v0.15.0 — Spring Boot 2 (javax) support + Map-typed sources
Driven by, and verified against, a real vendor app — Contrast-Security-OSS/vulnerable-spring-boot-application (Spring Boot 2, javax.*, value read from a @RequestParam Map). Testing on real projects surfaced two gaps; both are now fixed:
- Spring Boot 2 / Java EE (`javax.*`) — `javax.persistence` `createQuery`/`createNativeQuery` and `javax.servlet` `sendRedirect`/`getParameter`/`getHeader`/`getQueryString`, alongside the `jakarta.*` signatures. The analyzer now works on Boot 2 apps (still widely deployed), not only Boot 3.
- Map-typed sources — a `Map.get`/`getOrDefault` taint transfer, so a tainted `@RequestParam Map<String,String>` propagates to values read out of it.
The analyzer now finds that app's cross-layer SQL injection:
```text
[CRITICAL] sql-injection (confidence: 99%)
Source: ProviderController.java:32 - search() (@RequestParam Map)
Sink: ProviderSearchDAO.java:18 - createNativeQuery() (javax.persistence)
```
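For reference, the shape of flow the two new rules model, as an added illustration (not code from the vendor app, the analyzer, or this project; the `SearchController`/`SearchDao` names and the `provider` table are assumed): a `@RequestParam Map` source, a `getOrDefault` read, and a `javax.persistence` `createNativeQuery` sink, followed by the bound-parameter form that removes the finding.

```java
import java.util.Map;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.Query;
import org.springframework.stereotype.Repository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller: every value in the Map is request-controlled, so the Map
// is the taint source. The new Map.get/getOrDefault transfer carries that taint to `name`.
@RestController
class SearchController {
    private final SearchDao dao;

    SearchController(SearchDao dao) {
        this.dao = dao;
    }

    @GetMapping("/search")
    public Object search(@RequestParam Map<String, String> params) {
        String name = params.getOrDefault("name", "");
        return dao.findByName(name);
    }
}

// Hypothetical DAO in a different layer: the sink is javax.persistence createNativeQuery.
@Repository
class SearchDao {
    @PersistenceContext
    private EntityManager em;

    // Reported as sql-injection: the tainted value becomes part of the SQL text.
    public Object findByName(String name) {
        Query q = em.createNativeQuery(
            "SELECT * FROM provider WHERE name = '" + name + "'");
        return q.getResultList();
    }

    // Remediated form: the value is passed as a bind parameter, not spliced into the
    // query string, so the tainted data cannot change the statement's structure.
    public Object findByNameSafe(String name) {
        Query q = em.createNativeQuery("SELECT * FROM provider WHERE name = ?1");
        q.setParameter(1, name);
        return q.getResultList();
    }
}
```

The same two methods written against `jakarta.persistence` imports exercise the Boot 3 signatures the analyzer already covered.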
Benchmark grows to 35 vulnerable cases (34 by the taint engine alone, 0 false positives). `docs/validation.md` now documents three real apps across both Boot generations — precision (petclinic) and recall (two vulnerable apps).