Highlights
This release focuses on detection accuracy, CBOM correctness, and CycloneDX alignment.
Detection fixes & improvements
- Python (pyca/cryptography): detect stream ciphers with
mode=None, standalone PyCA hash constructions, and correctly resolve parameterized dictionary subscriptions and*args/**kwargs. - Java (JCA/BouncyCastle): fixed the
ChaCha20Poly1305ENCRYPT method-name matching, narrowed overly broadEd25519/Ed448generate()rules to prevent false positives, and added OID mappings for PBES1 combinations.
CBOM & CycloneDX correctness
- Algorithm names now match the CycloneDX Cryptography Registry.
- Fixed asset deduplication logic and enabled the duplicate-depending-findings check.
- Correct handling of empty CBOMs when no SonarQube rule is active.
Quality & maintenance
- Added regression tests across Java and Python (MD5 detection,
RSADigestSigneredge cases, occurrence locations, detection inside custom functions). - Dependency and toolchain bumps, incl.
sonar-java8.22 andcyclonedx-core-java12.0.1. - Initial C# scanner work was explored during this cycle but removed before release; C# support is not included in 1.6.0.
What's Changed
- feat: C# support (System.Security.Cryptography) - initial draft by @fynnth in #376
- Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.20.0 by @dependabot[bot] in #364
- Bump sonar.java.version from 8.18.0.40025 to 8.22.0.41895 by @dependabot[bot] in #366
- Bump org.cyclonedx:cyclonedx-core-java from 11.0.1 to 12.0.1 by @dependabot[bot] in #367
- Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.26 by @dependabot[bot] in #368
- Bump org.assertj:assertj-core from 3.27.4 to 3.27.7 by @dependabot[bot] in #369
- Bump the maven group across 11 directories with 1 update by @dependabot[bot] in #370
- Bump cbomkit/cbomkit-action from 2.1.2 to 2.2.0 by @dependabot[bot] in #373
- Bump actions/upload-artifact from 5 to 7 by @dependabot[bot] in #375
- test(java): add regression test for MD5 detection in JCA MessageDigest by @sachin9058 in #393
- integrate csharp scanner with cbomkit-lib by @san-zrl in #405
- Fixed obsolete license statements by @san-zrl in #416
- test(java): add RSADigestSigner constructor edge-case coverage by @sachin9058 in #410
- feat(pbes1): add OID mappings for PBES1 combinations by @Ayush-Patel-56 in #389
- added c# parser sources by @san-zrl in #454
- Fixes issue of empty CBOM creation when no SonarQube rule is activated by @medha-14 in #388
- improved handling and testing of empty CBOMs by @san-zrl in #455
- test(python): verify detection inside custom functions (part of #9) by @sachin9058 in #394
- test(java): verify occurrence locations for issue #339 by @sachin9058 in #430
- fix: detect pyca stream ciphers with mode=None by @Truty424 in #460
- Fix resolution of parameterized dictionary subscriptions by @somiljain2006 in #457
- Ed25519 and Ed448 generate() rules were matching too broadly by @Arijit429 in #429
- fixes handling of *args and **kwargs by @san-zrl in #466
- fix correct method name in ChaCha20Poly1305 ENCRYPT detection rule by @vishnudathks in #459
- Fix asset deduplication logic by @somiljain2006 in #465
- Remove csharp by @san-zrl in #467
- fix(python): detect standalone PyCA hash constructions by @sachin9058 in #464
- Enable DuplicateDependingFindingsTest by @somiljain2006 in #468
- Update algorithm names to match CycloneDX schema by @n1ckl0sk0rtge in #362
New Contributors
- @fynnth made their first contribution in #376
- @sachin9058 made their first contribution in #393
- @Ayush-Patel-56 made their first contribution in #389
- @medha-14 made their first contribution in #388
- @Truty424 made their first contribution in #460
- @somiljain2006 made their first contribution in #457
- @Arijit429 made their first contribution in #429
- @vishnudathks made their first contribution in #459
Full Changelog: 1.5.1...1.6.0