Angular dynamic components
The underlying vulnerability in dynamic component construction is no different from other "eval injection" issues; review the following links for more information:
The following elements have been identified as potential security flaws and detected by the existing JS rules:
The dangerouslySetInnerHTML attribute acts as an entry point for XSS attacks (see dangerouslySetInnerHTML).
Server-side rendering of attacker-controlled initial state leads to XSS in React apps using Redux.
XSS in explicit calls to React.createElement(...) with untrusted props or children (See Avoiding XSS in React is Still Hard).
Attribute injection also leads to XSS.
In React, the HTML code is embedded in the JS code, so the HTML must be inspected to mark sources, sinks, and neutralization points (for example, <input> elements).
Also, the embedded HTML code is analyzed by Kiuwan with the rules from the HTML technology. The following existing checks might be applied:
Jenkins Kiuwan plugin update
Kiuwan has its own plugin for integrating with a Jenkins environment:
This new version includes the following updates:
- Connection Profiles: Currently, Kiuwan Jenkins Plugin connection settings are limited to one configuration per Jenkins installation. Now, you can set several profiles, you can use multiple accounts, and Kiuwan On-Premises customers may use different environments.
- New analysis result dashboard.
- Improved support for short-lived nodes.
- Pipeline support.
Other bug fixes and improvements
- SAS-5238 (REST API) new endpoint to retrieve ‘last delivery’ analysis results
- SAS-5235 Code Security. PDF and CSV reports don’t match the exported vulnerabilities
- SAS-5211 Typo in PDF vulnerabilities report
- SAS-5208 (REST API) Python sample code for Rest API client does not work
- SAS-5181 Use class attributes with user data in singleton beans
- SAS-5141 QMM does not export rules custom configuration
- SAS-5071 (REST API) add additional info at GET /applications endpoint
- SAS-4955 Rules compare is not working as expected: missing modified rules
- SAS-4902 mute defect - default option + rest api
- SAS-4843 Missing field "Remediation" in the CSV export for a rule
- SAS-4836 (REST API) Add ‘unparsed files’ to responses to any ‘analysis’ related endpoint
- SAS-4817 Group by portfolio option in CS/CA dashboard is not excluding deliveries
- SAS-4747 disabled the ‘reset password’ option for disabled users
- SAS-4738 disable the kiuwan account removal
- QAK-6467 Projects is constantly running into a timeout
- QAK-6443 ERROR analyzing C application with newest engine
- QAK-6439 BUG C++ Java returned 1: java.lang.StackOverflowError
- QAK-6432 PARSE ERROR for 4GL file
- QAK-6424 FP OPT.JAVA.FMETODOS.GNE