Release Notes - 1.1
1.1.0-alpha3
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 46596 | Fixes an issue wherein the rules provided by this extension are now considered "critical". |
| 46530 | Added "$argv" and "$_FILES" as taint sources for the rule "Avoid SQL injection (PHP)" |
Other Updates
| Details |
|---|
| The release of Psalm used by this extension has been updated to "master" branch, commit 4b2c6980c51129b066ae85c73798162865df5142 . |
| The global variable "$argv" was added as a source for taint analysis. |
| Report from Psalm is now stored a LISA sub-directory named "third_party_reports". The detailed results of Psalm no longer appear in standard CAST analysis logs. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1034060 | TRUE | Avoid uncontrolled import into the current symbol table (PHP) |
| 1034062 | TRUE | Avoid creating cookie without setting httpOnly option (PHP) |
| 1034064 | TRUE | Ensure httpOnly option is enabled when creating session (PHP) |
| 1034002 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid cookie injection (PHP)" |
| 1034004 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid LDAP injection (PHP)" |
| 1034006 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid OS command injection (PHP)" |
| 1034008 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid PHP Remote File Inclusion" |
| 1034010 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid code injection (PHP)" |
| 1034012 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid reflection injection (PHP)" |
| 1034014 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid file path manipulation (PHP)" |
| 1034016 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid reflected cross-site scripting (non persistent) (PHP)" |
| 1034018 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid deserialization injection (PHP)" |
| 1034020 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid HTTP header injection (PHP)" |
| 1034022 | FALSE | Added $argv an $_FILES as taint sources for rule "Avoid server-side request forgery (PHP)" |
| 1034050 | FALSE | Added $argv an $_FILES as taint sources for rule "Avoid XPath injection (PHP)" |
| 1034058 | FALSE | Added $argv an $_FILES as taint sources for rule "Avoid uncontrolled sleep calls (PHP)" |
1.1.0-alpha2
Note
Update psalm (master branch, commit e72fb5a2b31e606abd525f867696c5ba5bf7451b)
Other Updates
| Details |
|---|
| Psalm standard error is now redirected to cast.analysers.log with a [psalm stderr] prefix. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1034054 | TRUE | Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (PHP) |
| 1034056 | TRUE | Avoid using hard-coded HMAC keys (PHP) |
| 1034058 | TRUE | Avoid uncontrolled sleep calls (PHP) |
1.1.0-alpha1
Other Updates
| Details |
|---|
| Switch to Psalm master branch (commit 96d83947615641734a5baa181d44da7f10ee0246) which will be the future version 6.x. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1034024 | TRUE | Avoid second order SQL injection (PHP) |
| 1034026 | TRUE | Avoid second order code injection (PHP) |
| 1034028 | TRUE | Avoid second order LDAP injection (PHP) |
| 1034030 | TRUE | Avoid second order OS command injection (PHP) |
| 1034032 | TRUE | Avoid second order PHP Remote File Inclusion |
| 1034034 | TRUE | Avoid second order cookie injection (PHP) |
| 1034036 | TRUE | Avoid second order file path manipulation (PHP) |
| 1034038 | TRUE | Avoid cross-site scripting (persistent) (PHP) |
| 1034040 | TRUE | Avoid second order deserialization injection (PHP) |
| 1034042 | TRUE | Avoid second order HTTP header injection (PHP) |
| 1034044 | TRUE | Avoid second order server-side request forgery (PHP) |
| 1034046 | TRUE | Avoid second order reflection injection (PHP) |
| 1034048 | TRUE | Avoid using insufficient random generator (PHP) |
| 1034050 | TRUE | Avoid XPath injection (PHP) |
| 1034052 | TRUE | Avoid second order XPath injection (PHP) |