...

A bug has been discovered in the User Input Security analysis which is causing false positive violations to be reported for Avoid file path manipulation vulnerabilities in .NET source code. The analyzer was programmed to record that the New System.IO.StreamReader for the entry-point opened a file, and it therefore declared a path manipulation, causing a violation of the rule. This bug has been fixed and after an upgrade to 8.3.26 and the generation of a consistency snapshot on unchanged source code, results may change: fewer violations of this rule, providing more accuracy.

...

User Input Security now detects violations for the rule Avoid use of a reversible one-way hash in .NET source code. Previously, only JEE source code was supported. Therefore, after an upgrade to 8.3.26 and the generation of a consistency snapshot on unchanged source code, results may change: additional violations of this rule, providing more accuracy.

Avoid using hard-coded HMAC keys - 8424

A bug has been discovered where the CAST Engineering Dashboard was reporting a Total Checks value less than the number of objects in violation (Total Checks should never be less than the number of objects in violation). This was caused by a bug in the rule algorithm where some items were missing from the rule scope. This bug has been fixed. Therefore, after an upgrade to 8.3.26 and the generation of a consistency snapshot on unchanged source code, results may change: Total Checks should be equal to or greater than the number of objects in violation.

Never truncate data in MOVE statements - 7688

A bug has been discovered which is causing false positive violations to be reported for Never truncate data in MOVE statements. This bug has been fixed and after an upgrade to 8.3.26 and the generation of a consistency snapshot on unchanged source code, results may change: fewer violations of this rule, providing more accuracy.

User Input Security - new rules

...