CHANGELOG.md
Change Log

Full Changelog

Closed issues:

  • Run coveralls after each build #287

Merged pull requests:

version-1.6.0 (2017-03-15)

Full Changelog

Implemented enhancements:

  • Unexpected deserialization with RestEasy/Jersey #198
  • Turbine SQL Injection #238
  • Detect hardcoded password in unknown API #231
  • Malicious deserialization from LDAP entry #228
  • (Dev internal) Validate the configuration files automatically #158
  • Turbine SQL injections #253 (h3xstream)
  • Adding overly permissive CORS policy detector #248 (plr0man)
  • LDAP improvements #278 (h3xstream)
  • Add HTTP Parameter Pollution Injection Detector #267 (plr0man)
  • Add File Disclosure Injection detector #265 (plr0man)
  • Java source and target from 1.6 to 1.7 & API compatibility check #264 (ptamarit)
  • Add JavaBeans Property Injection detector #263 (plr0man)
  • Add Insecure SMTP SSL detector #259 (plr0man)
  • SQL Injection (CWE-89) - Scala Slick & Scala Anorm injection detectors #254 (MaxNad)
  • Add Url rewriting detector #252 (plr0man)
  • UNENCRYPTED_SERVER_SOCKET: use of java.net.ServerSocket #239 (edrdo)
  • Server Side Request Forgery (CWE 918) - Basic detector implementation #234 (MaxNad)

Fixed bugs:

  • Out of bounds mutables in ... (Assertion triggered) #275
  • Force encoding to UTF-8 on windows when generating micro-website #232
  • Freemarker description fix #230
  • Bug fix of detection of bad cipher modes of operation and minor improvements #271 (formanek)

Closed issues:

  • Find-sec-bugs maven plugin failed to execute #274
  • False negatives in detection of bad modes of operation #270
  • findbugs not working with Sonarqube 6.1 #235
  • Update JSP compiler #279

Merged pull requests:

  • Remove duplicated word in README #282 (jwilk)
  • Update JSP compiler #281 (h3xstream)
  • Fix #275 #277 (h3xstream)
  • Add Format String Manipulation Injection Detector #266 (plr0man)
  • Travis improvements: batch mode and verify phase #262 (ptamarit)
  • Add AWS Query Injection detector #260 (plr0man)
  • Fix false negatives in InsufficientKeySizeRsaDetector #257 (plr0man)
  • Fix false negative SHA in WeakMessageDigestDetector #255 (plr0man)
  • Persistent cookie detector #251 (plr0man)
  • Anonymous LDAP Bind detector #250 (plr0man)
  • Fix Maven warnings (missing plugin version, relocation, proprietary API) #247 (ptamarit)
  • Adding ThreadLocalRandom detection #246 (plr0man)
  • Improve SpringMvcEndpointDetector by detecting new RequestMapping annotation shortcuts #244 (ptamarit)
  • Update plugins #279 #280 (h3xstream)
  • Spring CSRF: Protection Disabled & Unrestricted RequestMapping #261 (ptamarit)
  • (internal) Refactoring: Rename Summary to TaintConfig #258 (h3xstream)

version-1.5.0 (2016-10-06)

Full Changelog

Implemented enhancements:

  • Detect template usage (template injection) #227
  • Reduce the number of FP related to Trust Boundary Violation #226
  • XSS in Portlet #216
  • How to set findsecbugs.taint.customconfigfile through gradle? #215
  • Identify weak XML parser properties that could lead to XXE #209
  • Scala: XSS in twirl template #207
  • Scala: XSS in Play controller #206
  • XML parsing vulnerable to XXE (XMLReader) shortage #191
  • Path Traversal (CWE 22) - Scala Path Traversal injection sinks #223 (MaxNad)
  • Sensitive data exposure (CWE 200) - Sensitive data exposure in cookies #221 (MaxNad)
  • XSS (CWE 79) - Scala - The detector can be fooled when the .as("text/html") is in uppercase #208 (MaxNad)
  • Taint analysis bug fixes and improvements #214 (topolik)
  • Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)
  • XSS (CWE 79) - Scala Play vulnerable code #203 (MaxNad)
  • CWE 200 (Information Exposure) - Scala Play vulnerable code #202 (MaxNad)

Fixed bugs:

  • FP: sending local broadcasts via LocalBroadcastManager #224
  • False positive: ResourceBundle in JSP #213
  • Out of bounds mutables in static myclass$.<clinit>()V #199
  • Issue #224 - Added an exception for the LocalBroadcastManager in the detector. #225 (MaxNad)
  • Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)

Closed issues:

  • Do not report null-pointer dereference if there is code that already throws RuntimeError #197
  • Release version 1.4.6 #195
  • Release 1.4.5 #159
  • Fix mix-content on micro-website #229

Merged pull requests:

  • Custom config file method refactoring #218 (topolik)
  • Accept environment variables spelled with underscores #217 (kuhnmi)

version-1.4.6 (2016-06-02)

Full Changelog

Implemented enhancements:

  • Detect deserialization gadgets #189
  • CustomInjection issues #172
  • New Rule : XSLT processing detection #168
  • Better sink confirmation mechanism, safe fields #173 (formanek)
  • Credentials detector for Hashtable improved #155 (mcwww)
  • Update owasp.txt #188 (s-tikhomirov)
  • Correct Japanese messages formatting #185 (marcosbento)
  • Support for sanitization using replace methods in String #171 (formanek)
  • Taint tags for injections, proper tag derivation, added and fixed summaries #169 (formanek)
  • Taint tags - support for taint sanitization (starting with XSS) #166 (formanek)
  • Fix typo in taint-config/java-lang.txt #157 (apasel422)

Fixed bugs:

  • find-sec-bugs always claims "The following classes needed for analysis were missing" for enums #176
  • Memory leak in the tests #193
  • Test failure : Invalid VNA after location #192
  • java.util.ConcurrentModificationException during analysis #184
  • CustomInjection issues #172
  • FindSecBugs plugin crash in Intellij #167
  • Fixed exception, debug info to visitGETFIELD, formatting #156 (formanek)

Closed issues:

  • No plugin support for findbugs4sbt #181
  • Fixing the build #180
  • Standalone execution #179
  • AbstractInjectionDetector.checkTaintSink() modifies Set<TaintSink> while iterating over it #177
  • Make the test less verbose #194

Merged pull requests:

  • Safe enums, dates, time and context path + javadoc #190 (formanek)
  • New analysis parameters and extended taint config #187 (formanek)
  • Add Struts DynaValidatorForm support in addition to ValidatorForm #178 (mkienenb)
  • Fix URL shown for CUSTOM_INJECTION bug warning #174 (mkienenb)

version-1.4.5 (2016-01-05)

Full Changelog

Implemented enhancements:

  • Play framework demo #154
  • New Rule : Scala Command injection #153
  • New Rule : Unvalidated redirect in Play Framework #152
  • New Rule : Additional coverage for predictable random generator in Scala #151
  • New Rule: Detect weak HostnameVerifier #150
  • Migrate the old XSS detector to the new TaintDetector mechanism #149
  • Support alternative bytecode for setEscapeXml="false" JSP (Weblogic appc) #148
  • (Dev internal) DSL for more intuitive method matching #147
  • New Rule : Missing HttpOnly flag on cookie #144
  • New Rule : Trust Boundary Violation #133
  • Taint analysis : Add taint parameters annotate (RequestParam, PathVariable, ..) #132
  • New Rule : EL Expression Injection #130
  • New Rule : XSS detector using the taint detector approach #129
  • (Dev internal) Debug info for taint value to allow troubleshooting of the stack #81
  • New Rule : Seam Logger usage could lead to remote code execution #56
  • New Rule: Detect SSL disabler (Java + Scala implementation) #34
  • Change description of cryptography plus bad grammar #146 (mcwww)
  • Correct SonarQube product name #142 (agabrys)
  • Analysis of indirect subclasses of HttpServlet for XSS #137 (formanek)

Fixed bugs:

  • Fix code block in description for multiple Bug Patterns: JSP_INCLUDE, JSP_SPRING_EVAL and JSP_JSTL_OUT #131
  • Hard coded keys false positive when loading bytes from FileInputStream #126
  • Description for weak digest needs an update #119
  • Error scanning Scala code in IntelliJ #112

Merged pull requests:

  • Change to description #145 (mcwww)
  • Properly handle paths to files #136 (jsotuyod)
  • Fixed hard coded keys detector and out-of-bounds index in TaintAnalysis #135 (formanek)

version-1.4.4 (2015-11-20)

Full Changelog

Implemented enhancements:

  • Path traversal and Xpath injection detectors should use taint analysis #97
  • Detector for external control of configuration (CWE-15) #124
  • Detector for CRLF injection in logs (CWE-117) #123
  • Detector for HTTP response splitting #121
  • New Rule : JSTL out escapeXml=false #114
  • Improvements for JSP support #110
  • Add taint sinks for XPath injection #108
  • Missing taint sinks for LDAP Injection #105
  • New rule : Detect dynamic JSP Includes #104
  • Standalone command line tool to scan jars with or without the source #100
  • Better support for collections #99
  • Consider inheritance for method summaries #98
  • Refactor injection detectors #96
  • New Rule : Detect Spring Eval JSP taglib #55
  • Add detector for java object deserialization #127 (minlex)

Fixed bugs:

  • Path traversal false positives #113

Closed issues:

  • mvn compile failing after adding findsecbugs-plugin #128
  • Add methods for weak message digest #120
  • How can I mark / exclude false positives? #116
  • Missing taint sinks for Spring SQL injection #109
  • Method arguments are not tainted if their derived summary is stored #106
  • Push release 1.4.3 to upstream projects #101

Merged pull requests:

  • CRLF in loggers and taint analysis improvements #125 (formanek)
  • Response splitting, hash functions and messages #122 (formanek)
  • Refactored and fixed injection detectors #115 (formanek)
  • Inheritance aware taint analysis, extended collections support #107 (formanek)
  • Fix injection copy. #102 (mweiden)

version-1.4.3 (2015-09-16)

Full Changelog

Implemented enhancements:

  • All Runtime.exec methods should be taint sinks #92
  • Add coverage for LDAP injection #89
  • Improve the detection of weak message digest #88
  • Improve the detection in the use of old ciphers #87
  • Insecure cookie #86
  • Spring JDBC API #74
  • JDBC api coverage #73
  • False positive on Static IV when using Cipher.getIv() #62
  • Improved taint analysis (several bugs fixed, refactoring) #91 (formanek)

Fixed bugs:

  • Parametric taint state not changed when used as an argument of an unknown method #90
  • Bad method summaries derived for complex flow #85
  • Invalid taint modifications of local variables, when loaded from method summary #84
  • Taint not transferred in chained call of StringBuilder.append #83
  • Too many iterations bug #82
  • Issue with constructor with List and array as parameter (Command injection detection) #80
  • Fix DES detection #79
  • EntityManager createQuery trips SECSQLIJPA even with safe usage #76
  • The IV generation should only be verified for the encryption mode #64

Merged pull requests:

  • Fixed incomplete candidate method for LDAP injections #94 (formanek)
  • Added command injection sinks and CWE identifiers #93 (formanek)
  • Unknown methods made to modify taint state of their parameters to unknown #78 (formanek)
  • Global taint analysis, improvements and bug fixes #75 (formanek)

version-1.4.2 (2015-08-18)

Full Changelog

Implemented enhancements:

  • Improve taint analysis to avoid SQL Injection detected when StringBuilder is used #14

Fixed bugs:

  • Remove slash from XXE short message #68

Merged pull requests:

  • Refactoring of classes for taint analysis #71 (formanek)
  • Translate a message of HARD_CODE_KEY pattern. #70 (naokikimura)
  • Taint sources locations added to bug reports #69 (formanek)
  • Separated hard coded password and key reporting #67 (formanek)
  • Taint sources and improved taint transfer #66 (formanek)
  • Improved hardcoded passwords and key detector + taint analysis #63 (formanek)
  • Allow analyze to set classpath entries #60 (mbmihura)
  • website: corrected typos #59 (obilodeau)

version-1.4.1 (2015-05-30)

Full Changelog

Implemented enhancements:

  • Detector hard coded Spring OAuth secret key #57
  • Add CWE references to messages (few missing) #52
  • Create a tutorial for IntelliJ IDE #51
  • Create a Japanese page on the micro-website for the bug patterns #50
  • NetBeans tutorial #45
  • Update the documentation for Sonar Qube #44
  • ECB and no integrity detection + tests #53 (formanek)
  • Detector for hard coded passwords and cryptographic keys #46 (formanek)

Fixed bugs:

  • XXE - reader False Positive #47
  • Fix URLs in messages.xml #43
  • CustomInjectionSource.properties not found #42

Merged pull requests:

version-1.4.0 (2015-04-03)

Full Changelog

Implemented enhancements:

  • Support Java 8 - upgrade to findbugs 3.0.0 or higher. #37
  • New Android Security detectors #39
  • Move command injection to the main injection detector mechanism #33
  • Create messages_ja.xml #38 (naokikimura)
  • Enable additional signatures to detector of injection #36 (naokikimura)

version-1.3.1 (2015-02-23)

Full Changelog

Implemented enhancements:

  • Add support for the new URL specification for bug reference #35
  • Higher priority for injections #32
  • Remove ESAPI references in messages #31
  • XXE - Separate guidelines (XMLReader/SaxParser/DocumentParser) #27
  • XXE - Avoid false positive when secure features are set. #26
  • Fix links in the descriptions #25
  • JDO Query - Potential Injections #23
  • JDO PersistenceManager - Potential Injections #22
  • Hibernate Restrictions API - Potential Injections #21

Fixed bugs:

  • MethodUnprofitableException throwing could be suppressed #29
  • Fix links in the descriptions #25
  • CipherWithNoIntegrityDetector throws exception on algorithm-only cipher lookups #24
  • Copy all files in metadata folder #30 (jsotuyod)

version-1.3.0 (2015-01-02)

Full Changelog

Implemented enhancements:

  • Tag 1.2.1 release #18

version-1.2.1 (2014-10-03)

Full Changelog

Implemented enhancements:

  • SQL injection on JPA EntityManager.createNativeQuery() is not checked #15
  • Add scala.util.Random to PredictableRandomDetector #17 (HairyFotr)

Fixed bugs:

  • The BAD_HEXA_CONVERSION detector seems to have issues when UnconditionalValueDerefAnalysis is run later #12
  • Parent POM referenced but not published to Maven Central #11

version-1.2.0 (2013-10-30)

Full Changelog

Fixed bugs:

  • Findbugs Security Plugin #5
  • Clarify the test scope of test dependencies. #13 (dbaxa)

version-1.1.0 (2013-07-11)

Full Changelog

Implemented enhancements:

  • Various fixes for findbugs.xml, messages.xml and ECB detection #9 (samuelreed)

Fixed bugs:

  • NullPointerException at BadHexadecimalConversionDetector.java:65 #3
  • Bug fix for BadHexadecimalConversionDetector #4 (pcavezzan)
  • Removed duplicate entry of bug pattern SERVLET_HEADER. #1 (uhafner)

version-1.0.0 (2012-10-20)

* This Change Log was automatically generated by github_changelog_generator