Release Notes - 1.1
1.1.3-funcrel
Other Updates
Details |
---|
This release of Security Analyzer includes a Linux-specific fix that enables the visualization of violation paths within the dashboard. |
1.1.2-funcrel
Rules
Rule Id | New Rule | Details |
---|---|---|
8240 | FALSE | Fixed the 'Avoid using unsecured cookie' rule, which could generate false positives in rare cases (JEE only) |
1025056 | FALSE | Enhanced the 'Avoid running SQL queries inside a loop' rule to now function inter-procedurally rather than intra-procedurally |
1025056 | FALSE | Improved support for the quality rule 'Avoid running SQL queries inside a loop': better support of `Spring Data` and `Entity Framework` |
7742 | FALSE | Improved support for the quality rule 'Avoid SQL injection': better support of `ZorgInfo` |
8420 | FALSE | Improved support for the quality rule 'Avoid second order SQL injection': better support of `ZorgInfo` |
8490 | FALSE | Improved support for the quality rule 'Avoid SQL injection through API requests': better support of `ZorgInfo` |
7746 | FALSE | Improved support for the quality rule 'Avoid LDAP injection': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` |
8492 | FALSE | Improved support for the quality rule 'Avoid LDAP injection through API requests': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` |
1025010 | FALSE | Improved support for the quality rule 'Avoid second order LDAP injection': better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` |
7740 | FALSE | Improved support for the quality rule 'Avoid HTTP response splitting': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
8484 | FALSE | Improved support for the quality rule 'Avoid HTTP response splitting through API requests': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
1025012 | FALSE | Improved support for the quality rule 'Avoid second order HTTP response splitting': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
8044 | FALSE | Improved support for the quality rule 'Avoid log forging': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
8508 | FALSE | Improved support for the quality rule 'Avoid log forging through API requests': support of the `OpenMRS` and `Adobe Granite` sanitization frameworks |
8408 | FALSE | Improved support for the quality rule 'Avoid reflected cross-site scripting (non persistent)': support of the `OpenMRS`, `Adobe Granite` and `Apache Sling` sanitization frameworks |
8410 | FALSE | Improved support for the quality rule 'Avoid cross-site scripting (persistent)': support of the `OpenMRS`, `Adobe Granite` and `Apache Sling` sanitization frameworks |
8482 | FALSE | Improved support for the quality rule 'Avoid cross-site scripting through API requests': support of the `OpenMRS`, `Adobe Granite` and `Apache Sling` sanitization frameworks |
1025048 | FALSE | The rule 'Avoid hard-coded password in connection string' is now marked as critical |
1.1.1-funcrel
Rules
Rule Id | New Rule | Details |
---|---|---|
7742 | FALSE | Correction of the quality rule "Avoid SQL injection": some violations are now identified by the quality rule "Avoid numeric user inputs in SQL queries" (1025058) |
8420 | FALSE | Correction of the quality rule "Avoid second order SQL injection": some violations are now identified by the quality rule "Avoid second order numeric user inputs in SQL queries" (1025060) |
8490 | FALSE | Correction of the quality rule "Avoid SQL injection through API requests": some violations are now identified by the quality rule "Avoid numeric user inputs in SQL queries through API requests" (1025062) |
1025058 | FALSE | Correction of the quality rule "Avoid numeric user inputs in SQL queries": added new violations that were previously identified by the quality rule "Avoid SQL injection" (7742) |
1025060 | FALSE | Correction of the quality rule "Avoid second order numeric user inputs in SQL queries": added new violations that were previously identified by the quality rule "Avoid second order SQL injection" (8420) |
1025062 | FALSE | Correction of the quality rule "Avoid numeric user inputs in SQL queries through API requests": added new violations that were previously identified by the quality rule "Avoid SQL injection through API requests" (8490) |
8240 | FALSE | Improved support for the quality rule "Avoid using unsecured cookie" (for JEE): better support of `javax.servlet.http.HttpServletResponse` |
1025016 | FALSE | Improved support for the quality rule "Avoid using cookie without the HttpOnly flag" (for JEE): better support of `javax.servlet.http.HttpServletResponse` |
7746 | FALSE | Improved support for the quality rule "Avoid LDAP injection" (for .NET): better support of `System.DirectoryServices` |
8492 | FALSE | Improved support for the quality rule "Avoid LDAP injection through API requests" (for .NET): better support of `System.DirectoryServices` |
1025010 | FALSE | Improved support for the quality rule "Avoid second order LDAP injection" (for .NET): better support of `System.DirectoryServices` |
8416 | FALSE | Improved support for the quality rule "Avoid use of a reversible one-way hash" (for .NET): better support of `System.Security.Cryptography` |
8440 | FALSE | Improved support for the quality rule "Avoid reflection injection" (for .NET): better support of `System.Type` |
8502 | FALSE | Improved support for the quality rule "Avoid reflection injection through API requests" (for .NET): better support of `System.Type` |
1025008 | FALSE | Improved support for the quality rule "Avoid second order reflection injection" (for .NET): better support of `System.Type` |
New Support
Summary | Details |
---|---|
Apache NMS | The Security Analyzer now supports the Apache NMS framework for .NET environments. Its inputs are considered tainted input "through API requests", which affects all rules "through API requests". As a consequence, after upgrading to this release and running a new analysis, additional violations may be found. |
1.1.0-funcrel
Note
Moved to funcrel release. No other changes have been made.
1.1.0-beta1
Rules
Rule Id | New Rule | Details |
---|---|---|
1025056 | TRUE | New rule: "Avoid running SQL queries inside a loop" has been added. |
New Support
Summary | Details |
---|---|
Support for RabbitMQ for JEE | The Security Analyzer now supports the RabbitMQ framework for JEE environments. Its inputs are considered tainted input "through API requests", which affects all rules "through API requests". As a consequence, after upgrading to this release and running a new analysis, additional violations may be found. |