Release Notes - 1.2

1.2.12-funcrel

Resolved Issues

Customer Ticket Id Details
49240 Remove false positive for rule "Avoid unsafe object binding" when bound parameter is an array or a collection.

1.2.11-funcrel

Resolved Issues

Customer Ticket Id Details
48873 Remove false positive for rule "Avoid unsafe object binding" when bound parameter is a Boolean or a LocalDate.

1.2.10-funcrel

Resolved Issues

Customer Ticket Id Details
48873 Remove false positive for rule "Avoid unsafe object binding" when bound parameter is a Data Transfer Object.

1.2.9-funcrel

Other Updates

Details
Updated an internal library to provide improved resolutions and compatibility with Python 3.9/Linux.

1.2.8-funcrel

Resolved Issues

Customer Ticket Id Details
44764 Correction of false positive violation for rule "Ensure declaring formLogin after requesting authorization and authentication" (1040008).

1.2.7-funcrel

Other Updates

Details
Added support for Jakarta EE 9.0+

1.2.6-funcrel

Other Updates

Details
A change has been made to reduce the amount of log messages provided during the analysis. As a result some less important log messages have been changed from "info" to "debug".

1.2.5-funcrel

Resolved Issues

Customer Ticket Id Details
41280 Fixed false violation for the rule (1040016): 'PermitAll or user role should be specified to access URL(s) of the application'.

Other Updates

Details
Fixed missing violation for rule (1040002): 'Avoid disabling CSRF Protection'.

Rules

Rule Id New Rule Details
1040048 TRUE Avoid unsafe object binding (Spring)

1.2.4-funcrel

Resolved Issues

Customer Ticket Id Details
39495 Fixes an issue causing the rule "Avoid disabling CSRF Protection (Spring Security)" (1040002) to report no violations at all.
40067 Fixes an issue causing the rule "Avoid disabling CSRF Protection (Spring Security)" (1040002) to report no violations at all.

Rules

Rule Id New Rule Details
1040046 TRUE Avoid weak encryption algorithm (Spring)

1.2.3-funcrel

Resolved Issues

Customer Ticket Id Details
35537 Fixes false negative for QR "Avoid disabling CSRF Protection (Spring Security)"
36075 Fixes analyzer crash during parsing of xml files with lxml.etree.XMLSyntaxError error.
39396 Fixes false positives violations for the following rules "PermitAll or user role should be specified to access URL(s) of the application", "Avoid disabling CSRF Protection (Spring Security)" and "HTTP user session must be invalidated during logout".

Other Updates

Details
Fixes inconsistency between Analysis Unit configuration.

Rules

Rule Id New Rule Details
1040002 FALSE Fixed false negatives for the rule "Avoid disabling CSRF Protection (Spring Security)".
1040016 FALSE Removed false positives for the rule "PermitAll or user role should be specified to access URL(s) of the application".
1040002 FALSE Fixed false positives for the rule "Avoid disabling CSRF Protection (Spring Security)".
1040012 FALSE Fixed false positives for the rule "HTTP user session must be invalidated during logout".

1.2.2-funcrel

Other Updates

Details
JEE analyzer freeze when analyzing application with Spring Security.
Fix to resolve the error "Extension com.castsoftware.springsecurity has encountered an issue" during an analysis.

1.2.1-funcrel

Note

Extension withdrawn.

1.2.0-funcrel

Note

This release of the extension contains a large number of rule related improvements, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.

Other Updates

Details
Thresholds has been updated for critical rules.

Rules

Rule Id New Rule Details
1040010 FALSE Always delete the cookies during the logout.
1040018 FALSE Ensure the X-Frame-Options header is setup (Spring).
1040012 FALSE HTTP user session must be invalidated during logout.
1040024 FALSE Spring Boot Shutdown Actuator Endpoint must be secured from unauthenticated access.