RubyGems - brakeman - Versions diffs - 5.2.2 → 7.1.1 - Mend

brakeman 5.2.2 → 7.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (952) hide show

data/lib/brakeman/checks/check_sql.rb CHANGED Viewed

@@ -188,11 +188,15 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
                       when :find_by_sql, :count_by_sql
                         check_by_sql_arguments call.first_arg
                       when :calculate
-                        check_find_arguments call.third_arg
+                        if call.arglist.length > 2
+                          unsafe_sql?(call.second_arg) or check_find_arguments(call.third_arg)
+                        elsif call.arglist.length > 1
+                          unsafe_sql?(call.second_arg)
+                        end
                       when :last, :first, :all
                         check_find_arguments call.first_arg
                       when :average, :count, :maximum, :minimum, :sum
-                        if call.length > 5
+                        if call.arglist.length > 1
                           unsafe_sql?(call.first_arg) or check_find_arguments(call.last_arg)
                         else
                           check_find_arguments call.last_arg
@@ -247,7 +251,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         :warning_code => :sql_injection,
         :message => "Possible SQL injection",
         :user_input => user_input,
-        :confidence => confidence
+        :confidence => confidence,
+        :cwe_id => [89]
     end
     if check_for_limit_or_offset_vulnerability call.last_arg
@@ -261,7 +266,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
         :warning_type => "SQL Injection",
         :warning_code => :sql_injection_limit_offset,
         :message => msg("Upgrade to Rails >= 2.1.2 to escape ", msg_code(":limit"), " and ", msg_code("offset"), ". Possible SQL injection"),
-        :confidence => confidence
+        :confidence => confidence,
+        :cwe_id => [89]
     end
   end
@@ -313,6 +319,9 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       check_hash_keys arg
     elsif node_type? arg, :lit, :str
       nil
+    elsif node_type? arg, :or
+      check_query_arguments(arg.lhs) or
+        check_query_arguments(arg.rhs)
     else
       #Hashes are safe...but we check above for hash, so...?
       unsafe_sql? arg, :ignore_hash
@@ -589,7 +598,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash, :foreign_key, :uuid
+    :where_values_hash, :foreign_key, :uuid, :escape, :escape_string
   ]
   def ignore_methods_in_sql

data/lib/brakeman/checks/check_sql_cves.rb CHANGED Viewed

@@ -81,7 +81,8 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
       :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve(cve), ". Upgrade to ", msg_version(upgrade_version)),
       :confidence => :high,
       :gem_info => gemfile_or_environment,
-      :link_path => link
+      :link_path => link,
+      :cwe_id => [89]
   end
   def upgrade_version? versions
@@ -101,6 +102,7 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
       :message => msg(msg_version(rails_version), " contains a SQL injection vulnerability ", msg_cve("CVE-2014-0080"), " with PostgreSQL. Upgrade to ", msg_version("4.0.3")),
       :confidence => :high,
       :gem_info => gemfile_or_environment(:pg),
-      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ",
+      :cwe_id => [89]
   end
 end

data/lib/brakeman/checks/check_ssl_verify.rb CHANGED Viewed

@@ -43,6 +43,7 @@ class Brakeman::CheckSSLVerify < Brakeman::BaseCheck
       :warning_type => "SSL Verification Bypass",
       :warning_code => :ssl_verification_bypass,
       :message => "SSL certificate verification was bypassed",
-      :confidence => :high
+      :confidence => :high,
+      :cwe_id => [295]
   end
 end

data/lib/brakeman/checks/check_strip_tags.rb CHANGED Viewed

@@ -35,7 +35,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
         :message => message,
         :gem_info => gemfile_or_environment,
         :confidence => :high,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion"
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/K5EwdJt06hI/discussion",
+        :cwe_id => [79]
     end
   end
@@ -60,7 +61,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
       :message => message,
       :confidence => :high,
       :gem_info => gemfile_or_environment,
-      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion",
+      :cwe_id => [79]
   end
   def cve_2015_7579
@@ -78,7 +80,8 @@ class Brakeman::CheckStripTags < Brakeman::BaseCheck
         :message => message,
         :confidence => confidence,
         :gem_info => gemfile_or_environment(:"rails-html-sanitizer"),
-        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ"
+        :link_path => "https://groups.google.com/d/msg/rubyonrails-security/OU9ugTZcbjc/PjEP46pbFQAJ",
+        :cwe_id => [79]
     end
   end

data/lib/brakeman/checks/check_symbol_dos.rb CHANGED Viewed

@@ -45,7 +45,8 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
         :warning_code => :unsafe_symbol_creation,
         :message => message,
         :user_input => input,
-        :confidence => confidence
+        :confidence => confidence,
+        :cwe_id => [20]
     end
   end

data/lib/brakeman/checks/check_symbol_dos_cve.rb CHANGED Viewed

@@ -23,7 +23,8 @@ class Brakeman::CheckSymbolDoSCVE < Brakeman::BaseCheck
         :message => msg(msg_version(rails_version), " has a denial of service vulnerability in ActiveRecord. Upgrade to ", msg_version(fix_version), " or patch"),
         :confidence => :medium,
         :gem_info => gemfile_or_environment,
-        :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ"
+        :link => "https://groups.google.com/d/msg/rubyonrails-security/jgJ4cjjS8FE/BGbHRxnDRTIJ",
+        :cwe_id => [20]
     end
   end
 end

data/lib/brakeman/checks/check_template_injection.rb CHANGED Viewed

@@ -26,7 +26,8 @@ class Brakeman::CheckTemplateInjection < Brakeman::BaseCheck
         :warning_code => :erb_template_injection,
         :message => msg(msg_input(input), " used directly in ", msg_code("ERB"), " template, which might enable remote code execution"),
         :user_input => input,
-        :confidence => :high
+        :confidence => :high,
+        :cwe_id => [1336]
     end
   end
 end

data/lib/brakeman/checks/check_translate_bug.rb CHANGED Viewed

@@ -33,7 +33,8 @@ class Brakeman::CheckTranslateBug < Brakeman::BaseCheck
         :message => message,
         :confidence => confidence,
         :gem_info => gemfile_or_environment,
-        :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5"
+        :link_path => "http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5",
+        :cwe_id => [79]
     end
   end

data/lib/brakeman/checks/check_unsafe_reflection.rb CHANGED Viewed

@@ -49,7 +49,8 @@ class Brakeman::CheckUnsafeReflection < Brakeman::BaseCheck
         :warning_code => :unsafe_constantize,
         :message => message,
         :user_input => input,
-        :confidence => confidence
+        :confidence => confidence,
+        :cwe_id => [470]
     end
   end
 end

data/lib/brakeman/checks/check_unsafe_reflection_methods.rb CHANGED Viewed

@@ -63,6 +63,7 @@ class Brakeman::CheckUnsafeReflectionMethods < Brakeman::BaseCheck
       :warning_code => :unsafe_method_reflection,
       :message => message,
       :user_input => input,
-      :confidence => confidence
+      :confidence => confidence,
+      :cwe_id => [470]
   end
 end

data/lib/brakeman/checks/check_unscoped_find.rb CHANGED Viewed

@@ -23,6 +23,14 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
     calls.each do |call|
       process_result call
     end
+    tracker.find_call(:methods => [:find_by, :find_by!], :targets => associated_model_names).each do |result|
+      arg = result[:call].first_arg
+      if hash? arg and hash_access(arg, :id)
+        process_result result
+      end
+    end
   end
   def process_result result
@@ -40,7 +48,8 @@ class Brakeman::CheckUnscopedFind < Brakeman::BaseCheck
       :message      => msg("Unscoped call to ", msg_code("#{result[:target]}##{result[:method]}")),
       :code         => result[:call],
       :confidence   => :weak,
-      :user_input   => input
+      :user_input   => input,
+      :cwe_id => [285]
   end
   def optional_belongs_to? exp

data/lib/brakeman/checks/check_validation_regex.rb CHANGED Viewed

@@ -91,7 +91,8 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
       :warning_code => :validation_regex,
       :message => msg("Insufficient validation for ", msg_code(get_name validator), " using ", msg_code(regex.inspect), ". Use ", msg_code("\\A"), " and ", msg_code("\\z"), " as anchors"),
       :line => value.line,
-      :confidence => :high
+      :confidence => :high,
+      :cwe_id => [777]
     end
   end

data/lib/brakeman/checks/check_verb_confusion.rb CHANGED Viewed

@@ -70,6 +70,7 @@ class Brakeman::CheckVerbConfusion < Brakeman::BaseCheck
       :message => message,
       :code => code,
       :user_input => result[:call],
-      :confidence => confidence
+      :confidence => confidence,
+      :cwe_id => [352]
   end
 end

data/lib/brakeman/checks/check_weak_hash.rb CHANGED Viewed

@@ -53,7 +53,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
       :warning_code => :weak_hash_digest,
       :message => message,
       :confidence => confidence,
-      :user_input => input
+      :user_input => input,
+      :cwe_id => [328]
   end
   def process_hmac_result result
@@ -74,7 +75,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
       :warning_type => "Weak Hash",
       :warning_code => :weak_hash_hmac,
       :message => message,
-      :confidence => :medium
+      :confidence => :medium,
+      :cwe_id => [328]
   end
   def process_openssl_result result
@@ -90,7 +92,8 @@ class Brakeman::CheckWeakHash < Brakeman::BaseCheck
           :warning_type => "Weak Hash",
           :warning_code => :weak_hash_digest,
           :message => msg("Weak hashing algorithm used: ", msg_lit(alg)),
-          :confidence => :medium
+          :confidence => :medium,
+          :cwe_id => [328]
       end
     end
   end

data/lib/brakeman/checks/check_weak_rsa_key.rb ADDED Viewed

@@ -0,0 +1,112 @@
+require 'brakeman/checks/base_check'
+class Brakeman::CheckWeakRSAKey < Brakeman::BaseCheck
+  Brakeman::Checks.add self
+  @description = "Checks for weak uses RSA keys"
+  def run_check
+    check_rsa_key_creation
+    check_rsa_operations
+  end
+  def check_rsa_key_creation
+    tracker.find_call(targets: [:'OpenSSL::PKey::RSA'], method: [:new, :generate], nested: true).each do |result|
+      key_size_arg = result[:call].first_arg
+      check_key_size(result, key_size_arg)
+    end
+    tracker.find_call(targets: [:'OpenSSL::PKey'], method: [:generate_key], nested: true).each do |result|
+      call = result[:call]
+      key_type = call.first_arg
+      options_arg = call.second_arg
+      next unless options_arg and hash? options_arg
+      if string? key_type and key_type.value.upcase == 'RSA'
+        key_size_arg = (hash_access(options_arg, :rsa_keygen_bits) || hash_access(options_arg, s(:str, 'rsa_key_gen_bits')))
+        check_key_size(result, key_size_arg)
+      end
+    end
+  end
+  def check_rsa_operations
+    tracker.find_call(targets: [:'OpenSSL::PKey::RSA.new'], methods: [:public_encrypt, :public_decrypt, :private_encrypt, :private_decrypt], nested: true).each do |result|
+      padding_arg = result[:call].second_arg
+      check_padding(result, padding_arg)
+    end
+    tracker.find_call(targets: [:'OpenSSL::PKey.generate_key'], methods: [:encrypt, :decrypt, :sign, :verify, :sign_raw, :verify_raw], nested: true).each do |result|
+      call = result[:call]
+      options_arg = call.last_arg
+      if options_arg and hash? options_arg
+        padding_arg = (hash_access(options_arg, :rsa_padding_mode) || hash_access(options_arg, s(:str, 'rsa_padding_mode')))
+      else
+        padding_arg = nil
+      end
+      check_padding(result, padding_arg)
+    end
+  end
+  def check_key_size result, key_size_arg
+    return unless number? key_size_arg
+    return unless original? result
+    key_size = key_size_arg.value
+    if key_size < 1024
+      confidence = :high
+      message = msg("RSA key with size ", msg_code(key_size.to_s), " is considered very weak. Use at least 2048 bit key size")
+    elsif key_size < 2048
+      confidence = :medium
+      message = msg("RSA key with size ", msg_code(key_size.to_s), " is considered weak. Use at least 2048 bit key size")
+    else
+      return
+    end
+    warn result: result,
+      warning_type: "Weak Cryptography",
+      warning_code: :small_rsa_key_size,
+      message: message,
+      confidence: confidence,
+      user_input: key_size_arg,
+      cwe_id: [326]
+  end
+  PKCS1_PADDING = s(:colon2, s(:colon2, s(:colon2, s(:const, :OpenSSL), :PKey), :RSA), :PKCS1_PADDING).freeze
+  PKCS1_PADDING_STR = s(:str, 'pkcs1').freeze
+  SSLV23_PADDING = s(:colon2, s(:colon2, s(:colon2, s(:const, :OpenSSL), :PKey), :RSA), :SSLV23_PADDING).freeze
+  SSLV23_PADDING_STR = s(:str, 'sslv23').freeze
+  NO_PADDING = s(:colon2, s(:colon2, s(:colon2, s(:const, :OpenSSL), :PKey), :RSA), :NO_PADDING).freeze
+  NO_PADDING_STR = s(:str, 'none').freeze
+  def check_padding result, padding_arg
+    return unless original? result
+    if string? padding_arg
+      padding_arg = padding_arg.deep_clone(padding_arg.line)
+      padding_arg.value = padding_arg.value.downcase
+    end
+    case padding_arg
+    when PKCS1_PADDING, PKCS1_PADDING_STR, nil
+      message = "Use of padding mode PKCS1 (default if not specified), which is known to be insecure. Use OAEP instead"
+    when SSLV23_PADDING, SSLV23_PADDING_STR
+      message = "Use of padding mode SSLV23 for RSA key, which is only useful for outdated versions of SSL. Use OAEP instead"
+    when NO_PADDING, NO_PADDING_STR
+      message = "No padding mode used for RSA key. A safe padding mode (OAEP) should be specified for RSA keys"
+    else
+      return
+    end
+    warn result: result,
+      warning_type: "Weak Cryptography",
+      warning_code: :insecure_rsa_padding_mode,
+      message: message,
+      confidence: :high,
+      user_input: padding_arg,
+      cwe_id: [780]
+  end
+end

data/lib/brakeman/checks/check_without_protection.rb CHANGED Viewed

@@ -55,7 +55,8 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
             :message => "Unprotected mass assignment",
             :code => call,
             :user_input => input,
-            :confidence => confidence
+            :confidence => confidence,
+            :cwe_id => [915]
         end
       end

data/lib/brakeman/checks/check_xml_dos.rb CHANGED Viewed

@@ -30,7 +30,8 @@ class Brakeman::CheckXMLDoS < Brakeman::BaseCheck
       :message => message,
       :confidence => :medium,
       :gem_info => gemfile_or_environment,
-      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"
+      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J",
+      :cwe_id => [125]
   end
   def has_workaround?

data/lib/brakeman/checks/check_yaml_parsing.rb CHANGED Viewed

@@ -29,7 +29,8 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
         :message => message,
         :confidence => :high,
         :gem_info => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion",
+        :cwe_id => [20]
     end
     #Warn if app accepts YAML
@@ -41,7 +42,8 @@ class Brakeman::CheckYAMLParsing < Brakeman::BaseCheck
         :message => message,
         :confidence => :high,
         :gem_info => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion"
+        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/61bkgvnSGTQ/discussion",
+        :cwe_id => [20]
     end
   end

data/lib/brakeman/checks/eol_check.rb CHANGED Viewed

@@ -34,7 +34,8 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
       warning_code: :"pending_eol_#{library}",
       message: msg("Support for ", msg_version(version, library.capitalize), " ends on #{eol_date}"),
       confidence: confidence,
-      gem_info: gemfile_or_environment
+      gem_info: gemfile_or_environment(library),
+      :cwe_id => [1104]
   end
   def warn_about_unsupported_version library, eol_date, version
@@ -42,6 +43,7 @@ class Brakeman::EOLCheck < Brakeman::BaseCheck
       warning_code: :"eol_#{library}",
       message: msg("Support for ", msg_version(version, library.capitalize), " ended on #{eol_date}"),
       confidence: :high,
-      gem_info: gemfile_or_environment
+      gem_info: gemfile_or_environment(library),
+      :cwe_id => [1104]
   end
 end

data/lib/brakeman/commandline.rb CHANGED Viewed

@@ -145,6 +145,11 @@ module Brakeman
           quit Brakeman::Errors_Found_Exit_Code
         end
+        if tracker.options[:ensure_no_obsolete_ignore_entries] && tracker.unused_fingerprints.any?
+          warn '[Error] Obsolete ignore entries were found, exiting with an error code.'
+          quit Brakeman::Obsolete_Ignore_Entries_Exit_Code
+        end
         if ensure_ignore_notes_failed
           quit Brakeman::Empty_Ignore_Note_Exit_Code
         end

data/lib/brakeman/file_parser.rb CHANGED Viewed

@@ -7,7 +7,19 @@ module Brakeman
   class FileParser
     attr_reader :file_list, :errors
-    def initialize app_tree, timeout, parallel = true
+    def initialize app_tree, timeout, parallel = true, use_prism = false
+      @use_prism = use_prism
+      if @use_prism
+        begin
+          require 'prism'
+          Brakeman.debug '[Notice] Using Prism parser'
+        rescue LoadError => e
+          Brakeman.debug "[Notice] Asked to use Prism, but failed to load: #{e}"
+          @use_prism = false
+        end
+      end
       @app_tree = app_tree
       @timeout = timeout
       @file_list = []
@@ -73,8 +85,29 @@ module Brakeman
         path = path.relative
       end
+      Brakeman.debug "Parsing #{path}"
+      if @use_prism
+        begin
+          parse_with_prism input, path
+        rescue => e
+          Brakeman.debug "Prism failed to parse #{path}: #{e}"
+          parse_with_ruby_parser input, path
+        end
+      else
+        parse_with_ruby_parser input, path
+      end
+    end
+    private
+    def parse_with_prism input, path
+      Prism::Translation::RubyParser.parse(input, path)
+    end
+    def parse_with_ruby_parser input, path
       begin
-        Brakeman.debug "Parsing #{path}"
         RubyParser.new.parse input, path, @timeout
       rescue Racc::ParseError => e
         raise e.exception(e.message + "\nCould not parse #{path}")

data/lib/brakeman/file_path.rb CHANGED Viewed

@@ -68,6 +68,10 @@ module Brakeman
       self.absolute
     end
+    # Required for Pathname compatibility.
+    # Ruby 3.5+ requires Pathname#initialize to receive a String or an object with to_path method.
+    alias to_path to_str
     # Returns a string with the absolute path.
     def to_s
       self.to_str

data/lib/brakeman/messages.rb CHANGED Viewed

@@ -86,7 +86,7 @@ class Brakeman::Messages::Message
   end
   def to_html
-    require 'cgi'
+    require 'cgi/escape'
     output = @parts.map(&:to_html).join

data/lib/brakeman/options.rb CHANGED Viewed

@@ -71,6 +71,10 @@ module Brakeman::Options
           options[:ensure_ignore_notes] = true
         end
+        opts.on "--ensure-no-obsolete-ignore-entries", "Fail when an obsolete ignore entry is found" do
+          options[:ensure_no_obsolete_ignore_entries] = true
+        end
         opts.on "-3", "--rails3", "Force Rails 3 mode" do
           options[:rails3] = true
         end
@@ -101,6 +105,15 @@ module Brakeman::Options
           options[:rails7] = true
         end
+        opts.on "-8", "--rails8", "Force Rails 8 mode" do
+          options[:rails3] = true
+          options[:rails4] = true
+          options[:rails5] = true
+          options[:rails6] = true
+          options[:rails7] = true
+          options[:rails8] = true
+        end
         opts.separator ""
         opts.separator "Scanning options:"
@@ -150,6 +163,22 @@ module Brakeman::Options
           options[:parser_timeout] = timeout
         end
+        opts.on "--[no-]prism", "Use the Prism parser" do |use_prism|
+          if use_prism
+            min_prism_version = '1.0.0'
+            begin
+              gem 'prism', ">=#{min_prism_version}"
+              require 'prism'
+            rescue Gem::MissingSpecVersionError, Gem::MissingSpecError, Gem::LoadError => e
+              $stderr.puts "Please install `prism` version #{min_prism_version} or newer:"
+              raise e
+            end
+          end
+          options[:use_prism] = use_prism
+        end
         opts.on "-r", "--report-direct", "Only report direct use of untrusted data" do |option|
           options[:check_arguments] = !option
         end
@@ -197,12 +226,20 @@ module Brakeman::Options
           options[:engine_paths].merge paths
         end
+        opts.on '--[no-]follow-symlinks', 'Follow symbolic links for directions' do |follow_symlinks|
+          options[:follow_symlinks] = follow_symlinks
+        end
+        opts.on '--gemfile GEMFILE', 'Specify Gemfile to scan' do |gemfile|
+          options[:gemfile] = gemfile
+        end
         opts.on "-E", "--enable Check1,Check2,etc", Array, "Enable the specified checks" do |checks|
           checks.map! do |check|
             if check.start_with? "Check"
               check
             else
-              "Check" << check
+              "Check#{check}"
             end
           end
@@ -213,7 +250,7 @@ module Brakeman::Options
         opts.on "-t", "--test Check1,Check2,etc", Array, "Only run the specified checks" do |checks|
           checks.each_with_index do |s, index|
             if s[0,5] != "Check"
-              checks[index] = "Check" << s
+              checks[index] = "Check#{s}"
             end
           end
@@ -224,7 +261,7 @@ module Brakeman::Options
         opts.on "-x", "--except Check1,Check2,etc", Array, "Skip the specified checks" do |skip|
           skip.each do |s|
             if s[0,5] != "Check"
-              s = "Check" << s
+              s = "Check#{s}"
             end
             options[:skip_checks] ||= Set.new
@@ -244,13 +281,17 @@ module Brakeman::Options
           options[:debug] = true
         end
+        opts.on "--timing", "Measure time for scan steps" do
+          options[:show_timing] = true
+        end
         opts.on "-f",
           "--format TYPE",
           [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif, :sonar, :github],
           "Specify output formats. Default is text" do |type|
           type = "s" if type == :text
-          options[:output_format] = ("to_" << type.to_s).to_sym
+          options[:output_format] = :"to_#{type}"
         end
         opts.on "--css-file CSSFile", "Specify CSS to use for HTML output" do |file|
@@ -265,6 +306,10 @@ module Brakeman::Options
           options[:interactive_ignore] = true
         end
+        opts.on "--show-ignored", "Show files that are usually ignored by the ignore configuration file" do
+          options[:show_ignored] = true
+        end
         opts.on "-l", "--[no-]combine-locations", "Combine warning locations (Default)" do |combine|
           options[:combine_locations] = combine
         end
@@ -323,7 +368,7 @@ module Brakeman::Options
         end
         opts.on "--text-fields field1,field2,etc.", Array, "Specify fields for text report format" do |format|
-          valid_options = [:category, :category_id, :check, :code, :confidence, :file, :fingerprint, :line, :link, :message, :render_path]
+          valid_options = [:category, :category_id, :check, :code, :confidence, :cwe, :file, :fingerprint, :line, :link, :message, :render_path]
           options[:text_fields] = format.map(&:to_sym)

data/lib/brakeman/parsers/erubis_patch.rb ADDED Viewed

@@ -0,0 +1,11 @@
+module Brakeman::ErubisPatch
+  # Simple patch to make `erubis` compatible with frozen string literals
+  def convert(input)
+    codebuf = +"" # Modified line, the rest is identitical
+    @preamble.nil? ? add_preamble(codebuf) : (@preamble && (codebuf << @preamble))
+    convert_input(codebuf, input)
+    @postamble.nil? ? add_postamble(codebuf) : (@postamble && (codebuf << @postamble))
+    @_proc = nil    # clear cached proc object
+    return codebuf  # or codebuf.join()
+  end
+end