The 1.4.3 can be summarized into less false positive and better coverage. Building on top of the new taint analysis engine introduce in the previous release, bugs fixes and enhancement were made to support more code patterns.
From 1.4.2 to 1.4.3, the false positive are moving from "Low" priority to hidden. If you are seeing sensible that are not flagged, you open an issue about it.
David Formanek of Y Soft is responsible of most (if not all) the taint analysis major improvements.
Implemented enhancements:
- All Runtime.exec methods should be taint sinks #92
- Add coverage for LDAP injection #89
- Improve the detection of weak message digest #88
- Improve the detection in the use of old ciphers #87
- Insecure cookie #86
- Spring JDBC API #74
- JDBC api coverage #73
- False positive on Static IV when using Cipher.getIv() #62
Fixed bugs:
- Parametric taint state not changed when used as an argument of an unknown method #90
- Bad method summaries derived for complex flow #85
- Invalid taint modifications of local variables, when loaded from method summary #84
- Taint not transfered in chained call of StringBuilder.append #83
- Too many iterations bug #82
- Issue with constructor with List and array as parameter (Command injection detection) #80
- Fix DES detection #79
- EntityManager createQuery trips SECSQLIJPA even with safe usage #76
- The IV generation should only be verified for the encryption mode #64
Merged pull requests: