March 2025 change log

This change log includes updates to detectors made in March 2025.


Added and updated rules

1. [PHP] Added SQL injection rule for these libraries: MySQL, SQLite, PostgreSQL, Oracle, MongoDB, DynamoDB and PDO. This rule covers cases where untrusted user input is passed to these libraries for execution.
2. [Java] Added new rules to detect potential code quality and performance issues in exception handling, loop constructs, and string operations.
3. [Java] Added a new rule to identify common date and time formatting mistakes in Java applications, with a focus on detecting the misuse of the 'YYYY' format pattern, which can lead to incorrect year representations.
4. [Python] Added rule to discourage the use of strptime for parsing ISO dates, promoting more robust alternatives.
5. [Go] Added rule for detecting hardcoded credentials in database connections, SMTP and other libraries / APIs where we are certain that the string is a hardcoded credential.
6. [Kotlin] Enhanced detection of hardcoded credentials, including access tokens, API keys, and AWS credentials. Expanded coverage for third-party libraries (Jedis, HTTP headers) and database connections (MongoDB, Redis).
7. [Kotlin] Enhanced Cross-Site Scripting (XSS) detection, including expanded source and sink pattern recognition across multiple frameworks (Ktor, Servlets, AWS Lambda).
8. [Kotlin] Enhanced log injection detection, including expanded source pattern recognition across multiple frameworks (Ktor, Spark, AWS Lambda) and enhanced sink pattern detection for various logging frameworks.
9. [Kotlin] Enhanced SQL injection detection, including expanded source pattern recognition across multiple web frameworks and enhanced sink pattern detection for various database access methods and ORM frameworks. Added support for JDBC, PostgreSQL, Apache Commons DBUtils, JDBI, SQLDelight, JOOQ, Exposed, and Ktorm.
10. [Go] Enhanced SQL injection rule by only considering sources from HTTP request objects.
11. [Go] Enhanced log injection rule: logging the length of an object is safe and does not constitute a log injection vulnerability.
12. [Scala] Enhanced XSS detection capabilities across multiple Scala web frameworks, including Scalatra, Play Framework, and Akka HTTP. Added support for various HTTP methods, directives, and request parsing techniques.
13. [Scala] Enhanced CRLF injection detection in Scala applications across multiple web frameworks. Expanded coverage of input sources, including Scalatra, Play Framework, and Akka HTTP methods.
14. [JavaScript] Enhanced hardcoded credential detection by recognizing proper use of dynamic AWS role assumption and secure runtime credential retrieval, aligning with security best practices.
15. [JavaScript] Enhanced DoS attack detection to focus on cases with tainted user input, reducing false positives.
16. [JavaScript] Enhanced unsanitized query detection, with a focus on sequelize.query usage.
17. [JavaScript] Enhanced XSS detection for parameters used directly in an href attribute, which were previously all treated as potentially unsafe; the updated rule more accurately recognizes secure handling of user input.
18. [C] Enhanced precision of bitwise operation checks on signed operands to reduce false positives.
19. [Python] Updated crypto compliance checks to correctly handle SHA-512 usage from the pyCrypto library, addressing false positives.
20. [TypeScript] Enhanced missing-encryption-of-sensitive-data-cdk by verifying that the ElastiCache Redis cluster correctly implements encryption in transit, with the 'transitEncryptionEnabled' property set to true in a more complex, but secure, configuration pattern.
21. [Java] Fixed a false positive alert for unhandled-exceptions by adding a more appropriate way to handle JsonProcessingException.
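Items 3 and 4 both concern date handling pitfalls. The following added example (not part of the change log or of the detector library) shows in Python why a single rigid strptime pattern is fragile for ISO timestamps compared with datetime.fromisoformat, and, as the Python analogue of the Java 'YYYY' week-year pitfall, how the ISO week-based year (%G) can differ from the calendar year (%Y). Sample timestamps are constructed; treating a zone-less input as UTC is an assumption made for the example.

```python
from datetime import datetime, timezone

# Constructed sample timestamps, in the shapes they commonly arrive in logs,
# tokens and API responses.
SAMPLES = [
    "2025-03-01T12:00:00",               # bare, no zone
    "2025-03-01T12:00:00.123456",        # fractional seconds
    "2025-03-01T12:00:00+00:00",         # explicit UTC offset
    "2025-03-01T12:00:00.123456+05:30",  # fraction and non-UTC offset
]

# The kind of single fixed strptime pattern the Python rule discourages.
FIXED_PATTERN = "%Y-%m-%dT%H:%M:%S"


def parse_with_strptime(value: str):
    """Return a datetime if the rigid pattern matches, else None."""
    try:
        return datetime.strptime(value, FIXED_PATTERN)
    except ValueError:  # "unconverted data remains" for fractions/offsets
        return None


def strptime_failures(samples=SAMPLES) -> list:
    """Which sample timestamps the rigid strptime pattern rejects."""
    return [s for s in samples if parse_with_strptime(s) is None]


def parse_iso(value: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to an aware UTC datetime.

    A missing zone is assumed to mean UTC here (assumption for this example);
    real code must decide what an absent offset means for its inputs.
    """
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def to_utc_iso(value: str) -> str:
    """Convenience wrapper: normalised UTC timestamp as an ISO string."""
    return parse_iso(value).isoformat()


def week_year_mismatch(year: int, month: int, day: int) -> bool:
    """True when the ISO week-based year (%G) differs from the calendar year (%Y).

    Same trap as Java's 'YYYY' (week year) versus 'yyyy' (calendar year):
    the last days of December can report the *next* year.
    """
    d = datetime(year, month, day)
    return d.strftime("%G") != d.strftime("%Y")
```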

Disabled rules

The following rules were disabled due to false positives:

1. python-docker-arbitrary-container-run
2. python-missing-pagination
3. python-insecure-deserialization
4. javascript-hardcoded-api-key
5. javascript-use-valid-values-in-typeof
6. javascript-url-instantiated
7. javascript-unprofessional-language-detector
8. javascript-missing-pagination