This documentation is not maintained. Please refer to doc.castsoftware.com/technologies to find the latest updates.


1.6.0-alpha7

Other Updates

Details
Removed redundant parent links from external objects.
Fixed objects being reported as added/deleted when an analysis unit is deleted and added again, even when the analyzed source has not changed. The internal GUID calculation has been modified for the following objects: AWS S3 buckets, AWS DynamoDB databases and AWS DynamoDB tables. During the update to a new version, the old GUIDs of those objects will be migrated to the new ones.

1.6.0-alpha6

Rules

Rule Id | New Rule | Details
1021124 | TRUE  | Avoid uncontrolled format string (Python)
1021118 | TRUE  | Avoid disabling CSRF Protection in fastapi_jwt_auth
1021120 | TRUE  | Avoid mixing trusted and untrusted data in HTTP requests (Python)
1021122 | TRUE  | Avoid cookie poisoning
1021088 | FALSE | Shorten name to "Avoid uncontrolled sleep calls (Python)"

1.6.0-alpha5

Rules

Rule Id | New Rule | Details
1021116 | TRUE | Avoid logging sensitive data (Python)
1021114 | TRUE | Ensure the Strict-Transport-Security header (HSTS) is set up for FastAPI (Python)
1021112 | TRUE | Avoid OS command injection (Python)

New Support

Summary | Details
Support type annotations (type hints) | Statements and function definitions containing type annotations are now correctly parsed.

1.6.0-alpha4

Other Updates

Details
Minor updates to the documentation of various quality rules: references, total counts, ...

Rules

Rule Id | New Rule | Details
1021108 | TRUE  | Avoid unsafe access to object attributes
1021106 | TRUE  | Avoid server-side request forgery (Python)
1021104 | TRUE  | Avoid file path manipulation (Python)
1021102 | TRUE  | Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python)
1021074 | FALSE | Corrected scope of the rule. Violations should now be visible in Python artifacts.
1021110 | TRUE  | Avoid using regular expression vulnerable to ReDoS (Python)
1021096 | FALSE | Removed web service requests as second order injection sources.
1021094 | FALSE | Removed web service requests as second order injection sources.

Performance Improvements

Summary
Corrected performance issues (too many evaluations) during quality rule analysis of return statements inside web service operation handler methods.

1.6.0-alpha3

Rules

Rule Id | New Rule | Details
1021100 | TRUE | Avoid URL redirection to untrusted site
1021098 | TRUE | Avoid HTTP header injection
1021096 | TRUE | Avoid second order LDAP injection
1021094 | TRUE | Avoid cross-site scripting (persistent)
1021092 | TRUE | Avoid reflected cross-site scripting
1021090 | TRUE | Avoid using insufficient random generator

1.6.0-alpha2

Resolved Issues

Customer Ticket Id | Details
42086 | Fixes the traceback error "TypeError: sequence item 4: expected str instance, NoneType found" with certain type hint annotations.

Other Updates

Details
Corrects the resolution of variables when overridden with different types.

Rules

Rule Id | New Rule | Details
1021082 | TRUE  | Avoid LDAP injection (Python).
1021084 | TRUE  | Avoid XPath injection (Python).
1021078 | FALSE | When the parameter is a constant, no violation is raised.
1021088 | TRUE  | Avoid uncontrolled sleep calls to prevent DoS attacks (Python).
1021044 | FALSE | Enhance rule on SQL injection with new expression evaluator.

New Support

Summary | Details
Support for special method __call__ | Method calls on instantiated objects are correctly resolved to their __call__ special method.

1.6.0-alpha1

Resolved Issues

Customer Ticket Id | Details
40975 | Fixes the error messages found during the analysis of the Nameko framework.

Other Updates

Details
Introduction of the new object Python Static Initializer for modeling class-body code. See https://doc.castsoftware.com/display/TECHNOS/Python+1.6#Python1.6-Pythonstaticinitializers.

Rules

Rule Id | New Rule | Details
1021078 | TRUE | Avoid deserialization injection (Python)
1021080 | TRUE | Avoid resource injection (Python)

New Support

Summary | Details
Support f-strings | Evaluation of f-strings is partially supported. Not supported if one of ('=', '[', '.', '-') appears in the string.
Support parenthesized context managers | Python 3.10 allows the use of parentheses in "with" statements: the extension now supports this.