June 2025 change log

This change log includes updates to detectors made in June 2025.


Added and updated rules

1. [Python, Java, JavaScript, C#] [Missing CSRF Protection Detection] Added rules to detect missing or incomplete CSRF protection, identifying scenarios where cross-site request forgery safeguards are absent or misconfigured.
2. [Python, Java, C#, Kotlin] [OS Command Injection Vulnerability] Added rules to detect OS command injection vulnerabilities by tracking user-controlled input flowing into dangerous command execution APIs.
3. [Python, Java, TypeScript, C#] [Path Traversal Detection Enhancement] Added rules to identify path traversal risks, detecting unsafe usage of user-controlled input in file system path operations.
4. [Python, Java, JavaScript, C#] [Code Injection Vulnerabilities] Added rules to detect code injection vulnerabilities by identifying unsafe execution of user-controlled input in dynamic code evaluation and execution functions.
5. [Java] [AWS Client Builder Shared Instance Detection] Added rule to identify shared AWS SDK client builders used in multi-threaded contexts, helping prevent race conditions where one thread's configuration overwrites another's, potentially resulting in clients with incorrect settings and security vulnerabilities.
6. [Java] [Blocking Call Operation Detection] Added rule to identify indefinite blocking operations in synchronization, I/O, networking, and native interface calls, helping prevent application hangs and resource exhaustion that can lead to system-wide performance degradation and potential service outages.
7. [Java] [GWT Cross-Site Scripting Prevention] Added rule to detect unsanitized user input in Google Web Toolkit (GWT) web applications that could lead to cross-site scripting (XSS) vulnerabilities, preventing potential client-side attacks including data theft and session hijacking.
8. [TypeScript] [Object Reference Mutation Detection] Added rule to detect direct object reference mutations that can lead to unintended side effects, where modifications to a copied object accidentally change the original object's data, causing bugs that are difficult to track in larger applications.
9. [Scala] [Enhanced Coverage] Improved precision and recall for the scala-absolute-relative-path-traversal, scala-os-command-injection, scala-parse-expression, scala-script-injection-eval, and scala-filename-utils rules.
10. [Ruby] [Enhanced Coverage] Improved precision and recall for the ruby-untrusted-send, ruby-avoid-render-dynamic-path, ruby-untrusted-eval, ruby-avoid-link-to, ruby-avoid-tainted-ftp-call, ruby-json-entity-escape, ruby-unsafe-html, ruby-path-injection, ruby-untrusted-open, ruby-unsafe-code-construction, ruby-code-injection, ruby-avoid-tainted-file-access, and ruby-excon-ssl-verify rules.
11. [Kotlin] [Enhanced Coverage] Improved precision and recall for the kotlin-groovy-injection, kotlin-unsafe-expr-evaluation, kotlin-path-traversal, kotlin-lambda-snapstart-runtime-hooks, and kotlin-insecure-bean-validation rules.
12. [Go] [Enhanced Coverage] Improved precision and recall for the rule-channel-guarded-with-mutex, rule-hardcoded-eq-true-or-false, rule-math_big_rat-updatedMIT, and rule-use-filepath-join rules.
13. [PHP] [Enhanced Coverage] Improved precision and recall for the php-exec-use, php-laravel-cookie-same-site, php-tainted-session, php-wp-file-manipulation-audit, and php-allow-url-fopen-or-include rules.
14. [C#] [Enhanced Coverage] Improved precision and recall for the stack-trace-exposure, mvc-missing-antiforgery, razor-template-injection-csharp-rule, X509-subject-name-validation-csharp-rule, unsigned-security-token-csharp-rule, double-epsilon-equality, sslcertificatetrust-handshake-no-trust, use-weak-rsa-encryption-padding-csharp-rule, csharp-csrf-disabled-ide, weak-cipher-algorithm, csharp_assembly_path_injection, and path-traversal-csharp-rule rules.
15. [JavaScript] [Hardcoded Credentials Detection Enhancement] Enhanced rule coverage to identify additional patterns of sensitive hardcoded credentials across JavaScript libraries, adding support for 32 new patterns drawn from common credential exposure scenarios.
16. [Java] [HashMap Initialization Recommendation Update] Updated customer-facing comments for the java-usenewhashmapwithexpectedsize rule to remove the Guava dependency and use the standard Java approach with a calculated initial capacity.
17. [Java] [Cross-Site Scripting Rule Enhancement] Improved precision of cross-site scripting detection for the java-cross-site-scripting-ide rule by fixing incorrect identification of potential vulnerabilities in validated-input scenarios, reducing false positives.
18. [Java] [Blocking Service Calls Enhancement] Removed duplicate and redundant patterns from the java-detect-blocking-service-calls rule and added exclusions for acceptable cases such as ExecutorService usage and short timeouts.
19. [Python] [OS Command Injection Enhancement] Enhanced the OS command injection rule for Python to provide broader coverage across more libraries and command execution methods.
20. [Kotlin] [Cross-Site Scripting Enhancement] Enhanced the cross-site scripting (XSS) detection rule for improved accuracy and broader coverage of various attack vectors.

Disabled rules

The following rules were disabled due to false positives:

1. java-format-string-injection - Disabled due to timeout in Express; moving to a Semgrep-based rule.
2. checkov-custom-dynamodb-table-encryption - Disabled as the rule is not targeting any vulnerability.
3. javascript-hardcodedsecrets - Disabled due to migration to a Semgrep-based rule.