brakeman 5.4.1 → 6.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 88049c2c49d114a2921ded02a16ae8be8cb9717976aa026d14a8386046668702
-  data.tar.gz: 2d3bbf4de0df432415432657e0ff658eddd7edb860a29def3d1ae707e968b143
+  metadata.gz: 3bfe97a2a21052a6b89113eba0488d389790be712085e953b0661bfdad31f5ea
+  data.tar.gz: 9155ab4eb06b34c7e8294a63bc1878f4e754087f4c7eebc10ff0232f9b62ad14
 SHA512:
-  metadata.gz: 3910fabad6692126c5080485901629763cebd2355107fe821c2077af74fe2e1566cf936e7135e5d2c301bf43b8f95f6534c06cabfa56638a839e86a1202fbd40
-  data.tar.gz: d012ad0ee09eb897912350f399d0ff12589a2bf46f63a7dc9459f88dfa39c3aee9da6dd751c4636cd6e0b050781e0bef5e7471587da7a3446f66a196e81549c6
+  metadata.gz: 67f98784f2eff71cde186b940d6c7bae38495529d1f3882eee6f92103b9c44fb06caa62dd5e6ed2cfaab82b01e7a1c41b951b2529fd4b04e54e6c2ca89a65a91
+  data.tar.gz: a35a4a539a877bdf2eb2150ef4556d31f995be90ce23a2b2d9697ffae41bb2ec2d7fefbfcb853c10897849f554d87b6c03e9a24265fd965158815df8f445a79b

data/CHANGES.md

@@ -1,3 +1,17 @@
+# 6.0.1 - 2023-07-20
+
+* Accept strings for `load_defaults` version
+
+# 6.0.0 - 2023-05-24
+
+* Add obsolete fingerprints to comparison report
+* Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
+* Scan directories that include the word `public`
+* Raise minimum Ruby version to 3.0
+* Drop support for Ruby 1.8/1.9 syntax
+* Fix end-of-life dates for Ruby
+* Fix false positive with `content_tag` in newer Rails
+
 # 5.4.1 - 2023-02-21
 
 * Fix file/line location for EOL software warnings

data/README.md

@@ -66,7 +66,7 @@ Outside of Rails root (note that the output file is relative to path/to/rails/ap
 
 Brakeman should work with any version of Rails from 2.3.x to 7.x.
 
-Brakeman can analyze code written with Ruby 1.8 syntax and newer, but requires at least Ruby 2.5.0 to run.
+Brakeman can analyze code written with Ruby 2.0 syntax and newer, but requires at least Ruby 3.0.0 to run.
 
 # Basic Options
 
@@ -182,7 +182,7 @@ There is a [plugin available](http://brakemanscanner.org/docs/jenkins/) for Jenk
 
 For even more continuous testing, try the [Guard plugin](https://github.com/guard/guard-brakeman).
 
-There are a couple [Github Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
+There are a couple [GitHub Actions](https://github.com/marketplace?type=actions&query=brakeman) available.
 
 # Building
 

data/bundle/load.rb

@@ -2,13 +2,12 @@ path = File.expand_path('../..', __FILE__)
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/erubis-2.7.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/haml-5.2.2/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/highline-2.1.0/lib"
-$:.unshift "#{path}/bundle/ruby/3.1.0/gems/parallel-1.22.1/lib"
+$:.unshift "#{path}/bundle/ruby/3.1.0/gems/parallel-1.23.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/rexml-3.2.5/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/ruby2ruby-2.4.4/lib"
-$:.unshift "#{path}/bundle/ruby/3.1.0/gems/ruby_parser-3.19.2/lib"
-$:.unshift "#{path}/bundle/ruby/3.1.0/gems/ruby_parser-legacy-1.0.0/lib"
+$:.unshift "#{path}/bundle/ruby/3.1.0/gems/ruby_parser-3.20.3/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/safe_yaml-1.0.5/lib"
-$:.unshift "#{path}/bundle/ruby/3.1.0/gems/sexp_processor-4.16.1/lib"
+$:.unshift "#{path}/bundle/ruby/3.1.0/gems/sexp_processor-4.17.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/slim-4.1.0/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/temple-0.8.2/lib"
 $:.unshift "#{path}/bundle/ruby/3.1.0/gems/terminal-table-1.8.0/lib"

data/bundle/ruby/3.1.0/gems/parallel-1.23.0/lib/parallel/version.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+module Parallel
+  VERSION = Version = '1.23.0' # rubocop:disable Naming/ConstantName
+end

data/bundle/ruby/3.1.0/gems/{parallel-1.22.1 → parallel-1.23.0}/lib/parallel.rb

@@ -1,11 +1,8 @@
 # frozen_string_literal: true
 require 'rbconfig'
 require 'parallel/version'
-require 'parallel/processor_count'
 
 module Parallel
-  extend ProcessorCount
-
   Stop = Object.new.freeze
 
   class DeadWorker < StandardError
@@ -307,6 +304,49 @@ module Parallel
       map(*args, &block).flatten(1)
     end
 
+    def filter_map(*args, &block)
+      map(*args, &block).compact
+    end
+
+    # Number of physical processor cores on the current system.
+    def physical_processor_count
+      @physical_processor_count ||= begin
+        ppc =
+          case RbConfig::CONFIG["target_os"]
+          when /darwin[12]/
+            IO.popen("/usr/sbin/sysctl -n hw.physicalcpu").read.to_i
+          when /linux/
+            cores = {} # unique physical ID / core ID combinations
+            phy = 0
+            File.read("/proc/cpuinfo").scan(/^physical id.*|^core id.*/) do |ln|
+              if ln.start_with?("physical")
+                phy = ln[/\d+/]
+              elsif ln.start_with?("core")
+                cid = "#{phy}:#{ln[/\d+/]}"
+                cores[cid] = true unless cores[cid]
+              end
+            end
+            cores.count
+          when /mswin|mingw/
+            require 'win32ole'
+            result_set = WIN32OLE.connect("winmgmts://").ExecQuery(
+              "select NumberOfCores from Win32_Processor"
+            )
+            result_set.to_enum.collect(&:NumberOfCores).reduce(:+)
+          else
+            processor_count
+          end
+        # fall back to logical count if physical info is invalid
+        ppc > 0 ? ppc : processor_count
+      end
+    end
+
+    # Number of processors seen by the OS, used for process scheduling
+    def processor_count
+      require 'etc'
+      @processor_count ||= Integer(ENV['PARALLEL_PROCESSOR_COUNT'] || Etc.nprocessors)
+    end
+
     def worker_number
       Thread.current[:parallel_worker_number]
     end

data/bundle/ruby/3.1.0/gems/{ruby_parser-3.19.2 → ruby_parser-3.20.3}/History.rdoc

@@ -1,3 +1,41 @@
+=== 3.20.3 / 2023-07-11
+
+* 2 minor enhancements:
+
+  * Added Parser#in_argdef and integrated into 3.x parsers.
+  * Improved tools/munge.rb to handler MRI 3.2 output
+
+* 2 bug fixes:
+
+  * Fixed process_dots to properly deal with paren-less forward_args. (eric1234)
+  * Fixed tools/ripper.rb to properly print ripper sexp at the end
+
+=== 3.20.2 / 2023-06-06
+
+* 1 bug fix:
+
+  * 3.2: fixed parsing of f(*) and f(**). (agrobbin)
+
+=== 3.20.1 / 2023-05-16
+
+* 1 minor enhancement:
+
+  * Fixes Sexp#line_max in parser for many constructs: paren_args, arrays of various sorts, calls, classes, modules, etc.
+
+=== 3.20.0 / 2023-03-04
+
+* 1 major enhancement:
+
+  * Added tentative 3.2 support.
+
+* 1 minor enhancement:
+
+  * Change minimum ruby version to 2.6. (want higher)
+
+* 1 bug fix:
+
+  * Fix up compare tasks for ruby 3.2 differences.
+
 === 3.19.2 / 2022-12-03
 
 * 5 bug fixes:

data/bundle/ruby/3.1.0/gems/{ruby_parser-3.19.2 → ruby_parser-3.20.3}/Manifest.txt

@@ -31,6 +31,8 @@ lib/ruby30_parser.rb
 lib/ruby30_parser.y
 lib/ruby31_parser.rb
 lib/ruby31_parser.y
+lib/ruby32_parser.rb
+lib/ruby32_parser.y
 lib/ruby3_parser.yy
 lib/ruby_lexer.rb
 lib/ruby_lexer.rex

data/bundle/ruby/3.1.0/gems/{ruby_parser-3.19.2 → ruby_parser-3.20.3}/README.rdoc

@@ -68,8 +68,9 @@ To add a new version:
 * New parser should be generated from lib/ruby[3]_parser.yy.
 * Extend lib/ruby[3]_parser.yy with new class name.
 * Add new version number to V2/V3 in Rakefile for rule creation.
-* Add new (full) version to `ruby_parse` section of Rakefile for rake compare
+* Add new `ruby_parse "x.y.z"` line to Rakefile for rake compare (line ~300).
 * Require generated parser in lib/ruby_parser.rb.
+* Add new V## = ::Ruby##Parser; end to ruby_parser.rb (bottom of file).
 * Add empty TestRubyParserShared##Plus module and TestRubyParserV## to test/test_ruby_parser.rb.
 * Extend Manifest.txt with generated file names.
 * Add new version number to sexp_processor's pt_testcase.rb in all_versions

data/bundle/ruby/3.1.0/gems/{ruby_parser-3.19.2 → ruby_parser-3.20.3}/compare/normalize.rb

@@ -84,6 +84,7 @@ def munge s
 
              "' '",             "tSPACE", # needs to be later to avoid bad hits
 
+             "ε",               "none", # bison 3+
              "%empty",          "none", # newer bison
              "/* empty */",     "none",
              /^\s*$/,           "none",