Release Notes - 1.1
1.1.4-funcrel
Fixes/Bugs
| Customer Ticket Id | Technical Details | Customer Details |
|---|---|---|
| Removes duplicated violations on AED (more precisely: in KB) in case of violations having their path starting on the same line and ending on the same line (that could be different of the starting line). Internally have precise information: each step of the violation path has a full bookmark (starting line, starting column, ending line, ending column). But the KB loses the column information, so we need to have an extra operation to remove duplicate violations for the KB. | Removes duplicated violations. | |
| Removes some violations computed by the internal "TaintedInput analyzer" if they contain several times the same method call in its violation path. | Removes duplicated violations. May impact all quality rules computed by the Security Analyzer. | |
| Fix a wrong detection of a loop in case of if/break in a do/while (java only) | Improves accuracy of rule: 1025056 'Avoid running SQL queries inside a loop'. | |
| Fix the counts visible in AED | Improves accuracy of rule: 1025056 'Avoid running SQL queries inside a loop'. |
New Support
| Customer Ticket Id | Technical Details | Customer Details |
|---|---|---|
| 51345 | Support of CWE-261: Weak Encoding for Password for JEE and .NET | Adds new rule: 1025064 'Avoid weak encoding'. |
Enhancement/Improvements
| Customer Ticket Id | Technical Details | Customer Details |
|---|---|---|
| Improved support of io.jsonwebtoken | Improves accuracy of rule: 1025026 'Avoid disabling the expiration time requirement of a JWT token'. | |
| New support of Spring WebRequest | Improved support of JEE environment, affecting all rules of type "tainted input". | |
| New support of Microsoft.ServiceBus | Improved support of .NET environment, affecting all rules of type "through API requests". | |
| New support of com.google.common.html (sanitization) | Improves accuracy of 8408 'Avoid reflected cross-site scripting (non persistent)', 8410 'Avoid cross-site scripting (persistent)' and 8482 'Avoid cross-site scripting through API requests'. | |
| Removes false positives and duplicated violations | Improves accuracy of rule: 8416 'Avoid use of a reversible one-way hash'. | |
| Improved support of reflection injection targets using the blackboxing on the fly | Improves accuracy of rules: 8440 'Avoid reflection injection', 1025008 Avoid second order reflection injection' and 8502-'Avoid reflection injection through API requests'. | |
| Improved support of Spring Data MongoDB | Improves accuracy of rules: 8418 'Avoid NoSQL injection' and 8514 'Avoid NoSQL injection through API requests'. | |
| Improved support of System.Security.Cryptography, org.apache.commons.codec.digest, javax.crypto. Also renamed the quality rule and improved the documentation of the quality rule | Improves accuracy of rule: 8424 'Avoid hard-coded HMAC and cryptographic key'. | |
| Improved support of javax.crypto.Cipher and improved support of the algorithm detection | Improves accuracy of rule: 8414 'Avoid weak cryptographic algorithm'. | |
| Improved support of System.Security.Cryptography and improved support of the algorithm detection | Improves accuracy of rule: 8416 'Avoid use of a reversible one-way hash'. | |
| Improved support of io.jsonwebtoken | Improves accuracy of rule: 1025030 'Avoid hard-coded JWT secret keys'. | |
| New support of oracle.jdbc.rowset, weblogic.jdbc.rowset, com.sun.rowset | Improves accuracy of rules: 7742 'Avoid SQL injection', 8420 'Avoid second order SQL injection', 8490 'Avoid SQL injection through API requests' and 1025056 'Avoid running SQL queries inside a loop'. |
1.1.3-funcrel
Other Updates
| Details |
|---|
| This release of Security Analyzer includes a Linux-specific fix that enables the visualization of violation paths within the dashboard. |
1.1.2-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1025048 | FALSE | The rule 'Avoid hard-coded password in connection string' is now marked as critical |
| 8482 | FALSE | Improved support for the quality rule 'Avoid cross-site scripting through API requests': support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks |
| 8410 | FALSE | Improved support for the quality rule 'Avoid cross-site scripting (persistent)': support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks |
| 8408 | FALSE | Improved support for the quality rule 'Avoid reflected cross-site scripting (non persistent)': support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks |
| 8508 | FALSE | Improved support for the quality rule 'Avoid log forging through API requests': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 8044 | FALSE | Improved support for the quality rule 'Avoid log forging': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 1025012 | FALSE | Improved support for the quality rule 'Avoid second order HTTP response splitting': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 8484 | FALSE | Improved support for the quality rule 'Avoid HTTP response splitting through API requests': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 7740 | FALSE | Improved support for the quality rule 'Avoid HTTP response splitting': support of the type `OpenMRS` and `Adobe Granite` sanitization frameworks |
| 1025010 | FALSE | Improved support for the quality rule 'Avoid second order LDAP injection': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` |
| 8492 | FALSE | Improved support for the quality rule 'Avoid LDAP injection through API requests': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` |
| 7746 | FALSE | Improved support for the quality rule 'Avoid LDAP injection': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` |
| 8490 | FALSE | Improved support for the quality rule 'Avoid SQL injection through API requests': better support of `ZorgInfo` |
| 8420 | FALSE | Improved support for the quality rule 'Avoid second order SQL injection': better support of `ZorgInfo` |
| 7742 | FALSE | Improved support for the quality rule 'Avoid SQL injection': better support of `ZorgInfo` |
| 1025056 | FALSE | Improved support for the quality rule 'Avoid running SQL queries inside a loop': better support of `Spring Data` and `Entity Framework` |
| 1025056 | FALSE | Enhanced the 'Avoid running SQL queries inside a loop' rule to now function inter-procedurally rather than intra-procedurally |
| 8240 | FALSE | Fixed the 'Avoid using unsecured cookie' rules which could generate false positives in rare cases (JEE only) |
1.1.1-funcrel
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1025008 | FALSE | Improved support for the quality rule "Avoid second order reflection injection" (for .NET): better support of `System.Type` |
| 8502 | FALSE | Improved support for the quality rule "Avoid reflection injection through API requests" (for .NET): better support of `System.Type |
| 8440 | FALSE | Improved support for the quality rule "Avoid reflection injection" (for .NET): better support of `System.Type` |
| 8416 | FALSE | Improved support for the quality rule "Avoid use of a reversible one-way hash" (for .NET): better support of `System.Security.Cryptography` |
| 1025010 | FALSE | Improved support for the quality rule "Avoid second order LDAP injection" (for .NET): better support of `System.DirectoryServices` |
| 8492 | FALSE | Improved support for the quality rule "Avoid LDAP injection through API requests" (for .NET): better support of `System.DirectoryServices` |
| 7746 | FALSE | Improved support for the quality rule "Avoid LDAP injection" (for .NET): better support of `System.DirectoryServices` |
| 1025016 | FALSE | Improved support for the quality rule "Avoid using cookie without the HttpOnly flag" (for JEE): better support of `javax.servlet.http.HttpServletResponse` |
| 8240 | FALSE | Improved support for the quality rule "Avoid using unsecured cookie" (for JEE): better support of `javax.servlet.http.HttpServletResponse` |
| 1025062 | FALSE | Correction of the quality rule "Avoid numeric user inputs in SQL queries through API requests": added new violations that were previously identified by the quality rule "Avoid SQL injection through API requests" (8490) |
| 1025060 | FALSE | Correction of the quality rule "Avoid second order numeric user inputs in SQL queries": added new violations that were previously identified by the quality rule "Avoid second order SQL injection" (8420) |
| 1025058 | FALSE | Correction of the quality rule "Avoid numeric user inputs in SQL queries": added new violations that were previously identified by the quality rule "Avoid SQL injection" (7742) |
| 8490 | FALSE | Correction of the quality rule "Avoid SQL injection through API requests": some violations are now identified by the quality rule "Avoid numeric user inputs in SQL queries through API requests" (1025062) |
| 8420 | FALSE | Correction of the quality rule "Avoid second order SQL injection": some violations are now identified by the quality rule "Avoid second order numeric user inputs in SQL queries" (1025060) |
| 7742 | FALSE | Correction of the quality rule "Avoid SQL injection": some violations are now identified by the quality rule "Avoid numeric user inputs in SQL queries" (1025058) |
New Support
| Summary | Details |
|---|---|
| Apache NMS | The Security Analyzer now supports the framework Apache NMS for .NET environment. It is considered as tainted input "through API requests", affecting all rules "through API requests". As a consequence after upgrade to this release and a new analysis, additional violations may be found. |
1.1.0-funcrel
Note
Moved to funcrel release. No other changes have been made.
1.1.0-beta1
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1025056 | TRUE | New rule: "Avoid running SQL queries inside a loop" has been added. |
New Support
| Summary | Details |
|---|---|
| Support for RabbitMQ for JEE | The Security Analyzer now supports the framework RabbitMQ for JEE environment. "through API requests" are considered as tainted input affecting all rules "through API requests". As a consequence, after upgrade to this release and a new analysis, additional violations may be found. |