v0.31.0

What's Changed

• fix(js): incorrect CWE for observable timing rule by @elsapet in #334
• feat(java): add xxe rule by @elsapet in #333
• feat(java): add jwt missing signature verification by @elsapet in #337
• feat(ruby): add third parties AppSignal (CWE-201) by @jbockler in #335
• fix: linting and missing rule severity by @gotbadger in #339

New Contributors 🎉

• @jbockler made their first contribution in #335

Full Changelog: v0.30.0...v0.31.0

v0.30.0

What's Changed

• chore: update checkout to use node20 by @cfabianski in #329
• feat(js): expand JS rules by @cfabianski in #327
• feat(java): extend hardcoded secret rule by @elsapet in #330
• feat(tools): improve rule gen by @gotbadger in #331
• fix: fix typo in dynamic os command by @cfabianski in #332

Full Changelog: v0.29.1...v0.30.0

v0.29.1

What's Changed

• fix: improve path traversal by @cfabianski in #324

Full Changelog: v0.29.0...v0.29.1

v0.29.0

What's Changed

• feat(go): fix missing input type by @gotbadger in #322
• feat(js): add path traversal from dynamic input by @cfabianski in #323

Full Changelog: v0.28.0...v0.29.0

v0.28.0

What's Changed

• ci(java): update some snapshots by @gotbadger in #307
• ci(go): snapshots to annotations for gosec by @gotbadger in #310
• feat(js): add deserialization rule by @elsapet in #308
• fix(js): extend and add open redirect rules by @elsapet in #309
• feat: add timing attack js by @cfabianski in #312
• chore: update testJSContent.js by @cfabianski in #314
• fix: open redirect js rules by @elsapet in #315
• feat(js): add external input in filename by @elsapet in #313
• fix: add missing severity by @elsapet in #318
• feat(js): add missing TLS rule for Node by @elsapet in #316
• feat(js): add handlebars XSS rule by @elsapet in #317
• fix: update slowloris gosec by @cfabianski in #320
• feat(java): missing or permissive ssl hostname verifier (CWE-295) by @elsapet in #231
• ci: remaining snapshots and runner update by @gotbadger in #319
• fix: missing description and message by @cfabianski in #321
• feat(java): third parties ElasticSearch (CWE-201) by @elsapet in #261

Full Changelog: v0.27.0...v0.28.0

v0.27.0

What's Changed

• feat(java): third parties rollbar (CWE-201) by @elsapet in #266
• feat(java): add third parties open telemetry by @elsapet in #265
• feat(java): third parties new relic by @elsapet in #264
• feat(java): add third parties Datadog (CWE-201) by @elsapet in #262
• chore: use sink instead of source by @cfabianski in #272
• fix: typo by @elsapet in #274
• feat(java): third parties sentry by @elsapet in #268
• feat(go): deserialization of user input (CWE-502) by @elsapet in #273
• feat(go): add log output neutralization (CWE-117) by @elsapet in #275
• feat(golang): add open redirect rule by @cfabianski in #279
• feat(go): OS command injection (CWE-78) by @elsapet in #281
• feat(golang): add cwe 330 by @cfabianski in #284
• feat(go): add html tag injection rule (CWE-80) by @elsapet in #283
• fix: golang injection rules by @elsapet in #287
• feat(golang): add CWE 295 ssl verification by @cfabianski in #285
• feat(go): permissive regexp (CWE-625) by @elsapet in #288
• feat: add severity where missing by @elsapet in #291
• ci: update validation by @gotbadger in #296
• ci: migrate away from snaps by @gotbadger in #276
• feat(js): add insuffiently random values by @cfabianski in #295
• feat(js): add file permissions CWE 276 by @cfabianski in #293
• chore: add log leakage generic by @cfabianski in #298
• ci(ruby): update snaps to annotations by @gotbadger in #299
• ci(go): update to use annotations by @gotbadger in #303
• ci(python): update to use annotations by @gotbadger in #302
• feat(java): add warning-level logger rule by @elsapet in #297
• ci(js): remove snaps by @gotbadger in #304
• ci(php): test snaps to annotations by @gotbadger in #300
• feat: extend go logger rule by @elsapet in #301
• ci(java): migrate to annotations by @gotbadger in #305
• feat(golang): add hardcoded database password by @cfabianski in #282

Full Changelog: v0.26.0...v0.27.0

v0.26.0

What's Changed

• feat(php): add coverage for crc32 and adler32 by @gotbadger in #260
• feat(java): add third party rule for Algolia (CWE-201) by @elsapet in #254
• feat(java): third parties clickhouse rule by @elsapet in #259
• feat(java): vulnerable Apache commons collection version (CWE-1395) by @elsapet in #250
• feat(java): add third parties bugsnag rule (CWE-201) by @elsapet in #258
• feat: improve allow origin matching by @gotbadger in #263

Full Changelog: v0.25.0...v0.26.0

v0.25.0

What's Changed

• feat(java): add warning-level rule about socket creation best practices (CWE-319) by @elsapet in #233
• feat(java): open redirect rule (CWE-601) by @elsapet in #234
• feat(java): add SSRF rule (CWE-918) by @elsapet in #235
• feat(java): add AWS query injection rule (CWE-943) by @elsapet in #236
• feat(java): deserialization of user input (CWE-502) by @elsapet in #237
• fix: remove unused imports by @elsapet in #238
• fix: cwe for Java insecure allow origin by @elsapet in #240
• fix: allow origin cwes for php rules by @elsapet in #241
• feat(java): add permissive allow origin rule (CWE-942) by @elsapet in #242
• fix: java testdata for code injection rule by @elsapet in #243
• feat(java): add path traversal rule (CWE-22) by @elsapet in #239
• feat(java): add eval injection rule (CWE-95) by @elsapet in #244
• feat(java): exception rule (CWE-210) by @elsapet in #245
• feat(java): add cookie leaks rule (CWE-315) by @elsapet in #246
• feat(java): unsafe reflection (CWE-470) by @elsapet in #247
• feat(java): regex using user input (CWE-1287) by @elsapet in #249
• feat(java): permissive cookie config (CWE-693) by @elsapet in #248
• fix: quick solution to handle third parties repo by @elsapet in #251
• feat(java): airbrake library (CWE-201) by @elsapet in #252
• fix: go sha rule description by @gotbadger in #253
• feat: improve SQLi by @cfabianski in #255
• feat(php): improve input sanitizer by @gotbadger in #257

Full Changelog: v0.24.0...v0.25.0

v0.24.0

What's Changed

• docs: fix broken link in contribution guide by @elsapet in #188
• test: improve helper.js for new invoker by @cfabianski in #189
• feat: add script to write test files for V2 tests by @elsapet in #190
• test: update snapshots for canary by @cfabianski in #191
• feat(java): add bad hex conversion rule (CWE-704) by @elsapet in #192
• feat(java): blowfish key size rule (CWE-326) by @elsapet in #193
• feat(java): add dangerous permissions rule (CWE-269) by @elsapet in #198
• feat(java): add ECB cipher mode rule (CWE-327) by @elsapet in #199
• feat(java): custom MessageDigest class (CWE-327) by @elsapet in #196
• feat(java): add EL injection rule (CWE-917) by @elsapet in #200
• fix: improve test helper script by @elsapet in #201
• feat(java): add SQL external config rule (CWE-15) by @elsapet in #202
• feat(jave): add CRLF injection rule (CWE-93) by @elsapet in #195
• feat(java): add file upload filename rule (CWE-73) by @elsapet in #203
• fix(java): clean up EL injection rule by @elsapet in #204
• feat(java): format string manipulation rule (CWE-134) by @elsapet in #205
• fix(java): hardcoded database secret rule by @elsapet in #207
• feat(java): empty database password rule (CWE-306) by @elsapet in #208
• feat(java): HTTP Param Pollution (CWE-88) by @elsapet in #211
• feat(java): extend HTTP response splitting rule by @elsapet in #209
• chore: improve writing rules by @cfabianski in #212
• feat(java): add hardcoded secret rule (CWE-798) by @elsapet in #206
• feat(java): extend insecure cookie rules by @elsapet in #213
• feat(java): add missing SMTP SSL host check rule (CWE-297) by @elsapet in #216
• fix: inverted rule description by @gmontard in #214
• fix: multiple CWEs for Java EL injection rule by @elsapet in #221
• fix: incorrect CWE for Java file upload filename rule by @elsapet in #222
• feat(java): code injection rule (CWE-94) by @elsapet in #224
• feat(java): add insecure allow origin rule (CWE-942) by @elsapet in #220
• feat: bulk update script by @gotbadger in #226
• fix: remove rule from rule name by @elsapet in #225
• feat(java/android): add screenshot prevention rule (CWE-200) by @elsapet in #228
• feat(java/android): add world readable/writeable rule (CWE-276) by @elsapet in #229
• feat(java): missing TLS validation by @elsapet in #230
• chore: bulk update cwe and desc by @gotbadger in #227
• fix: split cookie rules by @elsapet in #219
• fix: tighten java format string rule by @elsapet in #232

New Contributors

• @gmontard made their first contribution in #214

Full Changelog: v0.23.6...v0.24.0

v0.23.6

What's Changed

• docs: Update reduce_fingerprint.yml by @gotbadger in #183

Full Changelog: v0.23.5...v0.23.6