Summary: This document provides information about changes and new features introduced in this release.

New features

Default Activation of new Environment Profiles

A set of environment profiles (mainly for Logging Frameworks, introduced in JEE Analyzer 1.0.3) are now active by default in JEE Analyzer 1.0.4, so no manual configuration is required. These environment profiles provide the following improvements:

  • they reduce the number of links reported by the Dynamic Link Manager, i.e. they prevent (through parametrization) links from being created to database objects whose names happen to appear in an argument's string
  • they allow the creation (through parametrization) of the correct Use link between Java objects and database objects for Applications that use the Spring IoC framework simpleJdbcTemplate methods. Note that Applications can use both the JdbcTemplate and simpleJdbcTemplate classes.
  • they reduce the number of warning messages in the analysis log related to annotations (these annotations will be ignored; this has no impact on analysis results).

The table below lists the environment profiles that are now active by default "out of the box":

Environment Profile name | Content | Comment
JEE - Mokito | Mockito related annotations to be ignored | Like org.mockito.Mock, org.mockito.Spy and org.mockito.InjectMocks
JEE - Jackson 2.0 annotations to ignore | Jackson Fasterxml related annotations to be ignored | Like com.fasterxml.jackson.annotation.JsonView
JEE - Guava 18.0 annotations to ignore | Google common related annotations to be ignored | Like com.google.common.annotations.GwtCompatible
Log4j 2.x | Log4j related annotations to be ignored | Like org.apache.logging.log4j.core.config.Order
JEE - Logger JBOSS | Parametrization rules for JBOSS |
JEE - Logger Weblogic | Parametrization rules for Weblogic |
JEE - Logger SLF4J | Parametrization rules for SLF4J |
JEE - Logger java.util.logging | Parametrization rules for Logger java.util.logging |
JEE - Logger Monolog | Parametrization rules for Monolog |
JEE - Logger Mortbay | Parametrization rules for Mortbay |
JEE - Logger Avalon Escalibur | Parametrization rules for Logger Avalon Escalibur |
JEE - Logger Apache commons logging | Parametrization rules for Logger Apache commons logging |
JEE - Logger Krysalis | Parametrization rules for Logger Krysalis |
JEE - Logger ATG | Parametrization rules for Logger ATG |
JEE - Logger Spring | Parametrization rules for Logger Spring |
JEE - Logger Eclipse | Parametrization rules for Logger Eclipse |
JEE - Logger Plexus | Parametrization rules for Logger Plexus |
JEE - Logger Camel | Parametrization rules for Logger Camel |
JEE - Logger jnlp | Parametrization rules for Logger jnlp |
JEE - Logger xwork2 | Parametrization rules for Logger xwork2 |
JEE - XStream | XStream related annotations to be ignored | Like com.thoughtworks.xstream.annotations.XStreamAlias.value
JEE - TestNG | TestNG related annotations to be ignored | Like org.testng.annotations.AfterClass
Spring Framework 3.x add-on for simpleJDBC | Spring 3.x related additions; add-on annotations to be ignored | Like Spring test related org.springframework.test.annotation.DirtiesContext and Spring Data related org.springframework.data.jpa.repository.Modifying
JEE - PowerMock | PowerMock related annotations to be ignored | Like org.powermock.core.classloader.annotations.Mock
JEE - JSE org.w3c.dom | Parametrization rules for JSE org.w3c.dom |
JEE - Logger JBOSS Seam 2.2.2 | Parametrization rules for Logger JBOSS Seam 2.2.2 |
JEE - EasyMock | EasyMock related annotations to be ignored | Like org.easymock.Mock
JEE - Unit Test Unitils | Unitils related annotations to be ignored | Like org.unitils.dbunit.annotation.DataSet
JEE - jBehave | jBehave related annotations to be ignored | Like org.jbehave.core.annotations.When
JEE - JAX-WS | JAX-WS related annotations to be ignored | Like javax.xml.ws.soap.MTOM
JEE - MeltingPot | Some miscellaneous annotations to be ignored | Like edu.umd.cs.findbugs.annotations.SuppressFBWarnings

New Quality Rules

Two new Quality Rules have been added in this release to reinforce security checks:

Avoid using RSA Cryptographic algorithms without OAEP (Optimal Asymmetric Encryption Padding)

  • Parent Technical Criterion: Secure Coding - Weak Security Features 
  • Critical Contribution: Yes 
  • Quality Rule weight: 9

References:

  • CWE-326 - Inadequate Encryption Strength
  • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • OWASP: A3:2017-Sensitive Data Exposure

Avoid using weak encryption algorithm as DES and triple DES

  • Parent Technical Criterion: Secure Coding - Weak Security Features
  • Critical Contribution: Yes
  • Quality Rule weight: 9

References:

  • CWE-780 - Use of RSA Algorithm without OAEP
  • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • OWASP: A3:2017-Sensitive Data Exposure
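As an added illustration (not code from the CAST documentation or from the JEE Analyzer itself), the JCE transformations each of the two rules would report, placed beside compliant alternatives; the class and method names are hypothetical:

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.*;

public class CryptoRuleExamples {
    // Reported by the RSA rule: a bare "RSA" transformation leaves the padding
    // to the provider default (PKCS#1 v1.5 on the JDK), not OAEP.
    static Cipher rsaWithoutOaep() throws Exception {
        return Cipher.getInstance("RSA");
    }

    // Compliant: OAEP named in the transformation, SHA-256 for both hash and MGF1
    // (the explicit spec matters: the JDK otherwise keeps SHA-1 for MGF1).
    static byte[] rsaWithOaep(KeyPair kp, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic(), new OAEPParameterSpec(
                "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
        return c.doFinal(plaintext);
    }

    // Reported by the DES rule: "DES" (56-bit key) and "DESede" (triple DES,
    // 64-bit block) are both matched, whatever mode and padding follow.
    static Cipher weakBlockCipher(boolean triple) throws Exception {
        return Cipher.getInstance(triple ? "DESede/CBC/PKCS5Padding" : "DES/CBC/PKCS5Padding");
    }

    // Compliant replacement: AES-256 in GCM with a fresh 96-bit nonce per call,
    // returned as nonce || ciphertext || tag so the receiver can decrypt.
    static byte[] aesGcmEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        byte[] msg = "hello".getBytes("UTF-8");  // constructed sample input
        System.out.println(rsaWithOaep(kpg.generateKeyPair(), msg).length);
        System.out.println(aesGcmEncrypt(kg.generateKey(), msg).length);
    }
}
```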

Resolved issues in this release

The following issues have been fixed in this release of the JEE Analyzer extension:

Internal ID | Call ID | Summary
JFAMILY-485 | | JEE QR "Pages should use error handling page" should not be critical
JFAMILY-601 | | Documentation: Details about the Quality Rule "Avoid Artifacts with lines longer than X characters" needs to be updated
JFAMILY-616 | | Documentation: QR description metric "Avoid using native Methods (JNI)" to be reviewed
JFAMILY-621 | | TCCConfig - eFile free definition should be more accurate. Images should not be viewed as a starting point
JFAMILY-622 | | TCCConfig - run methods should not be viewed as a starting point if they are called by another run method
JFAMILY-652 | | TCC - Java.lang.process should be viewed as an endpoint
JFAMILY-653 | | TCC - main methods selection as starting point should be only the main not called or executed
JFAMILY-655 | | New environment profiles transferred from Analysis configuration SME kit should be better integrated
JFAMILY-658 | | We should ignore the annotation sun.reflect.CallerSensitive
JFAMILY-666 | | JAVA142: unable to find or to use archive: jce.jar.blackbox.xml
JFAMILY-713 | | analysis failing with error: The process Jeecmd.exe has stopped working exited with code -1073741819