This release has some big changes to how SQL injection vulnerabilities are detected, a new check for uses of OpenSSL::SSL::VERIFY_NONE, and support for Rails LTS versions going forward.
Additionally, warnings about dangerous attributes in attr_accessible are now fingerprinted individually, so each one can be ignored on its own. This will change the fingerprints of existing warnings of this type. Please also note that the warning messages for dangerous attributes have changed.

Changes since 2.3.1:

* Fingerprint attribute warnings individually (Case Taintor)
* Add check for uses of OpenSSL::SSL::VERIFY_NONE (Aaron Bedra)
* Detect SQL injection in raw SQL queries made through connection
* Fix false positives when SQL methods are not called on ActiveRecord models (Aaron Bedra)
* Reduce false positives for SQL injection in string building
* More accurate user input marking for SQL injection warnings
* Detect SQL injection in delete_all/destroy_all
* Add support for Rails LTS versions
* Parse exact versions from Gemfile.lock for all gems
* Ignore generators in lib/ directory
* No longer raise exceptions if a class name cannot be determined
* Update to RubyParser 3.4.0

For full details, please see the release post: http://brakemanscanner.org/blog/2014/02/05/brakeman-2-dot-4-0-released/
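To make the new checks concrete, here is an added example (not Brakeman's own code, and not taken from the release post) of the kinds of source lines the VERIFY_NONE check and the new raw-SQL/delete_all/destroy_all detection are aimed at, each beside its safe counterpart. The sample lines are constructed for this illustration, and the flagging logic is a deliberately naive regex sketch: real Brakeman works on a RubyParser AST and tracks user input and receivers, which is how it avoids the false positives mentioned above.

```ruby
# Added illustration: simplified, regex-based sketch of the two classes of
# finding named in the 2.4.0 changelog. This is NOT Brakeman's implementation.

# Raw SQL sinks: ActiveRecord's connection methods, plus delete_all/destroy_all,
# which accept a conditions argument. Captures the argument text.
RAW_SQL_CALL = /
  (?:connection\.(?:execute|exec_query|select_all|select_one|select_values|select_value)
   |\.(?:delete_all|destroy_all))
  \s*\(?\s*(.+)$
/x

# Crude signals that the argument is built from pieces at runtime.
CONCAT = /["']\s*\+|\+\s*["']/

def verify_none?(line)
  line.include?("OpenSSL::SSL::VERIFY_NONE")
end

def sql_injection?(line)
  m = RAW_SQL_CALL.match(line)
  return false unless m
  arg = m[1]
  # Interpolation ('#{' is literal here) or string concatenation in the SQL
  # argument. Note: this sketch flags any interpolation, so a manually quoted
  # value would also be flagged; Brakeman's input tracking is finer-grained.
  arg.include?('#{') || !(arg =~ CONCAT).nil?
end

# Constructed sample lines (hypothetical app code), each flagged case paired
# with its safe form.
SAMPLE_LINES = {
  verify_none:    'http.verify_mode = OpenSSL::SSL::VERIFY_NONE',
  verify_peer:    'http.verify_mode = OpenSSL::SSL::VERIFY_PEER',
  raw_interp:     'ActiveRecord::Base.connection.execute("DELETE FROM sessions WHERE user_id = #{params[:id]}")',
  raw_bound:      'Session.where(user_id: params[:id]).delete_all',
  delete_interp:  'User.delete_all("name = \'#{params[:name]}\'")',
  delete_param:   'User.delete_all(["name = ?", params[:name]])',
  destroy_concat: 'Post.destroy_all("author = \'" + params[:author] + "\'")',
  destroy_hash:   'Post.destroy_all(author: params[:author])',
}.freeze

# Returns { name => [findings] } for only the lines that produce a finding.
def scan(lines)
  lines.each_with_object({}) do |(name, line), out|
    findings = []
    findings << :verify_none if verify_none?(line)
    findings << :sql_injection if sql_injection?(line)
    out[name] = findings unless findings.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LINES).each { |name, findings| puts "#{name}: #{findings.join(', ')}" }
end
```

The safe forms use a parameterized condition (`["name = ?", ...]`), a hash condition, or a relation built with `where` before `delete_all`, so no user-controlled string reaches the SQL text; for TLS, `VERIFY_PEER` is the setting that actually validates the server's certificate chain.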