brakeman 4.5.1 → 4.10.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7b421b3c9b1e3511d9f76869f86e07c04ce9267569d5d4f2d0965d8ce7303b93
-  data.tar.gz: 1189f4d043614c6624148f72b855db712c3297a51e4c87dcf12afa3a55150554
+  metadata.gz: 1266c840ed2a8f9b6e44686cba353eb6f75eb8d4ec87c7bbdcc56d81785b9227
+  data.tar.gz: a0ed358121968434f3289b25685970d338d72f1d1f97b0c27103a81a9792cb16
 SHA512:
-  metadata.gz: d3217750dd567855b96f0ad573f4386c07ba6540781e93da79305cc78e5dbd900a770bb7c06e068f539442b2aa6dfcf407b3be92c219cc0b139f1b11cfa4e1f5
-  data.tar.gz: 158479b5adb292bd783c817606a2bef28f114a6043e7bd906ba4ef8a6f56696028c86dfa0872e494b9a39a9b52bf8fec217ef5d463f987317eeb3bf485323e6e
+  metadata.gz: 22f064e0f38f304c3d9a18e0c7d36999b7161f9e33ff5c5cd4bca669d19b331e0f92651eb238faf1fd58de66c14da166d7de89353913d806d970f77eb87fa992
+  data.tar.gz: 4345e389eb3f592139f32cf70b8d618fcb8695cee9f4a8398fdaa636ac5e9be7b2b0ebe6667810f5cd0667f33898effcd9fbf8beac36f48883da73b68fa7c76f

data/CHANGES.md

@@ -1,4 +1,111 @@
-# 4.5.1 
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
+# 4.10.0 - 2020-09-28
+
+* Add SARIF report format (Steve Winton)
+
+# 4.9.1 - 2020-09-04
+
+* Check `chomp`ed strings for SQL injection
+* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
+* Always set line number for joined arrays
+* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
+
+# 4.9.0 - 2020-08-04
+
+* Add check for CVE-2020-8166 (Jamie Finnigan)
+* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
+* Add check for user input in `ERB.new` (Matt Hickman)
+* Add `--ensure-ignore-notes` (Eli Block)
+* Remove whitelist/blacklist language, add clarifications
+* Do not warn about mass assignment with `params.permit!.slice`
+* Add "full call" information to call index results
+* Ignore `params.permit!` in path helpers
+* Treat `Dir.glob` as safe source of values in guards
+* Always scan `environment.rb`
+
+# 4.8.2 - 2020-05-12
+
+* Add check for CVE-2020-8159
+* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
+* Add `--text-fields` option
+* Add check for escaping HTML entities in JSON configuration
+
+# 4.8.1 - 2020-04-06
+
+* Check SQL query strings using `String#strip` or `String.squish`
+* Handle non-symbol keys in locals hash for render()
+* Warn about global(!) mass assignment
+* Index calls in render arguments
+
+# 4.8.0 - 2020-02-18 
+
+* Add JUnit-XML report format (Naoki Kimura)
+* Sort ignore files by fingerprint and line (Ngan Pham)
+* Freeze call index results
+* Fix output test when using newer Minitest
+* Properly render confidence in Markdown report
+* Report old warnings as fixed if zero warnings reported
+* Catch dangerous concatenation in `CheckExecute` (Jacob Evelyn)
+* Show user-friendly message when ignore config file has invalid JSON (D. Hicks)
+* Initialize Rails version with `nil` (Carsten Wirth)
+
+# 4.7.2 - 2019-11-25
+
+* Remove version guard for `named_scope` vs. `scope`
+* Find SQL injection in `String#strip_heredoc` target
+* Handle more `permit!` cases
+* Ensure file name is set when processing model
+* Add `request.params` as query parameters
+
+# 4.7.1 - 2019-10-29 
+
+* Check string length against limit before joining
+* Fix errors from frozen `Symbol#to_s` in Ruby 2.7
+* Fix flaky rails4 test (Adam Kiczula)
+* Added release dates to each version in CHANGES (TheSpartan1980)
+* Catch reverse tabnabbing with `:_blank` symbol (Jacob Evelyn)
+* Convert `s(:lambda)` to `s(:call)` in `Sexp#block_call`
+* Sort text report by file and line (Jacob Evelyn)
+
+# 4.7.0 - 2019-10-16
+
+* Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
+* Ignore interpolation in `%W[]`
+* Fix `version_between?` (Andrey Glushkov)
+* Add support for `ruby_parser` 3.14.0
+* Ignore `form_for` for XSS check
+* Update Haml support to Haml 5.x
+* Catch shell injection from `-c` shell commands (Jacob Evelyn)
+* Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
+
+# 4.6.1 - 2019-07-24
+
+* Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)
+
+# 4.6.0 - 2019-07-23
+
+* Skip calls to `dup`
+* Add reverse tabnabbing check (Linos Giannopoulos)
+* Better handling of gems with no version declared
+* Warn people that Haml 5 is not fully supported (Jared Beck)
+* Avoid warning about file access with `ActiveStorage::Filename#sanitized` (Tejas Bubane)
+* Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
+* Restore `Warning#relative_path`
+* Add check for cookie serialization with Marshal
+* Index calls in initializers
+* Improve template output handling in conditional branches
+* Avoid assigning `nil` line numbers to `Sexp`s
+* Add special warning code for custom checks
+* Add call matching by regular expression
+
+# 4.5.1 - 2019-05-11
 
 * Add `Brakeman::FilePath` to represent file paths
 * Handle trailing comma in block args
@@ -13,7 +120,7 @@
 * Add initial Rails 6 support
 * Add SQL injection checks for `destroy_by`/`delete_by`
 
-# 4.5.0
+# 4.5.0 - 2019-03-16
 
 * Update `ruby_parser`, use `ruby_parser-legacy`
 * More thoroughly handle `Shellwords` escaping
@@ -30,7 +137,7 @@
 * Better handling of splat/kwsplat arguments
 * Improve "user input" reported for SQL injection
 
-# 4.4.0
+# 4.4.0 - 2019-01-17
 
 * Set default encoding to UTF-8
 * Update to Slim 4.0.1 (Jake Peterson)
@@ -53,7 +160,7 @@
 * Complete overhaul of warning message construction
 * Deadcode and typo fixes found via Coverity
 
-# 4.3.1
+# 4.3.1 - 2018-06-07
 
 * Ignore `Object#freeze`, use the target instead
 * Ignore `foreign_key` calls in SQL
@@ -66,7 +173,7 @@
 * Improve handling of conditionals in shell commands (Jacob Evelyn)
 * Fix error when setting line number in implicit renders
 
-# 4.3.0
+# 4.3.0 - 2018-05-11
 
 * Check exec-type calls even if they are targets
 * Convert `Array#join` to string interpolation
@@ -82,14 +189,14 @@
 * `--color` can be used to force color output
 * Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
 
-# 4.2.1
+# 4.2.1 - 2018-03-24
 
 * Add warning for CVE-2018-3741
 * Add warning for CVE-2018-8048
 * Scan `app/jobs/` directory
 * Handle `template_exists?` in controllers
 
-# 4.2.0
+# 4.2.0 - 2018-02-22
 
 * Avoid warning about symbol DoS on `Model#attributes`
 * Avoid warning about open redirects with model methods ending with `_path`
@@ -102,12 +209,12 @@
 * Exclude template folders in `lib/` (kru0096)
 * Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
 
-# 4.1.1
+# 4.1.1 - 2017-12-19
 
 * Remove check for use of `permit` with `*_id` keys
 * Avoid duplicate warnings about permitted attributes
 
-# 4.1.0
+# 4.1.0 - 2017-12-14
 
 * Process models as root sexp instead of each sexp
 * Avoid CSRF warning in Rails 5.2 default config
@@ -130,12 +237,12 @@
 * Refactor Code Climate engine options parsing (Noah Davis)
 * Fix upgrade version for CVE-2016-6316
 
-# 4.0.1
+# 4.0.1 - 2017-09-25
 
 * Disable pager when `CI` environment variable is set
 * Fix output when pager fails
 
-# 4.0.0
+# 4.0.0 - 2017-09-25
 
 * Add simple pager for reports output to terminal
 * Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
@@ -149,11 +256,11 @@
 * --exit-on-error and --exit-on-warn are now the default
 * Fix --exit-on-error and --exit-on-warn in config files
 
-# 3.7.2
+# 3.7.2 - 2017-08-16
 
 * Fix --ensure-latest (David Guyon)
 
-# 3.7.1
+# 3.7.1 - 2017-08-16
 
 * Handle simple guard with return at end of branch
 * Modularize bin/brakeman
@@ -161,7 +268,7 @@
 * Add more collection methods for iteration detection
 * Update ruby2ruby and ruby_parser
 
-# 3.7.0
+# 3.7.0 - 2017-06-30
 
 * Improve support for rails4/rails5 options in config file
 * Track more information about constant assignments
@@ -170,7 +277,7 @@
 * Fix false positive for redirect_to in Rails 4 (Mário Areias)
 * Avoid interpolating hashes/arrays on failed access
 
-# 3.6.2
+# 3.6.2 - 2017-05-19
 
 * Handle safe call operator in checks
 * Better handling of `if` expressions in HAML rendering
@@ -185,11 +292,11 @@
 * Handle empty `if` expressions when finding return values
 * Fix finding return value from empty `if`
 
-# 3.6.1
+# 3.6.1 - 2017-03-24
 
 * Fix error when using `--compare` (Sean Gransee)
 
-# 3.6.0 
+# 3.6.0 - 2017-03-23
 
 * Avoid recursive Concerns
 * Branch inside of `case` expressions
@@ -200,7 +307,7 @@
 * Only report CVE-2015-3227 when exact version is known
 * Check targetless SQL calls outside of known models
 
-# 3.5.0
+# 3.5.0 - 2017-02-01
 
 * Allow `-t None`
 * Fail on invalid checks specified by `-x` or `-t`
@@ -215,7 +322,7 @@
 * Handle `included` block in concerns
 * Process concerns before controllers
 
-# 3.4.1
+# 3.4.1 - 2016-11-02
 
 * Show action help at start of interactive ignore
 * Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
@@ -225,7 +332,7 @@
 * Avoid warning about `where_values_hash` in SQLi
 * Fix ignoring link interpolation not at beginning of string
 
-# 3.4.0
+# 3.4.0 - 2016-09-08
 
 * Add new `plain` report format
 * Add option to prune ignore file with `-I`
@@ -234,18 +341,18 @@
 * Support creating reports in non-existent paths
 * Add `--no-exit-warn`
 
-# 3.3.5
+# 3.3.5 - 2016-08-12
 
 * Fix bug in reports when using --debug option
 
-# 3.3.4
+# 3.3.4 - 2016-08-12
 
 * Add generic warning for CVE-2016-6316
 * Warn about dangerous use of `content_tag` with CVE-2016-6316
 * Add warning for CVE-2016-6317
 * Use Minitest
 
-# 3.3.3
+# 3.3.3 - 2016-07-21
 
 * Show path when no Rails app found (Neil Matatall)
 * Index calls in view helpers
@@ -258,11 +365,11 @@
 * Sexp#value returns nil when there is no value
 * Improve return value estimation
 
-# 3.3.2
+# 3.3.2 - 2016-06-10
 
 * Fix serious performance regression with global constant tracking
 
-# 3.3.1 
+# 3.3.1 - 2016-06-03
 
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
@@ -273,7 +380,7 @@
 * Add `--force-scan` option (Neil Matatall)
 * Improved line number accuracy in ERB templates (Patrick Toomey)
 
-# 3.3.0
+# 3.3.0 - 2016-05-05
 
 * Skip processing obviously false if branches (more broadly)
 * Skip if branches with `Rails.env.test?`
@@ -291,11 +398,11 @@
 * [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
 * [Code Climate engine] Report end lines for issues (Gordon Diggs)
 
-# 3.2.1
+# 3.2.1 - 2016-02-25
 
 * Remove `multi_json` dependency from `bin/brakeman`
 
-# 3.2.0
+# 3.2.0 - 2016-02-25
 
 * Skip Symbol DoS check on Rails 5
 * Only update ignore config file on changes
@@ -309,7 +416,7 @@
 * Avoid render warnings about params[:action]/params[:controller]
 * Index calls in class bodies but outside methods
 
-# 3.1.5
+# 3.1.5 - 2016-01-28
 
 * Fix CodeClimate construction of --only-files (Will Fleming)
 * Add check for denial of service via routes (CVE-2015-7581)
@@ -328,7 +435,7 @@
 * Handle module names with self methods
 * Add session manipulation documentation
 
-# 3.1.4
+# 3.1.4 - 2015-12-22
 
 * Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
 * Ignore secrets.yml if in .gitignore
@@ -336,7 +443,7 @@
 * Increase test coverage for option parsing (Zander Mackie)
 * Work around safe_yaml error
 
-# 3.1.3
+# 3.1.3 - 2015-12-03
 
 * Check for session secret in secrets.yml
 * Respect `exit_on_warn` in config file
@@ -350,7 +457,7 @@
 * Depend on safe_yaml 1.0 or later
 * Test coverage improvements for Brakema module (Bethany Rentz)
 
-# 3.1.2
+# 3.1.2 - 2015-10-28
 
 * Treat `current_user` like a model
 * Set user input value for inline renders
@@ -368,7 +475,7 @@
 * Sortable tables in HTML report (David Lanner)
 * Search for config file relative to application root
 
-# 3.1.1
+# 3.1.1 - 2015-09-23
 
 * Add optional check for use of MD5 and SHA1
 * Avoid warning when linking to decorated models
@@ -382,7 +489,7 @@
 * Support newer terminal-table releases
 * Allow searching call index methods by regex (Alex Ianus)
 
-# 3.1.0
+# 3.1.0 - 2015-08-31
 
 * Add support for gems.rb/gems.locked
 * Update render path information in JSON reports
@@ -401,18 +508,18 @@
 * Expand safe methods to match methods with targets
 * Avoid duplicate eval() warnings
 
-# 3.0.5
+# 3.0.5 - 2015-06-20
 
 * Fix check for CVE-2015-3227
 
-# 3.0.4
+# 3.0.4 - 2015-06-18
 
 * Add check for CVE-2015-3226 (XSS via JSON keys)
 * Add check for CVE-2015-3227 (XML DoS)
 * Treat `<%==` as unescaped output
 * Update `ruby_parser` dependency to 3.7.0
 
-# 3.0.3
+# 3.0.3 - 2015-04-20
 
 * Ignore more Arel methods in SQL
 * Warn about protect_from_forgery without exceptions (Neil Matatall)
@@ -423,7 +530,7 @@
 * Do not ignore targets of `to_s` in SQL
 * Add Rake task to exit with error code on warnings (masarakki)
 
-# 3.0.2
+# 3.0.2 - 2015-03-09
 
 * Alias process methods called in class scope on models
 * Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
@@ -439,7 +546,7 @@
 * Fix CSV output when there are no warnings
 * Handle processing of explicitly shadowed block arguments
 
-# 3.0.1
+# 3.0.1 - 2015-01-23
 
 * Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
 * Properly format command interpolation (again)
@@ -448,7 +555,7 @@
 * Add `--add-libs-path` for additional libraries (Patrick Toomey)
 * Properly process libraries (Patrick Toomey)
 
-# 3.0.0
+# 3.0.0 - 2015-01-03
 
 * Add check for CVE-2014-7829
 * Add check for cross-site scripting via inline renders
@@ -467,7 +574,7 @@
 * CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
 * Change `--separate-models` to be the default
 
-# 2.6.3
+# 2.6.3 - 2014-10-14
 
 * Whitelist `exists` arel method from SQL injection check
 * Avoid warning about Symbol DoS on safe parameters as method targets
@@ -476,7 +583,7 @@
 * Add framework for optional checks
 * Fix stack overflow for cycles in class ancestors (Jeff Rafter)
 
-# 2.6.2 
+# 2.6.2 - 2014-08-18
 
 * Add check for CVE-2014-3415
 * Avoid warning about symbolizing safe parameters
@@ -490,13 +597,13 @@
 * Fix block statement endings in Erubis
 * Fix undefined variable in controller processing error (Jason Barnabe) 
 
-# 2.6.1
+# 2.6.1 - 2014-07-02
 
 * Add check for CVE-2014-3482 and CVE-2014-3483
 * Add support for keyword arguments in blocks
 * Remove unused warning codes (Bill Fischer)
 
-# 2.6.0
+# 2.6.0 - 2014-06-06
 
 * Fix detection of `:host` setting in redirects with chained calls
 * Add check for CVE-2014-0130
@@ -510,7 +617,7 @@
 * Ignore more model methods in redirects
 * Fix CheckRender with nested render calls
 
-# 2.5.0
+# 2.5.0 - 2014-04-30
 
  * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
  * Add support for Rails 4 `before_actions` and friends
@@ -525,11 +632,11 @@
  * Handle more non-literals in routes
  * Add check for regex denial of service (Ben Toews) 
 
-# 2.4.3
+# 2.4.3 - 2014-03-23
 
  No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.
 
-# 2.4.2
+# 2.4.2 - 2014-03-21
 
  * Remove `rescue Exception`
  * Fix duplicate warnings about sanitize CVE
@@ -538,13 +645,13 @@
  * Skip identically rendered templates
  * Fix HAML template processing
 
-# 2.4.1
+# 2.4.1 - 2014-02-19
 
  * Add check for CVE-2014-0082
  * Add check for CVE-2014-0081, replaces CVE-2013-6415
  * Add check for CVE-2014-0080
 
-# 2.4.0 
+# 2.4.0 - 2014-02-05
 
  * Detect Rails LTS versions
  * Reduce false positives for SQL injection in string building
@@ -559,12 +666,12 @@
  * No longer raise exceptions if a class name cannot be determined
  * Fingerprint attribute warnings individually (Case Taintor)
 
-# 2.3.1
+# 2.3.1 - 2013-12-13
 
  * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
  * Fix link for CVE-2013-6415 (number_to_currency)
 
-# 2.3.0
+# 2.3.0 - 2013-12-12
 
  * Add check for Parameters#permit!
  * Add check for CVE-2013-4491 (i18n XSS)
@@ -578,7 +685,7 @@
  * Whitelist `Model#create` for redirects
  * Fix scoping issues with instance variables and blocks
 
-# 2.2.0 
+# 2.2.0 - 2013-10-28
 
  * Reduce command injection false positives
  * Use Rails version from Gemfile if it is available
@@ -587,14 +694,14 @@
  * Support scanning Rails engines (Geoffrey Hichborn)
  * Add check for detailed exceptions in production
 
-# 2.1.2
+# 2.1.2 - 2013-09-18
 
  * Do not attempt to load custom Haml filters
  * Do not warn about `to_json` XSS in Rails 4
  * Add --table-width option to set width of text reports (ssendev)
  * Remove fuzzy matching on dangerous attr_accessible values
 
-# 2.1.1
+# 2.1.1 - 2013-08-21
 
  * New warning code for dangerous attributes in attr_accessible
  * Do not warn on attr_accessible using roles
@@ -605,7 +712,7 @@
  * Fix infinite loop when run as rake task (Matthew Shanley)
  * Respect ignored warnings in tabs format reports
 
-# 2.1.0
+# 2.1.0 - 2013-07-17
 
  * Support non-native line endings in Gemfile.lock (Paul Deardorff)
  * Support for ignoring warnings
@@ -625,7 +732,7 @@
  * Fix output format detection to be more strict again
  * Allow empty Brakeman configuration file
 
-# 2.0.0
+# 2.0.0 - 2013-05-20
   
  * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
  * Add Marshal/CSV deserialization check
@@ -655,7 +762,7 @@
  * Use exceptions instead of abort in brakeman lib
  * Update to Ruby2Ruby 2.0.5
 
-# 1.9.5
+# 1.9.5 - 2013-04-05
 
  * Add check for unsafe symbol creation
  * Do not warn on mass assignment with `slice`/`only`
@@ -670,7 +777,7 @@
  * More fixes for assignments inside branches
  * Pin to ruby2ruby version 2.0.3
 
-# 1.9.4
+# 1.9.4 - 2013-03-19
  
  * Add check for CVE-2013-1854
  * Add check for CVE-2013-1855
@@ -682,7 +789,7 @@
  * Slightly faster cloning of Sexps
  * Detect another way to add `strong_parameters`
 
-# 1.9.3
+# 1.9.3 - 2013-03-01
  
  * Add render path to JSON report
  * Add warning fingerprints
@@ -697,7 +804,7 @@
  * Expand HAML dependency to include 4.0
  * Scroll errors into view when expanding in HTML report
 
-# 1.9.2
+# 1.9.2 - 2013-02-14
 
  * Add check for CVE-2013-0269
  * Add check for CVE-2013-0276
@@ -708,7 +815,7 @@
  * Check for more dangerous YAML methods
  * Support MultiJSON 1.2 for Rails 3.0 and 3.1
 
-# 1.9.1
+# 1.9.1 - 2013-01-19
 
  * Update to RubyParser 3.1.1 (neersighted)
  * Remove ActiveSupport dependency (Neil Matatall)
@@ -720,7 +827,7 @@
  * Add check for CVE-2013-0156
  * Add check for unsafe `YAML.load`
 
-# 1.9.0
+# 1.9.0 - 2012-12-25
 
  * Update to RubyParser 3
  * Ignore route information by default
@@ -740,7 +847,7 @@
  * Handle empty model files
  * Remove "find by regex" feature from `CallIndex`
 
-# 1.8.3
+# 1.8.3 - 2012-11-13
 
  * Use `multi_json` gem for better harmony
  * Performance improvement for call indexing
@@ -756,7 +863,7 @@
  * Fix error in rescan of mixins with symbols in method name
  * Do not rescan non-Ruby files in config/
 
-# 1.8.2
+# 1.8.2 - 2012-10-17
 
  * Fixed rescanning problems caused by 1.8.0 changes
  * Fix scope calls with single argument
@@ -765,7 +872,7 @@
  * Much improved test coverage
  * Add CHANGES to gemspec
 
-# 1.8.1
+# 1.8.1 - 2012-09-24
 
  * Recover from errors in output formatting
  * Fix false positive in redirect_to (Neil Matatall)
@@ -777,7 +884,7 @@
  * Handle super calls with blocks
  * Respect `-q` flag for "Rails 3 detected" message
 
-# 1.8.0
+# 1.8.0 - 2012-09-05
 
  * Support relative paths in reports (fsword)
  * Allow Brakeman to be run without tty (fsword)
@@ -793,7 +900,7 @@
  * Treat model attributes in `or` expressions as immediate values
  * Switch to method access for Sexp nodes
 
-# 1.7.1
+# 1.7.1 - 2012-08-13
 
  * Add check for CVE-2012-3463
  * Add check for CVE-2012-3464
@@ -801,7 +908,7 @@
  * Add charset to HTML report (hooopo)
  * Report XSS in select() for Rails 2
 
-# 1.7.0
+# 1.7.0 - 2012-07-31
 
  * Add check for CVE-2012-3424
  * Link report types to descriptions on website
@@ -816,7 +923,7 @@
  * Fix processing of negative array indexes
  * Add line breaks to truncated table rows
 
-# 1.6.2
+# 1.6.2 - 2012-06-13
 
  * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
  * Avoid warning when redirecting to a model instance
@@ -828,7 +935,7 @@
  * Cache before_filter lookups
  * Turn off quiet mode by default for `--compare`
 
-# 1.6.1
+# 1.6.1 - 2012-05-23
 
  * Major rewrite of CheckSQL
  * Fix rescanning of deleted templates
@@ -838,7 +945,7 @@
  * Fix highlighting of HTML escaped values in HTML report
  * Report line number of highlighted value, if available
 
-# 1.6.0
+# 1.6.0 - 2012-04-20
 
  * Remove the Ruport dependency (Neil Matatall)
  * Add more informational JSON output (Neil Matatall)
@@ -850,7 +957,7 @@
  * Fix rescanning of deleted files 
  * Properly check for rails_xss in Gemfile
 
-# 1.5.3
+# 1.5.3 - 2012-04-10
 
  * Add check for user input in Object#send (Neil Matatall)
  * Handle render :layout in views
@@ -864,7 +971,7 @@
  * Improve handling of modules and nesting
  * Test for zero errors in test reports
 
-# 1.5.2
+# 1.5.2 - 2012-03-22
 
  * Fix link_to checks for Rails 2.0 and 2.3
  * Fix rescanning of lib files (Neil Matatall)
@@ -875,7 +982,7 @@
  * Fix handling of views when using rails_xss
  * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
 
-# 1.5.1
+# 1.5.1- 2012-03-06
 
  * Fix detection of global mass assignment setting
  * Fix partial rendering in Rails 3
@@ -885,7 +992,7 @@
  * Add tracking of module and class to Brakeman::BaseProcessor
  * Report module when using Brakeman::FindCall
 
-# 1.5.0
+# 1.5.0 - 2012-03-02
 
  * Add version check for SafeBuffer vulnerability
  * Add check for select vulnerability in Rails 3
@@ -896,7 +1003,7 @@
  * Standardize methods to check for SQL injection
  * Fix Rails 2 route parsing issue with nested routes
 
-# 1.4.0
+# 1.4.0 - 2012-02-24
 
  * Add check for user input in link_to href parameter
  * Match ERB processing to rails_xss plugin when plugin used
@@ -904,7 +1011,7 @@
  * Warnings below minimum confidence are dropped completely
  * Brakeman.run always returns a Tracker
 
-# 1.3.0
+# 1.3.0 - 2012-02-09
 
  * Add file paths to HTML report
  * Add caching of filters
@@ -917,7 +1024,7 @@
  * Better variable substitution
  * Table output option for rescan reports
 
-# 1.2.2
+# 1.2.2 - 2012-01-26
 
  * --no-progress works again
  * Make CheckLinkTo a separate check
@@ -925,7 +1032,7 @@
  * Handle empty resource(s) blocks
  * Add RescanReport#existing_warnings
 
-## 1.2.1
+## 1.2.1 - 2012-01-20
 
  * Remove link_to warning for Rails 3.x or when using rails_xss
  * Don't warn if first argument to link_to is escaped
@@ -937,7 +1044,7 @@
  * Add Brakeman::RescanReport#to_s
  * Add Brakeman::Warning#to_s
 
-## 1.2.0
+## 1.2.0 - 2012-01-14
 
  * Speed improvements for CheckExecute and CheckRender
  * Check named_scope() and scope() for SQL injection
@@ -946,7 +1053,7 @@
  * Add --summary option to only output summary
  * Fix a problem with Rails 3 routes
 
-## 1.1.0
+## 1.1.0 - 2011-12-22
 
  * Relax required versions for dependencies
  * Performance improvements for source processing
@@ -956,14 +1063,14 @@
  * Compatibility with newer Haml versions
  * Fix some warnings
 
-## 1.0.0
+## 1.0.0 - 2011-12-08
 
  * Better handling of assignments inside ifs
  * Check more expressions for SQL injection
  * Use latest ruby_parser for better 1.9 syntax support
  * Better behavior for Brakeman as a library
 
-## 1.0.0rc1
+## 1.0.0rc1 - 2011-12-06
 
  * Brakeman can now be used as a library
  * Faster call search
@@ -976,23 +1083,23 @@
  * Ignore mass assignment using all literal arguments
  * Keep expanded context in view with HTML output
 
-## 0.9.2
+## 0.9.2 - 2011-11-22
 
  * Fix Rails 3 configuration parsing
  * Add t() helper to check for translate XSS bug
 
-## 0.9.1
+## 0.9.1 - 2011-11-18
 
  * Add warning for translator helper XSS vulnerability
 
-## 0.9.0
+## 0.9.0 - 2011-11-17
 
  * Process Rails 3 configuration files
  * Fix CSV output
  * Check for config.active_record.whitelist_attributes = true
  * Always produce a warning for without_protection => true
 
-## 0.8.4
+## 0.8.4 - 2011-11-04
 
  * Option for separate attr_accessible warnings
  * Option to set CSS file for HTML output
@@ -1001,23 +1108,23 @@
  * Fix hash_insert()
  * Remove use of Queue from threaded checks
 
-## 0.8.3
+## 0.8.3 - 2011-10-25
  
  * Respect -w flag in .tabs format (tw-ngreen)
  * Escape HTML output of error messages
  * Add --skip-libs option
 
-## 0.8.2
+## 0.8.2 - 2011-10-01
 
  * Run checks in parallel threads by default
  * Fix compatibility with ruby_parser 2.3.1
 
-## 0.8.1
+## 0.8.1 - 2011-09-28
 
  * Add option to assume all controller methods are actions
  * Recover from errors when parsing routes
 
-## 0.8.0
+## 0.8.0 - 2011-09-15
 
  * Add check for mass assignment using without_protection
  * Add check for password in http_basic_authenticate_with
@@ -1028,30 +1135,30 @@
  * Add ruby_parser hack for Ruby 1.9 hash syntax
  * Add a few Rails 3.1 tests
 
-## 0.7.2
+## 0.7.2 - 2011-08-27
 
  * Fix handling of params and cookies with nested access
  * Add CVEs for checks added in 0.7.0
 
-## 0.7.1
+## 0.7.1 - 2011-08-18
 
  * Require BaseProcessor for GemProcessor
 
-## 0.7.0
+## 0.7.0 - 2011-08-17
 
  * Allow local variable as a class name
  * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
  * Check for default routes in Rails 3 apps
  * Look in Gemfile or Gemfile.lock for Rails version
 
-## 0.6.1
+## 0.6.1 - 2011-07-29
 
  * Fix XSS check for cookies as parameters in output
  * Don't bother calling super in CheckSessionSettings
  * Add escape_once as a safe method
  * Accept '\Z' or '\z' in model validations
 
-## 0.6.0
+## 0.6.0 - 2011-07-20
 
  * Tests are in place and fully functional
  * Hide errors by default in HTML output
@@ -1064,17 +1171,17 @@
  * Fixes to escaped output scanning
  * Update CSRF CVE-2011-0447 message to be less assertive
 
-## 0.5.2
+## 0.5.2 - 2011-06-29
 
  * Output report file name when finished
  * Add initial tests for Rails 2.x
  * Fix ERB line numbers when using Ruby 1.9
 
-## 0.5.1
+## 0.5.1 - 2011-06-17
 
  * Fix issue with 'has_one' => in routes
 
-## 0.5.0
+## 0.5.0 - 2011-06-08
 
   * Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
   * Allow empty blocks in Rails 3 routes
@@ -1082,52 +1189,52 @@
   * Add line numbers to session setting warnings
   * Add --checks option to list checks
 
-## 0.4.1
+## 0.4.1 - 2011-05-23
   
   * Fix reported line numbers when using new Erubis parser
     (Mostly affects Rails 3 apps)
 
-## 0.4.0
+## 0.4.0 - 2011-05-19
 
   * Handle Rails XSS protection properly
   * More detection options for rails_xss
   * Add --escape-html option 
 
-## 0.3.2  
+## 0.3.2 - 2011-05-12  
 
   * Autodetect Rails 3 applications
   * Turn on auto-escaping for Rails 3 apps
   * Check Model.create() for mass assignment
 
-## 0.3.1
+## 0.3.1 - 2011-05-03
 
   * Always output a line number in tabbed output format
   * Restrict characters in category name in tabbed output format to
     word characters and spaces, for Hudson/Jenkins plugin
 
-## 0.3.0
+## 0.3.0 - 2011-03-21
 
   * Check for SQL injection in calls using constantize()
   * Check for SQL injection in calls to count_by_sql()
 
-## 0.2.2
+## 0.2.2 - 2011-02-22
 
   * Fix version_between? when no Rails version is specified
 
-## 0.2.1
+## 0.2.1 - 2011-02-18
 
   * Add code snippet to tab output messages
 
-## 0.2.0
+## 0.2.0 - 2011-02-16
 
   * Add check for mail_to vulnerability - CVE-2011-0446
   * Add check for CSRF weakness - CVE-2011-0447
 
-## 0.1.1
+## 0.1.1 - 2011-01-25
 
   * Be more permissive with ActiveSupport version
 
-## 0.1.0
+## 0.1.0 - 2011-01-18
 
   * Check link_to for XSS (because arguments are not escaped)
   * Process layouts better (although not perfectly yet)