presidentbeef edited this page Oct 7, 2014 · 63 revisions

This is a tentative roadmap/TODO list for Brakeman. Note that these are deadline versions, not necessarily the version the feature/fix will appear in. Items in italics have been merged into master.

1.9

1.9.3

1.9.4

Bug fixes/CVEs only!

1.9.5

Bug fixes/CVEs only!

2.0

  • Standardize default config file location
  • Relative paths by default for JSON
  • Remove timestamp from JSON output
  • Combine YAML/Marshal/CSV load checks into single check
  • Change "Cross-Site Request Forgery" to "Cross Site Request Forgery"
  • Normalize SQL CVE warning messages to be less verbose
  • Normalize warning messages in general
  • Move test/tests/test_* to test/tests/*
  • Bump confidence on mass assignment with attr_protected to medium
  • Fix false positive reports of Model#id and to_json

2.1

  • Allow --compare and -o/-f together for nicer diff reports
  • Split into two packages, brakeman + brakeman-min
  • Add Tracker#warnings instead of Tracker#checks.all_warnings
  • Fix how mixin methods are handled - need to be duped

2.4

  • Scan all versions in Gemfile.lock instead of special cases

2.4.1

  • CVEs only

2.4.2

  • Bugfixes/Internal improvements only

2.5.0

  • Reorganize CVE checks
  • Support before_action for Rails 4
  • Support latest RailsLTS

2.5.1

  • Warn on XSS in render :inline

2.x

  • False positive configuration
  • Get rid of Tracker#check_initializers and FindCall
  • Scan helpers and make them available in views for inter-procedural analysis
  • Warn on render :update with user input

3.0

  • Add libs to call index
  • _Add ability to have optional checks not enabled by default_
  • Move Checks information into Tracker#report where it makes sense
  • Make --separate-models the default
  • In BaseCheck, only set @has_user_input once (i.e. use ||=) so it records the first match, not the last
  • Make CheckSymbolDoS an optional check

Some Day

  • Add remediation steps to warnings when created
  • Add number_with_delimiter, etc. to known bad, but have to check for :raise => true
  • Better highlighting of user input in HTML output
  • Add rel="noreferrer" to HTML report links
  • Prettier HTML output
  • Rescue divide by zero errors (and turn into warnings...?)