6.1.1

• Handle racc as a default gem in Ruby 3.3.0

6.1.0

• Add check for unfiltered search with Ransack
• Add --timing to add timing duration for scan steps
• Add PG::Connection.escape_string as a SQL sanitization method (Joévin Soulenq)
• Handle class << self
• Fix class method lookup in parent classes
• Fix keyword splats in filter arguments

6.0.0.1 - Docker only

This release is to fix the Ruby version used in the Docker image.

No other changes.

6.0.0

• Drop support for Ruby 1.8/1.9 syntax
• Raise minimum Ruby version to 3.0
• Add obsolete fingerprints to comparison report (#1758)
• Warn about missing CSRF protection when defaults are not loaded (Chris Kruger)
• Fix false positive with content_tag in newer Rails (#1778)
• Scan directories that include the word public
• Fix end-of-life dates for Ruby

5.4.1

• Add Rails 6.1 and 7.0 default configuration values
• Support Rails 7 redirect options
• Add redirect_back and redirect_back_or_to to open redirect check
• Revise checking for request.env to only consider request headers
• Prevent redirects using url_from being marked as unsafe (Lachlan Sylvester)
• Warn about unscoped find for find_by(id: ...)
• Support presence, presence_in and in? (#1569)
• Fix issue with if expressions in when clauses (#1743)
• Fix file/line location for EOL software warnings

5.4.0

• Add check for weak RSA key sizes and padding modes (#1736)
• Add check for absolute paths issue with Pathname (#1721)
• Handle multiple values and splats in case/when (#1730)
• Ignore more model methods in redirects (#1723)
• Fix load_rails_defaults overwriting settings in the Rails application (James Gregory-Monk)
• Use relative paths for CodeClimate report format (Mike Poage)

5.3.1

• Fix version range for CVE-2022-32209

5.3.0

• Add CWE information to warnings (Stephen Aghaulor)
• Include explicit engine or lib paths in vendor/ (Joe Rafaniello)
• Add check for CVE-2022-32209
• Load rexml as a Brakeman dependency
• Fix "full call" information propagating unnecessarily

5.2.3

• Fix error with hash shorthand syntax (#1700)
• Match order of interactive options with help message (@roryokane)

5.2.2

• Respect equality in if conditions (#1683)
• Update message for unsafe reflection (Pedro Baracho)
• Handle nil when joining values (Dan Buettner)
• Add additional String methods for SQL injection check (#1669)
• Update ruby_parser for Ruby 3.1 support (Merek Skubela)