
Another Round of Security Monitor Updates

A couple of weeks ago, we rolled out a new version of Security Monitor. The latest version has more checks, removes some duplicate warnings, produces fewer false positives, and has more code coverage than the previous version. Here’s a more detailed breakdown:

Additional Checks

  • In addition to unsafe YAML de-serialization, you will now also be warned about unsafe calls to CSV.load and Marshal.load.

Removed Duplicate Warnings

  • In certain cases, warnings were being generated for every reference to the same unsafe code, and not just for the original vulnerability. These duplicate warnings – for the checks on dangerous sends, unsafe Ruby reflection (aka unsafe constantize calls) and symbol Denial of Service attacks – have been removed.

Fewer False Positives

  • Security Monitor no longer warns on safe calls to Model#id or Model#to_json, such as when your Rails configuration is set to escape JSON.

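To show why a JSON-escaping configuration makes a Model#to_json result safe to embed in a page, here is an added Ruby example. It is not Security Monitor's code and does not use Rails: escape_json_for_html is a hypothetical stand-in that applies the same replacements ActiveSupport makes when escape_html_entities_in_json is enabled, and Comment is a constructed record standing in for a model.

```ruby
require "json"

# Constructed record standing in for an ActiveRecord model (assumption: a real
# app would call record.to_json; Struct#to_h + JSON.generate gives the same shape).
Comment = Struct.new(:id, :body)

# The characters ActiveSupport escapes when escape_html_entities_in_json is on:
# the JSON stays valid (\u escapes decode to the same text) but can no longer
# close or open an HTML tag when the string is dropped into a <script> block.
ESCAPE_MAP = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

# Hypothetical stand-in for the ActiveSupport escaping step.
def escape_json_for_html(json)
  json.gsub(/[<>&]/, ESCAPE_MAP)
end

# Renders a record as a JavaScript literal inside a script tag, with or
# without the HTML-entity escaping step.
def render_json_in_script(record, escape_html:)
  json = JSON.generate(record.to_h)
  json = escape_json_for_html(json) if escape_html
  "<script>var comment = #{json};</script>"
end

# Constructed input: a body that contains a closing script tag.
comment = Comment.new(7, "hello </script> world")

# Without escaping, the body's "</script>" terminates the script element early;
# with escaping it is just data, and JSON.parse still recovers the original text.
puts render_json_in_script(comment, escape_html: false)
puts render_json_in_script(comment, escape_html: true)
```

The corresponding Rails setting is config.active_support.escape_html_entities_in_json = true (it is on by default in newly generated apps); the example only reproduces its effect so the difference between the two renderings can be seen without a Rails install.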
More Code Coverage

  • Now handles some nested classes (previously all nested classes were ignored)
  • Handles stabby lambdas with no arguments, such as:

    -> { #rubycode }

  • Handles block argument destructuring, such as:

    your_method_call do | arg_a, ( arg_b, arg_c ) |
       # do something
    end
    

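The three coverage items above are all about the parser seeing every call site regardless of the syntax around it. The following is an added example, not Security Monitor's implementation, of a minimal check for the unsafe Marshal.load, CSV.load and YAML.load calls this release warns about, built on Ruby's standard Ripper parser. Because it walks the whole syntax tree generically, calls inside nested classes, argument-less stabby lambdas and blocks with destructured arguments are found without special cases. The sample source it scans is constructed here and is only parsed, never executed.

```ruby
require "ripper"

# Receiver.method pairs treated as unsafe deserialization sinks. YAML.load is
# the check Security Monitor already had; CSV.load and Marshal.load are this
# release's additions. Marshal.restore is an alias of Marshal.load and is
# included so the alias cannot be used to slip past the check.
UNSAFE_DESERIALIZERS = %w[Marshal.load Marshal.restore CSV.load YAML.load].freeze

# Constructed sample: three unsafe calls placed inside the constructs the
# release notes mention, plus two safe calls that must not be flagged.
SAMPLE_SOURCE = <<~'RUBY'
  module Billing
    class Invoice
      class Importer                         # nested classes
        def import(blob)
          Marshal.load(blob)                 # flagged (line 5)
        end
      end
    end
  end

  handler = -> { YAML.load(File.read("queue.yml")) }   # stabby lambda, no args: flagged (line 11)

  rows.each do |id, (name, payload)|       # destructured block args
    CSV.load(payload)                      # flagged (line 14)
  end

  JSON.parse(payload)                      # safe: not flagged
  YAML.safe_load(payload)                  # safe: not flagged
RUBY

# Returns [{ line:, call: }, ...] for every unsafe deserialization call in the
# source, whatever syntactic construct it is nested in.
def find_unsafe_deserialization(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" if tree.nil?
  findings = []
  walk(tree, findings)
  findings.sort_by { |f| f[:line] }
end

# Generic depth-first walk over Ripper's nested-array S-expression. Every node
# is visited, so there is no list of "known" constructs to keep up to date.
def walk(node, findings)
  return unless node.is_a?(Array)
  record_call(node, findings) if node[0] == :call
  node.each { |child| walk(child, findings) }
end

# A Ripper :call node is [:call, receiver, operator, method]. Only a bare
# constant receiver (Marshal, ::Marshal, CSV, YAML) with an identifier method
# name is of interest here.
def record_call(node, findings)
  receiver, method = node[1], node[3]
  return unless receiver.is_a?(Array) && method.is_a?(Array)
  return unless %i[var_ref top_const_ref].include?(receiver[0])
  const = receiver[1]
  return unless const.is_a?(Array) && const[0] == :@const && method[0] == :@ident
  call = "#{const[1]}.#{method[1]}"
  return unless UNSAFE_DESERIALIZERS.include?(call)
  findings << { line: method[2][0], call: call }
end

find_unsafe_deserialization(SAMPLE_SOURCE).each do |f|
  puts "line #{f[:line]}: unsafe #{f[:call]}"
end
```

Each call is reported once, from the single :call node Ripper emits for it, which is also the simplest way to avoid the duplicate-warning problem described above: findings are keyed on the call site, not on every later reference to the value it produces.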
Overall, we’re seeing more stable and more accurate Security Monitor scans, but please do let us know if you find any issues or have any questions.
