Versions Compared

Old Version 10

changes.mady.by.user Kiuwan Editor User

Saved on

compared with

New Version Current

changes.mady.by.user Kiuwan Editor User

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

 

...

 

New version of Kiuwan, CQM

...

, and Kiuwan Engine 

Info

Main features of this release are:

  1. Kiuwan CQM (v1.2.18) and Engine (*)
    • Support for SAP HANA - SQLScript (17 new rules for SQLScript)TypeScript has been unified with JavaScript (see XXXX)
    • Enhanced support for security in Python (24 new security rules)
    • Recategorization of TypeScript and Angular rules
    • Improved documentation of Java SQL-Injection and XSS rules
    • Bug fixing, performance and reliability issues improvements in rules for XXXXXX Java, Cobol, Abap, RPG, Java, JavaScript, ObjetiveC, JPS, C#, C++ , JavaScript and VB.NETEnhancements in XXXXXX parser:

  2. Kiuwan website
    • New passwords policy
      Blocking state of
  3. Kiuwan EngineKiuwan Insights
    • Enhanced readability of Software Licenses Terms
    • Improved analysis performance

 

 

 

Additional features of this new version are:

  • Support for detecting CWE-1022 vulnerabilities in HTML, JSP and ASP.NET

  • Bug fixing, performance and reliability issues in rules for Java, C++, JavaScript and VB.NET

  • Enhancements in JavaScript parser:

 

(*) You can find new rules by comparing this release of CQM against previous version.  

A detailed description of the behavior of these new rules is available in rule’s description.

Unless you have blocked Kiuwan Engine, Kiuwan Local Analyzer will automatically upgrade it to the last version once a new analysis is run.

In order for these new rules be applicable, your Kiuwan account must be configured to allow automatic engine upgrade:

  • If you are using CQM, these new rules will automatically become active and will be applied to new analyses.
    • If you are using your own custom model, you can activate them in case you want to be applied to your code.
      • and components/vulnerabilities detection

     

    Kiuwan CQM and Engine

    New SAP HANA SQLScript Rules

    As SAP is introducing many new programming technologies, more and more SAP users are confronted with new languages besides ABAP.

    One of these is SAP HANA SQLScript, which is used to develop high-performance stored procedures for the SAP HANA in-memory database. 

    iuwan Kiuwan adds support for SQLScript by providing a specific set of SQLScript rulesrules (*) that will apply to files with extensions: .sqlscript and .hana

    • OPT.HANA.EFFICIENCY.AvoidTraceInProduction 
    • OPT.HANA.EFFICIENCY.AvoidUsingCursors 
    • OPT.HANA.EFFICIENCY.DeeplyNestedSubqueries 
    • OPT.HANA.EFFICIENCY.ModificationStatementInLoop 
    • OPT.HANA.EFFICIENCY.NonTrivialSubquery 
    • OPT.HANA.EFFICIENCY.ReadsSqlDataNotSpecified 
    • OPT.HANA.EFFICIENCY.SelectInScalarFunction 
    • OPT.HANA.EFFICIENCY.UnusedVariable 
    • OPT.HANA.EFFICIENCY.UseOfCalculationEngineOperator 
    • OPT.HANA.MAINTAINABILITY.LanguageNotSpecified 
    • OPT.HANA.MAINTAINABILITY.UnusedCondition 
    • OPT.HANA.RELIABILITY.ImproperParameterUsage 
    • OPT.HANA.RELIABILITY.NonCustomErrorCode 
    • OPT.HANA.RELIABILITY.UseOfUninitializedVar 
    • OPT.HANA.SEC.ExcessivePrivilegesGranted 
    • OPT.HANA.SEC.ForbiddenCall 
    • OPT.HANA.SEC.SqlInjection

     

    New Python security rules

    • OPT.PYHTON.SECURITY.AvoidHostNameChecks 
    • OPT.PYHTON.SECURITY.TooMuchOriginsAllowed 
    • OPT.PYTHON.SECURITY.InsufficientSessionExpiration 
    • OPT.PYTHON.DJANGO.InsufficientDjangoSettingsSessionExpiration 
    • OPT.PYTHON.SECURITY.CookiesInSecurityDecision 
    • OPT.PYTHON.SECURITY.ExecutionAfterRedirect 
    • OPT.PYTHON.SECURITY.FormatStringInjection 
    • OPT.PYTHON.SECURITY.HardcodedCryptoKey 
    • OPT.PYTHON.SECURITY.HardcodedSalt 
    • OPT.PYTHON.SECURITY.HttpParameterPollution 
    • OPT.PYTHON.SECURITY.InformationExposureThroughErrorMessage 
    • OPT.PYTHON.SECURITY.InsufficientKeySize 
    • OPT.PYTHON.SECURITY.JSONInjection 
    • OPT.PYTHON.SECURITY.LdapInjection 
    • OPT.PYTHON.SECURITY.NonRandomIVWithCBCMode 
    • OPT.PYTHON.SECURITY.PasswordInConfigurationFile 
    • OPT.PYTHON.SECURITY.PasswordInRedirect 
    • OPT.PYTHON.SECURITY.PlaintextStorageInACookie 
    • OPT.PYTHON.SECURITY.PotentialInfiniteLoop 
    • OPT.PYTHON.SECURITY.TrustBoundary 
    • OPT.PYTHON.SECURITY.UncheckedInputInLoopCondition 
    • OPT.PYTHON.SECURITY.UnhandledSSLError 
    • OPT.PYTHON.SECURITY.UnsafeReflection 
    • OPT.PYTHON.SECURITY.UserControlledSQLPrimaryKey

     

    (*) You can find new rules by comparing this release of CQM against previous version.  

    A detailed description of the behavior of these new rules is available in rule’s description.

    Unless you have blocked Kiuwan Engine, Kiuwan Local Analyzer will automatically upgrade it to the last version once a new analysis is run.

    In order for these new rules be applicable, your Kiuwan account must be configured to allow automatic engine upgrade:

    • If you are using CQM, these new rules will automatically become active and will be applied to new analyses.
    • If you are using your own custom model, you can activate them in case you want to be applied to your code.

     

    ...

    Recategorization of TypeScript and Angular rules

    After adding support to TypeScript, it was not clear for many users that TypeScript support was embedded within JavaScript.

    ...

    • All existing JavaScript rules are able to distinguish between JavaScript  and TypeScript source code, acting accordingly.
    • Nevertheless, there are some rules specific to TypeScript (filter : Framework -> TypeScript )

    Besides, Angular rules have been cathegorized according to Angular versions:

    • Angular versions previous to 2.x : filter : Framework -> AngularJS
    • Angular versions equal or above 2.x  : filter : Framework -> Angular

     

    Kiuwan Website

    New Passwords Policy

    Kiuwan has implemented a more strict password policy that applies to password strength. 

    ...

    You can set your acccount's password policy at Account Management >> Password Policies tab (only available to account owner)

     

     

    Blocking state of Kiuwan Engine

    As you probably know, Kiuwan allows to "block" the engine, i.e. to freeze the version of Kiuwan engine so it's not automatically updated as a new one is available.

    This blocking mechanism is commoly used in some scenarios where the Kiuwan defects and indicators are used for very strict assessment purposes. 

    This blocking mechanism has its pros and cons, and you should carefully decide what's the mechanism that best suites to your needs.

    The blocking state of the engine was only available to account admins, Now, information about if the engine is or not blocked is available to any user.

    You can find it at Account Management >> Engine tab ( blocking/unblocking only available to account owner)

     

    Image Removed

    Kiuwan Insights

    Enhanced readability of Software Licenses Terms

    Kiuwan Insights has improved the information about software Licenses.

    ...