Release Notes - 1.1


1.1.4-funcrel

Fixes/Bugs

Customer Ticket Id Technical Details Customer Details
Removes duplicated violations on AED (more precisely: in KB) in case of violations having their path starting on the same line and ending on the same line (that could be different of the starting line). Internally have precise information: each step of the violation path has a full bookmark (starting line, starting column, ending line, ending column). But the KB loses the column information, so we need to have an extra operation to remove duplicate violations for the KB. Removes duplicated violations.
Removes some violations computed by the internal "TaintedInput analyzer" if they contain several times the same method call in its violation path. Removes duplicated violations. May impact all quality rules computed by the Security Analyzer.
Fix a wrong detection of a loop in case of if/break in a do/while (java only) Improves accuracy of rule: 1025056 'Avoid running SQL queries inside a loop'.
Fix the counts visible in AED Improves accuracy of rule: 1025056 'Avoid running SQL queries inside a loop'.

New Support

Customer Ticket Id Technical Details Customer Details
51345 Support of CWE-261: Weak Encoding for Password for JEE and .NET Adds new rule: 1025064 'Avoid weak encoding'.

Enhancement/Improvements

Customer Ticket Id Technical Details Customer Details
Improved support of io.jsonwebtoken Improves accuracy of rule: 1025026 'Avoid disabling the expiration time requirement of a JWT token'.
New support of Spring WebRequest Improved support of JEE environment, affecting all rules of type "tainted input".
New support of Microsoft.ServiceBus Improved support of .NET environment, affecting all rules of type "through API requests".
New support of com.google.common.html (sanitization) Improves accuracy of 8408 'Avoid reflected cross-site scripting (non persistent)', 8410 'Avoid cross-site scripting (persistent)' and 8482 'Avoid cross-site scripting through API requests'.
Removes false positives and duplicated violations Improves accuracy of rule: 8416 'Avoid use of a reversible one-way hash'.
Improved support of reflection injection targets using the blackboxing on the fly Improves accuracy of rules: 8440 'Avoid reflection injection', 1025008 Avoid second order reflection injection' and 8502-'Avoid reflection injection through API requests'.
Improved support of Spring Data MongoDB Improves accuracy of rules: 8418 'Avoid NoSQL injection' and 8514 'Avoid NoSQL injection through API requests'.
Improved support of System.Security.Cryptography, org.apache.commons.codec.digest, javax.crypto. Also renamed the quality rule and improved the documentation of the quality rule Improves accuracy of rule: 8424 'Avoid hard-coded HMAC and cryptographic key'.
Improved support of javax.crypto.Cipher and improved support of the algorithm detection Improves accuracy of rule: 8414 'Avoid weak cryptographic algorithm'.
Improved support of System.Security.Cryptography and improved support of the algorithm detection Improves accuracy of rule: 8416 'Avoid use of a reversible one-way hash'.
Improved support of io.jsonwebtoken Improves accuracy of rule: 1025030 'Avoid hard-coded JWT secret keys'.
New support of oracle.jdbc.rowset, weblogic.jdbc.rowset, com.sun.rowset Improves accuracy of rules: 7742 'Avoid SQL injection', 8420 'Avoid second order SQL injection', 8490 'Avoid SQL injection through API requests' and 1025056 'Avoid running SQL queries inside a loop'.

1.1.3-funcrel

Other Updates

Details
This release of Security Analyzer includes a Linux-specific fix that enables the visualization of violation paths within the dashboard.

1.1.2-funcrel

Rules

Rule Id New Rule Details
1025048 FALSE The rule 'Avoid hard-coded password in connection string' is now marked as critical
8482 FALSE Improved support for the quality rule 'Avoid cross-site scripting through API requests': support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks
8410 FALSE Improved support for the quality rule 'Avoid cross-site scripting (persistent)': support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks
8408 FALSE Improved support for the quality rule 'Avoid reflected cross-site scripting (non persistent)': support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks
8508 FALSE Improved support for the quality rule 'Avoid log forging through API requests': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks
8044 FALSE Improved support for the quality rule 'Avoid log forging': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks
1025012 FALSE Improved support for the quality rule 'Avoid second order HTTP response splitting': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks
8484 FALSE Improved support for the quality rule 'Avoid HTTP response splitting through API requests': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks
7740 FALSE Improved support for the quality rule 'Avoid HTTP response splitting': support of the type `OpenMRS` and `Adobe Granite` sanitization frameworks
1025010 FALSE Improved support for the quality rule 'Avoid second order LDAP injection': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry`
8492 FALSE Improved support for the quality rule 'Avoid LDAP injection through API requests': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry`
7746 FALSE Improved support for the quality rule 'Avoid LDAP injection': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry`
8490 FALSE Improved support for the quality rule 'Avoid SQL injection through API requests': better support of `ZorgInfo`
8420 FALSE Improved support for the quality rule 'Avoid second order SQL injection': better support of `ZorgInfo`
7742 FALSE Improved support for the quality rule 'Avoid SQL injection': better support of `ZorgInfo`
1025056 FALSE Improved support for the quality rule 'Avoid running SQL queries inside a loop': better support of `Spring Data` and `Entity Framework`
1025056 FALSE Enhanced the 'Avoid running SQL queries inside a loop' rule to now function inter-procedurally rather than intra-procedurally
8240 FALSE Fixed the 'Avoid using unsecured cookie' rules which could generate false positives in rare cases (JEE only)

1.1.1-funcrel

Rules

Rule Id New Rule Details
1025008 FALSE Improved support for the quality rule "Avoid second order reflection injection" (for .NET): better support of `System.Type`
8502 FALSE Improved support for the quality rule "Avoid reflection injection through API requests" (for .NET): better support of `System.Type
8440 FALSE Improved support for the quality rule "Avoid reflection injection" (for .NET): better support of `System.Type`
8416 FALSE Improved support for the quality rule "Avoid use of a reversible one-way hash" (for .NET): better support of `System.Security.Cryptography`
1025010 FALSE Improved support for the quality rule "Avoid second order LDAP injection" (for .NET): better support of `System.DirectoryServices`
8492 FALSE Improved support for the quality rule "Avoid LDAP injection through API requests" (for .NET): better support of `System.DirectoryServices`
7746 FALSE Improved support for the quality rule "Avoid LDAP injection" (for .NET): better support of `System.DirectoryServices`
1025016 FALSE Improved support for the quality rule "Avoid using cookie without the HttpOnly flag" (for JEE): better support of `javax.servlet.http.HttpServletResponse`
8240 FALSE Improved support for the quality rule "Avoid using unsecured cookie" (for JEE): better support of `javax.servlet.http.HttpServletResponse`
1025062 FALSE Correction of the quality rule "Avoid numeric user inputs in SQL queries through API requests": added new violations that were previously identified by the quality rule "Avoid SQL injection through API requests" (8490)
1025060 FALSE Correction of the quality rule "Avoid second order numeric user inputs in SQL queries": added new violations that were previously identified by the quality rule "Avoid second order SQL injection" (8420)
1025058 FALSE Correction of the quality rule "Avoid numeric user inputs in SQL queries": added new violations that were previously identified by the quality rule "Avoid SQL injection" (7742)
8490 FALSE Correction of the quality rule "Avoid SQL injection through API requests": some violations are now identified by the quality rule "Avoid numeric user inputs in SQL queries through API requests" (1025062)
8420 FALSE Correction of the quality rule "Avoid second order SQL injection": some violations are now identified by the quality rule "Avoid second order numeric user inputs in SQL queries" (1025060)
7742 FALSE Correction of the quality rule "Avoid SQL injection": some violations are now identified by the quality rule "Avoid numeric user inputs in SQL queries" (1025058)

New Support

Summary Details
Apache NMS The Security Analyzer now supports the framework Apache NMS for .NET environment. It is considered as tainted input "through API requests", affecting all rules "through API requests". As a consequence after upgrade to this release and a new analysis, additional violations may be found.

1.1.0-funcrel

Note

Moved to funcrel release. No other changes have been made.

1.1.0-beta1

Rules

Rule Id New Rule Details
1025056 TRUE New rule: "Avoid running SQL queries inside a loop" has been added.

New Support

Summary Details
Support for RabbitMQ for JEE The Security Analyzer now supports the framework RabbitMQ for JEE environment. "through API requests" are considered as tainted input affecting all rules "through API requests". As a consequence, after upgrade to this release and a new analysis, additional violations may be found.