September 2025 change log

This change log includes updates to detectors made in September 2025.


Added and updated rules

1. [Java] [XML External Entity Detection] Added rule to detect unsafe XML parsing in DocumentBuilder, XMLInputFactory, SAXParser, TransformerFactory, and XMLDecoder without secure configurations.
2. [Java] [Server-Side Request Forgery Detection] Added rule to detect SSRF in OkHttp, Spring RestTemplate/WebClient, Apache HttpClient, Retrofit, and Async HTTP Client using user-controlled inputs.
3. [Java] [Unchecked Return Value Detection] Added rule to detect ignored return values in DynamoDB batch operations like batchSave(), batchWrite(), and transactionWrite().
4. [Java] [Null Pointer Dereference Detection] Added rule to detect potential null dereferences in chained method calls without proper validation.
5. [Java] [Insufficient Exception Handling Detection] Added rule to detect improper exception handling where exceptions are ignored or only logged.
6. [C#] [Mass Assignment Detection] Improved precision and recall for mass assignment vulnerability detection.
7. [C#] [Unvalidated Redirect Detection] Improved precision and recall for unvalidated redirect detection.
8. [C#] [LDAP Injection Detection] Improved precision and recall for LDAP injection detection.
9. [C#] [Untrusted Format Strings Detection] Improved precision and recall for untrusted format strings detection.
10. [C#] [Cross-Site Scripting Detection] Improved precision and recall for cross-site scripting detection.
11. [C#] [X509 Subject Name Validation Detection] Improved precision and recall for X509 subject name validation detection.
12. [Scala] [Parse Expression Detection] Improved precision and recall for parse expression detection.
13. [Scala] [Weak Message Digest Detection] Improved precision and recall for weak message digest detection.
14. [Scala] [Format String Manipulation Detection] Improved precision and recall for format string manipulation detection.
15. [Go] [Useless If Conditional Detection] Improved precision and recall for useless conditional detection.
16. [Java] [String Formatting in Logging Detection] Improved precision and recall for the string formatting in logging detection.
17. [Ruby] [Mass Assignment Detection] Improved precision and recall for mass assignment detection.
18. [Ruby] [SSL Verification Detection] Improved precision and recall for SSL verification bypass detection.
19. [Ruby] [Untrusted Deserialization Detection] Improved precision and recall for untrusted deserialization detection.
20. [JavaScript] [Insecure Deserialization Detection] Improved precision and recall for insecure deserialization detection.
21. [Kotlin] [CSRF Protection Detection] Enhanced CSRF detection by adding coverage for Ktor, Quarkus, Android WebView, OkHttp, and Spring REST controllers.
22. [Kotlin] [Code Injection Detection] Enhanced detection by consolidating patterns, expanding taint sources, and strengthening reflection and template handling (Freemarker/Thymeleaf).
23. [Scala] [Code Injection Detection] Enhanced detection for unsafe code execution by unifying HTML, reflection, eval, and template patterns across multiple frameworks.
24. [Scala] [CSRF Protection Detection] Enhanced rule to detect missing anti-forgery tokens in forms, APIs, and POST actions.
25. [C++] [CSRF Protection Detection] Enhanced rule to detect missing CSRF validation in POST/PUT/DELETE endpoints across httplib, Pistache, cpp-netlib, and cpp-rest-sdk.
26. [C++] [Path Traversal Detection] Enhanced detection for unsafe file path handling and directory traversal in file operations.
27. [C++] [Stack Address Return Detection] Enhanced rule to reduce false positives by adding function context and excluding global variables.
28. [C++] [Memory Address Exposure Detection] Fixed false positives by excluding hexadecimal-formatted integers.
29. [Python] [Log Injection Detection] Enhanced detection for unsafe user input in logging.info(), logger.debug(), and print() statements.
30. [JavaScript] [Log Injection Detection] Enhanced detection for unvalidated user input in console.log() and logger functions.
31. [JavaScript] [Path Traversal Detection] Enhanced rule to detect unsafe file path construction and directory traversal attempts.
32. [TypeScript] [CSRF Protection Detection] Enhanced rule to detect missing CSRF protection in Express.js routes, fetch/axios calls, and unsafe state-changing APIs.
33. [PHP] [Path Traversal Detection] Enhanced rule to detect unsafe file path use in include, require, and file_get_contents operations.
34. [PHP] [CSRF Protection Detection] Enhanced detection for missing CSRF tokens in forms, POST handlers, and session-based operations.
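To make the first Java rule concrete, the following is an added example (it is not code from this change log, from the detector, or from its test corpus) showing the kind of parsing the XML External Entity rule flags beside the hardened factory configurations that satisfy it, for four of the five APIs the rule names: DocumentBuilder, SAXParser, XMLInputFactory and TransformerFactory. It assumes the JDK's built-in JAXP implementation (the Xerces-derived parser), which is what the `http://apache.org/xml/...` and `http://xml.org/sax/...` feature URIs below are understood by; the XXE payload is constructed for the example and points at a local file that may not exist on every machine.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Vulnerable form: a factory with default settings. On a JDK whose default
    // parser still resolves DTDs, this expands the external entity.
    static Document parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Hardened DocumentBuilderFactory: refuse any DOCTYPE outright, and turn off
    // external entities, external DTD loading and XInclude as defence in depth.
    static DocumentBuilderFactory secureDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Hardened SAXParserFactory: the same feature set as the DOM factory.
    static SAXParserFactory secureSaxParserFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf;
    }

    // Hardened StAX factory: DTD support and external entity resolution off.
    static XMLInputFactory secureXmlInputFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    // Hardened TransformerFactory: block external DTDs and stylesheets, since an
    // attacker-supplied stylesheet is another channel for the same file read.
    static TransformerFactory secureTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload for this example: a classic XXE that points
        // an external entity at a local file.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
                + "<foo>&xxe;</foo>";

        try {
            Document doc = parseWithDefaults(xxe);
            System.out.println("default parser expanded the entity to: "
                    + doc.getDocumentElement().getTextContent().trim());
        } catch (Exception e) {
            System.out.println("default parser failed (file may not exist here): " + e.getMessage());
        }

        try {
            secureDocumentBuilderFactory().newDocumentBuilder()
                    .parse(new InputSource(new StringReader(xxe)));
            System.out.println("unexpected: hardened parser accepted the DOCTYPE");
        } catch (SAXException e) {
            // Expected path: the parser reports that DOCTYPE is disallowed.
            System.out.println("hardened parser rejected the input: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE declaration is the single setting that closes the whole class of attack, including billion-laughs entity expansion; the other features matter when an application must accept documents with a DTD and can only switch off external resolution. The fifth API the rule names, java.beans.XMLDecoder, has no equivalent hardening: it instantiates classes and invokes methods described by the XML it reads, so the only sound fix for a finding there is to stop feeding it untrusted input.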

Disabled rules

The following rules were disabled due to a high false positive rate:

1. Java: java-generic-exception-throws
2. Python: python-import-specific-module-from-library
3. Python: python-log-injection-ide
4. Shell: shell-literal-carriage-return
5. Shell: shell-unquoted-variables
6. JavaScript: javascript-missing-authorization
7. JavaScript: javascript-log-injection-ide
8. JavaScript: javascript-jsx-not-internationalized
9. C: c-use-of-uninitialized-variable
10. TypeScript: typescript-no-sql-injection-ide