Skip to content

1.6.0

Latest

Choose a tag to compare

@n1ckl0sk0rtge n1ckl0sk0rtge released this 03 Jul 14:26
6c2f1d2

Highlights

This release focuses on detection accuracy, CBOM correctness, and CycloneDX alignment.

Detection fixes & improvements

  • Python (pyca/cryptography): detect stream ciphers with mode=None, standalone PyCA hash constructions, and correctly resolve parameterized dictionary subscriptions and *args/**kwargs.
  • Java (JCA/BouncyCastle): fixed the ChaCha20Poly1305 ENCRYPT method-name matching, narrowed overly broad Ed25519/Ed448 generate() rules to prevent false positives, and added OID mappings for PBES1 combinations.

CBOM & CycloneDX correctness

  • Algorithm names now match the CycloneDX Cryptography Registry.
  • Fixed asset deduplication logic and enabled the duplicate-depending-findings check.
  • Correct handling of empty CBOMs when no SonarQube rule is active.

Quality & maintenance

  • Added regression tests across Java and Python (MD5 detection, RSADigestSigner edge cases, occurrence locations, detection inside custom functions).
  • Dependency and toolchain bumps, incl. sonar-java 8.22 and cyclonedx-core-java 12.0.1.
  • Initial C# scanner work was explored during this cycle but removed before release; C# support is not included in 1.6.0.

What's Changed

  • feat: C# support (System.Security.Cryptography) - initial draft by @fynnth in #376
  • Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.20.0 by @dependabot[bot] in #364
  • Bump sonar.java.version from 8.18.0.40025 to 8.22.0.41895 by @dependabot[bot] in #366
  • Bump org.cyclonedx:cyclonedx-core-java from 11.0.1 to 12.0.1 by @dependabot[bot] in #367
  • Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.26 by @dependabot[bot] in #368
  • Bump org.assertj:assertj-core from 3.27.4 to 3.27.7 by @dependabot[bot] in #369
  • Bump the maven group across 11 directories with 1 update by @dependabot[bot] in #370
  • Bump cbomkit/cbomkit-action from 2.1.2 to 2.2.0 by @dependabot[bot] in #373
  • Bump actions/upload-artifact from 5 to 7 by @dependabot[bot] in #375
  • test(java): add regression test for MD5 detection in JCA MessageDigest by @sachin9058 in #393
  • integrate csharp scanner with cbomkit-lib by @san-zrl in #405
  • Fixed obsolete license statements by @san-zrl in #416
  • test(java): add RSADigestSigner constructor edge-case coverage by @sachin9058 in #410
  • feat(pbes1): add OID mappings for PBES1 combinations by @Ayush-Patel-56 in #389
  • added c# parser sources by @san-zrl in #454
  • Fixes issue of empty CBOM creation when no SonarQube rule is activated by @medha-14 in #388
  • improved handling and testing of empty CBOMs by @san-zrl in #455
  • test(python): verify detection inside custom functions (part of #9) by @sachin9058 in #394
  • test(java): verify occurrence locations for issue #339 by @sachin9058 in #430
  • fix: detect pyca stream ciphers with mode=None by @Truty424 in #460
  • Fix resolution of parameterized dictionary subscriptions by @somiljain2006 in #457
  • Ed25519 and Ed448 generate() rules were matching too broadly by @Arijit429 in #429
  • fixes handling of *args and **kwargs by @san-zrl in #466
  • fix correct method name in ChaCha20Poly1305 ENCRYPT detection rule by @vishnudathks in #459
  • Fix asset deduplication logic by @somiljain2006 in #465
  • Remove csharp by @san-zrl in #467
  • fix(python): detect standalone PyCA hash constructions by @sachin9058 in #464
  • Enable DuplicateDependingFindingsTest by @somiljain2006 in #468
  • Update algorithm names to match CycloneDX schema by @n1ckl0sk0rtge in #362

New Contributors

Full Changelog: 1.5.1...1.6.0