May 2026 change log

This change log includes updates to detectors made in May 2026.


Added and updated rules

Feature Add

Java

  • java-ffm-type-confusion

    • Created new rule to detect type confusion vulnerabilities (CWE-843) in the Java Foreign Function & Memory API (java.lang.foreign):
      • Identifies MemorySegment accessed using incompatible ValueLayout types, mismatched byte orders, or ADDRESS layouts in place of primitive types
      • Covers MemorySegment.get(), MemorySegment.set(), MemorySegment.getAtIndex(), MemorySegment.setAtIndex(), MemorySegment.asSlice(), and VarHandle accessors
      • Recognizes misuse of ValueLayout constants: JAVA_INT, JAVA_LONG, JAVA_FLOAT, JAVA_DOUBLE, JAVA_SHORT, JAVA_BYTE, JAVA_CHAR, JAVA_BOOLEAN, and ADDRESS

  • java-insecure-simple-web-server

    • Created new rule to flag use of Java's built-in Simple Web Server (JEP 408) without TLS encryption:
      • Detects HttpServer.create() and SimpleFileServer.createFileServer() configured without HTTPS/TLS, exposing traffic to eavesdropping and man-in-the-middle attacks (CWE-1188)
      • Applies to Java 18+ codebases using the com.sun.net.httpserver package

  • java-resolver-race-condition

    • Created new rule to detect race conditions in custom DNS resolvers:
      • Identifies InetAddressResolver implementations that use non-thread-safe collections (HashMap, TreeMap, LinkedHashMap) as DNS caches
      • Flags cache corruption and DNS poisoning vulnerabilities under concurrent access (CWE-362)
      • These collections lack synchronization guarantees and are unsafe when accessed from multiple threads simultaneously

  • java-simple-web-server-uncontrolled-resource-consumption

    • Created new rule to identify denial-of-service vulnerabilities in Java 18 Simple Web Server:
      • Detects unbounded thread pool configurations: Executors.newCachedThreadPool(), Executors.newWorkStealingPool(), or servers created with no executor (CWE-770, CWE-400)
      • Flags unlimited request body reads via HttpExchange.getRequestBody().readAllBytes(), which can be exploited to exhaust server memory
      • Applies to com.sun.net.httpserver package implementations

  • java-unbounded-concurrent-task-creation

    • Created new rule to detect denial-of-service vulnerabilities in concurrent task spawning:
      • Identifies untrusted input controlling the number of concurrent tasks spawned via Java Virtual Threads or Structured Concurrency APIs (CWE-770, CWE-400)
      • Covers Executors.newVirtualThreadPerTaskExecutor() and StructuredTaskScope.fork()
      • Complements java-resolver-race-condition by detecting additional DoS patterns in concurrent programming

  • java-unsafe-memory-segment-access-no-bounds-check

    • Created new rule to identify unsafe MemorySegment access in Java 22's Foreign Function & Memory API:
      • Detects operations without bounds verification, which can lead to buffer overflows or out-of-bounds reads (CWE-119, CWE-120, CWE-122, CWE-125, CWE-787)
      • Covers setAtIndex(), getAtIndex(), set(), get(), and MemorySegment.copy() calls lacking byteSize() validation
      • Applies to code using the java.lang.foreign package introduced as a stable API in Java 22


Python

  • python-asyncio-race-condition

    • Created new rule to detect TOCTOU race conditions in Python asyncio code:
      • Identifies patterns where task state is checked before acting on it, without accounting for concurrent state changes between the check and the operation (CWE-362)
      • Flags patterns where task.done() is called before task.result(), task.cancel(), or task.exception()
      • The window between the state check and the subsequent call allows another coroutine to change the task's state, leading to unexpected behavior or exceptions

  • python-asyncio-task-cleanup

    • Created new rule to flag improper resource management in Python 3.14's asyncio.capture_call_graph():
      • Detects call graph snapshots that accumulate without cleanup and cause unbounded memory growth (CWE-404)
      • Identifies snapshots stored in unbounded collections with no release mechanism
      • Applies to Python 3.14+ codebases using the asyncio call graph introspection API

  • python-debug-port-exposure

    • Created new rule to identify debugpy.listen() calls bound to publicly accessible network interfaces:
      • Flags debug server configurations that bind to non-loopback addresses without authentication controls (CWE-306)
      • An exposed debug port allows any network-reachable host to attach a debugger and execute arbitrary code on the server
      • Flagging these bindings helps prevent unauthorized remote access and remote code execution
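As an added illustration of the kind of check this rule performs (this is example code, not the product's rule implementation), the following minimal AST scanner reports debugpy.listen() calls whose literal host is not a loopback address; it assumes debugpy.listen() takes either an int port (host defaults to 127.0.0.1) or a (host, port) tuple, and leaves keyword or non-literal forms undecided.

```python
import ast
import ipaddress


def host_is_loopback(host: str) -> bool:
    """True for 'localhost' and loopback IPs; anything unparseable is treated as exposed."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def _listen_host(call: ast.Call):
    """Host that a debugpy.listen() call binds to, or None if not statically known.
    debugpy.listen takes either an int port (host defaults to 127.0.0.1) or a
    (host, port) tuple; keyword or non-literal forms are left undecided here."""
    if not call.args:
        return None
    first = call.args[0]
    if isinstance(first, ast.Constant) and isinstance(first.value, int):
        return "127.0.0.1"
    if isinstance(first, ast.Tuple) and first.elts:
        host = first.elts[0]
        if isinstance(host, ast.Constant) and isinstance(host.value, str):
            return host.value
    return None


def find_exposed_debug_listeners(source: str) -> list:
    """Return (line, host) for every debugpy.listen() bound to a non-loopback host."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        fn = node.func
        if fn.attr != "listen" or not (isinstance(fn.value, ast.Name) and fn.value.id == "debugpy"):
            continue
        host = _listen_host(node)
        if host is not None and not host_is_loopback(host):
            findings.append((node.lineno, host))
    return findings


# Constructed sample source: three bindings, only the last one is exposed.
SAMPLE = """\
import debugpy
debugpy.listen(5678)
debugpy.listen(("127.0.0.1", 5678))
debugpy.listen(("0.0.0.0", 5678))
"""
```

Running `find_exposed_debug_listeners(SAMPLE)` returns one finding for line 4; `from debugpy import listen` style imports are deliberately out of scope here.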

  • python-itertools-batched-resource-exhaustion

    • Created new rule to detect resource exhaustion vulnerabilities in itertools.batched():
      • Identifies user-controlled values flowing into itertools.batched() batch sizes, or when unbounded iterables are fully materialized from untrusted input (CWE-400)
      • Covers input from Flask (request.args, request.form, request.json, request.get_json(), request.data, request.values), Django (request.GET, request.POST, request.body), FastAPI (request.query_params, request.path_params, Query()), AWS Lambda event handlers, and sys.argv
      • Attacker-controlled batch sizes can trigger unbounded memory allocation or force the server to process arbitrarily large datasets

  • python-mass-assignment

    • Created new rule to detect mass assignment vulnerabilities in ORM operations:
      • Identifies HTTP request data passed directly into ORM operations without field filtering (CWE-915)
      • Covers Flask request inputs (request.get_json(), request.form, request.args, request.data, request.json, request.headers.get()) flowing into Django ORM methods: objects.create(), objects.get_or_create(), objects.update_or_create(), objects.filter().update(), and Python 3.13+ copy.replace()
      • This pattern allows attackers to set arbitrary model fields, including privileged attributes not intended to be user-controlled

  • python-zstd-unbounded-decompression

    • Created new rule to flag decompression of untrusted data using the zstd library:
      • Detects decompression operations without size limits, which can result in resource exhaustion (CWE-400, CWE-664)
      • Covers zstd.decompress(), zstd.ZstdDecompressor.decompress(), and zstd.open()
      • Recognizes user-supplied data from Flask: request.data, request.files, request.args, request.form, request.json, request.get_data(), and request.stream
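The remediation this rule points at is a hard cap on decompressed output. The added example below (not the product's code) enforces that cap with zlib's decompressobj so it runs on any Python; it assumes that compression.zstd.ZstdDecompressor in Python 3.14 accepts the same decompress(data, max_length) form, with leftover input reported through needs_input rather than unconsumed_tail.

```python
import zlib


class DecompressionLimitExceeded(ValueError):
    """Raised as soon as decompressed output would exceed the configured cap."""


def bounded_decompress(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate `data` but never produce more than `max_output` bytes.

    The cap is enforced on the output side with max_length, so a small input
    that expands enormously (a decompression bomb) is stopped before it is
    materialised in memory, not after.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        # Never request more than one byte past the remaining allowance; that extra
        # byte is how we notice the stream wants to grow beyond the cap.
        room = max_output - len(out) + 1
        piece = d.decompress(pending, min(chunk, room))
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(f"decompressed output exceeds {max_output} bytes")
        # zlib hands back input it could not consume yet; feed it in on the next round.
        pending = d.unconsumed_tail
        if d.eof or (not piece and not pending):
            break
    return bytes(out)


def fits_within(data: bytes, max_output: int) -> bool:
    """Convenience predicate: does `data` decompress within `max_output` bytes?"""
    try:
        bounded_decompress(data, max_output)
        return True
    except DecompressionLimitExceeded:
        return False


# Constructed inputs: a 1 MiB run of zeros compresses to about a kilobyte.
BOMB = zlib.compress(b"\x00" * 1_000_000)
SMALL = zlib.compress(b"hello, world")
```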


TypeScript

  • typescript-cdk-s3-overly-permissive-cors

    • Created new rule to detect overly permissive CORS configurations on S3 buckets:
      • Identifies S3 buckets defined via AWS CDK where any origin is permitted access to bucket resources
      • Flags allowedOrigins: ['*'] on s3.Bucket from aws-cdk-lib/aws-s3 and @aws-cdk/aws-s3
      • Covers both the cors constructor property and the addCorsRule() method

Bug Fixes / Enhancements

Java

  • java-sql-injection-ide

    • Enhanced to improve detection coverage and reduce false positives by:
      • Adding Spring MVC annotations (@PathVariable, @RequestParam, @RequestBody, @ModelAttribute) as recognized SQL injection entry points in Spring applications
      • Removing string concatenation and String.format variants from detection scope, which were causing scan timeouts on large codebases

  • java-untrusted-load-java

    • Enhanced to improve detection coverage by:
      • Extending deserialization vulnerability detection to cover additional libraries used in enterprise Java applications
      • Adding Castor XML Unmarshaller, FST serialization (FSTObjectInput), and JBoss Marshalling Unmarshaller as untrusted deserialization entry points


Kotlin

  • kotlin-bad-hexa-conversion

    • Enhanced to improve detection coverage by:
      • Adding detection for hexadecimal conversion patterns that produce variable-length output, which can cause incorrect cryptographic comparisons
      • Covering Integer.toString(b, 16), byte.toString(16), String.format("%x", b), and "%x".format(b) — all of which omit leading zeros for single-digit byte values, producing output that does not round-trip correctly through equality checks

  • kotlin-insufficient-key-size

    • Enhanced to improve detection coverage by:
      • Broadening insufficient key size detection to cover additional Kotlin JCA key generation APIs and weak elliptic curve configurations
      • Covering KeyPairGenerator.getInstance() with initialize(), RSAKeyGenParameterSpec, and ECGenParameterSpec with weak named curves
      • Recognizing provider overload variants for RSA, DSA, DH, DiffieHellman, and EC algorithms

  • kotlin-os-command-injection-ide

    • Enhanced to improve detection coverage and reduce false positives by:
      • Extending OS command injection detection to cover additional execution APIs used in Kotlin applications
      • Adding ProcessExecutor, Docker Java client, Kubernetes client, AWS SSM, and JNA command execution APIs as detectable command execution points
      • Replacing flat @QueryParam, @PathParam, @HeaderParam, and @QueryValue annotation matching with context-aware parameter-level detection, reducing false positives


Python

  • python-code-injection

    • Enhanced to improve detection coverage by:
      • Adding exec as a detectable code injection execution point
      • Covering scenarios where user-controlled data flows into exec(), enabling arbitrary Python code execution

  • python-file-injection

    • Enhanced to improve detection coverage by:
      • Adding BufferedRandom.write to file injection detection, covering binary file I/O scenarios not previously flagged
      • Applying when user-controlled data flows into buffered binary file write operations

  • python-insecure-random

    • Enhanced to improve detection coverage by:
      • Adding random.binomialvariate() (Python 3.12+) as a detectable insecure randomness source (CWE-338, CWE-330)
      • Flagging use of random.binomialvariate() in security-sensitive contexts such as token generation or sampling for authentication

  • python-os-command-injection-ide

    • Enhanced to improve detection coverage and reduce false positives by:
      • Extending detection to cover Apache Airflow task execution APIs used in workflow automation pipelines
      • Adding BashOperator, LegacyBashOperator, Command, Connection, and CronTab as OS command injection entry points
      • Removing overly broad patterns that generated false positives on non-command-execution code

  • python-path-traversal-hb

    • Enhanced to improve remediation guidance by:
      • Updating the rule message to recommend pathlib.Path.resolve() for path canonicalization as a safe alternative to string manipulation
      • Providing clearer remediation guidance for developers addressing path traversal findings
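The recommended pathlib.Path.resolve() approach, as an added example (not the rule's own message text): canonicalise the joined path, then check containment on the resolved result rather than on the raw string. The base directory is a constructed placeholder.

```python
from pathlib import Path


def safe_join(base_dir, user_path: str) -> Path:
    """Canonicalise base_dir/user_path and confirm it stays inside base_dir.

    resolve() collapses '..' segments and follows existing symlinks, so the
    containment test is done on the real filesystem location, not on the raw
    string. strict=False (the default) means the target need not exist yet,
    which matters for paths that are about to be created (uploads, caches).
    """
    base = Path(base_dir).resolve()
    # Joining an absolute user_path discards `base` entirely, which is exactly
    # why the containment check below must run on the joined, resolved result.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_confined(base_dir, user_path: str) -> bool:
    """True when user_path resolves to a location inside base_dir."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs; /srv/www is a placeholder base directory.
    for p in ("reports/2026-05.txt", "../../etc/passwd", "/etc/passwd", "a/../b"):
        print(f"{p!r}: {'allowed' if is_confined('/srv/www', p) else 'rejected'}")
```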

  • python-path-traversal-ide

    • Enhanced to improve detection coverage by:
      • Adding base64.z85decode() (Python 3.13+) as a recognized source of user-controlled path data in path traversal detection
      • Covering cases where user input is Z85-decoded before being used in filesystem operations, which could conceal traversal sequences

  • python-remote-debug-in-production

    • Enhanced to improve rule accuracy by:
      • Updating the rule message to more accurately describe the risk of enabling remote debugging in production environments
      • Clarifying that an exposed debug server allows unauthenticated remote code execution, not merely information disclosure


Ruby

  • ruby-code-injection

    • Enhanced to improve performance by:
      • Removing JSON.parse and Lambda handler event inputs from detection scope
      • These sources were causing performance bottlenecks on large files without contributing meaningful code injection signal

  • ruby-code-injection-ide

    • Enhanced to reduce false positives by:
      • Removing redundant safe-use exclusions subsumed by simpler equivalents
      • Reducing false positives caused by overly complex matching logic that over-matched benign code patterns

  • ruby-cross-site-scripting

    • Enhanced to improve scan performance by:
      • Consolidating separate HTML tag and HTTP/WebSocket URL scheme detection into a single equivalent pattern
      • Reducing rule complexity and improving scan performance without changing detection coverage

  • ruby-cross-site-scripting-ide

    • Enhanced to reduce false positives and improve performance by:
      • Removing JSON.parse, JSON.load, URI.decode_www_form, Rack::Utils.parse_query, and Rack::Request as input sources
      • These sources were causing false positives and performance degradation on large Ruby files

  • ruby-no-sql-injection-ide

    • Enhanced to reduce false positives and improve detection accuracy by:
      • Removing inapplicable input sources — gets, ENV, ARGV, STDIN, YAML.load, Marshal.load, File.read, IO.read — that were generating false positives in NoSQL injection detection
      • Adding exclusions for parameterized and prepared statement calls to avoid flagging these safe query patterns

  • ruby-os-command-injection-ide

    • Enhanced to improve detection accuracy by:
      • Removing overly broad run and sprintf patterns that generated false positives unrelated to OS command injection
      • Removing CGI.escapeHTML, ERB::Util.html_escape, and Rack::Utils.escape from detection exclusions — these are HTML/URL escaping functions that do not prevent OS command injection and were incorrectly suppressing findings

  • ruby-path-injection

    • Enhanced to improve detection coverage and reduce false negatives by:
      • Adding File.basename and sanitize_path as recognized safe alternatives for path input handling
      • Removing overly specific variants of these patterns that were causing false negatives on common path-handling code

  • ruby-sql-injection-active-record

    • Enhanced to improve detection precision by:
      • Removing an overly broad exclusion for nested hash rocket syntax that was causing false positives in symbol-keyed hash assignments
      • Tightening detection scope to focus on patterns where user-controlled data reaches Active Record query methods directly

  • ruby-sql-injection-ide

    • Enhanced to reduce false positives by:
      • Adding Base64.encode64, Base64.strict_encode64, Base64.urlsafe_encode64, CGI.escape, and Float as recognized safe transformations that prevent SQL injection
      • Removing overly broad detection patterns that were generating false positives on benign Ruby code

  • ruby-untrusted-send

    • Enhanced to improve detection accuracy by:
      • Removing system, exec, backtick execution, and Kernel.exec from detection scope — these belong to OS command injection (CWE-78), not untrusted method dispatch
      • Removing JSON.parse and Lambda handler inputs that were causing false positives and performance bottlenecks

  • ruby-weak-hash-algorithm

    • Enhanced to improve detection coverage by:
      • Extending weak algorithm detection to cover OpenSSL::HMAC across all HMAC methods, not just hexdigest
      • Removing the now-redundant hardcoded OpenSSL::HMAC.hexdigest("sha1") pattern, which is fully subsumed by the broader HMAC coverage


Scala

  • scala-os-command-injection-ide

    • Enhanced to improve detection coverage and reduce false positives by:
      • Adding OS command injection detection for fs2.io.process.ProcessBuilder, JNA Function.invoke, Apache Commons Exec CommandLine.parse, and Scala Native LibC.system
      • Removing overly broad input sources (StdIn.readLine, os.read, System.getenv) that were generating false positives on non-command-execution code

  • scala-weak-message-digest

    • Enhanced to reduce false positives by:
      • Adding path exclusions for test, benchmark, and demo directories to reduce false positives in non-production code
      • Removing the dead SHA1 alias from weak algorithm detection — only the SHA_1 variant is in active use


TypeScript

  • typescript-path-traversal-ide

    • Enhanced to improve performance and reduce false positives by:
      • Removing a duplicate headers input source, standalone file.path detection, and crypto.createHash digest from detection scope to reduce false positive noise
      • Removing verbose multi-line block forms for adm-zip extraction methods, glob, Formidable, and express.static that were causing significant performance degradation on large TypeScript codebases

Disabled rules

No rules were disabled in May 2026.