This documentation is not maintained. Please refer to doc.castsoftware.com/technologies to find the latest updates.

1.5.0-beta3

Resolved Issues

Customer Ticket Id | Details
44850 | Fixes a false negative in rule 1039062, "Always implement readObject() to prevent untrusted deserialization when loading from ObjectInputStream".
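
Rule 1039062 targets Serializable classes that let ObjectInputStream populate their fields without re-checking the invariants the constructor enforces. The following is an added example written for this page, not CAST's code: a constructed TransferRequest class whose readObject() re-validates after defaultReadObject(), an ObjectInputFilter allowlist (Java 9+) so only that class can be resolved, and a helper that simulates an attacker editing the serialized bytes so that the forged value is caught. The class and field names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.ByteBuffer;
import java.util.Arrays;

public class ReadObjectExample {

    // Constructed value object, not from the page. The constructor enforces
    // invariants that plain deserialization would otherwise skip.
    static final class TransferRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String account;
        private final long amountCents;

        TransferRequest(String account, long amountCents) {
            this.account = account;
            this.amountCents = amountCents;
            validate();
        }

        long amountCents() { return amountCents; }

        // Without this method ObjectInputStream writes the fields directly and the
        // constructor never runs; readObject() re-establishes the invariants.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            try {
                validate();
            } catch (IllegalArgumentException e) {
                throw new InvalidObjectException("rejected: " + e.getMessage());
            }
        }

        private void validate() {
            if (account == null || !account.matches("[A-Z0-9]{8,16}")) {
                throw new IllegalArgumentException("bad account id");
            }
            if (amountCents <= 0 || amountCents > 100_000_000L) {
                throw new IllegalArgumentException("amount out of range: " + amountCents);
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static TransferRequest deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Java 9+ allowlist: only the expected class (and String) may be resolved,
            // so gadget classes are refused before any of their code runs.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "ReadObjectExample$TransferRequest;java.lang.String;!*"));
            return (TransferRequest) in.readObject();
        }
    }

    // Simulates an attacker editing the stream: overwrite the 8-byte big-endian
    // amount with a value the constructor would have refused.
    static byte[] tamperAmount(byte[] stream, long original, long forged) {
        byte[] needle = ByteBuffer.allocate(8).putLong(original).array();
        byte[] patch = ByteBuffer.allocate(8).putLong(forged).array();
        byte[] out = stream.clone();
        for (int i = 0; i + 8 <= out.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(out, i, i + 8), needle)) {
                System.arraycopy(patch, 0, out, i, 8);
                return out;
            }
        }
        throw new IllegalStateException("amount field not found in stream");
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new TransferRequest("ACCT00000001", 500L));
        System.out.println("valid stream  -> amount " + deserialize(good).amountCents());

        byte[] forged = tamperAmount(good, 500L, -1L);
        try {
            deserialize(forged);
        } catch (InvalidObjectException e) {
            System.out.println("forged stream -> " + e.getMessage());
        }
    }
}
```

The filter and the readObject() check address different threats: the allowlist stops unexpected classes from being instantiated at all, while readObject() stops a stream of the expected class from carrying field values that the constructor would never have accepted. Both are needed when the stream comes from an untrusted source.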

Rules

Rule Id | New Rule | Details
1039086 | TRUE | Avoid using DOMParser without restriction of XML External Entity Reference (XXE)
1039088 | TRUE | Avoid using Validator without restriction of XML External Entity Reference (XXE)
1039090 | TRUE | Avoid using java.beans.XMLDecoder (XXE)
1039092 | TRUE | Avoid using JAXB Unmarshaller without a configurable secure parser (XXE)
1039094 | TRUE | Avoid using XPathExpression without a configurable secure parser (XXE)
1039032 | FALSE | Fixes a false positive in "Avoid using DocumentBuilder without restriction of XML External Entity Reference (XXE)" when setEntityResolver() is used. The bookmark was moved to the call to the parse() method.
1039034 | FALSE | Fixes a false positive in "Avoid using SAXParserFactory without restriction of XML External Entity Reference (XXE)" when setEntityResolver() is used.
1039040 | FALSE | Fixes a false negative in "Avoid using XMLInputFactory without restriction of XML External Entity Reference (XXE)" when createXMLEventReader() is called.

1.5.0-beta2

Rules

Rule Id | New Rule | Details
1039006 | FALSE | Fixes a false positive in "Avoid using predictable SecureRandom Seeds" when the seed comes from SecureRandom.generateSeed().
1039024 | FALSE | Updated documentation for "Avoid using unsecured cookie (JEE)".
1039026 | FALSE | Updated documentation for "Avoid creating cookie without setting httpOnly option (JEE)".
1039032 | FALSE | Checks for flags other than XMLConstants.FEATURE_SECURE_PROCESSING in "Avoid using DocumentBuilder without restriction of XML External Entity Reference (XXE)".
1039034 | FALSE | Checks for flags other than XMLConstants.FEATURE_SECURE_PROCESSING in "Avoid using SAXParserFactory without restriction of XML External Entity Reference (XXE)".
1039036 | FALSE | Raises a violation when XMLConstants.FEATURE_SECURE_PROCESSING is the only flag set, and checks for other flags, in "Avoid using XMLReader without restriction of XML External Entity Reference (XXE)".
1039040 | FALSE | Rule renamed "Avoid using XMLInputFactory without restriction of XML External Entity Reference (XXE)". Raises a violation when XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES is the only flag set, and checks for other flags.
1039078 | TRUE | Avoid using SchemaFactory without restriction of XML External Entity Reference (XXE)
1039080 | TRUE | Avoid using TransformerFactory without restriction of XML External Entity Reference (XXE)
1039082 | TRUE | Avoid using SAXTransformerFactory without restriction of XML External Entity Reference (XXE)
1039084 | TRUE | Avoid using SAXBuilder without restriction of XML External Entity Reference (XXE)
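
The XXE rules in this release and in 1.5.0-beta3 all turn on the same point: XMLConstants.FEATURE_SECURE_PROCESSING on its own, or XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES on its own, is not treated as an XXE control, and each factory needs its own set of flags. The following is an added example written for this page, not CAST's code. It builds a constructed XXE payload that points an external entity at a temporary file, shows that a stock DocumentBuilderFactory on the JDK's built-in parser returns the file contents, and shows the DocumentBuilderFactory, SAXParserFactory, XMLInputFactory, TransformerFactory and SchemaFactory settings that close the hole. The payload, element names and temp-file contents are assumptions.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningExample {

    // Constructed payload, not from the page: the DOCTYPE declares an external
    // entity whose SYSTEM id is a local file, and the body references it.
    static String payload(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"" + secretFile.toUri() + "\">]>\n"
             + "<order><note>&ext;</note></order>";
    }

    // What the rules flag: a stock factory, or one where FEATURE_SECURE_PROCESSING
    // is the only flag set. The latter restricts external access on the JDK's own
    // Xerces but is not an XXE control on a bundled Xerces or another provider,
    // so the hardened variant below does not rely on it alone.
    static DocumentBuilder unhardened() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    static DocumentBuilder hardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE: no DTD means no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPEs are ever re-enabled.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // SAXParserFactory (and XMLReader.setFeature) take the same feature URIs.
    static SAXParserFactory hardenedSax() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f;
    }

    // StAX: IS_SUPPORTING_EXTERNAL_ENTITIES=false alone still parses the DTD,
    // which is why the rule flags it on its own; SUPPORT_DTD=false closes that.
    static XMLInputFactory hardenedStax() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Transformer and Schema factories fetch external resources of their own;
    // the JAXP access properties take "" to mean "no protocol permitted".
    static TransformerFactory hardenedTransformer() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    static SchemaFactory hardenedSchema() throws Exception {
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    static String noteText(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("note").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "s3cr3t".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);

        System.out.println("unhardened -> " + noteText(unhardened(), xml));
        try {
            noteText(hardened(), xml);
        } catch (SAXParseException e) {
            System.out.println("hardened   -> rejected: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

The beta3 entries for 1039032 and 1039034 note that a custom setEntityResolver() is accepted as a mitigation; that works only if the resolver refuses every external identifier rather than delegating to the default behaviour, and disallow-doctype-decl remains the simpler control wherever DTDs are not needed.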

1.5.0-beta1

Rules

Rule Id | New Rule | Details
1039010 | FALSE | Improved the coverage of "Avoid using risky cryptographic hash (JEE)".
1039018 | FALSE | Improved the coverage of "Avoid using cryptography hash with hard-coded salt".
1039022 | FALSE | Added support for the class javax.crypto.spec.PBEKeySpec in "Avoid using Insecure PBE Iteration Count".
1039068 | FALSE | Changed the scope and improved the coverage of "Avoid using the Non-Serializable Object Stored in Session".
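
Rules 1039010, 1039018 and 1039022 cover the three parts of one password-hashing mistake: a fast unsalted digest, a salt that is the same for every user, and a PBE iteration count that is too low. The following is an added example written for this page, not CAST's code, showing the combination those rules want: PBKDF2-HMAC-SHA256 through PBEKeySpec with a per-password salt from SecureRandom, a high iteration count, and a constant-time verify. The iteration count of 600,000 is an assumption taken from the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256; the threshold the rule itself applies is not stated on this page.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordKdfExample {

    // Assumed parameters, not from the page (see lead-in for the 600,000 figure).
    static final int ITERATIONS = 600_000;
    static final int SALT_BYTES = 16;
    static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Patterns the three rules flag, kept as comments so they are never executed:
    //   MessageDigest.getInstance("MD5").digest(pw)     risky hash, no salt, no stretching
    //   byte[] salt = "app-salt-2019".getBytes()         hard-coded salt shared by every user
    //   new PBEKeySpec(pw, salt, 1000, KEY_BITS)          iteration count far too low

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);   // fresh per password, never a constant
        return salt;
    }

    static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // zero the copy PBEKeySpec holds
        }
    }

    // Stored as iterations$salt$hash so the count can be raised later without a migration.
    static String hash(char[] password) throws Exception {
        byte[] salt = newSalt();
        return ITERATIONS + "$" + b64(salt) + "$" + b64(derive(password, salt, ITERATIONS));
    }

    static boolean verify(char[] password, String stored) throws Exception {
        String[] p = stored.split("\\$");
        byte[] salt = Base64.getDecoder().decode(p[1]);
        byte[] expected = Base64.getDecoder().decode(p[2]);
        byte[] actual = derive(password, salt, Integer.parseInt(p[0]));
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    private static String b64(byte[] b) {
        return Base64.getEncoder().encodeToString(b);
    }

    public static void main(String[] args) throws Exception {
        String stored = hash("correct horse battery staple".toCharArray());
        System.out.println(stored);
        System.out.println("right password: " + verify("correct horse battery staple".toCharArray(), stored));
        System.out.println("wrong password: " + verify("Tr0ub4dor&3".toCharArray(), stored));
    }
}
```

Storing the iteration count alongside the hash is what lets the count be raised as hardware gets faster: old records still verify with their recorded count and can be re-hashed on the next successful login.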

1.5.0-alpha1

Rules

Rule Id | New Rule | Details
1039076 | TRUE | Added the new rule "Avoid using HttpURLConnection with HTTP protocol".
1039004 | FALSE | Improved the coverage of "Avoid using HttpServletRequest.getRequestedSessionId()".
1039006 | FALSE | Improved the coverage of "Avoid using predictable SecureRandom Seeds".
1039022 | FALSE | Improved the coverage of "Avoid using Insecure PBE Iteration Count".
1039052 | FALSE | Improved the coverage of "Avoid Http Session without expiration".