brakeman 4.5.1 → 5.4.0

data/CHANGES.md

@@ -1,4 +1,241 @@
-# 4.5.1 
+# 5.4.0 - 2022-11-17
+
+* Use relative paths for CodeClimate report format (Mike Poage)
+* Add check for weak RSA key sizes and padding modes
+* Handle multiple values and splats in case/when
+* Ignore more model methods in redirects
+* Add check for absolute paths issue with Pathname
+* Fix `load_rails_defaults` overwriting settings in the Rails application (James Gregory-Monk)
+
+# 5.3.1 - 2022-08-09
+
+* Fix version range for CVE-2022-32209
+
+# 5.3.0 - 2022-08-09
+
+* Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
+* Load rexml as a Brakeman dependency
+* Fix "full call" information propagating unnecessarily
+* Add check for CVE-2022-32209
+* Add CWE information to warnings (Stephen Aghaulor)
+
+# 5.2.3 - 2022-05-01
+
+* Fix error with hash shorthand syntax
+* Match order of interactive options with help message (Rory O'Kane)
+
+# 5.2.2 - 2022-04-06
+
+* Update `ruby_parser` for Ruby 3.1 support (Merek Skubela)
+* Handle `nil` when joining values (Dan Buettner)
+* Update message for unsafe reflection (Pedro Baracho)
+* Add additional String methods for SQL injection check
+* Respect equality in `if` conditions
+
+# 5.2.1 - 2022-01-30
+
+* Add warning codes for EOL software warnings
+
+# 5.2.0 - 2021-12-15
+
+* Initial Rails 7 support
+* Require Ruby 2.5.0+
+* Fix issue with calls to `foo.root` in routes
+* Ignore `I18n.locale` in SQL queries
+* Do not treat `sanitize_sql_like` as safe
+* Add new checks for unsupported Ruby and Rails versions
+
+# 5.1.2 - 2021-10-28
+
+* Handle cases where enums are not symbols
+* Support newer Haml with ::Haml::AttributeBuilder.build
+* Fix issue where the previous output is still visible (Jason Frey)
+* Fix warning sorting with nil line numbers
+* Update for latest RubyParser (Ryan Davis)
+
+# 5.1.1 - 2021-07-19
+
+* Unrefactor IgnoreConfig's use of `Brakeman::FilePath`
+
+# 5.1.0 - 2021-07-19
+
+* Initial support for ActiveRecord enums
+* Support `Hash#include?`
+* Interprocedural dataflow from very simple class methods
+* Fix SARIF report when checks have no description (Eli Block)
+* Add ignored warnings to SARIF report (Eli Block)
+* Add `--sql-safe-methods` option (Esty Scheiner)
+* Update SQL injection check for Rails 6.0/6.1
+* Fix false positive in command injection with `Open3.capture` (Richard Fitzgerald)
+* Fix infinite loop on mixin self-includes (Andrew Szczepanski)
+* Ignore dates in SQL
+* Refactor `cookie?`/`param?` methods (Keenan Brock)
+* Ignore renderables in dynamic render path check (Brad Parker)
+* Support `Array#push`
+* Better `Array#join` support
+* Adjust copy of `--interactive` menu (Elia Schito)
+* Support `Array#*`
+* Better method definition tracking and lookup
+* Support `Hash#values` and `Hash#values_at`
+* Check for user-controlled evaluation even if it's a call target
+* Support `Array#fetch` and `Hash#fetch`
+* Ignore `sanitize_sql_like` in SQL
+* Ignore method calls on numbers in SQL
+* Add GitHub Actions format (Klaus Badelt)
+* Read and parse files in parallel
+
+# 5.0.4 - 2021-06-08
+
+(brakeman gem release only)
+
+* Update bundled `ruby_parser` to include argument forwarding support
+
+# 5.0.2 - 2021-06-07
+
+* Fix Loofah version check
+
+# 5.0.1 - 2021-04-27
+
+* Detect `::Rails.application.configure` too
+* Set more line numbers on Sexps
+* Support loading `slim/smart`
+* Don't fail if $HOME/$USER are not defined
+* Always ignore slice/only calls for mass assignment
+* Convert splat array arguments to arguments
+
+# 5.0.0 - 2021-01-26
+
+* Ignore `uuid` as a safe attribute
+* Collapse `__send__` calls
+* Ignore `Tempfile#path` in shell commands
+* Ignore development environment
+* Revamp CSV report to a CSV list of warnings
+* Set Rails configuration defaults based on `load_defaults` version
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+
+# 4.10.1 - 2020-12-24
+
+* Declare REXML as a dependency (Ruby 3.0 compatibility)
+* Use `Sexp#sexp_body` instead of `Sexp#[..]` (Ruby 3.0 compatibility)
+* Prevent render loops when template names are absolute paths
+* Ensure RubyParser is passed file path as a String
+* Support new Haml 5.2.0 escaping method
+
+# 5.0.0.pre1 - 2020-11-17
+
+* Add check for (more) unsafe method reflection
+* Suggest using `--force` if no Rails application is detected
+* Add Sonarqube report format (Adam England)
+* Add check for potential HTTP verb confusion
+* Add `--[no-]skip-vendor` option
+* Scan (almost) all Ruby files in project
+* Add support for Haml 5.2.0
+
+# 4.10.0 - 2020-09-28
+
+* Add SARIF report format (Steve Winton)
+
+# 4.9.1 - 2020-09-04
+
+* Check `chomp`ed strings for SQL injection
+* Use version from `active_record` for non-Rails apps (Ulysse Buonomo)
+* Always set line number for joined arrays
+* Avoid warning about missing `attr_accessible` if `protected_attributes` gem is used
+
+# 4.9.0 - 2020-08-04
+
+* Add check for CVE-2020-8166 (Jamie Finnigan)
+* Avoid warning when `safe_yaml` is used via `YAML.load(..., safe: true)`
+* Add check for user input in `ERB.new` (Matt Hickman)
+* Add `--ensure-ignore-notes` (Eli Block)
+* Remove whitelist/blacklist language, add clarifications
+* Do not warn about mass assignment with `params.permit!.slice`
+* Add "full call" information to call index results
+* Ignore `params.permit!` in path helpers
+* Treat `Dir.glob` as safe source of values in guards
+* Always scan `environment.rb`
+
+# 4.8.2 - 2020-05-12
+
+* Add check for CVE-2020-8159
+* Fix `authenticate_or_request_with_http_basic` check for passed blocks (Hugo Corbucci)
+* Add `--text-fields` option
+* Add check for escaping HTML entities in JSON configuration
+
+# 4.8.1 - 2020-04-06
+
+* Check SQL query strings using `String#strip` or `String.squish`
+* Handle non-symbol keys in locals hash for render()
+* Warn about global(!) mass assignment
+* Index calls in render arguments
+
+# 4.8.0 - 2020-02-18 
+
+* Add JUnit-XML report format (Naoki Kimura)
+* Sort ignore files by fingerprint and line (Ngan Pham)
+* Freeze call index results
+* Fix output test when using newer Minitest
+* Properly render confidence in Markdown report
+* Report old warnings as fixed if zero warnings reported
+* Catch dangerous concatenation in `CheckExecute` (Jacob Evelyn)
+* Show user-friendly message when ignore config file has invalid JSON (D. Hicks)
+* Initialize Rails version with `nil` (Carsten Wirth)
+
+# 4.7.2 - 2019-11-25
+
+* Remove version guard for `named_scope` vs. `scope`
+* Find SQL injection in `String#strip_heredoc` target
+* Handle more `permit!` cases
+* Ensure file name is set when processing model
+* Add `request.params` as query parameters
+
+# 4.7.1 - 2019-10-29 
+
+* Check string length against limit before joining
+* Fix errors from frozen `Symbol#to_s` in Ruby 2.7
+* Fix flaky rails4 test (Adam Kiczula)
+* Added release dates to each version in CHANGES (TheSpartan1980)
+* Catch reverse tabnabbing with `:_blank` symbol (Jacob Evelyn)
+* Convert `s(:lambda)` to `s(:call)` in `Sexp#block_call`
+* Sort text report by file and line (Jacob Evelyn)
+
+# 4.7.0 - 2019-10-16
+
+* Refactor `Brakeman::Differ#second_pass` (Benoit Côté-Jodoin)
+* Ignore interpolation in `%W[]`
+* Fix `version_between?` (Andrey Glushkov)
+* Add support for `ruby_parser` 3.14.0
+* Ignore `form_for` for XSS check
+* Update Haml support to Haml 5.x
+* Catch shell injection from `-c` shell commands (Jacob Evelyn)
+* Correctly handle non-symbols in `CheckCookieSerialization` (Phil Turnbull)
+
+# 4.6.1 - 2019-07-24
+
+* Fix Reverse Tabnabbing warning message (Steffen Schildknecht / Jörg Schiller)
+
+# 4.6.0 - 2019-07-23
+
+* Skip calls to `dup`
+* Add reverse tabnabbing check (Linos Giannopoulos)
+* Better handling of gems with no version declared
+* Warn people that Haml 5 is not fully supported (Jared Beck)
+* Avoid warning about file access with `ActiveStorage::Filename#sanitized` (Tejas Bubane)
+* Update loofah version for fixing CVE-2018-8048 (Markus Nölle)
+* Restore `Warning#relative_path`
+* Add check for cookie serialization with Marshal
+* Index calls in initializers
+* Improve template output handling in conditional branches
+* Avoid assigning `nil` line numbers to `Sexp`s
+* Add special warning code for custom checks
+* Add call matching by regular expression
+
+# 4.5.1 - 2019-05-11
 
 * Add `Brakeman::FilePath` to represent file paths
 * Handle trailing comma in block args
@@ -13,7 +250,7 @@
 * Add initial Rails 6 support
 * Add SQL injection checks for `destroy_by`/`delete_by`
 
-# 4.5.0
+# 4.5.0 - 2019-03-16
 
 * Update `ruby_parser`, use `ruby_parser-legacy`
 * More thoroughly handle `Shellwords` escaping
@@ -30,7 +267,7 @@
 * Better handling of splat/kwsplat arguments
 * Improve "user input" reported for SQL injection
 
-# 4.4.0
+# 4.4.0 - 2019-01-17
 
 * Set default encoding to UTF-8
 * Update to Slim 4.0.1 (Jake Peterson)
@@ -53,7 +290,7 @@
 * Complete overhaul of warning message construction
 * Deadcode and typo fixes found via Coverity
 
-# 4.3.1
+# 4.3.1 - 2018-06-07
 
 * Ignore `Object#freeze`, use the target instead
 * Ignore `foreign_key` calls in SQL
@@ -66,7 +303,7 @@
 * Improve handling of conditionals in shell commands (Jacob Evelyn)
 * Fix error when setting line number in implicit renders
 
-# 4.3.0
+# 4.3.0 - 2018-05-11
 
 * Check exec-type calls even if they are targets
 * Convert `Array#join` to string interpolation
@@ -82,14 +319,14 @@
 * `--color` can be used to force color output
 * Fix reported line numbers for CVE-2018-3741 and CVE-2018-8048
 
-# 4.2.1
+# 4.2.1 - 2018-03-24
 
 * Add warning for CVE-2018-3741
 * Add warning for CVE-2018-8048
 * Scan `app/jobs/` directory
 * Handle `template_exists?` in controllers
 
-# 4.2.0
+# 4.2.0 - 2018-02-22
 
 * Avoid warning about symbol DoS on `Model#attributes`
 * Avoid warning about open redirects with model methods ending with `_path`
@@ -102,12 +339,12 @@
 * Exclude template folders in `lib/` (kru0096)
 * Handle ERb use of `String#<<` method for Ruby 2.5 (Pocke)
 
-# 4.1.1
+# 4.1.1 - 2017-12-19
 
 * Remove check for use of `permit` with `*_id` keys
 * Avoid duplicate warnings about permitted attributes
 
-# 4.1.0
+# 4.1.0 - 2017-12-14
 
 * Process models as root sexp instead of each sexp
 * Avoid CSRF warning in Rails 5.2 default config
@@ -130,12 +367,12 @@
 * Refactor Code Climate engine options parsing (Noah Davis)
 * Fix upgrade version for CVE-2016-6316
 
-# 4.0.1
+# 4.0.1 - 2017-09-25
 
 * Disable pager when `CI` environment variable is set
 * Fix output when pager fails
 
-# 4.0.0
+# 4.0.0 - 2017-09-25
 
 * Add simple pager for reports output to terminal
 * Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
@@ -149,11 +386,11 @@
 * --exit-on-error and --exit-on-warn are now the default
 * Fix --exit-on-error and --exit-on-warn in config files
 
-# 3.7.2
+# 3.7.2 - 2017-08-16
 
 * Fix --ensure-latest (David Guyon)
 
-# 3.7.1
+# 3.7.1 - 2017-08-16
 
 * Handle simple guard with return at end of branch
 * Modularize bin/brakeman
@@ -161,7 +398,7 @@
 * Add more collection methods for iteration detection
 * Update ruby2ruby and ruby_parser
 
-# 3.7.0
+# 3.7.0 - 2017-06-30
 
 * Improve support for rails4/rails5 options in config file
 * Track more information about constant assignments
@@ -170,7 +407,7 @@
 * Fix false positive for redirect_to in Rails 4 (Mário Areias)
 * Avoid interpolating hashes/arrays on failed access
 
-# 3.6.2
+# 3.6.2 - 2017-05-19
 
 * Handle safe call operator in checks
 * Better handling of `if` expressions in HAML rendering
@@ -185,11 +422,11 @@
 * Handle empty `if` expressions when finding return values
 * Fix finding return value from empty `if`
 
-# 3.6.1
+# 3.6.1 - 2017-03-24
 
 * Fix error when using `--compare` (Sean Gransee)
 
-# 3.6.0 
+# 3.6.0 - 2017-03-23
 
 * Avoid recursive Concerns
 * Branch inside of `case` expressions
@@ -200,7 +437,7 @@
 * Only report CVE-2015-3227 when exact version is known
 * Check targetless SQL calls outside of known models
 
-# 3.5.0
+# 3.5.0 - 2017-02-01
 
 * Allow `-t None`
 * Fail on invalid checks specified by `-x` or `-t`
@@ -215,7 +452,7 @@
 * Handle `included` block in concerns
 * Process concerns before controllers
 
-# 3.4.1
+# 3.4.1 - 2016-11-02
 
 * Show action help at start of interactive ignore
 * Check CSRF setting in direct subclasses of `ActionController::Base` (Jason Yeo)
@@ -225,7 +462,7 @@
 * Avoid warning about `where_values_hash` in SQLi
 * Fix ignoring link interpolation not at beginning of string
 
-# 3.4.0
+# 3.4.0 - 2016-09-08
 
 * Add new `plain` report format
 * Add option to prune ignore file with `-I`
@@ -234,18 +471,18 @@
 * Support creating reports in non-existent paths
 * Add `--no-exit-warn`
 
-# 3.3.5
+# 3.3.5 - 2016-08-12
 
 * Fix bug in reports when using --debug option
 
-# 3.3.4
+# 3.3.4 - 2016-08-12
 
 * Add generic warning for CVE-2016-6316
 * Warn about dangerous use of `content_tag` with CVE-2016-6316
 * Add warning for CVE-2016-6317
 * Use Minitest
 
-# 3.3.3
+# 3.3.3 - 2016-07-21
 
 * Show path when no Rails app found (Neil Matatall)
 * Index calls in view helpers
@@ -258,22 +495,22 @@
 * Sexp#value returns nil when there is no value
 * Improve return value estimation
 
-# 3.3.2
+# 3.3.2 - 2016-06-10
 
 * Fix serious performance regression with global constant tracking
 
-# 3.3.1 
+# 3.3.1 - 2016-06-03
 
 * Delay loading vendored gems and modifying load path
 * Avoid warning about SQL injection with `quoted_primary_key`
 * Support more safe `&.` operations
-* Allow multile line regex in `validates_format_of` (Dmitrij Fedorenko)
+* Allow multiple line regex in `validates_format_of` (Dmitrij Fedorenko)
 * Only consider `if` branches in templates
 * Avoid overwriting instance/class methods with same name (Tim Wade)
 * Add `--force-scan` option (Neil Matatall)
 * Improved line number accuracy in ERB templates (Patrick Toomey)
 
-# 3.3.0
+# 3.3.0 - 2016-05-05
 
 * Skip processing obviously false if branches (more broadly)
 * Skip if branches with `Rails.env.test?`
@@ -291,11 +528,11 @@
 * [Code Climate engine] Remove nil entries from include_paths (Gordon Diggs)
 * [Code Climate engine] Report end lines for issues (Gordon Diggs)
 
-# 3.2.1
+# 3.2.1 - 2016-02-25
 
 * Remove `multi_json` dependency from `bin/brakeman`
 
-# 3.2.0
+# 3.2.0 - 2016-02-25
 
 * Skip Symbol DoS check on Rails 5
 * Only update ignore config file on changes
@@ -309,7 +546,7 @@
 * Avoid render warnings about params[:action]/params[:controller]
 * Index calls in class bodies but outside methods
 
-# 3.1.5
+# 3.1.5 - 2016-01-28
 
 * Fix CodeClimate construction of --only-files (Will Fleming)
 * Add check for denial of service via routes (CVE-2015-7581)
@@ -328,7 +565,7 @@
 * Handle module names with self methods
 * Add session manipulation documentation
 
-# 3.1.4
+# 3.1.4 - 2015-12-22
 
 * Emit brakeman's native fingerprints for Code Climate engine (Noah Davis)
 * Ignore secrets.yml if in .gitignore
@@ -336,7 +573,7 @@
 * Increase test coverage for option parsing (Zander Mackie)
 * Work around safe_yaml error
 
-# 3.1.3
+# 3.1.3 - 2015-12-03
 
 * Check for session secret in secrets.yml
 * Respect `exit_on_warn` in config file
@@ -350,7 +587,7 @@
 * Depend on safe_yaml 1.0 or later
 * Test coverage improvements for Brakema module (Bethany Rentz)
 
-# 3.1.2
+# 3.1.2 - 2015-10-28
 
 * Treat `current_user` like a model
 * Set user input value for inline renders
@@ -368,7 +605,7 @@
 * Sortable tables in HTML report (David Lanner)
 * Search for config file relative to application root
 
-# 3.1.1
+# 3.1.1 - 2015-09-23
 
 * Add optional check for use of MD5 and SHA1
 * Avoid warning when linking to decorated models
@@ -382,7 +619,7 @@
 * Support newer terminal-table releases
 * Allow searching call index methods by regex (Alex Ianus)
 
-# 3.1.0
+# 3.1.0 - 2015-08-31
 
 * Add support for gems.rb/gems.locked
 * Update render path information in JSON reports
@@ -401,18 +638,18 @@
 * Expand safe methods to match methods with targets
 * Avoid duplicate eval() warnings
 
-# 3.0.5
+# 3.0.5 - 2015-06-20
 
 * Fix check for CVE-2015-3227
 
-# 3.0.4
+# 3.0.4 - 2015-06-18
 
 * Add check for CVE-2015-3226 (XSS via JSON keys)
 * Add check for CVE-2015-3227 (XML DoS)
 * Treat `<%==` as unescaped output
 * Update `ruby_parser` dependency to 3.7.0
 
-# 3.0.3
+# 3.0.3 - 2015-04-20
 
 * Ignore more Arel methods in SQL
 * Warn about protect_from_forgery without exceptions (Neil Matatall)
@@ -423,7 +660,7 @@
 * Do not ignore targets of `to_s` in SQL
 * Add Rake task to exit with error code on warnings (masarakki)
 
-# 3.0.2
+# 3.0.2 - 2015-03-09
 
 * Alias process methods called in class scope on models
 * Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
@@ -439,7 +676,7 @@
 * Fix CSV output when there are no warnings
 * Handle processing of explicitly shadowed block arguments
 
-# 3.0.1
+# 3.0.1 - 2015-01-23
 
 * Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base
 * Properly format command interpolation (again)
@@ -448,7 +685,7 @@
 * Add `--add-libs-path` for additional libraries (Patrick Toomey)
 * Properly process libraries (Patrick Toomey)
 
-# 3.0.0
+# 3.0.0 - 2015-01-03
 
 * Add check for CVE-2014-7829
 * Add check for cross-site scripting via inline renders
@@ -467,7 +704,7 @@
 * CVEs report correct line and file name (Gemfile/Gemfile.lock) (Rob Fletcher)
 * Change `--separate-models` to be the default
 
-# 2.6.3
+# 2.6.3 - 2014-10-14
 
 * Whitelist `exists` arel method from SQL injection check
 * Avoid warning about Symbol DoS on safe parameters as method targets
@@ -476,7 +713,7 @@
 * Add framework for optional checks
 * Fix stack overflow for cycles in class ancestors (Jeff Rafter)
 
-# 2.6.2 
+# 2.6.2 - 2014-08-18
 
 * Add check for CVE-2014-3415
 * Avoid warning about symbolizing safe parameters
@@ -490,13 +727,13 @@
 * Fix block statement endings in Erubis
 * Fix undefined variable in controller processing error (Jason Barnabe) 
 
-# 2.6.1
+# 2.6.1 - 2014-07-02
 
 * Add check for CVE-2014-3482 and CVE-2014-3483
 * Add support for keyword arguments in blocks
 * Remove unused warning codes (Bill Fischer)
 
-# 2.6.0
+# 2.6.0 - 2014-06-06
 
 * Fix detection of `:host` setting in redirects with chained calls
 * Add check for CVE-2014-0130
@@ -510,7 +747,7 @@
 * Ignore more model methods in redirects
 * Fix CheckRender with nested render calls
 
-# 2.5.0
+# 2.5.0 - 2014-04-30
 
  * Add support for RailsLTS 2.3.18.7 and 2.3.18.8
  * Add support for Rails 4 `before_actions` and friends
@@ -525,11 +762,11 @@
  * Handle more non-literals in routes
  * Add check for regex denial of service (Ben Toews) 
 
-# 2.4.3
+# 2.4.3 - 2014-03-23
 
  No changes. 2.4.2 gem release was unsigned, 2.4.3 is signed.
 
-# 2.4.2
+# 2.4.2 - 2014-03-21
 
  * Remove `rescue Exception`
  * Fix duplicate warnings about sanitize CVE
@@ -538,13 +775,13 @@
  * Skip identically rendered templates
  * Fix HAML template processing
 
-# 2.4.1
+# 2.4.1 - 2014-02-19
 
  * Add check for CVE-2014-0082
  * Add check for CVE-2014-0081, replaces CVE-2013-6415
  * Add check for CVE-2014-0080
 
-# 2.4.0 
+# 2.4.0 - 2014-02-05
 
  * Detect Rails LTS versions
  * Reduce false positives for SQL injection in string building
@@ -559,12 +796,12 @@
  * No longer raise exceptions if a class name cannot be determined
  * Fingerprint attribute warnings individually (Case Taintor)
 
-# 2.3.1
+# 2.3.1 - 2013-12-13
 
  * Fix check for CVE-2013-4491 (i18n XSS) to detect workaround
  * Fix link for CVE-2013-6415 (number_to_currency)
 
-# 2.3.0
+# 2.3.0 - 2013-12-12
 
  * Add check for Parameters#permit!
  * Add check for CVE-2013-4491 (i18n XSS)
@@ -578,7 +815,7 @@
  * Whitelist `Model#create` for redirects
  * Fix scoping issues with instance variables and blocks
 
-# 2.2.0 
+# 2.2.0 - 2013-10-28
 
  * Reduce command injection false positives
  * Use Rails version from Gemfile if it is available
@@ -587,14 +824,14 @@
  * Support scanning Rails engines (Geoffrey Hichborn)
  * Add check for detailed exceptions in production
 
-# 2.1.2
+# 2.1.2 - 2013-09-18
 
  * Do not attempt to load custom Haml filters
  * Do not warn about `to_json` XSS in Rails 4
  * Add --table-width option to set width of text reports (ssendev)
  * Remove fuzzy matching on dangerous attr_accessible values
 
-# 2.1.1
+# 2.1.1 - 2013-08-21
 
  * New warning code for dangerous attributes in attr_accessible
  * Do not warn on attr_accessible using roles
@@ -605,7 +842,7 @@
  * Fix infinite loop when run as rake task (Matthew Shanley)
  * Respect ignored warnings in tabs format reports
 
-# 2.1.0
+# 2.1.0 - 2013-07-17
 
  * Support non-native line endings in Gemfile.lock (Paul Deardorff)
  * Support for ignoring warnings
@@ -625,7 +862,7 @@
  * Fix output format detection to be more strict again
  * Allow empty Brakeman configuration file
 
-# 2.0.0
+# 2.0.0 - 2013-05-20
   
  * Add `--only-files` option to specify files/paths to scan (Ian Ehlert)
  * Add Marshal/CSV deserialization check
@@ -655,7 +892,7 @@
  * Use exceptions instead of abort in brakeman lib
  * Update to Ruby2Ruby 2.0.5
 
-# 1.9.5
+# 1.9.5 - 2013-04-05
 
  * Add check for unsafe symbol creation
  * Do not warn on mass assignment with `slice`/`only`
@@ -670,7 +907,7 @@
  * More fixes for assignments inside branches
  * Pin to ruby2ruby version 2.0.3
 
-# 1.9.4
+# 1.9.4 - 2013-03-19
  
  * Add check for CVE-2013-1854
  * Add check for CVE-2013-1855
@@ -682,7 +919,7 @@
  * Slightly faster cloning of Sexps
  * Detect another way to add `strong_parameters`
 
-# 1.9.3
+# 1.9.3 - 2013-03-01
  
  * Add render path to JSON report
  * Add warning fingerprints
@@ -697,7 +934,7 @@
  * Expand HAML dependency to include 4.0
  * Scroll errors into view when expanding in HTML report
 
-# 1.9.2
+# 1.9.2 - 2013-02-14
 
  * Add check for CVE-2013-0269
  * Add check for CVE-2013-0276
@@ -708,7 +945,7 @@
  * Check for more dangerous YAML methods
  * Support MultiJSON 1.2 for Rails 3.0 and 3.1
 
-# 1.9.1
+# 1.9.1 - 2013-01-19
 
  * Update to RubyParser 3.1.1 (neersighted)
  * Remove ActiveSupport dependency (Neil Matatall)
@@ -720,7 +957,7 @@
  * Add check for CVE-2013-0156
  * Add check for unsafe `YAML.load`
 
-# 1.9.0
+# 1.9.0 - 2012-12-25
 
  * Update to RubyParser 3
  * Ignore route information by default
@@ -740,7 +977,7 @@
  * Handle empty model files
  * Remove "find by regex" feature from `CallIndex`
 
-# 1.8.3
+# 1.8.3 - 2012-11-13
 
  * Use `multi_json` gem for better harmony
  * Performance improvement for call indexing
@@ -756,7 +993,7 @@
  * Fix error in rescan of mixins with symbols in method name
  * Do not rescan non-Ruby files in config/
 
-# 1.8.2
+# 1.8.2 - 2012-10-17
 
  * Fixed rescanning problems caused by 1.8.0 changes
  * Fix scope calls with single argument
@@ -765,7 +1002,7 @@
  * Much improved test coverage
  * Add CHANGES to gemspec
 
-# 1.8.1
+# 1.8.1 - 2012-09-24
 
  * Recover from errors in output formatting
  * Fix false positive in redirect_to (Neil Matatall)
@@ -777,7 +1014,7 @@
  * Handle super calls with blocks
  * Respect `-q` flag for "Rails 3 detected" message
 
-# 1.8.0
+# 1.8.0 - 2012-09-05
 
  * Support relative paths in reports (fsword)
  * Allow Brakeman to be run without tty (fsword)
@@ -793,7 +1030,7 @@
  * Treat model attributes in `or` expressions as immediate values
  * Switch to method access for Sexp nodes
 
-# 1.7.1
+# 1.7.1 - 2012-08-13
 
  * Add check for CVE-2012-3463
  * Add check for CVE-2012-3464
@@ -801,7 +1038,7 @@
  * Add charset to HTML report (hooopo)
  * Report XSS in select() for Rails 2
 
-# 1.7.0
+# 1.7.0 - 2012-07-31
 
  * Add check for CVE-2012-3424
  * Link report types to descriptions on website
@@ -816,7 +1053,7 @@
  * Fix processing of negative array indexes
  * Add line breaks to truncated table rows
 
-# 1.6.2
+# 1.6.2 - 2012-06-13
 
  * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
  * Avoid warning when redirecting to a model instance
@@ -828,7 +1065,7 @@
  * Cache before_filter lookups
  * Turn off quiet mode by default for `--compare`
 
-# 1.6.1
+# 1.6.1 - 2012-05-23
 
  * Major rewrite of CheckSQL
  * Fix rescanning of deleted templates
@@ -838,7 +1075,7 @@
  * Fix highlighting of HTML escaped values in HTML report
  * Report line number of highlighted value, if available
 
-# 1.6.0
+# 1.6.0 - 2012-04-20
 
  * Remove the Ruport dependency (Neil Matatall)
  * Add more informational JSON output (Neil Matatall)
@@ -850,7 +1087,7 @@
  * Fix rescanning of deleted files 
  * Properly check for rails_xss in Gemfile
 
-# 1.5.3
+# 1.5.3 - 2012-04-10
 
  * Add check for user input in Object#send (Neil Matatall)
  * Handle render :layout in views
@@ -864,7 +1101,7 @@
  * Improve handling of modules and nesting
  * Test for zero errors in test reports
 
-# 1.5.2
+# 1.5.2 - 2012-03-22
 
  * Fix link_to checks for Rails 2.0 and 2.3
  * Fix rescanning of lib files (Neil Matatall)
@@ -875,7 +1112,7 @@
  * Fix handling of views when using rails_xss
  * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
 
-# 1.5.1
+# 1.5.1- 2012-03-06
 
  * Fix detection of global mass assignment setting
  * Fix partial rendering in Rails 3
@@ -885,7 +1122,7 @@
  * Add tracking of module and class to Brakeman::BaseProcessor
  * Report module when using Brakeman::FindCall
 
-# 1.5.0
+# 1.5.0 - 2012-03-02
 
  * Add version check for SafeBuffer vulnerability
  * Add check for select vulnerability in Rails 3
@@ -896,7 +1133,7 @@
  * Standardize methods to check for SQL injection
  * Fix Rails 2 route parsing issue with nested routes
 
-# 1.4.0
+# 1.4.0 - 2012-02-24
 
  * Add check for user input in link_to href parameter
  * Match ERB processing to rails_xss plugin when plugin used
@@ -904,7 +1141,7 @@
  * Warnings below minimum confidence are dropped completely
  * Brakeman.run always returns a Tracker
 
-# 1.3.0
+# 1.3.0 - 2012-02-09
 
  * Add file paths to HTML report
  * Add caching of filters
@@ -917,7 +1154,7 @@
  * Better variable substitution
  * Table output option for rescan reports
 
-# 1.2.2
+# 1.2.2 - 2012-01-26
 
  * --no-progress works again
  * Make CheckLinkTo a separate check
@@ -925,7 +1162,7 @@
  * Handle empty resource(s) blocks
  * Add RescanReport#existing_warnings
 
-## 1.2.1
+## 1.2.1 - 2012-01-20
 
  * Remove link_to warning for Rails 3.x or when using rails_xss
  * Don't warn if first argument to link_to is escaped
@@ -937,7 +1174,7 @@
  * Add Brakeman::RescanReport#to_s
  * Add Brakeman::Warning#to_s
 
-## 1.2.0
+## 1.2.0 - 2012-01-14
 
  * Speed improvements for CheckExecute and CheckRender
  * Check named_scope() and scope() for SQL injection
@@ -946,7 +1183,7 @@
  * Add --summary option to only output summary
  * Fix a problem with Rails 3 routes
 
-## 1.1.0
+## 1.1.0 - 2011-12-22
 
  * Relax required versions for dependencies
  * Performance improvements for source processing
@@ -956,14 +1193,14 @@
  * Compatibility with newer Haml versions
  * Fix some warnings
 
-## 1.0.0
+## 1.0.0 - 2011-12-08
 
  * Better handling of assignments inside ifs
  * Check more expressions for SQL injection
  * Use latest ruby_parser for better 1.9 syntax support
  * Better behavior for Brakeman as a library
 
-## 1.0.0rc1
+## 1.0.0rc1 - 2011-12-06
 
  * Brakeman can now be used as a library
  * Faster call search
@@ -976,23 +1213,23 @@
  * Ignore mass assignment using all literal arguments
  * Keep expanded context in view with HTML output
 
-## 0.9.2
+## 0.9.2 - 2011-11-22
 
  * Fix Rails 3 configuration parsing
  * Add t() helper to check for translate XSS bug
 
-## 0.9.1
+## 0.9.1 - 2011-11-18
 
  * Add warning for translator helper XSS vulnerability
 
-## 0.9.0
+## 0.9.0 - 2011-11-17
 
  * Process Rails 3 configuration files
  * Fix CSV output
  * Check for config.active_record.whitelist_attributes = true
  * Always produce a warning for without_protection => true
 
-## 0.8.4
+## 0.8.4 - 2011-11-04
 
  * Option for separate attr_accessible warnings
  * Option to set CSS file for HTML output
@@ -1001,23 +1238,23 @@
  * Fix hash_insert()
  * Remove use of Queue from threaded checks
 
-## 0.8.3
+## 0.8.3 - 2011-10-25
  
  * Respect -w flag in .tabs format (tw-ngreen)
  * Escape HTML output of error messages
  * Add --skip-libs option
 
-## 0.8.2
+## 0.8.2 - 2011-10-01
 
  * Run checks in parallel threads by default
  * Fix compatibility with ruby_parser 2.3.1
 
-## 0.8.1
+## 0.8.1 - 2011-09-28
 
  * Add option to assume all controller methods are actions
  * Recover from errors when parsing routes
 
-## 0.8.0
+## 0.8.0 - 2011-09-15
 
  * Add check for mass assignment using without_protection
  * Add check for password in http_basic_authenticate_with
@@ -1028,30 +1265,30 @@
  * Add ruby_parser hack for Ruby 1.9 hash syntax
  * Add a few Rails 3.1 tests
 
-## 0.7.2
+## 0.7.2 - 2011-08-27
 
  * Fix handling of params and cookies with nested access
  * Add CVEs for checks added in 0.7.0
 
-## 0.7.1
+## 0.7.1 - 2011-08-18
 
  * Require BaseProcessor for GemProcessor
 
-## 0.7.0
+## 0.7.0 - 2011-08-17
 
  * Allow local variable as a class name
  * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
  * Check for default routes in Rails 3 apps
  * Look in Gemfile or Gemfile.lock for Rails version
 
-## 0.6.1
+## 0.6.1 - 2011-07-29
 
  * Fix XSS check for cookies as parameters in output
  * Don't bother calling super in CheckSessionSettings
  * Add escape_once as a safe method
  * Accept '\Z' or '\z' in model validations
 
-## 0.6.0
+## 0.6.0 - 2011-07-20
 
  * Tests are in place and fully functional
  * Hide errors by default in HTML output
@@ -1064,17 +1301,17 @@
  * Fixes to escaped output scanning
  * Update CSRF CVE-2011-0447 message to be less assertive
 
-## 0.5.2
+## 0.5.2 - 2011-06-29
 
  * Output report file name when finished
  * Add initial tests for Rails 2.x
  * Fix ERB line numbers when using Ruby 1.9
 
-## 0.5.1
+## 0.5.1 - 2011-06-17
 
  * Fix issue with 'has_one' => in routes
 
-## 0.5.0
+## 0.5.0 - 2011-06-08
 
   * Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
   * Allow empty blocks in Rails 3 routes
@@ -1082,52 +1319,52 @@
   * Add line numbers to session setting warnings
   * Add --checks option to list checks
 
-## 0.4.1
+## 0.4.1 - 2011-05-23
   
   * Fix reported line numbers when using new Erubis parser
     (Mostly affects Rails 3 apps)
 
-## 0.4.0
+## 0.4.0 - 2011-05-19
 
   * Handle Rails XSS protection properly
   * More detection options for rails_xss
   * Add --escape-html option 
 
-## 0.3.2  
+## 0.3.2 - 2011-05-12  
 
   * Autodetect Rails 3 applications
   * Turn on auto-escaping for Rails 3 apps
   * Check Model.create() for mass assignment
 
-## 0.3.1
+## 0.3.1 - 2011-05-03
 
   * Always output a line number in tabbed output format
   * Restrict characters in category name in tabbed output format to
     word characters and spaces, for Hudson/Jenkins plugin
 
-## 0.3.0
+## 0.3.0 - 2011-03-21
 
   * Check for SQL injection in calls using constantize()
   * Check for SQL injection in calls to count_by_sql()
 
-## 0.2.2
+## 0.2.2 - 2011-02-22
 
   * Fix version_between? when no Rails version is specified
 
-## 0.2.1
+## 0.2.1 - 2011-02-18
 
   * Add code snippet to tab output messages
 
-## 0.2.0
+## 0.2.0 - 2011-02-16
 
   * Add check for mail_to vulnerability - CVE-2011-0446
   * Add check for CSRF weakness - CVE-2011-0447
 
-## 0.1.1
+## 0.1.1 - 2011-01-25
 
   * Be more permissive with ActiveSupport version
 
-## 0.1.0
+## 0.1.0 - 2011-01-18
 
   * Check link_to for XSS (because arguments are not escaped)
   * Process layouts better (although not perfectly yet)