Contents

Engine

  • QAK-5221 OPT.VB6.VBDC.VGNU low performance for one analysis.
  • QAK-5593 XML detected wrongfully as oracle forms.
  • QAK-5615 New rule CWE-759-Use of a One-Way Hash without a Salt.
  • QAK-5683 C files not parsed correctly.
  • QAK-5735 False Negative in "Guarantee that copies are made into storage of sufficient size" rule.
  • QAK-5921 False positive in OPT.CSHARP.PathTraversal and rule documentation improvement.
  • QAK-5922 Other language with the DUP code rule.
  • QAK-5926 OPT.HTML.ObsoleteElements rule improvement.
  • QAK-5928 OPT.HTML.AddLabelForInputField rule improvement.
  • QAK-6024 CORS coverage improvement.
  • QAK-6162 @Override considered in the "Always use specific exceptions in the throws clause" rule.
  • QAK-6277 KLA crash with Java analysis over JSP files.
  • QAK-6347 False negatives in Everis-IT_Cpp.
  • QAK-6365 A log warning is shown when CCN is below the threshold and may lead to low performance.
  • QAK-6414 OPT.JSP.SEC_JSP.TargetBlankVulnerability rule improvements.
  • QAK-6416 False positives in OPT.PYTHON.DJANGO.InsecureDirectObjectReferences rule.
  • QAK-6417 OPT.JAVA.SEC_JAVA.OpenRedirectRule improvement.
  • QAK-6418 Incorrect JSP/Razor (cshtml) data path lines.
  • QAK-6419 False positive in OPT.C.CERTC.MEM00 rule.
  • QAK-6422 Removed metafiles DTD files for specific technologies.
  • QAK-6425 CWE:400 'Regex Injection' instead of CWE:185.
  • QAK-6426 False positive in OPT.PLSQL.GEN_PLSQL.NDFexception.
  • QAK-6427 False negative in OPT.JAVASCRIPT.CrossSiteScripting.
  • QAK-6430 False negative in OPT.C.CERTC.EXP34 rule.
  • QAK-6437 False negative in OPT.JAVA.SEC_JAVA.CrossSiteScriptingRule.
  • QAK-6440 OPT.PHP.HttpSplitting rule enhancement.
  • QAK-6445 Rule OPT.XML.XSLT_MAN.NOUSEDPARAM only shows the last defect.
  • QAK-6446 Typescript not parsed correctly.
  • QAK-6447 Possible regression problems when analyzing Java files.
  • QAK-6448 Nullpointer in custom rule using com.als.core.rule.MetricThresholdsRule.
  • QAK-6452 Issue when analyzing with the rule OPT.COBOL.MAN_COBOL.VLIN: VALUES not aligned.
  • QAK-6454 False positive in the OPT.JAVA.IO.CS rule.
  • QAK-6456 Tainting propagation in method arguments improvement (.NET).
  • QAK-6457 Missing DataPath in OPT.CSHARP.OpenRedirect.
  • QAK-6458 .NET custom metadata malfunction for static method calls definitions.
  • QAK-6459 False positive in OPT.PYTHON.RELIABILITY.UnreachableCode.
  • QAK-6460 False positive "Avoid calling magic methods" in Python rule.
  • QAK-6463 C# parsing error in CSHTML files “MismatchedTokenException” has been fixed.
  • QAK-6464 Possible false positive in OPT.JAVA.CONV.ObjectTypeVerification.
  • QAK-6465 Kiuwan Local Analyzer does not execute JavaScript rules when there are only JSP files in basedir.
  • QAK-6468 OPT.ASPNET.CredentialsMisconfiguration error causes hardcoded password visibility.
  • QAK-6469 OPT.XML.XSLT_MAN.NONUSEDVARIABLES enhancement.
  • QAK-6470 OPT.JAVA.SEC_JAVA.SqlInjectionRule and metadata libraries support improvement.
  • QAK-6471 False negative in OPT.XML.XSLT_MAN.EFFICIENTUSEOFCHOOSE.
  • QAK-6473 False negative in OPT.VBNET.VBnet.RemoveUnusedLocals.
  • QAK-6477 False negative in OPT.JAVA.SEC_JAVA.XmlEntityInjectionRule.
  • QAK-6478 False negative in OPT.JAVASCRIPT.ERRORCOMUN.UnusedLocalVar.
  • QAK-6479 OPT.JSP.SEC_JSP.SpecifyIntegrityAttribute rule improvement.
  • QAK-6483 Unable to analyze application due to a timeout that killed the sub-process, java.lang.NullPointerException, and high CCN complexity in several files.
  • QAK-6485 JavaScript not parsed correctly.
  • QAK-6486 Two validations done in integration tests should be moved to standard rule test, and testImplementationClassExist() should test something.
  • QAK-6487 Swift 5 Language supported version enhancement.
  • QAK-6489 RPG not parsed correctly when using EndSr opcode as the user identifier.
  • QAK-6490 False positives in OPT.JAVA.RGME.EAOF.
  • QAK-6491 Upgrade support for C# from v7 to v8.
  • QAK-6492 Add support for MatchKind.fullsignature in VB.NET CallSignature.getMethodPredicate().
  • QAK-6495 COBOL file not parsed correctly.
  • QAK-6496 Parsing error in Cobol caused by the SWCOPY command.
  • QAK-6497 SQL file not parsed correctly.
  • QAK-6498 VB file not parsed correctly.
  • QAK-6500 CS file not parsed correctly.
  • QAK-6501 COBOL parsing error: “TYPE clause in data-description entry”.
  • QAK-6502 False positive in OPT.PLSQL.SEC.WeakSymmetricEncryptionAlgorithm.
  • QAK-6503 NPE and OOM error while analyzing C++ and Java application.
  • QAK-6504 TypeScript Technology not parsed correctly.
  • QAK-6505 Few .tsx files not parsed correctly.
  • QAK-6506 False positive in GamoraDevOps application.
  • QAK-6509 False positive in Helios application.
  • QAK-6512 Strict dataflow analysis limit in OPT.COBOL.SEC.DynamicStorageLeakRule when complexity threshold exceeded.
  • QAK-6513 Add support for 'this' receiver parameter (Java 8).
  • QAK-6526 OOM errors when analyzing Typescript.
  • QAK-6533 StackOverflowError IndirectTaintingSitesTask.

Kiuwan Local Analyzer

  • QAK-5593 rules_oracleforms.key error does not exist.
  • QAK-6511 Cobol file not parsed correctly.
  • SAS-4155 KLA filter rules by priority.

Kiuwan    

  • SAS-5152 When user deletes an analysis without label, many are hidden in the list.
  • SAS-5184 After the user logs in for the first time, it's required to change the default password.
  • SAS-5213 Comparison of Models is not matching correctly when the user "manually" returns the default values.
  • SAS-5321 After installing custom rule, the rule active status is NOK.
  • SAS-5323 Error when uploading only a jar file of custom rules.
  • SAS-5325 Error when downloading defects PDF in apps with large amounts of defects.
  • SAS-5326 Error in Insights checkpoint and partial delivery.
  • SAS-5390 Error in email notification after creating a new user.
  • SAS-5434 Explanation with invalid character cannot be inserted into DB.
  • SAS-5435 High memory consumption in session.
  • SAS-5437 Many alert notifications sent when unable to connect to the REDIS cluster.
  • SAS-5446 Distribution request to MongoDB from the mongo client in Kiuwan.
  • SAS-5450 The Endpoint /apps/list takes 116 seconds.

 
