Date: Thu, 28 Mar 2024 12:34:48 +0100 (CET)
Subject: Exported From Confluence
CQM (v1.2.9) and Kiuwan Engine (master.p453.q7002)
Please remember that you can also find new rules by comparing v1.2.9 of CQM against previous versions.
New Python Rules
Support for Python (our most recently added technology) is being improved by adding new rules to the current set (95).
This new release of Kiuwan adds 24 new rules:
- OPT.PYTHON.PORTABILITY.HardcodedAbsolutePath : Improper control of resource identifiers ("Resource Injection")
- OPT.PYTHON.SECURITY.ConnectionStringParameterPollution : Connection string polluted with untrusted input
- OPT.PYTHON.SECURITY.CookiePoisoning : Cookie Poisoning
- OPT.PYTHON.SECURITY.CrossSiteRequestForgery : Cross-site request forgery (CSRF)
- OPT.PYTHON.SECURITY.CrossSiteScripting : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- OPT.PYTHON.SECURITY.DoSRegexp : Potential denial-of-service attack through malicious regular expression (ReDoS)
- OPT.PYTHON.SECURITY.HardcodedCredential : Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied
- OPT.PYTHON.SECURITY.InsecureRandomness : Standard pseudo-random number generators cannot withstand cryptographic attacks
- OPT.PYTHON.SECURITY.InsecureTransport : Insecure transport
- OPT.PYTHON.SECURITY.MailCommandInjection : Mail Command Injection
- OPT.PYTHON.SECURITY.PasswordInComments : Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security
- OPT.PYTHON.SECURITY.ResourceInjection : Improper control of resource identifiers ("Resource Injection")
- OPT.PYTHON.SECURITY.ServerInsecureTransport : Insecure transport in Node.js HTTP servers
- OPT.PYTHON.SECURITY.ServerSideRequestForgery : Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF)
- OPT.PYTHON.SECURITY.StoredCrossSiteScripting : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- OPT.PYTHON.SECURITY.UnsafeCookie : Generate server-side cookies with adequate security properties
- OPT.PYTHON.SECURITY.WeakCryptographicHash : Weak cryptographic hash
- OPT.PYTHON.SECURITY.WeakEncryptionAlgorithm : Weak symmetric encryption algorithm
- OPT.PYTHON.DJANGO.CookieBasedSessions : Cookie-based session with an unsafe configuration
- OPT.PYTHON.DJANGO.InsecureDirectObjectReferences : Check for user authentication and/or authorization before letting the user modify a sensitive system resource
- OPT.PYTHON.DJANGO.MassAssigmentAttack : Insufficient form field validation
- OPT.PYTHON.DJANGO.MissingBrowserXssFilter : Secure browser XSS filter
- OPT.PYTHON.DJANGO.MissingFunctionLevelAccessControl : Perform an authorization check when performing an action which requires authorization
- OPT.PYTHON.DJANGO.WeakCryptographicHashInSettings : Weak cryptographic hashes cannot guarantee data integrity
New JavaScript (Node.js) Rules
Support for JavaScript is also being improved by adding new rules to the current set (150).
This new release of Kiuwan adds 25 new rules:
- OPT.JAVASCRIPT.ANGULARJS.ContextualEscapingDisabled : Strict Contextual Escaping (SCE) disabled
- OPT.JAVASCRIPT.ANGULARJS.UnsafeUrlWhitelist : Unsafe URL whitelist
- OPT.JAVASCRIPT.AvoidArguments : Do not use the arguments object
- OPT.JAVASCRIPT.AvoidWebSQL : Avoid Web SQL
- OPT.JAVASCRIPT.ClickjackingProtection : No clickjacking protection configured
- OPT.JAVASCRIPT.ClientSideTemplateInjection : Client-side Template Injection
- OPT.JAVASCRIPT.CommandInjection : Do not allow non-neutralized user-controlled input to become part of an OS command
- OPT.JAVASCRIPT.ConnectionStringParameterPollution : Connection string polluted with untrusted input
- OPT.JAVASCRIPT.CookiePoisoning : Cookie Poisoning
- OPT.JAVASCRIPT.DoSRegexp : Potential denial-of-service attack through malicious regular expression (ReDoS)
- OPT.JAVASCRIPT.ExternalControlOfConfigurationSetting : External Control of System or Configuration Setting
- OPT.JAVASCRIPT.HardcodedCryptoKey : Hardcoded cryptographic keys
- OPT.JAVASCRIPT.HidePoweredByHeader : Deactivate X-Powered-By header
- OPT.JAVASCRIPT.ImproperCertificateValidation : Improper Certificate Validation
- OPT.JAVASCRIPT.InsecureTransport : Insecure transport
- OPT.JAVASCRIPT.NoSQLInjection : Improper neutralization of special elements in data query logic (NoSQL injection)
- OPT.JAVASCRIPT.OpenRedirectHanaXS : Open Redirect (HANA XS)
- OPT.JAVASCRIPT.PreventMIMESniffing : Prevent MIME sniffing
- OPT.JAVASCRIPT.ServerInsecureTransport : Insecure transport in Node.js HTTP servers
- OPT.JAVASCRIPT.ServerSideRequestForgery : Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF)
- OPT.JAVASCRIPT.ServerSideTemplateInjection : Server-side Template Injection
- OPT.JAVASCRIPT.StoredCrossSiteScripting : Improper neutralization of input during web content generation (Cross-site Scripting, XSS)
- OPT.JAVASCRIPT.UnsafeCookie : Generate server-side cookies with adequate security properties
- OPT.JAVASCRIPT.UseStrictTransportSecurity : Use HTTP Strict Transport Security
- OPT.JAVASCRIPT.XssProtectionDisabled : Cross-site scripting protection disabled
Rules renaming to match CWE identifiers
With the aim of normalization with CWE, many Kiuwan rules have been renamed to match CWE identifiers, as well as to unify rule nomenclature across different technologies.
This makes it easier to understand the meaning of a rule and to find its associated CWE identifiers.
Moreover, Kiuwan rules have been exhaustively reviewed to fully match their corresponding CWE identifier.
This renaming is completely transparent to previous analyses (the Kiuwan internal rule code remains unchanged), although you may find a different name for a rule as a result of these changes.
Improvements in Kiuwan Engine (master.p453.q7002)
The new Kiuwan engine contains enhanced versions of parsers and rules:
- Enhancements in the JSP, PL_SQL, JS and Cobol parsers
- Documentation improvements for Cobol, Java and Obj-C rules
- Bug fixes and performance and reliability improvements in C#, HTML, JS, Cobol, ASP.NET, PYTHON and Java rules
New searching criteria for Defects and Rules
The Kiuwan ruleset is becoming larger as we add new rules.
That’s OK for analytics purposes, but searching and browsing over the whole set of rules is becoming an important feature.
For this reason, we have added some new searching criteria to the Defects and Rules pages.
You can use them right now to better search for specific rules and defects.
Normatives
You can now filter your defects or your model’s rules using the new search “Normative” field.
You can select one or more values among the most common and broadly accepted security and quality normatives: CWE, OWASP, CERT-Java/C/C++, SANS-Top25, WASC, PCI-DSS, NIST, MISRA, BIZEC, etc.
Framework
In the same way as with Normatives, you can now filter your defects or your model’s rules using the new search “Framework” field.
You can select one or more values among the most common and broadly used programming frameworks: Android, AngularJS, CakePHP, Hibernate, JAX, JAX-RS, JAX-WS, jsf, Node.js, Spring, Spring-Batch, Spring-Boot, Spring-Core, Spring-Data, Spring-Data-REST, Spring-MVC, struts1, struts2, Symfony, Zend.
Enhanced Calendar behavior
Kiuwan’s Calendar behavior has been improved to better satisfy your filtering needs:
- Both the FROM and TO dates are now taken into account (formerly, only the TO date was used to filter analyses data)
- If no analyses are found within the selected date range, a warning page is displayed, and you are offered the option to load all the analyses of the current application.
- If you select a date range that leaves out the newest analyses of your application, a warning will inform you, so that you do not forget you have selected a date range that does not display data for the newest analyses of your application.