Skip to content

Roadmap

Justin edited this page Jun 5, 2017 · 63 revisions

This is a tentative roadmap/TODO list for Brakeman. Note that these are deadline versions, not necessarily the version the feature/fix will appear in. Items in italics have been merged into master.

1.9

1.9.3

1.9.4

Bug fixes/CVEs only!

1.9.5

Bug fixes/CVEs only!

2.0

  • Standardize default config file location
  • Relative paths by default for JSON
  • Remove timestamp from JSON output
  • Combine YAML/Marshal/CSV load checks into single check
  • Change "Cross-Site Request Forgery" to "Cross Site Request Forgery"
  • Normalize SQL CVE warning messages to be less verbose
  • Normalize warning messages in general
  • Move test/tests/test_* to test/tests/*
  • Bump confidence on mass assignment with attr_protected to medium
  • Fix false positive reports of Model#id and to_json

2.1

  • Allow --compare and -o/-f together for nicer diff reports
  • Split into two packages, brakeman + brakeman-min
  • Add Tracker#warnings instead of Tracker#checks.all_warnings
  • Fix how mixin methods are handled - need to be duped

2.4

  • Scan all versions in Gemfile.lock instead of special cases

2.4.1

  • CVEs only

2.4.2

  • Bugfixes/Internal improvements only

2.5.0

  • Reorganize CVE checks
  • Support before_action for Rails 4
  • Support latest RailsLTS

2.x

  • False positive configuration
  • Get rid of Tracker#check_initializers and FindCall
  • Scan helpers and make them available in views for inter-procedural analysis

3.0

  • Add libs to call index
  • Add ability to have optional checks not enabled by default
  • Make --separate-models the default
  • In BaseCheck, only set @has_user_input once (i.e. ||=) to match first not last (maybe)
  • Make CheckSymbolDoS an optional check
  • Find a way to update ruby_parser and offset wrong line numbers
  • Do not format local variables as "local var"
  • Add warnings for rendering text, inline
  • File disclosure CVEs check

3.1

  • Refactor XSS checks to have easier shared code

4.0

  • Switch to -f plain for default report
  • Something like --report-direct by default?
  • -z by default

Some Day

  • Add remediation steps to warnings when created
  • Add number_with_delimiter, etc, to known bad, but have to check for :raise => true
  • Better highlighting of user input in HTML output
  • Add rel="noreferrer" to HTML report links
  • Prettier HTML output
  • Rescue divide by zero errors (and turn into warnings...?)
You can’t perform that action at this time.