Created by Shared Doc User, last modified by N Padmavathi on Sep 25, 2020
2.4.2-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 26040 | Extension com.castsoftware.nodejs has encountered an issue: RuntimeError: invalid type name: 'CAST_NodeJS_AWS_Lambda_ANY' |
2.4.1-funcrel
Other Updates
| Details |
|---|
| Fixed a false positive in the Quality Rule "Avoid calls to web services in loops". |
| Rules targeting the Express framework have been updated to correct the scope of objects that they cover. This update will result in a change in the Compliance value recorded in the Engineering Dashboard when a new snapshot is generated on unchanged source code: rules that previously reported 0% Compliance will now show a higher Compliance value. |
2.4.0-funcrel
Note
This release of the extension contains a large number of rule related improvements, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1020706 | FALSE | Ensure the Content-Security-Policy is activated (Node.js) |
| 1020710 | FALSE | Ensure the X-XSS-Protection header is enabled |
| 1020712 | FALSE | Ensure the X-Frame-Options header is setup (Node.js) |
| 1020720 | FALSE | Avoid unsecure connection to the Node.js server |
| 1020722 | FALSE | Avoid enabling unsecure Node.js server |
| 1020726 | FALSE | Ensure that CSRF Protection is enabled (Node.js) |
| 1020728 | FALSE | Avoid creating cookie without setting httpOnly option (Node.js) |
| 1020734 | FALSE | Avoid using unsecured cookie (Node.js) |
| 1020736 | FALSE | Avoid bypassing self-signed ssl certificate (Node.js) |
| 1020740 | FALSE | Avoid creating cookie with overly broad path (Node.js) |
| 1020732 | FALSE | Avoid using risky cryptographic hash (Node.js) |
| 1020742 | FALSE | Avoid creating cookie with overly broad domain (Node.js) |
| 1020744 | FALSE | Avoid using TLS library before Node.js 9.11.2 and 10.4.1 |
| 1020746 | FALSE | Avoid using HTTP/2 library with vulnerable versions |
| 1020750 | FALSE | Avoid using the file path validation with Node.js 8.5.0 |
| 1020758 | FALSE | Avoid using Buffer.fill() and/or Buffer.alloc() with vulnerable versions |
| 1020760 | FALSE | Avoid using Buffer library and UCS-2 encoding with vulnerable versions |
| 1020762 | FALSE | Avoid using url.parse() with vulnerable versions |
| 1020764 | FALSE | Avoid using path library parsing functions with vulnerable versions |
| 1020766 | FALSE | Avoid using Node.js ps library with vulnerable versions |
| 1020768 | FALSE | Avoid using net.Socket object as stream with vulnerable version of Node.js |
| 1020770 | FALSE | Avoid using Node.js query-mysql third-party before 0.0.3 |
| 1020704 | FALSE | Avoid using string concatenation when using __dirname and __filename |