This change log includes updates to detectors made in May 2025.
1. [Java, Python, JavaScript, TypeScript, C#] [SQL Injection Detection Enhancement] Added SQL injection detection rules for multiple databases, including MySQL, SQLite, PostgreSQL and Oracle, treating function parameters as potentially tainted input in addition to HTTP requests.
2. [Java, Python, JavaScript, TypeScript, C#] [NoSQL Injection Detection Enhancement] Added NoSQL injection detection rules with expanded coverage for MongoDB and DynamoDB, analyzing function parameters and user-controlled inputs.
3. [Java, Python, JavaScript, TypeScript, C#] [Log Injection Detection] Added new Log Injection detection rules to identify log-based attack vulnerabilities across various logging frameworks.
4. [Java, Python, JavaScript, TypeScript, C#] [Cross-Site Scripting (XSS) Detection] Enhanced Cross-Site Scripting (XSS) detection rules to better identify XSS vulnerabilities across web applications.
5. [Java, Python, JavaScript, TypeScript, C#] [Hardcoded Credentials Detection Enhancement] Enhanced detection of hardcoded credentials by adding new rules for frequently used libraries and frameworks across multiple categories, such as API keys, database credentials, SMTP login credentials, cryptography function keys, and JWT encoding secrets.
6. [JavaScript/TypeScript] Added rule to detect improper environment variable unset operations using undefined assignments, preventing unexpected application behavior in containerized and cloud environments.
7. [Java] Added rule to identify ExecutorService configurations lacking proper resource bounds, preventing resource exhaustion, out-of-memory errors, and system instability under high load conditions.
8. [Java] Added rule to detect unsafe list element selection patterns where multiple matching elements are not properly validated, preventing potential security vulnerabilities and inconsistent behavior in resource identification.
9. [Java] Added rule to detect non-static ThreadLocal field declarations that cause memory leaks in long-running applications and thread pool environments.
10. [Java] Added rule to identify lock acquisitions without timeout specifications, preventing deadlocks and system outages caused by indefinite thread blocking.
11. [Java] Added rule to detect non-daemon threads that prevent clean JVM shutdown, causing service hangs during deployment updates or maintenance operations.
12. [Java] Added rule to detect unreliable JRE assertions in JUnit tests, recommending JUnit's built-in assertion methods for consistent evaluation and better error reporting.
13. [PHP] Improved precision for MD5 loose equality, unsafe file extensions, security-sensitive operations, regex evaluation, CSRF protection, redirect handling, weak crypto, CORS configurations, socket usage, SQL tampering, and session management.
14. [Kotlin] Enhanced detection of XML decoder vulnerabilities, trust manager implementations, URL security, concurrency issues, Android storage access, intent security, database encryption, integer overflow, and metrics factory security.
15. [C#] Enhanced detection of RSA encryption padding, HTTP listener bindings, template injection, integer overflow, pagination, JSON deserialization, authentication, format strings, stack trace exposure, XML entities, cookies, and assembly path injection.
16. [Scala] Improved detection of JavaScript evaluation vulnerabilities, cookie usage security, HTML auto-escape bypasses, JWT hardcoded secrets, database query injection, unsafe permissions, insecure cookies, insecure cipher block chaining, Apache XML-RPC vulnerabilities, filename utilities security, trust boundary violations, HTTP parameter pollution, and hardcoded credentials for libraries.
17. [Ruby] Enhanced detection of file permissions, inline rendering, code construction, deserialization vulnerabilities, and weak ciphers.
18. [Go] Improved precision and recall for rule-not-recommended-apis, rule-integer_overflow-updatedMIT and rule-useless-if-conditional.
19. [Go] Enhanced filepath.Join() rule with updated recommendations and usage guidance for proper cross-platform path handling, preventing path traversal vulnerabilities across different operating systems.
20. [TypeScript CDK] Updated CWE mapping from CWE-311 (Missing Encryption of Sensitive Data) to CWE-399 (Resource Management Errors) to accurately reflect the rule's focus on monitoring resource state changes in Auto Scaling Groups. Both the CFC message and manifest file were updated to maintain consistency.
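As an added illustration of item 6 (not code from this change log or from the detector itself), the following Node.js snippet shows why assigning `undefined` to a `process.env` entry does not unset it, and the `delete` form that does; the function and variable names are assumptions chosen for the example.

```javascript
// Added example: the "unset via undefined" pattern versus a real unset.
// Node.js coerces any value assigned to process.env to a string, so
// `process.env.X = undefined` stores the string "undefined" and the
// variable still exists, which is what the rule in item 6 flags.

// Flagged pattern: intends to remove the variable but leaves it set.
function unsetWithUndefined(name) {
  process.env[name] = undefined; // becomes the string "undefined"
  return process.env[name];
}

// Correct pattern: actually removes the entry from the environment.
function unsetWithDelete(name) {
  delete process.env[name];
  return process.env[name]; // now genuinely undefined
}

// A typical consumer check that silently misbehaves after the flagged pattern.
function featureEnabled(name) {
  return process.env[name] !== undefined;
}

// Constructed demonstration variable (assumption: name not otherwise used).
process.env.DEMO_FEATURE_FLAG = "1";
unsetWithUndefined("DEMO_FEATURE_FLAG");
console.log(featureEnabled("DEMO_FEATURE_FLAG")); // true, still "enabled"
unsetWithDelete("DEMO_FEATURE_FLAG");
console.log(featureEnabled("DEMO_FEATURE_FLAG")); // false
```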
The following rules were disabled due to false positives:
1. javascript-hardcodedsecrets