Releases: presidentbeef/brakeman

1.5.0

10 Feb 23:53
  • Add version check for SafeBuffer vulnerability
  • Add check for select vulnerability in Rails 3
  • select() is no longer considered safe in Rails 2
  • Add check for skipping CSRF protection with a blacklist
  • Add JSON report format
  • Model#id should not be considered XSS
  • Standardize methods to check for SQL injection
  • Fix Rails 2 route parsing issue with nested routes

1.4.0

10 Feb 23:53
  • Add check for user input in link_to href parameter
  • Match ERB processing to rails_xss plugin when plugin used
  • Add Brakeman::Report#to_json, Brakeman::Warning#to_json
  • Warnings below minimum confidence are dropped completely
  • Brakeman.run always returns a Tracker

1.3.0

10 Feb 23:53
  • Add file paths to HTML report
  • Add caching of filters
  • Add --skip-files option
  • Add support for attr_protected
  • Add detection of request.env as user input
  • Descriptions of checks in -k output
  • Improved processing of named scopes
  • Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build
  • Better variable substitution
  • Table output option for rescan reports

1.2.2

10 Feb 23:53
  • --no-progress works again
  • Make CheckLinkTo a separate check
  • Don't fail on unknown options to resource(s)
  • Handle empty resource(s) blocks
  • Add RescanReport#existing_warnings

1.2.1

10 Feb 23:52
  • Remove link_to warning for Rails 3.x or when using rails_xss
  • Don't warn if first argument to link_to is escaped
  • Detect usage of attr_accessible with no arguments
  • Fix error when rendering a partial from a view but not through a controller
  • Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
  • Simplify Brakeman Rake task
  • Avoid modifying $VERBOSE
  • Add Brakeman::RescanReport#to_s
  • Add Brakeman::Warning#to_s

1.2.0

10 Feb 23:52
  • Speed improvements for CheckExecute and CheckRender
  • Check named_scope() and scope() for SQL injection
  • Add --rake option to create rake task to run Brakeman
  • Add experimental support for rescanning a subset of files
  • Add --summary option to only output summary
  • Fix a problem with Rails 3 routes

1.1.0

10 Feb 23:52
  • Relax required versions for dependencies
  • Performance improvements for source processing
  • Better progress reporting
  • Handle basic operators like << + - * /
  • Rescue more errors to prevent complete crashes
  • Compatibility with newer Haml versions
  • Fix some warnings

1.0.0

10 Feb 23:50
  • Better handling of assignments inside ifs
  • Check more expressions for SQL injection
  • Use latest ruby_parser for better 1.9 syntax support
  • Brakeman can now be used as a library
  • Faster call search
  • Add option to return error code if warnings are found (tw-ngreen)
  • Allow truncated messages to be expanded in HTML
  • Fix summary when using warning thresholds
  • Better support for Rails 3 routes
  • Reduce SQL injection duplicate warnings
  • Lower confidence on mass assignment with no user input
  • Ignore mass assignment using all literal arguments
  • Keep expanded context in view with HTML output

0.9.2

10 Feb 23:49
  • Fix Rails 3 configuration parsing
  • Add t() helper to check for translate XSS bug

0.9.1

10 Feb 23:49
  • Add warning for translator helper XSS vulnerability