...

Info

A new version of Kiuwan's CQM (v1.2.9) is available.

v1.2.9 mainly contains new rules for Python and JavaScript (Node.js).

These new rules are available in the new CQM together with the new Kiuwan Engine (XXXXXXmaster.p453.q7002).

Unless you have blocked the Kiuwan Engine, Kiuwan Local Analyzer will automatically upgrade it to the latest version the next time an analysis is run.

...

This new release of Kiuwan adds 25 new rules:

 

  • OPT.JAVASCRIPT.ANGULARJS.ContextualEscapingDisabled : Strict Contextual Escaping (SCE) disabled 
  • OPT.JAVASCRIPT.ANGULARJS.UnsafeUrlWhitelist : Unsafe URL whitelist 
  • OPT.JAVASCRIPT.AvoidArguments : Do not use arguments object 
  • OPT.JAVASCRIPT.AvoidWebSQL : Avoid Web SQL 
  • OPT.JAVASCRIPT.ClickjackingProtection : No clickjacking protection configured
  • OPT.JAVASCRIPT.ClientSideTemplateInjection : Client-side Template Injection
  • OPT.JAVASCRIPT.CommandInjection : Avoid non-neutralized user-controlled input to be part of an OS command
  • OPT.JAVASCRIPT.ConnectionStringParameterPollution : Connection string polluted with untrusted input 
  • OPT.JAVASCRIPT.CookiePoisoning : Cookie Poisoning 
  • OPT.JAVASCRIPT.DoSRegexp : Potential denial-of-service attack through malicious regular expression (ReDoS) 
  • OPT.JAVASCRIPT.ExternalControlOfConfigurationSetting : External Control of System or Configuration Setting
  • OPT.JAVASCRIPT.HardcodedCryptoKey : Hardcoded cryptographic keys 
  • OPT.JAVASCRIPT.HidePoweredByHeader : Deactivate X-Powered-By header 
  • OPT.JAVASCRIPT.ImproperCertificateValidation : Improper Certificate Validation 
  • OPT.JAVASCRIPT.InsecureTransport : Insecure transport 
  • OPT.JAVASCRIPT.NoSQLInjection : Improper neutralization of special elements in data query logic (NoSQL injection) 
  • OPT.JAVASCRIPT.OpenRedirectHanaXS : Open Redirect (HANA XS) 
  • OPT.JAVASCRIPT.PreventMIMESniffing : Prevent MIME sniffing attacks
  • OPT.JAVASCRIPT.ServerInsecureTransport : Insecure transport in Node.js HTTP servers 
  • OPT.JAVASCRIPT.ServerSideRequestForgery : Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF) 
  • OPT.JAVASCRIPT.ServerSideTemplateInjection : Server-side Template Injection
  • OPT.JAVASCRIPT.StoredCrossSiteScripting : Improper neutralization of input during web content generation (Cross-site Scripting, XSS) 
  • OPT.JAVASCRIPT.UnsafeCookie : Generate server-side cookies with adequate security properties 
  • OPT.JAVASCRIPT.UseStrictTransportSecurity : Use HTTP Strict Transport Security 
  • OPT.JAVASCRIPT.XssProtectionDisabled : Cross-site scripting protection disabled

 

Rules renaming to match CWE identifiers

With the aim of normalizing against CWE, many Kiuwan rules have been renamed to match CWE identifiers, as well as to unify rule nomenclature across the different technologies.

...

Moreover, Kiuwan rules have been exhaustively reviewed to fully match their corresponding CWE identifier.

This renaming is completely transparent to previous analyses (the Kiuwan internal rule code remains unchanged), although you may find a different name for a rule due to these changes.

 

New Kiuwan Engine (XXXX)

Latest Kiuwan Engine (XXXX) contains XXXXXXXXXXXXXXXXXXX

 

New searching criteria for Defects and Rules

...