August 2025 change log

This change log includes updates to detectors made in August 2025.


Added and updated rules

1. [TypeScript, C++] [CSRF Protection Detection] Added rules to detect missing or incomplete CSRF protection, identifying scenarios where cross-site request forgery safeguards are absent or misconfigured.
2. [Go, PHP, Ruby, C++] [OS Command Injection Detection] Added rules to detect OS command injection vulnerabilities by tracking user-controlled input flowing into dangerous command execution APIs.
3. [PHP, C++, Ruby] [Code Injection Detection] Added rules to detect code injection vulnerabilities by identifying unsafe execution of user-controlled input in dynamic code evaluation and execution functions.
4. [C++] [Path Traversal Detection] Added rules to identify path traversal risks in C++ code, detecting unsafe use of user-controlled input in file system path operations.
5. [Java] [Thread Safety Violation Detection] Implemented comprehensive thread safety violation detection to identify concurrent programming issues that could lead to race conditions, data corruption, and unpredictable application behavior.
6. [Java] [Unsafe JNI Operation Detection] Added a security rule to detect unsafe Java Native Interface (JNI) usage patterns that could lead to memory corruption, buffer overflows, or privilege escalation vulnerabilities.
7. [Java] [Mock Static Resource Leak Detection] Added a rule to detect resource leaks in static mocking scenarios during testing that could lead to memory exhaustion and test reliability issues.
8. [Java] [DNS Failure Initialization Detection] Added a reliability rule to detect improper DNS initialization patterns that could lead to network connectivity failures and service outages.
9. [Java] [WebLab Coverage Enforcement] Implemented comprehensive WebLab experiment coverage validation to ensure proper A/B testing implementation and statistical validity.
10. [Java] [String Replace Pattern Detection] Detects code that dynamically loads classes, libraries, or executes functionality from user-controlled or untrusted sources.
11. [Java] [Unsafe Content Security Policy Detection] Detects unsafe or missing Content Security Policy frame-ancestors directives that could allow clickjacking attacks.
12. [Multi-language] [Hardcoded DNS Detection] Enhanced cross-language detection of hardcoded DNS configurations that reduce application flexibility and deployability across different environments.
13. [C#] [Code Injection Enhancement] Enhanced code injection detection patterns at method and parameter levels, strengthening validation rules for unsafe dynamic code execution.
14. [Kotlin] [Path Traversal Enhancement] Strengthened detection of path traversal vulnerabilities by expanding coverage to various file access mechanisms while minimizing false positives.
15. [Kotlin] [Code Injection Enhancement] Enhanced code injection detection patterns at method and parameter levels with improved analysis for detecting potential injection points.
16. [Scala] [OS Command Injection Enhancement] Enhanced scanning for unsafe command execution patterns with improved checks for shell command injection and input sanitization.
17. [Go] [CSRF Protection Enhancement] Enhanced detection of missing CSRF protection in Go web applications with improved pattern matching for HTTP handlers lacking proper CSRF token validation.
18. [JavaScript, TypeScript] [OS Command Injection Enhancement] Enhanced detection of command injection vulnerabilities with improved sanitization patterns for child_process executions.
19. [Ruby, PHP] [CSRF Protection Enhancement] Enhanced CSRF protection detection with improved validation of token implementation and security checks for forms and API endpoints.
20. [C#] [Structured Logging Precision] Improved precision and recall for structured logging detection rules.
21. [Scala] [EL Injection Precision] Improved precision and recall for expression language injection detection.
22. [Go] [Nil Pointer Dereference Precision] Improved precision and recall for nil pointer dereference detection.
23. [Java] [Redis Cache Data Loss Precision] Improved precision and recall for Redis cache data loss detection.
24. [Ruby] [SSL Verification Precision] Improved precision and recall for SSL verification false detection.
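Items 2 and 16 describe the pattern the OS command injection rules track: user-controlled input reaching a command execution API. The following Go program is an added example written for this change log, not detector code or code from the product; it shows the flagged shape (untrusted input concatenated into a "sh -c" command line) beside a hardened form (allow-list validation, then a separate argv element with no shell). The function names buildPingUnsafe, buildPingSafe and ShellCommandLine, the hostname allow-list and the sample payload are all assumptions made for the example. The commands are constructed but never run, so it executes offline.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// hostnamePattern is an assumed allow-list for the one untrusted value we
// hand to ping: DNS-style labels only (letters, digits, hyphen, dot), which
// excludes shell metacharacters and, because the first character must be
// alphanumeric, also excludes values starting with "-" that ping would parse
// as options.
var hostnamePattern = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$`)

// buildPingUnsafe is the shape the detector flags: untrusted input is
// concatenated into a shell command line, so ";", "|", "$(...)" and friends
// become additional commands.
func buildPingUnsafe(host string) *exec.Cmd {
	return exec.Command("sh", "-c", "ping -c 1 "+host)
}

// buildPingSafe validates the value against the allow-list and passes it as
// its own argv element directly to the binary. No shell ever parses it, so
// metacharacters have no meaning even if validation were loosened later.
func buildPingSafe(host string) (*exec.Cmd, error) {
	if !hostnamePattern.MatchString(host) {
		return nil, fmt.Errorf("rejecting host %q: not a valid hostname", host)
	}
	return exec.Command("ping", "-c", "1", host), nil
}

// ShellCommandLine returns the string a shell would interpret for a
// "sh -c <line>" command, or "" when the command does not go through a shell.
// It makes visible what each builder actually hands to the OS.
func ShellCommandLine(cmd *exec.Cmd) string {
	if len(cmd.Args) == 3 && cmd.Args[0] == "sh" && cmd.Args[1] == "-c" {
		return cmd.Args[2]
	}
	return ""
}

func main() {
	// Constructed sample input: a hostname followed by a shell separator and a
	// second command, as an attacker would submit it through a web form.
	payload := "example.com; cat /etc/passwd"

	unsafe := buildPingUnsafe(payload)
	fmt.Println("unsafe shell line:", ShellCommandLine(unsafe))

	if _, err := buildPingSafe(payload); err != nil {
		fmt.Println("safe:", err)
	}
	safe, _ := buildPingSafe("example.com")
	fmt.Println("safe argv:", strings.Join(safe.Args, " "))
}
```

The rule fires on the data flow, not on the presence of "sh -c": a Go handler that calls exec.Command("ping", host) with an unvalidated host is still reported, because the binary itself may interpret the value (for example as an option). Validation against an allow-list plus an argv call, as in buildPingSafe, satisfies both concerns.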

Disabled rules

The following rules were disabled because of timeouts:
1. Java: privileged_action_java_rule
2. Java: text_high_entropy_network_credentials_oth
3. Java: weblab_marketplace_config_rules
4. Java: java_shopping_portal_horizonte_service_without_cloud_auth
5. Java: code_injection_java_rule
6. Java: cross_site_scripting_java_rule_exp
7. Java: unsecure_comparison_rule

The following rules were disabled because of performance or stability issues:
1. Java: thread_safety_violation (Infer) - performance issues and false positives in test environments
2. Python: python-import-specific-module-from-library - production stability issues across multiple environments