Release Notes - 2.0


2.0.4-funcrel

Fixes/Bugs

Customer Ticket Id Customer Details
Improved accuracy of rule 1039044 "Avoid usage of BannedAPI when using ESAPI library".

Enhancement/Improvements

Customer Ticket Id Customer Details
Updates embedded libraries.

2.0.3-funcrel

Fixes/Bugs

Customer Ticket Id Customer Details
Improved accuracy of rules 1039018 "Avoid using cryptography hash with predictable salt (JEE)" and 1039022 "Avoid using Insecure PBE Iteration Count".
Improved accuracy of rule 1039046 "Always use {@code} to wrap code statements or values such as null".

2.0.2-funcrel

Resolved Issues

Customer Ticket Id Details
52170 Removed error "KeyError: -1" with traceback. No functional changes.

Other Updates

Details
Upgraded internal library (java_string.1.2.31).

2.0.1-funcrel

Other Updates

Details
Updated embedded libraries.

2.0.0-funcrel

Note

No changes compared to 2.0.0-beta1. Latest beta version promoted to functional release.

2.0.0-beta1

Rules

Rule Id New Rule Details
1039108 TRUE Avoid leaving temporary files in directory (JEE)
1039106 TRUE Avoid disabling the automatic HTML escaping for Spring
1039104 TRUE Avoid creation of temporary file with insecure permissions (JEE)
1039102 TRUE Ensure SameSite option is enabled when creating session (JEE)
1039100 TRUE Avoid creating cookie without setting SameSite option (JEE)
1039066 FALSE Repaired missing violation for rule "Avoid creating cookie with an overly broad path (JEE)" when calling jakarta.servlet.http.Cookie.setAttribute(…), jakarta.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), jakarta.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …). Added support for classes com.google.gwt.user.client.Cookies, jakarta.ws.rs.core.Cookie, jakarta.ws.rs.core.NewCookie, jakarta.servlet.SessionCookieConfig, java.net.HttpCookie, javax.ws.rs.core.Cookie.Cookie, javax.ws.rs.core.NewCookie.NewCookie, javax.servlet.SessionCookieConfig, org.apache.commons.httpclient.Cookie, org.apache.http.impl.cookie.BasicClientCookie.
1039064 FALSE Repaired missing violation for rule "Avoid having cookie with an overly broad domain (JEE)" when calling jakarta.servlet.http.Cookie.setAttribute(…), jakarta.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), jakarta.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …). Added support for classes com.google.gwt.user.client.Cookies, jakarta.ws.rs.core.Cookie, jakarta.ws.rs.core.NewCookie, jakarta.servlet.SessionCookieConfig, java.net.HttpCookie, javax.ws.rs.core.Cookie.Cookie, javax.ws.rs.core.NewCookie.NewCookie, javax.servlet.SessionCookieConfig, org.apache.commons.httpclient.Cookie, org.apache.http.impl.cookie.BasicClientCookie.
1039026 FALSE Removed false positives for rule "Avoid creating cookie without setting httpOnly option (JEE)" when calling jakarta.servlet.http.Cookie.setAttribute(…), jakarta.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), jakarta.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …). Added support for classes com.google.gwt.user.client.Cookies, jakarta.ws.rs.core.Cookie, jakarta.ws.rs.core.NewCookie, jakarta.servlet.SessionCookieConfig, java.net.HttpCookie, javax.ws.rs.core.Cookie.Cookie, javax.ws.rs.core.NewCookie.NewCookie, javax.servlet.SessionCookieConfig, org.apache.commons.httpclient.Cookie, org.apache.http.impl.cookie.BasicClientCookie.
1039024 FALSE Removed false positives for rule "Avoid using unsecured cookie (JEE)" when calling jakarta.servlet.http.Cookie.setAttribute(…), jakarta.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), jakarta.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …). Added support for classes com.google.gwt.user.client.Cookies, jakarta.ws.rs.core.Cookie, jakarta.ws.rs.core.NewCookie, jakarta.servlet.SessionCookieConfig, java.net.HttpCookie, javax.ws.rs.core.Cookie.Cookie, javax.ws.rs.core.NewCookie.NewCookie, javax.servlet.SessionCookieConfig, org.apache.commons.httpclient.Cookie, org.apache.http.impl.cookie.BasicClientCookie.

2.0.0-alpha1

Rules

Rule Id New Rule Details
1039014 FALSE Improved support for rule "Avoid using Cipher with no HMAC to ensure data integrity"
1039012 FALSE Support of jakarta.servlet package for rule "Avoid using referer header field in HTTP request"
1039008 FALSE Support of jakarta.servlet package for rule "Avoid thrown Exceptions in servlet methods"
1039002 FALSE Improved support for rule "Avoid using deprecated SSL protocols to secure connection"
1039052 FALSE Support of jakarta.servlet package for rule "Avoid Http Session without expiration"
1039050 FALSE Improved support for rule "Add @Override on methods overriding or implementing a method declared in a super type"
1039044 FALSE Improved support for rule "Avoid usage of BannedAPI when using ESAPI"
1039030 FALSE Improved support for rule "Avoid using DefaultHttpClient constructor"
1039028 FALSE Improved support for rule "Avoid weak encryption providing not sufficient key size (JEE)"
1039026 FALSE Support of jakarta.servlet package for rule "Avoid creating cookie without setting httpOnly option (JEE)"
1039024 FALSE Support of jakarta.servlet package for rule "Avoid using unsecured cookie (JEE)"
1039020 FALSE Improved support for rule "Avoid using javax.crypto.NullCipher"
1039016 FALSE Deprecation of rule "Avoid Unvalidated URL Redirect"
1039074 FALSE Improved support for rule "Avoid using Apache ActiveMQ 5.x before 5.13.0"
1039072 FALSE Improved support for rule "Avoid using jYAML to deserialize YAML (JEE)"
1039070 FALSE Improved support for rule "Avoid using URL.equals(Object obj) or URL.hashCode()"
1039068 FALSE Support of jakarta.servlet package for rule "Avoid using the Non-Serializable Object Stored in Session"
1039066 FALSE Support of jakarta.servlet package for rule "Avoid creating cookie with an overly broad path (JEE)"
1039064 FALSE Support of jakarta.servlet package for rule "Avoid having cookie with an overly broad domain (JEE)"
1039058 FALSE Deprecation of rule "Avoid generating key with insufficient random generator in cookies"
1039056 FALSE Improved support for rule "Avoid insecure use of YAML deserialization when using SnakeYaml (JEE)"

Performance

Summary
The execution time of version 2.0.x has been improved compared to version 1.5.x. Depending on the source code analysed, the extension com.castsoftware.jeerules can be executed up to 5 times faster.