Release Notes - 1.2

Improves accuracy of 💎 1040048 - Avoid unsafe object binding (Spring)

📝 53507

Fixes an issue causing a crash in the analyzer.

📝 53574

Improve accuracy of rule 1040016 “PermitAll or user role should be specified to access URL(s) of the application”.

📝 52417

Improve accuracy for rule 1040016 “PermitAll or user role should be specified to access URL(s) of the application” and clarify its documentation

📝 52417

Updated embedded libraries.

Fixed compatibility issues present when using the extension in v3/8.4 in a Linux/Docker environment.

Added support for the Lambda DSL method for disabling CSRF, therefore fixing a missing violation on the rule “Avoid disabling CSRF Protection (Spring Security)”.

📝 48983

Remove false positive for rule “Avoid unsafe object binding” when bound parameter is an array or a collection.

📝 49240

Remove false positive for rule “Avoid unsafe object binding” when bound parameter is a Boolean or a LocalDate.

📝 48873

Remove false positive for rule “Avoid unsafe object binding” when bound parameter is a Data Transfer Object.

📝 48873

Updated an internal library to provide improved resolutions and compatibility with Python 3.9/Linux.

Correction of false positive violation for rule “Ensure declaring formLogin after requesting authorization and authentication” (1040008).

📝 44764

Added support for Jakarta EE 9.0+

A change has been made to reduce the amount of log messages provided during the analysis. As a result some less important log messages have been changed from “info” to “debug”.

Fixed false violation for the rule (1040016): ‘PermitAll or user role should be specified to access URL(s) of the application’.

📝 41280

Fixes an issue causing the rule “Avoid disabling CSRF Protection (Spring Security)” (1040002) to report no violations at all.	📝 39495
Fixes an issue causing the rule “Avoid disabling CSRF Protection (Spring Security)” (1040002) to report no violations at all.	📝 40067

Fixes false negative for QR “Avoid disabling CSRF Protection (Spring Security)”	📝 35537
Fixes analyzer crash during parsing of xml files with lxml.etree.XMLSyntaxError error.	📝 36075
Fixes false positives violations for the following rules “PermitAll or user role should be specified to access URL(s) of the application”, “Avoid disabling CSRF Protection (Spring Security)” and “HTTP user session must be invalidated during logout”.	📝 39396

JEE analyzer freeze when analyzing application with Spring Security.

Fix to resolve the error “Extension com.castsoftware.springsecurity has encountered an issue” during an analysis.

Extension withdrawn.

This release of the extension contains a large number of rule related improvements, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.