Check Unscoped AR queries with find_by/find_by!

[thukim]

Fixes 2 issues described in #1786

Brakeman has been updated to include find_by but it does not include find_by!.
Brakeman only checks for find_by on id and doesn't look for any other attributes. In our project the attribute we use public_id instead of id as the publicly facing ID of our models. This means we don't get any warnings for unscoped find for most of our models.

[thukim]

Hi @presidentbeef ,

I think this repository is having flaky tests (screenshot attached below)

Ref: https://app.circleci.com/pipelines/github/presidentbeef/brakeman?branch=pull%2F1797

The same set of failed tests happen for test-3-2 first and then test-3-1 and it seems to be related to the file lib/sweet_lib.rb

[presidentbeef]

Yes, that is a flaky test. Sorry for the trouble. Now I'm finally motivated to fix it - fix incoming shortly, I hope.

[presidentbeef]

Should be fixed with #1798. Please rebase on main and try again.

[thukim]

Thanks, @presidentbeef ! After merging the latest changes from the main branch to this branch, all the tests are green 👍
This PR is also ready to be reviewed.

[presidentbeef]

Warning on all uses of find_by/find_by! is a pretty major change.

The intent of the original code was to warn about equivalents to find or find_by_id, and the overall intent of the check is to warn about insecure direct object references - i.e. uses of the row id directly.

This check already has pretty high false positive rate (which is why it is off by default), so I'm pretty hesitant to make it worse.

[thukim]

I see, thanks @presidentbeef! I will close this PR then