github find-sec-bugs/find-sec-bugs version-1.4.2
Version 1.4.2 - True improvements with False Positive

8 years ago

This new release introduces absolutely no new detector. Nonetheless, it includes major contributions from David Formanek of Y Soft regarding the new taint analysis. FindSecBugs now takes advantage of the FindBugs taint analysis engine.

What does this mean for the user? It means that fewer false positives will be raised regarding injection vulnerabilities.
We highly encourage users to update to this version to take advantage of these improvements. It should not remove any vulnerability that was found before. Open an issue if you see performance problems or side effects from these changes.

Thanks again to David who made this release possible.


Full Changelog

Implemented enhancements:

  • Improve taint analysis to avoid SQL Injection detected when StringBuilder is used #14

Fixed bugs:

  • Remove slash from XXE short message #68

Merged pull requests:

  • Refactoring of classes for taint analysis #71 (formanek)
  • Translate a message of HARD_CODE_KEY pattern. #70 (naokikimura)
  • Taint sources locations added to bug reports #69 (formanek)
  • Separated hard coded password and key reporting #67 (formanek)
  • Taint sources and improved taint transfer #66 (formanek)
  • Improved hardcoded passwords and key detector + taint analysis #63 (formanek)
  • Allow analyze to set classpath entries #60 (mbmihura)
  • website: corrected typos #59 (obilodeau)
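The StringBuilder case behind #14 and the taint propagation described above, as an added illustration that is not code from the project or this release; the class, method names and the `users` table are hypothetical.

```java
// Added example (not part of find-sec-bugs): the three shapes of StringBuilder-built
// SQL that a taint analysis has to tell apart. Class and method names are hypothetical.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class StringBuilderQueries {

    // Query assembled from string constants only: no untrusted data reaches the SQL
    // text, so an SQL injection report here is a false positive. This is the pattern
    // that could be reported before the taint analysis improvements (#14).
    public static ResultSet listActiveUsers(Connection conn) throws SQLException {
        StringBuilder sql = new StringBuilder();
        sql.append("SELECT id, name FROM users ");
        sql.append("WHERE active = 1 ");
        sql.append("ORDER BY name");
        Statement st = conn.createStatement();
        return st.executeQuery(sql.toString());
    }

    // Same construct, but a caller-supplied value (for example a request parameter)
    // is appended into the SQL text. Taint follows the value through append() and
    // toString() into the executeQuery() sink, so this must still be reported.
    public static ResultSet findUserUnsafe(Connection conn, String name) throws SQLException {
        StringBuilder sql = new StringBuilder("SELECT id, name FROM users WHERE name = '");
        sql.append(name).append("'");
        Statement st = conn.createStatement();
        return st.executeQuery(sql.toString());
    }

    // Hardened form: the untrusted value is bound as a parameter and never becomes
    // part of the SQL text, so the sink only ever receives a constant string.
    public static ResultSet findUser(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }
}
```

Running the analyzer over these three methods is a quick regression check after upgrading: only `findUserUnsafe` should produce an SQL injection finding.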
