Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


...

 

New version of CQM (v1.2.17) and Kiuwan Engine

Info

A new version of Kiuwan's CQM and Engine is available.

 

Main features of this new release are:

  • Support for TypeScript
    • 30 new rules specifically suited to TypeScript (tagged as "typescript")
    • most of the existing JavaScript rules have been improved to work also on TypeScript code
  • Enhanced integration with SAP
    • A completely new SAP Extractor for Kiuwan is available, allowing seamless integration of Kiuwan with SAP
    • Visit SAP Extractor for Kiuwan for further information

The previous version of this page (the v1.2.15 release) listed these features instead:

  • New PHP security rules (10)
  • Improved Java support with new rules for Android (7) and support for Play Framework
  • New security rules (2) for Django (Python)

    Additional features of this new version are:

    • Support for detecting CWE-1022 (Use of Web Link to Untrusted Target with window.opener Access) in HTML, JSP and ASP.NET
    • Bug fixes and performance and reliability improvements in rules for Java, C++, JavaScript and VB.NET
    • Enhancements in the JavaScript parser
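    CWE-1022 covers links that open an untrusted target with target="_blank" and so hand the new page a window.opener reference it can use to navigate the original tab (reverse tabnabbing). The check below is an example added here, not Kiuwan's rule implementation: it walks HTML, JSP or ASP.NET markup with Python's html.parser and reports anchors, image-map areas and forms that open a new browsing context without rel="noopener" or rel="noreferrer". The JSP fragment it runs on is constructed for the example.

```python
"""Illustrative CWE-1022 check (added example, not Kiuwan's rule implementation).

A link with target="_blank" gives the opened page a window.opener reference unless
rel="noopener" (or rel="noreferrer", which implies it) is present; an untrusted
target can use that reference to redirect the original tab (reverse tabnabbing).
"""
from html.parser import HTMLParser

NEW_CONTEXT_TAGS = ("a", "area", "form")  # tags that honour target="_blank"
SAFE_REL_TOKENS = {"noopener", "noreferrer"}


class OpenerLinkFinder(HTMLParser):
    """Collects tags that open a new browsing context and keep window.opener."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, destination)

    def handle_starttag(self, tag, attrs):
        if tag not in NEW_CONTEXT_TAGS:
            return
        attrs = {name: (value or "") for name, value in attrs}  # names arrive lowercased
        if attrs.get("target", "").strip().lower() != "_blank":
            return
        rel_tokens = set(attrs.get("rel", "").lower().split())  # rel is a space-separated token list
        if rel_tokens & SAFE_REL_TOKENS:
            return
        line, _column = self.getpos()
        destination = attrs.get("href") or attrs.get("action") or ""
        self.findings.append((line, tag, destination))


def find_cwe1022(markup: str):
    """Return [(line, tag, destination)] for every target="_blank" without noopener/noreferrer."""
    parser = OpenerLinkFinder()
    parser.feed(markup)
    parser.close()
    return parser.findings


# Constructed JSP fragment for the example; the "Docs" link shows the hardened form.
SAMPLE_JSP = """\
<!-- constructed sample, not from the original page -->
<a href="https://partner.example/offer" target="_blank">Partner offer</a>
<a href="${nextUrl}" target="_blank">Continue</a>
<a href="https://docs.example/" target="_blank" rel="noopener noreferrer">Docs</a>
<a href="/internal" target="_self">Internal</a>
<form action="https://pay.example/checkout" method="post" target="_blank"></form>
"""

if __name__ == "__main__":
    for line, tag, dest in find_cwe1022(SAMPLE_JSP):
        print(f"line {line}: <{tag}> to {dest!r} opens a new context with window.opener access")
```

    Current browsers treat target="_blank" as implying noopener, but window.open() calls and older browsers do not, which is why an explicit rel attribute is still the fix the rule expects. The check only sees literal tags: a server control such as an ASP.NET HyperLink with Target="_blank" renders an <a> at runtime and needs its own pattern, and a tainted href (the "${nextUrl}" link above) is the case where the missing rel matters most.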

     

    New ABAP rules (17) (listed in the previous version of this page, v1.2.15)

    You can find these new rules by comparing this release of CQM against the previous version.

    A detailed description of the behavior of each new rule is available in the rule's description.

    Unless you have blocked Kiuwan Engine upgrades, Kiuwan Local Analyzer will automatically upgrade the engine to the latest version the next time an analysis is run.

    For these new rules to be applicable, your Kiuwan account must be configured to allow automatic engine upgrades:

    • If you are using CQM, the new rules become active automatically and are applied to new analyses.
    • If you are using your own custom model, you need to activate them in the model if you want them applied to your code.

     

    New TypeScript Rules

    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidAliasingInputOutput
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidForwardRefs
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidImpurePipes
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidNoneViewEncapsulation
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidPrefixingOutput
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.AvoidTemplateAsyncNegation
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.DecoratorIncompatibility

    New PHP Security Rules (listed in the previous version of this page, v1.2.15)

    • OPT.PHP.SEC.PlaintextStorageInACookieRule
    • OPT.PHP.SEC.InsufficientSessionExpirationRule
    • OPT.PHP.SEC.CookiesInSecurityDecision
    • OPT.PHP.SEC.CrossSiteHistoryManipulation
    • OPT.PHP.SEC.InsufficientKeySizeRule
    • OPT.PHP.SEC.TrustBoundaryViolationRule
    • OPT.PHP.SEC.UncheckedInputInLoopCondition
    • OPT.PHP.SEC.ImproperValidationOfArrayIndex
    • OPT.PHP.SEC.UserControlledSQLPrimaryKey
    • OPT.PHP.SEC.PotentialInfiniteLoop

    New TypeScript Rules (continued)

    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.InvalidPipeImplementation
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.NamingConventions
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.NoParameterAttributeDecorator

    Improved Java support (Android and Play Framework) (listed in the previous version of this page, v1.2.15)

    Android support has been improved with the addition of new rules:

    • OPT.JAVA.ANDROID.ReceiverWithoutPermission
    • OPT.JAVA.ANDROID.PrivilegeEscalationAttack
    • OPT.JAVA.ANDROID.ExportedProvider
    • OPT.JAVA.ANDROID.ExportedActivity
    • OPT.JAVA.ANDROID.CheckLocationPermission
    • OPT.JAVA.ANDROID.CheckInternetPermission
    • OPT.JAVA.ANDROID.CheckExternalStoragePermission

    Also, support for Play Framework (OPT.JAVA.SEC_JAVA.PlaySecurityMisconfiguration) has been added to Kiuwan.
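    Several of the Android rules above (ExportedActivity, ExportedProvider, ReceiverWithoutPermission) concern components that other apps on the device can reach. The check below is an example added here, not Kiuwan's rule logic: it parses an AndroidManifest.xml with the standard library and reports activities, services, receivers and providers that are exported, either explicitly or implicitly through an intent-filter, without an android:permission. The manifest is constructed for the example; the launcher-activity exclusion and the provider read/write-permission rule are this example's own choices.

```python
"""Illustrative check for exported Android components without a permission (added example,
not Kiuwan's rule logic; approximates what OPT.JAVA.ANDROID.ExportedActivity,
ExportedProvider and ReceiverWithoutPermission look for).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android(attr: str) -> str:
    """ElementTree attribute key for android:<attr>."""
    return f"{{{ANDROID_NS}}}{attr}"


def is_exported(component) -> bool:
    """True when other apps can reach the component.

    With no explicit android:exported the platform defaults apply: a component with an
    intent-filter is exported on API < 31 (API 31+ refuses to install such a manifest), and a
    provider is exported on API < 17. Both are treated as exported here for review.
    """
    explicit = component.get(android("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def is_launcher(component) -> bool:
    """The launcher activity must be exported; skip it to avoid a guaranteed false positive."""
    for category in component.iter("category"):
        if category.get(android("name")) == "android.intent.category.LAUNCHER":
            return True
    return False


def is_protected(component) -> bool:
    """A permission on the component, or read AND write permissions on a provider."""
    if component.get(android("permission")):
        return True
    if component.tag == "provider":
        return bool(component.get(android("readPermission")) and component.get(android("writePermission")))
    return False


def find_unprotected_exports(manifest_xml: str):
    """Return [(tag, android:name, 'explicit'|'implicit')] for exported components with no permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for component in app:
        if component.tag not in COMPONENT_TAGS or not is_exported(component):
            continue
        if component.tag == "activity" and is_launcher(component):
            continue
        if is_protected(component):
            continue
        how = "explicit" if component.get(android("exported")) is not None else "implicit"
        findings.append((component.tag, component.get(android("name")), how))
    return findings


# Constructed manifest for the example; SecureProvider and SmsReceiver show the protected form.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true"/>
    <provider android:name=".SecureProvider" android:authorities="com.example.app.secure"
              android:exported="true" android:readPermission="com.example.app.READ"
              android:writePermission="com.example.app.WRITE"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:exported="true"
              android:permission="android.permission.BROADCAST_SMS"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, how in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f'<{tag} android:name="{name}"> is exported ({how}) with no android:permission')
```

    The implicit case (BootReceiver) is the one worth reviewing first: it is exported only because of the intent-filter default, and the fix is to add android:exported="false" when the component is internal, or a permission when it is meant to be called by other apps. A provider with only a readPermission still accepts writes from anyone, which is why the example requires both.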

    Enhanced Django Python support (listed in the previous version of this page, v1.2.15)

    Existing security rules for the Django framework have been enhanced with support for new sinks and sources, as well as improvements in taint propagation.

    Besides, 2 new security rules have been added to the current Django set:

    • OPT.PYTHON.SECURITY.MemcachedInjection
    • OPT.PYTHON.SECURITY.InformationExposureThroughDebugLog

    You can find the Django rules by filtering by the "Django" framework in the CQM model.
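    MemcachedInjection names the case where tainted data reaches a memcached key. The memcached text protocol separates the key from the rest of the command with a space and terminates commands with CRLF, so a key built from user input can end the intended command and start new ones. The example below is added here and is neither Kiuwan's nor Django's code: it shows the injection at the wire level with a minimal command encoder and a server-side tokenizer, then a key derivation that keeps untrusted bytes off the wire. The attack string is constructed; the "session:" prefix and the digest fallback are this example's own choices.

```python
"""Illustrative memcached key injection and its fix (added example, not Kiuwan's rule or Django code).

The memcached text protocol is line oriented: "set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n".
Keys are delimited by spaces and commands by CRLF, so untrusted bytes inside a key can
terminate the intended command and start new ones.
"""
import hashlib
import re

# Protocol constraint for keys: 1..250 bytes of printable ASCII, no whitespace or control characters.
VALID_KEY = re.compile(rb"[\x21-\x7e]{1,250}")
KEY_PREFIX = b"session:"


def set_command(key: bytes, value: bytes, ttl: int = 0) -> bytes:
    """Encode a 'set' the way a permissive client would put it on the wire (no key validation)."""
    return b"set %s 0 %d %d\r\n%s\r\n" % (key, ttl, len(value), value)


def parse_wire(data: bytes):
    """Tokenize a client stream the way a memcached server would.

    Returns [(command, key, payload)]. Storage commands consume a <bytes>-long data block;
    anything else is treated as a single-line command.
    """
    storage = {b"set", b"add", b"replace", b"append", b"prepend"}
    commands = []
    buf = data
    while buf:
        line, sep, buf = buf.partition(b"\r\n")
        if not sep:
            break  # incomplete trailing line
        parts = line.split(b" ")
        cmd = parts[0]
        if cmd in storage and len(parts) >= 5 and parts[4].isdigit():
            size = int(parts[4])
            payload, buf = buf[:size], buf[size:]
            if buf.startswith(b"\r\n"):
                buf = buf[2:]
            commands.append((cmd, parts[1], payload))
        else:
            commands.append((cmd, parts[1] if len(parts) > 1 else None, None))
    return commands


def vulnerable_session_key(user_id: str) -> bytes:
    """Tainted input concatenated straight into the key: the pattern the rule flags."""
    return KEY_PREFIX + user_id.encode("utf-8")


def safe_session_key(user_id: str) -> bytes:
    """Keep untrusted bytes off the wire: pass through input that satisfies the protocol
    constraint, otherwise substitute a fixed-length digest of the raw input.
    (Rejecting with an exception is the other reasonable choice.)"""
    raw = user_id.encode("utf-8")
    if VALID_KEY.fullmatch(raw) and len(KEY_PREFIX) + len(raw) <= 250:
        return KEY_PREFIX + raw
    return KEY_PREFIX + hashlib.sha256(raw).hexdigest().encode("ascii")


# Constructed attack input: closes the intended "set", stores an attacker value under another
# user's key, and leaves the client's own trailing " 0 0 5\r\nguest" as junk the server rejects.
ATTACK_USER_ID = "alice 0 0 5\r\nguest\r\nset session:admin 0 0 5\r\nadmin\r\nget session:x"

if __name__ == "__main__":
    for label, key_fn in (("vulnerable", vulnerable_session_key), ("safe", safe_session_key)):
        wire = set_command(key_fn(ATTACK_USER_ID), b"guest")
        print(label, [(cmd, key) for cmd, key, _payload in parse_wire(wire)])
```

    Common client libraries, and Django's memcached cache backends on top of them, validate keys and reject or warn on whitespace and control characters, so in practice the exploitable sink is code that speaks the protocol itself or a client with that validation bypassed. A taint rule still reports user data reaching the key argument because that protection belongs to the library, not to the application, and the safe form above is what removes the finding.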

    New ABAP Rules (listed in the previous version of this page, v1.2.15)

    • OPT.ABAP.SEC.UsagesOfSyUname
    • OPT.ABAP.SEC.UsagesOfSySysid
    • OPT.ABAP.SEC.RfcDestinationInjection
    • OPT.ABAP.SEC.RfcCallbackAttack
    • OPT.ABAP.SEC.NoAuthorizationGroup4Table
    • OPT.ABAP.SEC.HardcodedUsernameCheck
    • OPT.ABAP.SEC.DangerousFileUpload
    • OPT.ABAP.SEC.DangerousFileDownload
    • OPT.ABAP.SEC.Calls2CriticalFunctions
    • OPT.ABAP.SEC.AuthorityChecks
    • OPT.ABAP.RELIABILITY.UncaughtExceptionInRfcCall
    • OPT.ABAP.RELIABILITY.ModifiedInputParameter
    • OPT.ABAP.RELIABILITY.LogicDependingOnTextSymbols
    • OPT.ABAP.RELIABILITY.DirectRecursiveCall
    • OPT.ABAP.PORTABILITY.DeprecatedAsyncronousRFC
    • OPT.ABAP.EFFICIENCY.LoopAtInto
    • OPT.ABAP.EFFICIENCY.JoinInsteadOfSelectInLoop

    New TypeScript Rules (continued)

    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseHostDecorator
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseInjectableDecorator
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseInputDecorator
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseLifeCycleInterface
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseOutputDecorator
    • OPT.JAVASCRIPT.TYPESCRIPT.ANGULAR.UseTrackBy
    • OPT.JAVASCRIPT.TYPESCRIPT.AvoidAnnotatingInferableTypes
    • OPT.JAVASCRIPT.TYPESCRIPT.AvoidCastingIObjectLiterals
    • OPT.JAVASCRIPT.TYPESCRIPT.NoEmptyInterface
    • OPT.JAVASCRIPT.TYPESCRIPT.NoReturnTypeAny
    • OPT.JAVASCRIPT.TYPESCRIPT.PreferReadOnly
    • OPT.JAVASCRIPT.TYPESCRIPT.ReviewNonNullAssertions
    • OPT.JAVASCRIPT.TYPESCRIPT.SkipInternalModuleOrNamespace
    • OPT.JAVASCRIPT.TYPESCRIPT.TooManyClassesPerFile
    • OPT.JAVASCRIPT.TYPESCRIPT.UselessTypeCast
    • OPT.JAVASCRIPT.TYPESCRIPT.UselessTypeIntersection
    • OPT.JAVASCRIPT.TYPESCRIPT.UsePrimitiveTypes
    • OPT.JAVASCRIPT.TYPESCRIPT.UseTypeAlias
    • OPT.JAVASCRIPT.TYPESCRIPT.UseTypeAnnotations
    • OPT.JAVASCRIPT.UnhandledPromise

    ...