Release Notes - 1.6
1.6.8-funcrel
Fixes/Bugs
Customer Ticket Id | Technical Details | Customer Details |
---|---|---|
52111 | To remove false positives, the object on the left of the method call is now taken into account only for known constructors that take a URL. | Improve accuracy of rule: 1021106 - Avoid server-side request forgery (Python). |
1.6.7-funcrel
Other Updates
Details |
---|
Fixes Traceback: AttributeError: 'NoneType' object has no attribute 'parent' in parse_comprehension_loop. Also adds support for "async" in loop comprehension. |
Fixes Traceback: AttributeError: 'MethodCall' object has no attribute 'get_name'. |
Fixes Traceback: TypeError: 'NoneType' object is not iterable. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021080 | FALSE | "Avoid resource injection (Python)": rule updated to add support for Django and Falcon and improve support for AIOHTTP, Bottle, FastAPI, Nameko and Tornado. |
1.6.6-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
51665 | Fixes a stack overflow error that interrupted the analysis. |
1.6.5-funcrel
Link Improvements
Callee Type | Caller Type | Details |
---|---|---|
Python callable | CAST_RabbitMQ_Python_Queue | Fixes a traceback issue and creates missing queue objects. |
Performance
Summary |
---|
Fixes a performance issue with rules based on detection of tainted values, especially for rules ID 1021124 and 1021134. |
1.6.4-funcrel
New Support
Summary | Details |
---|---|
Adds support for the walrus operator ( := ) | This operator is interpreted as an assignment, which improves the evaluation of values used in quality rules. |
Performance
Summary |
---|
Speeds up analysis of quality rules based on detection of tainted values. |
Fixes "RuntimeError: maximum recursion depth exceeded" when analyzing complex code. |
1.6.3-funcrel
Performance
Summary |
---|
Fixes a memory and performance issue in the global resolution step. In some cases the analysis could last for hours and consume all the virtual memory of the node. |
1.6.2-funcrel
Performance
Summary |
---|
Fixes a performance problem with the rule 1021084 "Avoid XPath injection (Python)" in the special case where the variable to be analyzed is inside a nested function (a function defined inside another function). |
1.6.1-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
50247 | Fixes an issue causing a frozen analysis. Also resolves performance issues in the evaluator. |
Other Updates
Details |
---|
Fixes an issue causing the analysis to freeze at the step "Start evaluating…". |
CLI args from "argparse" and "optparse" added as taint sources. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021082 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid LDAP injection (Python)". |
1021106 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid server-side request forgery (Python)". |
1021102 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python)". |
1021088 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid uncontrolled sleep calls (Python)". |
1021108 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid unsafe access to object attributes". |
1021098 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid HTTP header injection (Python)". |
1021100 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid URL redirection to untrusted site (Python)". |
1021122 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid cookie poisoning". |
1021120 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid mixing trusted and untrusted data in HTTP requests (Python)". |
1021116 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid logging sensitive data (Python)". |
1021080 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid resource injection (Python)". |
1021084 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid XPath injection (Python)". |
1021104 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid file path manipulation (Python)". |
1021092 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid reflected cross-site scripting (Python)". |
1021110 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid using regular expression vulnerable to ReDoS (Python)". |
1021130 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid overly permissive Cross-Origin Resource Sharing (CORS) policy (Python)". |
1021112 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid OS command injection (Python)". |
1021124 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid uncontrolled format string (Python)". |
1021134 | FALSE | Added args from argparse and optparse libraries as taint sources, impacting the rule "Avoid Unchecked Input for Loop Condition (Python)". |
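As an added illustration of two entries on this page, the argparse/optparse taint sources added in this release and the walrus operator interpreted as an assignment in 1.6.4, here is a small AST check written for these notes (not the extension's own engine) that flags parse_args() results reaching a shell-executing call, the flow that rule 1021112 "Avoid OS command injection (Python)" targets. The sample program, the sink list and the parse_args() source pattern are constructed assumptions; optparse and re-bindings through other variables are not modelled.

```python
import ast
# Constructed sample program (not from the release notes): argparse values reach
# shell-executing calls, via a plain assignment and via the walrus operator.
SAMPLE = '''
import argparse, os, subprocess
parser = argparse.ArgumentParser()
parser.add_argument("--host")
args = parser.parse_args()
subprocess.run("ping -c 1 " + args.host, shell=True)
subprocess.run(["ping", "-c", "1", args.host])
if (opts := parser.parse_args()):
    os.system("ping -c 1 " + opts.host)
'''
# Assumed sink list for this illustration; rule 1021112 covers more APIs.
SHELL_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen", "os.system"}

def _dotted(node):  # 'a.b.c' for a Name/Attribute chain, None for anything else
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _shell_enabled(call):  # os.system, or a subprocess call with shell=True
    if _dotted(call.func) == "os.system":
        return True
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)

def find_tainted_sinks(source):
    """Return sorted (line, sink) pairs where a parse_args() result reaches a shell sink."""
    tree = ast.parse(source)
    tainted = set()  # names bound to parse_args() results; Assign and walrus both bind
    for node in ast.walk(tree):
        if isinstance(node, (ast.Assign, ast.NamedExpr)) and isinstance(node.value, ast.Call):
            if (_dotted(node.value.func) or "").endswith(".parse_args"):
                targets = node.targets if isinstance(node, ast.Assign) else [node.target]
                tainted.update(t.id for t in targets if isinstance(t, ast.Name))
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or _dotted(node.func) not in SHELL_SINKS:
            continue
        if not _shell_enabled(node):
            continue  # list-form subprocess call: argument is not parsed by a shell
        reads_taint = any(isinstance(sub, ast.Attribute) and isinstance(sub.value, ast.Name)
                          and sub.value.id in tainted for arg in node.args for sub in ast.walk(arg))
        if reads_taint:
            hits.append((node.lineno, _dotted(node.func)))
    return sorted(hits)
```

The list-form subprocess call on line 7 of the sample is not reported because no shell interprets its arguments; the two string-concatenation calls are.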
1.6.0-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
46313 | Fixes an error causing the extension to crash during quality rule analysis of recursive functions. |
1.6.0-alpha9
Other Updates
Details |
---|
Sensitive Data Tagging for NoSQL Collections has been added. See https://doc.castsoftware.com/technologies/multi/data-sensitivity/ . |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021120 | FALSE | Fixed bug: remove violation when session access is on the right side of an assignment. |
1021116 | FALSE | Fixed bug: correctly handle value interpolation in f-strings. |
1021126 | FALSE | Fixed bug: avoid false positives on FastAPI, as the rule applies to Flask. |
1021130 | TRUE | Avoid overly permissive Cross-Origin Resource Sharing (CORS) policy (Python). |
1021132 | TRUE | Avoid observable discrepancies in authentication messaging (Python). |
1021134 | TRUE | Avoid Unchecked Input for Loop Condition (Python). |
1021136 | TRUE | Always protect against CSRF in FastAPI application. |
1.6.0-alpha8
Resolved Issues
Customer Ticket Id | Details |
---|---|
45393 | Fixes an issue where the Python analyzer misses many internal links. |
Other Updates
Details |
---|
Introduces support for evaluating expressions inside f-strings. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021088 | FALSE | Raises a violation when calling sleep functions inside for loops with tainted iterators. |
1021112 | FALSE | Supports APIs for remote command execution: the Paramiko and AsyncSSH libraries. |
1021042 | FALSE | "Avoid hard-coded passwords (Python)" - updated the behaviour to ensure boolean values are not considered as hard-coded passwords. |
1021128 | TRUE | Always protect against CSRF in Flask application |
1021126 | TRUE | Ensure the HTTP Strict-Transport-Security header (HSTS) is set up for Flask. |
1021120 | FALSE | "Avoid mixing trusted and untrusted data in HTTP requests": add support for Flask. |
1021100 | FALSE | "Avoid URL redirection to untrusted site": add support for Flask. |
1021082 | FALSE | Avoid LDAP injection (Python): ldap.dn.* escaping functions are now detected as implicit imports of the "ldap" module. |
1021102 | FALSE | "Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python)": add support of "feature_external_ges" for xml.sax's parser. |
1021098 | FALSE | "Avoid HTTP header injection (Python)": don't raise a violation if the value is read from a Dict. |
1021092 | FALSE | "Avoid reflected cross-site scripting (Python)": support getattr(), flask.url_for() and jinja environment. |
1021078 | FALSE | "Avoid unsafe deserialization (Python)": json.load and json.loads are now correctly detected. |
Performance
Summary |
---|
Fix performance issue in the evaluation of logging statements. |
1.6.0-alpha7
Other Updates
Details |
---|
Fixed an issue causing added/deleted objects when an analysis unit is deleted and re-added, even when the analyzed source code has not changed. The fix modifies the internal GUID calculation for the following objects: AWS S3 buckets, AWS DynamoDB databases and AWS DynamoDB tables. During the update to this release of the extension, the old GUIDs of the objects listed above will be migrated to new GUIDs. |
Removed redundant parent links from external objects. |
1.6.0-alpha6
Rules
Rule Id | New Rule | Details |
---|---|---|
1021088 | FALSE | Shortened the rule name to "Avoid uncontrolled sleep calls (Python)". |
1021122 | TRUE | Avoid cookie poisoning |
1021120 | TRUE | Avoid mixing trusted and untrusted data in HTTP requests (Python) |
1021118 | TRUE | Avoid disabling CSRF Protection in fastapi_jwt_auth |
1021124 | TRUE | Avoid uncontrolled format string (Python) |
1.6.0-alpha5
Rules
Rule Id | New Rule | Details |
---|---|---|
1021112 | TRUE | Avoid OS command injection (Python) |
1021114 | TRUE | Ensure the Strict-Transport-Security header (HSTS) is set up for FastAPI (Python) |
1021116 | TRUE | Avoid logging sensitive data (Python) |
New Support
Summary | Details |
---|---|
Support type annotations (type hints) | Statements and function definitions containing type annotations are now correctly parsed. |
1.6.0-alpha4
Other Updates
Details |
---|
Minor updates to the documentation of various quality rules (references, total counts, …). |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021094 | FALSE | Removed web service requests as second order injection sources. |
1021096 | FALSE | Removed web service requests as second order injection sources. |
1021110 | TRUE | Avoid using regular expression vulnerable to ReDoS (Python) |
1021074 | FALSE | Corrected scope of the rule. Violations should be visible now in Python artifacts. |
1021102 | TRUE | Avoid parsing XML data without restriction of XML External Entity Reference (XXE) (Python) |
1021104 | TRUE | Avoid file path manipulation (Python) |
1021106 | TRUE | Avoid server-side request forgery (Python) |
1021108 | TRUE | Avoid unsafe access to object attributes |
Performance
Summary |
---|
Corrected a performance issue (too many evaluations) during quality rule analysis of return statements inside web service operation handler methods. |
1.6.0-alpha3
Rules
Rule Id | New Rule | Details |
---|---|---|
1021090 | TRUE | Avoid using insufficient random generator |
1021092 | TRUE | Avoid reflected cross-site scripting |
1021094 | TRUE | Avoid cross-site scripting (persistent) |
1021096 | TRUE | Avoid second order LDAP injection |
1021098 | TRUE | Avoid HTTP header injection |
1021100 | TRUE | Avoid URL redirection to untrusted site |
1.6.0-alpha2
Resolved Issues
Customer Ticket Id | Details |
---|---|
42086 | Fixes the traceback error "TypeError: sequence item 4: expected str instance, NoneType found" with certain type hint annotations. |
Other Updates
Details |
---|
Corrects the resolution of variables when overridden with different types. |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021044 | FALSE | Enhance rule on SQL injection with new expression evaluator. |
1021088 | TRUE | Avoid uncontrolled sleep calls to prevent DoS attacks (Python). |
1021078 | FALSE | When the parameter is a constant, no violation is raised. |
1021084 | TRUE | Avoid XPath injection (Python). |
1021082 | TRUE | Avoid LDAP injection (Python). |
New Support
Summary | Details |
---|---|
Support for special method __call__ | Method calls on instantiated objects are correctly resolved to their __call__ special method. |
1.6.0-alpha1
Resolved Issues
Customer Ticket Id | Details |
---|---|
40975 | Fixes the error messages found during the analysis of the Nameko framework. |
Other Updates
Details |
---|
Introduction of new object Python Static Initializer for modelization of class-body code. See https://doc.castsoftware.com/display/TECHNOS/Python+1.6#Python1.6-Pythonstaticinitializers . |
Rules
Rule Id | New Rule | Details |
---|---|---|
1021080 | TRUE | Avoid resource injection (Python) |
1021078 | TRUE | Avoid deserialization injection (Python) |
New Support
Summary | Details |
---|---|
Support parenthesized context managers | Python 3.10 allows the use of parentheses in "with" statements: the extension now supports this. |
Support f-strings | Evaluation of f-strings is partially supported: it is not supported when the string contains any of '=', '[', '.' or '-'. |