
Use YAML-based common configuration properties for all of our agents, and track your vulnerabilities with our Agile Central integration.

Fixes

  • IE11 users can load the Contrast login page for SaaS and complete actions in the Servers grid row.
  • Delete a server without errors, even if you just deleted the application.
  • Protect will show as "on" for merged and child applications on Protect-enabled servers.
  • The Application page stops loading once your search is complete.
  • The Route Coverage page is free from Invalid Form errors.
  • Send a vulnerability to your configured bugtracker after you refresh the page.

Improvements

  • Send vulnerabilities to Agile Central (formerly Rally) with our one-way integration, which lets you set fields such as Project Name, Defect State, Environment, Priority and more.

  • We changed the default filtering in the Applications grid to show you only licensed applications. Of course, you can still filter by your other favorite categories to make your search even easier.

Agent Updates

Java summary

The Java team fixed a bug that caused Assess events to be labeled with the wrong type, as well as a bug where user-provided Sanitizers that returned a new object could break data flow analysis. We added support for the YAML-based common configuration options. We also improved the reliability of Assess data flow analysis.

.NET summary

Users can now enable "profiler chaining" to allow the .NET agent to work alongside other third-party profilers such as New Relic, AppDynamics and Dynatrace. Set agent.dotnet.enable_chaining=true in the contrast_security.yaml common configuration file (or ProfilerChainingEnabled=true in the XML-based configuration file). The team improved Protect's handling of attacks delivered through JSON deserialization in ASP.NET MVC applications, instrumentation reliability in Web API applications, and Assess accuracy for interned strings during XML reading. We also fixed bugs where instrumentation led to a crash in 32-bit applications on Windows Server 2008, the agent didn't use the configured agent data directory, and the agent always used the "QA" environment settings for servers.

Node.js summary

The Node team added two cookie Assess rules, HttpOnly Flag Missing and Secure Flag Missing, for the Hapi 17 framework, as well as further support for session management. The team fixed issues with file paths on Windows, rendering of null values in templates, and an auto-update problem. We also added more common configuration options and implemented initial metadata support for instrumented applications.
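The two cookie rules above report a session cookie that is set without the HttpOnly or Secure attribute. As an added illustration (not code from this page or from the Contrast agent, which instruments the framework rather than parsing headers), the following stand-alone Node script performs the same two checks directly on Set-Cookie header values and shows a weak header beside a hardened one. The header strings and function names are constructed for the example.

```javascript
// Added example: reproduce the two findings (HttpOnly flag missing, Secure
// flag missing) by inspecting Set-Cookie header values. This is an
// illustration of what the rules report, not the agent's own mechanism.

// Split one Set-Cookie value into the cookie name and the set of attribute
// names (lower-cased, so "HttpOnly" and "httponly" compare equal).
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const attributes = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { name, attributes };
}

// Return one finding per missing flag for a single Set-Cookie value.
function checkCookieFlags(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.has('httponly')) {
    findings.push({ cookie: name, rule: 'HttpOnly flag missing' });
  }
  if (!attributes.has('secure')) {
    findings.push({ cookie: name, rule: 'Secure flag missing' });
  }
  return findings;
}

// Audit every Set-Cookie header of a response. Node's http module exposes
// repeated Set-Cookie headers as an array of strings, which is the shape
// taken here.
function auditSetCookieHeaders(headers) {
  return headers.flatMap(checkCookieFlags);
}

// Constructed sample responses: a weak session cookie and a hardened one.
const weakHeaders = ['sid=abc123; Path=/'];
const hardenedHeaders = ['sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict'];

if (typeof module !== 'undefined' && require.main === module) {
  console.log('weak:', auditSetCookieHeaders(weakHeaders));
  console.log('hardened:', auditSetCookieHeaders(hardenedHeaders));
}
```

In a hapi application the hardened form corresponds to registering the cookie with `isHttpOnly: true` and `isSecure: true` in the `server.state()` options (hapi's own option names, not taken from this page); the check above only shows what an Assess finding for the weak form would be reporting.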

Ruby summary

The Ruby team has been working on performance enhancements to the agent. The team made asynchronous inventory and route analysis the default. We deferred instrumentation until it is explicitly enabled, refactored our gem analysis algorithm, and streamlined many of the utility methods. The agent was updated to align with changes to the common configuration options and gained initial metadata support. In addition, the team is working towards general availability of the Ruby Assess features with the completion of the following Assess rules: XXE, NoSQL Injection and Unvalidated Redirect.

Python summary

The Python team continued to implement advanced Protect rules, with updates to the Path Traversal rule. The agent now supports the changes to the common configuration options and gained initial metadata support. The service layer added support for binary request bodies.