Justin edited this page May 16, 2013 · 63 revisions

This is a tentative roadmap/TODO list for Brakeman. Note that these are deadline versions, not necessarily the version the feature/fix will appear in. Items in italics have been merged into master.

1.9

1.9.3

1.9.4

Bug fixes/CVEs only!

1.9.5

Bug fixes/CVEs only!

2.0

  • Standardize default config file location
  • Relative paths by default for JSON
  • Remove timestamp from JSON output
  • Combine YAML/Marshal/CSV load checks into single check
  • Change "Cross-Site Request Forgery" to "Cross Site Request Forgery"
  • Normalize SQL CVE warning messages to be less verbose
  • Normalize warning messages in general
  • Move test/tests/test_* to test/tests/*
  • Bump confidence on mass assignment with attr_protected to medium
  • Fix false positive reports of Model#id and to_json

2.1

  • Allow --compare and -o/-f together for nicer diff reports
  • Split into two packages, brakeman + brakeman-min
  • Fix how mixin methods are handled - need to be duped

2.x

  • Get rid of Tracker#check_initializers and FindCall
  • False positive configuration
  • Scan helpers and make them available in views for inter-procedural analysis
  • Add libs to call index

Some Day

  • Add remediation steps to warnings when created
  • Add number_with_delimiter, etc., to known bad, but have to check for :raise => true
  • Better highlighting of user input in HTML output
  • Add rel="noreferrer" to HTML report links
  • Clean up RubyParser "warnings"
  • Prettier HTML output
  • Move Checks information into Tracker#report where it makes sense