gitlab gitlab-org/security-products/analyzers/semgrep v4.10.3

8 months ago
  • Update sast-rules version 2.0.8 (!360)
    • Update java/cookie/rule-CookieHTTPOnly.yml to support jakarta servlet
    • Removed java/xss/rule-XSSReqParamToSendError.yml, since sendError output is now automatically encoded; the underlying bug (CVE-2008-1232) was fixed in Apache Tomcat 6 in 2008
    • Update java/cookie/rule-CookieInsecure.yml to support jakarta servlet
    • Update java/xss/rule-WicketXSS.yml to cover more sinks
    • Update java/script/rule-ScriptInjection.yml to match invokeFunction() and invokeMethod() with added sinks and rule out false positives for eval()
    • Update java/xpathi/rule-XpathInjection.yml to include taint mode analysis and to add sanitizer for setting custom variable resolver
    • Update csharp/injection/rule-CommandInjection.yml to ignore hardcoded strings
    • Update python/deserialization/rule-pickle.yml to reduce false positives
    • Add back java/inject/rule-CustomInjectionSQLString.yml with stricter patterns for matching possible SQL injection strings
    • Update csharp/other/rule-UnsafeXSLTSettingUsed.yml by changing CWE-611 to CWE-74 and updating the patterns
    • Update javascript/eval/rule-eval-with-expression.yml to add more sinks for eval style injections
    • Update java/cookie/rule-RequestParamToHeader.yml to fix regex match on new lines, add more sinks
    • Update csharp/injection/rule-CommandInjection.yml to add more patterns to match command injection
    • Update csharp/endpoint/rule-UnvalidatedRedirect.yml to add sources and sinks
    • Update java/xml/rule-SAMLIgnoreComments.yml to add fully qualified class name
