Release Notes - 1.1


1.1.0-funcrel

Fixes/Bugs

Customer Ticket Id | Technical Details | Customer Details
- | Added functions forward_static_call(), forward_static_call_array(), register_shutdown_function() and register_tick_function() as psalm sinks | Improve accuracy of rules 1034012 - "Avoid reflection injection (PHP)" and 1034046 - "Avoid second order reflection injection (PHP)"
- | Handles usage of constants XMLReader::VALIDATE and XMLReader::SUBST_ENTITIES | Improve accuracy of rule 1034054 - "Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (PHP)"

New Support

Customer Ticket Id | Technical Details | Customer Details
- | Use Linux PHP executable and shared libraries from com.castsoftware.php.runtime82. | Support for Linux

Enhancement/Improvements

Customer Ticket Id | Technical Details | Customer Details
- | Update to psalm 5.26.1 | Upgrade internal library

1.1.0-beta2

Other Updates

Details
Upgrade to Psalm 5.25.0 (with patches).

1.1.0-beta1

Other Updates

Details
Upgrade to Psalm 5.24.0 (with patches).

Rules

Rule Id | New Rule | Details
1034048 | FALSE | Added mt_srand(), str_shuffle() and array_rand() as functions triggering a violation for rule "Avoid using insufficient random generator (PHP)".
1034064 | FALSE | Added ini_set('session.cookie_httponly', true) as a remediation for rule "Ensure httpOnly option is enabled when creating session (PHP)".
1034072 | TRUE | Avoid mixing trusted and untrusted data in HTTP requests (PHP)
1034070 | TRUE | Ensure strict mode is enabled when creating session (PHP)
1034068 | TRUE | Ensure SameSite option is enabled when creating session (PHP)
1034066 | TRUE | Avoid creating application cookie without SameSite option (PHP)
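As an added illustration that is not part of the extension or of these notes, the following shows the session/cookie pattern rules 1034064, 1034066, 1034068 and 1034070 look for: a session started on php.ini defaults beside one that sets the httpOnly, SameSite and strict-mode options the rules expect. The function names and the cookie values are constructed for the example; the 'secure' attribute is extra hardening, not one of the rules listed above.

```php
<?php
// Added example, not code from the extension or these release notes.

// Weak variant: relies on php.ini defaults, so the session cookie may be
// readable from JavaScript, sent on cross-site requests, and PHP will accept
// a session ID it never issued. This is the shape the rules flag.
function startSessionWeak(): void
{
    session_start();
}

// Hardened variant: the settings checked by rules 1034064 (httpOnly),
// 1034068 (SameSite) and 1034070 (strict mode), applied before session_start().
function startSessionHardened(): void
{
    // Only accept session IDs generated by this server (rule 1034070).
    ini_set('session.use_strict_mode', '1');
    // The remediation the notes cite for rule 1034064.
    ini_set('session.cookie_httponly', true);
    // Cookie attributes for the session cookie; 'samesite' needs PHP >= 7.3.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // extra hardening, not one of the listed rules
        'httponly' => true,      // rule 1034064
        'samesite' => 'Strict',  // rule 1034068
    ]);
    session_start();
}

// Application cookie (rule 1034066): setcookie() takes SameSite through the
// same options-array form, so the attribute is set explicitly rather than
// left to the browser default.
function setAppCookieHardened(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```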

1.1.0-alpha3

Resolved Issues

Customer Ticket Id | Details
46530 | Added "$argv" and "$_FILES" as taint sources for the rule "Avoid SQL injection (PHP)"
46596 | Fixed an issue with rule criticality: the rules provided by this extension are now considered "critical".

Other Updates

Details
Report from Psalm is now stored in a LISA sub-directory named "third_party_reports". The detailed results of Psalm no longer appear in standard CAST analysis logs.
The global variable "$argv" was added as a source for taint analysis.
The release of Psalm used by this extension has been updated to the "master" branch, commit 4b2c6980c51129b066ae85c73798162865df5142.

Rules

Rule Id | New Rule | Details
1034058 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid uncontrolled sleep calls (PHP)"
1034050 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid XPath injection (PHP)"
1034022 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid server-side request forgery (PHP)"
1034020 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid HTTP header injection (PHP)"
1034018 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid deserialization injection (PHP)"
1034016 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid reflected cross-site scripting (non persistent) (PHP)"
1034014 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid file path manipulation (PHP)"
1034012 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid reflection injection (PHP)"
1034010 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid code injection (PHP)"
1034008 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid PHP Remote File Inclusion"
1034006 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid OS command injection (PHP)"
1034004 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid LDAP injection (PHP)"
1034002 | FALSE | Added $argv and $_FILES as taint sources for rule "Avoid cookie injection (PHP)"
1034064 | TRUE | Ensure httpOnly option is enabled when creating session (PHP)
1034062 | TRUE | Avoid creating cookie without setting httpOnly option (PHP)
1034060 | TRUE | Avoid uncontrolled import into the current symbol table (PHP)

1.1.0-alpha2

Note

Updated Psalm (master branch, commit e72fb5a2b31e606abd525f867696c5ba5bf7451b).

Other Updates

Details
Psalm standard error is now redirected to cast.analysers.log with a [psalm stderr] prefix.

Rules

Rule Id | New Rule | Details
1034058 | TRUE | Avoid uncontrolled sleep calls (PHP)
1034056 | TRUE | Avoid using hard-coded HMAC keys (PHP)
1034054 | TRUE | Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (PHP)

1.1.0-alpha1

Other Updates

Details
Switched to the Psalm master branch (commit 96d83947615641734a5baa181d44da7f10ee0246), which will become the future 6.x version.

Rules

Rule Id | New Rule | Details
1034052 | TRUE | Avoid second order XPath injection (PHP)
1034050 | TRUE | Avoid XPath injection (PHP)
1034048 | TRUE | Avoid using insufficient random generator (PHP)
1034046 | TRUE | Avoid second order reflection injection (PHP)
1034044 | TRUE | Avoid second order server-side request forgery (PHP)
1034042 | TRUE | Avoid second order HTTP header injection (PHP)
1034040 | TRUE | Avoid second order deserialization injection (PHP)
1034038 | TRUE | Avoid cross-site scripting (persistent) (PHP)
1034036 | TRUE | Avoid second order file path manipulation (PHP)
1034034 | TRUE | Avoid second order cookie injection (PHP)
1034032 | TRUE | Avoid second order PHP Remote File Inclusion
1034030 | TRUE | Avoid second order OS command injection (PHP)
1034028 | TRUE | Avoid second order LDAP injection (PHP)
1034026 | TRUE | Avoid second order code injection (PHP)
1034024 | TRUE | Avoid second order SQL injection (PHP)