CHANGELOG.md

File metadata and controls

47 lines (38 loc) · 3.4 KB

# Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

## [2.0.0] - 2024-01-23

### Added

- Added `owasp:api2:2023-short-lived-access-tokens` to error on OAuth 2.x flows which do not use a refresh token.
- Added `owasp:api3:2023-no-unevaluatedProperties` (format `oas3_1` only).
- Added `owasp:api3:2023-constrained-unevaluatedProperties` (format `oas3_1` only).
- Added `owasp:api5:2023-admin-security-unique`.
- Added `owasp:api8:2023-no-server-http`, which supports servers having a `url` that is a relative path.

### Changed

- Renamed `owasp:api1:2019-no-numeric-ids` to `owasp:api1:2023-no-numeric-ids`.
- Renamed `owasp:api2:2019-protection-global-unsafe-strict` to `owasp:api2:2023-write-restricted`.
- Renamed `owasp:api2:2019-protection-global-safe` to `owasp:api2:2023-read-restricted` and increased severity from `info` to `warn`.
- Renamed `owasp:api2:2019-auth-insecure-schemes` to `owasp:api2:2023-auth-insecure-schemes`.
- Renamed `owasp:api2:2019-jwt-best-practices` to `owasp:api2:2023-jwt-best-practices`.
- Renamed `owasp:api2:2019-no-api-keys-in-url` to `owasp:api2:2023-no-api-keys-in-url`.
- Renamed `owasp:api2:2019-no-credentials-in-url` to `owasp:api2:2023-no-credentials-in-url`.
- Renamed `owasp:api2:2019-no-http-basic` to `owasp:api2:2023-no-http-basic`.
- Renamed `owasp:api3:2019-define-error-validation` to `owasp:api8:2023-define-error-validation`.
- Renamed `owasp:api3:2019-define-error-responses-401` to `owasp:api8:2023-define-error-responses-401`.
- Renamed `owasp:api3:2019-define-error-responses-500` to `owasp:api8:2023-define-error-responses-500`.
- Renamed `owasp:api4:2019-rate-limit` to `owasp:api4:2023-rate-limit`.
- Renamed `owasp:api4:2019-rate-limit-retry-after` to `owasp:api4:2023-rate-limit-retry-after`.
- Renamed `owasp:api4:2019-rate-limit-responses-429` to `owasp:api4:2023-rate-limit-responses-429`.
- Renamed `owasp:api4:2019-array-limit` to `owasp:api4:2023-array-limit`.
- Renamed `owasp:api4:2019-string-limit` to `owasp:api4:2023-string-limit`.
- Renamed `owasp:api4:2019-string-restricted` to `owasp:api4:2023-string-restricted` and downgraded severity from `error` to `warn`.
- Renamed `owasp:api4:2019-integer-limit` to `owasp:api4:2023-integer-limit`.
- Renamed `owasp:api4:2019-integer-limit-legacy` to `owasp:api4:2023-integer-limit-legacy`.
- Renamed `owasp:api4:2019-integer-format` to `owasp:api4:2023-integer-format`.
- Renamed `owasp:api6:2019-no-additionalProperties` to `owasp:api3:2023-no-additionalProperties` and restricted the rule to run only on the `oas3_0` format.
- Renamed `owasp:api6:2019-constrained-additionalProperties` to `owasp:api3:2023-constrained-additionalProperties` and restricted the rule to run only on the `oas3_0` format.
- Renamed `owasp:api7:2023-security-hosts-https-oas2` to `owasp:api8:2023-no-scheme-http`.
- Renamed `owasp:api7:2023-security-hosts-https-oas3` to `owasp:api8:2023-no-server-http`.

### Removed

- Deleted `owasp:api2:2023-protection-global-unsafe`, since it allowed POST, PATCH, PUT and DELETE operations to be left unprotected, which is always a problem. Use the new `owasp:api2:2023-write-restricted` rule, which never allows these operations to disable security, or use Spectral overrides if you have an edge case.
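As an added example (not the ruleset's own code, which ships as Spectral rules and JavaScript functions), the checks behind `owasp:api2:2023-write-restricted` and `owasp:api2:2023-short-lived-access-tokens` re-implemented in Python over a constructed OpenAPI 3 document. Treating a flow with no `refreshUrl` as "does not use a refresh token", and treating `security: []` on a write operation as disabling security, are assumptions of this example.

```python
# Illustrative re-implementation, not the ruleset's code. Constructed sample
# spec: a global bearer requirement, a write op that disables it with
# `security: []`, a GET that does the same (read-restricted territory, not
# flagged here), and an OAuth2 flow with no refreshUrl (assumed signal for
# "no refresh token").
WRITE_METHODS = {"post", "put", "patch", "delete"}

SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearer": []}],
    "components": {"securitySchemes": {
        "bearer": {"type": "http", "scheme": "bearer"},
        "oauth": {"type": "oauth2", "flows": {
            "authorizationCode": {
                "authorizationUrl": "https://auth.example/authorize",
                "tokenUrl": "https://auth.example/token",
                "scopes": {"read": "read access"},
            }}},
    }},
    "paths": {
        "/health": {"get": {"security": []}},
        "/users": {"post": {"security": []}, "get": {}},
        "/users/{id}": {"delete": {"security": [{"bearer": []}]}},
    },
}

def unprotected_write_operations(spec):
    """(path, method) pairs for POST/PUT/PATCH/DELETE operations whose
    effective security is empty: an operation-level `security: []`, or no
    requirement at either the operation or document level."""
    global_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in WRITE_METHODS:
                continue  # also skips non-operation keys like "parameters"
            if not op.get("security", global_security):
                findings.append((path, method))
    return findings

def oauth2_flows_without_refresh(spec):
    """'scheme/flow' names for OAuth 2.x flows that define no refreshUrl."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    return [
        f"{name}/{flow_name}"
        for name, scheme in schemes.items()
        if scheme.get("type") == "oauth2"
        for flow_name, flow in scheme.get("flows", {}).items()
        if "refreshUrl" not in flow
    ]
```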