Summary:
- Impacts of changes made to AIP Core 8.3.35 on Quality Model results post upgrade
Other impacts of changes made in AIP Core 8.3.35
All changes in results related to extensions are listed in the extension documentation and will not appear in this page.
SAP/ABAP
Avoid unsorted data after SELECT queries - 8134
A bug in the ABAP analyzer has been found to cause false violations when the syntax "sort" uses "[]": e.g. "sort X[] by Y". This bug has now been fixed. This change may impact existing results: you may find that the number of violations decreases.
SAP/ABAP discoverer update
A change has been made to the SAP discoverer. Previously, the discoverer would create only one single project (and therefore Analysis Unit) regardless of the number of SAP extractions provided in the source code delivery (it was assumed that only one extraction would be delivered). This behaviour has now been changed and multiple SAP extractions delivered in one go will result in one project (and therefore Analysis Unit) for each extraction. See also SAP ABAP Discoverer. This change may impact existing results.
Syntax updates
Some changes have been made to the ABAP Analyzer to remove unsupported syntax warnings in the analysis log. This change may impact existing results.
User Input Security
Support for org.owasp.esapi framework
The User Input Security feature now supports the JEE framework org.owasp.esapi. All "getValidate*" methods are now automatically taken into account as sanitization methods for all quality rules. This change may impact existing results.
New rules to support the detection of XQuery Injections
Three new rules have been implemented for JEE and .NET technologies to support the detection of XQuery Injections: 1) "Avoid XQuery injection" (8530), 2) "Avoid second order XQuery injection" (8532), 3) "Avoid XQuery injection through API requests" (8534). This change may impact existing results.
Improved support for .NET UI controls for XSS violations
Improved support for .NET UI controls as targets for XSS violations has been implemented, for example "set_Text" and "set_ImageUrl" methods of control objects. This change may impact existing results.