From 9e9e56119daab6f2a80356db2ed43927c0f4f651 Mon Sep 17 00:00:00 2001 From: Alan Gabbianelli Date: Tue, 8 Jun 2021 15:44:04 +0100 Subject: [PATCH] Update brakeman to fix false positive warning We recently came across a [strange warning][0] in a `frontend` build: ``` == Warnings == Confidence: High Category: Cross-Site Scripting Check: SanitizeMethods Message: loofah gem 2.10.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1 File: Gemfile.lock Line: 187 ``` Version 2.10.0 is clearly more recent than 2.2.1. This came from how brakeman was doing a check: ``` loofah_version and loofah_version < "2.2.1" ``` but in ruby `'2.10.0' < '2.2.1'` is true: ``` [2] pry(main)> '2.10.0' < '2.2.1' => true ``` This [has been fixed][1] in [version 5.0.2][2] so let's upgrade brakeman to this new version. [0]: https://ci.integration.publishing.service.gov.uk/job/frontend/job/update-rubocop/6/console [1]: https://github.com/presidentbeef/brakeman/pull/1607/files [2]: https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md#502---2021-06-07 --- CHANGELOG.md | 4 ++++ govuk_test.gemspec | 2 +- lib/govuk_test/version.rb | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 18295a5..d0ec5fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ useful summary for people upgrading their application, not a replication of the commit log. +## 2.3.0 + +* Update brakeman to fix false positive warning ([#41](https://github.com/alphagov/govuk_test/pull/41)) + ## 2.2.0 * Remove pact test branch verify rake task diff --git a/govuk_test.gemspec b/govuk_test.gemspec index 06ef0cd..e2eed8c 100644 --- a/govuk_test.gemspec +++ b/govuk_test.gemspec 
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec| spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) } spec.require_paths = ["lib"] - spec.add_dependency "brakeman", "~> 4.6" + spec.add_dependency "brakeman", ">= 5.0.2" spec.add_dependency "capybara" spec.add_dependency "puma" spec.add_dependency "selenium-webdriver", ">= 3.142" diff --git a/lib/govuk_test/version.rb b/lib/govuk_test/version.rb index 5d8bf33..e5fb099 100644 --- a/lib/govuk_test/version.rb +++ b/lib/govuk_test/version.rb @@ -1,3 +1,3 @@ module GovukTest - VERSION = "2.2.0" + VERSION = "2.3.0" end
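Review bot: in the govuk_test.gemspec hunk the new constraint `spec.add_dependency "brakeman", ">= 5.0.2"` has no upper bound, whereas the line it replaces (`"~> 4.6"`) pinned consumers to one major series; any future brakeman 6.x would be pulled in automatically with whatever breaking changes or new checks it carries. Since the goal is only to pick up the 5.0.2 fix, a bounded constraint such as `spec.add_dependency "brakeman", "~> 5.0", ">= 5.0.2"` keeps the previous behaviour of excluding the next major.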
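Review bot: in the CHANGELOG.md hunk the entry "Update brakeman to fix false positive warning" does not say which warning, so someone reading the changelog to decide whether to upgrade cannot tell whether it is the one they are seeing. Naming the symptom from the commit message, e.g. "Update brakeman to 5.0.2 to fix a false positive loofah CVE-2018-8048 warning caused by string version comparison", and noting that this moves consumers from brakeman 4.x to 5.x, would make the 2.3.0 entry actionable.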
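The commit message shows the root cause (`'2.10.0' < '2.2.1'` is true in Ruby because `String#<` compares character by character) but not the correct way to compare gem versions. The following is an added example, not code from this PR or from brakeman, showing the lexical comparison beside a `Gem::Version` comparison and a hypothetical `check_loofah` / `audit_lockfile` check in the shape of the advisory check described in the message. The Gemfile.lock lines it scans are constructed for the example.

```ruby
# Added example: lexical vs. semantic version comparison in Ruby.
# Not brakeman's code; check_loofah/audit_lockfile are hypothetical helpers
# written for illustration, the lockfile text below is constructed.
require "rubygems" # Gem::Version ships with RubyGems and is normally preloaded

# The bug from the commit message: String#< compares character by character,
# so at the third character "1" < "2" and "2.10.0" sorts before "2.2.1".
def lexically_below?(version, fixed_in)
  version < fixed_in
end

# The fix: Gem::Version splits on "." and compares each segment numerically,
# so 10 > 2 and "2.10.0" is correctly newer than "2.2.1".
def semantically_below?(version, fixed_in)
  Gem::Version.new(version) < Gem::Version.new(fixed_in)
end

# Caveat worth knowing when writing such checks: Gem::Version treats trailing
# zeros as equal ("2.2" == "2.2.0") and orders prereleases before the release.
def prerelease_below_release?(version)
  v = Gem::Version.new(version)
  v.prerelease? && v < v.release
end

# Hypothetical advisory check (not brakeman's implementation): parse one
# Gemfile.lock line such as "    loofah (2.10.0)" and return a warning hash
# when the installed version is below the version the advisory cites.
LOOFAH_FIXED_IN = "2.2.1" # fixed-in version quoted by the warning in the commit message

def check_loofah(lockfile_line)
  m = lockfile_line.match(/^\s*loofah \((\d+(?:\.\d+)*)\)/)
  return nil unless m
  version = m[1]
  return nil unless semantically_below?(version, LOOFAH_FIXED_IN)
  { gem: "loofah", version: version, fixed_in: LOOFAH_FIXED_IN, cve: "CVE-2018-8048" }
end

# Run the check over every line of a lockfile and collect the warnings.
def audit_lockfile(lockfile_text)
  lockfile_text.lines.map { |line| check_loofah(line) }.compact
end

# Constructed Gemfile.lock excerpts: one with the version from the commit
# message (should produce no warning) and one with a genuinely old version.
CURRENT_LOCK = <<~LOCK
      loofah (2.10.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
LOCK

OLD_LOCK = <<~LOCK
      loofah (2.1.1)
        nokogiri (>= 1.5.9)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "lexical:  #{lexically_below?('2.10.0', '2.2.1')}"   # the false positive
  puts "semantic: #{semantically_below?('2.10.0', '2.2.1')}"
  puts "warnings for current lock: #{audit_lockfile(CURRENT_LOCK).inspect}"
  puts "warnings for old lock:     #{audit_lockfile(OLD_LOCK).inspect}"
end
```

The same mistake appears in any tool that stores versions as strings and sorts or compares them lexically; when reviewing a dependency-audit check, look for `<`, `<=` or `sort` applied directly to version strings and insist on `Gem::Version` (or the equivalent in the language at hand).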