Brakeman Pro 1.7.3 Released

Mar 24, 2018

In response to the Rails-related CVEs released this week, Brakeman Pro Desktop 1.7.3 and Brakeman Pro Engine 4.2.1 are now available!

Please note there have been a number of vulnerabilities in the Rails HTML sanitization methods over the years. Parsing HTML and carefully keeping only “safe” values is very difficult to do correctly all the time for all inputs.

Only use sanitization when an application must accept and render HTML from an untrusted source. Otherwise, escape outputs.

Update List:

  • Warn about CVE-2018-3741
  • Warn about CVE-2018-8048
  • Scan the app/jobs/ directory
  • Avoid warning about dynamic renders when template_exists? is used

Want to know more about Brakeman Pro?

Brakeman Pro is a static analysis security tool for Ruby on Rails applications.

Brakeman Pro can be used as a desktop application, Ruby Gem, and as a Code Climate engine.

If you have not purchased Brakeman Pro yet, you can review pricing and purchase licenses directly from our site.

Need to try before buying? Take Brakeman Pro Desktop for a spin.

Please feel free to contact us with any questions!