Railroader: Security static analysis tool for Ruby on Rails (Brakeman fork)
7y ago
Source: dwheeler.com

I've kicked off the Railroader project to maintain a security static analysis tool for Ruby on Rails that is open source software. If you are developing with Ruby on Rails, please consider using Railroader. We would also really love contributions, so please contribute!

A security static analysis tool (analyzer) examines software to help you identify vulnerabilities without running the possibly-vulnerable program. This helps you find and fix vulnerabilities before you field your web application. Ruby on Rails is a popular framework for developing web applications; sites that use Rails include GitHub, Airbnb, Bloomberg, Soundcloud, Groupon, Indiegogo, Kickstarter, Scribd, MyFitnessPal, Shopify, Urban Dictionary, Twitch.tv, GitLab, and the Core Infrastructure Initiative (CII) Best Practices Badge.

In the past the obvious tool for this purpose was Brakeman. However, Brakeman has switched to the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 Public License (CC-BY-NC-SA-4.0). This is not an open source software license, since it cannot be used commercially (an OSS license cannot discriminate against a field of endeavor). Similarly, it is not a free software license, since you cannot run the program as you wish / for any purpose. You can verify this by looking at the Brakeman 4.4.0 release announcement, the SPDX license list, Debian's "The Debian Free Software Guidelines (DFSG) and Software Licenses", Various Licenses and Comments about Them (Free Software Foundation), and Fedora's Licensing:Main (Bad Licenses list).

Railroader continues using the original licenses: MIT for code and CC-BY-3.0 for the website. MIT, of course, is a very well-known and widely-used open source software license. If you are currently using Brakeman, do not update to Brakeman version 4.4.0 or later until you first talk with your lawyer.

At the very least, if you plan to use newer versions of Brakeman, check their new license carefully to make sure that there is no possibility of a legal issue. This license change was part of a purchase of Brakeman by Synopsys. Synopsys is a big company, and they definitely have the resources to sue people who don't obey their legal terms. Even if they didn't, it is not okay to use software when you don't have the right to do so. Either make sure that you have no legal issues... or just switch to Railroader, where nothing has changed.

Unfortunately, it is really easy to "just upgrade to the latest release" of Brakeman without realizing that this is a major license change. I suspect a lot of people will just automatically download and run the latest version, and have no idea that this is happening. I only noticed because I routinely use software license checkers (license_finder in my case), so that I immediately notice license changes in a newer version. I strongly recommend adding static source code analyzers and license checkers as part of your continuous integration (CI).

We assume that "Brakeman" is now trademarked by Synopsys, Inc., so we've tried to rename everything so that the projects are clearly distinct. If we've missed something, please let us know and we'll fix it. The term "Railroader" is a play on the word Rails, but it is obviously a completely different word. Railroader shares a common code base historically with Brakeman, and that's important to explain, but they are not the same project and we are expressly trying not to infringe on any Brakeman trademark. It's obviously legal to copy and modify materials licensed under the MIT and CC-BY-3.0 licenses (that's the purpose of these licenses), so we believe there is no legal problem.

I think I have a reasonable background for starting this project. I created and have maintained flawfinder, a security static analysis tool for C/C++, since 2001. I literally wrote the book on developing secure software; see my book Secure Programming HOWTO. I even teach a graduate class at George Mason University (GMU) on how to develop secure software. For an example of how I approach securing software in an affordable way, see my video How to Develop Secure Applications: The BadgeApp Example (2017-09-18) or the related document BadgeApp Security: Its Assurance Case. I have also long analyzed software licenses, e.g., see The Free-Libre / Open Source Software (FLOSS) License Slide, Free-Libre / Open Source Software (FLOSS) is Commercial Software, and Publicly Releasing Open Source Software Developed for the U.S. Government.

While Railroader is a project fork, we hope that this is not a hostile fork. We will not accept software licensed only under CC-BY-NC-SA-4.0, since that is not an OSS license. But we'll gladly accept good contributions from anyone if they are released under the original OSS licenses (MIT for software, CC-BY-3.0 for website content). If the Brakeman project wants to cooperate in some way, we'd love to talk! We are all united in our desire to squash vulnerabilities before they are deployed. In addition, we're grateful for all the work that the Brakeman community has done.

So, again: If you are developing with Ruby on Rails, please consider using Railroader. We would also really love contributions, so please contribute!
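To make concrete what a security static analyzer for Rails looks for, here is a small added example; it is not Railroader's or Brakeman's code and does not show how either tool is implemented. It uses Ripper from Ruby's standard library to parse a constructed Rails controller and flags `where` calls whose SQL fragment is assembled by string interpolation or concatenation from request input (the classic Rails SQL-injection pattern), while leaving the bind-parameter and hash-condition forms alone. The controller source, the `User` model and the `params` accesses are all constructed for the illustration.

```ruby
require "ripper"

# Constructed sample Rails controller source (not taken from any real application).
# Lines 4 and 6 build SQL fragments from request input; lines 8 and 10 are safe forms.
SAMPLE_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    def search
      # Unsafe: request parameter interpolated straight into the SQL fragment
      @users = User.where("name = '#{params[:name]}'")
      # Unsafe: SQL fragment assembled by string concatenation
      @admins = User.where("role = '" + params[:role] + "'")
      # Safe: bind parameter, the database adapter does the quoting
      @active = User.where("last_login > ?", params[:since])
      # Safe: hash conditions, no hand-written SQL fragment at all
      @exact = User.where(name: params[:name])
    end
  end
RUBY

# Return the [:@ident, "where", [line, col]] node if `call` invokes a method named where.
def where_ident(call)
  return nil unless call.is_a?(Array)
  ident = case call[0]
          when :call, :command_call then call[3] # receiver.where(...)
          when :fcall then call[1]               # bare where(...)
          end
  ident if ident.is_a?(Array) && ident[0] == :@ident && ident[1] == "where"
end

# True if any node in the subtree has the given type (e.g. :string_embexpr for "#{...}").
def contains?(node, type)
  return false unless node.is_a?(Array)
  return true if node[0] == type
  node.any? { |child| contains?(child, type) }
end

# True if the subtree contains `+` with a string-literal operand, i.e. SQL built by concatenation.
def string_concat?(node)
  return false unless node.is_a?(Array)
  if node[0] == :binary && node[2] == :+ &&
     [node[1], node[3]].any? { |operand| operand.is_a?(Array) && operand[0] == :string_literal }
    return true
  end
  node.any? { |child| string_concat?(child) }
end

# Explain why the argument list of a where() call is dynamic SQL, or nil if it looks safe.
def dynamic_sql_reason(args)
  return "string interpolation in SQL fragment" if contains?(args, :string_embexpr)
  return "string concatenation in SQL fragment" if string_concat?(args)
  nil
end

# Walk the Ripper s-expression and collect where() calls whose SQL is built from pieces.
def find_dynamic_where(node, findings = [])
  return findings unless node.is_a?(Array)
  call, args = case node[0]
               when :method_add_arg then [node[1], node[2]] # where(...) with parentheses
               when :command_call   then [node, node[4]]    # recv.where "..." without parentheses
               end
  if call && (ident = where_ident(call)) && (reason = dynamic_sql_reason(args))
    findings << { line: ident[2][0], reason: reason }
  end
  node.each { |child| find_dynamic_where(child, findings) }
  findings
end

# Parse Ruby source and return findings sorted by line; unparsable source yields no findings.
def scan(source)
  tree = Ripper.sexp(source)
  return [] if tree.nil?
  find_dynamic_where(tree).sort_by { |f| f[:line] }
end

if $PROGRAM_NAME == __FILE__
  scan(SAMPLE_SOURCE).each do |finding|
    puts "line #{finding[:line]}: possible SQL injection (#{finding[:reason]})"
  end
end
```

Run stand-alone, it reports lines 4 and 6 of the sample and stays quiet on lines 8 and 10. Working on the parse tree rather than on regular expressions is what lets it tell `where("x = ?", v)` from `where("x = #{v}")`; a real analyzer adds data-flow tracking so that a fragment built a few lines earlier and then passed to `where` is also caught, which this illustration deliberately does not attempt.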