Releases: presidentbeef/brakeman

3.6.1

24 Mar 21:21

3.6.0

23 Mar 07:55
  • Branch inside of case expressions (#944, #972, #1002)
  • Check targetless SQL calls outside of known models
  • Fix issue with nested interpolation inside SQL strings (#1008)
  • Add --exit-on-error (Michael Grosser)
  • Only report CVE-2015-3227 when exact version is known (#933, #995)
  • Print command line option errors without modification (#1010)
  • Ignore GraphQL tags inside ERB templates
  • Avoid recursive Concerns

3.5.0

02 Feb 01:33
  • Warn about SQL injection even if target is not known ActiveRecord model
  • Avoid warning about models as SQL injection (#655, #680, #833)
  • Avoid warning about SQLi in all, first, or last after Rails 4.0
  • Treat templates without .html as HTML anyway (#790)
  • Report check name in JSON and plain reports (#971)
  • Add --ensure-latest option (tamgrosser / Michael Grosser)
  • Add --no-summary to hide summaries in HTML/text reports (#963)
  • Fail on invalid checks specified by -x or -t (#970)
  • Handle included block in concerns (#958)
  • Updated RubyParser/Ruby2Ruby dependencies
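The SQL injection items in 3.6.0 and 3.5.0 above (warn even when the receiver is not a known model, check targetless calls, handle nested interpolation inside SQL strings) all reduce to one question: does the string handed to a SQL-taking method contain `#{...}`? The block below is an added example written for this page, not Brakeman's own code, showing that check over Ruby's stdlib Ripper sexp. The method list, the sample controller and the helper names are assumptions made for the example.

```ruby
require "ripper"

# Illustrative subset of methods whose first argument becomes SQL text.
# This is an assumption for the example, not Brakeman's own list.
SQL_METHODS = %w[where order group having select joins find_by_sql].freeze

# Constructed sample controller (not from any real app). Lines 3, 5 and 6
# interpolate request data into SQL; lines 4 and 7 do not.
SAMPLE_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    def index
      @users  = User.where("name = '#{params[:name]}'")
      @bound  = User.where("name = ?", params[:name])
      @nested = Report.where("title = '#{"#{params[:title]}"}'")
      @raw    = find_by_sql "SELECT * FROM users WHERE id = #{params[:id]}"
      @const  = User.where("active = 1")
    end
  end
RUBY

# Depth-first visit of every sexp node (arrays whose head is a Symbol).
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node if node[0].is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# True if a #{...} occurs anywhere inside the node. Recursing through
# string_embexpr is what makes nested interpolation ("#{"#{x}"}") visible.
def interpolated?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :string_embexpr
  node.any? { |child| interpolated?(child) }
end

# Unwrap arg_paren / args_add_block and return the first argument node.
def first_arg(args)
  return nil unless args.is_a?(Array)
  case args[0]
  when :arg_paren      then first_arg(args[1])
  when :args_add_block then args[1].is_a?(Array) ? args[1][0] : nil
  end
end

# Split a call node into [receiver node or nil, @ident node, args node].
def call_parts(node)
  case node[0]
  when :method_add_arg                  # recv.m(...) or m(...)
    target = node[1]
    recv = target.is_a?(Array) && target[0] == :call ? target[1] : nil
    [recv, target.is_a?(Array) ? target.last : nil, node[2]]
  when :command_call                    # recv.m arg   (no parentheses)
    [node[1], node[3], node[4]]
  when :command                         # m arg        (no receiver, no parentheses)
    [nil, node[1], node[2]]
  end
end

# Constant name of a receiver such as `User`, else nil (untracked target).
def const_name(recv)
  return nil unless recv.is_a?(Array) && recv[0] == :var_ref
  recv[1].is_a?(Array) && recv[1][0] == :@const ? recv[1][1] : nil
end

# Report every SQL-taking call whose first argument contains interpolation,
# regardless of whether the receiver is a known model (or exists at all).
def scan_sql_interpolation(source)
  sexp = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
  findings = []
  each_node(sexp) do |node|
    parts = call_parts(node) or next
    recv, ident, args = parts
    next unless ident.is_a?(Array) && ident[0] == :@ident
    next unless SQL_METHODS.include?(ident[1])
    next unless interpolated?(first_arg(args))
    findings << { line: ident[2][0], method: ident[1], receiver: const_name(recv) }
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_sql_interpolation(SAMPLE_SOURCE).each do |f|
    target = f[:receiver] || "(no receiver)"
    puts "line #{f[:line]}: possible SQL injection in #{target}.#{f[:method]}"
  end
end
```

Only the first argument is inspected, so the bound-parameter form `where("name = ?", params[:name])` passes while the interpolated forms on lines 3, 5 and 6 are reported, including the bare `find_by_sql` call with no receiver. Brakeman goes much further (it follows data flow into the string, knows which receivers are models, and applies the Rails-version rules listed above for `all`, `first` and `last`), so this shows the shape of the check, not its coverage.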

3.4.1

03 Nov 01:07
  • Configurable engines path (Jason Yeo)
  • Check CSRF setting in direct subclasses of ActionController::Base (Jason Yeo)
  • Pull Ruby version from .ruby-version or Gemfile
  • Use Ruby version to turn off SymbolDoS check (#928)
  • Fix ignoring link interpolation not at beginning of string (#939)
  • Show action help at start of interactive ignore (#949)
  • Avoid warning about where_values_hash in SQLi (#942)

3.4.0

03 Nov 01:08
  • Show obsolete ignore entries in reports (Jonathan Cheatham)
  • Add option to prune ignore file with -I
  • Add new plain report format (#914)
  • Support creating reports in non-existent paths (#924)
  • Add --no-exit-warn (#925)
  • Improved Slim template support

3.3.5

03 Nov 01:09
  • Fix bug in reports when using --debug

3.3.4

12 Aug 15:24

3.3.3

21 Jul 21:56
  • Index calls in view helpers
  • Process inline template renders (#672)
  • Show path when no Rails app found (Neil Matatall)
  • Avoid warning about hashes in link_to hrefs (#897)
  • Improve return value guesses
  • Ignore boolean methods in render paths
  • Reduce open redirect duplicates
  • Fix SymbolDoS error with unknown Rails version

3.3.2

13 Jun 04:26
  • Fix performance regression in global constant tracking

3.3.1

03 Jun 15:14
  • Improved line number accuracy in ERB templates (Patrick Toomey)
  • Allow multiple line regex in validates_format_of (Dmitrij Fedorenko)
  • Avoid overwriting instance/class methods with same name (Tim Wade)
  • Add --force-scan option (Neil Matatall)
  • Only consider if branches in templates
  • Support more safe &. operations
  • Avoid warning about SQL injection with quoted_primary_key (#884)
  • Delay loading vendored gems and modifying load path
  • Added brakeman-lib gem