November 2025 change log

This change log includes updates to detectors made in November 2025.


Added and updated rules

Multi-language

Enhanced Coverage

Improved performance by reducing false positives through better recognition of safe coding patterns:

  • multilanguage-hardcoded-dns

    • Improved DNS IP pattern regex with negative lookbehind/lookahead to avoid matching IP patterns within larger numbers
    • Fixed false positives where DNS patterns were part of longer numeric sequences or identifiers
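The tightened IPv4 matcher described for multilanguage-hardcoded-dns, shown as an added Python illustration rather than the detector's own regex: a naive pattern and a lookaround-guarded one are constructed here and run over a constructed source snippet, so the false positives the change removes are visible side by side.

```python
import re

# Constructed illustration of the fix, not the detector's actual regex.
# One IPv4 octet (0-255) and a four-octet dotted literal.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"

# Before: matches anywhere, so an IP-shaped run inside a longer number or a
# version-like identifier is reported as a hardcoded DNS server.
NAIVE_RE = re.compile(_IPV4)

# After: negative lookbehind/lookahead reject a digit or '.' on either side,
# so the four octets must form a standalone token.
STRICT_RE = re.compile(rf"(?<![\d.]){_IPV4}(?![\d.])")

# Constructed source snippet: one genuine resolver literal (documentation
# TEST-NET-1 range) plus two identifiers that merely look like IPs.
SAMPLE_SOURCE = '''\
DNS_SERVER = "192.0.2.53"            # hardcoded resolver: should be flagged
BUILD_ID = "1.2.3.4567"              # version-like identifier: should not
checksum = "20251130.192.0.2.53"     # IP shape buried in digits: should not
'''

def find_ip_literals(source: str, strict: bool = True) -> list[str]:
    """Return the IPv4-looking literals a detector would report in `source`."""
    pattern = STRICT_RE if strict else NAIVE_RE
    return [m.group(0) for m in pattern.finditer(source)]

def false_positives_removed(source: str) -> list[str]:
    """Matches the naive pattern reports that the lookaround-guarded one drops."""
    strict_hits = find_ip_literals(source, strict=True)
    return [ip for ip in find_ip_literals(source, strict=False)
            if ip not in strict_hits]

if __name__ == "__main__":
    print("naive :", find_ip_literals(SAMPLE_SOURCE, strict=False))
    print("strict:", find_ip_literals(SAMPLE_SOURCE, strict=True))
```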

Java

Enhanced Coverage

Improved performance by reducing false positives through better recognition of safe coding patterns:

  • java-poor-logging-practice

    • Enhanced to exclude PrintWriter and PrintStream usage patterns from detection
    • Multiple System.out.println statements in the same method are consolidated into a single finding reported as "Similar issue at line number X, Y, Z" to reduce noise
  • java-check-uncaught-exceptions

    • Enhanced to reduce false positives by properly recognizing safe patterns:
      • Test methods annotated with @Test excluded from exception handling checks
      • Mock test scenarios with mocked AWS SDK calls that don't propagate real exceptions
      • Unit test code patterns where exception handling recommendations don't apply
  • java-missing-release-of-resources

    • Enhanced to reduce false positives by properly recognizing safe patterns:
      • System.in usage patterns that don't require explicit closing
      • Resources properly closed in finally blocks
      • Close method patterns including closeQuietly for proper resource cleanup
      • try-catch-finally blocks with proper resource management
  • java-step-function-input-file

    • Enhanced to check for AWS::StepFunctions::StateMachine presence before detecting violations

Python

Enhanced Coverage

Improved performance by reducing false positives through better recognition of safe coding patterns:

  • python-empty-container-check

    • Enhanced to reduce false positives by properly recognizing safe patterns:
      • Assertion contexts where len() checks are used with AssertionError patterns for validation
      • Union type definitions that require explicit length validation checks
      • Test scenarios where len() usage is legitimate for matrix validation and data structure verification
  • python-aware-datetime-with-tzinfo

    • Enhanced to reduce false positives by properly recognizing safe patterns:
      • Time difference calculations between two datetime.now() calls where timezone information is not required
      • Datetime objects used with .astimezone() or .replace(tzinfo=...) methods for explicit timezone handling
      • Timestamp conversion scenarios where timezone-aware datetime objects are properly created before .timestamp() calls
    • Added detection for the methods deprecated since Python 3.12 (datetime.utcnow() and datetime.utcfromtimestamp())
  • python-log-injection

    • Updated rule to reduce false positives by:
      • Converting from method-based to file-based rule implementation
      • Adding detection for logger.addFilter() to prevent false positives
      • Refactoring tests to match the new file-based approach
      • Adding test cases for false positive scenarios
  • python-s3-copy-bucket-owner

    • Enhanced to check for both ExpectedBucketOwner and ExpectedSourceBucketOwner parameters
    • Ensures the rule identifies cases where bucket owner validation is completely missing rather than partially implemented
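The safe and deprecated patterns listed above for python-aware-datetime-with-tzinfo, as an added Python example (not the detector's code): it shows why a naive datetime passed to .timestamp() drifts by the host's UTC offset, the .replace(tzinfo=...) fix the rule now accepts, and the DeprecationWarning that datetime.utcnow() emits on Python 3.12 and later. The fixed wall-clock value is constructed.

```python
import sys
import warnings
from datetime import datetime, timezone

# Constructed sample: a naive wall-clock value that is known to be UTC,
# which is exactly what the deprecated datetime.utcnow() hands back.
NAIVE_UTC = datetime(2025, 11, 1, 12, 0, 0)
PY312_OR_LATER = sys.version_info >= (3, 12)

def naive_timestamp(dt: datetime) -> float:
    """The pattern the rule flags: with tzinfo=None, .timestamp() interprets the
    value in the host's local time zone, so the epoch value is wrong off UTC hosts."""
    if dt.tzinfo is not None:
        raise ValueError("expected a naive datetime")
    return dt.timestamp()

def aware_timestamp(dt: datetime) -> float:
    """Safe pattern the rule now recognises: attach tzinfo before .timestamp()."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # wall clock is known to be UTC
    return dt.timestamp()

def local_skew_seconds(dt: datetime) -> float:
    """Drift of the naive result from the true epoch value on this host: equal
    to the local UTC offset, and 0 only when the host itself runs in UTC."""
    return aware_timestamp(dt) - naive_timestamp(dt)

def utcnow_is_deprecated() -> bool:
    """datetime.utcnow() emits DeprecationWarning from Python 3.12 onwards,
    which is why the rule now reports it alongside datetime.utcfromtimestamp()."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        datetime.utcnow()
    return any(issubclass(w.category, DeprecationWarning) for w in caught)

def now_utc() -> datetime:
    """Drop-in replacement for datetime.utcnow(): aware, so .timestamp() and
    .astimezone() behave the same on every host."""
    return datetime.now(timezone.utc)

if __name__ == "__main__":
    print("aware   :", aware_timestamp(NAIVE_UTC))
    print("naive   :", naive_timestamp(NAIVE_UTC))
    print("skew (s):", local_skew_seconds(NAIVE_UTC))
```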

JavaScript

Enhanced Coverage

Improved performance by reducing false positives through better recognition of safe coding patterns:

  • javascript-lazy-load-module

    • Enhanced to reduce false positives by properly recognizing safe patterns:
      • Top-level static module imports at file initialization level
      • Static CDN/URL imports that use hardcoded URL strings (recognized by regex pattern matching)
      • Standard Node.js module loading patterns that don't impact request handling performance
  • javascript-hardcoded-credentials-ide

    • Implemented robust exclusions for safe patterns using environment variables and configuration getters
    • Updated regex patterns to better identify risky credential assignment patterns across multiple JavaScript contexts
    • Enhanced detection for function returns, object setters, and method parameters with hardcoded credentials
  • javascript-csrf-missing-protection

    • Added comprehensive pattern detection for state-changing HTTP requests (POST, PUT, PATCH, DELETE) across multiple frameworks including Express.js, Fastify, Koa, Axios, and Fetch API
    • Implemented robust exclusions for safe patterns including CSRF middleware, authentication handlers, secure cookie configurations, and protected routes with proper CSRF token validation
    • Enhanced detection with extensive pattern matching for vulnerable endpoints including client-side AJAX requests missing CSRF headers and server-side routes without CSRF protection

PHP

Enhanced Coverage

Improved performance by reducing false positives through better recognition of safe coding patterns:

  • php-laravel-eloquent-sql-injection-ide

    • Added comprehensive taint source detection for user-controlled inputs from HTTP requests, file operations, session data, and JSON parsing, with robust sanitization patterns for Laravel's built-in security features (parameter binding, validation, and safe query methods)
    • Implemented pattern matching to identify risky SQL injection vulnerabilities across Laravel/Eloquent contexts including raw queries, dynamic table names, and unsafe method calls
    • Enhanced detection with extensive sink patterns covering Laravel Query Builder methods, Eloquent ORM operations, and raw SQL execution contexts

Disabled rules

The following rules were temporarily disabled because of a high false-positive rate:

  • java-insufficient-exception-handling
  • java-avoid-string-formatting-in-logging
  • java-null-pointer-parameter-dereference