Release Notes - 1.2
1.2.19-funcrel
Enhancement/Improvements
| Customer Ticket Id | Customer Details |
|---|
| Updates internal evaluation engine leading to an overall enhancement of performance |
1.2.18-funcrel
Fixes/Bugs
| Customer Ticket Id | Customer Details |
|---|
| 53507 | Improves accuracy of rule: 1040048 - Avoid unsafe object binding (Spring) |
Enhancement/Improvements
| Customer Ticket Id | Customer Details |
|---|
| Updates embedded libraries. |
1.2.17-funcrel
Stability
| Customer Ticket Id | Customer Details |
|---|
| 53574 | Fixes an issue causing a crash in the analyzer. |
Enhancement/Improvements
| Customer Ticket Id | Customer Details |
|---|
| Updates embedded libraries. |
| 53574 | Updates internal evaluation engine leading to an on overall enhancement of violation detections. |
1.2.16-funcrel
Fixes/Bugs
| Customer Ticket Id | Customer Details |
|---|
| 52417 | Improve accuracy of rule 1040016 "PermitAll or user role should be specified to access URL(s) of the application". |
1.2.15-funcrel
Fixes/Bugs
| Customer Ticket Id | Customer Details |
|---|
| 52417 | Improve accuracy for rule 1040016 "PermitAll or user role should be specified to access URL(s) of the application" and clarify its documentation |
1.2.14-funcrel
Other Updates
| Details |
|---|
| Updated embedded libraries. |
| Fixed compatibility issues present when using the extension in v3/8.4 in a Linux/Docker environment. |
1.2.13-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|
| 48983 | Added support for the Lambda DSL method for disabling CSRF, therefore fixing a missing violation on the rule "Avoid disabling CSRF Protection (Spring Security)". |
Rules
| Rule Id | New Rule | Details |
|---|
| 1040002 | FALSE | Added support for the Lambda DSL method for disabling CSRF, therefore fixing a missing violation on the rule "Avoid disabling CSRF Protection (Spring Security)". |
1.2.12-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|
| 49240 | Remove false positive for rule "Avoid unsafe object binding" when bound parameter is an array or a collection. |
1.2.11-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|
| 48873 | Remove false positive for rule "Avoid unsafe object binding" when bound parameter is a Boolean or a LocalDate. |
1.2.10-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|
| 48873 | Remove false positive for rule "Avoid unsafe object binding" when bound parameter is a Data Transfer Object. |
1.2.9-funcrel
Other Updates
| Details |
|---|
| Updated an internal library to provide improved resolutions and compatibility with Python 3.9/Linux. |
1.2.8-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|
| 44764 | Correction of false positive violation for rule "Ensure declaring formLogin after requesting authorization and authentication" (1040008). |
1.2.7-funcrel
Other Updates
| Details |
|---|
| Added support for Jakarta EE 9.0+ |
1.2.6-funcrel
Other Updates
| Details |
|---|
| A change has been made to reduce the amount of log messages provided during the analysis. As a result some less important log messages have been changed from "info" to "debug". |
1.2.5-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|
| 41280 | Fixed false violation for the rule (1040016): 'PermitAll or user role should be specified to access URL(s) of the application'. |
Other Updates
| Details |
|---|
| Fixed missing violation for rule (1040002): 'Avoid disabling CSRF Protection'. |
Rules
| Rule Id | New Rule | Details |
|---|
| 1040048 | TRUE | Avoid unsafe object binding (Spring) |
1.2.4-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|
| 39495 | Fixes an issue causing the rule "Avoid disabling CSRF Protection (Spring Security)" (1040002) to report no violations at all. |
| 40067 | Fixes an issue causing the rule "Avoid disabling CSRF Protection (Spring Security)" (1040002) to report no violations at all. |
Rules
| Rule Id | New Rule | Details |
|---|
| 1040046 | TRUE | Avoid weak encryption algorithm (Spring) |
1.2.3-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|
| 35537 | Fixes false negative for QR "Avoid disabling CSRF Protection (Spring Security)" |
| 36075 | Fixes analyzer crash during parsing of xml files with lxml.etree.XMLSyntaxError error. |
| 39396 | Fixes false positives violations for the following rules "PermitAll or user role should be specified to access URL(s) of the application", "Avoid disabling CSRF Protection (Spring Security)" and "HTTP user session must be invalidated during logout". |
Other Updates
| Details |
|---|
| Fixes inconsistency between Analysis Unit configuration. |
Rules
| Rule Id | New Rule | Details |
|---|
| 1040002 | FALSE | Fixed false negatives for the rule "Avoid disabling CSRF Protection (Spring Security)". |
| 1040016 | FALSE | Removed false positives for the rule "PermitAll or user role should be specified to access URL(s) of the application". |
| 1040002 | FALSE | Fixed false positives for the rule "Avoid disabling CSRF Protection (Spring Security)". |
| 1040012 | FALSE | Fixed false positives for the rule "HTTP user session must be invalidated during logout". |
1.2.2-funcrel
Other Updates
| Details |
|---|
| JEE analyzer freeze when analyzing application with Spring Security. |
| Fix to resolve the error "Extension com.castsoftware.springsecurity has encountered an issue" during an analysis. |
1.2.1-funcrel
Note
Extension withdrawn.
1.2.0-funcrel
Note
This release of the extension contains a large number of rule related improvements, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.
Other Updates
| Details |
|---|
| Thresholds has been updated for critical rules. |
Rules
| Rule Id | New Rule | Details |
|---|
| 1040010 | FALSE | Always delete the cookies during the logout. |
| 1040018 | FALSE | Ensure the X-Frame-Options header is setup (Spring). |
| 1040012 | FALSE | HTTP user session must be invalidated during logout. |
| 1040024 | FALSE | Spring Boot Shutdown Actuator Endpoint must be secured from unauthenticated access. |