4.2.1

• Add warning for CVE-2018-3741
• Add warning for CVE-2018-8048
• Scan app/jobs/ directory
• Handle template_exists? in controllers (#1124)

4.2.0

• Handle ERb use of String#<< method for Ruby 2.5 (Pocke)
• Exclude template folders in lib/ (kru0096)
• Warn about SQL injection with not
• Avoid warning about symbol DoS on Model#attributes (#1096)
• Avoid warning about open redirects with model methods ending with _path(#1117)
• Avoid warning about command injection with Shellwords.escape (#1159)
• Use ivars from initialize in libraries
• Fix multiple assignment of globals (#1155)
• Sexp#body= can accept :rlist from Sexp#body_list
• Update RubyParser to 3.11.0

4.1.1

• Remove check for use of permit with *_id keys
• Avoid duplicate warnings about permitted attributes

4.1.0

• Add check for dangerous keys in permit
• Add optional check for divide by zero
• Remove errors about divide by zero
• Warn about dynamic values in Arel.sql
• Show better location for Sass errors (Andrew Bromwich)
• Avoid warning about file access for temp files (#1110)
• Avoid CSRF warning in Rails 5.2 default config (#1132)
• Better processing of op_asgn1 (e.g. x[:y] += 1) (#1103)
• Handle nested destructuring/multiple assignment
• Do not warn on params.permit with safe values (#1000)
• Use HTTPS for warning links
• Try to guess options for less pager (#1118)
• Do not page if results fit on screen
• Leave results on screen after paging
• Fix upgrade version for CVE-2016-6316
• Fix include_paths for Code Climate engine (Will Fleming)
• Support app_path configuration for Code Climate engine (Noah Davis)
• Refactor Code Climate engine options parsing (Noah Davis)

4.0.1

• Disable pager when CI environment variable is set
• Fix output when pager fails

4.0.0

• --exit-on-warn is now the default (#852)
• --exit-on-error is now the default (#1083)
• "Plain" report output is now the default
• Add simple pager for reports output to terminal
• Remove low confidence mass assignment warnings
• Reduce warnings about XSS in link_to
• Treat request.cookies like cookies (#1090)
• Treat fail/raise like early returns (#754)
• Rename "Cross Site Scripting" to "Cross-Site Scripting" (Paul Tetreau)
• Remove reliance on CONFIDENCE constant in checks
• Fix --exit-on-error and --exit-on-warn in config files

3.7.2

• Fix --ensure-latest (David Guyon)

3.7.1

• Handle simple guard with return at end of branch (#1073)
• Add more collection methods for iteration detection
• Modularize bin/brakeman
• Improve multi-value Sexp error message
• Update ruby2ruby and ruby_parser dependencies

3.7.0

• Avoid interpolating hashes/arrays on failed access (#921)
• Fix false positive for redirect_to in Rails 4 (Mário Areias)
• Show progress indicator in interactive mode (#1012)
• Handle simple conditional guards that use return (#1057)
• Improve support for rails4/rails5 options in config file (#1059)
• Updated RubyParser to master

3.6.2

• Remove --rake option
• By default, do not honor additional check paths in config
• Properly handle template names without .html or .js
• Catch YAML parsing errors in session settings check (#1046)
• Better handling of if expressions in HAML rendering (#1032)
• Avoid warning about SQLi with to_s in exists? (#1045)
• Handle safe call operator in checks (#1031)
• Handle empty if expressions when finding return values
• Set template file names during rendering for better errors
• Limit Slim dependency to before 3.0.8
• Update RubyParser to 3.9.0