Created by N Padmavathi on Sep 29, 2020
1.4.4-funcrel
Other Updates
| Details |
| --- |
| Fixes an issue wherein analysis of files containing a Java try-catch was incomplete. |
Rules
| Rule Id | New Rule | Details |
| --- | --- | --- |
| 1039024 | FALSE | Multiple web files and instances of Cookie in a method are handled for the rule: "Avoid using unsecured cookie (JEE)". |
| 1039026 | FALSE | Multiple web files and instances of Cookie in a method are handled for the rule: "Avoid creating cookie without setting httpOnly option (JEE)". |
| 1039032 | FALSE | Improved the coverage of the rule: "Avoid using DocumentBuilder without restriction of XML External Entity Reference (XXE)". |
| 1039034 | FALSE | Improved the coverage of the rule: "Avoid using SAXParserFactory without restriction of XML External Entity Reference (XXE)". |
| 1039036 | FALSE | Improved the coverage of the rule: "Avoid using XMLReader without restriction of XML External Entity Reference (XXE)". |
| 1039038 | FALSE | Improved the coverage of the rule: "Avoid using XPathFactory without restriction of XML External Entity Reference (XXE)". |
| 1039040 | FALSE | Improved the coverage of the rule: "Avoid using XMLStreamReader without restriction of XML External Entity Reference (XXE)". |
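As an added illustration that is not part of these release notes or of the extension's own code, the hardened configuration for each of the five parser types named by rules 1039032 to 1039040; the pattern those rules flag is the bare factory with no features set. Class and method names are chosen here, and the feature URIs are the standard SAX/Xerces ones honoured by the JDK parser.

```java
import java.io.InputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.XMLReader;

// Hypothetical class name; one hardened factory per parser type the rules cover.
public final class XxeHardening {

    // DocumentBuilder (1039032). The flagged form is DocumentBuilderFactory.newInstance()
    // used as-is, so a DOCTYPE in untrusted input can declare external entities.
    // Refuse DOCTYPE outright, then disable entities, external DTDs, XInclude and
    // expansion as defence in depth for parsers that ignore the first feature.
    static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // SAXParserFactory (1039034) and the XMLReader it produces (1039036): the
    // features set on the factory are inherited by the reader it creates.
    static XMLReader hardenedXmlReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newSAXParser().getXMLReader();
    }

    // XPathFactory (1039038): parse with the hardened builder first instead of
    // handing an InputSource for untrusted XML straight to XPath.evaluate().
    static String evaluateXPath(String expr, InputStream untrustedXml) throws Exception {
        Document doc = hardenedDomFactory().newDocumentBuilder().parse(untrustedXml);
        return XPathFactory.newInstance().newXPath().evaluate(expr, doc);
    }

    // XMLStreamReader (1039040): with DTD support off the StAX parser never sees
    // entity declarations, and external entities are disabled as well.
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }
}
```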
1.4.3-funcrel
Other Updates
| Details |
| --- |
| Fixes issues related to missing bookmarks in Java Web XML objects. |
| Added support for various signatures (when SSLContext.getInstance() is called with several parameters) to the rule (1039002): "Avoid using deprecated SSL protocols to secure connection". |
| Added icons for Java Web XML objects. |
1.4.2-funcrel
Other Updates
| Details |
| --- |
| Analysis is blocked while analyzing JEE source code. |
1.4.1-funcrel
Other Updates
| Details |
| --- |
| Wording changed from "hardcoded" to "hard-coded" (a wording issue only). |
1.4.0-funcrel
Note
This release of the extension contains a large number of rule-related improvements, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.
Other Updates
| Details |
| --- |
| Thresholds have been updated for critical rules. |
Rules
| Rule Id | New Rule | Details |
| --- | --- | --- |
| 1039066 | FALSE | Avoid creating cookie with overly broad path (JEE) |
| 1039064 | FALSE | Avoid having cookie with an overly broad domain (JEE) |
| 1039008 | FALSE | Avoid thrown Exceptions in servlet methods |
| 1039016 | FALSE | Avoid Unvalidated URL Redirect |
| 1039014 | FALSE | Avoid using Cipher with no HMAC to ensure data integrity |
| 1039018 | FALSE | Avoid using cryptography hash with hardcoded salt |
| 1039030 | FALSE | Avoid using DefaultHttpClient constructor |
| 1039004 | FALSE | Avoid using HttpServletRequest.getRequestedSessionId() |
| 1039022 | FALSE | Avoid using Insecure PBE Iteration Count |
| 1039020 | FALSE | Avoid using javax.crypto.NullCipher |
| 1039006 | FALSE | Avoid using predictable SecureRandom Seeds |
| 1039012 | FALSE | Avoid using referer header field in HTTP request |
| 1039010 | FALSE | Avoid using risky cryptographic hash (JEE) |
| 1039024 | FALSE | Avoid using unsecured cookie (JEE) |
| 1039028 | FALSE | Avoid weak encryption providing not sufficient key size (JEE) |
| 1039040 | FALSE | Avoid using XMLStreamReader without restriction of XML External Entity Reference (XXE) |