Created by N Padmavathi on Sep 28, 2020
1.2.6-funcrel
Other Updates
| Details |
|---|
| A change has been made to reduce the number of log messages produced during the analysis. As a result, some less important log messages have been changed from "info" to "debug". |
1.2.5-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 41280 | Fixed a false violation for the rule (1040016): 'PermitAll or user role should be specified to access URL(s) of the application'. |
Other Updates
| Details |
|---|
| Fixed a missing violation for the rule (1040002): 'Avoid disabling CSRF Protection'. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1040048 | TRUE | Avoid unsafe object binding (Spring) |
1.2.4-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 39495 | Fixes an issue causing the rule "Avoid disabling CSRF Protection (Spring Security)" (1040002) to report no violations at all. |
| 40067 | Fixes an issue causing the rule "Avoid disabling CSRF Protection (Spring Security)" (1040002) to report no violations at all. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1040046 | TRUE | Avoid weak encryption algorithm (Spring) |
1.2.3-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 35537 | Fixes a false negative for the QR "Avoid disabling CSRF Protection (Spring Security)". |
| 36075 | Fixes an analyzer crash (lxml.etree.XMLSyntaxError) during parsing of XML files. |
| 39396 | Fixes false positive violations for the following rules: "PermitAll or user role should be specified to access URL(s) of the application", "Avoid disabling CSRF Protection (Spring Security)" and "HTTP user session must be invalidated during logout". |
Other Updates
| Details |
|---|
| Fixes an inconsistency between Analysis Unit configurations. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1040002 | FALSE | Fixed false negatives for the rule "Avoid disabling CSRF Protection (Spring Security)". |
| 1040016 | FALSE | Removed false positives for the rule "PermitAll or user role should be specified to access URL(s) of the application". |
| 1040002 | FALSE | Fixed false positives for the rule "Avoid disabling CSRF Protection (Spring Security)". |
| 1040012 | FALSE | Fixed false positives for the rule "HTTP user session must be invalidated during logout". |
1.2.2-funcrel
Other Updates
| Details |
|---|
| Fixed a JEE analyzer freeze when analyzing an application that uses Spring Security. |
| Fixed the error "Extension com.castsoftware.springsecurity has encountered an issue" reported during an analysis. |
1.2.1-funcrel
Note
Extension withdrawn.
1.2.0-funcrel
Note
This release of the extension contains a large number of rule related improvements, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.
Other Updates
| Details |
|---|
| Thresholds have been updated for critical rules. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1040010 | FALSE | Always delete the cookies during the logout. |
| 1040018 | FALSE | Ensure the X-Frame-Options header is setup (Spring). |
| 1040012 | FALSE | HTTP user session must be invalidated during logout. |
| 1040024 | FALSE | Spring Boot Shutdown Actuator Endpoint must be secured from unauthenticated access. |