Release Notes - 1.0

Provides improved support (including removing false positives) for the quality rule “Avoid using unsecured cookie” (for .NET): the Security Analyzer now takes into account the `Secure` value if it is equals to `FormAuthentication.RequireSSL`.

📝 44572

Fixes a false positive for the rule “Avoid hard-coded password in connection string”.	📝 42131
Fixes an issue that can cause a rare crash (ERROR System.ApplicationException) of the Security Analyzer.	📝 42507

The Security Analyzer now supports the “jakarta.servlet” similar to the existing support for “javax.servlet”.

For Java technologies, improved support for BufferedReader and InputStreamReader types has now been implemented. This change may impact all rules computed by the Security Analyzer.

Extension com.castsoftware.dwr for “Direct Web Remoting Framework” (https://doc.castsoftware.com/display/TECHNOS/Direct+Web+Remoting ) is able to prepare a collection of user-inputs specific to the DWR environment. This change may impact injection rules computed by the Security Analyzer: more violations may be detected on unchanged source code.

Fixes an issue causing the Security Analyzer to incorrectly detect false positive/not detect true positive violations for the quality rules “Avoid log forging” (8044), “Avoid log forging through API requests” (8508), “Avoid debug forging” (8542), “Avoid debug forging through API requests” (8544), Avoid NoSQL injection" (8418), “Avoid NoSQL injection through API requests” (8514) with numerical user-inputs.

For JEE environment, all rules of type “Avoid second order injection” are now computed more accurately. As a consequence after upgrade to this release and a new analysis, violation paths may differ compared with existing results and the number of violations may change.

For JEE environment, some methods of java.net.Socket are now recognized as inputs. This change may impact all rules computed by the Security Analyzer.

For JEE, “jakarta.jms.MessageListener” is now an input for the series of rules “through API requests” computed by the Security Analyzer, such as “Avoid cross-site scripting through API requests”. This change may impact existing analysis results for unchanged source code: additional violations may be found that were not found previously.

For .NET, “System.Web.UI.StateBag” instances are now an inputfor the series of quality rules “through API requests” computed by the Security Analyzer, such as “Avoid cross-site scripting through API requests”. This change may impact existing analysis results for unchanged source code: additional violations may be found that were not found previously.

The Security Analyzer is now able to follow non-static fields and in some very rare situations, it is now able to explore more paths. This fix impacts all rules computed by the Security Analyzer: the number of violations may change in comparison to previous results..

Improvements have been implemented for the rules “Avoid NoSQL injection” (8418) , “Avoid NoSQL injection through API requests” (8514): previously these rules were not able to correctly identify input arguments with specific types such as int / long / float / double or other specific types like “java.lang.Throwable”. This situation has now been resolved and these input types are now handled correctly. As a result, after upgrade to this release and the generation of a new snapshot on unchanged source code, some violations that were previously detected erroneously may now not be detected.

Fixes an issue causing the Security Analyzer to crash while computing the quality rule “Avoid using unnormalized input strings” (1025052).

📝 39791

Removed some rare false positives for the quality rule: “Avoid OS command injection” (7748).

📝 38343

The Security Analyzer now supports JAX-RS entry-points.

This is the first release of the Security Analyzer as a standalone extension. The Security Analyzer has been externalised as an extension to give the feature more flexibility to future development. The Security Analyzer embedded in AIP Core will continue to exist and will be shipped “out of the box” with AIP Core, but only critical bugs will be fixed and no new features or functionality will be added. This extension has the same features and functionality on release as the Security Analyzer embedded in AIP Core (except for the addition of one new rule - see below). The new Security Analyzer extension is compatible with AIP Core ≥ 8.3.44. All future development of the Security Analyzer (bug fixes, new features, functionality etc.) will be completed in the Security Analyzer extension only. The behaviour is as follows: 1) Nothing is automatic - for both AIP Console and “legacy” CAST AIP deployments, the Security Analyzer extension must be manually downloaded and installed in order to use it, 2) if the extension is installed, CAST AIP Console/CAST Management Studio will automatically detect that it exists and will use the extension rather than the analyzer embedded in AIP Core, 3) once the extension has been installed and used to produce analysis results, it is not possible to reverse this choice by removing the extension and re-analyzing the source code again.