This change log includes updates to detectors made in July 2025.
1. [Kotlin, Scala, Go, Ruby, PHP] [Missing CSRF Protection Detection] Added rules to detect missing or incomplete CSRF protection, identifying scenarios where cross-site request forgery safeguards are absent or misconfigured.
2. [Kotlin, Scala, JavaScript, TypeScript] [OS Command Injection Vulnerability] Added rules to detect OS Command Injection vulnerabilities by tracking user-controlled input flowing into dangerous command execution APIs.
3. [JavaScript, Scala, Kotlin, Go, Ruby, PHP] [Path Traversal Detection Enhancement] Added rules to identify path traversal risks, detecting unsafe usage of user-controlled input in file system path operations.
4. [Kotlin, Scala, Java, Go] [Code Injection Vulnerabilities] Added rules to detect Code Injection vulnerabilities by identifying unsafe execution of user-controlled input in dynamic code evaluation and execution functions.
5. [Java] [Non-Daemon Thread Detection] Enhanced the Java non-daemon thread detection rule to improve pattern matching for various Executor service creation methods using metavariable regex, and added detection for ThreadFactoryBuilder with setDaemon(false).
6. [Java] [Unsafe JNDI Operation Detection] Added rule to detect unsafe JNDI lookups with untrusted user input that could lead to remote code execution vulnerabilities. When unvalidated user input is passed to JNDI lookup methods, attackers can manipulate the lookup process to execute malicious code through compromised LDAP/RMI servers.
7. [Java] [Insecure Format String Detection] Added rule to detect format string injection vulnerabilities where untrusted input is used to construct format strings in String.format() or Formatter.format() methods. When malicious input containing format specifiers is processed by these methods, attackers can cause information disclosure or denial of service attacks.
8. [Java] [Misconfigured CSP Header Detection] Added rule to detect Content Security Policy (CSP) header misconfigurations that could lead to XSS attacks. The rule identifies missing script-src directives, use of unsafe directives ('unsafe-inline', 'unsafe-eval'), wildcard (*) usage, HTTP URLs in script-src, and contradictory configurations that can bypass CSP protections.
9. [Java] [Missing SRI Attribute Detection] Added rule to detect external scripts and stylesheets loaded from HTTPS sources without Subresource Integrity (SRI) attributes. When external resources are included without integrity validation, attackers who compromise a CDN or third-party host could inject malicious content into the application.
10. [Java] [Untrusted Control Sphere Detection] Added rule to detect code that loads or executes functionality from untrusted or user-controlled sources. When applications load classes, resources, or libraries, or execute code from locations specified by user input, attackers can control what functionality is included in the application.
11. [Java] [Unsafe CSP Frame-Ancestors Detection] Added rule to detect insecure Content Security Policy (CSP) configurations, specifically targeting the frame-ancestors directive. When applications configure CSP headers with unsafe values like wildcards or HTTP URLs, omit the frame-ancestors directive, or use deprecated header names, attackers can exploit clickjacking and frame injection vulnerabilities.
12. [Java] [Enhanced Coverage] Improved precision and recall performance for java-deprecated-cryptographic-classes, java-unnecessary-synchronization-concurrent-collections, java-deprecated-client-constructor, java-insecure-deserialization-serialization-utils, and java-redis-cache-data-loss rules.
13. [JavaScript] [Enhanced Coverage] Improved precision and recall performance for javascript-missing-authn-critical-function, javascript-cross-site-scripting-ide, and javascript-process-env-undefined rules.
14. [Kotlin] [Enhanced Coverage] Improved precision and recall performance for kotlin-unsafe-expr-evaluation, kotlin-biometric-authentication, kotlin-use-of-weak-hashes, kotlin-cookie-missing-secure-flag, kotlin-command-injection, kotlin-csrf-protection, and kotlin-anonymous-ldap-bind rules.
15. [Go] [Enhanced Coverage] Improved precision and recall performance for go-xml-external-entity, go-html-template-insecure-types, go_dir_traversal, go_os_injection_write, and go_useless_if_body rules.
16. [C#] [Enhanced Coverage] Improved precision and recall performance for csharp-use-weak-rsa-encryption-padding, csharp-session-handling-authentication, csharp_misconfigured_lockout_option, and s3-improper-encryption rules.
17. [C#] [CSRF Detection Enhancement] Enhanced Cross Site Request Forgery detection by moving to method level for more precise identification. Updated rule annotations to improve accuracy of CSRF vulnerability detection and refined pattern matching to better identify missing CSRF protections in API endpoints, controllers, and Razor pages.
18. [C#] [Cross-Site Scripting Enhancement] Enhanced the Cross-Site Scripting (XSS) detection rule for improved accuracy and broader coverage of various attack vectors.
19. [C#] [OS Command Injection Enhancement] Enhanced the OS Command Injection rule to provide broader coverage across more libraries and command execution methods.
20. [Python] [Code Injection Enhancement] Improved detection of code injection vulnerabilities by enhancing the pattern recognition for dynamic code execution scenarios. Reduced false positives by better differentiating between trusted and untrusted input sources.
21. [Java] [OS Command Injection Enhancement] Strengthened detection of command injection vulnerabilities by expanding coverage to various execution mechanisms. Enhanced precision by minimising false positives in cases with validated input handling.
22. [JavaScript] [Code Injection Enhancement] Refined code injection detection by broadening the rule scope to capture more dynamic execution patterns. Adjusted logic to better distinguish between secure and insecure input usage.
23. [JavaScript] [Cross-Site Scripting Enhancement] Improved precision of cross-site scripting detection by fixing incorrect identification of potential vulnerabilities in validated input scenarios, reducing false positives.
24. [TypeScript] [Code Injection Enhancement] Enhanced rule logic for identifying code injection risks in dynamic execution contexts. Improved accuracy in recognising unsafe patterns without flagging legitimate and validated code constructs.
25. [Python, JavaScript] [SecurityGuard Enhancement] Enabled the javascript-cross-site-scripting-ide, python-cross-site-scripting-ide, python-avoid-marksafe, python-flask-unescaped-template, python-flask-unsanitized-route, and python-tainted-html-string rules in the SecurityGuard use case to improve security coverage with better acceptance rates.
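The shape that item 7 (Insecure Format String Detection) flags, beside the fix the rule expects, as an added illustration that is not part of this change log or of the detector's own test corpus. The class name, method names and the sample inputs are constructed for the example; the security-relevant distinction is whether untrusted data becomes part of the format string or is passed only as an argument.

```java
import java.util.Formatter;
import java.util.MissingFormatArgumentException;

public class FormatStringExample {

    // VULNERABLE: untrusted input is concatenated into the format string itself,
    // so any '%' specifier it contains is interpreted by the formatter. Input such
    // as "%s%s%s" with no matching arguments throws (denial of service); when
    // extra arguments are present, stray specifiers can render them (disclosure).
    static String greetUnsafe(String userName) {
        return String.format("Hello, " + userName);
    }

    // SAFE: the format string is a compile-time constant; untrusted data is only
    // ever an argument, so "%" characters in it are printed literally.
    static String greetSafe(String userName) {
        return String.format("Hello, %s", userName);
    }

    // Same distinction with java.util.Formatter: constant pattern, data as arguments.
    static String auditLineSafe(String action, String userInput) {
        try (Formatter f = new Formatter()) {
            return f.format("[%s] %s", action, userInput).toString();
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: looks like a name but carries format specifiers.
        String hostile = "%s%s%s";

        System.out.println(greetSafe(hostile));            // Hello, %s%s%s
        System.out.println(auditLineSafe("login", hostile)); // [login] %s%s%s

        try {
            System.out.println(greetUnsafe(hostile));
        } catch (MissingFormatArgumentException e) {
            // The unsafe variant fails on the first specifier it cannot satisfy.
            System.out.println("unsafe variant threw: " + e.getMessage());
        }
    }
}
```

A detector for this class typically treats `String.format(<non-constant>)` and `Formatter.format(<non-constant>)` as sinks and a string literal in the first position as the sanitized form, which is exactly the difference between `greetUnsafe` and `greetSafe` above.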
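Items 8 and 11 describe what the two CSP rules look for in a header: a missing script-src, 'unsafe-inline' or 'unsafe-eval', the wildcard, plaintext http: origins, a missing frame-ancestors directive, and deprecated header names. The following checker, added here as an example and not taken from the page or from the detector, reproduces those checks over a weak and a corrected policy. The policy strings and the `findings` helper are constructed for the example; the deprecated header names (X-Content-Security-Policy, X-WebKit-CSP) are the pre-standard names browsers used before Content-Security-Policy, and frame-ancestors is checked without a default-src fallback because the CSP specification gives it none.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class CspPolicyCheck {

    // Pre-standard header names; only Content-Security-Policy is current.
    static final Set<String> DEPRECATED_HEADERS =
            Set.of("X-Content-Security-Policy", "X-WebKit-CSP");

    // Parse "dir1 v1 v2; dir2 v3" into directive -> list of source expressions.
    static Map<String, List<String>> parse(String policy) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (String part : policy.split(";")) {
            String[] tokens = part.trim().split("\\s+");
            if (tokens[0].isEmpty()) continue;
            out.put(tokens[0].toLowerCase(Locale.ROOT),
                    new ArrayList<>(Arrays.asList(tokens).subList(1, tokens.length)));
        }
        return out;
    }

    // Report the weaknesses the two rules describe for one header name/value pair.
    static List<String> findings(String headerName, String policy) {
        List<String> issues = new ArrayList<>();
        if (DEPRECATED_HEADERS.contains(headerName)) {
            issues.add("deprecated header name: " + headerName);
        }
        Map<String, List<String>> d = parse(policy);

        // script-src falls back to default-src when absent; if neither exists,
        // scripts are unrestricted.
        List<String> script = d.getOrDefault("script-src", d.get("default-src"));
        if (script == null) {
            issues.add("script-src missing and no default-src fallback");
        } else {
            for (String s : script) {
                String v = s.toLowerCase(Locale.ROOT);
                if (v.equals("'unsafe-inline'") || v.equals("'unsafe-eval'")) issues.add("script-src allows " + s);
                if (v.equals("*")) issues.add("script-src allows wildcard *");
                if (v.startsWith("http:")) issues.add("script-src allows plaintext origin " + s);
            }
        }

        // frame-ancestors has no default-src fallback: absent means any site may frame us.
        List<String> frames = d.get("frame-ancestors");
        if (frames == null) {
            issues.add("frame-ancestors missing (clickjacking)");
        } else {
            for (String s : frames) {
                String v = s.toLowerCase(Locale.ROOT);
                if (v.equals("*") || v.startsWith("http:")) issues.add("frame-ancestors allows " + s);
            }
        }
        return issues;
    }

    public static void main(String[] args) {
        // Constructed weak policy: deprecated header, wildcard, unsafe-inline,
        // plaintext CDN origin and no frame-ancestors.
        String weak = "default-src *; script-src 'unsafe-inline' http://cdn.example.com";
        System.out.println(findings("X-Content-Security-Policy", weak));

        // Corrected policy on the standard header: self plus an HTTPS CDN, no framing.
        String fixed = "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'";
        System.out.println(findings("Content-Security-Policy", fixed)); // []
    }
}
```

In a servlet or Spring controller the corrected value is what would be passed to `response.setHeader("Content-Security-Policy", ...)`; the checker is useful as a unit test over whatever builder produces that string, so a later edit that reintroduces 'unsafe-inline' or drops frame-ancestors fails the build rather than reaching production.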
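Item 6 (Unsafe JNDI Operation Detection) is about the lookup name being attacker-controlled. The guard below is an added example, not code from the page or from the detector: it shows the unsafe shape next to the allowlist mapping a detector would accept as a sanitizer. The class, the `ALLOWED_NAMES` entries and the sample inputs are constructed; `javax.naming.Context.lookup(String)` is the real JDK API.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import java.util.Set;

public class JndiLookupGuard {

    // Every JNDI name this application legitimately resolves, fixed at build time.
    // The entries are constructed for this example.
    static final Set<String> ALLOWED_NAMES = Set.of(
            "java:comp/env/jdbc/ordersDb",
            "java:comp/env/jms/orderQueue");

    // VULNERABLE shape: the name comes straight from the request, so the caller
    // chooses the naming provider (a URL-form name selects a remote LDAP or RMI
    // server) and the lookup result is whatever that provider returns.
    static Object lookupUnsafe(Context ctx, String nameFromRequest) throws NamingException {
        return ctx.lookup(nameFromRequest);
    }

    // Hardened: untrusted input is matched against the fixed allowlist first.
    // Anything not on the list returns null and never reaches JNDI at all.
    static Object lookupGuarded(Context ctx, String nameFromRequest) throws NamingException {
        if (!isAllowedName(nameFromRequest)) {
            return null;
        }
        return ctx.lookup(nameFromRequest);
    }

    // Pure predicate, usable in unit tests and as the sanitizer a taint rule recognises.
    static boolean isAllowedName(String name) {
        return name != null && ALLOWED_NAMES.contains(name);
    }

    public static void main(String[] args) {
        // Constructed inputs: one configured resource, one URL-form name that would
        // redirect the lookup to an external server, one near miss.
        System.out.println(isAllowedName("java:comp/env/jdbc/ordersDb"));   // true
        System.out.println(isAllowedName("ldap://external.example/object")); // false
        System.out.println(isAllowedName("java:comp/env/jdbc/ordersDb/../x")); // false
    }
}
```

Matching on exact set membership, rather than a prefix or a regex, is deliberate: a prefix check on "java:comp/env/" would still let a crafted suffix steer the lookup, whereas an exact match leaves the attacker no influence over which name is resolved.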
The following rules were disabled due to timeout in standard:
1. java-jackson-insecure-deserialization
2. java-lackoffileextensionvalidation
3. java-sql-injection-rds
4. java-sql-injection-redshift
5. java-cross-site-scripting
6. java-shopping-portal-horizonte-service-without-cloud-auth
7. java-crypto-compliance-cipher
8. java-coral-allowlist-authorizer
9. java-coral-bypass-lambda-authorizer
10. java-jwt-exposed-credentials
11. java-jwt-none-algorithm
The following rules were disabled due to timeout in Express, moving to Semgrep-based rules:
1. java-crlf-injection
2. java-xss
3. java-cross-site-scripting-gwt
4. java-jndi-injection