
New CQM (v1.2.9) and Kiuwan Engine (XXXXX)

A new version of Kiuwan's CQM (v1.2.9) is available.

In short, v1.2.9 contains new rules for Python and JavaScript (Node.js).

These new rules ship with the new CQM together with the new Kiuwan Engine (XXXXXX).

Unless you have blocked Kiuwan Engine upgrades, Kiuwan Local Analyzer will automatically upgrade the engine to the latest version the next time an analysis is run.

Below you can find the new rules of CQM v1.2.9.

Please remember that you can also find these new rules by comparing v1.2.9 of CQM against previous versions.

New Python Rules

Support for Python (our most recently added technology) is being improved by adding new rules to the current set of 95.

This new release of Kiuwan adds 24 new rules to the current set, enhancing Python support. Below you can find a listing of these new rules:

  • OPT.PYTHON.PORTABILITY.HardcodedAbsolutePath : Improper control of resource identifiers ("Resource Injection")
  • OPT.PYTHON.SECURITY.ConnectionStringParameterPollution : Connection string polluted with untrusted input
  • OPT.PYTHON.SECURITY.CookiePoisoning : Cookie Poisoning  
  • OPT.PYTHON.SECURITY.CrossSiteRequestForgery : Cross-site request forgery (CSRF)
  • OPT.PYTHON.SECURITY.CrossSiteScripting : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • OPT.PYTHON.SECURITY.DoSRegexp : Potential denial-of-service attack through malicious regular expression (ReDoS)
  • OPT.PYTHON.SECURITY.HardcodedCredential : Empty or hardcoded passwords may compromise system security in a way that cannot be easily remedied
  • OPT.PYTHON.SECURITY.InsecureRandomness : Standard pseudo-random number generators cannot withstand cryptographic attacks
  • OPT.PYTHON.SECURITY.InsecureTransport : Insecure transport
  • OPT.PYTHON.SECURITY.MailCommandInjection : Mail Command Injection
  • OPT.PYTHON.SECURITY.PasswordInComments : Storing passwords or password details in plaintext anywhere in the system or system code can compromise system security
  • OPT.PYTHON.SECURITY.ResourceInjection : Improper control of resource identifiers ("Resource Injection") 
  • OPT.PYTHON.SECURITY.ServerInsecureTransport : Insecure transport in Node.js HTTP servers
  • OPT.PYTHON.SECURITY.ServerSideRequestForgery : Creation of requests from a vulnerable server using untrusted input (server side request forgery, SSRF)
  • OPT.PYTHON.SECURITY.StoredCrossSiteScripting : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • OPT.PYTHON.SECURITY.UnsafeCookie : Generate server-side cookies with adequate security properties
  • OPT.PYTHON.SECURITY.WeakCryptographicHash : Weak cryptographic hash
  • OPT.PYTHON.SECURITY.WeakEncryptionAlgorithm : Weak symmetric encryption algorithm
  • OPT.PYTHON.DJANGO.CookieBasedSessions : Cookie-based session with an unsafe configuration
  • OPT.PYTHON.DJANGO.InsecureDirectObjectReferences : Check for user authentication and/or authorization before letting a user modify a sensitive system resource
  • OPT.PYTHON.DJANGO.MassAssigmentAttack : Insufficient form field validation
  • OPT.PYTHON.DJANGO.MissingBrowserXssFilter : Secure browser XSS filter
  • OPT.PYTHON.DJANGO.MissingFunctionLevelAccessControl : Perform an authorization check when performing an action which requires authorization
  • OPT.PYTHON.DJANGO.WeakCryptographicHashInSettings : Weak cryptographic hashes cannot guarantee data integrity
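To make concrete what three of the rules above look for in source code, here is an added illustrative example: a small AST-based checker (written for this page, not Kiuwan's implementation or its actual detection logic) that flags the patterns behind OPT.PYTHON.SECURITY.HardcodedCredential, OPT.PYTHON.SECURITY.InsecureRandomness and OPT.PYTHON.SECURITY.WeakCryptographicHash, run over a constructed vulnerable snippet and its hardened counterpart. The rule names are taken from the list; the heuristics, the `find_findings` function and the sample snippets are assumptions made for the example.

```python
"""Illustrative mini-checker for three of the new Python rules.

Added example: a deliberately simple heuristic, not Kiuwan's real analysis.
"""
import ast

# Weak hash constructors that WeakCryptographicHash would report (assumption).
WEAK_HASHES = {"md5", "sha1"}
# Variable-name fragments that suggest a credential (assumption).
CREDENTIAL_NAMES = ("password", "passwd", "secret", "api_key")


def find_findings(source: str) -> list:
    """Return (rule_name, line_number) pairs found in the given Python source."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        # Calls of the form module.function(...)
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            mod = node.func.value
            if isinstance(mod, ast.Name):
                if mod.id == "hashlib" and node.func.attr in WEAK_HASHES:
                    findings.append(("WeakCryptographicHash", node.lineno))
                # random.* is a non-cryptographic PRNG; SystemRandom is the exception.
                elif mod.id == "random" and node.func.attr != "SystemRandom":
                    findings.append(("InsecureRandomness", node.lineno))
        # Assignments of a string literal to a credential-looking name
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(k in target.id.lower() for k in CREDENTIAL_NAMES)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append(("HardcodedCredential", node.lineno))
    return findings


# Constructed sample: the kind of code the three rules are meant to catch.
VULNERABLE = """import hashlib, random
DB_PASSWORD = "hunter2"
def make_token():
    return str(random.randint(0, 10**9))
def fingerprint(data):
    return hashlib.md5(data).hexdigest()
"""

# Constructed sample: the same functionality with the defects remediated.
HARDENED = """import hashlib, os, secrets
DB_PASSWORD = os.environ["DB_PASSWORD"]
def make_token():
    return secrets.token_hex(16)
def fingerprint(data):
    return hashlib.sha256(data).hexdigest()
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_findings(src))
```

Running the block prints three findings for the vulnerable snippet (hardcoded credential on line 2, non-cryptographic PRNG on line 4, weak hash on line 6) and none for the hardened one, which reads the credential from the environment, uses the `secrets` module for the token and SHA-256 for the fingerprint.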

New JavaScript / Node.js Rules

Support for JavaScript is also being improved by adding new rules to the current set of 150.

This new release of Kiuwan adds XXX new rules to the current set, enhancing JavaScript support. Below you can find a listing of these new rules (please remember that you can also find them by comparing v1.2.9 of CQM against previous versions).

New Kiuwan Engine (XXXX)

The latest Kiuwan Engine (XXXX) contains XXXXXXXXXXXXXXXXXXX

New search criteria for Defects and Rules

The Kiuwan ruleset keeps growing as we add new rules.

That is fine for analytics purposes, but searching and browsing the whole set of rules is becoming an important feature in its own right.

To that end, we have added new search criteria to the Defects and Rules pages:

  • Normative
  • Framework

You can use them right now to search more precisely for specific rules and defects.

Normatives

You can now filter your defects or your model's rules using the new "Normative" search field.

You can select one or more values among the most common and broadly accepted security and quality normatives: CWE, OWASP, CERT-Java/C/C++, SANS-Top25, WASC, PCI-DSS, NIST, MISRA, BIZEC, etc.

Framework

In the same way as with Normatives, you can now filter your defects or your model's rules using the new "Framework" search field.

You can select one or more values among the most common and broadly used programming frameworks: XXXX

Enhanced Calendar behavior

Kiuwan's Calendar behavior has been improved to better satisfy your filtering needs:

  • Both the FROM and TO dates are now taken into account (formerly, only the TO date was used to filter analysis data).
  • If no analyses are found within the selected date range, a warning page is displayed and you are offered the option to load all the analyses of the current application.
  • If you select a date range that leaves out the newest analyses of your application, a warning will inform you, so that you do not forget that the selected date range hides data for the newest analyses of your application.
