Justin edited this page Jun 5, 2017 · 63 revisions

This is a tentative roadmap/TODO list for Brakeman. Note that the version numbers below are target deadlines, not necessarily the version in which a given feature or fix will appear. Items in italics have already been merged into master.

1.9

1.9.3

1.9.4

  • Bug fixes/CVEs only!

1.9.5

  • Bug fixes/CVEs only!

2.0

  • Standardize default config file location
  • Relative paths by default for JSON
  • Remove timestamp from JSON output
  • Combine YAML/Marshal/CSV load checks into single check
  • Change "Cross-Site Request Forgery" to "Cross Site Request Forgery"
  • Normalize SQL CVE warning messages to be less verbose
  • Normalize warning messages in general
  • Move test/tests/test_* to test/tests/*
  • Bump confidence on mass assignment with attr_protected to medium
  • Fix false positive reports of Model#id and to_json

2.1

  • Allow --compare and -o/-f together for nicer diff reports
  • Split into two packages, brakeman + brakeman-min
  • Add Tracker#warnings instead of Tracker#checks.all_warnings
  • Fix how mixin methods are handled - need to be duped

2.4

  • Scan all versions in Gemfile.lock instead of special cases

2.4.1

  • CVEs only

2.4.2

  • Bugfixes/Internal improvements only

2.5.0

  • Reorganize CVE checks
  • Support before_action for Rails 4
  • Support latest RailsLTS

2.x

  • False positive configuration
  • Get rid of Tracker#check_initializers and FindCall
  • Scan helpers and make them available in views for inter-procedural analysis

3.0

  • Add libs to call index
  • Add ability to have optional checks not enabled by default
  • Make --separate-models the default
  • In BaseCheck, only set @has_user_input once (i.e. ||=) to match first not last (maybe)
  • Make CheckSymbolDoS an optional check
  • Find a way to update ruby_parser and offset wrong line numbers
  • Do not format local variables as "local var"
  • Add warnings for rendering text, inline
  • File disclosure CVEs check

3.1

  • Refactor XSS checks to have easier shared code

4.0

  • Switch to -f plain for default report
  • Something like --report-direct by default?
  • -z by default

Some Day

  • Add remediation steps to warnings when created
  • Add number_with_delimiter, etc, to known bad, but have to check for :raise => true
  • Better highlighting of user input in HTML output
  • Add rel="noreferrer" to HTML report links
  • Prettier HTML output
  • Rescue divide by zero errors (and turn into warnings...?)