It's a false positive.

In this situation, Brakeman knows Relationship is a model, and that select and where are query methods. So it assumes Relationship.select(...).where(...).to_sql is a record attribute (and potentially dangerous). It shouldn't, though, since to_sql just generates the SQL code for the query as you mentioned. I'll fix this.

The second version of course does not warn because you are interpolating a string literal.
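To make the distinction in the answer concrete, here is an added toy checker in plain Ruby. It is not Brakeman's code and not part of the original post: it pulls every #{...} interpolation out of a SQL string and classifies it the way the answer says the fixed Brakeman should, treating a string literal and a query that ends in .to_sql as generated SQL rather than data, while still flagging anything that reaches into params/request/cookies/session and anything that starts from a model name (Relationship here stands in for the model list Brakeman builds from the app). The model list, the user-input markers and the sample strings are constructed for the example.

```ruby
# Toy interpolation classifier (added example, hypothetical; not Brakeman's implementation).
# Models that Brakeman would know about come from scanning app/models; here we hard-code one.
MODELS = %w[Relationship].freeze
# Names that denote user-controlled input in a Rails controller.
USER_INPUT = /\b(params|request|cookies|session)\b/

# Classify one Ruby expression found inside #{...} in a SQL string.
#   :safe_literal          -> "a literal string"
#   :warn_user_input       -> params/request/... anywhere in the expression (even inside .to_sql)
#   :safe_generated_sql    -> a query chain ending in .to_sql; it yields SQL text, not a record value
#   :warn_record_attribute -> starts from a model, so it may be a column value read from the database
def classify_interpolation(expr)
  expr = expr.strip
  return :safe_literal if expr.match?(/\A(['"]).*\1\z/m)
  # Check for user input first: a .to_sql is only as safe as the predicates it was built from.
  return :warn_user_input if expr.match?(USER_INPUT)
  return :safe_generated_sql if expr.end_with?('.to_sql')
  head = expr.split('.').first
  return :warn_record_attribute if MODELS.include?(head)
  :unknown
end

# Extract every #{...} (allowing one level of nested braces, e.g. where(a: 1) or an inner #{...})
# from the source of a double-quoted SQL string and classify each one.
def scan_sql_string(src)
  src.scan(/\#\{((?:[^{}]|\{[^{}]*\})*)\}/).flatten.map { |e| [e.strip, classify_interpolation(e)] }
end

# Constructed samples corresponding to the cases discussed in the answer.
SAMPLES = {
  subquery:  'user_id IN (#{Relationship.select(:followed_id).where(follower_id: 1).to_sql})',
  literal:   'user_id IN (#{"SELECT followed_id FROM relationships"})',
  attribute: 'user_id = #{Relationship.first.followed_id}',
  tainted:   'user_id IN (#{Relationship.where("follower_id = #{params[:id]}").to_sql})'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, sql|
    scan_sql_string(sql).each { |expr, verdict| puts format('%-10s %-22s %s', name, verdict, expr) }
  end
end
```

The fourth sample is the caveat worth keeping in mind: a query chain that ends in .to_sql is safe to splice into an outer query only if the inner query itself was built with parameterized conditions; if user input was interpolated into the where clause, the generated SQL carries it along, so the checker reports user input before it ever looks at .to_sql.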