@sonalkr132
Created December 25, 2018 08:01
brakeman -c config/brakeman.yml
{
"scan_info": {
"app_path": "/home/aditya/rubygems.org",
"rails_version": "5.2.1.1",
"security_warnings": 2,
"start_time": "2018-12-25 13:30:52 +0530",
"end_time": "2018-12-25 13:30:54 +0530",
"duration": 1.919798021,
"checks_performed": [
"BasicAuth",
"BasicAuthTimingAttack",
"ContentTag",
"CreateWith",
"CrossSiteScripting",
"DefaultRoutes",
"Deserialize",
"DetailedExceptions",
"DigestDoS",
"DynamicFinders",
"EscapeFunction",
"Evaluation",
"Execute",
"FileAccess",
"FileDisclosure",
"FilterSkipping",
"ForgerySetting",
"HeaderDoS",
"I18nXSS",
"JRubyXML",
"JSONEncoding",
"JSONParsing",
"LinkTo",
"LinkToHref",
"MailTo",
"MassAssignment",
"MimeTypeDoS",
"ModelAttrAccessible",
"ModelAttributes",
"ModelSerialize",
"NestedAttributes",
"NestedAttributesBypass",
"NumberToCurrency",
"PermitAttributes",
"QuoteTableName",
"Redirect",
"RegexDoS",
"Render",
"RenderDoS",
"RenderInline",
"ResponseSplitting",
"RouteDoS",
"SQL",
"SQLCVEs",
"SSLVerify",
"SafeBufferManipulation",
"SanitizeMethods",
"SelectTag",
"SelectVulnerability",
"Send",
"SendFile",
"SessionManipulation",
"SessionSettings",
"SimpleFormat",
"SingleQuotes",
"SkipBeforeFilter",
"StripTags",
"SymbolDoSCVE",
"TranslateBug",
"UnsafeReflection",
"ValidationRegex",
"WithoutProtection",
"XMLDoS",
"YAMLParsing"
],
"number_of_controllers": 34,
"number_of_models": 16,
"number_of_templates": 51,
"ruby_version": "2.3.5",
"brakeman_version": "4.3.1"
},
"warnings": [
{
"warning_type": "Dynamic Render Path",
"warning_code": 15,
"fingerprint": "6e18d75f9e6fc624b054335d6f8fc92514f4793ecf69bd46adb0d42df138389f",
"check_name": "Render",
"message": "Render path contains parameter value",
"file": "app/views/reverse_dependencies/index.html.erb",
"line": 11,
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
"code": "render(action => Rubygem.find_by_name((params[:rubygem_id] or params[:id])).reverse_dependencies.by_downloads.preload(:gem_download, :latest_version).page(params[:page].to_i).without_count, {})",
"render_path": [{"type":"controller","class":"ReverseDependenciesController","method":"index","line":15,"file":"app/controllers/reverse_dependencies_controller.rb"}],
"location": {
"type": "template",
"template": "reverse_dependencies/index"
},
"user_input": "params[:page]",
"confidence": "Weak"
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
"fingerprint": "86641d277ebad7e3174dcd6f9a9e270b7066892d4a7cff402e2a17e25992ec28",
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/concerns/rubygem_searchable.rb",
"line": 122,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "where(\" versions.indexed and\\n (UPPER(name) LIKE UPPER(:query) OR\\n UPPER(TRANSLATE(name,\\n '#{\".-_\"}',\\n '#{(\" \" * \".-_\".length)}')\\n ) LIKE UPPER(:query))\\n\", :query => (\"%#{query.strip}%\"))",
"render_path": null,
"location": {
"type": "method",
"class": "RubygemSearchable",
"method": "RubygemSearchable.legacy_search"
},
"user_input": "(\" \" * \".-_\".length)",
"confidence": "Medium"
}
],
"ignored_warnings": [
],
"errors": [
],
"obsolete": [
]
}