Releases: secdec/astam-correlator
v1.3.8
v1.3.7
v1.3.6
This release updates Spring MVC support and replaces a vulnerable dependency:
- Adds support for the `@RequestBody` annotation in Spring MVC projects
- Allow multiple endpoint declarations via the `@RequestMapping` annotation in Spring MVC projects
- Relaxed requirements for model object expansion/enumeration in Spring MVC projects
- Replace JSON parsing libraries to remove the vulnerable dependency on `jackson-mapper-asl`
v1.3.5
This release contains bugfixes for Rails projects:
- `NullPointerException` occurred under certain conditions
- Fix regex parse error for endpoints containing `({param})`-like content
- Routes may fail to detect if comments in `routes.rb` contained scoping operators, i.e. `(`, `[`, etc.
- Controllers would not be detected if they contained an inner class
v1.3.4
This release contains bugfixes and performance improvements.
Improvements:
- More accurate assignment of ASP.NET MVC/API/Core parameter types
- Minimize redundant disk access during file search operations
- Better parameter detection in Struts when checking for parameters referenced by an endpoint
- More comprehensive expansion of composite parameter types
Bugfixes:
- Exception occasionally thrown by internationalized `DjangoEndpoint` when calling `compareRelevance`
- ASP.NET MVC/API/Core parameters were included from unrelated routes
- Occasional duplication of composite parameter data types
- Multiple ASP.NET Web Forms endpoints referencing different files with the same name would be overwritten/ignored
- Struts endpoints could be generated from methods inherited from Struts-framework base types, i.e. `ActionSupport.input`
- Struts endpoint parameters could be over-culled when checking for references within the endpoint
v1.3.3
This release adds further support for ASP.NET Core by considering 2.1-specific APIs.
Improvements:
- Detect "Microsoft.AspNetCore.App" package references for ASP.NET Core detection
- Support `ControllerBase` as a valid base type for controllers
- Support for the `[ApiController]` attribute on controllers
- Classes inherit attributes from their base types
- Support for ASP.NET Core parameter attributes: `[FromQuery]`, `[FromFile]`, `[FromRoute]`, `[FromForm]`, `[FromServices]`
v1.3.2
This release contains bugfixes primarily improving line number detection for endpoint source code.
Improvements:
- Better `web.xml` detection for Struts projects
- Struts actions deferring to the `ActionSupport` class have line numbers set to the result HTML/JSP/etc. file
- Files and line numbers for Struts map to the `execute` method automatically if an action class is defined without a method
- Rails endpoints generated by recognized third-party routers have `(lib)` attached to source file names to indicate that the source code is not available but the endpoint is valid
- Better line range detection for Django endpoints
- JSP `getLineNumberForParameter` now returns the first line occurrence of a parameter
Bugfixes:
- Struts actions deferring to JSP files no longer use `endLine + 1` for the source code end line
- Struts result file detection respects package namespacing
- Rails parsing detects module names embedded in class names while resolving route controllers
- JSP file extension checks are no longer case-sensitive
- JSPF files are now ignored
- Fix occasional `NullPointerException` when parsing ASP.NET Core projects
- Fix exception in JSP parsing on case-sensitive file systems
v1.3.1
v1.3.0
This release simplifies the contents of the Endpoint data types to minimize JSON footprint, and contains some small bugfixes.
JSON generated via `com.denimgroup.threadfix.framework.engine.full.EndpointSerialization` is incompatible with previous versions. This version cannot parse JSON from before 1.3.0, and previous versions are not guaranteed to parse JSON from this version.
Improvements:
- Remove redundant internal data from Endpoint implementations that may contain absolute file paths to the source code on the machine that generated the Endpoints
- Apply variant detection for ASP.NET MVC projects
Bugfixes:
- Fix `NullPointerException` when parsing an ASP.NET MVC project with a `MapRoute` call whose template string could not be determined
v1.2.18
This release contains improvements for ASP.NET MVC endpoint detection in the Hybrid Analysis Mapping (HAM) endpoint detection module.
ASP.NET MVC endpoint detection has undergone a significant refactor to support Web API, ASP.NET Core, and provide more accurate and complete results.
Improvements:
- Support multi-attribute attachments (i.e. `[HttpGet, HttpDelete]`)
- Detect endpoints routed via naming conventions for Web API projects
- Convention-based routing supports methods with default parameter values (i.e. `Get(int? id = 10)` maps to `/` and `/{id}`)
- Detect attribute parameters with and without explicit variable names (i.e. `[Bind(Include = "...")]` vs `[Bind("...")]`)
- Generally more robust ASP.NET Core/Standard MVC/Web API endpoint detection
- Ignore methods with `[NonAction]` attached
- Support `.UseMvcWithDefaultRoute()` in ASP.NET Core
- Support for convention-based routing in ASP.NET Core
- Support for controller classes that do not directly inherit from `Controller` or `ApiController`, but have a base class that does
- Controller classes inherit actions from their base types, if available
- Detect parameter types by route constraints, if available
- Support the `[AcceptVerbs]` attribute
- Support the `[RoutePrefix]` and `[Route]` attributes for Web API
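The convention-based routing note above says that an action with a defaulted or nullable parameter is reachable both with and without that route segment. The following Python sketch is an added example, not code from the astam-correlator project, of how an endpoint detector can enumerate those variants for a whole route template rather than for the single `Get(int? id = 10)` case: it parses a C#-style method signature, treats nullable or defaulted parameters as optional segments, and forks each optional segment into a with- and without-segment path. It assumes (my assumption, not the project's) the default Web API template `api/{controller}/{id}` and the `Controller` class-name suffix convention, so the page's `/` and `/{id}` appear here as `/api/products` and `/api/products/{id}`.

```python
"""Added example: expand a convention-routed Web API action into the set
of concrete route variants it answers. Not part of astam-correlator;
the template, the suffix convention and the optional-parameter rule are
assumptions made for this illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Param:
    name: str
    type_name: str
    default: Optional[str] = None

    @property
    def optional(self) -> bool:
        # A nullable type (int?) or a default value (id = 10) means the
        # caller may omit the argument, so the route segment is optional.
        return self.type_name.endswith("?") or self.default is not None


# Minimal C#-style signature parser, e.g. "Get(int? id = 10, string q)".
# Limitation: parameters are split on ',', so generic types containing
# commas (Dictionary<string,int>) are not handled.
SIG_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$")
PARAM_RE = re.compile(r"^\s*([\w\.<>\[\]]+\??)\s+(\w+)\s*(?:=\s*(.+?))?\s*$")


def parse_signature(sig: str) -> Tuple[str, List[Param]]:
    m = SIG_RE.match(sig)
    if not m:
        raise ValueError(f"not a method signature: {sig!r}")
    name, raw = m.group(1), m.group(2).strip()
    params: List[Param] = []
    if raw:
        for piece in raw.split(","):
            pm = PARAM_RE.match(piece)
            if not pm:
                raise ValueError(f"bad parameter: {piece!r}")
            params.append(Param(pm.group(2), pm.group(1), pm.group(3)))
    return name, params


def route_variants(controller: str, sig: str,
                   template: str = "api/{controller}/{id}") -> List[str]:
    """Return every concrete path the action can be reached by.

    Walking the template left to right:
      * {controller} is replaced by the controller's route name;
      * a token bound to an optional action parameter forks the paths
        built so far into a form that stops before it and a form that
        includes it;
      * a token bound to a required parameter is kept;
      * a token no action parameter binds ends the path before it,
        because the action cannot accept that segment;
      * literal segments are kept as-is.
    """
    _, params = parse_signature(sig)
    by_name = {p.name: p for p in params}
    # Convention: ProductsController -> "products" (assumed here).
    ctrl = re.sub(r"Controller$", "", controller).lower()

    open_paths: List[List[str]] = [[]]   # still accepting segments
    closed_paths: List[List[str]] = []   # finished before some segment
    for seg in template.strip("/").split("/"):
        is_token = seg.startswith("{") and seg.endswith("}")
        tok = seg[1:-1] if is_token else None
        if tok == "controller":
            open_paths = [p + [ctrl] for p in open_paths]
        elif tok is not None and tok not in by_name:
            closed_paths.extend(open_paths)
            open_paths = []
        elif tok is not None and by_name[tok].optional:
            closed_paths.extend(open_paths)
            open_paths = [p + [seg] for p in open_paths]
        else:
            open_paths = [p + [seg] for p in open_paths]
    return ["/" + "/".join(p) for p in closed_paths + open_paths]


if __name__ == "__main__":
    # Constructed sample actions, mirroring the release note's example.
    for ctrl, sig in [("ProductsController", "Get(int? id = 10)"),
                      ("ProductsController", "Get(int id)"),
                      ("ProductsController", "Get()")]:
        print(f"{ctrl}.{sig}: {route_variants(ctrl, sig)}")
```

The split into open and closed path lists is what keeps the expansion correct when an optional segment is followed by further template segments: once a variant has stopped before an optional segment, it must not pick up later ones, which a naive "with or without this segment" fork would allow.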
Bugfixes:
- Detect string interpolation and verbatim strings to avoid parsing errors
- Fix exception during matching of endpoints that include wildcards
- Relax requirements on detection of `MapRoute` calls
- Change comment detection to work with interpolated strings
- Support default actions that are not named `Index`