A static analysis security vulnerability scanner for Ruby on Rails applications
Brakeman 4.9.1 released: https://brakemanscanner.org/blog/2020/09/04/brakeman-4-dot-9-dot-1-released
Brakeman 4.10.0 released: https://brakemanscanner.org/blog/2020/09/28/brakeman-4-dot-10-dot-0-released
Only change here is the new SARIF report format.
Only change here is the new SARIF report format.
Quick question! I'm working on clearing out some Brakeman warnings on our application and I've run into several File Access warnings. In some instances, we were using the incoming filename as the filename on our end (not good), so I've started using hashes instead. However, I don't want to lose the file extension, but I haven't found a way to tack that on without Brakeman getting upset. Any recommendations?
Here's what Brakeman is mad at because
uploaded_io is coming from params[:file]
Hello, how are you? I have a question: is it possible in
e.g. I have this line
Thanks in advance!
Code attribute in output, that I see all the code including comments?e.g. I have this line
system("ls #{options}") #foo of code that returns Command Injection. In output, I only can see system("ls #{options}") but I need to see the comment too. Is there a way to run brakeman to see comments in code lines, or this does not exist in Brakeman?Thanks in advance!
@joelbrewer Not sure what to suggest there, really. Do you have a list of allowed extensions? You may be able to remove the Brakeman warning by putting your code behind a condition like
if [".txt", ".pdf", ".png"].include? extension
path = ...
endIt takes kind of specific code, but for something like the above, Brakeman will know that extension must be one of those values inside the if expression.
@victormazevedo With muse (https://github.com/marketplace/muse-dev) what you ask is the default behavior. You make PRs, Muse runs Brakeman (among others) and posts new results as line comments so you see the line in the github PR stream. If you look in the console then brakeman results link to the github source view (but the source isn't inline in the console).
For command line behavior I think you're reduced to writing your own shell wrapper that will parse the file name from brakeman results and find the line of interest to then output. If you can assume jq is installed then this shouldn't be too heavy of a lift.
Brakeman 4.10.1 was released Christmas Eve to fix some Ruby 3.0 incompatibilities: https://brakemanscanner.org/blog/2020/12/24/brakeman-4-dot-10-dot-1-released
and a couple other bugs. 4.10.1 was branched from 4.10, so there are still a number of pending changes which will be released in Brakeman 5.0
Good morning, I have a dumb question, but maybe you can help me, I'm implementing brakeman in a project but a question has arisen that I have not been able to solve: this gem can be implemented over an internal gem that is used in the project? any way to implement brakeman on gems?
Brakeman 5.0 is now released!! https://brakemanscanner.org/blog/2021/01/26/brakeman-5-dot-0-dot-0-released
The biggest change here is that Brakeman now scans (almost) all Ruby files in an application!
This will relieve a lot of confusion about why Brakeman doesn't "see" some files.
There are also two new checks, support for Sonarqube report format, and a bunch of other updates.
The biggest change here is that Brakeman now scans (almost) all Ruby files in an application!
This will relieve a lot of confusion about why Brakeman doesn't "see" some files.
There are also two new checks, support for Sonarqube report format, and a bunch of other updates.
can start docker image to scan local rails file
Hello everyone. By reading https://brakemanscanner.org/blog/2021/01/26/brakeman-5-dot-0-dot-0-released and I was wondering if this is to be seen as a wide scope of ruby files within the context of RoR or if there has been some effort in support for non-rails ruby code?
1 reply
Brakeman 5.1.0 is released! https://brakemanscanner.org/blog/2021/07/19/brakeman-5-dot-1-dot-0-released
This is a huge release (in terms of number of changes). Take a look!
This is a huge release (in terms of number of changes). Take a look!
Hey everyone! Is anyone using the brakeman comparison feature in an enterprise environment?
How have others dealt with line number changes affecting security finding fingerprints? It seems like the fingerprint uses the location_string to calculate the value.
How have others dealt with line number changes affecting security finding fingerprints? It seems like the fingerprint uses the location_string to calculate the value.
(location doesn't include line number... or file)
Have you seen that issue before? Wondering if you have any ideas..
You can
bundle install --path vendor to install dependencies into a local path and then brakeman --no-skip-vendor.
Results very much not guaranteed.
There's probably some work to be done around ignoring certain files/directions and interpreting things correctly... the further one strays from "regular" Rails application code the less accurate Brakeman becomes
Hi! I'm getting the following error in CI (gitlab, running using image ruby:3.0.2) but not locally (ruby 3.0.2 via rvm on macOS):
Error: "scss" filter's sassc dependency missing: try installing it or adding it to your Gemfile. I have gem "sassc-rails" in my Gemfile (which depends on sassc) and also tried adding sassc directly but neither helped. Any ideas? Something slightly non-standard which I didn't yet investigate: I'm using the hamlit Gem, not haml.
1 reply
Hi everyone! Going forward discussions can take place on https://github.com/presidentbeef/brakeman/discussions/
I don't really hang out here (I rely on "unread message" emails) and it's yet-another-site to log into.
I don't really hang out here (I rely on "unread message" emails) and it's yet-another-site to log into.
Hi I notice that brakeman is being used on the gitlab SAST tool. To check vulnerabilities on the code. In our code we also implement bundler-audit which checks checks for vulnerable versions of gem, I want to know if brakeman check for those or we should we continue using both.