version-1.4.5 (2016-01-05)
Implemented enhancements:
- Play framework demo #154
- New Rule : Scala Command injection #153
- New Rule : Unvalidated redirect in Play Framework #152
- New Rule : Additional coverage for predictable random generator in Scala #151
- New Rule: Detect weak HostnameVerifier #150
- Migrate the old XSS detector to the new TaintDetector mechanism #149
- Support alternative bytecode for setEscapeXml="false" JSP (Weblogic appc) #148
- (Dev internal) DSL for more intuitive method matching #147
- New Rule : Missing HttpOnly flag on cookie #144
- New Rule : Trust Boundary Violation #133
- Taint analysis : Add taint parameters annotate (RequestParam, PathVariable, ..) #132
- New Rule : EL Expression Injection #130
- New Rule : XSS detector using the taint detector approach #129
- (Dev internal) Debug info for taint value to allow troubleshooting of the stack #81
- New Rule : Seam Logger usage could lead to remote code execution #56
- New Rule: Detect SSL disabler (Java + Scala implementation) #34
Fixed bugs:
- Fix code block in description for multiple Bug Patterns : JSP_INCLUDE, JSP_SPRING_EVAL and JSP_JSTL_OUT #131
- Hard coded keys false positive when loading bytes from FileInputStream #126
- Description for weak digest needs an update #119
- Error scanning Scala code in IntelliJ #112
Merged pull requests:
- Change description of cryptography plus bad grammar #146 (mcwww)
- Change to description #145 (mcwww)
- Correct SonarQube product name #142 (agabrys)
- Analysis of indirect subclasses of HttpServlet for XSS #137 (formanek)
- Properly handle paths to files #136 (jsotuyod)
- Fixed hard coded keys detector and out-of-bounds index in TaintAnalysis #135 (formanek)
version-1.4.4 (2015-11-20)
Implemented enhancements:
- Path traversal and XPath injection detectors should use taint analysis #97
- Detector for external control of configuration (CWE-15) #124
- Detector for CRLF injection in logs (CWE-117) #123
- Detector for HTTP response splitting #121
- New Rule : JSTL out escapeXml=false #114
- Improvements for JSP support #110
- Add taint sinks for XPath injection #108
- Missing taint sinks for LDAP Injection #105
- New rule : Detect dynamic JSP Includes #104
- Standalone command line tool to scan jars with or without the source #100
- Better support for collections #99
- Consider inheritance for method summaries #98
- Refactor injection detectors #96
- New Rule : Detect Spring Eval JSP taglib #55
Fixed bugs:
- Path traversal false positives #113
Closed issues:
- mvn compile failing after adding findsecbugs-plugin #128
- Add methods for weak message digest #120
- How can I mark / exclude false positives? #116
- Missing taint sinks for Spring SQL injection #109
- Method arguments are not tainted if their derived summary is stored #106
- Push release 1.4.3 to upstream projects #101
Merged pull requests:
- CRLF in loggers and taint analysis improvements #125 (formanek)
- Response splitting, hash functions and messages #122 (formanek)
- Refactored and fixed injection detectors #115 (formanek)
- Inheritance aware taint analysis, extended collections support #107 (formanek)
- Fix injection copy. #102 (mweiden)
- Add detector for java object deserialization #127 (minlex)
version-1.4.3 (2015-09-16)
Implemented enhancements:
- All Runtime.exec methods should be taint sinks #92
- Add coverage for LDAP injection #89
- Improve the detection of weak message digest #88
- Improve the detection in the use of old ciphers #87
- Insecure cookie #86
- Spring JDBC API #74
- JDBC API coverage #73
- False positive on Static IV when using Cipher.getIv() #62
Fixed bugs:
- Parametric taint state not changed when used as an argument of an unknown method #90
- Bad method summaries derived for complex flow #85
- Invalid taint modifications of local variables, when loaded from method summary #84
- Taint not transferred in chained call of StringBuilder.append #83
- Too many iterations bug #82
- Issue with constructor with List and array as parameter (Command injection detection) #80
- Fix DES detection #79
- EntityManager createQuery trips SECSQLIJPA even with safe usage #76
- The IV generation should only be verified for the encryption mode #64
Merged pull requests:
- Fixed incomplete candidate method for LDAP injections #94 (formanek)
- Added command injection sinks and CWE identifiers #93 (formanek)
- Unknown methods made to modify taint state of their parameters to unknown #78 (formanek)
- Global taint analysis, improvements and bug fixes #75 (formanek)
- Improved taint analysis (several bugs fixed, refactoring) #91 (formanek)
version-1.4.2 (2015-08-18)
Implemented enhancements:
- Improve taint analysis to avoid SQL Injection detected when StringBuilder is used #14
Fixed bugs:
- Remove slash from XXE short message #68
Merged pull requests:
- Refactoring of classes for taint analysis #71 (formanek)
- Translate a message of HARD_CODE_KEY pattern. #70 (naokikimura)
- Taint sources locations added to bug reports #69 (formanek)
- Separated hard coded password and key reporting #67 (formanek)
- Taint sources and improved taint transfer #66 (formanek)
- Improved hardcoded passwords and key detector + taint analysis #63 (formanek)
- Allow analyze to set classpath entries #60 (mbmihura)
- website: corrected typos #59 (obilodeau)
version-1.4.1 (2015-05-30)
Implemented enhancements:
- Detector hard coded Spring OAuth secret key #57
- Add CWE references to messages (few missing) #52
- Create a tutorial for IntelliJ IDE #51
- Create a Japanese page on the micro-website for the bug patterns #50
- NetBeans tutorial #45
- Update the documentation for SonarQube #44
Fixed bugs:
- XXE - reader False Positive #47
- Fix URLs in messages.xml #43
- CustomInjectionSource.properties not found #42
Merged pull requests:
- ECB and no integrity detection + tests #53 (formanek)
- Update messages_ja.xml #49 (naokikimura)
- Detector for hard coded passwords and cryptographic keys #46 (formanek)
version-1.4.0 (2015-04-03)
Implemented enhancements:
- Support Java 8 - upgrade to findbugs 3.0.0 or higher. #37
- New Android Security detectors #39
- Move command injection to the main injection detector mechanism #33
Merged pull requests:
- Create messages_ja.xml #38 (naokikimura)
- Enable additional signatures to detector of injection #36 (naokikimura)
version-1.3.1 (2015-02-23)
Implemented enhancements:
- Add support for the new URL specification for bug reference #35
- Higher priority for injections #32
- Remove ESAPI references in messages #31
- XXE - Separate guidelines (XMLReader/SaxParser/DocumentParser) #27
- XXE - Avoid false positive when secure features are set. #26
- Fix links in the descriptions #25
- JDO Query - Potential Injections #23
- JDO PersistenceManager - Potential Injections #22
- Hibernate Restrictions API - Potential Injections #21
Fixed bugs:
- MethodUnprofitableException throwing could be suppressed #29
- Fix links in the descriptions #25
- CipherWithNoIntegrityDetector throws exception on algorithm-only cipher lookups #24
Merged pull requests:
version-1.3.0 (2015-01-02)
Implemented enhancements:
- Tag 1.2.1 release #18
version-1.2.1 (2014-10-03)
Implemented enhancements:
- SQL injection on JPA EntityManager.createNativeQuery() is not checked #15
Fixed bugs:
- The BAD_HEXA_CONVERSION detector seems to have issues when UnconditionalValueDerefAnalysis is run later #12
- Parent POM referenced but not published to Maven Central #11
Merged pull requests:
version-1.2.0 (2013-10-30)
Fixed bugs:
- Findbugs Security Plugin #5
Merged pull requests:
version-1.1.0 (2013-07-11)
Fixed bugs:
- NullPointerException at BadHexadecimalConversionDetector.java:65 #3
Merged pull requests:
- Various fixes for findbugs.xml, messages.xml and ECB detection #9 (samuelreed)
- Bug fix for BadHexadecimalConversionDetector #4 (pcavezzan)
- Removed duplicate entry of bug pattern SERVLET_HEADER. #1 (uhafner)
version-1.0.0 (2012-10-20)
* This Change Log was automatically generated by github_changelog_generator