Release Notes - 1.1


  • 1.1.7-funcrel

    Improves the accuracy of database call detection in Java and .NET applications using Hibernate or NHibernate.
    Fixes missing violations in the rare case where the Security Analyzer is used with an old version of SecurityForJava.
    Improves accuracy of rules: 8044 ‘Avoid log forging’, 8508 ‘Avoid log forging through API requests’, 8542 ‘Avoid debug forging’, 8544 ‘Avoid debug forging through API requests’.
    Improves the documentation of the rule 8438 ‘Avoid code injection’
    Improves the documentation of the rule 8498 ‘Avoid thread injection through API requests’
    Improves the documentation of the rule 8436 ‘Avoid thread injection’
    Improves the documentation of the rule 8434 ‘Avoid process control’
    Improves the documentation of the rule 7750 ‘Avoid XPath injection’
    Improves the documentation of the rule 7746 ‘Avoid LDAP injection’
    Improves the documentation of the rule 8484 ‘Avoid HTTP response splitting through API requests’
    Improves the documentation of the rule 7740 ‘Avoid HTTP response splitting’
    Improves the documentation of the rule 7752 ‘Avoid file path manipulation’
    Improves the documentation of the rule 8508 ‘Avoid log forging through API requests’
    Improves the documentation of the rule 8482 ‘Avoid cross-site scripting through API requests’
    Improves accuracy of 💎 8416 ‘Avoid use of a reversible one-way hash’ by adding support for Google Guava (com.google.common.hash.Hashing).
  • 1.1.6-funcrel

    Improves the description of the rules 8408 ‘Avoid reflected cross-site scripting (non persistent)’, 8410 ‘Avoid cross-site scripting (persistent)’
    Improves the description of the rules 7742 ‘Avoid SQL injection’, 8420 ‘Avoid second order SQL injection’, 8490 ‘Avoid SQL injection through API requests’
    Improves accuracy of rules: 8044 ‘Avoid log forging’, 8508 ‘Avoid log forging through API requests’, 8542 ‘Avoid debug forging’, 8544 ‘Avoid debug forging through API requests’.
    Improves accuracy of rules: 8044 ‘Avoid log forging’, 8508 ‘Avoid log forging through API requests’.
    Improves accuracy of rules: 7742 ‘Avoid SQL injection’, 8420 ‘Avoid second order SQL injection’, 8490 ‘Avoid SQL injection through API requests’ and 1025056 ‘Avoid running SQL queries inside a loop’.
    Improves accuracy of rules: 8418 ‘Avoid NoSQL injection’, 8514 ‘Avoid NoSQL injection through API requests’.
    Improves accuracy of rules: 8438 ‘Avoid code injection’, 8500 ‘Avoid code injection through API requests’.
    Supports the following frameworks for the Java environment: JLine, Lexer, ZK Framework and java.util.Scanner. These are treated as standard input mechanisms (tainted-input sources), which affects every rule that depends on user input acquisition. Consequently, after upgrading to this release and running a new analysis, additional violations may be reported.
    Improves accuracy of rules: 7750 ‘Avoid XPath injection’, 1025002 ‘Avoid second order XPath injection’, 8504 ‘Avoid XPath injection through API requests’, 8408 ‘Avoid reflected cross-site scripting (non persistent)’, 8410 ‘Avoid cross-site scripting (persistent)’, 8482 ‘Avoid cross-site scripting through API requests’
    Improves accuracy of rules: 7742 ‘Avoid SQL injection’, 8420 ‘Avoid second order SQL injection’, 8490 ‘Avoid SQL injection through API requests’ for the type java.sql.ResultSet and 1025056 ‘Avoid running SQL queries inside a loop’.
  • 1.1.5-funcrel

    Fixes the violation path in the case of Spring MVC.
    Improves the search of fields.
    Improves the description of rule 8098 ‘Avoid uncontrolled format string’
    Improves the description of rule 8044 ‘Avoid log forging’
    Improves the description of rule 7748 ‘Avoid OS command injection’
    Improves the description of the rule 8408 ‘Avoid reflected cross-site scripting (non persistent)’
    Improves the description of the rules 8420 ‘Avoid second order SQL injection’, 8490 ‘Avoid SQL injection through API requests’
    Improves technical log information.
    Improves documentation of 💎 1025056 ‘Avoid running SQL queries inside a loop’
    Changes the description of the Security Analyzer component itself
    Improves documentation of 💎 1025064 “Avoid weak encoding for password”
    Improves accuracy of rules: 7746 ‘Avoid LDAP injection’, 1025010 ‘Avoid second order LDAP injection’, 8492 ‘Avoid LDAP injection through API requests’.
    Improves accuracy of rules: 7742 ‘Avoid SQL injection’, 8420 ‘Avoid second order SQL injection’, 8490 ‘Avoid SQL injection through API requests’ and 1025056 ‘Avoid running SQL queries inside a loop’.
    Improves accuracy of rules: 8442 ‘Avoid resource injection’, 8486 ‘Avoid resource injection through API requests’.
  • 1.1.4-funcrel

    Removes duplicated violations. May impact all quality rules computed by the Security Analyzer.
    Improves accuracy of 💎 1025056 ‘Avoid running SQL queries inside a loop’.
    Adds new 💎 1025064 ‘Avoid weak encoding’. 📝 51345
    Improves accuracy of 💎 1025026 ‘Avoid disabling the expiration time requirement of a JWT token’.
    Improves support of the JEE environment, affecting all rules of type “tainted input”.
    Improves support of the .NET environment, affecting all rules of type “through API requests”.
    Improves accuracy of 8408 ‘Avoid reflected cross-site scripting (non persistent)’, 8410 ‘Avoid cross-site scripting (persistent)’ and 8482 ‘Avoid cross-site scripting through API requests’.
    Improves accuracy of 💎 8416 ‘Avoid use of a reversible one-way hash’.
    Improves accuracy of rules: 8440 ‘Avoid reflection injection’, 1025008 ‘Avoid second order reflection injection’ and 8502 ‘Avoid reflection injection through API requests’.
    Improves accuracy of rules: 8418 ‘Avoid NoSQL injection’ and 8514 ‘Avoid NoSQL injection through API requests’.
    Improves accuracy of 💎 8424 ‘Avoid hard-coded HMAC and cryptographic key’.
    Improves accuracy of 💎 8414 ‘Avoid weak cryptographic algorithm’.
    Improves accuracy of 💎 1025030 ‘Avoid hard-coded JWT secret keys’.
    Improves accuracy of rules: 7742 ‘Avoid SQL injection’, 8420 ‘Avoid second order SQL injection’, 8490 ‘Avoid SQL injection through API requests’ and 1025056 ‘Avoid running SQL queries inside a loop’.
  • 1.1.3-funcrel

    This release of Security Analyzer includes a Linux-specific fix that enables the visualization of violation paths within the dashboard.
  • 1.1.2-funcrel

    The rule ‘Avoid hard-coded password in connection string’ is now marked as critical 💎 1025048
    Improved support for the quality rule ‘Avoid cross-site scripting through API requests’: support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks 💎 8482
    Improved support for the quality rule ‘Avoid cross-site scripting (persistent)’: support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks 💎 8410
    Improved support for the quality rule ‘Avoid reflected cross-site scripting (non persistent)’: support of the `OpenMRS` and `Adobe Granite` and `Apache Sling` sanitization frameworks 💎 8408
    Improved support for the quality rule ‘Avoid log forging through API requests’: support of the `OpenMRS` and `Adobe Granite` sanitization frameworks 💎 8508
    Improved support for the quality rule ‘Avoid log forging’: support of the `OpenMRS` and `Adobe Granite` sanitization frameworks 💎 8044
    Improved support for the quality rule ‘Avoid second order HTTP response splitting’: support of the `OpenMRS` and `Adobe Granite` sanitization frameworks 💎 1025012
    Improved support for the quality rule ‘Avoid HTTP response splitting through API requests’: support of the `OpenMRS` and `Adobe Granite` sanitization frameworks 💎 8484
    Improved support for the quality rule ‘Avoid HTTP response splitting’: support of the `OpenMRS` and `Adobe Granite` sanitization frameworks 💎 7740
    Improved support for the quality rule ‘Avoid second order LDAP injection’: better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` 💎 1025010
    Improved support for the quality rule ‘Avoid LDAP injection through API requests’: better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` 💎 8492
    Improved support for the quality rule ‘Avoid LDAP injection’: better support of `unboundid`, `opendj`, `Spring LDAP`, `Apache Directory`, `Novell LDAP`, `System.DirectoryServices.DirectoryEntry` 💎 7746
    Improved support for the quality rule ‘Avoid SQL injection through API requests’: better support of `ZorgInfo` 💎 8490
    Improved support for the quality rule ‘Avoid second order SQL injection’: better support of `ZorgInfo` 💎 8420
    Improved support for the quality rule ‘Avoid SQL injection’: better support of `ZorgInfo` 💎 7742
    Improved support for the quality rule ‘Avoid running SQL queries inside a loop’: better support of `Spring Data` and `Entity Framework` 💎 1025056
    Enhanced the ‘Avoid running SQL queries inside a loop’ rule to now function inter-procedurally rather than intra-procedurally 💎 1025056
    Fixed the ‘Avoid using unsecured cookie’ rules which could generate false positives in rare cases (JEE only) 💎 8240
  • 1.1.1-funcrel

    Improved support for the quality rule “Avoid second order reflection injection” (for .NET): better support of `System.Type` 💎 1025008
    Improved support for the quality rule “Avoid reflection injection through API requests” (for .NET): better support of `System.Type` 💎 8502
    Improved support for the quality rule “Avoid reflection injection” (for .NET): better support of `System.Type` 💎 8440
    Improved support for the quality rule “Avoid use of a reversible one-way hash” (for .NET): better support of `System.Security.Cryptography` 💎 8416
    Improved support for the quality rule “Avoid second order LDAP injection” (for .NET): better support of `System.DirectoryServices` 💎 1025010
    Improved support for the quality rule “Avoid LDAP injection through API requests” (for .NET): better support of `System.DirectoryServices` 💎 8492
    Improved support for the quality rule “Avoid LDAP injection” (for .NET): better support of `System.DirectoryServices` 💎 7746
    Improved support for the quality rule “Avoid using cookie without the HttpOnly flag” (for JEE): better support of `javax.servlet.http.HttpServletResponse` 💎 1025016
    Improved support for the quality rule “Avoid using unsecured cookie” (for JEE): better support of `javax.servlet.http.HttpServletResponse` 💎 8240
    Correction of the quality rule “Avoid numeric user inputs in SQL queries through API requests”: added new violations that were previously identified by the quality rule “Avoid SQL injection through API requests” (8490) 💎 1025062
    Correction of the quality rule “Avoid second order numeric user inputs in SQL queries”: added new violations that were previously identified by the quality rule “Avoid second order SQL injection” (8420) 💎 1025060
    Correction of the quality rule “Avoid numeric user inputs in SQL queries”: added new violations that were previously identified by the quality rule “Avoid SQL injection” (7742) 💎 1025058
    Correction of the quality rule “Avoid SQL injection through API requests”: some violations are now identified by the quality rule “Avoid numeric user inputs in SQL queries through API requests” (1025062) 💎 8490
    Correction of the quality rule “Avoid second order SQL injection”: some violations are now identified by the quality rule “Avoid second order numeric user inputs in SQL queries” (1025060) 💎 8420
    Correction of the quality rule “Avoid SQL injection”: some violations are now identified by the quality rule “Avoid numeric user inputs in SQL queries” (1025058) 💎 7742
    The Security Analyzer now supports the Apache NMS framework for the .NET environment. Data received through it is treated as tainted input “through API requests”, affecting all rules “through API requests”. Consequently, after upgrading to this release and running a new analysis, additional violations may be found.
  • 1.1.0-funcrel

    Moved to funcrel release. No other changes have been made.
  • 1.1.0-beta1

    New rule: “Avoid running SQL queries inside a loop” has been added. 💎 1025056
    The Security Analyzer now supports the RabbitMQ framework for the JEE environment. Data received through it is treated as tainted input “through API requests”, affecting all rules “through API requests”. Consequently, after upgrading to this release and running a new analysis, additional violations may be found.
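
The 1.1.0-beta1 entry above introduces rule 1025056 ‘Avoid running SQL queries inside a loop’, and the 1.1.2 entry makes it inter-procedural rather than intra-procedural. The Java class below is an added illustration of what that change means for the violations you will see after upgrading; it is not code from these release notes or from the Security Analyzer. The `orders(id, amount)` table, the `OrderTotals` class and its method names are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

// Added illustration for rule 1025056 'Avoid running SQL queries inside a loop'.
// Assumed (not from the release notes): a table orders(id, amount) and an open JDBC Connection.
public class OrderTotals {

    private final Connection connection;

    public OrderTotals(Connection connection) {
        this.connection = connection;
    }

    // Intra-procedural case: the query is executed in the loop body itself.
    // Both the original and the inter-procedural rule report this: executeQuery() is
    // lexically inside the loop, so no call graph is needed to find it.
    public int totalIntraProcedural(List<Integer> orderIds) throws SQLException {
        int total = 0;
        for (int id : orderIds) {
            try (PreparedStatement ps = connection.prepareStatement(
                    "SELECT amount FROM orders WHERE id = ?")) {
                ps.setInt(1, id);
                try (ResultSet rs = ps.executeQuery()) {
                    if (rs.next()) {
                        total += rs.getInt(1);
                    }
                }
            }
        }
        return total;
    }

    // Inter-procedural case: the loop body only calls a helper; the query lives in the callee.
    // An intra-procedural check sees no SQL call in this loop and stays silent. The 1.1.2
    // version follows the call into amountFor() and reports the loop, so this pattern is a
    // typical source of the "new" 1025056 violations after the upgrade.
    public int totalInterProcedural(List<Integer> orderIds) throws SQLException {
        int total = 0;
        for (int id : orderIds) {
            total += amountFor(id); // one database round trip per element
        }
        return total;
    }

    private int amountFor(int id) throws SQLException {
        try (PreparedStatement ps = connection.prepareStatement(
                "SELECT amount FROM orders WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    // Remediation: a single set-based query, executed once, with one bound parameter per id.
    public int totalSingleQuery(List<Integer> orderIds) throws SQLException {
        if (orderIds.isEmpty()) {
            return 0;
        }
        StringBuilder sql = new StringBuilder("SELECT SUM(amount) FROM orders WHERE id IN (");
        for (int i = 0; i < orderIds.size(); i++) {
            sql.append(i == 0 ? "?" : ", ?"); // placeholders only; values are bound below
        }
        sql.append(")");
        try (PreparedStatement ps = connection.prepareStatement(sql.toString())) {
            for (int i = 0; i < orderIds.size(); i++) {
                ps.setInt(i + 1, orderIds.get(i));
            }
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0; // SUM over no rows is NULL, read as 0
            }
        }
    }
}
```

The remediation builds the statement text with `StringBuilder`, but it only appends `?` placeholders; every id is still passed through `setInt`, so the rewrite does not trade a loop finding for an SQL injection finding (7742). For very large id lists, check your database's limit on the number of parameters or the length of an `IN` list and split the ids into bounded batches, which still leaves you with a handful of queries rather than one per row.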