version bump - 0.14.1

.github/workflows/elixir.yml

@@ -4,69 +4,67 @@ on:
   pull_request:
   push:
     branches:
-      - master
+      - main
 
 env:
   MIX_ENV: test
 
 jobs:
   mix_test:
     name: mix test (Elixir ${{matrix.elixir}} | OTP ${{matrix.otp}})
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
       matrix:
         include:
-          - elixir: '1.7.x'
-            otp: 22.3.4.26
-          - elixir: '1.8.x'
-            otp: 22.3.4.26
-          - elixir: '1.9.x'
-            otp: 22.3.4.26
-          - elixir: '1.10.x'
-            otp: 22.3.4.26
-          - elixir: '1.11.x'
-            otp: 23.3.4.18
-          - elixir: '1.12.x'
+          - elixir: "1.12.x"
             otp: 24
-          - elixir: '1.13.x'
+          - elixir: "1.13.x"
             otp: 25.1
-          - elixir: '1.14.x'
+          - elixir: "1.14.x"
             otp: 25.1
-          - elixir: '1.15.x'
+          - elixir: "1.15.x"
             otp: 26.0
-          - elixir: '1.16.x'
+          - elixir: "1.16.x"
             otp: 26.2
+          - elixir: "1.17.x"
+            otp: 27
+          - elixir: "1.18.x"
+            otp: 27
+          - elixir: "1.19.x"
+            otp: 28
+            # We only care about formatting and warnings for the latest version of Elixir
+            checkFormatAndWarnings: true
 
     steps:
-    - name: Setup Elixir
-      uses: erlef/setup-beam@v1
-      with:
-        otp-version: ${{ matrix.otp }}
-        elixir-version: ${{ matrix.elixir }}
+      - name: Setup Elixir
+        uses: erlef/setup-beam@v1
+        with:
+          otp-version: ${{ matrix.otp }}
+          elixir-version: ${{ matrix.elixir }}
 
-    - name: Checkout Code
-      uses: actions/checkout@v3
+      - name: Checkout Code
+        uses: actions/checkout@v3
 
-    - name: Install Dependencies
-      run: |
-        mix local.hex --force
-        mix local.rebar --force
-        mix deps.get --only test
+      - name: Install Dependencies
+        run: |
+          mix local.hex --force
+          mix local.rebar --force
+          mix deps.get --only test
 
-    - name: Hex Audit
-      run: mix hex.audit
+      - name: Hex Audit
+        run: mix hex.audit
 
-    - name: Check Formatting
-      if: ${{ matrix.elixir == '1.16.x' }} # we only care about formatting for latest version of Elixir
-      run: mix format --check-formatted
+      - name: Check Formatting
+        if: ${{ matrix.checkFormatAndWarnings }}
+        run: mix format --check-formatted
 
-    - name: Compiles w/o Warnings
-      if: ${{ matrix.elixir == '1.16.x' }} # we only care about warnings for latest version of Elixir
-      run: mix compile --warnings-as-errors
+      - name: Compiles w/o Warnings
+        if: ${{ matrix.checkFormatAndWarnings }}
+        run: mix compile --warnings-as-errors
 
-    - name: Credo
-      run: mix credo --all --strict
+      - name: Credo
+        run: mix credo --all --strict
 
-    - name: Run Tests
-      run: mix test
+      - name: Run Tests
+        run: mix test

CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## v0.14.1
+  * Enhancements
+    * Implicitly use `.sobelow-conf` if detected in the root directory rather than
+      require `--config` switch. The `--no-config` switch is still supported to
+      prevent any settings from being read in from the file if needed.
+    * Added guidance for `warn_if_outdated` option in mix deps
+    * Added support for Elixir v1.19.x
+  * Bug fixes
+    * Handled extra config options for app releases in mix.exs
+    * Properly handle the use of CLI switches and config file settings in the same run.
+      These would previously clobber each other in unapparent ways leading to
+      confusing behavior. CLI switch take precedence.
+    * `.sobelow-conf` now sorted alphabetically
+    * Fix edwarning from zero argument functions
+    * Fixed broken skip funcationality
+    * Fixed broken GitHub Actions CI
+  * Misc
+    * Typo fix
+
+## v0.14.0
+  * Removed
+    * Support for minimum Elixir versions 1.7 - 1.11 (**POTENTIALLY BREAKING** - only applies if you relied on Elixir 1.7 through 1.11, 1.12+ is still supported)
+  * Enhancements
+    * Added support for multiple variations of `SQL.query()`
+    * Added support for `System.shell' command introduced in Elixir v1.12
+    * Ignore runtime config during `Config.HSTS`
+    * Updated developer dependencies (`ex_doc` & `credo`)
+  * Bug fixes
+    * Fixed `is_endpoint?` error in main
+    * Fixed findings normalization bug
+    * Fixed truncation error
+  * Misc
+    * GitHub Actions test matrix updated (hence the large drop in support for old Elixir versions)
+    * Addressed compiler warnings from Elixir v1.18.x
+    * Moved from `master` branch to `main`
+
 ## v0.13.0
   * Removed
     * Support for minimum Elixir versions 1.5 & 1.6 (**POTENTIALLY BREAKING** - only applies if you relied on Elixir 1.5 or 1.6, 1.7+ is still supported)
@@ -18,7 +54,7 @@
       * Compiler Warnings as Errors
       * Checks Formatting
     * Added helper `mix test.all` alias
-    
+
 ## v0.12.2
   * Bug fixes
     * Removed `:castore` and introduced `:verify_none` to quiet warning and unblock escript usage, see [#133](https://github.com/nccgroup/sobelow/issues/133) for more context on why this is necessary
@@ -55,19 +91,19 @@
 ## v0.11.1
   * Enhancements
     * Sarif output with `--out` flag
-    * `--strict` flag, which throws compilation errors instead of suppressing them.  
+    * `--strict` flag, which throws compilation errors instead of suppressing them.
 
 ## v0.11.0
   * Enhancements
     * Sarif output for GitHub integration
     * `--flycheck` flag, which reverses output of `--compact`
   * Bug fixes
-    * Non-compiling files now return an empty syntax tree instead of 
+    * Non-compiling files now return an empty syntax tree instead of
     causing Sobelow errors.
     * Command Injection finding description are properly formatted
   * Misc
-    * If you use Sobelow as a standalone utility (i.e. not as part of 
-    a Phoenix application), you now need to install as an escript with 
+    * If you use Sobelow as a standalone utility (i.e. not as part of
+    a Phoenix application), you now need to install as an escript with
     `mix escript.install hex sobelow`.
     * Custom JSON serialization replaced with Jason.
 
@@ -105,7 +141,7 @@
 ## v0.9.3
   * Enhancements
     * Improved checks for all aliased functions
-    
+
   * Bug Fixes
     * JSON output for Raw findings is now properly normalized
     * `send_download` correctly flags aliased function calls
@@ -124,7 +160,7 @@
     * Add `--mark-skip-all` and `--clear-skip` flags
     * New CSRF via action reuse checks
     * Sobelow can now be run in umbrella apps
-     
+
   * Bug Fixes
     * Fix an error when printing some kinds of variables
 
@@ -134,26 +170,26 @@
         * All JSON findings contain `type`, `file`, and `line` keys
         * "Line" output now refers directly to the vulnerable line
         * Default output headers have been normalized
-    
-    **Note:** If you depend on the structure of the output, this 
-    may be a breaking change. More information can be found at 
+
+    **Note:** If you depend on the structure of the output, this
+    may be a breaking change. More information can be found at
     [https://sobelow.io](https://sobelow.io).
 
 ## v0.7.8
   * Enhancements
     * Add `--threshold` flag
     * Add module names to finding output
-    
+
   * Deprecations
-    * File/Path check has been deprecated  
-   
+    * File/Path check has been deprecated
+
   * Bug Fixes
     * Fix inaccurate CSRF details
 
 ## v0.7.7
   * Enhancements
     * Add check for insecure websocket settings
-    
+
   * Bug Fixes
     * Accept module attributes for application name
 
@@ -231,7 +267,7 @@
 
   * Bug Fixes
     * Allow RCE module to be appropriately ignored.
-    
+
 ## v0.6.4
 
   * Enhancements
@@ -241,8 +277,8 @@
 
   * Enhancements
     * Add RCE module to check for code execution via `Code` and `EEx`.
-    
+
   * Deprecations
-    * The `--with-code` flag has been changed to `--verbose`. The `--with-code` 
-    flag will continue to work as expected until v1.0.0, but will print a 
+    * The `--with-code` flag has been changed to `--verbose`. The `--with-code`
+    flag will continue to work as expected until v1.0.0, but will print a
     warning message.

README.md

@@ -4,7 +4,7 @@
 [![Hex Docs](https://img.shields.io/badge/hex-docs-lightgreen.svg)](https://hexdocs.pm/sobelow/)
 [![Total Download](https://img.shields.io/hexpm/dt/sobelow.svg)](https://hex.pm/packages/sobelow)
 [![License](https://img.shields.io/hexpm/l/sobelow.svg)](https://hex.pm/packages/sobelow)
-[![Last Updated](https://img.shields.io/github/last-commit/nccgroup/sobelow.svg)](https://github.com/nccgroup/sobelow/commits/master)
+[![Last Updated](https://img.shields.io/github/last-commit/sobelow/sobelow.svg)](https://github.com/sobelow/sobelow/commits/main)
 
 Sobelow is a security-focused static analysis tool for Elixir & the
 Phoenix framework. For security researchers, it is a useful
@@ -58,7 +58,7 @@ To use Sobelow, you can add it to your application's dependencies.
 ```elixir
 def deps do
   [
-    {:sobelow, "~> 0.13", only: [:dev, :test], runtime: false}
+    {:sobelow, "~> 0.14", only: [:dev, :test], runtime: false, warn_if_outdated: true}
   ]
 end
 ```
@@ -68,10 +68,10 @@ from the command line:
 
     $ mix escript.install hex sobelow
 
-To install from the master branch, rather than the latest release,
+To install from the `main` branch, rather than the latest release,
 the following command can be used:
 
-    $ mix escript.install github nccgroup/sobelow
+    $ mix escript.install github sobelow/sobelow
 
 ### To Use
 
@@ -134,7 +134,7 @@ relative to the application root.
   line options. See [Configuration Files](#configuration-files) for more
   information.
 
-  * `--config` - Run Sobelow with configuration file. See [Configuration Files](#configuration-files)
+  * `--[no-]config` - Run Sobelow with or without configuration file. See [Configuration Files](#configuration-files)
   for more information.
 
   * `--mark-skip-all` - Mark all displayed findings as skippable.
@@ -170,10 +170,9 @@ when you first start out using this package - the generated configuration file
 will be populated with the default values for each option. (This helps in
 quickly incorporating this package into a pre-existing codebase.)
 
-Now if you want to run Sobelow with the saved configuration,
-you can run Sobelow with the `--config` flag.
-
-    $ mix sobelow --config
+The `.sobelow-conf` file is automatically used if detected. CLI switches will
+take precedence over options in the config file. You can also specify
+`--no-config` to prevent any config file settings being used if needed.
 
 ## False Positives
 Sobelow favors over-reporting versus under-reporting. As such,
@@ -213,7 +212,7 @@ This list, and other helpful information, can be found on the
 command line:
 
     $ mix help sobelow
-    
+
 ## Umbrella Apps
 
 In order to run Sobelow against all child apps within an umbrella app with a single command, you can add an alias for sobelow in your root `mix.exs` file:
@@ -226,7 +225,7 @@ defp aliases do
 end
 ```
 
-If you wish to use configuration files in an umbrella app, create a `.sobelow-conf` in each child application and use the `--config` flag.
+If you wish to use configuration files in an umbrella app, create a `.sobelow-conf` in each child application.
 
 ## Updates
 When scanning a project, Sobelow will occasionally check for