brakeman

A static analysis security vulnerability scanner for Ruby on Rails applications

OTHER License

Downloads
135.9M
Stars
7K
Committers
162


brakeman - 4.2.0

Published by presidentbeef over 6 years ago

  • Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
  • Exclude template folders in lib/ (kru0096)
  • Warn about SQL injection with not
  • Avoid warning about symbol DoS on Model#attributes (#1096)
  • Avoid warning about open redirects with model methods ending with _path (#1117)
  • Avoid warning about command injection with Shellwords.escape (#1159)
  • Use ivars from initialize in libraries
  • Fix multiple assignment of globals (#1155)
  • Sexp#body= can accept :rlist from Sexp#body_list
  • Update RubyParser to 3.11.0

brakeman - 4.1.1

Published by presidentbeef almost 7 years ago

  • Remove check for use of permit with *_id keys
  • Avoid duplicate warnings about permitted attributes

brakeman - 4.1.0

Published by presidentbeef almost 7 years ago

  • Add check for dangerous keys in permit
  • Add optional check for divide by zero
  • Remove errors about divide by zero
  • Warn about dynamic values in Arel.sql
  • Show better location for Sass errors (Andrew Bromwich)
  • Avoid warning about file access for temp files (#1110)
  • Avoid CSRF warning in Rails 5.2 default config (#1132)
  • Better processing of op_asgn1 (e.g. x[:y] += 1) (#1103)
  • Handle nested destructuring/multiple assignment
  • Do not warn on params.permit with safe values (#1000)
  • Use HTTPS for warning links
  • Try to guess options for less pager (#1118)
  • Do not page if results fit on screen
  • Leave results on screen after paging
  • Fix upgrade version for CVE-2016-6316
  • Fix include_paths for Code Climate engine (Will Fleming)
  • Support app_path configuration for Code Climate engine (Noah Davis)
  • Refactor Code Climate engine options parsing (Noah Davis)

brakeman - 4.0.1

Published by presidentbeef about 7 years ago

  • Disable pager when CI environment variable is set
  • Fix output when pager fails

brakeman - 4.0.0

Published by presidentbeef about 7 years ago

  • --exit-on-warn is now the default (#852)
  • --exit-on-error is now the default (#1083)
  • "Plain" report output is now the default
  • Add simple pager for reports output to terminal
  • Remove low confidence mass assignment warnings
  • Reduce warnings about XSS in link_to
  • Treat request.cookies like cookies (#1090)
  • Treat fail/raise like early returns (#754)
  • Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
  • Remove reliance on CONFIDENCE constant in checks
  • Fix --exit-on-error and --exit-on-warn in config files

brakeman - 3.7.2

Published by presidentbeef about 7 years ago

brakeman - 3.7.1

Published by presidentbeef about 7 years ago

  • Handle simple guard with return at end of branch (#1073)
  • Add more collection methods for iteration detection
  • Modularize bin/brakeman
  • Improve multi-value Sexp error message
  • Update ruby2ruby and ruby_parser dependencies

brakeman - 3.7.0

Published by presidentbeef over 7 years ago

  • Avoid interpolating hashes/arrays on failed access (#921)
  • Fix false positive for redirect_to in Rails 4 (Mário Areias)
  • Show progress indicator in interactive mode (#1012)
  • Handle simple conditional guards that use return (#1057)
  • Improve support for rails4/rails5 options in config file (#1059)
  • Updated RubyParser to master

brakeman - 3.6.2

Published by presidentbeef over 7 years ago

  • Remove --rake option
  • By default, do not honor additional check paths in config
  • Properly handle template names without .html or .js
  • Catch YAML parsing errors in session settings check (#1046)
  • Better handling of if expressions in HAML rendering (#1032)
  • Avoid warning about SQLi with to_s in exists? (#1045)
  • Handle safe call operator in checks (#1031)
  • Handle empty if expressions when finding return values
  • Set template file names during rendering for better errors
  • Limit Slim dependency to before 3.0.8
  • Update RubyParser to 3.9.0

brakeman - 3.6.1

Published by presidentbeef over 7 years ago

brakeman - 3.6.0

Published by presidentbeef over 7 years ago

  • Branch inside of case expressions (#944, #972, #1002)
  • Check targetless SQL calls outside of known models
  • Fix issue with nested interpolation inside SQL strings (#1008)
  • Add --exit-on-error (Michael Grosser)
  • Only report CVE-2015-3227 when exact version is known (#933, #995)
  • Print command line option errors without modification (#1010)
  • Ignore GraphQL tags inside ERB templates
  • Avoid recursive Concerns

brakeman - 3.5.0

Published by presidentbeef over 7 years ago

  • Warn about SQL injection even if target is not known ActiveRecord model
  • Avoid warning about models as SQL injection (#655, #680, #833)
  • Avoid warning about SQLi in all, first, or last after Rails 4.0
  • Treat templates without .html as HTML anyway (#790)
  • Report check name in JSON and plain reports (#971)
  • Add --ensure-latest option (tamgrosser / Michael Grosser)
  • Add --no-summary to hide summaries in HTML/text reports (#963)
  • Fail on invalid checks specified by -x or -t (#970)
  • Handle included block in concerns (#958)
  • Updated RubyParser/Ruby2Ruby dependencies

brakeman - 3.3.5

Published by presidentbeef almost 8 years ago

  • Fix bug in reports when using --debug

brakeman - 3.4.0

Published by presidentbeef almost 8 years ago

  • Show obsolete ignore entries in reports (Jonathan Cheatham)
  • Add option to prune ignore file with -I
  • Add new plain report format (#914)
  • Support creating reports in non-existent paths (#924)
  • Add --no-exit-warn (#925)
  • Improved Slim template support

brakeman - 3.4.1

Published by presidentbeef almost 8 years ago

  • Configurable engines path (Jason Yeo)
  • Check CSRF setting in direct subclasses of ActionController::Base (Jason Yeo)
  • Pull Ruby version from .ruby-version or Gemfile
  • Use Ruby version to turn off SymbolDoS check (#928)
  • Fix ignoring link interpolation not at beginning of string (#939)
  • Show action help at start of interactive ignore (#949)
  • Avoid warning about where_values_hash in SQLi (#942)

brakeman - 3.3.4

Published by presidentbeef about 8 years ago

  • Add generic warning for CVE-2016-6316
  • Warn about dangerous use of content_tag with CVE-2016-6316
  • Add warning for CVE-2016-6317
  • Use Minitest

brakeman - 3.3.3

Published by presidentbeef about 8 years ago

  • Index calls in view helpers
  • Process inline template renders (#672)
  • Show path when no Rails app found (Neil Matatall)
  • Avoid warning about hashes in link_to hrefs (#897)
  • Improve return value guesses
  • Ignore boolean methods in render paths
  • Reduce open redirect duplicates
  • Fix SymbolDoS error with unknown Rails version

brakeman - 3.2.0.pre1

Published by presidentbeef over 8 years ago

Preview of 3.2.0

brakeman - 3.3.2

Published by presidentbeef over 8 years ago

  • Fix performance regression in global constant tracking

brakeman - 3.3.1

Published by presidentbeef over 8 years ago

  • Improved line number accuracy in ERB templates (Patrick Toomey)
  • Allow multiple line regex in validates_format_of (Dmitrij Fedorenko)
  • Avoid overwriting instance/class methods with same name (Tim Wade)
  • Add --force-scan option (Neil Matatall)
  • Only consider if branches in templates
  • Support more safe &. operations
  • Avoid warning about SQL injection with quoted_primary_key (#884)
  • Delay loading vendored gems and modifying load path
  • Added brakeman-lib gem