
Releases: secdec/astam-correlator

v1.3.8

16 Mar 12:23

This release fixes an issue with Struts parsing on UNIX-based hosts (issue #10) and updates the Jsoup dependency.

v1.3.7

10 Feb 14:21

This release updates the log4j dependency from 1.2.17 to 2.17.1.

v1.3.6

19 Jul 21:40

This release updates Spring MVC and replaces a vulnerable dependency:

  • Adds support for @RequestBody annotation in Spring MVC projects
  • Allows multiple endpoint declarations via the @RequestMapping annotation in Spring MVC projects
  • Relaxes the requirements for model object expansion/enumeration in Spring MVC projects
  • Replaces the JSON parsing libraries to remove the vulnerable dependency on jackson-mapper-asl

v1.3.5

01 Nov 21:36

This release contains bugfixes for Rails projects:

  • Fix a NullPointerException that occurred under certain conditions
  • Fix a regex parse error for endpoints containing ({param})-like content
  • Routes might not be detected if comments in routes.rb contained scoping operators such as ( or [
  • Controllers were not detected if they contained an inner class

v1.3.4

25 Oct 20:42

This release contains bugfixes and performance improvements.

Improvements:

  • More accurate assignment of ASP.NET MVC/API/Core parameter types
  • Minimize redundant disk access during file search operations
  • Better parameter detection in Struts when checking for parameters referenced by an endpoint
  • More comprehensive expansion of composite parameter types

Bugfixes:

  • Fix an exception occasionally thrown by an internationalized DjangoEndpoint when calling compareRelevance
  • ASP.NET MVC/API/Core parameters were included from unrelated routes
  • Occasional duplication of composite parameter data types
  • Multiple ASP.NET Web Forms endpoints referencing different files with the same name would be overwritten or ignored
  • Struts endpoints could be generated from methods inherited from Struts framework base types, e.g. ActionSupport.input
  • Struts endpoint parameters could be over-culled when checking for references within the endpoint

v1.3.3

11 Oct 12:54

This release adds further support for ASP.NET Core by considering 2.1-specific APIs.

Improvements:

  • Detect "Microsoft.AspNetCore.App" package references for ASP.NET Core detection
  • Support ControllerBase as a valid base type for controllers
  • Support for [ApiController] attribute on controllers
  • Classes inherit attributes from their base types
  • Support for ASP.NET Core parameter attributes - [FromQuery], [FromFile], [FromRoute], [FromForm], [FromServices]

v1.3.2

27 Sep 18:39
a432b09

This release contains bugfixes primarily improving line number detection for endpoint source code.

Improvements:

  • Better web.xml detection for Struts projects
  • Struts actions deferring to the ActionSupport class have their line numbers set to the result file (HTML, JSP, etc.)
  • Files and line numbers for Struts map to the execute method automatically if an action class is defined without a method
  • Rails endpoints generated by recognized third-party routers have (lib) attached to their source file names to indicate that the source code is not available but the endpoint is valid
  • Better line range detection for Django endpoints
  • JSP getLineNumberForParameter now returns the first line on which a parameter occurs

Bugfixes:

  • Struts actions deferring to JSP files no longer use endLine + 1 as the source code end line
  • Struts result file detection respects package namespacing
  • Rails parsing detects module names embedded in class names while resolving route controllers
  • JSP file extension checks are no longer case-sensitive
  • JSPF files are now ignored
  • Fix an occasional NullPointerException when parsing ASP.NET Core projects
  • Fix an exception in JSP parsing on case-sensitive file systems

v1.3.1

25 Sep 17:13

This release modifies the Endpoint.Info.fromEndpoint utility method to optionally clean source code information from Endpoint.Info objects.

v1.3.0

24 Sep 18:23

This release simplifies the contents of the Endpoint data types to minimize JSON footprint, and contains some small bugfixes.

JSON generated via com.denimgroup.threadfix.framework.engine.full.EndpointSerialization is incompatible with previous versions. This version cannot parse JSON produced by versions before 1.3.0, and previous versions are not guaranteed to parse JSON produced by this version.

Improvements:

  • Remove redundant internal data from Endpoint implementations that may contain absolute file paths to the source code on the machine that generated the Endpoints
  • Apply variant detection for ASP.NET MVC projects

Bugfixes:

  • Fix NullPointerException when parsing an ASP.NET MVC project with a MapRoute call whose template string could not be determined

v1.2.18

21 Sep 16:33

This release contains improvements for ASP.NET MVC endpoint detection in the Hybrid Analysis Mapping (HAM) endpoint detection module.

ASP.NET MVC endpoint detection has undergone a significant refactor to support Web API, ASP.NET Core, and provide more accurate and complete results.

Improvements:

  • Support multi-attribute attachments (e.g. [HttpGet, HttpDelete])
  • Detect endpoints routed via naming conventions for Web API projects
  • Convention-based routing supports methods with default parameter values (e.g. Get(int? id = 10) maps to / and /{id})
  • Detect attribute parameters with and without explicit variable names (e.g. [Bind(Include = "...")] vs [Bind("...")])
  • Generally more robust endpoint detection for ASP.NET Core, standard MVC and Web API
  • Ignore methods with [NonAction] attached
  • Support .UseMvcWithDefaultRoute() in ASP.NET Core
  • Support for convention-based routing in ASP.NET Core
  • Support for controller classes that do not directly inherit from Controller or ApiController, but have a base class that does
  • Controller classes inherit actions from their base types, if available
  • Detect parameter types by route constraints, if available
  • Support [AcceptVerbs] attribute
  • Support [RoutePrefix] and [Route] attributes for Web API

Bugfixes:

  • Detect string interpolation and verbatim strings to avoid parsing errors
  • Fix an exception during matching of endpoints that include wildcards
  • Relax requirements on detection of MapRoute calls
  • Change comment detection to work with interpolated strings
  • Support default actions that are not named Index
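The two parsing bugfixes above (verbatim/interpolated strings, and comment detection that tolerates them) describe a classic source-scanner pitfall: a `//` or `"` inside a string literal must not be mistaken for a comment or string boundary, or the scanner desynchronises and misses or invents endpoints. As an added illustration that is not astam-correlator's own code, here is a minimal Python comment stripper that skips regular, verbatim (`@"..."`) and interpolated (`$"...{x}..."`) C# strings and char literals; `SAMPLE` is constructed input.

```python
"""Strip C# comments while skipping regular, verbatim (@"...") and interpolated
($"...{x}...") strings, the cases the v1.2.18 notes say caused parsing errors.
Added example, not code from astam-correlator; SAMPLE is constructed input."""
SAMPLE = r'''var url = "http://example/x"; // trailing comment
var path = @"C:\dir\""quoted""";  /* block
comment */ int n = 1;
var msg = $"value {x} // not a comment {{literal}}";
var esc = "say \"hi\" // still a string"; var chr = '"'; // char
'''

def _skip_string(src, i, verbatim, interpolated):
    """Return the index just past the string literal opening at src[i]."""
    i, depth, n = i + 1, 0, len(src)      # depth: nesting of {...} holes
    while i < n:
        c, nxt = src[i], src[i + 1:i + 2]
        if depth > 0:                      # inside an interpolation hole
            if c == '"': i = _skip_string(src, i, False, False); continue
            depth += (c == "{") - (c == "}")
        elif interpolated and c == "{":
            if nxt == "{": i += 1          # {{ is an escaped brace
            else: depth += 1
        elif c == '"':
            if verbatim and nxt == '"': i += 1   # "" escapes a quote in @"..."
            else: return i + 1             # closing quote
        elif c == "\\" and not verbatim:
            i += 1                         # skip the escaped character
        i += 1
    return i

def strip_comments(src):
    """Remove // and /* */ comments; string and char literals pass through."""
    out, i, n = [], 0, len(src)
    while i < n:
        two = src[i:i + 2]
        if two == "//":                    # line comment; the newline is kept
            j = src.find("\n", i); i = n if j < 0 else j
        elif two == "/*":                  # block comment
            j = src.find("*/", i + 2); i = n if j < 0 else j + 2
        elif src[i] == "'":                # char literal such as '"' or '\''
            j = i + 1
            while j < n and src[j] != "'": j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1]); i = j + 1
        else:                              # string with optional @ / $ prefixes
            j = i
            while src[j:j + 1] in ("@", "$"): j += 1
            if j < n and src[j] == '"':
                end = _skip_string(src, j, "@" in src[i:j], "$" in src[i:j])
                out.append(src[i:end]); i = end
            else: out.append(src[i]); i += 1
    return "".join(out)
```

Newlines are preserved so that line numbers reported for detected endpoints stay correct after stripping; a scanner that dropped the block comment's newline would shift every later line.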