Release Notes - 1.2
1.2.16-funcrel
Fixes/Bugs
| Customer Ticket Id |
Technical Details |
Customer Details |
| 52417 |
Support for HttpServletRequests authorization functions anonymous(), authenticated(), fullyAuthenticated(), denyAll(), hasIpAddress() and rememberMe(). |
Improve accuracy of rule 1040016 "PermitAll or user role should be specified to access URL(s) of the application". |
1.2.15-funcrel
Fixes/Bugs
| Customer Ticket Id |
Technical Details |
Customer Details |
| 52417 |
Support for authorization of HttpServletRequests functions requestMatchers(), hasAuthority(), hasAnyRole() and hasAnyAuthority() |
Improve accuracy for rule 1040016 "PermitAll or user role should be specified to access URL(s) of the application" and clarify its documentation |
1.2.14-funcrel
Other Updates
| Details |
| Fixed compatibility issues present when using the extension in v3/8.4 in a Linux/Docker environment. |
| Updated embedded libraries. |
1.2.13-funcrel
Resolved Issues
| Customer Ticket Id |
Details |
| 48983 |
Added support for the Lambda DSL method for disabling CSRF, therefore fixing a missing violation on the rule "Avoid disabling CSRF Protection (Spring Security)". |
Rules
| Rule Id |
New Rule |
Details |
| 1040002 |
FALSE |
Added support for the Lambda DSL method for disabling CSRF, therefore fixing a missing violation on the rule "Avoid disabling CSRF Protection (Spring Security)". |
1.2.12-funcrel
Resolved Issues
| Customer Ticket Id |
Details |
| 49240 |
Remove false positive for rule "Avoid unsafe object binding" when bound parameter is an array or a collection. |
1.2.11-funcrel
Resolved Issues
| Customer Ticket Id |
Details |
| 48873 |
Remove false positive for rule "Avoid unsafe object binding" when bound parameter is a Boolean or a LocalDate. |
1.2.10-funcrel
Resolved Issues
| Customer Ticket Id |
Details |
| 48873 |
Remove false positive for rule "Avoid unsafe object binding" when bound parameter is a Data Transfer Object. |
1.2.9-funcrel
Other Updates
| Details |
| Updated an internal library to provide improved resolutions and compatibility with Python 3.9/Linux. |
1.2.8-funcrel
Resolved Issues
| Customer Ticket Id |
Details |
| 44764 |
Correction of false positive violation for rule "Ensure declaring formLogin after requesting authorization and authentication" (1040008). |
1.2.7-funcrel
Other Updates
| Details |
| Added support for Jakarta EE 9.0+ |
1.2.6-funcrel
Other Updates
| Details |
| A change has been made to reduce the amount of log messages provided during the analysis. As a result some less important log messages have been changed from "info" to "debug". |
1.2.5-funcrel
Resolved Issues
| Customer Ticket Id |
Details |
| 41280 |
Fixed false violation for the rule (1040016): 'PermitAll or user role should be specified to access URL(s) of the application'. |
Other Updates
| Details |
| Fixed missing violation for rule (1040002): 'Avoid disabling CSRF Protection'. |
Rules
| Rule Id |
New Rule |
Details |
| 1040048 |
TRUE |
Avoid unsafe object binding (Spring) |
1.2.4-funcrel
Resolved Issues
| Customer Ticket Id |
Details |
| 40067 |
Fixes an issue causing the rule "Avoid disabling CSRF Protection (Spring Security)" (1040002) to report no violations at all. |
| 39495 |
Fixes an issue causing the rule "Avoid disabling CSRF Protection (Spring Security)" (1040002) to report no violations at all. |
Rules
| Rule Id |
New Rule |
Details |
| 1040046 |
TRUE |
Avoid weak encryption algorithm (Spring) |
1.2.3-funcrel
Resolved Issues
| Customer Ticket Id |
Details |
| 39396 |
Fixes false positives violations for the following rules "PermitAll or user role should be specified to access URL(s) of the application", "Avoid disabling CSRF Protection (Spring Security)" and "HTTP user session must be invalidated during logout". |
| 36075 |
Fixes analyzer crash during parsing of xml files with lxml.etree.XMLSyntaxError error. |
| 35537 |
Fixes false negative for QR "Avoid disabling CSRF Protection (Spring Security)" |
Other Updates
| Details |
| Fixes inconsistency between Analysis Unit configuration. |
Rules
| Rule Id |
New Rule |
Details |
| 1040012 |
FALSE |
Fixed false positives for the rule "HTTP user session must be invalidated during logout". |
| 1040002 |
FALSE |
Fixed false positives for the rule "Avoid disabling CSRF Protection (Spring Security)". |
| 1040016 |
FALSE |
Removed false positives for the rule "PermitAll or user role should be specified to access URL(s) of the application". |
| 1040002 |
FALSE |
Fixed false negatives for the rule "Avoid disabling CSRF Protection (Spring Security)". |
1.2.2-funcrel
Other Updates
| Details |
| Fix to resolve the error "Extension com.castsoftware.springsecurity has encountered an issue" during an analysis. |
| JEE analyzer freeze when analyzing application with Spring Security. |
1.2.1-funcrel
Note
Extension withdrawn.
1.2.0-funcrel
Note
This release of the extension contains a large number of rule related improvements, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.
Other Updates
| Details |
| Thresholds has been updated for critical rules. |
Rules
| Rule Id |
New Rule |
Details |
| 1040024 |
FALSE |
Spring Boot Shutdown Actuator Endpoint must be secured from unauthenticated access. |
| 1040012 |
FALSE |
HTTP user session must be invalidated during logout. |
| 1040018 |
FALSE |
Ensure the X-Frame-Options header is setup (Spring). |
| 1040010 |
FALSE |
Always delete the cookies during the logout. |