A Kiuwan On-Premises (KoP) update that includes the following enhancements and fixed issues.

Contents

Latest Versions

  • KLA: master.1808.p685.q13371
  • Cloud: 2.8.2402.3
  • Engine: master.p685.q13371.a1910.i654

Enhancements

Javascript language analysis

  • Added .jsx extension in javascript languages analysis
  • KLA (KiuwanLocalAnalyzer) now runs under Java 16

Cobol script

  • New Cobol preprocessor script:
    • A new script (cobolPreprocess.xml) for pre-processing COBOL sources and replacing COPY statements with the content of copybooks is provided. This tool is useful when COPY statements are used in a way that makes the common strategy of parsing separately COBOL programs and copybooks lead to a high rate of parse errors but with the cost of losing the source code lines in reported defects, due to plain code substitution. The script is located in the local analyzer bin directory, and usage is as follows:

Where:

    • SOURCES_DIR: The input
    • dialect: cobol85, cobolibm, cobolmicrofocus, coboltandem, acucobol, rmcobol.
       Default: cobol85.
    • marginType: The margin type to use when formatting. The default, autodetect, tries to detect the margin format heuristically. both_margin is the ANSI format.
    • freeform: true | false. If true, free-format COBOL. Default: false.
    • encoding: The encoding for reading and writing files. Default: UTF-8.
    • programExtensions: Extensions for COBOL programs. Default: cob,cbl,cobol,pco.
    • copyExtensions: Extensions for COBOL copybooks. Default: cpy,copy.
    • include: Comma-separated patterns of files to include. Two asterisks mean 'all directories and subdirectories'. Default: */.
    • exclude: Comma-separated patterns of files to include. Default: empty.
    • OUTPUT_DIR: Directory where the pre-processed files will be written. Defaults to the current directory.

JavaScript Vue.js framework

  • Added support for the JavaScript Vue.js framework. The following rules were added:
    • VueComponentDataMustBeFunction: Component data must be a function.
    • VueForWithoutKey: Always use key with v-for.
    • VueHtmlEscapeDisabled: Vue HTML escaping is disabled.
    • VueIfWithForDirective: Never use v-if on the same element as v-for.

CWE and OWASP

UI for user definition of neutralizers, sources, and sinks

This release includes a new Graphic User Interface (GUI) tool to allow customers to define and modify their custom metadata files. This tool should ease the process of the following actions:

  • Finding the existing metadata files (both products and custom)
  • Seeing the default product metadata
  • Avoiding conflicts between different definitions (for all the systems/for an application/for a given analysis). Only custom metadata is allowed to be edited - but it is possible to see all existing metadata.

The tool should help the configurator to see possible alternative definitions and values for each field, it includes some tooltips and examples.

Insight checkpoint based on vulnerabilities

  • This release includes a new Insight checkpoint based on component vulnerabilities. This checkpoint allows you to filter by group, component name or version, and by vulnerability severity risk    

REST API endpoint to set up users and manage Life Cycle Permission

    • Kiuwan now allows to add users and set user permissions for VIEW_LIFE_CYCLE access rights through REST API

Java 16 and 17

  • Kiuwan now supports Java 16 and 17

    • This new version also contains the following code quality rules for Java versions 16 and 17:

      • OPT.JAVA.DECL.AvoidDeprecatedPrimitivesConstructorsRule: Quality rule for deprecated primitive wrapper class constructors (Active for Java version 16 and up)
      • OPT.JAVA.SYNC.DoNotUseSynchronizationOnValueBasedClasses: Quality rule for synchronization on value-based classes (Active for Java version 16 and up)
      • OPT.JAVA.SERI.AvoidSerializationMethodsInRecords: Members ignored during record serialization should not be used (Active for Java version 16 and up)
      • OPT.JAVA.DECL.RecordWithArrayFieldsNotOverridingMethods: Methods should be overridden in records containing array fields (Active for Java version 16 and up)
      • OPT.JAVA.DECL.DoNotUseAppletAPI: Report usage of deprecated Applet API (Active for Java version 17 and up)
      • OPT.JAVA.SEC_JAVA.SecurityManagerDeprecatedRule: Report usage of deprecated security manager API (Active for Java version 17 and up)

Other Enhancements

  • QAK-6751 The engine now uses log4j version from the "reload4j" library version 1.2.25. This improves the performance and reliability of the logging mechanism used by the engine.
  • QAK-6786 Improved the detection rule for commented code in the Natural language (rule "OPT.NATURAL.NAT_MAN.RemoveCommentedCode"). This rule may not have found commented-out code lines. The engine now checks if any line of code is commented out and reports it as a violation. This rule detects commented Natural code blocks.
  • QAK-6821 The engine now supports negation operation in the Natural language (IF #SOMETHING ¬= 'NOTHING' is an example of a negation operation in the Natural language). The engine now understands how to use logical operators like NOT and XOR in natural language expressions.
  • QAK-6936 Updated the version of the slf4j library to 1.7.36. eCore, to provide logging functionality.
  • SAS-5556 Improve Portfolio edition time 
  • SAS-5824 Change default value for new customers
  • SAS-5786 Add log traces to InsightResportHandler and used classes
  • SAS-5502 Add applications check box in access permissions
  • SAS-5505 Allow deleting a single rule from checkpoints/audit
  • SAS-6788 Kiuwan Insights main Base Score from CVSS2 to CVSS3
  • SAS-6913 Implement ZK Upload Patch
  • QAK-6737 The engine now supports source file encoding using Windows code pages under Linux machines.
  • SAS-6522 Show the number of applications
  • SAS-6785 Add a Rule name field to an endpoint in REST-API

REST API Enhancements

  • Add attribute 'muted' for the endpoint /insights/analysis/security GET method
  • New endpoint: GET /applications/mutepatterns
  • New endpoint: GET /applications/{application}/defect/{defectId}/firstdate
  • New parameter for GET /apps/analysis/{code}/defects endpoint to filter muted status
  • Add PDF download to life cycle and rest API to obtain the pdf. New endpoint GET /audits/result/componentsPDF 
  • New parameters for GET/insights/analysis/summary/export endpoint 
  • New endpoint GET/auditResult/components
  • New endpoint POST/applications/defects/mute
  • Change return status for PUT /users/{username} endpoint when some of the applications in the request list do not exist
  • GET/stats endpoint returns new "24hlocs" value.

Parsing Errors

  • QAK-6780 Resolved parsing issue in Natural language on "PROTOTYPE" statement due to an unexpected token "END" that could not be recognized by the language parser.
  • QAK-6787 Resolved parsing error in Natural language files related to "READ WORK FILE" statements.
  • QAK-6798 Fixed parsing errors in Natural language files related to the "END" token.
  • QAK-6800 Resolved parsing issue in Natural language when encountering "HANDLE OF OBJECT” at "DEFINE DATA" statement.
  • QAK-6820 Resolved parsing issue in Natural language on handling the "MARK" keyword.
  • QAK-6822 Resolved parsing issue in Natural language on handling the "VALUE 1 ,2" statement or similar statements.
  • QAK-6829 Resolved parsing errors in PL/SQL language while analyzing a PL/SQL file with the reserved word "WORK".
  • QAK-6863 Resolved parsing errors in Natural language files containing the reserved keyword "REL."
  • QAK-6866 Resolved an issue of not parsing Natural language files with "EXAMINE" followed by two "GIVING" clauses.
  • QAK-6873 Resolved errors in the analysis of execution logs related to Java.
  • QAK-6874 Resolved a parsing error when analyzing T-SQL file containing "FOR JSON PATH" statements.
  • QAK-6876 Resolved an issue in Natural language related to fields-to-table assignment.
  • QAK-6879 Resolved the parsing issue in the Natural language related to "PERFORM" keyword with additional keywords, such as "PERFORM READ".
  • QAK-6882 Resolved a parsing issue in Natural language related to "FOR" statement with a plus (+) character.
  • QAK-6934 Resolved parsing issue in Natural language on "STARTING WITH ISN" statement.

Fixed Issues

  • SAS-5625 OOM with Insights analysis
  • SAS-5787 Fix long computation times with empty group + artifact dependency when computing obsolescence in Kiuwan
  • QAK-6707 Add .jsx extension in the default configuration
  • QAK-6694 Upgrade libraries for running under Java 16
  • QAK-6706 COBOL preprocessor script: Deploy for KLA
  • QAK-6640 Add support for VUE framework
  • QAK-6642 Possible false positives in rule OPT.CPP.CERTC.EXP33
  • QAK-6643 Possible false positive in rule OPT.CPP.CorrectUseMemoryLeaks
  • QAK-6662 Possible false positive on rule OPT.C.CERTC.STR31
  • QAK-6664 Parsing error JCL
  • QAK-6666 [FP] OPT.JAVA.SEC_JAVA.CrossSiteScriptingRule
  • QAK-6683 False positive / no sense datapath on Java rule: Trust boundary violation
  • QAK-6687 False positives in Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • QAK-6690 Review EAR rules for the rest of technologies (Go, Kotlin, Objective-C, PHP, Python, Scala)
  • QAK-6691 Inconsistent results for rule "OPT.JAVA.SPRING.AvoidBeansWithTheSameIdAcrossDiferentDescriptors"
  • QAK-6692 False positive "Evaluate integer expressions in a larger size before comparing or assigning to that size" in C file
  • QAK-6694 Upgrade libraries for running under Java 16
  • QAK-6695 CWETOP25:2010:13 should be removed
  • QAK-6698 Update CWETOP25 tags to 2021 version
  • QAK-6699 Bug in PHP rule: Avoid unused private fields
  • QAK-6700 COBOL paser errors (AcuCOBOL)
  • QAK-6701 False positive of PT.JAVA.SEC_JAVA.CodeInjectionWithDeserializationRule (ZD-4720)
  • QAK-6703 COBOL Tandem parse errors
  • QAK-6704 False positive in OPT.KOTLIN.UnreachableCode
  • QAK-6706 COBOL preprocessor script
  • QAK-6707 Adding .jsx extension in the default configuration
  • QAK-6708 Analysis Failing when trying with Java returned 1 and AN-1 errors on both KLA and cloud
  • QAK-6709 Bug on the rule "Follow the limit for number of return statements"
  • QAK-6710 Fix dependency issues in power script parser and rules
  • QAK-6711 [FP] OPT.JAVA.SEC_JAVA.PotentialInfiniteLoop
  • QAK-6712 Possible false positive in the rule OPT.JAVA.FMETODOS.SAOP
  • QAK-6713 Possible false positive in the rule: OPT.JAVA.DECLARA.UCDC
  • QAK-6714 Possible false positive in rule OPT.CPP.CERTC.EXP33
  • QAK-6717 New OWASP ranking
  • QAK-6720 Parsing Error in .VB File
  • QAK-6722 False positive on Prevent denial of service attack through malicious regular expression ('Regex Injection') (ZD-5002)
  • QAK-6723 Parse errors in COBOL app
  • QAK-6724 Unable to parse cobol file: Error at line 1: Encountered: $COPYRIGHT
  • QAK-6725 Parsing Error in .4gl (Informix) files
  • QAK-6727 False positive in OPT.NATURAL.NAT_PF.UseWithLimitClauseInReadAndFind
  • QAK-6728 False positive Improper Control of Generation of Code ('Code Injection') (ZD-5068).
  • QAK-6729 COBOL Parse error: Encountered EXEC PBCF
  • FOG-249 INS - Failure detecting components (null components)
  • FOG-250 glob-base / preserve lost components
  • FOG-251 False Negative: CVE-2021-21252 - jQuery Validation Plugin
  • FOG-252 Missing CVE reference in Insights component
  • FOG-253 Possible error in Insight Vulnerability CVE-2021-23406
  • QAK-6714  Possible false positives in rule OPT.CPP.CERTC.EXP33
  • QAK-6730  Parsing error in Natural source
  • QAK-6734  False positives OPT.CPP.DontUseCast
  • QAK-6739  COBOL Parse errors due to errors in margin detection
  • QAK-6741  Getting Natural Parser error while parsing
  • QAK-6742  Update language support - Kotlin 1.6.0
  • QAK-6744  False positive "Password input field is not masked" while analyzing HTML file
  • QAK-6746  False positive of OPT.PLSQL.GEN_PLSQL.NDFException (ZD-5306)
  • QAK-6748  False positive of OPT.PLSQL.GEN_PLSQL.GER2 (ZD-5310)
  • QAK-6750  Parse error in Natural source
  • QAK-6760  COBOL parse errors: REPORT and TYPE as user identifiers
  • QAK-6761  Error when generating the AST: DEFINE FUNCTION
  • QAK-6763  False Negatives OPT.NATURAL.NAT_MAN.AvoidDebuggingWriteInOnlineProgs
  • QAK-6764  Natural parser error
  • QAK-6765  False positive OPT.NATURAL.NAT_PF.AvoidFindReadWithHold
  • QAK-6768  AST generation error with RECORD
  • QAK-6769  COBOL Parse Error - 'WITH NO ADVANCING'
  • SAS-5592  Remove reference to Kayako ticket from KLA log
  • SAS-5838  Add timeout for KLA uploads to Kiuwan Server
  • SAS-5950  Increment timeout limit in KLA from 24h to 4d
  • SAS-5627  Insights Sysadmin console induces OOM
  • SAS-5891  Duplicate key storing Insights' Hibernate DependencyBean
  • SAS-5515  Export CSV of defects with filters in incorrect Life Cycle
  • SAS-5519  Add "central configuration removed" event to the Activity Log
  • SAS-5518  No-admin user has 'remove central config' button enabled
  • SAS-5517  Centralized configuration disappears when the owner's account is transferred to another user
  • SAS-5521  Improved error message for REST-API calls when Kiuwan server is busy with analysis
  • SAS-5508  Filter for mute pattern list
  • SAS-5364  Ability to hide/show CS/CA/LC/INSIGHTS product menus
  • SAS-5420  Audit report is missing columns available in the portal
  • SAS-5583  Wrong IMPACT METRICS (A) vulnerability value in Insight PDF document
  • SAS-5582  Wrong LAST MODIFIED vulnerability value in Insight PDF document
  • SAS-6322  Fix empty CSV exported in Insights
  • SAS-6751 Report QRCWAPT, issue 2 - File
  • SAS-6750 Report QRCWAPT, issue 1 - Script
  • SAS-6589 Avoid duplicate promotions
  • SAS-6588 Catch AnalysisNotFoundException for insight rest endpoint
  • SAS-6581 Avoid NPE when adding notes to defects with "none" status
  • SAS-6579 Fix defect notes propagation bug
  • SAS-6460 Unable to view muted lines for developers no "mute defects" role
  • SAS-6313 Password recover page showing error when pressing enter
  • SAS-5560 Feature Request for Action Plans and Jira
  • SAS-4955 Rules compare is not working as expected: missing modified rules
  • SAS-5373 Rules compare is not working as expected when new parameters in rule definition
  • SAS-5685 Avoid too long computation time searching for all the childs
  • SAS-4896 Add action to Insight permissions to enable admin options in users management
  • SAS-5595 Improve delete portfolios time operation for large accounts
  • SAS-6288 OWASP Link in the rules are throwing 404 error
  • SAS-5882 Not working mutes in third-party languages (ruby) imported reports
  • SAS-6589 Avoid duplicate delivery promotions
  • SAS-6588 Error in insight list components rest endpoint
  • SAS-6581 NPE when creating a note for a defect with "None" status
  • SAS-6874 Quota limit REST-API passed too fast for accounts with low applications limit
  • SAS-5490 Lines of Code for a project
  • SAS-6447 New API endpoint to get info from Activity
  • SAS-5585 "Status" filter malfunction
  • SAS-5512 Mute pattern only shows last change
  • SAS-5619 Make "Muted” and “MutedReason" filters behavior coherent
  • SAS-5612 Missing options in REST API model for applications
  • SAS-6773 - INSIGHTS components CSV/pdf report download issue
  • QAK-6867 - Fixed an error in generating AST tree with Angular components (the parser was not generating the AST tree correctly; there are closing tags that do not have their corresponding generated opening in the tree). The engine now correctly parses and generates AST trees for Angular components.
  • QAK-6738 - Fixed the VB.net parsing error that occurred when trying to parse the code with DIM XElement statement. The engine now recognizes the correct syntax for declaring an XElement object.
  • SAS-6827 Users get deactivated without reason
  • SAS-6851 XML External Entity Injection (XXE)
  • SAS-6852 Reflected Cross-Site Scripting (XSS)
  • SAS-6853 Insecure Direct Object Reference
  • SAS-6859 KLA - Sensitive Data Stored Insecure
  • SAS-5421  The Subscription page is immediately updated without delay
  • SAS-6781  KLA in Linux leaves files in /tmp which are not deleted upon finishing the analysis
  • SAS-6796  Language filter for language "other" is not working in REST API
  • SAS-6802  Used scans of an account do not show in Kiuwan Sales Console
  • SAS-6827  Users get deactivated without reason
  • SAS-6948  The "Consumed LOC" increased by the wrong value after scanning the application
  • QAK-6755 Resolved issues related to Objective C programming language: The analysis might give invalid source code references (line numbers) for the Kiuwan rule OPT.OBJECTIVEC.MethodCyclomaticComplexity.
  • QAK-6795 (FOG-255) Kiuwan Insights is no longer detecting false positives in certain files and reporting CVEs related to the Spring Framework versions in Java.
  • QAK-6886 An issue in the Kiuwan parser for Natural Language has been resolved related to handling the "LOCAL" keyword.
  • SAS-6799 KLA is no longer vulnerable to CVE-2022-42889 defect
  • SAS-6803 Muting and commenting specific lines in a sink group are no longer replicating in other lines
  • SAS-6628 Defect status is now propagating correctly when promoting the delivery analysis to baseline analysis
  • SAS-6910 The overflow caused by a LOC Limit high value in newly created Scan accounts has been solved
  • SAS-6914 Package /KiuwanLocalAnalyzer/lib/gson-2.8.5.jar is updated
  • SAS-6915 Package /KiuwanLocalAnalyzer/lib/log4j-1.2.12.jar is updated
  • SAS-6907 Cobol.include.marker property is analyzing the code as expected
  • Kiuwan is no longer storing sensitive data for MySQL
  • This release fixes displaying sensitive data for the Wildfly issue
  • This release includes the change of Containers running from Root user to KoP user
  • Changes to Containers running from Root user to KoP user
  • Changes to address Sensitive Data Stored Insecurely (CVE-2023-49113)


  • No labels