Skip to content

Releases: pixee/codemodder-java

v0.98.7

09 Jan 15:13
37de8c3
Compare
Choose a tag to compare
Honor new combined Sonar flag (#489)

https://github.com/pixee/codemodder-specs/pull/43

v0.98.6

19 Dec 16:48
bb3eced
Compare
Choose a tag to compare
Deprioritize log injection (#487)

This way, it runs "after" other codemods, and higher priority fixes will
be merged first, in a conflict.

v0.98.5

18 Dec 20:14
b841ee3
Compare
Choose a tag to compare
Add several Sonar hotspot mappings (#486)

v0.98.4

12 Dec 20:29
394739f
Compare
Choose a tag to compare
Fix more shapes of `log-injection` (#485)

This change fixes more shapes of log injection vulnerabilities, and
bumps the toolkit version to guarantee safety when passing non-`String`
types to `stripAll`.

v0.98.3

09 Dec 14:09
56aba73
Compare
Choose a tag to compare
New rules, first implemented in CodeQL (#483)

This change introduces new remediation logic for weak crypto algorithms,
and log injection, two unexciting vulnerability classes for different
reasons, but for completeness, should be present.

v0.98.2

06 Dec 14:48
f69332a
Compare
Choose a tag to compare
Changed default XML parser to Woodstox (#482)

Changes the default StAX parser to Woodstox. This will allow us to be
more in control of the parser's behavior. Also it's a bit faster than
Java's default one.

v0.98.1

06 Dec 02:27
4eecd14
Compare
Choose a tag to compare
Add ability to remediate other XSS code shapes (#481)

Took logic specific to Semgrep and generalized.

v0.98.0

24 Nov 20:05
9e68b29
Compare
Choose a tag to compare
Add tests and more stable behavior when seeing Maven failure (#476)

v0.97.9

23 Nov 18:55
e261a7f
Compare
Choose a tag to compare
Don't throw exceptions if dependencies can't be pre-calculated (#475)

We observed this issue:

```
INFO - 4abaf6cf-c5e6-4f48-b198-edc124aedf71 - Problem scanning file /tmp/codemodder-project6927415874030968841/app/src/main/java/org/apache/roller/weblogger/util/PasswordUtility.java
INFO - 4abaf6cf-c5e6-4f48-b198-edc124aedf71 - io.codemodder.plugins.maven.MavenProvider$DependencyUpdateException: Failure when retrieving dependencies
INFO - 4abaf6cf-c5e6-4f48-b198-edc124aedf71 - at io.codemodder.plugins.maven.MavenProvider.getAllDependencies(MavenProvider.java:146)
INFO - 4abaf6cf-c5e6-4f48-b198-edc124aedf71 - at io.codemodder.DefaultCodemodExecutor.lambda$execute$0(DefaultCodemodExecutor.java:187)
INFO - 4abaf6cf-c5e6-4f48-b198-edc124aedf71 - at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273)
INFO - 4abaf6cf-c5e6-4f48-b198-edc124aedf71 - at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
INFO - 4abaf6cf-c5e6-4f48-b198-edc124aedf71 - at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
...
io.codemodder.DefaultCodemodExecutor.lambda$execute$1(DefaultCodemodExecutor.java:188)
edc124aedf71 - Caused by: org.dom4j.DocumentException: Error on line 781 of document  : The element type "sequential" must be terminated by the matching end-tag "</sequential>".
```

This error is preventing _analysis_ from occurring, not the updating of
Maven dependencies. We should still run our codemods, even if
dependencies can't be pre-calculated.

v0.97.8

22 Nov 01:33
3b5d693
Compare
Choose a tag to compare
Improve CodeQL handling of multiple rules (#474)

Also fixed incidental bug in header injection remediation when applied
to interfaces.