Release Notes - 1.6
1.6.4-funcrel
New Support
Summary | Details |
---|---|
Adds support for the walrus operator ( := ) | This operator is interpreted as an assignment, which improves the evaluation of values used in quality rules. |
Performance Improvements
Summary |
---|
Fixes "RuntimeError: maximum recursion depth exceeded" when analyzing complex code. |
Speeds up analysis of quality rules based on detection of tainted values. |
1.6.3-funcrel
Performance Improvements
Summary |
---|
Fixes a memory and performance issue in the global resolution step. In some cases the analysis could last for hours and consume all the virtual memory of the node. |
1.6.2-funcrel
Performance Improvements
Summary |
---|
Fixes a performance problem with the rule 1021084 "Avoid XPath injection (Python)" in the special case where the variable to be analyzed is inside a nested function (a function defined inside another function). |
1.6.1-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
50247 | Fixes an issue causing a frozen analysis. Also resolves performance issues in the evaluator. |
Other Updates
Details |
---|
Fixes an issue causing the analysis to freeze at the step "Start evaluating…". |
CLI args from "argparse" and "optparse" added as taint sources. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021080 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid resource injection (Python)". |
1021082 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid LDAP injection (Python)". |
1021084 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid XPath injection (Python)". |
1021106 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid server-side request forgery (Python)". |
1021102 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python)". |
1021088 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid uncontrolled sleep calls (Python)". |
1021104 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid file path manipulation (Python)". |
1021108 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid unsafe access to object attributes". |
1021092 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid reflected cross-site scripting (Python)". |
1021098 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid HTTP header injection (Python)". |
1021100 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid URL redirection to untrusted site (Python)". |
1021122 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid cookie poisoning". |
1021110 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid using regular expression vulnerable to ReDoS (Python)". |
1021120 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid mixing trusted and untrusted data in HTTP requests (Python)". |
1021130 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid overly permissive Cross-Origin Resource Sharing (CORS) policy (Python)". |
1021112 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid OS command injection (Python)". |
1021124 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid uncontrolled format string (Python)". |
1021134 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid Unchecked Input for Loop Condition (Python)". |
1021116 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid logging sensitive data (Python)". |
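As an added illustration (not code from the extension or its documentation) of two behaviours these notes describe: a value parsed by argparse is a taint source (1.6.1), and a walrus assignment propagates it like any other assignment (1.6.4). The script name, the "reports" directory and the confine() helper are constructed for this example; confine() is the validation a practitioner adds so that a CLI-supplied name never reaches the file system unchecked, which is the flow rule 1021104 "Avoid file path manipulation (Python)" reports.

```python
import argparse
import posixpath


def build_parser() -> argparse.ArgumentParser:
    """CLI surface: every value parsed here is untrusted (a taint source)."""
    parser = argparse.ArgumentParser(description="print a report file")
    parser.add_argument("--report", required=True, help="report name")
    return parser


def confine(base_dir: str, name: str) -> str:
    """Return base_dir/name only if the normalised name stays inside base_dir.

    Pure string check with posixpath: absolute names, the bare directory and
    any '..' that climbs above base_dir are rejected. Symlinks are not
    resolved here; an os.path.realpath check at open time is the stronger form.
    """
    norm = posixpath.normpath(name)
    if (
        name == ""
        or norm in (".", "..")
        or norm.startswith("/")
        or norm.startswith("../")
    ):
        raise ValueError(f"report name escapes {base_dir!r}: {name!r}")
    return posixpath.join(base_dir, norm)


def report_command(argv: list[str], base_dir: str = "reports") -> list[str]:
    """Build the argv list for `cat <report>` from CLI input.

    The walrus binding below is the assignment the 1.6.4 note refers to: the
    tainted value of args.report is carried by `name` into confine(). Returning
    an argv list (no shell string) keeps the value out of shell interpretation.
    """
    args = build_parser().parse_args(argv)
    if (name := args.report.strip()):
        return ["cat", confine(base_dir, name)]
    raise ValueError("empty report name")


if __name__ == "__main__":
    # Constructed sample input: a benign name and a traversal attempt.
    print(report_command(["--report", "q1.txt"]))
    try:
        report_command(["--report", "../etc/passwd"])
    except ValueError as err:
        print("rejected:", err)
```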
1.6.0-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
46313 | Fixes an error causing the extension to crash during quality rule analysis of recursive functions. |
1.6.0-alpha9
Other Updates
Details |
---|
Sensitive Data Tagging for NoSQL Collections has been added. See https://doc.castsoftware.com/technologies/multi/data-sensitivity/. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021136 | TRUE | Always protect against CSRF in FastAPI application. |
1021134 | TRUE | Avoid Unchecked Input for Loop Condition (Python). |
1021132 | TRUE | Avoid observable discrepancies in authentication messaging (Python). |
1021130 | TRUE | Avoid overly permissive Cross-Origin Resource Sharing (CORS) policy (Python). |
1021126 | FALSE | Fixed bug: avoid false positives on FastAPI, as this rule applies only to Flask. |
1021116 | FALSE | Fixed bug: correctly handle value interpolation in f-strings. |
1021120 | FALSE | Fixed bug: remove the violation when the session access is on the right-hand side of an assignment. |
1.6.0-alpha8
Resolved Issues
Customer Ticket Id | Details |
---|---|
45393 | Fixes an issue where the Python analyzer misses many internal links. |
Other Updates
Details |
---|
Introduction of support for evaluation of expressions inside f-strings. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021078 | FALSE | "Avoid unsafe deserialization (Python)": json.load and json.loads are now correctly detected. |
1021092 | FALSE | "Avoid reflected cross-site scripting (Python)": support getattr(), flask.url_for() and jinja environment. |
1021098 | FALSE | "Avoid HTTP header injection (Python)": don't raise a violation if the value is read from a Dict. |
1021102 | FALSE | "Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python)": add support for "feature_external_ges" for xml.sax's parser. |
1021082 | FALSE | "Avoid LDAP injection (Python)": ldap.dn.* escaping functions are now detected as implicit imports of the "ldap" module. |
1021100 | FALSE | "Avoid URL redirection to untrusted site": add support for Flask. |
1021120 | FALSE | "Avoid mixing trusted and untrusted data in HTTP requests": add support for Flask. |
1021126 | TRUE | Ensure the HTTP Strict-Transport-Security header (HSTS) is set up for Flask. |
1021128 | TRUE | Always protect against CSRF in Flask application. |
1021042 | FALSE | "Avoid hard-coded passwords (Python)" - updated the behaviour to ensure boolean values are not considered as hard-coded passwords. |
1021112 | FALSE | Support APIs for remote command execution: libraries Paramiko and AsyncSSH. |
1021088 | FALSE | Raise a violation when calling sleep functions inside for loops with tainted iterators. |
Performance Improvements
Summary |
---|
Fix performance issue in the evaluation of logging statements. |
1.6.0-alpha7
Other Updates
Details |
---|
Removed redundant parent links from external objects. |
Fixed an issue causing objects to be reported as added/deleted when an analysis unit is deleted and re-added, even when the analyzed source code has not changed. The fix modifies the internal GUID calculation for the following objects: AWS S3 buckets, AWS DynamoDB databases and AWS DynamoDB tables. During the update to this release of the extension, the old GUIDs of the objects listed above will be migrated to new GUIDs. |
1.6.0-alpha6
Rules
Rule Id | New Rule | Details |
---|---|---|
1021124 | TRUE | Avoid uncontrolled format string (Python) |
1021118 | TRUE | Avoid disabling CSRF Protection in fastapi_jwt_auth |
1021120 | TRUE | Avoid mixing trusted and untrusted data in HTTP requests (Python) |
1021122 | TRUE | Avoid cookie poisoning |
1021088 | FALSE | Shorten name to "Avoid uncontrolled sleep calls (Python)" |
1.6.0-alpha5
Rules
Rule Id | New Rule | Details |
---|---|---|
1021116 | TRUE | Avoid logging sensitive data (Python) |
1021114 | TRUE | Ensure the Strict-Transport-Security header (HSTS) is set up for FastAPI (Python) |
1021112 | TRUE | Avoid OS command injection (Python) |
New Support
Summary | Details |
---|---|
Support type annotations (type hints) | Statements and function definitions containing type annotations are now correctly parsed. |
1.6.0-alpha4
Other Updates
Details |
---|
Minor updates in the documentation of various quality rules: references, total counts, etc. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021108 | TRUE | Avoid unsafe access to object attributes |
1021106 | TRUE | Avoid server-side request forgery (Python) |
1021104 | TRUE | Avoid file path manipulation (Python) |
1021102 | TRUE | Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python) |
1021074 | FALSE | Corrected scope of the rule. Violations should be visible now in Python artifacts. |
1021110 | TRUE | Avoid using regular expression vulnerable to ReDoS (Python) |
1021096 | FALSE | Removed web service requests as second order injection sources. |
1021094 | FALSE | Removed web service requests as second order injection sources. |
Performance Improvements
Summary |
---|
Corrected performance issues (too many evaluations) during quality rule analysis of return statements inside web service operation handler methods. |
1.6.0-alpha3
Rules
Rule Id | New Rule | Details |
---|---|---|
1021100 | TRUE | Avoid URL redirection to untrusted site |
1021098 | TRUE | Avoid HTTP header injection |
1021096 | TRUE | Avoid second order LDAP injection |
1021094 | TRUE | Avoid cross-site scripting (persistent) |
1021092 | TRUE | Avoid reflected cross-site scripting |
1021090 | TRUE | Avoid using insufficient random generator |
1.6.0-alpha2
Resolved Issues
Customer Ticket Id | Details |
---|---|
42086 | Fixes the traceback error "TypeError: sequence item 4: expected str instance, NoneType found" with certain type hint annotations. |
Other Updates
Details |
---|
Corrects the resolution of variables when overridden with different types. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021082 | TRUE | Avoid LDAP injection (Python). |
1021084 | TRUE | Avoid XPath injection (Python). |
1021078 | FALSE | When the parameter is a constant, no violation is raised. |
1021088 | TRUE | Avoid uncontrolled sleep calls to prevent DoS attacks (Python). |
1021044 | FALSE | Enhance rule on SQL injection with new expression evaluator. |
New Support
Summary | Details |
---|---|
Support for special method __call__ | Method calls on instantiated objects are correctly resolved to their __call__ special method. |
1.6.0-alpha1
Resolved Issues
Customer Ticket Id | Details |
---|---|
40975 | Fixes the error messages found during the analysis of the Nameko framework. |
Other Updates
Details |
---|
Introduction of the new object Python Static Initializer for modeling class-body code. See https://doc.castsoftware.com/display/TECHNOS/Python+1.6#Python1.6-Pythonstaticinitializers. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021078 | TRUE | Avoid deserialization injection (Python) |
1021080 | TRUE | Avoid resource injection (Python) |
New Support
Summary | Details |
---|---|
Support f-strings | Evaluation of f-strings is partially supported: it is not supported if any of the characters '=', '[', '.' or '-' appears in the string. |
Support parenthesized context managers | Python 3.10 allows the use of parentheses in "with" statements: the extension now supports this. |