Release Notes - 2.0


  • 2.0.4-funcrel

    Improved accuracy of rule 1039044 “Avoid usage of BannedAPI when using ESAPI library”.
    Updated embedded libraries.
  • 2.0.3-funcrel

    Improved accuracy of rules 1039018 “Avoid using cryptography hash with predictable salt (JEE)” and 1039022 “Avoid using Insecure PBE Iteration Count”.
    Improved accuracy of rule 1039046 “Always use {@code} to wrap code statements or values such as null”.
  • 2.0.2-funcrel

    Removed error “KeyError: -1” with traceback. No functional changes. 📝 52170
    Upgraded internal library (java_string.1.2.31).
  • 2.0.1-funcrel

    Updated embedded libraries.
  • 2.0.0-funcrel

    No changes compared to 2.0.0-beta1. Latest beta version promoted to functional release.
  • 2.0.0-beta1

    NEW Avoid leaving temporary files in directory (JEE) 💎 1039108
    NEW Avoid disabling the automatic HTML escaping for Spring 💎 1039106
    NEW Avoid creation of temporary file with insecure permissions (JEE) 💎 1039104
    NEW Ensure SameSite option is enabled when creating session (JEE) 💎 1039102
    NEW Avoid creating cookie without setting SameSite option (JEE) 💎 1039100
    Repaired missing violation for rule “Avoid creating cookie with an overly broad path (JEE)” when calling jakarta.servlet.http.Cookie.setAttribute(…), jakarta.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), jakarta.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …). Added support for classes com.google.gwt.user.client.Cookies, jakarta.ws.rs.core.Cookie, jakarta.ws.rs.core.NewCookie, jakarta.servlet.SessionCookieConfig, java.net.HttpCookie, javax.ws.rs.core.Cookie.Cookie, javax.ws.rs.core.NewCookie.NewCookie, javax.servlet.SessionCookieConfig, org.apache.commons.httpclient.Cookie, org.apache.http.impl.cookie.BasicClientCookie. 💎 1039066
    Repaired missing violation for rule “Avoid having cookie with an overly broad domain (JEE)” when calling jakarta.servlet.http.Cookie.setAttribute(…), jakarta.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), jakarta.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …). Added support for classes com.google.gwt.user.client.Cookies, jakarta.ws.rs.core.Cookie, jakarta.ws.rs.core.NewCookie, jakarta.servlet.SessionCookieConfig, java.net.HttpCookie, javax.ws.rs.core.Cookie.Cookie, javax.ws.rs.core.NewCookie.NewCookie, javax.servlet.SessionCookieConfig, org.apache.commons.httpclient.Cookie, org.apache.http.impl.cookie.BasicClientCookie. 💎 1039064
    Removed false positives for rule “Avoid creating cookie without setting httpOnly option (JEE)” when calling jakarta.servlet.http.Cookie.setAttribute(…), jakarta.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), jakarta.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …). Added support for classes com.google.gwt.user.client.Cookies, jakarta.ws.rs.core.Cookie, jakarta.ws.rs.core.NewCookie, jakarta.servlet.SessionCookieConfig, java.net.HttpCookie, javax.ws.rs.core.Cookie.Cookie, javax.ws.rs.core.NewCookie.NewCookie, javax.servlet.SessionCookieConfig, org.apache.commons.httpclient.Cookie, org.apache.http.impl.cookie.BasicClientCookie. 💎 1039026
    Removed false positives for rule “Avoid using unsecured cookie (JEE)” when calling jakarta.servlet.http.Cookie.setAttribute(…), jakarta.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), jakarta.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.addHeader(“Set-Cookie”, …), javax.servlet.http.HttpServletResponse.setHeader(“Set-Cookie”, …). Added support for classes com.google.gwt.user.client.Cookies, jakarta.ws.rs.core.Cookie, jakarta.ws.rs.core.NewCookie, jakarta.servlet.SessionCookieConfig, java.net.HttpCookie, javax.ws.rs.core.Cookie.Cookie, javax.ws.rs.core.NewCookie.NewCookie, javax.servlet.SessionCookieConfig, org.apache.commons.httpclient.Cookie, org.apache.http.impl.cookie.BasicClientCookie. 💎 1039024
  • 2.0.0-alpha1

    Improved support for rule “Avoid using Cipher with no HMAC to ensure data integrity” 💎 1039014
    Support of jakarta.servlet package for rule “Avoid using referer header field in HTTP request” 💎 1039012
    Support of jakarta.servlet package for rule “Avoid thrown Exceptions in servlet methods” 💎 1039008
    Improved support for rule “Avoid using deprecated SSL protocols to secure connection” 💎 1039002
    Support of jakarta.servlet package for rule “Avoid Http Session without expiration” 💎 1039052
    Improved support for rule “Add @Override on methods overriding or implementing a method declared in a super type” 💎 1039050
    Improved support for rule “Avoid usage of BannedAPI when using ESAPI” 💎 1039044
    Improved support for rule “Avoid using DefaultHttpClient constructor” 💎 1039030
    Improved support for rule “Avoid weak encryption providing not sufficient key size (JEE)” 💎 1039028
    Support of jakarta.servlet package for rule “Avoid creating cookie without setting httpOnly option (JEE)” 💎 1039026
    Support of jakarta.servlet package for rule “Avoid using unsecured cookie (JEE)” 💎 1039024
    Improved support for rule “Avoid using javax.crypto.NullCipher” 💎 1039020
    Deprecation of rule “Avoid Unvalidated URL Redirect” 💎 1039016
    Improved support for rule “Avoid using Apache ActiveMQ 5.x before 5.13.0” 💎 1039074
    Improved support for rule “Avoid using jYAML to deserialize YAML (JEE)” 💎 1039072
    Improved support for rule “Avoid using URL.equals(Object obj) or URL.hashCode()” 💎 1039070
    Support of jakarta.servlet package for rule “Avoid using the Non-Serializable Object Stored in Session” 💎 1039068
    Support of jakarta.servlet package for rule “Avoid creating cookie with an overly broad path (JEE)” 💎 1039066
    Support of jakarta.servlet package for rule “Avoid having cookie with an overly broad domain (JEE)” 💎 1039064
    Deprecation of rule “Avoid generating key with insufficient random generator in cookies” 💎 1039058
    Improved support for rule “Avoid insecure use of YAML deserialization when using SnakeYaml (JEE)” 💎 1039056
    The execution time of version 2.0.x has been improved compared to version 1.5.x. Depending on the source code analysed, the extension com.castsoftware.jeerules can be executed up to 5 times faster.