This documentation is not maintained. Please refer to doc.castsoftware.com/technologies to find the latest updates.

Summary: This document provides information about changes and new features introduced in this release.

1.6.13-funcrel

Other Updates

Details
To improve performance, a change has been made to the extension: only the direct dependencies and recursive dependencies of projects will now be searched. As a consequence, the resolution of types may fail where missing dependencies exist.

1.6.12-funcrel

Resolved Issues

Customer Ticket Id | Details
41218 | Fixes an issue where, in some rare conditions, when analyzing Java applications that use JSTL (JavaServer Pages Standard Tag Library), the Security for Java extension would create incorrect CastIL files. When this occurred, the Security Analyzer analysis failed with the error "Exception while processing user input security- Protocol message was too large".

1.6.11-funcrel

Other Updates

Details
Implemented an update to ensure that the extension will use Java correctly in a Linux environment.
Fixes an issue where, in some rare conditions (incomplete Java projects with an inconsistent tree structure), SecurityForJava crashed.

1.6.10-funcrel

Other Updates

Details
Fixes an issue: SecurityForJava reported an error "Body java.lang.ClassCastException: org.eclipse.jdt.core.dom.SimpleName cannot be cast to org.eclipse.jdt.core.dom.VariableDeclarationExpression" when parsing an expression of type "try with resources", with the resource previously instantiated (JEP 213).

1.6.9-funcrel

Other Updates

Details
In some rare cases, temporary Java files (containing class and method signatures) are created from specific jar files, and these temporary files may conflict with the predefined definition of the Java framework. As a consequence, the CASTIL generation was impacted during an analysis and the Security Analyzer would crash. This issue is now resolved.
For methods containing generic arguments, the way in which the resulting CASTIL was generated was incorrect: for these types of methods, each call created one additional method. As a consequence, the Security For Java extension created orphan methods and some violation paths were therefore incorrect or missing. This issue is now resolved.

1.6.8-funcrel

Other Updates

Details
Fixed an issue that degraded performance when handling large JSP files.

1.6.7-funcrel

Resolved Issues

Customer Ticket Id | Details
33539 | Fix a bug in SecurityForJava (an exception "java.lang.ClassCastException: com.castsoftware.castil.translation.sources.jdt.ScopeManager$LoopScope cannot be cast to com.castsoftware.castil.translation.sources.jdt.ScopeManager$LabeledScope") in some rare conditions (labeled break statements containing at least one loop). A consequence of this exception is an incomplete creation of CASTIL files, and so, some false negative violations.
33908 | SecurityForJava now uses the latest version of Log4j (2.17.1) for security reasons.

1.6.6-funcrel

Other Updates

Details
Fix for an issue where SecurityForJava failed to compute internal objects for some JSP files. As a consequence, some true violations were not visible in the dashboard.
SecurityForJava now uses the latest version of Log4j (2.16.0) to resolve CVE-2021-44228 and CVE-2021-45046.

1.6.5-funcrel

Resolved Issues

Customer Ticket Id | Details
30346 | In some rare conditions, SecurityForJava was not able to remove/create an intermediate file and so the snapshot failed. Similar tickets: 31270 and 31334.
25259 | SecurityForJava is now able to log the possible missing types to resolve errors such as "Status ERROR: org.eclipse.jdt.core code=4 Could not retrieve superclass ....".

1.6.4-funcrel

Resolved Issues

Customer Ticket Id | Details
30128 | In some rare cases, when the delivery is incomplete, SecurityForJava may crash silently without logging the information or displaying the result. With this new version, the process is stopped in this situation and the logs contain clear information.

1.6.3-funcrel

New Support

Summary | Details
Support of @ModelAttribute annotations, used in SpringMVC framework | SecurityForJava takes into account @ModelAttribute annotations, used in SpringMVC framework. This feature requires AIP Core 8.3.34 (minimum).

1.6.2-funcrel

Other Updates

Details
Renaming of an internal file name. This change will not impact any existing results and is in preparation for porting the extension to a Linux environment.

1.6.1-funcrel

Resolved Issues

Customer Ticket Id | Details
28943 | SecurityForJava supports Execution Units.

Other Updates

Details
The Security for Java extension no longer requires the presence of the .NET Framework to function. This change will not impact any existing results and is in preparation for porting the extension to a Linux environment.

1.6.0-funcrel

Other Updates

Details
If the version of com.castsoftware.jee is strictly greater than 1.2.15 (and not equal to 1.3.0), the GUID implementation now uses Short Names instead of Fully Qualified Names for Method Parameters.
SecurityForJava now runs after com.castsoftware.jee. As a consequence, more memory is available to SecurityForJava.