This documentation is not maintained. Please refer to doc.castsoftware.com/technologies to find the latest updates.

1.5.6-funcrel

Resolved Issues

Customer Ticket Id | Details
44970 | Replace the vulnerable struts2-core-2.5.20.jar with struts2-core-2.5.33.jar.

1.5.5-funcrel

Other Updates

Details
- Improvements have been implemented to resolve a situation where a Struts operation was missed during the analysis.
- Fixed an issue causing "FileNotFoundError" exceptions in the log file.
- Fixed missing violations for "Avoid Duplicate Struts validation forms with the same name" (1042004).

Rules

Rule Id | New Rule | Details
1042004 | FALSE | Fixed missing violations for the rule "Avoid Duplicate Struts validation forms with the same name".

1.5.4-funcrel

Resolved Issues

Customer Ticket Id | Details
38055 | Fixed missing Struts Operation.

Other Updates

Details
- Upgraded internal API. Upgraded application level API to 1.6.13.

1.5.3-funcrel

Rules

Rule Id | New Rule | Details
1042030 | FALSE | The rule "Avoid using Default exclude patterns (excludeParams) for Struts 2.3.20 (and older)" has been set as critical.
1042036 | FALSE | The rule "Avoid Long request parameter names in Struts 2.0.0 - struts 2.3.4" has been set as critical.

1.5.2-funcrel

Resolved Issues

Customer Ticket Id | Details
32427 | Missing Struts operation objects in the analyzed application.
30184 | Internal issue during parsing.
33313 | Internal issue during parsing.

1.5.1-funcrel

Callee Type | Caller Type | Details
Struts Operation | Struts Operation | When a Struts operation called several Struts operations (through forward), only one link was created, to a randomly selected operation among all the called operations. This has now been fixed.

1.5.0-funcrel

Note

This release of the extension contains a number of rule related improvements, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.

Rules

Rule Id | New Rule | Details
1042010 | FALSE | Avoid using ParametersInterceptor with class parameter for Struts 2.3.16 (and older). Increased the Threshold.
1042012 | FALSE | Avoid Unused Validation Form in Struts 1.x. Increased the Threshold.
1042016 | FALSE | Avoid Struts action Mapping with disabled validator. Increased the Threshold.
1042022 | FALSE | Avoid using CookieInterceptor with Struts 2.3.16 (and Older). Increased the Threshold.
1042024 | FALSE | Avoid Unescaped User-controlled Input attribute in Struts 1.x and 2.x. Increased the Threshold.
1042050 | FALSE | Avoid using special top object in struts 2.0.0 - struts 2.3.24. Increased the Threshold.