Version 1.4.5 - Eh.. What's Up, Doc?

@h3xstream h3xstream released this Jan 5, 2016 · 249 commits to master since this release

Many bug patterns have been added for this release (see Full Changelog below).

During this milestone, a few important documentation additions were made:

Support for Scala-specific bug patterns is starting slowly. We are looking for feedback from the community and potential ideas for new bug patterns.


Full Changelog

Implemented enhancements:

  • Play framework demo #154
  • New Rule : Scala Command injection #153
  • New Rule : Unvalidated redirect in Play Framework #152
  • New Rule : Additional coverage for predictable random generator in Scala #151
  • New Rule: Detect weak HostnameVerifier #150
  • Migrate the old XSS detector to the new TaintDetector mechanism #149
  • Support alternative bytecode for setEscapeXml="false" JSP (Weblogic appc) #148
  • (Dev internal) DSL for more intuitive method matching #147
  • New Rule : Missing HttpOnly flag on cookie #144
  • New Rule : Trust Boundary Violation #133
  • Taint analysis : Add taint parameter annotations (RequestParam, PathVariable, ..) #132
  • New Rule : EL Expression Injection #130
  • New Rule : XSS detector using the taint detector approach #129
  • (Dev internal) Debug info for taint value to allow troubleshooting of the stack #81
  • New Rule : Seam Logger usage could lead to remote code execution #56
  • New Rule: Detect SSL disabler (Java + Scala implementation) #34

Fixed bugs:

  • Fix code block in description for multiple Bug Patterns : JSP_INCLUDE, JSP_SPRING_EVAL and JSP_JSTL_OUT #131
  • Hard coded keys false positive when loading bytes from FileInputStream #126
  • Description for weak digest needs an update #119
  • Error scanning Scala code in IntelliJ #112

Merged pull requests:

  • Change description of cryptography plus bad grammar #146 (mcwww)
  • Change to description #145 (mcwww)
  • Correct SonarQube product name #142 (agabrys)
  • Analysis of indirect subclasses of HttpServlet for XSS #137 (formanek)
  • Properly handle paths to files #136 (jsotuyod)
  • Fixed hard coded keys detector and out-of-bounds index in TaintAnalysis #135 (formanek)
