This release includes 7 new detectors, improvements to the injection rules, improvements to taint analysis and a new standalone command-line tool.
7 new detectors
- Detector for Java object deserialization (Created by @minlex)
- Detector for external control of configuration (Created by @formanek)
- Detector for CRLF injection in logs (Created by @formanek)
- Detector for HTTP response splitting (Created by @formanek)
- Detect dynamic JSP Includes
- Detect Spring Eval JSP taglib
- JSTL out escapeXml=false
Standalone client
The standalone CLI is a new packaging of existing features. For more information about using the new tool, see the wiki page.
Implemented enhancements:
- Path traversal and XPath injection detectors should use taint analysis #97
- Detector for external control of configuration (CWE-15) #124
- Detector for CRLF injection in logs (CWE-117) #123
- Detector for HTTP response splitting #121
- Improvements for JSP support #110
- Missing taint sinks for LDAP Injection #105
- New rule: Detect dynamic JSP Includes #104
- Standalone command line tool to scan jars with or without the source #100
- Better support for collections #99
- Consider inheritance for method summaries #98
- Refactor injection detectors #96
- New rule: Detect Spring Eval JSP taglib #55
- New rule: JSTL out escapeXml=false #114
Fixed bugs:
- Path traversal false positives #113
Closed issues:
- mvn compile failing after adding findsecbugs-plugin #128
- Add methods for weak message digest #120
- How can I mark / exclude false positives? #116
- Missing taint sinks for Spring SQL injection #109
- Method arguments are not tainted if their derived summary is stored #106
- Push release 1.4.3 to upstream projects #101
Merged pull requests: