Release Notes - 1.6
1.6.14-funcrel
Other Updates
| Details |
|---|
| This extension now generates bookmark information for the methods of the application. This information will be used by com.castsoftware.securityanalyzer in order to display complete violations paths |
| This extension now uses a different representation of raw types (example: HashMap outputObjectMap = new HashMap(4);). The previous representation was causing the com.castsoftware.securityanalyzer extension to crash. |
| This extension now generates an internal blackbox when it discovers an application that uses Spring MVC. |
1.6.13-funcrel
Other Updates
| Details |
|---|
| To improve performance, a change has been made to the extension: direct dependencies and recursive dependencies of projects will now ONLY be searched. As a consequence, the resolution of types may fail where missing dependencies exist. |
1.6.12-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 41218 | Fixes an issue where, in some rare conditions, when analyzing java applications that use JSTL (Java server page Standard Tag Library), the Security for Java extension would create incorrect CastIL files. When this occurred, the Security Analyzer analysis failed with the error "Exception while processing user input security- Protocol message was too large". |
1.6.11-funcrel
Other Updates
| Details |
|---|
| Implemented an update to ensure that the extension will use Java correctly in a Linux environment. |
| Fixes an issue where in some rare conditions (incomplete java projects with an inconsistent tree structure), SecurityForJava was crashing. |
1.6.10-funcrel
Other Updates
| Details |
|---|
| Fixes an issue: SecurityForJava reported an error "Body java.lang.ClassCastException: org.eclipse.jdt.core.dom.SimpleName cannot be cast to org.eclipse.jdt.core.dom.VariableDeclarationExpression" when parsing an expression of type "try with resources", with the resource previously instantiated (JEP 213). |
1.6.9-funcrel
Other Updates
| Details |
|---|
| In some rare cases, temporary java files (containing class and method signatures) are created from specific jar files. But these temporary java files may conflict with the predefined definition of the java framework. As a consequence, during an analysis the CASTIL generation was impacted and the Security Analyzer would crash. This issue is now resolved. |
| For methods containing generic arguments, the way in which the resulting CASTIL was generated was incorrect: for these types of methods, each call created one additional method. As a consequence, the Security For Java extension created orphan methods and some violation paths were therefore incorrect or missing. This issue is now resolved. |
1.6.8-funcrel
Other Updates
| Details |
|---|
| Fixed an issue causing performance issues when handling large JSP files. |
1.6.7-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 33539 | Fix a bug in SecurityForJava (an exception "java.lang.ClassCastException: com.castsoftware.castil.translation.sources.jdt.ScopeManager$LoopScope cannot be cast to com.castsoftware.castil.translation.sources.jdt.ScopeManager$LabeledScope") in some rare conditions (labeled break statements containing at least one loop). A consequence of this exception is an incomplete creation of CASTIL files, and so, some false negative violations. |
| 33908 | SecurityForJava now uses the latest version of Log4j (2.17.1) for security reasons. |
1.6.6-funcrel
Other Updates
| Details |
|---|
| Fix for issue where SecurityForJava failed to compute internal objects for some JSP files. As a consequence, some true violations were not visible in the dashboard. |
| SecurityForJava now uses the latest version of Log4j (2.16.0) to resolve CVE-2021-44228 and CVE-2021-45046. |
1.6.5-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 30346 | In some rare conditions, SecurityForJava was not able to remove/create an intermediate file and so the snapshot failed. Similar tickets: 31270 and 31334. |
| 25259 | SecurityForJava is now able to log the possible missing types to resolve errors such as "Status ERROR: org.eclipse.jdt.core code=4 Could not retrieve superclass ….". |
1.6.4-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 30128 | In some rare cases, when the delivery is incomplete, SecurityForJava may crash silently without logging the information and displaying the result. Using this new version, in this situation, the process is stopped and logs contain clear information. |
1.6.3-funcrel
New Support
| Summary | Details |
|---|---|
| Support of @ModelAttribute annotations, used in SpringMVC framework | SecurityForJava takes into account @ModelAttribute annotations, used in SpringMVC framework. This feature requires AIP Core 8.3.34 (minimum). |
1.6.2-funcrel
Other Updates
| Details |
|---|
| Renaming of an internal file name. This change will not impact any existing results and is in preparation for porting the extension to Linux environment. |
1.6.1-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 28943 | SecurityForJava supports Execution Units |
Other Updates
| Details |
|---|
| The Security for Java extension no longer requires the presence of the .NET Framework to function. This change will not impact any existing results and is in preparation for porting the extension to Linux environment. |
1.6.0-funcrel
Other Updates
| Details |
|---|
| If the version of com.castsoftware.jee is strictly greater than 1.2.15 (and not equal to 1.3.0), the GUID implementation now uses Short Names instead of Fully Qualified Names for Method Parameters |
| SecurityForJava now runs after com.castsoftware.jee. As a consequence, the available memory for SecurityForJava is more important |