Release Notes - 1.5
1.5.0-beta3
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 44850 | Fixes false negative for the rule 1039062: “Always implement readObject() to prevent untrusted deserialization when loading from ObjectInputStream”. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1039086 | TRUE | Avoid using DOMParser without restriction of XML External Entity Reference (XXE). |
| 1039088 | TRUE | Avoid using Validator without restriction of XML External Entity Reference (XXE) |
| 1039090 | TRUE | Avoid using java.beans.XMLDecoder (XXE) |
| 1039092 | TRUE | Avoid using JAXB Unmarshaller without a configurable secure parser (XXE) |
| 1039094 | TRUE | Avoid using XPathExpression without a configurable secure parser (XXE) |
| 1039032 | FALSE | Fixes false positive for the rule: “Avoid using DocumentBuilder without restriction of XML External Entity Reference (XXE)” when using setEntityResolver(). Bookmark was moved to the call to parse() method. |
| 1039034 | FALSE | Fixes false positive for the rule: “Avoid using DocumentBuilder without restriction of XML External Entity Reference (XXE)” when using setEntityResolver(). |
| 1039040 | FALSE | Fixes false negative for the rule “Avoid using DocumentBuilder without restriction of XML External Entity Reference (XXE)” when calling method createXMLEventReader(). |
1.5.0-beta2
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1039006 | FALSE | Fix false positive when seeding with SecureRandom.generateSeed() for “Avoid using predictable SecureRandom Seeds”. |
| 1039024 | FALSE | Update documentation for “Avoid using unsecured cookie (JEE)”. |
| 1039026 | FALSE | Update documentation for “Avoid creating cookie without setting httpOnly option (JEE)”. |
| 1039032 | FALSE | Check for flags other than XMLConstants.FEATURE_SECURE_PROCESSING for “Avoid using DocumentBuilder without restriction of XML External Entity Reference (XXE)”. |
| 1039034 | FALSE | Check for flags other than XMLConstants.FEATURE_SECURE_PROCESSING for “Avoid using SAXParserFactory without restriction of XML External Entity Reference (XXE)”. |
| 1039036 | FALSE | Raise violation when flag XMLConstants.FEATURE_SECURE_PROCESSING is used alone and check for other flags - for “Avoid using XMLReader without restriction of XML External Entity Reference (XXE)”. |
| 1039040 | FALSE | Rule nenamed “Avoid using XMLInputFactory without restriction of XML External Entity Reference (XXE)”. Raise violation when flag XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES is used alone and check for other flags. |
| 1039078 | TRUE | Avoid using SchemaFactory without restriction of XML External Entity Reference (XXE) |
| 1039080 | TRUE | Avoid using TransformerFactory without restriction of XML External Entity Reference (XXE) |
| 1039082 | TRUE | Avoid using SAXTransformerFactory without restriction of XML External Entity Reference (XXE) |
| 1039084 | TRUE | Avoid using SAXBuilder without restriction of XML External Entity Reference (XXE) |
1.5.0-beta1
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1039010 | FALSE | Improved the coverage of the rule: “Avoid using risky cryptographic hash (JEE)”. |
| 1039018 | FALSE | Improved the coverage of the rule: “Avoid using cryptography hash with hard-coded salt”. |
| 1039022 | FALSE | Added support for the class" javax.crypto.spec.PBEKeySpec" for the rule “Avoid using Insecure PBE Iteration Count”. |
| 1039068 | FALSE | Change scope and improve coverage for the rule “Avoid using the Non-Serializable Object Stored in Session” |
1.5.0-alpha1
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1039076 | TRUE | Added the following new rule: “Avoid using HttpURLConnection with HTTP protocol”. |
| 1039004 | FALSE | Improved the coverage of the rule: “Avoid using HttpServletRequest.getRequestedSessionId()”. |
| 1039006 | FALSE | Improved the coverage of the rule: “Avoid using predictable SecureRandom Seeds”. |
| 1039022 | FALSE | Improved the coverage of the rule: “Avoid using Insecure PBE Iteration Count”. |
| 1039052 | FALSE | Improved the coverage of the rule: “Avoid Http Session without expiration”. |