Roadmap
Justin edited this page May 16, 2013 · 63 revisions
This is a tentative roadmap/TODO list for Brakeman. Note that these are deadline versions, not necessarily the version the feature/fix will appear in. Items in italics have been merged into master.
- Update to RubyParser 3.0
- Handle Rails 4 strong parameters
- Optional intra-procedural data flow for simple helper methods
- Switch to `multi_json` gem
- Output Brakeman version
- Output scan duration
- Reduce Sexp creation
- Fix "Unhandled resource option"
- Session check is looking for `Rails3::...` which is silly
- Fix YAML.load false positive
- Fix false positive on redirect to association
- Handle `append_before_filter` and `prepend_before_filter`
- Add "render path" to JSON output
- Warning identifiers
- Expand `skip_before_filter` check
- Support for Slim
Bug fixes/CVEs only!
- Standardize default config file location
- Relative paths by default for JSON
- Remove `timestamp` from JSON output
- Combine YAML/Marshal/CSV `load` checks into single check
- Change "Cross-Site Request Forgery" to "Cross Site Request Forgery"
- Normalize SQL CVE warning messages to be less verbose
- Normalize warning messages in general
- Move `test/tests/test_*` to `test/tests/*`
- Bump confidence on mass assignment with `attr_protected` to medium
- Fix false positive reports of `Model#id` and `to_json`
- Allow `--compare` and `-o`/`-f` together for nicer diff reports
- Split into two packages, brakeman + brakeman-min
- Fix how mixin methods are handled - need to be duped
- Get rid of `Tracker#check_initializers` and `FindCall`
- False positive configuration
- Scan helpers and make them available in views for inter-procedural analysis
- Add libs to call index
- Add remediation steps to warnings when created
- Add `number_with_delimiter`, etc., to known bad, but have to check for `:raise => true`
- Better highlighting of user input in HTML output
- Add `rel="noreferrer"` to HTML report links
- Clean up RubyParser "warnings"
- Prettier HTML output
- Move Checks information into Tracker#report where it makes sense