December 2025 change log

This change log includes updates to detectors made in December 2025.


Added and updated rules

Feature additions

Go

  • go-resource-leak-defer-after-early-return
    • Added rule to detect resource leaks by:
      • Identifying early return statements that bypass deferred cleanup
      • Targeting common resource allocation patterns including:
        • HTTP clients
        • File operations
        • Database connections
        • Network operations
      • Excluding legitimate error handling and proper cleanup scenarios to minimize false positives
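The pattern this rule flags, next to the corrected form, as an added Go example written for this changelog (it is not the detector's own code or test data); acquire, resource and openCount are constructed stand-ins for a real file, connection or response body so that the leak is observable:

```go
package main

import "fmt"

// openCount makes the leak observable; in real code the resource would be an
// *os.File, an http.Response.Body, *sql.Rows or a net.Conn.
var openCount int
type resource struct{ name string }

// acquire stands in for os.Open / sql.Query / net.Dial (constructed for this example).
func acquire(name string) (*resource, error) {
	if name == "" {
		return nil, fmt.Errorf("empty name")
	}
	openCount++
	return &resource{name}, nil
}

func (r *resource) Close() error { openCount--; return nil }

// Leaky is the pattern the rule flags: the "if !valid" return sits between the
// acquisition and the defer, so that path exits without closing r. The err check
// just above it is legitimate error handling (r is nil there) and is not flagged.
func Leaky(name string, valid bool) error {
	r, err := acquire(name)
	if err != nil {
		return err
	}
	if !valid {
		return fmt.Errorf("rejecting %s", r.name) // r is never closed
	}
	defer r.Close()
	return nil
}

// Fixed registers the deferred Close right after the error check, so every later
// return, including the early one, releases the resource.
func Fixed(name string, valid bool) error {
	r, err := acquire(name)
	if err != nil {
		return err
	}
	defer r.Close()
	if !valid {
		return fmt.Errorf("rejecting %s", r.name)
	}
	return nil
}

// LiveResources returns how many acquired resources are still open.
func LiveResources() int { return openCount }
```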

Bug fixes / enhancements

Python

  • python-resource-leak-detector

    • Enhanced to reduce false positives by:
      • Excluding HTTP request methods that do not require manual resource cleanup
      • Excluding resources managed via context managers (with statements)

  • python-empty-container-check

    • Enhanced to reduce false positives by:
      • Adding type filtering to only evaluate specific container types for len() operations
      • Excluding dictionary containers from empty container checks to prevent incorrect flagging

  • python-hardcoded-credentials-ide

    • Enhanced to improve AWS Bedrock credential detection by:
      • Adding specific patterns for Bedrock-related credential variables (bedrock_key, bedrock_token, etc.)
      • Expanding regex patterns to detect AWS Bedrock API keys and authentication tokens


Java

  • java-poor-error-handling

    • Enhanced to reduce noise by:
      • Consolidating multiple broad catch exceptions in the same method into a single finding
      • Reporting related issues in the format: "Similar issue at line number X, Y, Z"

  • java-path-traversal-ide

    • Enhanced to comprehensively detect CWE-22 path traversal vulnerabilities by:
      • Improving detection for risky file operations
      • Excluding safe patterns such as:
        • Hardcoded file paths
        • Temporary file creation using Files.createTempFile()
        • Validated file operations within proper conditional checks
        • Legitimate resource loading from the classpath
      • Expanding coverage across enterprise Java applications including Spring MVC and Spring Boot web controllers, JAX-RS REST endpoints, file processing libraries, configuration management, logging systems, and specialized file operations

  • java-spring-4-shell

    • Enhanced to reduce false positives by:
      • Excluding controllers that use @ModelAttribute for binding data from URL/query parameters
      • Ignoring cases using @RequestBody, @PathVariable, or @RequestParam, which are not vulnerable

  • java-misconfigured-concurrency

    • Enhanced to reduce false positives by:
      • Excluding CompletableFuture.allOf() patterns with proper timeout handling
      • Excluding calls using orTimeout() for timeout management

  • java-guice-insecure-thread-pool

    • Enhanced to reduce false positives by:
      • Adding Guice import detection to flag only Guice-managed classes
      • Refining ExecutorService parameter detection to focus on field assignments
      • Improving rule messaging with actionable guidance and documentation links

  • java-null-dereference

    • Enhanced to reduce redundant findings by:
      • Consolidating multiple similar null dereference detections into a single finding
      • Referencing all affected line numbers to maintain full vulnerability coverage

  • java-shared-state-thread-safety

    • Enhanced to reduce false positives by:
      • Improving error messages to provide clearer and more actionable remediation guidance
      • Adding filters for cases where shared state is intentionally guarded by conditional checks
      • Including test coverage to validate false positive reduction


TypeScript

  • typescript-csrf-disabled

    • Enhanced to reduce false positives by:
      • Excluding cases where Bearer token authentication requires the token strictly in the Authorization header
      • Ensuring CSRF is flagged only when Bearer tokens are accepted via cookies
      • Treating Authorization header–based authentication as not vulnerable to CSRF

  • typescript-cdk-auto-scaling-group-health-check

    • Enhanced to improve availability detection by:
      • Inverting the rule logic to flag Auto Scaling Groups that use EC2 health checks (or default to them) while load balancers are attached
      • Detecting misconfigurations that can lead to reduced availability when ELB/ALB health checks are not used

  • typescript_cdk_ecs_cluster_cloud_watch_container_insights

    • Enhanced to improve accuracy by:
      • Fixing the rule's import, which referenced aws-rds instead of aws-ecs
      • Adding detection support for containerInsightsV2 when explicitly set to DISABLED

  • typescript-cdk-neptune-cluster-multi-az

    • Enhanced to correctly detect Neptune Multi-AZ configurations by:
      • Updating the rule to validate instance count–based Multi-AZ setup
      • Removing reliance on the incorrect multiAz property for Neptune clusters


C/C++

  • c-cpp-incorrect-format-specifier
    • Enhanced to reduce false positives by:
      • Excluding hardcoded string literals without format specifiers
      • Excluding printf / fprintf calls to unbounded streams (stdout, stderr)
      • Validating correct format specifier and argument type matching
      • Excluding trusted and validated format strings
      • Ignoring standard logging and debug statements with controlled input

Go

  • go-nil-pointer-dereference
    • Enhanced to reduce false positives by:
      • Improving nil pointer vulnerability pattern matching
      • Excluding safe patterns such as:
        • Proper nil validation
        • Error handling flows
        • Safe memory allocation and type casting
        • Validated function parameter usage

PHP

  • php-cross-site-scripting-ide
    • Enhanced to eliminate false positives by:
      • Removing duplicate echo / print sinks already covered by the php-echoed-request rule

Disabled rules

The following rules were disabled because changing port numbers does not meaningfully improve security:

  • python-cdk-rds-non-default-port
  • python-cdk-elasticache-cluster-usage-of-default-port
  • python-cdk-redshift-cluster-usage-of-default-port
  • python-cdk-document-db-cluster-non-default-port