Release Notes - 1.1
1.1.5-funcrel
Fixes/Bugs
| Customer Ticket Id | Customer Details |
|---|---|
| | Fixes the violation path in case of SpringMVC |
| | Improves the search of fields. |
Enhancement/Improvements
| Customer Ticket Id | Customer Details |
|---|---|
| | Improves the description of rule 8098 'Avoid uncontrolled format string' |
| | Improves the description of rule 8044 'Avoid log forging' |
| | Improves the description of rule 7748 'Avoid OS command injection' |
| | Improves the description of rule 8408 'Avoid reflected cross-site scripting (non persistent)' |
| | Improves the description of rules 8420 'Avoid second order SQL injection' and 8490 'Avoid SQL injection through API requests' |
| | Improves technical log information |
| | Improves documentation of rule 1025056 'Avoid running SQL queries inside a loop' |
| | Changes the description of the Security Analyzer component itself |
| | Improves documentation of rule 1025064 'Avoid weak encoding for password' |
| | Improves accuracy of rules 7746 'Avoid LDAP injection', 1025010 'Avoid second order LDAP injection' and 8492 'Avoid LDAP injection through API requests' |
| | Improves accuracy of rules 7742 'Avoid SQL injection', 8420 'Avoid second order SQL injection', 8490 'Avoid SQL injection through API requests' and 1025056 'Avoid running SQL queries inside a loop' |
| | Improves accuracy of rules 8442 'Avoid resource injection' and 8486 'Avoid resource injection through API requests' |
1.1.4-funcrel
Fixes/Bugs
| Customer Ticket Id | Customer Details |
|---|---|
| | Removes duplicated violations. May impact all quality rules computed by the Security Analyzer. |
| | Improves accuracy of rule 1025056 'Avoid running SQL queries inside a loop'. |
New Support
| Customer Ticket Id | Customer Details |
|---|---|
| 51345 | Adds new rule: 1025064 'Avoid weak encoding'. |
Enhancement/Improvements
| Customer Ticket Id | Customer Details |
|---|---|
| | Improves accuracy of rule 1025026 'Avoid disabling the expiration time requirement of a JWT token'. |
| | Improves support of the JEE environment, affecting all rules of type "tainted input". |
| | Improves support of the .NET environment, affecting all rules of type "through API requests". |
| | Improves accuracy of rules 8408 'Avoid reflected cross-site scripting (non persistent)', 8410 'Avoid cross-site scripting (persistent)' and 8482 'Avoid cross-site scripting through API requests'. |
| | Improves accuracy of rule 8416 'Avoid use of a reversible one-way hash'. |
| | Improves accuracy of rules 8440 'Avoid reflection injection', 1025008 'Avoid second order reflection injection' and 8502 'Avoid reflection injection through API requests'. |
| | Improves accuracy of rules 8418 'Avoid NoSQL injection' and 8514 'Avoid NoSQL injection through API requests'. |
| | Improves accuracy of rule 8424 'Avoid hard-coded HMAC and cryptographic key'. |
| | Improves accuracy of rule 8414 'Avoid weak cryptographic algorithm'. |
| | Improves accuracy of rule 1025030 'Avoid hard-coded JWT secret keys'. |
| | Improves accuracy of rules 7742 'Avoid SQL injection', 8420 'Avoid second order SQL injection', 8490 'Avoid SQL injection through API requests' and 1025056 'Avoid running SQL queries inside a loop'. |
1.1.3-funcrel
Other Updates
| Details |
|---|
| This release of Security Analyzer includes a Linux-specific fix that enables the visualization of violation paths within the dashboard. |
1.1.2-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1025048 | FALSE | The rule 'Avoid hard-coded password in connection string' is now marked as critical |
| 8482 | FALSE | Improved support for the quality rule 'Avoid cross-site scripting through API requests': support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks |
| 8410 | FALSE | Improved support for the quality rule 'Avoid cross-site scripting (persistent)': support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks |
| 8408 | FALSE | Improved support for the quality rule 'Avoid reflected cross-site scripting (non persistent)': support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks |
| 8508 | FALSE | Improved support for the quality rule 'Avoid log forging through API requests': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 8044 | FALSE | Improved support for the quality rule 'Avoid log forging': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 1025012 | FALSE | Improved support for the quality rule 'Avoid second order HTTP response splitting': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 8484 | FALSE | Improved support for the quality rule 'Avoid HTTP response splitting through API requests': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 7740 | FALSE | Improved support for the quality rule 'Avoid HTTP response splitting': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 1025010 | FALSE | Improved support for the quality rule 'Avoid second order LDAP injection': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` |
| 8492 | FALSE | Improved support for the quality rule 'Avoid LDAP injection through API requests': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` |
| 7746 | FALSE | Improved support for the quality rule 'Avoid LDAP injection': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` |
| 8490 | FALSE | Improved support for the quality rule 'Avoid SQL injection through API requests': better support of `ZorgInfo` |
| 8420 | FALSE | Improved support for the quality rule 'Avoid second order SQL injection': better support of `ZorgInfo` |
| 7742 | FALSE | Improved support for the quality rule 'Avoid SQL injection': better support of `ZorgInfo` |
| 1025056 | FALSE | Improved support for the quality rule 'Avoid running SQL queries inside a loop': better support of `Spring Data` and `Entity Framework` |
| 1025056 | FALSE | Enhanced the 'Avoid running SQL queries inside a loop' rule to now function inter-procedurally rather than intra-procedurally |
| 8240 | FALSE | Fixed the 'Avoid using unsecured cookie' rule, which could generate false positives in rare cases (JEE only) |
1.1.1-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1025008 | FALSE | Improved support for the quality rule "Avoid second order reflection injection" (for .NET): better support of `System.Type` |
| 8502 | FALSE | Improved support for the quality rule "Avoid reflection injection through API requests" (for .NET): better support of `System.Type` |
| 8440 | FALSE | Improved support for the quality rule "Avoid reflection injection" (for .NET): better support of `System.Type` |
| 8416 | FALSE | Improved support for the quality rule "Avoid use of a reversible one-way hash" (for .NET): better support of `System.Security.Cryptography` |
| 1025010 | FALSE | Improved support for the quality rule "Avoid second order LDAP injection" (for .NET): better support of `System.DirectoryServices` |
| 8492 | FALSE | Improved support for the quality rule "Avoid LDAP injection through API requests" (for .NET): better support of `System.DirectoryServices` |
| 7746 | FALSE | Improved support for the quality rule "Avoid LDAP injection" (for .NET): better support of `System.DirectoryServices` |
| 1025016 | FALSE | Improved support for the quality rule "Avoid using cookie without the HttpOnly flag" (for JEE): better support of `javax.servlet.http.HttpServletResponse` |
| 8240 | FALSE | Improved support for the quality rule "Avoid using unsecured cookie" (for JEE): better support of `javax.servlet.http.HttpServletResponse` |
| 1025062 | FALSE | Correction of the quality rule "Avoid numeric user inputs in SQL queries through API requests": added new violations that were previously identified by the quality rule "Avoid SQL injection through API requests" (8490) |
| 1025060 | FALSE | Correction of the quality rule "Avoid second order numeric user inputs in SQL queries": added new violations that were previously identified by the quality rule "Avoid second order SQL injection" (8420) |
| 1025058 | FALSE | Correction of the quality rule "Avoid numeric user inputs in SQL queries": added new violations that were previously identified by the quality rule "Avoid SQL injection" (7742) |
| 8490 | FALSE | Correction of the quality rule "Avoid SQL injection through API requests": some violations are now identified by the quality rule "Avoid numeric user inputs in SQL queries through API requests" (1025062) |
| 8420 | FALSE | Correction of the quality rule "Avoid second order SQL injection": some violations are now identified by the quality rule "Avoid second order numeric user inputs in SQL queries" (1025060) |
| 7742 | FALSE | Correction of the quality rule "Avoid SQL injection": some violations are now identified by the quality rule "Avoid numeric user inputs in SQL queries" (1025058) |
New Support
| Summary | Details |
|---|---|
| Apache NMS | The Security Analyzer now supports the Apache NMS framework for the .NET environment. Data received through it is treated as tainted input "through API requests", affecting all rules "through API requests". As a consequence, after upgrading to this release and running a new analysis, additional violations may be found. |
1.1.0-funcrel
Note
Moved to funcrel release. No other changes have been made.
1.1.0-beta1
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1025056 | TRUE | New rule: "Avoid running SQL queries inside a loop" has been added. |
New Support
| Summary | Details |
|---|---|
| Support for RabbitMQ for JEE | The Security Analyzer now supports the RabbitMQ framework for the JEE environment. Data received through it is treated as tainted input "through API requests", affecting all rules "through API requests". As a consequence, after upgrading to this release and running a new analysis, additional violations may be found. |