github find-sec-bugs/find-sec-bugs version-1.4.6
Version 1.4.6 - Escaping the world of XSS

7 years ago

Special thanks to David Formanek for his significant contributions. He submitted his thesis on taint analysis two weeks ago, while this version was being released.
Special thanks also to Y Soft for believing in the idea of contributing to a community project.

Better taint analysis
The most important improvement in this release is the introduction of a tagging system in the taint analysis engine. This change was contributed by @formanek. The engine now supports detecting escaping functions for various contexts (XSS, SQL injection, etc.).
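
To illustrate the idea of context-specific taint tags, here is a toy model in Java. It is an added example, not code from find-sec-bugs; the class, the tag names and the sample input are hypothetical. It shows an HTML-escaped value clearing an HTML sink while still being reported at a SQL sink.

```java
import java.util.EnumSet;

// Toy model of context-specific taint tags; every name here is hypothetical.
public class TaintTagDemo {
    // Each tag records one injection context a value has been made safe for.
    enum Tag { XSS_SAFE, SQL_SAFE }

    static final class Value {
        final String text;
        final boolean tainted;      // derived from attacker-controlled input?
        final EnumSet<Tag> tags;    // contexts it has been sanitized for
        Value(String text, boolean tainted, EnumSet<Tag> tags) {
            this.text = text; this.tainted = tainted; this.tags = tags;
        }
        // Concatenation is tainted if either side is, and keeps only the
        // tags that both operands carry.
        Value concat(Value other) {
            EnumSet<Tag> merged = EnumSet.copyOf(tags);
            merged.retainAll(other.tags);
            return new Value(text + other.text, tainted || other.tainted, merged);
        }
    }

    static Value source(String s)   { return new Value(s, true, EnumSet.noneOf(Tag.class)); }
    static Value constant(String s) { return new Value(s, false, EnumSet.allOf(Tag.class)); }

    // An HTML escaper earns the XSS tag only; the SQL context is untouched.
    static Value escapeHtml(Value v) {
        String out = v.text.replace("&", "&amp;").replace("<", "&lt;")
                           .replace(">", "&gt;").replace("\"", "&quot;");
        EnumSet<Tag> tags = EnumSet.copyOf(v.tags);
        tags.add(Tag.XSS_SAFE);
        return new Value(out, v.tainted, tags);
    }

    // A sink reports a finding when tainted data lacks the tag for its context.
    static boolean flagged(Value v, Tag required) {
        return v.tainted && !v.tags.contains(required);
    }

    public static void main(String[] args) {
        Value raw = source("<b>O'Brien</b>");   // constructed sample input
        Value escaped = escapeHtml(raw);
        Value query = constant("SELECT * FROM users WHERE name = '")
                .concat(escaped).concat(constant("'"));
        System.out.println("HTML sink, raw:     " + flagged(raw, Tag.XSS_SAFE));
        System.out.println("HTML sink, escaped: " + flagged(escaped, Tag.XSS_SAFE));
        System.out.println("SQL sink, escaped:  " + flagged(query, Tag.SQL_SAFE));
    }
}
```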

Custom Signatures
The configuration of custom signatures was updated to a new format. If you were using this feature, make sure to convert your configuration to the new format. More information is available on the Wiki.

Japanese Messages
The Japanese messages are now officially deprecated. There are a lot of missing descriptions for the Japanese language.

New Detectors
A new set of rules was added to find XSLT vulnerabilities. Security researchers will also be happy to find an automated deserialization gadget detector.

version-1.4.6 (2016-06-02)

Full Changelog

Implemented enhancements:

  • Detect deserialization gadgets #189
  • CustomInjection issues #172
  • New Rule : XSLT processing detection #168
  • Update owasp.txt #188 (s-tikhomirov)
  • Correct japanese messages formatting #185 (marcosbento)
  • Support for sanitization using replace methods in String #171 (formanek)
  • Taint tags for injections, proper tag derivation, added and fixed summaries #169 (formanek)
  • Taint tags - support for taint sanitization (starting with XSS) #166 (formanek)
  • Fix typo in taint-config/java-lang.txt #157 (apasel422)

Fixed bugs:

  • find-sec-bugs always claims "The following classes needed for analysis were missing" for enums #176
  • Memory leak in the tests #193
  • Test failure : Invalid VNA after location #192
  • java.util.ConcurrentModificationException during analysis #184
  • CustomInjection issues #172
  • FindSecBugs plugin crash in Intellij #167
  • Fixed exception, debug info to visitGETFIELD, formatting #156 (formanek)

Closed issues:

  • No plugin support for findbugs4sbt #181
  • Fixing the build #180
  • Standalone execution #179
  • Make the test less verbose #194
