Brakeman Pro 1.7.1 Released

Jan 10, 2018

The latest release of Brakeman Pro Desktop integrates with Secure Code Warrior to offer developer security training for common vulnerabilities.

Secure Code Warrior

We are happy to announce Brakeman Pro Desktop now includes links directly from warnings to relevant, interactive Ruby on Rails security training on the Secure Code Warrior platform.

Secure Code Warrior Link

Secure Code Warrior offers hundreds of short challenges, covering over 50 common vulnerabilities, including the OWASP top 10. For each challenge, the user is presented with Rails code where they must locate, identify and fix the vulnerable code.

Secure Code Warrior

We are excited to offer this expanded vulnerability information and hands-on training to our users. Basic Ruby on Rails challenges are available for free for Brakeman Pro customers. Secure Code Warrior also provides challenges for C# (.NET, WebForms, MVC), Java (Spring, Struts, and Enterprise Edition), Python (Django) and Node.js.

Deeper Analysis

This release of the Brakeman Pro Engine extends its interprocedural analysis to models and libraries.

Increased analysis of models and libraries should reduce false positives as well as help discover more vulnerable code.

New Checks

Several new checks are included in this release. First, there is a new warning for uses of params.permit that whitelist potentially dangerous keys (like admin) for mass assignment.

Next, there is a new check for filters that reference methods that do not exist. This may indicate typos or perhaps methods that have been removed. In some cases, this may lead to authorization vulnerabilities if filters are not applied when expected.

Third, Brakeman used to report potential division by zero as an error. This is now a warning instead.

Finally, Brakeman now warns about potential SQL injection when using Arel.sql.

Full Update List

Lots of updates in this release!

  • Additional interprocedual analysis for models and libraries
  • Link warnings to Secure Code Warrior challenges
  • New check for dangerous keys in permit
  • New check for filters using non-existent methods
  • New check for division by zero
  • Remove errors about divide by zero
  • New warning about dynamic values in Arel.sql
  • Avoid warning about file access for temp files
  • Avoid warning on params.permit with safe values
  • Avoid CSRF warning in Rails 5.2 default config
  • Better processing of op_asgn1 (e.g. x[:y] += 1)
  • Handle nested destructuring/multiple assignment
  • Use HTTPS for warning links in HTML/JSON reports
  • Try to guess options for less pager
  • Do not page if results fit on screen
  • Leave results on screen after paging
  • Show better location for Sass errors

Want to know more about Brakeman Pro?

Brakeman Pro is a static analysis security tool for Ruby on Rails applications.

Brakeman Pro can be used as a desktop application, Ruby Gem, and as a Code Climate engine.

If you have not purchased Brakeman Pro yet, you can review pricing and purchase licenses directly from our site.

Need to try before buying? Take Brakeman Pro Desktop for a spin.

Please feel free to contact us with any questions!