Created by James Hurrell, last modified on Feb 17, 2020
This documentation is not maintained. Please refer to doc.castsoftware.com/technologies to find the latest updates.


On this page:

1.0.1-funcrel

Updates

  • Critical bug fix : Scope was too narrow for the list of metric ids and the fix gives the definition of right scope.

1.0.0-funcrel

Updates

Three new rules have been added.

  • 1040034 "StrictHttpFirewall" should be set as HttpFirewall
  • 1040028 Never Enable Spring Boot Devtools in Production
  • 1040024 Ensure Spring Boot Shutdown Actuator Endpoint is disabled

Resolved issues

  • Correction in scope of Quality rules
  • Internal bug fixes

1.0.0-beta4

Resolved issues

Internal bug fixes.

Resolved issues

Internal bug fixes.

1.0.0-beta3

Updates

Newly added Spring Security rules, see https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.0.0-beta3

  • 1040030 Avoid Using Generic Authentication Exception Class
  • 1040032 Avoid Using ControllerAdvice And HandlerExceptionResolver Simultaneously

Resolved issues

Internal bug fixes.

1.0.0-beta2

Updates

Newly added Spring Security rules, see https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.0.0-beta2

  • 1040020 Ensure to enable Spring Boot Actuator Endpoint
  • 1040022 Ensure to enable Spring Boot Admin MBean
  • 1040026 Ensure To Specify Http Methods In RequestMapping

1.0.0-beta1

Updates

Internal bug fixes.

1.0.0-alpha4

Updates

Newly added Spring Security rules, see https://technologies.castsoftware.com/rules?sec=srs_springsecurity&ref=||1.0.0-beta1:

  • 1040014 CWE-439:Avoid using Spring Security's debug mode
  • 1040016 PermitAll or user role should be specified to access URL(s) of the application
  • 1040018 X-Frame-Option should be correctly set to avoid Clickjacking attack

1.0.0-alpha3

Updates

Improvements in Masterfiles for rules.

1.0.0-alpha1 and 1.0.0-alpha2

Updates

Implementation of a set of rules to check Spring Security aspects such as Authentication, CSRF protection and others. These rules are Compliant with CWE and OWASP T0P 10 Standards for security. Newly added Spring Security rules:

  • 1040002 Spring Security CSRF Protection must not be disabled
  • 1040004 Ensure that any application request uses basic HTTP authentication
  • 1040006 Ensure that Content-Security-Policy is set for Spring Application
  • 1040008 Ensure that form login is declared after requesting authorization and authentication
  • 1040010 Cookies must be deleted during the logout
  • 1040012 Ensure that HTTP Session has been Invalidating during logout