Closed issues:
- Run coveralls after each build #287
Merged pull requests:
version-1.6.0 (2017-03-15)
Implemented enhancements:
- Unexpected deserialization with RestEasy/Jersey #198
- Turbine SQL Injection #238
- Detect hardcoded password in unknown API #231
- Malicious deserialization from LDAP entry #228
- (Dev internal) Validate the configuration files automatically #158
- Turbine SQL injections #253 (h3xstream)
- Adding overly permissive CORS policy detector #248 (plr0man)
- LDAP improvements #278 (h3xstream)
- Add HTTP Parameter Pollution Injection Detector #267 (plr0man)
- Add File Disclosure Injection detector #265 (plr0man)
- Java source and target from 1.6 to 1.7 & API compatibility check #264 (ptamarit)
- Add JavaBeans Property Injection detector #263 (plr0man)
- Add Insecure SMTP SSL detector #259 (plr0man)
- SQL Injection (CWE-89) - Scala Slick & Scala Anorm injection detectors #254 (MaxNad)
- Add Url rewriting detector #252 (plr0man)
- UNENCRYPTED_SERVER_SOCKET: use of java.net.ServerSocket #239 (edrdo)
- Server Side Request Forgery (CWE 918) - Basic detector implementation #234 (MaxNad)
Fixed bugs:
- Out of bounds mutables in ... (Assertion triggered) #275
- Force encoding to UTF-8 on windows when generating micro-website #232
- Freemarker description fix #230
- Bug fix of detection of bad cipher modes of operation and minor improvements #271 (formanek)
Closed issues:
- Find-sec-bugs maven plugin failed to execute #274
- False negatives in detection of bad modes of operation #270
- findbugs not working with Sonarqube 6.1 #235
- Update JSP compiler #279
Merged pull requests:
- Remove duplicated word in README #282 (jwilk)
- Update JSP compiler #281 (h3xstream)
- Fix #275 #277 (h3xstream)
- Add Format String Manipulation Injection Detector #266 (plr0man)
- Travis improvements: batch mode and verify phase #262 (ptamarit)
- Add AWS Query Injection detector #260 (plr0man)
- Fix false negatives in InsufficientKeySizeRsaDetector #257 (plr0man)
- Fix false negative SHA in WeakMessageDigestDetector #255 (plr0man)
- Persistent cookie detector #251 (plr0man)
- Anonymous LDAP Bind detector #250 (plr0man)
- Fix Maven warnings (missing plugin version, relocation, proprietary API) #247 (ptamarit)
- Adding ThreadLocalRandom detection #246 (plr0man)
- Improve SpringMvcEndpointDetector by detecting new RequestMapping annotation shortcuts #244 (ptamarit)
- Update plugins #279 #280 (h3xstream)
- Spring CSRF: Protection Disabled & Unrestricted RequestMapping #261 (ptamarit)
- (internal) Refactoring: Rename Summary to TaintConfig #258 (h3xstream)
version-1.5.0 (2016-10-06)
Implemented enhancements:
- Detect template usage (template injection) #227
- Reduce the number of FP related to Trust Boundary Violation #226
- XSS in Portlet #216
- How to set findsecbugs.taint.customconfigfile through gradle? #215
- Identify weak XML parser properties that could lead to XXE #209
- Scala : XSS in twirl template #207
- Scala: XSS in Play controller #206
- XML parsing vulnerable to XXE (XMLReader) shortage #191
- Path Traversal (CWE 22) - Scala Path Traversal injection sinks #223 (MaxNad)
- Sensitive data exposure (CWE 200) - Sensitive data exposure in cookies #221 (MaxNad)
- XSS (CWE 79) - Scala - The detector can be fooled when the .as("text/html") is in uppercase #208 (MaxNad)
- Taint analysis bug fixes and improvements #214 (topolik)
- Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)
- XSS (CWE 79) - Scala Play vulnerable code #203 (MaxNad)
- CWE 200 (Information Exposure) - Scala Play vulnerable code #202 (MaxNad)
Fixed bugs:
- FP: sending local broadcasts via LocalBroadcastManager #224
- False positive: ResourceBundle in JSP #213
- Out of bounds mutables in static myclass$.<clinit>()V #199
- Issue #224 - Added an exception for the LocalBroadcastManager in the detector. #225 (MaxNad)
- Potential fix for issue #182 (INSECURE_COOKIE detector can be fooled by creating two or more cookies) #204 (MaxNad)
Closed issues:
- not to report null-pointer dereference if there is code that already throws RuntimeError #197
- Release version 1.4.6 #195
- Release 1.4.5 #159
- Fix mix-content on micro-website #229
Merged pull requests:
- Custom config file method refactoring #218 (topolik)
- Accept environment variables spelled with underscores #217 (kuhnmi)
version-1.4.6 (2016-06-02)
Implemented enhancements:
- Detect deserialization gadgets #189
- CustomInjection issues #172
- New Rule : XSLT processing detection #168
- Better sink confirmation mechanism, safe fields #173 (formanek)
- Credentials detector for Hashtable improved #155 (mcwww)
- Update owasp.txt #188 (s-tikhomirov)
- Correct Japanese messages formatting #185 (marcosbento)
- Support for sanitization using replace methods in String #171 (formanek)
- Taint tags for injections, proper tag derivation, added and fixed summaries #169 (formanek)
- Taint tags - support for taint sanitization (starting with XSS) #166 (formanek)
- Fix typo in taint-config/java-lang.txt #157 (apasel422)
Fixed bugs:
- find-sec-bugs always claims "The following classes needed for analysis were missing" for enums #176
- Memory leak in the tests #193
- Test failure : Invalid VNA after location #192
- java.util.ConcurrentModificationException during analysis #184
- CustomInjection issues #172
- FindSecBugs plugin crash in Intellij #167
- Fixed exception, debug info to visitGETFIELD, formatting #156 (formanek)
Closed issues:
- No plugin support for findbugs4sbt #181
- Fixing the build #180
- Standalone execution #179
- AbstractInjectionDetector.checkTaintSink() modifies Set<TaintSink> while iterating over it #177
- Make the test less verbose #194
Merged pull requests:
- Safe enums, dates, time and context path + javadoc #190 (formanek)
- New analysis parameters and extended taint config #187 (formanek)
- Add Struts DynaValidatorForm support in addition to ValidatorForm #178 (mkienenb)
- Fix URL shown for CUSTOM_INJECTION bug warning #174 (mkienenb)
version-1.4.5 (2016-01-05)
Implemented enhancements:
- Play framework demo #154
- New Rule : Scala Command injection #153
- New Rule : Unvalidated redirect in Play Framework #152
- New Rule : Additional coverage for predictable random generator in Scala #151
- New Rule: Detect weak HostnameVerifier #150
- Migrate the old XSS detector to the new TaintDetector mechanism #149
- Support alternative bytecode for setEscapeXml="false" JSP (Weblogic appc) #148
- (Dev internal) DSL for more intuitive method matching #147
- New Rule : Missing HttpOnly flag on cookie #144
- New Rule : Trust Boundary Violation #133
- Taint analysis : Add taint parameters annotate (RequestParam, PathVariable, ..) #132
- New Rule : EL Expression Injection #130
- New Rule : XSS detector using the taint detector approach #129
- (Dev internal) Debug info for taint value to allow troubleshooting of the stack #81
- New Rule : Seam Logger usage could lead to remote code execution #56
- New Rule: Detect SSL disabler (Java + Scala implementation) #34
- Change description of cryptography plus bad grammar #146 (mcwww)
- Correct SonarQube product name #142 (agabrys)
- Analysis of indirect subclasses of HttpServlet for XSS #137 (formanek)
Fixed bugs:
- Fix code block in description for multiple Bug Patterns : JSP_INCLUDE, JSP_SPRING_EVAL and JSP_JSTL_OUT #131
- Hard coded keys false positive when loading bytes from FileInputStream #126
- Description for weak digest need an update #119
- Error scanning Scala code in IntelliJ #112
Merged pull requests:
- Change to description #145 (mcwww)
- Properly handle paths to files #136 (jsotuyod)
- Fixed hard coded keys detector and out-of-bounds index in TaintAnalysis #135 (formanek)
version-1.4.4 (2015-11-20)
Implemented enhancements:
- Path traversal and Xpath injection detectors should use taint analysis #97
- Detector for external control of configuration (CWE-15) #124
- Detector for CRLF injection in logs (CWE-117) #123
- Detector for HTTP response splitting #121
- New Rule : JSTL out escapeXml=false #114
- Improvements for JSP support #110
- Add taint sinks for XPath injection #108
- Missing taint sinks for LDAP Injection #105
- New rule : Detect dynamic JSP Includes #104
- Standalone command line tool to scan jars with or without the source #100
- Better support for collections #99
- Consider inheritance for method summaries #98
- Refactor injection detectors #96
- New Rule : Detect Spring Eval JSP taglib #55
- Add detector for java object deserialization #127 (minlex)
Fixed bugs:
- Path traversal false positives #113
Closed issues:
- mvn compile failing after adding findsecbugs-plugin #128
- Add methods for weak message digest #120
- How can I mark / exclude false positives? #116
- Missing taint sinks for Spring SQL injection #109
- Method arguments are not tainted if their derived summary is stored #106
- Push release 1.4.3 to upstream projects #101
Merged pull requests:
- CRLF in loggers and taint analysis improvements #125 (formanek)
- Response splitting, hash functions and messages #122 (formanek)
- Refactored and fixed injection detectors #115 (formanek)
- Inheritance aware taint analysis, extended collections support #107 (formanek)
- Fix injection copy. #102 (mweiden)
version-1.4.3 (2015-09-16)
Implemented enhancements:
- All Runtime.exec methods should be taint sinks #92
- Add coverage for LDAP injection #89
- Improve the detection of weak message digest #88
- Improve the detection in the use of old ciphers #87
- Insecure cookie #86
- Spring JDBC API #74
- JDBC api coverage #73
- False positive on Static IV when using Cipher.getIv() #62
- Improved taint analysis (several bugs fixed, refactoring) #91 (formanek)
Fixed bugs:
- Parametric taint state not changed when used as an argument of an unknown method #90
- Bad method summaries derived for complex flow #85
- Invalid taint modifications of local variables, when loaded from method summary #84
- Taint not transferred in chained call of StringBuilder.append #83
- Too many iterations bug #82
- Issue with constructor with List and array as parameter (Command injection detection) #80
- Fix DES detection #79
- EntityManager createQuery trips SECSQLIJPA even with safe usage #76
- The IV generation should only be verified for the encryption mode #64
Merged pull requests:
- Fixed incomplete candidate method for LDAP injections #94 (formanek)
- Added command injection sinks and CWE identifiers #93 (formanek)
- Unknown methods made to modify taint state of their parameters to unknown #78 (formanek)
- Global taint analysis, improvements and bug fixes #75 (formanek)
version-1.4.2 (2015-08-18)
Implemented enhancements:
- Improve taint analysis to avoid SQL Injection detected when StringBuilder is used #14
Fixed bugs:
- Remove slash from XXE short message #68
Merged pull requests:
- Refactoring of classes for taint analysis #71 (formanek)
- Translate a message of HARD_CODE_KEY pattern. #70 (naokikimura)
- Taint sources locations added to bug reports #69 (formanek)
- Separated hard coded password and key reporting #67 (formanek)
- Taint sources and improved taint transfer #66 (formanek)
- Improved hardcoded passwords and key detector + taint analysis #63 (formanek)
- Allow analyze to set classpath entries #60 (mbmihura)
- website: corrected typos #59 (obilodeau)
version-1.4.1 (2015-05-30)
Implemented enhancements:
- Detector hard coded Spring OAuth secret key #57
- Add CWE references to messages (few missing) #52
- Create a tutorial for IntelliJ IDE #51
- Create a Japanese page on the micro-website for the bug patterns #50
- NetBeans tutorial #45
- Update the documentation for Sonar Qube #44
- ECB and no integrity detection + tests #53 (formanek)
- Detector for hard coded passwords and cryptographic keys #46 (formanek)
Fixed bugs:
- XXE - reader False Positive #47
- Fix URLs in messages.xml #43
- CustomInjectionSource.properties not found #42
Merged pull requests:
- Update messages_ja.xml #49 (naokikimura)
version-1.4.0 (2015-04-03)
Implemented enhancements:
- Support Java 8 - upgrade to findbugs 3.0.0 or higher. #37
- New Android Security detectors #39
- Move command injection to the main injection detector mechanism #33
- Create messages_ja.xml #38 (naokikimura)
- Enable additional signatures to detector of injection #36 (naokikimura)
version-1.3.1 (2015-02-23)
Implemented enhancements:
- Add support for the new URL specification for bug reference #35
- Higher priority for injections #32
- Remove ESAPI references in messages #31
- XXE - Separate guidelines (XMLReader/SaxParser/DocumentParser) #27
- XXE - Avoid false positive when secure features are set. #26
- Fix links in the descriptions #25
- JDO Query - Potential Injections #23
- JDO PersistenceManager - Potential Injections #22
- Hibernate Restrictions API - Potential Injections #21
Fixed bugs:
- MethodUnprofitableException throwing could be suppressed #29
- Fix links in the descriptions #25
- CipherWithNoIntegrityDetector throws exception on algorithm-only cipher lookups #24
- Copy all files in metadata folder #30 (jsotuyod)
version-1.3.0 (2015-01-02)
Implemented enhancements:
- Tag 1.2.1 release #18
version-1.2.1 (2014-10-03)
Implemented enhancements:
- SQL injection on JPA EntityManager.createNativeQuery() is not checked #15
- Add scala.util.Random to PredictableRandomDetector #17 (HairyFotr)
Fixed bugs:
- The BAD_HEXA_CONVERSION detector seems to have issues when UnconditionalValueDerefAnalysis is run later #12
- Parent POM referenced but not published to Maven Central #11
version-1.2.0 (2013-10-30)
Fixed bugs:
version-1.1.0 (2013-07-11)
Implemented enhancements:
- Various fixes for findbugs.xml, messages.xml and ECB detection #9 (samuelreed)
Fixed bugs:
- NullPointerException at BadHexadecimalConversionDetector.java:65 #3
- Bug fix for BadHexadecimalConversionDetector #4 (pcavezzan)
- Removed duplicate entry of bug pattern SERVLET_HEADER. #1 (uhafner)
version-1.0.0 (2012-10-20)
* This Change Log was automatically generated by github_changelog_generator