We are excited to announce Brakeman Pro 1.2.0 is now available to customers. The most notable change in this release is the addition of custom rules, which allow users to generate warnings from arbitrary method calls.
Current customers may download the new version from the same location as previous releases.
The new custom rules feature is useful when your team knows about dangerous APIs or internal library calls they would like to track. For example, say there is an internal library call that has been deprecated: Report.fetch. You could create a rule to warn about uses of this method:
On the next scan, the report will include warnings about this method call:
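To make concrete what a rule of this kind produces, here is an added toy rule written for this post; it is not Brakeman Pro's rule engine or its configuration format. It walks the parse tree produced by Ruby's standard-library Ripper and reports every Report.fetch call in a constructed controller snippet. The class DeprecatedCallRule, its method names and the sample source are all hypothetical.

```ruby
require 'ripper'

# Toy custom rule: report every call of the form Receiver.method_name.
# Hypothetical illustration of what a "warn on this method call" rule does;
# this is NOT Brakeman Pro's rule engine or configuration format.
class DeprecatedCallRule
  Finding = Struct.new(:line, :message)

  def initialize(receiver:, method_name:, message:)
    @receiver    = receiver
    @method_name = method_name
    @message     = message
  end

  # Parse the source with Ripper and return one Finding per matching call.
  def scan(source)
    tree = Ripper.sexp(source)
    return [] unless tree   # Ripper.sexp returns nil when the source does not parse
    findings = []
    walk(tree, findings)
    findings
  end

  private

  # Depth-first walk over the nested-array S-expression.
  def walk(node, findings)
    return unless node.is_a?(Array)
    if %i[call command_call].include?(node[0]) && matches?(node)
      line = node[3][2][0]   # node[3] is [:@ident, name, [line, column]]
      findings << Finding.new(line, "line #{line}: #{@message}")
    end
    node.each { |child| walk(child, findings) }
  end

  # :call / :command_call nodes look like
  #   [:call, receiver, dot, [:@ident, name, [line, col]], ...]
  # Match a constant receiver with the configured name and method.
  def matches?(node)
    receiver, meth = node[1], node[3]
    receiver.is_a?(Array) && receiver[0] == :var_ref &&
      receiver[1].is_a?(Array) && receiver[1][0] == :@const &&
      receiver[1][1] == @receiver &&
      meth.is_a?(Array) && meth[0] == :@ident && meth[1] == @method_name
  end
end

# Constructed sample: a controller that still uses the deprecated call twice.
SAMPLE_SOURCE = <<~RUBY
  class ReportsController < ApplicationController
    def show
      @report = Report.fetch(params[:id])   # deprecated
      @other  = Report.find(params[:id])    # some other call, not flagged
      Report.fetch params[:id]              # deprecated, no parentheses
    end
  end
RUBY

REPORT_FETCH_RULE = DeprecatedCallRule.new(
  receiver: "Report", method_name: "fetch",
  message: "Report.fetch is deprecated"
)

# Run the rule over the constructed sample and return the findings.
def scan_sample
  REPORT_FETCH_RULE.scan(SAMPLE_SOURCE)
end

if __FILE__ == $PROGRAM_NAME
  scan_sample.each { |f| puts f.message }
end
```

Matching on the receiver constant and method name, rather than on the dot token, keeps the rule working across Ruby versions (older Ripper emits the dot as a bare symbol, newer ones as a token node), and checking both :call and :command_call catches uses with and without parentheses.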
The Brakeman Pro engine has been updated to 3.2.1. Along with many other fixes and improvements, Ruby 2.3.0 syntax should be properly supported now.
The unescaped outputs check has been improved to only warn once per template output location. Additionally, it will not produce a warning if a regular cross-site scripting warning has already been generated for a given location.
This should drastically reduce the number of warnings about unescaped outputs.
When running Brakeman Pro from the command line, the unescaped outputs check will run by default (it used to be optional).
Brakeman Pro now provides informational warnings about uses of eval and similar methods.
Two new rules related to basic authentication have been added. The first will warn about instances where password checks use == for comparisons. The second rule will warn about any uses of basic authentication that the first did not already warn about.
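The == warning exists because String#== returns as soon as it finds a differing byte, so the time a basic-auth check takes can reveal how many leading bytes of a guessed password were right. The following is an added example for this post, not Brakeman Pro's own code, showing a credential check in the form the rule flags beside a constant-time version modelled on ActiveSupport::SecurityUtils.secure_compare (the digest-then-XOR approach); the method names and the credentials are constructed for the illustration, and a real Rails app should call the ActiveSupport or Rack::Utils helper rather than hand-roll this.

```ruby
require 'digest'

# Constructed credentials for the example only; never hard-code real secrets.
EXPECTED_USER     = "admin"
EXPECTED_PASSWORD = "correct horse battery staple"

# Vulnerable form (what Brakeman Pro's new rule flags): String#== stops at the
# first differing byte, so response time depends on how much of the guess matched.
def basic_auth_insecure?(user, password)
  user == EXPECTED_USER && password == EXPECTED_PASSWORD
end

# Constant-time comparison of two byte strings of equal length: every byte is
# XORed and OR-accumulated, so the work done does not depend on where they differ.
def fixed_length_secure_compare(a, b)
  raise ArgumentError, "inputs must be of equal length" unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Length-independent wrapper modelled on ActiveSupport's digest-based
# secure_compare: hashing both sides to a fixed 32-byte digest hides the length
# of the expected value; the trailing a == b only runs once the digests match.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b)) && a == b
end

# Hardened form: both comparisons run in constant time, and the non-short-circuit
# & ensures the password is always compared even when the user name is wrong.
def basic_auth_secure?(user, password)
  user_ok = secure_compare(user, EXPECTED_USER)
  pass_ok = secure_compare(password, EXPECTED_PASSWORD)
  user_ok & pass_ok
end

if __FILE__ == $PROGRAM_NAME
  puts "insecure check accepts valid credentials: #{basic_auth_insecure?('admin', EXPECTED_PASSWORD)}"
  puts "secure check accepts valid credentials:   #{basic_auth_secure?('admin', EXPECTED_PASSWORD)}"
  puts "secure check rejects wrong password:      #{!basic_auth_secure?('admin', 'wrong')}"
end
```

Both versions return the same answers; the difference is only in how long each takes on a wrong guess, which is exactly the property a scanner cannot see from results alone and why the rule keys on the == call itself.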
We are continuing to work on Pro features for both the engine and the GUI. In the coming months we expect to offer better support for continuous integration and a Ruby gem version of the Pro engine.
If you have not purchased Brakeman Pro yet, you can view our pricing and purchase licenses directly from our site.
Not sure about Brakeman Pro? We also offer a downloadable trial version to try it out.
Please feel free to contact us at firstname.lastname@example.org with any questions.