Release Notes - 1.6
1.6.0-alpha9
Other Updates
| Details |
|---|
| Sensitive Data Tagging for NoSQL Collections has been added. See https://doc.castsoftware.com/technologies/multi/data-sensitivity/ . |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1021136 | TRUE | Always protect against CSRF in FastAPI application. |
| 1021134 | TRUE | Avoid Unchecked Input for Loop Condition (Python). |
| 1021132 | TRUE | Avoid observable discrepancies in authentication messaging (Python). |
| 1021130 | TRUE | Avoid overly permissive Cross-Origin Resource Sharing (CORS) policy (Python). |
| 1021126 | FALSE | Fixed Bug: avoid false positive on FastAPI when current rule applies to flask. |
| 1021116 | FALSE | Fixed bug: correctly handle value interpolation in f-strings. |
| 1021120 | FALSE | Fixed bug: remove violation when session access is in the right side of an assignment. |
1.6.0-alpha8
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 45393 | Fixes an issue where the Python analyzer misses many internal links. |
Other Updates
| Details |
|---|
| Introduction of suport for evaluation of expressions inside f-strings. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1021078 | FALSE | “Avoid unsafe deserialization (Python)”: json.load and json.loads are now correctly detected. |
| 1021092 | FALSE | “Avoid reflected cross-site scripting (Python)”: support getattr(), flask.url_for() and jinja environment. |
| 1021098 | FALSE | “Avoid HTTP header injection (Python)”: don’t raise a violation if the value is read from a Dict. |
| 1021102 | FALSE | “Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python)”: add support of “feature_external_ges” for xml.sax’s parser. |
| 1021082 | FALSE | Avoid LDAP injection (Python): ldap.dn.* escaping functions are now detected as implicit imports of the “ldap” module. |
| 1021100 | FALSE | “Avoid URL redirection to untrusted site”: add support for Flask. |
| 1021120 | FALSE | “Avoid mixing trusted and untrusted data in HTTP requests”: add support for Flask. |
| 1021126 | TRUE | Ensure the HTTP Strict-Transport-Security header (HSTS) is set up for Flask. |
| 1021128 | TRUE | Always protect against CSRF in Flask application |
| 1021042 | FALSE | “Avoid hard-coded passwords (Python)” - updated the behaviour to ensure boolean values are not considered as hard-coded passwords. |
| 1021112 | FALSE | Support apis for remote command execution: libraries Paramiko and AsyncSSH |
| 1021088 | FALSE | Raise a violation when calling sleep functions inside for loops with tainted iterators |
Performance Improvements
| Summary |
|---|
| Fix performance issue in the evaluation of logging statements. |
1.6.0-alpha7
Other Updates
| Details |
|---|
| Removed redundant parent links from external objects. |
| Fixed an issue causing added/deleted objects when an analysis unit is deleted and re-added, even when the analyzed source code has not changed. The fix modifies the internal GUID calculation for the following objects: AWS S3 buckets, AWS DynamoDB databases and AWS DynamoDB tables. During the update to this release of the extension, the old GUIDs of the objects listed above will be migrated to new GUIDs. |
1.6.0-alpha6
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1021124 | TRUE | Avoid uncontrolled format string (Python) |
| 1021118 | TRUE | Avoid disabling CSRF Protection in fastapi_jwt_auth |
| 1021120 | TRUE | Avoid mixing trusted and untrusted data in HTTP requests (Python) |
| 1021122 | TRUE | Avoid cookie poisoning |
| 1021088 | FALSE | Shorten name to “Avoid uncontrolled sleep calls (Python)” |
1.6.0-alpha5
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1021116 | TRUE | Avoid logging sensitive data (Python) |
| 1021114 | TRUE | Ensure the Strict-Transport-Security header (HSTS) is set up for FastAPI (Python) |
| 1021112 | TRUE | Avoid OS command injection (Python) |
New Support
| Summary | Details |
|---|---|
| Support type annotations (type hints) | Statements and function definitions containing type annotations are now correctly parsed. |
1.6.0-alpha4
Other Updates
| Details |
|---|
| Minor updates in the documentation of various quality rules: References, total counts, …. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1021108 | TRUE | Avoid unsafe access to object attributes |
| 1021106 | TRUE | Avoid server-side request forgery (Python) |
| 1021104 | TRUE | Avoid file path manipulation (Python) |
| 1021102 | TRUE | Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python) |
| 1021074 | FALSE | Corrected scope of the rule. Violations should be visible now in Python artifacts. |
| 1021110 | TRUE | Avoid using regular expression vulnerable to ReDoS (Python) |
| 1021096 | FALSE | Removed web service requests as second order injection sources. |
| 1021094 | FALSE | Removed web service requests as second order injection sources. |
Performance Improvements
| Summary |
|---|
| Corrected performance issues (too many evaluations) during quality rule analysis during analysis of return statements inside web service operation handler methods |
1.6.0-alpha3
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1021100 | TRUE | Avoid URL redirection to untrusted site |
| 1021098 | TRUE | Avoid HTTP header injection |
| 1021096 | TRUE | Avoid second order LDAP injection |
| 1021094 | TRUE | Avoid cross-site scripting (persistent) |
| 1021092 | TRUE | Avoid reflected cross-site scripting |
| 1021090 | TRUE | Avoid using insufficient random generator |
1.6.0-alpha2
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 42086 | Fixes the traceback error “TypeError: sequence item 4: expected str instance, NoneType found” with certain type hint annotations. |
Other Updates
| Details |
|---|
| Corrects the resolution of variables when overridden with different types. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1021082 | TRUE | Avoid LDAP injection (Python). |
| 1021084 | TRUE | Avoid XPath injection (Python). |
| 1021078 | FALSE | When the parameter is a constant, no violation is raised. |
| 1021088 | TRUE | Avoid uncontrolled sleep calls to prevent DoS attacks (Python). |
| 1021044 | FALSE | Enhance rule on SQL injection with new expression evaluator. |
New Support
| Summary | Details |
|---|---|
| Support for special method __call__ | Method calls on instantiated objects are correctly resolved to their __call__ special method. |
1.6.0-alpha1
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 40975 | Fixes the error messages found during the analysis of the Nameko framework. |
Other Updates
| Details |
|---|
| Introduction of new object Python Static Initializer for modelization of class-body code. See https://doc.castsoftware.com/display/TECHNOS/Python+1.6#Python1.6-Pythonstaticinitializers . |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1021078 | TRUE | Avoid deserialization injection (Python) |
| 1021080 | TRUE | Avoid resource injection (Python) |
New Support
| Summary | Details |
|---|---|
| Support f-strings | Evaluation of f-strings is partially supported. Not support if one of (’=’, ‘[’, ‘.’, ‘-’) exists in the string. |
| Support parenthesized context managers | Python 3.10 allows the use of parentheses in “with” statements: the extension now supports this. |