * Show path when no Rails app found (Neil Matatall)
 * Index calls in view helpers
@@ -226,11 +390,11 @@
 * Sexp#value returns nil when there is no value
 * Improve return value estimation
 
-# 3.3.2
+# 3.3.2 - 2016-06-10
 
 * Fix serious performance regression with global constant tracking
 
-# 3.3.1 
+# 3.3.1 - 2016-06-03
 
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
@@ -241,7 +405,7 @@
 * Add `--force-scan` option (Neil Matatall)
 * Improved line number accuracy in ERB templates (Patrick Toomey)
 
-# 3.3.0
+# 3.3.0 - 2016-05-05
 
 * Skip processing obviously false if branches (more broadly)
 * Skip if branches with `Rails.env.test?`
@@ -259,11 +423,11 @@
 * [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
 * [Code Climate engine] Report end lines for issues (Gordon Diggs)
 
-# 3.2.1
+# 3.2.1 - 2016-02-25
 
 * Remove `multi_json` dependency from `bin/brakeman`
 
-# 3.2.0
+# 3.2.0 - 2016-02-25
 
 * Skip Symbol DoS check on Rails 5
 * Only update ignore config file on changes
@@ -277,7 +441,7 @@
 * Avoid render warnings about params[:action]/params[:controller]
 * Index calls in class bodies but outside methods
 
-# 3.1.5
+# 3.1.5 - 2016-01-28
 
 * Fix CodeClimate construction of --only-files (Will Fleming)
 * Add check for denial of service via routes (CVE-2015-7581)
@@ -296,7 +460,7 @@
 * Handle module names with self methods
 * Add session manipulation documentation
 
-# 3.1.4
+# 3.1.4 - 2015-12-22
 
 * Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
 * Ignore secrets.yml if in .gitignore
@@ -304,7 +468,7 @@
 * Increase test coverage for option parsing (Zander Mackie)
 * Work around safe_yaml error
 
-# 3.1.3
+# 3.1.3 - 2015-12-03
 
 * Check for session secret in secrets.yml
 * Respect `exit_on_warn` in config file
@@ -318,7 +482,7 @@
 * Depend on safe_yaml 1.0 or later
 * Test coverage improvements for Brakema module (Bethany Rentz)
 
-# 3.1.2
+# 3.1.2 - 2015-10-28
 
 * Treat `current_user` like a model
 * Set user input value for inline renders
@@ -336,7 +500,7 @@
 * Sortable tables in HTML report (David Lanner)
 * Search for config file relative to application root
 
-# 3.1.1
+# 3.1.1 - 2015-09-23
 
 * Add optional check for use of MD5 and SHA1
 * Avoid warning when linking to decorated models
@@ -350,7 +514,7 @@
 * Support newer terminal-table releases
 * Allow searching call index methods by regex (Alex Ianus)
 
-# 3.1.0
+# 3.1.0 - 2015-08-31
 
 * Add support for gems.rb/gems.locked
 * Update render path information in JSON reports
@@ -369,18 +533,18 @@
 * Expand safe methods to match methods with targets
 * Avoid duplicate eval() warnings
 
-# 3.0.5
+# 3.0.5 - 2015-06-20
 
 * Fix check for CVE-2015-3227
 
-# 3.0.4
+# 3.0.4 - 2015-06-18
 
 * Add check for CVE-2015-3226 (XSS via JSON keys)
 * Add check for CVE-2015-3227 (XML DoS)
 * Treat `<%==` as unescaped output
 * Update `ruby_parser` dependency to 3.7.0
 
-# 3.0.3
+# 3.0.3 - 2015-04-20
 
 * Ignore more Arel methods in SQL
 * Warn about protect_from_forgery without exceptions (Neil Matatall)
@@ -391,7 +555,7 @@
 * Do not ignore targets of `to_s` in SQL
 * Add Rake task to exit with error code on warnings (masarakki)
 
-# 3.0.2
+# 3.0.2 - 2015-03-09
 
 * Alias process methods called in class scope on models
 * Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
@@ -407,7 +571,7 @@
 * Fix CSV output when there are no warnings
 * Handle processing of explicitly shadowed block arguments
 
-# 3.0.1
+# 3.0.1 - 2015-01-23
 
 * Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
 * Properly format command interpolation (again)
@@ -416,7 +580,7 @@
 * Add `--add-libs-path` for additional libraries (Patrick Toomey)
 * Properly process libraries (Patrick Toomey)
 
-# 3.0.0
+# 3.0.0 - 2015-01-03
 
 * Add check for CVE-2014-7829
 * Add check for cross-site scripting via inline renders
@@ -435,7 +599,7 @@
 * CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
 * Change `--separate-models` to be the default
 
-# 2.6.3
+# 2.6.3 - 2014-10-14
 
 * Whitelist `exists` arel method from SQL injection check
 * Avoid warning about Symbol DoS on safe parameters as method targets
@@ -444,7 +608,7 @@
 * Add framework for optional checks
 * Fix stack overflow for cycles in class ancestors (Jeff Rafter)
 
-# 2.6.2 
+# 2.6.2 - 2014-08-18
 
 * Add check for CVE-2014-3415
 * Avoid warning about symbolizing safe parameters
@@ -458,13 +622,13 @@
 * Fix block statement endings in Erubis
 * Fix undefined variable in controller processing error (Jason Barnabe) 
 
-# 2.6.1
+# 2.6.1 - 2014-07-02
 
 * Add check for CVE-2014-3482 and CVE-2014-3483
 * Add support for keyword arguments in blocks
 * Remove unused warning codes (Bill Fischer)
 
-# 2.6.0
+# 2.6.0 - 2014-06-06
 
 * Fix detection of `:host` setting in redirects with chained calls
 * Add check for CVE-2014-0130
@@ -478,7 +642,7 @@
 * Ignore more model methods in redirects
 * Fix CheckRender with nested render calls
 
-# 2.5.0
+# 2.5.0 - 2014-04-30
 
  * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
  * Add support for Rails 4 `before_actions` and friends
@@ -493,11 +657,11 @@
  * Handle more non-literals in routes
  * Add check for regex denial of service (Ben Toews) 
 
-# 2.4.3
+# 2.4.3 - 2014-03-23
 
  No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.
 
-# 2.4.2
+# 2.4.2 - 2014-03-21
 
  * Remove `rescue Exception`
  * Fix duplicate warnings about sanitize CVE
@@ -506,13 +670,13 @@
  * Skip identically rendered templates
  * Fix HAML template processing
 
-# 2.4.1
+# 2.4.1 - 2014-02-19
 
  * Add check for CVE-2014-0082
  * Add check for CVE-2014-0081, replaces CVE-2013-6415
  * Add check for CVE-2014-0080
 
-# 2.4.0 
+# 2.4.0 - 2014-02-05
 
  * Detect Rails LTS versions
  * Reduce false positives for SQL injection in string building
@@ -527,12 +691,12 @@
  * No longer raise exceptions if a class name cannot be determined
  * Fingerprint attribute warnings individually (Case Taintor)
 
-# 2.3.1
+# 2.3.1 - 2013-12-13
 
  * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
  * Fix link for CVE-2013-6415 (number_to_currency)
 
-# 2.3.0
+# 2.3.0 - 2013-12-12
 
  * Add check for Parameters#permit!
  * Add check for CVE-2013-4491 (i18n XSS)
@@ -546,7 +710,7 @@
  * Whitelist `Model#create` for redirects
  * Fix scoping issues with instance variables and blocks
 
-# 2.2.0 
+# 2.2.0 - 2013-10-28
 
  * Reduce command injection false positives
  * Use Rails version from Gemfile if it is available
@@ -555,14 +719,14 @@
  * Support scanning Rails engines (Geoffrey Hichborn)
  * Add check for detailed exceptions in production
 
-# 2.1.2
+# 2.1.2 - 2013-09-18
 
  * Do not attempt to load custom Haml filters
  * Do not warn about `to_json` XSS in Rails 4
  * Add --table-width option to set width of text reports (ssendev)
  * Remove fuzzy matching on dangerous attr_accessible values
 
-# 2.1.1
+# 2.1.1 - 2013-08-21
 
  * New warning code for dangerous attributes in attr_accessible
  * Do not warn on attr_accessible using roles
@@ -573,7 +737,7 @@
  * Fix infinite loop when run as rake task (Matthew Shanley)
  * Respect ignored warnings in tabs format reports
 
-# 2.1.0
+# 2.1.0 - 2013-07-17
 
  * Support non-native line endings in Gemfile.lock (Paul Deardorff)
  * Support for ignoring warnings
@@ -593,7 +757,7 @@
  * Fix output format detection to be more strict again
  * Allow empty Brakeman configuration file
 
-# 2.0.0
+# 2.0.0 - 2013-05-20
   
  * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
  * Add Marshal/CSV deserialization check
@@ -623,7 +787,7 @@
  * Use exceptions instead of abort in brakeman lib
  * Update to Ruby2Ruby 2.0.5
 
-# 1.9.5
+# 1.9.5 - 2013-04-05
 
  * Add check for unsafe symbol creation
  * Do not warn on mass assignment with `slice`/`only`
@@ -638,7 +802,7 @@
  * More fixes for assignments inside branches
  * Pin to ruby2ruby version 2.0.3
 
-# 1.9.4
+# 1.9.4 - 2013-03-19
  
  * Add check for CVE-2013-1854
  * Add check for CVE-2013-1855
@@ -650,7 +814,7 @@
  * Slightly faster cloning of Sexps
  * Detect another way to add `strong_parameters`
 
-# 1.9.3
+# 1.9.3 - 2013-03-01
  
  * Add render path to JSON report
  * Add warning fingerprints
@@ -665,7 +829,7 @@
  * Expand HAML dependency to include 4.0
  * Scroll errors into view when expanding in HTML report
 
-# 1.9.2
+# 1.9.2 - 2013-02-14
 
  * Add check for CVE-2013-0269
  * Add check for CVE-2013-0276
@@ -676,7 +840,7 @@
  * Check for more dangerous YAML methods
  * Support MultiJSON 1.2 for Rails 3.0 and 3.1
 
-# 1.9.1
+# 1.9.1 - 2013-01-19
 
  * Update to RubyParser 3.1.1 (neersighted)
  * Remove ActiveSupport dependency (Neil Matatall)
@@ -688,7 +852,7 @@
  * Add check for CVE-2013-0156
  * Add check for unsafe `YAML.load`
 
-# 1.9.0
+# 1.9.0 - 2012-12-25
 
  * Update to RubyParser 3
  * Ignore route information by default
@@ -708,7 +872,7 @@
  * Handle empty model files
  * Remove "find by regex" feature from `CallIndex`
 
-# 1.8.3
+# 1.8.3 - 2012-11-13
 
  * Use `multi_json` gem for better harmony
  * Performance improvement for call indexing
@@ -724,7 +888,7 @@
  * Fix error in rescan of mixins with symbols in method name
  * Do not rescan non-Ruby files in config/
 
-# 1.8.2
+# 1.8.2 - 2012-10-17
 
  * Fixed rescanning problems caused by 1.8.0 changes
  * Fix scope calls with single argument
@@ -733,7 +897,7 @@
  * Much improved test coverage
  * Add CHANGES to gemspec
 
-# 1.8.1
+# 1.8.1 - 2012-09-24
 
  * Recover from errors in output formatting
  * Fix false positive in redirect_to (Neil Matatall)
@@ -745,7 +909,7 @@
  * Handle super calls with blocks
  * Respect `-q` flag for "Rails 3 detected" message
 
-# 1.8.0
+# 1.8.0 - 2012-09-05
 
  * Support relative paths in reports (fsword)
  * Allow Brakeman to be run without tty (fsword)
@@ -761,7 +925,7 @@
  * Treat model attributes in `or` expressions as immediate values
  * Switch to method access for Sexp nodes
 
-# 1.7.1
+# 1.7.1 - 2012-08-13
 
  * Add check for CVE-2012-3463
  * Add check for CVE-2012-3464
@@ -769,7 +933,7 @@
  * Add charset to HTML report (hooopo)
  * Report XSS in select() for Rails 2
 
-# 1.7.0
+# 1.7.0 - 2012-07-31
 
  * Add check for CVE-2012-3424
  * Link report types to descriptions on website
@@ -784,7 +948,7 @@
  * Fix processing of negative array indexes
  * Add line breaks to truncated table rows
 
-# 1.6.2
+# 1.6.2 - 2012-06-13
 
  * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
  * Avoid warning when redirecting to a model instance
@@ -796,7 +960,7 @@
  * Cache before_filter lookups
  * Turn off quiet mode by default for `--compare`
 
-# 1.6.1
+# 1.6.1 - 2012-05-23
 
  * Major rewrite of CheckSQL
  * Fix rescanning of deleted templates
@@ -806,7 +970,7 @@
  * Fix highlighting of HTML escaped values in HTML report
  * Report line number of highlighted value, if available
 
-# 1.6.0
+# 1.6.0 - 2012-04-20
 
  * Remove the Ruport dependency (Neil Matatall)
  * Add more informational JSON output (Neil Matatall)
@@ -818,7 +982,7 @@
  * Fix rescanning of deleted files 
  * Properly check for rails_xss in Gemfile
 
-# 1.5.3
+# 1.5.3 - 2012-04-10
 
  * Add check for user input in Object#send (Neil Matatall)
  * Handle render :layout in views
@@ -832,7 +996,7 @@
  * Improve handling of modules and nesting
  * Test for zero errors in test reports
 
-# 1.5.2
+# 1.5.2 - 2012-03-22
 
  * Fix link_to checks for Rails 2.0 and 2.3
  * Fix rescanning of lib files (Neil Matatall)
@@ -843,7 +1007,7 @@
  * Fix handling of views when using rails_xss
  * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
 
-# 1.5.1
+# 1.5.1- 2012-03-06
 
  * Fix detection of global mass assignment setting
  * Fix partial rendering in Rails 3
@@ -853,7 +1017,7 @@
  * Add tracking of module and class to Brakeman::BaseProcessor
  * Report module when using Brakeman::FindCall
 
-# 1.5.0
+# 1.5.0 - 2012-03-02
 
  * Add version check for SafeBuffer vulnerability
  * Add check for select vulnerability in Rails 3
@@ -864,7 +1028,7 @@
  * Standardize methods to check for SQL injection
  * Fix Rails 2 route parsing issue with nested routes
 
-# 1.4.0
+# 1.4.0 - 2012-02-24
 
  * Add check for user input in link_to href parameter
  * Match ERB processing to rails_xss plugin when plugin used
@@ -872,7 +1036,7 @@
  * Warnings below minimum confidence are dropped completely
  * Brakeman.run always returns a Tracker
 
-# 1.3.0
+# 1.3.0 - 2012-02-09
 
  * Add file paths to HTML report
  * Add caching of filters
@@ -885,7 +1049,7 @@
  * Better variable substitution
  * Table output option for rescan reports
 
-# 1.2.2
+# 1.2.2 - 2012-01-26
 
  * --no-progress works again
  * Make CheckLinkTo a separate check
@@ -893,7 +1057,7 @@
  * Handle empty resource(s) blocks
  * Add RescanReport#existing_warnings
 
-## 1.2.1
+## 1.2.1 - 2012-01-20
 
  * Remove link_to warning for Rails 3.x or when using rails_xss
  * Don't warn if first argument to link_to is escaped
@@ -905,7 +1069,7 @@
  * Add Brakeman::RescanReport#to_s
  * Add Brakeman::Warning#to_s
 
-## 1.2.0
+## 1.2.0 - 2012-01-14
 
  * Speed improvements for CheckExecute and CheckRender
  * Check named_scope() and scope() for SQL injection
@@ -914,7 +1078,7 @@
  * Add --summary option to only output summary
  * Fix a problem with Rails 3 routes
 
-## 1.1.0
+## 1.1.0 - 2011-12-22
 
  * Relax required versions for dependencies
  * Performance improvements for source processing
@@ -924,14 +1088,14 @@
  * Compatibility with newer Haml versions
  * Fix some warnings
 
-## 1.0.0
+## 1.0.0 - 2011-12-08
 
  * Better handling of assignments inside ifs
  * Check more expressions for SQL injection
  * Use latest ruby_parser for better 1.9 syntax support
  * Better behavior for Brakeman as a library
 
-## 1.0.0rc1
+## 1.0.0rc1 - 2011-12-06
 
  * Brakeman can now be used as a library
  * Faster call search
@@ -944,23 +1108,23 @@
  * Ignore mass assignment using all literal arguments
  * Keep expanded context in view with HTML output
 
-## 0.9.2
+## 0.9.2 - 2011-11-22
 
  * Fix Rails 3 configuration parsing
  * Add t() helper to check for translate XSS bug
 
-## 0.9.1
+## 0.9.1 - 2011-11-18
 
  * Add warning for translator helper XSS vulnerability
 
-## 0.9.0
+## 0.9.0 - 2011-11-17
 
  * Process Rails 3 configuration files
  * Fix CSV output
  * Check for config.active_record.whitelist_attributes = true
  * Always produce a warning for without_protection => true
 
-## 0.8.4
+## 0.8.4 - 2011-11-04
 
  * Option for separate attr_accessible warnings
  * Option to set CSS file for HTML output
@@ -969,23 +1133,23 @@
  * Fix hash_insert()
  * Remove use of Queue from threaded checks
 
-## 0.8.3
+## 0.8.3 - 2011-10-25
  
  * Respect -w flag in .tabs format (tw-ngreen)
  * Escape HTML output of error messages
  * Add --skip-libs option
 
-## 0.8.2
+## 0.8.2 - 2011-10-01
 
  * Run checks in parallel threads by default
  * Fix compatibility with ruby_parser 2.3.1
 
-## 0.8.1
+## 0.8.1 - 2011-09-28
 
  * Add option to assume all controller methods are actions
  * Recover from errors when parsing routes
 
-## 0.8.0
+## 0.8.0 - 2011-09-15
 
  * Add check for mass assignment using without_protection
  * Add check for password in http_basic_authenticate_with
@@ -996,30 +1160,30 @@
  * Add ruby_parser hack for Ruby 1.9 hash syntax
  * Add a few Rails 3.1 tests
 
-## 0.7.2
+## 0.7.2 - 2011-08-27
 
  * Fix handling of params and cookies with nested access
  * Add CVEs for checks added in 0.7.0
 
-## 0.7.1
+## 0.7.1 - 2011-08-18
 
  * Require BaseProcessor for GemProcessor
 
-## 0.7.0
+## 0.7.0 - 2011-08-17
 
  * Allow local variable as a class name
  * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
  * Check for default routes in Rails 3 apps
  * Look in Gemfile or Gemfile.lock for Rails version
 
-## 0.6.1
+## 0.6.1 - 2011-07-29
 
  * Fix XSS check for cookies as parameters in output
  * Don't bother calling super in CheckSessionSettings
  * Add escape_once as a safe method
  * Accept '\Z' or '\z' in model validations
 
-## 0.6.0
+## 0.6.0 - 2011-07-20
 
  * Tests are in place and fully functional
  * Hide errors by default in HTML output
@@ -1032,17 +1196,17 @@
  * Fixes to escaped output scanning
  * Update CSRF CVE-2011-0447 message to be less assertive
 
-## 0.5.2
+## 0.5.2 - 2011-06-29
 
  * Output report file name when finished
  * Add initial tests for Rails 2.x
  * Fix ERB line numbers when using Ruby 1.9
 
-## 0.5.1
+## 0.5.1 - 2011-06-17
 
  * Fix issue with 'has_one' => in routes
 
-## 0.5.0
+## 0.5.0 - 2011-06-08
 
   * Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
   * Allow empty blocks in Rails 3 routes
@@ -1050,52 +1214,52 @@
   * Add line numbers to session setting warnings
   * Add --checks option to list checks
 
-## 0.4.1
+## 0.4.1 - 2011-05-23
   
   * Fix reported line numbers when using new Erubis parser
     (Mostly affects Rails 3 apps)
 
-## 0.4.0
+## 0.4.0 - 2011-05-19
 
   * Handle Rails XSS protection properly
   * More detection options for rails_xss
   * Add --escape-html option 
 
-## 0.3.2  
+## 0.3.2 - 2011-05-12  
 
   * Autodetect Rails 3 applications
   * Turn on auto-escaping for Rails 3 apps
   * Check Model.create() for mass assignment
 
-## 0.3.1
+## 0.3.1 - 2011-05-03
 
   * Always output a line number in tabbed output format
   * Restrict characters in category name in tabbed output format to
     word characters and spaces, for Hudson/Jenkins plugin
 
-## 0.3.0
+## 0.3.0 - 2011-03-21
 
   * Check for SQL injection in calls using constantize()
   * Check for SQL injection in calls to count_by_sql()
 
-## 0.2.2
+## 0.2.2 - 2011-02-22
 
   * Fix version_between? when no Rails version is specified
 
-## 0.2.1
+## 0.2.1 - 2011-02-18
 
   * Add code snippet to tab output messages
 
-## 0.2.0
+## 0.2.0 - 2011-02-16
 
   * Add check for mail_to vulnerability - CVE-2011-0446
   * Add check for CSRF weakness - CVE-2011-0447
 
-## 0.1.1
+## 0.1.1 - 2011-01-25
 
   * Be more permissive with ActiveSupport version
 
-## 0.1.0
+## 0.1.0 - 2011-01-18
 
   * Check link_to for XSS (because arguments are not escaped)
   * Process layouts better (although not perfectly yet)