Created by James Hurrell on Mar 08, 2022
1.0.9-funcrel
Other Updates
Details |
---|
The Security Analyzer now supports "jakarta.servlet", similar to the existing support for "javax.servlet". |
For Java technologies, improved support for BufferedReader and InputStreamReader types has now been implemented. This change may impact all rules computed by the Security Analyzer. |
Rules
Rule Id | New Rule | Details |
---|---|---|
8424 | FALSE | Fixes an issue for the quality rule "Avoid using hard-coded HMAC keys" caused by the specific type java.util.Base64$Decoder. |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for JEE): support of JDBI 3. |
8420 | FALSE | Improved support for the quality rule "Avoid second order SQL injection" (for JEE): support of JDBI 3. |
8490 | FALSE | Improved support for the quality rule "Avoid SQL injection through API requests" (for JEE): support of JDBI 3. |
8044 | FALSE | Fixes false positives for the quality rule "Avoid log forging" (for .NET and JEE) when a numerical-type argument is passed to a sensitive method. |
8508 | FALSE | Fixes false positives for the quality rule "Avoid log forging through API requests" (for .NET and JEE) when a numerical-type argument is passed to a sensitive method. |
8542 | FALSE | Fixes false positives for the quality rule "Avoid debug forging" (for .NET and JEE) when a numerical-type argument is passed to a sensitive method. |
8544 | FALSE | Fixes false positives for the quality rule "Avoid debug forging through API requests" (for .NET and JEE) when a numerical-type argument is passed to a sensitive method. |
8418 | FALSE | Fixes false positives for the quality rule "Avoid NoSQL injection" (for .NET and JEE) when a numerical-type argument is passed to a sensitive method. |
8514 | FALSE | Fixes false positives for the quality rule "Avoid NoSQL injection through API requests" (for .NET and JEE) when a numerical-type argument is passed to a sensitive method. |
1.0.8-funcrel
Other Updates
Details |
---|
Extension com.castsoftware.dwr for "Direct Web Remoting Framework" (https://doc.castsoftware.com/display/TECHNOS/Direct+Web+Remoting) is able to prepare a collection of user-inputs specific to the DWR environment. This change may impact injection rules computed by the Security Analyzer: more violations may be detected on unchanged source code. |
Fixes an issue causing the Security Analyzer to report false positives or miss true positives for the quality rules "Avoid log forging" (8044), "Avoid log forging through API requests" (8508), "Avoid debug forging" (8542), "Avoid debug forging through API requests" (8544), "Avoid NoSQL injection" (8418) and "Avoid NoSQL injection through API requests" (8514) when the user input is of a numerical type. |
Rules
Rule Id | New Rule | Details |
---|---|---|
8416 | FALSE | Improved support for the rule "Avoid use of a reversible one-way hash" (for JEE): support of "org.apache.commons.codec". |
8424 | FALSE | Improved support for the rule "Avoid using hard-coded HMAC keys" (for JEE): support of "org.apache.commons.codec". |
8408 | FALSE | Improved support for the rule "Avoid reflected cross-site scripting (non persistent)" (for .NET): support of "System.Web.HttpResponseBase". |
8410 | FALSE | Improved support for the rule "Avoid cross-site scripting (persistent)" (for .NET): support of "System.Web.HttpResponseBase". |
8482 | FALSE | Improved support for the rule "Avoid cross-site scripting through API requests" (for .NET): support of "System.Web.HttpResponseBase". |
1.0.7-funcrel
Other Updates
Details |
---|
For the JEE environment, all rules of type "Avoid second order injection" are now computed more accurately. As a consequence, after upgrading to this release and running a new analysis, violation paths may differ from existing results and the number of violations may change. |
For the JEE environment, some methods of java.net.Socket are now recognized as inputs. This change may impact all rules computed by the Security Analyzer. |
For JEE, "jakarta.jms.MessageListener" is now an input for the series of rules "through API requests" computed by the Security Analyzer, such as "Avoid cross-site scripting through API requests". This change may impact existing analysis results for unchanged source code: additional violations may be found that were not found previously. |
For .NET, "System.Web.UI.StateBag" instances are now an input for the series of quality rules "through API requests" computed by the Security Analyzer, such as "Avoid cross-site scripting through API requests". This change may impact existing analysis results for unchanged source code: additional violations may be found that were not found previously. |
The Security Analyzer is now able to follow non-static fields and, in some very rare situations, to explore more paths. This fix impacts all rules computed by the Security Analyzer: the number of violations may change in comparison to previous results. |
Improvements have been implemented for the rules "Avoid NoSQL injection" (8418) and "Avoid NoSQL injection through API requests" (8514): previously these rules were not able to correctly identify input arguments with primitive types such as int / long / float / double, or with other specific types like "java.lang.Throwable". These input types are now handled correctly. As a result, after upgrading to this release and generating a new snapshot on unchanged source code, some violations that were previously detected erroneously may no longer be reported. |
Rules
Rule Id | New Rule | Details |
---|---|---|
8444 | FALSE | Improved support for the rule "Avoid resource URL manipulation" (for JEE): support of "java.lang.Class" and "java.lang.Object". |
1025048 | FALSE | Improved support for the rule "Avoid hard-coded password in connection string" (for .NET): support of "System.Data". |
1025054 | FALSE | Improved support for the rule "Avoid plaintext storage of password" (for JEE): the rule now supports a situation where the source is a call to the "getProperty" method. |
8438 | FALSE | Improved support for the rule "Avoid code injection" (for .NET): support of "System.CodeDom.Compiler". |
8524 | FALSE | Improved support for the rule "Avoid deserialization injection" (for .NET): support of "Newtonsoft.Json". |
8526 | FALSE | Improved support for the rule "Avoid second order deserialization injection" (for .NET): support of "Newtonsoft.Json". |
8528 | FALSE | Improved support for the rule "Avoid deserialization injection through API requests" (for .NET): support of "Newtonsoft.Json". |
8408 | FALSE | Improved support for the rule "Avoid reflected cross-site scripting (non persistent)" (for .NET): support of "System.Console". |
8410 | FALSE | Improved support for the rule "Avoid cross-site scripting (persistent)" (for .NET): support of "System.Console". |
8482 | FALSE | Improved support for the rule "Avoid cross-site scripting through API requests" (for .NET): support of "System.Console". |
8518 | FALSE | Improved support for the rule "Avoid regular expression injection" (for JEE): support of "spring-security". |
8520 | FALSE | Improved support for the rule "Avoid second order regular expression injection" (for JEE): support of "spring-security". |
8522 | FALSE | Improved support for the rule "Avoid regular expression injection through API requests" (for JEE): support of "spring-security". |
1025024 | FALSE | Improved support for the rule "Avoid disabling the expiration time validation of a JWT token" (for .NET): support of "System.IdentityModel.Tokens.Jwt". |
8408 | FALSE | Improved support for the rule "Avoid reflected cross-site scripting (non persistent)" (for JEE): support of "java.awt.Component". |
8410 | FALSE | Improved support for the rule "Avoid cross-site scripting (persistent)" (for JEE): support of "java.awt.Component". |
8482 | FALSE | Improved support for the rule "Avoid cross-site scripting through API requests" (for JEE): support of "java.awt.Component". |
8438 | FALSE | Improved support for the rule "Avoid code injection" (for JEE): support of "java.lang.reflect". |
8500 | FALSE | Improved support for the rule "Avoid code injection through API requests" (for JEE): support of "java.lang.reflect". |
8416 | FALSE | Improved support for the rule "Avoid use of a reversible one-way hash" (for JEE): support of "org.springframework.util". |
7742 | FALSE | Improved support for the rule "Avoid SQL injection" (for JEE): support of frameworks with "IRepository" in their type name. |
8420 | FALSE | Improved support for the rule "Avoid second order SQL injection" (for JEE): support of frameworks with "IRepository" in their type name. |
8490 | FALSE | Improved support for the rule "Avoid SQL injection through API requests" (for JEE): support of frameworks with "IRepository" in their type name. |
7752 | FALSE | Improved support for the rule "Avoid file path manipulation" (for JEE): support of "org.apache.pdfbox". |
8506 | FALSE | Improved support for the rule "Avoid file path manipulation through API requests" (for JEE): support of "org.apache.pdfbox". |
1.0.6-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
39791 | Fixes an issue causing the Security Analyzer to crash while computing the quality rule "Avoid using unnormalized input strings" (1025052). |
Other Updates
Details |
---|
For JEE, ESAPI sanitization now applies only to the quality rules 8410 ("Avoid cross-site scripting (persistent)"), 8408 ("Avoid reflected cross-site scripting (non persistent)") and 8482 ("Avoid cross-site scripting through API requests"). In previous releases ESAPI sanitization applied to all rules, so this change may impact existing analysis results for unchanged source code: fewer violations may be found for rules that are no longer configured for ESAPI sanitization. |
In an ASP.NET MVC environment, the methods of controllers that return a Task<ActionResult> are now a source for the series of quality rules "through API requests" of the Security Analyzer, such as "Avoid cross-site scripting through API requests". This change may impact existing analysis results for unchanged source code: additional violations may be found that were not found previously. |
Rules
Rule Id | New Rule | Details |
---|---|---|
8222 | FALSE | The Security Analyzer now automatically recognizes Password/password setters as candidates for the quality rule "Avoid hard-coded credentials". |
8518 | FALSE | Improved support for the quality rule "Avoid regular expression injection" (for JEE): support of org.apache.oro. |
8520 | FALSE | Improved support for the quality rule "Avoid second order regular expression injection" (for JEE): support of org.apache.oro. |
8522 | FALSE | Improved support for the quality rule "Avoid regular expression injection through API requests" (for JEE): support of org.apache.oro. |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of Microsoft.EntityFrameworkCore.RelationalQueryableExtensions. |
8420 | FALSE | Improved support for the quality rule "Avoid second order SQL injection" (for .NET): support of Microsoft.EntityFrameworkCore.RelationalQueryableExtensions. |
8490 | FALSE | Improved support for the quality rule "Avoid SQL injection through API requests" (for .NET): support of Microsoft.EntityFrameworkCore.RelationalQueryableExtensions. |
8222 | FALSE | Improved support for the quality rule "Avoid hard-coded credentials" (for JEE): support of android.webkit.HttpAuthHandler. |
1025054 | FALSE | Improved support for the quality rule "Avoid plaintext storage of password" (for JEE): support of android.webkit.HttpAuthHandler. |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of MySql.Data.MySqlClient.MySqlHelper. |
8420 | FALSE | Improved support for the quality rule "Avoid second order SQL injection" (for .NET): support of MySql.Data.MySqlClient.MySqlHelper. |
8490 | FALSE | Improved support for the quality rule "Avoid SQL injection through API requests" (for .NET): support of MySql.Data.MySqlClient.MySqlHelper. |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of Microsoft.SqlServer.Server.SqlPipe. |
8420 | FALSE | Improved support for the quality rule "Avoid second order SQL injection" (for .NET): support of Microsoft.SqlServer.Server.SqlPipe. |
8490 | FALSE | Improved support for the quality rule "Avoid SQL injection through API requests" (for .NET): support of Microsoft.SqlServer.Server.SqlPipe. |
8240 | FALSE | Improved support for the quality rule "Avoid using unsecured cookie" (for JEE): support of org.apache.commons.httpclient. |
1025016 | FALSE | Improved support for the quality rule "Avoid using cookie without the HttpOnly flag" (for JEE): support of org.apache.commons.httpclient. |
8044 | FALSE | The Security Analyzer now automatically recognizes log/trace/info/warn/error methods for more types (for JEE and .NET) as candidates for the quality rule "Avoid log forging". |
8508 | FALSE | The Security Analyzer now automatically recognizes log/trace/info/warn/error methods for more types (for JEE and .NET) as candidates for the quality rule "Avoid log forging through API requests". |
8542 | FALSE | The Security Analyzer now automatically recognizes log/trace/info/warn/error methods for more types (for JEE and .NET) as candidates for the quality rule "Avoid debug forging". |
8544 | FALSE | The Security Analyzer now automatically recognizes log/trace/info/warn/error methods for more types (for JEE and .NET) as candidates for the quality rule "Avoid debug forging through API requests". |
7746 | FALSE | Improved support for the quality rule "Avoid LDAP injection" (for JEE): support of org.apache.directory.ldap. |
8492 | FALSE | Improved support for the quality rule "Avoid LDAP injection through API requests" (for JEE): support of org.apache.directory.ldap. |
1025010 | FALSE | Improved support for the quality rule "Avoid second order LDAP injection" (for JEE): support of org.apache.directory.ldap. |
1.0.5-funcrel
Rules
Rule Id | New Rule | Details |
---|---|---|
1025052 | TRUE | New rule: "Avoid using unnormalized input strings" has been added. |
1025054 | TRUE | New rule: "Avoid plaintext storage of password" has been added. |
8222 | FALSE | Improved support for the quality rule "Avoid hard-coded credentials" (for .NET and JEE) |
1.0.4-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
38343 | Removed some rare false positives for the quality rule: "Avoid OS command injection" (7748). |
Rules
Rule Id | New Rule | Details |
---|---|---|
1025050 | TRUE | New rule: "Avoid dangerous file inclusion" has been added. |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of SQLite-net. |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of Microsoft.Data.Sqlite. |
7748 | FALSE | Removed false positives for the rule "Avoid OS command injection" (7748). |
1.0.3-funcrel
Rules
Rule Id | New Rule | Details |
---|---|---|
8408 | FALSE | Improved support for the quality rule "Avoid reflected cross-site scripting" (for .NET): support of the type System.IO.TextWriter |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of Microsoft.ServiceFabric.Data |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): improved support of Oracle.DataAccess.Client |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): better support for System.Data types |
8408 | FALSE | Improved support for the quality rule "Avoid reflected cross-site scripting" (for JEE): support of the type "AntiSamy" sanitization framework |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of IBM.Data.DB2 and IBM.Data.Informix |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of MySql.Data, MySqlConnector and Devart.Data.MySql |
1025040 | TRUE | New rule: "Avoid external control of system or configuration setting" is added |
1025042 | TRUE | New rule: "Avoid external control of system or configuration setting through API requests" is added |
1025044 | TRUE | New rule: "Avoid MVC injection" is added |
1025046 | TRUE | New rule: "Avoid MVC injection through API requests" is added |
1025048 | TRUE | New rule: "Avoid hard-coded password in connection string" is added |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of System.Web.UI.WebControls.SqlDataSource |
7742 | FALSE | Improved support for the quality rule "Avoid SQL injection" (for .NET): support of Microsoft.Data.SqlClient |
1.0.2-funcrel
Rules
Rule Id | New Rule | Details |
---|---|---|
1025024 | TRUE | New rule: "Avoid disabling the expiration time validation of a JWT token" is added with the support of Microsoft.IdentityModel framework for .NET. |
1025026 | TRUE | New rule: "Avoid disabling the expiration time requirement of a JWT token" is added with the support of the Microsoft.IdentityModel framework for .NET and jwkt for Java. |
1025028 | TRUE | New rule: "Avoid disabling the signature requirement of a JWT token" is added with the support of the Microsoft.IdentityModel framework for .NET and jwkt for Java. |
1025030 | TRUE | New rule: "Avoid hard-coded JWT secret keys" is added with the support of jwkt for Java. |
1025032 | TRUE | New rule: "Avoid insecure parameters for PBKDF2 password encoder" is added. |
1025034 | TRUE | New rule: "Avoid insecure parameters for BCrypt password encoder" is added. |
1025036 | TRUE | New rule: "Avoid insecure parameters for Argon2 password encoder" is added. |
1025038 | TRUE | New rule: "Avoid insecure parameters for SCrypt password encoder" is added. |
1.0.1-funcrel
Other Updates
Details |
---|
The Security Analyzer now supports JAX-RS entry-points. |
Rules
Rule Id | New Rule | Details |
---|---|---|
7752 | FALSE | Removed some rare false positives for the quality rule: "Avoid file path manipulation" (.NET only). |
8222 | FALSE | Improved the support for the quality rule: "Avoid hard-coded credentials" (for .NET and Java). |
8240 | FALSE | Rule: "Avoid using unsecured cookie" moved to "Secure Coding - Weak Security Features". |
1025018 | TRUE | New rule: "Avoid cookie injection" is added for .NET and Java. |
1025010 | TRUE | New rule: "Avoid second order LDAP injection" is added for .NET and Java. |
8536 | FALSE | Improved the support for the rule: "Avoid expression language injection". The Security Analyzer is now able to detect violations of type "Avoid expression language injection" for OGNL expressions. |
1025020 | TRUE | New rule: "Avoid data filter injection" is added for .NET and Java. |
1025022 | TRUE | New rule: "Avoid data filter injection through API requests" is added for .NET and Java. |
1025002 | TRUE | New rule: "Avoid second order XPath injection" is added for .NET and Java. |
1025004 | TRUE | New rule: "Avoid second order URL redirection to untrusted site" is added for .NET and Java. |
1025016 | TRUE | New rule: "Avoid using cookie without the HttpOnly flag" is added for .NET and Java. |
1.0.0-funcrel
Note
This is the first release of the Security Analyzer as a standalone extension. The Security Analyzer has been externalised as an extension to give the feature more flexibility for future development. The Security Analyzer embedded in AIP Core will continue to exist and will be shipped "out of the box" with AIP Core, but only critical bugs will be fixed and no new features or functionality will be added. On release, this extension has the same features and functionality as the Security Analyzer embedded in AIP Core (except for the addition of one new rule - see below). The new Security Analyzer extension is compatible with AIP Core ≥ 8.3.44. All future development of the Security Analyzer (bug fixes, new features, functionality etc.) will be completed in the Security Analyzer extension only. The behaviour is as follows:
1) Nothing is automatic - for both AIP Console and "legacy" CAST AIP deployments, the Security Analyzer extension must be manually downloaded and installed in order to use it.
2) If the extension is installed, CAST AIP Console/CAST Management Studio will automatically detect that it exists and will use the extension rather than the analyzer embedded in AIP Core.
3) Once the extension has been installed and used to produce analysis results, it is not possible to reverse this choice by removing the extension and re-analyzing the source code.
Rules
Rule Id | New Rule | Details |
---|---|---|
1025000 | TRUE | A new rule "Avoid second order OS command injection" has been added in this release. |