Created by N Padmavathi on Sep 25, 2020
1.5.6-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
44970 | Replace the vulnerable struts2-core-2.5.20.jar with struts2-core-2.5.33.jar. |
1.5.5-funcrel
Other Updates
Details |
---|
Improvements have been implemented to resolve a situation where a Struts operation was missed during the analysis. |
Fixed an issue causing "FileNotFoundError" exceptions in the log file. |
Fixed missing violation for "Avoid Duplicate Struts validation forms with the same name" (1042004). |
Rules
Rule Id | New Rule | Details |
---|---|---|
1042004 | FALSE | Fixed missing violations for the rule "Avoid Duplicate Struts validation forms with the same name". |
1.5.4-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
38055 | Fixed missing Struts Operation. |
Other Updates
Details |
---|
Upgrade internal API. Upgrade application level API to 1.6.13. |
1.5.3-funcrel
Rules
Rule Id | New Rule | Details |
---|---|---|
1042030 | FALSE | The rule: "Avoid using Default exclude patterns (excludeParams) for Struts 2.3.20 (and older)" has been set as critical. |
1042036 | FALSE | The rule: "Avoid Long request parameter names in Struts 2.0.0 - struts 2.3.4" has been set as critical. |
1.5.2-funcrel
Resolved Issues
Customer Ticket Id | Details |
---|---|
32427 | Missing Struts operation objects in the analyzed application |
30184 | Internal issue during parsing |
33313 | Internal issue during parsing |
1.5.1-funcrel
Link Improvements
Callee Type | Caller Type | Details |
---|---|---|
Struts Operation | Struts Operation | When a Struts operation called several Struts operations (through forward), only one link was created, to a randomly selected operation among all called operations. This has now been fixed. |
1.5.0-funcrel
Note
This release of the extension contains a number of rule-related improvements, which will have a significant impact on any existing analysis results generated with a previous release of the extension. When re-analyzing existing and unchanged source code with this new extension, you should therefore expect grade and violation changes. When using AIP Console, if you do not want this extension to be used, you should ensure that you implement an extension strategy to prevent the automatic download and installation of the extension. If you are onboarding a new application, CAST actively encourages you to use this new release to take advantage of the improvements that have been implemented.
Rules
Rule Id | New Rule | Details |
---|---|---|
1042010 | FALSE | Avoid using ParametersInterceptor with class parameter for Struts 2.3.16 (and older). Increased the Threshold. |
1042012 | FALSE | Avoid Unused Validation Form in Struts 1.x. Increased the Threshold. |
1042016 | FALSE | Avoid Struts action Mapping with disabled validator. Increased the Threshold. |
1042022 | FALSE | Avoid using CookieInterceptor with Struts 2.3.16 (and Older). Increased the Threshold. |
1042024 | FALSE | Avoid Unescaped User-controlled Input attribute in Struts 1.x and 2.x. Increased the Threshold. |
1042050 | FALSE | Avoid using special top object in struts 2.0.0 - struts 2.3.24. Increased the Threshold. |