Skip to main content

Release news for on-premises customers

The Release News is published every month for on-premises customers.

November (3.11.10)

Contrast 3.11.10 on-premises was released on December 18, 2024. Download a PDF of the 3.11.10 documentation .

Advance notice regarding Contrast MS Teams Integration

  • On January 31st, 2025, the Microsoft Webhook-based connectors within the O365 Connectors service in Teams are transitioning to a new URL structure due to the implementation of further service hardening updates. This will impact the Contrast MS Teams Integration. As a result, we will update the MS Teams integration to support this change as part of our January release. We ask customers using the MS Teams integration to follow this guide to prepare themselves for the change. More information on our upcoming change can be found on the Microsoft Teams preview page.

New and improved

  • Bulk exporting of vulnerability details as CSV is now managed asynchronously (the user requests the export and a notification is provided when the export is ready for download) to address the occasional issue of the UI timing out using the previous synchronous method. (TS-35424)

Security bug fixes

  • Updates to vulnerable third-party dependencies. (multiple COMP tickets)

Bug fixes

  • Fixed an issue that resulted in servers appearing to have Protect Disabled in the UI when the actual status of the server was Enabled. (TS-36111)

October (3.11.9)

Contrast 3.11.9 on-premises was released on November 20, 2024. Download a PDF of the 3.11.9 documentation .

New and improved

  • This release introduces improved accuracy in identifying vulnerabilities within your application's framework. We now analyze filters and middleware for vulnerabilities and utilize filters to add granularity within signature routes. This will help whether a vulnerability originates from a specific route or its associated filter. (PROD-2408)

Security bug fixes

  • Removed unused Bugzilla integration. (COMP-663)

  • Updates to vulnerable third-party dependencies. (multiple COMP tickets)

Bug fixes

  • Fix to missing scores on the legacy dashboard. (TS-31770)

  • Fix to blank applications list on the Policy Management page. (TS-35113)

  • Extremely long filenames and paths in vulnerability names are now truncated to avoid overwriting vulnerability information tabs. (TS-35258)

  • Fix to incorrectly generated application metadata name field in the Add Agent wizard. (TS-35768)

September (3.11.8)

Contrast 3.11.8 on-premises was released on October 16, 2024. Download a PDF of the 3.11.8 documentation.

Security bug fixes

  • Updates to vulnerable third-party dependencies (multiple COMP tickets)

Bug fixes

  • Fix to library caching issue that resulted in old, no longer used, versions of a library still showing up for an application (but no longer associated with any server). (SCA-1817)

  • Fix to address access issue with JIRA integrations which were configured to apply to applications which were subsequently archived. (TS-31984)

  • Fix to address inability to create an exclusion for some attack events. (TS-34299)

  • A generic webhook request with a response code of 2xx is now treated as successful (previously only response codes of 200 were considered so).  (TS-34515)

  • Fix to No organization assigned error when multi-factor authentication is enabled. (TS-34780)

August (3.11.7)

Contrast 3.11.7 on-premises was released on September 18, 2024. Download a PDF of the 3.11.7 documentation.

New and improved

  • Added a link to the Contrast agent configuration editor to the Add agent wizards. (PROD-2773)

Security bug fixes

  • Updated vulnerable third-party dependencies. (multiple COMP tickets)

Bug fixes

  • Fix to address Content-Security-Policy (CSP) Header false positives that were caused by outdated rules. (TS-33707)

  • Fix to address a Contrast web interface defect when filtering on Users in Organization settings. (TS-33626)

  • Performance improvements to the Contrast web interface when loading vulnerabilities. (TS-32694)

July (3.11.6)

Contrast 3.11.6 on-premises was released on August 21, 2024. Download a PDF of the 3.11.6 documentation.

New and improved

  • Added support for regex validators as a new security control. (PROD-1887)

Security bug fixes

  • Updated vulnerable third-party dependencies. (multiple COMP tickets)

Bug fixes

  • Fix to JIRA Integration configuration page to handle fetching Epic data from JIRA server when a large (greater than 50) number of Epics exist. (INT-1154)

  • Performance improvement to Attestation Report generation when routes are associated with thousands of observations. (TS-32692)

  • Fix to Attestation report to no longer include deleted servers. (TS-33044)

  • Fix to address duplicate Python libraries showing up due to a case-sensitivity issue. (SCA-1735)

  • Fix to vulnerability export issue where the CSV version export resulted in an empty file. (TS-33273)

Archive

June (3.11.5)

Contrast 3.11.5 on-premises was released on July 24, 2024. Download a PDF of the 3.11.5 documentation .

New and improved
  • End of support for Java 11

    Starting with this release, the Contrast installer includes Java 17. If you are using your own version of Java for a distributed deployment, ensure you are using a minimum of Java 17. The installation no longer supports earlier versions of Java. (PROD-3023)

Security bug fixes
  • Added a binding restriction to internal form object. (TS-33018)

  • Updated vulnerable third-party dependencies (multiple COMP tickets).

Bug fixes
  • Fix to address missing application module libraries when generating an Attestation report from a merged application that contains modules with multiple languages. (TS-32210)

  • Fix for label mapping issues in the JIRA integration. (INT-1173)

May (3.11.4)

Contrast 3.11.4 on-premises was released on June 20, 2024. Download a PDF of the 3.11.4 documentation .

Important

If you are installing Contrast on-premises and using your own version of Java, support for Java 11 will end with the release of Contrast 3.11.5 next month. It is recommended to upgrade as soon as possible.

New and improved
  • Protect for PHP

    The PHP agent now supports Protect rules and features including Command Injection, SQL Injection, Path Traversal, Reflected XSS, Bot Blocking, IP Blocking, and Sensitive Data Masking. (PROD-1636)

Security bug fixes
  • Alert for organization administrators to enable 2FA. (COMP-201)

  • PHP agent security update. (COMP-599)

  • Updates to vulnerable third-party dependencies. (multiple COMP tickets)

Bug fixes
  • Bugtracker issues and email notifications are now populated with CVSS3 details (Confidentiality Impact, Attack Vector etc.) rather than CVSS2. (SCA-1587)

  • List of servers on which .NET Core libraries reside is now correctly populated. (SCA-1644)

  • Improvements to Attestation Report Generation to resolve timeout when many route observations exist. (TS-31541)

  • All users with Edit permission can now make bulk changes to vulnerability Status fields when using “Select All’. (TS-31021)

  • .NET Libraries now display the package version when available, rather than the assembly version. (SCA-1682)

April (3.11.3)

Contrast 3.11.3 on-premises was released on May 15, 2024. Download a PDF of the 3.11.3 documentation .

New and improved
  • Contrast is now able to check if routing frameworks are supported after agent instrumentation. The Contrast dashboard will display details about which frameworks it finds during route discovery. Currently, the latest versions of the Java and .NET agents support this feature. (PROD-2447)

  • Added gRPC support for Java. (PROD-2546)

  • Added support for Glassfish/Payara 5 and 6 for Java. (PROD-2792)

  • Added gRPC support for DOTNET.  (PROD-2289)

Security bug fixes
  • Updates to vulnerable third-party dependencies. (multiple COMP tickets)

March (3.11.2)

Contrast 3.11.2 on-premises was released on April 17, 2024. Download a PDF of the 3.11.2 documentation .

New and improved
  • Activity logs in the vulnerability tab will now include information about changes made to the vulnerability status. Information about the changes will include:

    • User name

    • New severity status

    • Previous severity status

    • Date of change

    Note that only Organization Administrators can change the vulnerability status. (PROD-2800)

Security bug fixes
  • Updates to vulnerable third-party dependencies. (multiple COMP tickets)

Bug fixes
  • Fixes to address issues where application tags would not be applied correctly when onboarding an application. (TS-28882)

February (3.11.1)

Contrast 3.11.1 on-premises was released on March 22, 2024. Download a PDF of the 3.11.1 documentation .

Announcement

A reminder that JRE (Java Runtime Environment) 17 is now supported on-premises. We recommend upgrading your JRE.

New and improved
  • SCA users will be getting more accurate mapping between CVEs and libraries. We have improved our ability to automatically collect and map CVE and library data so you will be getting more accurate data, faster. To provide the most accurate SCA dataset possible, Contrast is enriching our vulnerability database with data pulled from Open Source Vulnerabilities (OSV), a Google-sponsored open-source vulnerability database.

    • While the new backend and database have already been deployed and have been collecting data from OSV for some time while we monitor it, test against it, and validate the incoming data, the full switch to the improved dataset will be effective from 20th March 2024.

    • While the addition of a new data source provides more accurate data, that comes along with potential changes to the CVEs currently mapped to each library. Subsequently, this may mean changes to individual library grades and, in turn, changes to library scores and application grades.

    • If you have a Library Policy configured or have security gates within your pipeline that consider SCA data, you may see applications fall in or out of policy. However, based on our analysis, the new data is more accurate. As such, although there will potentially be changes, they are changes that result in a more accurate picture of the applications’ true SCA risk.

    If you have any questions or concerns or would like to discuss this issue further, please do not hesitate to reach out to us at support@contrastsecurity.com.

    This feature is disabled by default and can be enabled upon request. It will be enabled by default in the next release. (PROD-2717)

  • Added a route expiration policy to help enforce gates and policy fairly and accurately, and to aid developers in not having to deal with wrongly gated builds. This policy is based on the following criteria:

    • Discovered routes will expire after not being detected for 30 days in an active application. They will be deleted and will not be included in route coverage calculation.

    • Expiration can be configured in Contrast.

    • Applicable only to active applications.

    • If the vulnerability is attached to a single route in an active application, it will be marked as Remediated - Auto-Verified before expiring the route.

    This feature is enabled through the Applications section of the Organization settings. See configure route expiration policy for more information. (PROD-2558)

Security bug fixes
  • Updates to vulnerable third-party dependencies. (multiple COMP tickets)

  • Fix to Two-Step Verification. (COMP-580)

  • Deprecation of PDF Generation of Vulnerability Trend Reports. (COMP-232)

Bug fixes
  • Installer improvements. (TS-30346, TS-28294)

January (3.11.0)

Contrast 3.11.0 on-premises was released on February 21, 2024. Download a PDF of the 3.11.0 documentation .

Announcement

A reminder that JRE (Java Runtime Environment) 17 is now supported on-premises. We recommend upgrading your JRE.

New and improved
  • Vulnerability Notes updated with new OWASP API Rules mapping. (TS-29753)

Security bug fixes
  • Updates to vulnerable third-party dependencies. (multiple COMP tickets)

  • Additional field added to Sensitive Data Masking defaults. (COMP-549)

Bug fixes
  • Fix to “Internal Server Error” popup on the Reports and Organization Statistics pages. (TS-26601)

  • Fix to User Settings page when 2FA is configured. (TS-28665)

  • Fix to address inconsistent behavior when both SAML and 2FA are enabled. (TS-29425)

  • Audit log now correctly shows changes to the user role/group. (TS-29048)

  • Fix to error when creating a new organization in LDAP-configured On-Premises instances. (TS-29807)

December (3.10.11)

Contrast 3.10.11 on-premises was released on January 17, 2024. Download a PDF of the 3.10.11 documentation .

Announcement

A reminder that JRE (Java Runtime Environment) 17 is now supported on-premises. We recommend upgrading your JRE.

New and improved
  • Performance improvements when fetching filtered routes via the API. (TS-27539)

Security bug fixes
  • Update to vulnerable third-party dependency ThymeLeaf. (COMP-542)

  • Updates to other third-party dependencies. (multiple tickets)

  • Modified default user access group behavior when SSO is being set. (TS-28753)

November (3.10.10)

Contrast 3.10.10 on-premises was released on December 14, 2023. Download a PDF of the 3.10.10 documentation .

Announcement

A reminder that JRE (Java Runtime Environment) 17 is now supported on-premises. We recommend upgrading your JRE.

New and improved
  • Added the ability to sort libraries by the Usage column. (SCA-1394)

  • Further improvements to Attestation Report generation to address memory issues. (TS-28014)

Security bug fixes
  • Logic added to prevent sensitive data exposure in application logs. (TS-28956)

  • Updated third-party dependencies. (multiple tickets)

  • Removed unused vendor SDK from UI. (COMP-537)

Bug fixes
  • Fix to issue where servers in the QA environment were labeled incorrectly in the Libraries filter dropdown. (TS-29069)

  • Fix to on-premises uninstall issue on Linux. (TS-28329)

  • Several fixes to permissions issues when RBAC is enabled in the organization. (TS-28403, TS-28582, TS-28734, TS-28983)

  • Fix to address missing last_seen timestamp on libraries API endpoints. (SCA-1455)

October (3.10.9)

Contrast 3.10.9 on-premises was released on November 15, 2023. Download a PDF of the 3.10.9 documentation.

New and improved
  • Removed the Security Standards report. Use the Attestation report in its place. The Attestation report provides similar information as the Security standards report. It will help you meet compliance requirements and Identify areas of urgent attention. (PROD-2421)

  • Added support for version 9 of Jira Data Center to the existing Jira integration. (PROD-2622)

  • Onboarding fails if application and session metadata are missing. (PROD-2303)

  • New trend graph functionality using Session Metadata in the application Route Coverage tab. (TS-24507)

Security bug fixes
  • API Documentation/API Playground patched and is available for public use. (COMP-261)

  • Autobinding vulnerability patched. (COMP-508)

  • Deserialization vulnerability patched. (COMP-394)

  • Serialized class manipulation vulnerability patched.

Bug fixes
  • The Vulnerability Details tab now correctly filters custom code where it previously also included some third-party methods. (TS-26927)

  • Fixed the inability to enable Protect via the UI switch for some servers. (TS-27068)

  • Fix to Libraries tab issues for some applications in RBAC-enabled organizations. (TS-27962)

  • Fix to libraries API endpoints returning an incorrect list of associated servers. (SCA-1372)

  • Addressed issue where some authorized users were unable to submit vulnerabilities via the Azure Boards bugtracker integration. (TS-28039)

  • Fix to intermittent issue with auto-remediation of vulnerabilities. (TS-28213)

  • Fix to allow Route Coverage filtering on multiple applications in a merge. (TS-28289)

September (3.10.8)

Contrast 3.10.8 on-premises was released on October 18, 2023. Download a PDF of the 3.10.8 documentation.

Special announcement - End of support
  • On November 7th, 2023, the Security Standards report will be deprecated in favor of the Attestation report. Check out our Support bulletin for more information.

  • Reminder: JRE (Java Runtime Environment) 17 is now supported on-premises. We recommend upgrading your JRE.

New and improved
  • Admins can now configure whether users with Edit permissions can delete vulnerabilities or archive applications. (PROD-2441) Note: There will be an improvement with the Contrast web interface in the following on-premises release.

Bug fixes
  • Installation of Contrast on-premises in a non-default location on an SELinux-enabled distribution now allows for systemctl to start and stop the service. (TS-25805)

  • Fix to address Contrast on-premises installation issues when using the embedded database in a non-default location. (TS-19725)

  • Fix to Contrast on-premises installer to ensure that old versions of Log4j and other unused packages are cleaned up on an upgrade. (TS-23001)

  • Fix to allow users to be added to User Access Groups using the API. (TS-27431)

  • Fix to address the issue of inability to delete some vulnerabilities using the API. (TS-27734)

  • An error no longer occurs when removing the final tag from an application. (TS-22074)

  • Fix to inconsistency between Classes Used and Classes Loaded displayed for an application. (SCA-1225)

August (3.10.7)

Contrast 3.10.7 on-premises was released on September 20, 2023. Download a PDF of the 3.10.7 documentation.

Important

CA certificate upgraded with the Java 17 upgrade in the Contrast on-premises release 3.10.6. Before upgrading to Java 17, back up the cacerts file in the $CONTRAST_INSTALLATION/jre/lib/security directory. This will help reduce login issues after the upgrade process.

New and improved
  • Optimizations to improve the performance of the Attack Events grid. (TS-26639, TS-26637, TS-26533)

  • Added entry to audit log for changes to user organization roles. (TS-23981)

  • Performance improvements to the Application Vulnerabilities tab when vulnerabilities have associated session metadata. (TS-18755)

Security bug fixes
  • Updated third-party dependencies. (multiple COMP tickets)

  • Sensitive data redacted in Contrast logs. (COMP-338)

Bug fixes
  • Fix to API endpoint /ng/{orgUuid}/applications/{appId}/route to no longer require the addition of a sort parameter regardless of the database sql_mode setting. (TS-27890)

  • Improvements to Attestation report generation to prevent issues when a route has many associated vulnerabilities. (TS-26402)

  • Fix to issue where bulk send to bugtracker would sometimes fail within a merged application. (TS-26345)

  • Fix to issue where adding a user to an RBAC User Access Group would result in a 404. (TS-27080)

  • Fix for missing security standards names in the “Notes” tab for some vulnerabilities. (TS-27061)

  • Fix to address missing user options (Login Lockout etc.) when LDAP, AD, or SSO are enabled. (TS-21192)

  • Fix to issue where LDAP group section would allow the same group to be added twice. The Contrast web interface would then fail to load due to duplicates. (TS-8192)

July (3.10.6)

Contrast 3.10.6 on-premises was released on August 16, 2023. Download a PDF of the 3.10.6 documentation.

Special Announcement

For the EOP installation this month the following messages are expected. Note that we are not releasing for Windows this time.

WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by com.install4j.runtime.installer.frontend.headless.AbstractHeadlessScreenExecutor (file:/opt/Contrast.sh.3042.dir/i4jruntime.jar)
WARNING: Please consider reporting this to the maintainers of com.install4j.runtime.installer.frontend.headless.AbstractHeadlessScreenExecutor
WARNING: System::setSecurityManager will be removed in a future release

These messages are from the installer tool we use, which could not be suppressed. These messages can be ignored.

Note

This message will be displayed after starting the installer:

root@ubuntu:/opt# ./Contrast.sh
Unpacking JRE ...
Starting Installer ...
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by com.install4j.runtime.installer.frontend.headless.AbstractHeadlessScreenExecutor (file:/opt/Contrast.sh.2982.dir/i4jruntime.jar)
WARNING: Please consider reporting this to the maintainers of com.install4j.runtime.installer.frontend.headless.AbstractHeadlessScreenExecutor
WARNING: System::setSecurityManager will be removed in a future release
This will install Contrast Enterprise On-Premises on your computer.
OK [o, Enter], Cancel [c]
New and improved
  • Created a new process hardening rule that blocks an application from starting processes inside JVM. This will prevent any attack that attempts RCE from succeeding if the agent input analysis fails to detect the attack. (PROD-2338)

  • Added support for Java 17 in the agent, JDK, and EOP JRE as well as EOS support for JRE 11. (PROD-2342)

  • Implemented session difference APIs. Developers can now compare two sessions running the same test suite (in cases where sessions use varied test suites) and identify newly created, assumed closed, and remaining open vulnerabilities in order to enforce policies and implement auto-verification. (PROD-2413)

  • Added ability to easily manage credentials when multiple Jira integrations have been configured in the organization settings. (TS-25947)

  • Improvements to vulnerability de-duplication logic via URL normalization. (TS-24577)

  • Performance improvements when exporting bulk vulnerability reports. (TS-20381)

  • Performance improvements when loading Servers grid. (TS-25764)

  • Improved Route Coverage display on the new dashboard. (TS-17639)

Security bug fixes
  • Updated third-party dependencies. (multiple COMP tickets)

  • Updated vulnerable version of jQuery. (COMP-337)

  • Added standard security headers to static pages. (COMP-336)

  • Added support for WebFlux Spring MVC for Java agent. (COMP-328)

  • Broken Access Control fix. (COMP-315)

Bug fixes
  • Fixed an issue where the effective configuration of agents was not correctly displayed in some cases. (TS-25421)

  • Fixed an issue where a Node.js application could not be licensed for Protect due to confusion over the Assess status when setting it via the agent configuration. (TS-25970)

  • Fix to UI issue when changing the severity of a vulnerability. (TS-22895)

  • Fix to broken links to vulnerabilities in the Contrast UI from bugtracker tickets created using the bugtracker integration. (SCA-157)

  • Fix for usage details not loading for some libraries. (SCA-475)

June (3.10.5)

Contrast 3.10.5 on-premises was released on July 19, 2023. Download a PDF of the 3.10.5 documentation.

New and improved
  • Performance improvements in vulnerability search. (TS-23239)

  • Addition of application name in audit log entries when a new exclusion is created. (TS-24005)

  • A dot character is now allowed in Contrast Server usernames. (TS-24558)

  • For on-premises installations of Contrast running behind a load balancer, the ability has been added to use Tomcat’s RemoteIPValve logging component to allow client IP addresses (i.e. the server running a Contrast Agent) to be logged in the access_log instead of the IP address of the load balancer. (TS-24643)

Security bug fixes
  • Fixed broken access control. (COMP-315)

  • Node Agent (v4.32.0) - several updates to outdated dependencies. (COMP-341)

Bug fixes
  • Resolved issue where detail was missing from Response Without X-Content-Type-Options Header detected vulnerabilities in the overview. (TS-22390)

  • Fixed the mismatch between the count of vulnerabilities pending review in notifications versus the actual number pending review. (TS-23268)

  • Removed extraneous warning messages in on-premises Contrast Server logs when starting the server. (TS-3916)

  • Fixed issues with session metadata not being displayed in merged applications where large numbers of routes and vulnerabilities caused a backend query to time out. (TS-24734)

  • Fixed issue where the Number of allowed vulnerabilities field in Jenkins Job Outcome Policy configuration would not allow a zero value. (TS-25102)

  • Incorrect cookies reported in some attack events. (TS-25130)

  • Unmerging applications would sometimes result in a 500 - Internal Server Error. (TS-25477)

May (3.10.4)

Contrast 3.10.4 on-premises was released on June 14, 2023. Download a PDF of the 3.10.4 documentation.

New and improved
  • Improved visibility of Protect and Assess servers and licenses in use. The Contrast web interface dashboard now reflects the complete, accurate and latest enablement, licensing, and agent configuration for Protect and Assess. (PROD-2186)

Security bug fixes
  • Patched Apache HTTP server vulnerabilities. (COMP-300)

Bug fixes
  • VM Options revisited in On-Premises installs to better manage garbage collection per Java 11 best practices. (TS-24107)

  • On-Premises installations using the embedded database now correctly support customization of database server options via the my_extra.cnf file. (TS-23316)

  • Better handling of agent user names containing whitespace characters. (TS-24379)

April (3.10.3)

Contrast 3.10.3 on-premises was released on May 17, 2023. Download a PDF of the 3.10.3 documentation.

New and improved
  • Improved auto-verification feature. Implemented session-based auto verification and added an End Session endpoint. Users will be able to see vulnerabilities are closed out in a convenient way and will see the Autoverified with Session Based Autoverification status. (PROD-1737)

Security bug fixes
  • Resolved unauthorized access vulnerability. (COMP-296)

  • Resolved issue around locked accounts for SSO users. (COMP-297)

Bug fixes
  • Removed defunct Usage Survey from Activity Digest email messages. (TS-23049)

March (3.10.2)

Contrast 3.10.2 on-premises was released on April 19, 2023. Download a PDF of the 3.10.2 documentation.

New and improved
  • Added Message Queue Support for Java (Kafka). (PROD-2151)

  • The Contrast .NET Core agent now supports Azure ServiceBus Triggers in Assess for Azure Functions. (PROD-2158)

  • Compliance reports now include the latest standard for PCI DSS v4. (PROD-2387)

  • Created an entry in the Contrast Hub for the Software Bill of Materials (SBOM) of the latest EOP release. (PROD-2450)

Security bug fixes
  • Customer IP restrictions applied in Contrast during Impersonation workflow. (COMP-244)

  • Organization administrators can no longer edit a SuperAdmin’s user settings if the SuperAdmin is a member of their organization. (COMP-226)

Bug fixes
  • Fixed “Internal Server Failure” when opening the Overview tab of some NodeJS application vulnerabilities. (TS-23973)

  • CSV file export from the Route Coverage tab will now honor the currently configured view when filtering by session - so the export will only include routes matching the chosen set of session_metadata. (TS-23027)

  • Fixed display of virtual patch names where the name showed up as “rule.name.null”. (TS-23799)

  • Fixed the inability to assign licenses to organizations (403 response code) when the license file contained only Assess instances. (TS-23045)

  • Fixed error when uninstalling on-premises Contrast instances on Linux. (TS-23044)

February (3.10.1)

Contrast 3.10.1 on-premises was released on March 15, 2023. Download a PDF of the 3.10.1 documentation.

New and improved
  • The Contrast PHP Agent now supports applications written with the Symfony framework. (PROD-1552)

  • The Contrast dashboard’s summary elements now link directly to the data they are summarizing. Navigating between the dashboard and its underlying data is simpler and more direct than ever. Beta version. (PROD-1911)

  • Route Coverage CSV file export via the API can now include an agentSessionId to allow the export of routes that match a given set of session_metadata. (TS-22425)

  • Try out the new Projects experience to run SCA on non-instrumented applications by installing v2 of the CLI from npm.

Security bug fixes
  • Contrast EOP packaged with an updated version of JRE - jdk-v11.0.16+8. (COMP-291)

  • SuperAdmins can be removed from an organization by Organization Administrators. (COMP-238)

Bug fixes
  • When on the latest version of a library - display “up to date” instead of the version number. (SCA-608)

  • Under some circumstances, if a library had an associated CVE that was subsequently removed, the removal did not take effect in on-premises Contrast installations. (SCA-683)

  • Attacks performed against a module of a merged application would show up in the application overview but the target of the corresponding hyperlink only showed attacks against the parent. (TS-20125)

January (3.10.0)

Contrast 3.10.0 on-premises was released on February 15, 2023. Download a PDF of the 3.10.0 documentation.

New and improved
  • Protect licensing update. Contrast Security will no longer place a cap on Protect licenses and will alert users if they have gone over their purchased amount. The Superadmin will now have to go into the License summary on the Organizations page to allocate licenses. No customer action is required. (PROD-1499)

  • The Software Bill of materials (SBOM) report now meets the minimum requirements for the National Telecommunications and Information Administration (NTIA). Information now includes supplier details and component relationships. (PROD-2194)

  • Ability to configure the on-premises instance to ensure super admin access even if an LDAP configuration is misconfigured.  (TS-18955)

Security bug fixes
  • Upgraded JRE bundle (openjdk11) to v11.0.17 (Oracle’s recommended security baseline for JDK 11). (COMP-291)

Bug fixes
  • Session Metadata filtering in the Route coverage grid will now correctly filter exercised routes to only show those associated with the filter. (TS-22269)

  • Host validation would bypass any proxy configuration (on-premises instances only) when configuring webhook integration.  The proxy is now correctly honored. (TS-22403)

  • Fix to the issue where changes to associated applications for an existing Azure DevOps integration changes were not being saved. (TS-22091)

  • Fix to the issue where JIRA integrations did not correctly display “options-with-child” fields. (TS-21666)

December (3.9.11)

Contrast 3.9.11 on-premises was released on January 18, 2023. Download a PDF of the 3.9.11 documentation.

New and improved
  • Contrast now enables users to filter the applications list by the “Score” field. (PROD-1910)

Bug fixes
  • Fix to occasional 403 when opening a vulnerability in the case where a user is a member of more than one organization. (TS-21471)

  • Fix to ensure that active attacks have an “end”.  This issue caused searches to produce no results if an old attack didn’t “end” within the search window. (TS-21406)

  • Fix to regression that caused bugtracker integrations not to be marked unavailable if an auto-create fails. (TS-21611)

November (3.9.10)

Contrast 3.9.10 on-premises was released on December 14, 2022. Download a PDF of the 3.9.10 documentation.

Please note that starting with v3.9.10, we will no longer be providing a Contrast installer that includes the bundled SCA library data. Unbundling the SCA library data significantly reduces the binary size and allows us to offer an improved installation experience.

New and improved
  • Added support for the Chi framework in the Go agent for Contrast Assess. (PROD-2312)

  • Added contrast learn command to Contrast CLI, which launches Contrast’s Secure Code Learning Hub. (PROD-2306)

  • Improved handling of tags in the vulnerability list to address readability when the number of tags would otherwise cause the vulnerability name to be obscured. (TS-19594)

Security fixes
  • Authentication and Authorization added to API Playground. (COMP-261)

  • Contrast CLI patched for arbitrary command injection. (COMP-249)

Bug fixes
  • Ability to lock or unlock users in Contrast On-Premises installations when SSO is in use. (TS-21171)

October (3.9.9)

Contrast 3.9.9 on-premises was released on November 18, 2022. Download a PDF of the 3.9.9 documentation.

New and improved
  • Added support for Go 1.19 in the Go agent. (PROD-2299)

  • New Contrast CLI with improved SCA (including SBOM) and scan features. (PROD-2275)

  • Enabled setting up exclusions for message queues. (PROD-2089)

  • Added message queue support for JMS MQ. JMS 2.0, which includes IBM MQ 9.2.x and Spring JMS 2.4. Reach out to your customer service representative to enable it in your environment. (PROD-1846)

  • Added support for .NET 7 for the .NET Core agent. (PROD-1819)

  • Implemented session metadata filters on Route and Vulnerability grids to view vulnerabilities and route information for a specific branch, build, committer, repository, or any custom session metadata a user selects. (PROD-1698)

  • Implemented the ability to create exclusions based on input and URL to suppress events from security analysis in the Ruby and Python agents (NET and Java already support this). This leads to better performance and accuracy. (PROD-1034,PROD-1035)

Security fixes
  • Added feature flag to enable BIRT reporting (TS-20400_enable_birt-reporting) - can be disabled (set false) to address potential security concerns in Contrast on-premises. (TS-20400)

Bug fixes
  • Internal Server Error when saving application exclusions. (TS-20557)

  • Route Coverage Exclude icon available for users without the necessary permissions leading to a 403 when clicked. (TS-19873)

September (3.9.8)

Contrast 3.9.8 on-premises was released on October 19, 2022. Download a PDF of the 3.9.8 documentation.

New and improved
Bug fixes
  • Change to the method of string concatenation for feature keys (for example vulnerability_uuid) to prevent heap exhaustion experienced by on-premises customers. (TS-19909)

  • Additional style options available when creating custom footers in on-premise installations to provide more control over sizing. (TS-19891)

  • Add entry to audit log when severity of a vulnerability is changed in the vulnerabilities grid - previously only logged when changed via the Policy Management options. (TS-19129)

  • “How to fix” for Clickjacking vulnerability updated for clarity. (TS-18828)

  • Fix to on-premises installer to carry over existing JRE and Memory settings when upgrading. (TS-19726)

  • Fix to prevent Protect from being re-enabled if config setting to enable is subsequently removed from the agent configuration file. (TS-17755)

August (3.9.7)

Contrast 3.9.7 on-premises was released on September 21, 2022. Download a PDF of the 3.9.7 documentation.

New and improved
  • For library remediation, users without Administrator permissions will now require Administrator approval when closing vulnerabilities. (PROD-1939)

  • Library results can now be filtered by environment to easily find any vulnerable libraries in Production. (PROD-1884)

  • A flag is now available at the organization level to enable and disable Impersonation access. This feature can be modified via the System Administrator or Organization Administrator API. Impersonation is turned off by default. (PROD-1807)

  • Library export now contains policy violation indications in the CSV/XML file. (PROD-1771)

  • Created a diagnostic tool in the Go agent to help users easily gather and send diagnostics information when submitting a troubleshooting ticket. (PROD-1765)

  • Added filters to select vulnerability burndown data across any custom time range up to 12 months to help users view data trends for a set of applications, including details about vulnerabilities and remediations over time. (PROD-1700)

  • The PHP agent now supports Drupal versions 8 and 9 for Assess and SCA. (PROD-1527)

  • Added a new data visualization module to help users view important data on the number of vulnerabilities closed versus the number of vulnerabilities open over time. This module can be feature flagged ON upon request. Please note that the vulnerability status reflected in the UI will be the same as the data in Contrast, so please ensure that vulnerability management practices (such as manual vulnerability closure or a 2-way bugtracker integration) or auto-verification policies have been adopted. (PROD-897)

Security fixes
  • Improved de-duplication for .NET libraries. (OSS-2156)

Bug fixes
  • API Endpoint / api/ng/<ORGID>/orgtraces/filter?status=CONFIRMED returning a 400 status code. (TS-18720)

  • Deletion of merged applications sometimes results in a failure. (TS-18490)

  • Missing navigation between vulnerabilities (for example “< 3 of 29 >“). (TS-13528)

  • “Error executing request” when bulk deleting vulnerabilities in some cases. (TS-17928)

  • Incorrect vulnerability count when filtering by environment. (TS-14346)

  • Some Node library details not populated due to a timeout retrieving data from back end. (OSS-3158)

  • .NET libraries not included in export. (OSS-3153)

July (3.9.6)

Contrast 3.9.6 on-premises was released on August 24, 2022. Download a PDF of the 3.9.6 documentation.

Important

Support for MySQL 5.7 will end on August 31, 2022. After that, the Contrast system will require MySQL 8.0.

Contrast Security will no longer support earlier versions of the Contrast server using MySQL 5.7 or fix any critical bugs for those versions.

On-premises customers using their own MySQL installation will need to upgrade to 8.0 prior to upgrading the Contrast server.

On-premises customers using the MySQL instance bundled with the Contrast installer will be automatically upgraded to MySQL 8.0 when running the installer for Linux 3.9.0 and Windows 3.9.3.

If you are using the bundled MySQL on a Linux installation, no action is necessary, but please ensure that your installation platform does not exceed the documented system requirements.

New and improved
  • Enhanced logging available for organization audits on system or super admin level activity.

  • Parent applications now show which vulnerabilities and routes are associated with which child application with a filter in the respective grid. This will enable easier triage and analysis of vulnerability and route data associated with child applications.

  • New diagnostics tool for .NET that allows you to easily gather and send information from your yaml configuration or environment variables to receive faster support.

  • Users now have increased visibility into vulnerability, library, and route details for children of a merged application. Vulnerability and Route Coverage grids add an application filter. (TS-12586, TS-12587, TS-12588)

  • Improvements to performance of Application Vulnerabilities tab when vulnerabilities have many sessions with metadata. (TS-17228)

Security fixes
  • Resolved an issue where multifactor-authentication could be bypassed. (TS-17065)

  • Resolved IDOR where any user can check the progress of a job if job ID is guessed/known. (TS-17303)

Bug fixes
  • Creating new users failed with “Invalid Form” errors when LDAP or AD is in use, due to a regression.  (TS-18612)

  • When a server dropped offline, users were notified hourly as opposed to just once. (TS-18094)

  • Closing all open vulnerabilities results in the inability to subsequently display them due to a missing drop down option. (TS-17883)

  • “Send to Bugtracker” does not work for child applications not configured in connection. (TS-17715)

June (3.9.5)

Contrast 3.9.5 on-premises was released on July 20, 2022. Download a PDF of the 3.9.5 documentation.

Important

Support for MySQL 5.7 will end on August 31, 2022. After that, the Contrast system will require MySQL 8.0.

Contrast Security will no longer support earlier versions of the Contrast server using MySQL 5.7 or fix any critical bugs for those versions.

On-premises customers using their own MySQL installation will need to upgrade to 8.0 prior to upgrading the Contrast server.

On-premises customers using the MySQL instance bundled with the Contrast installer will be automatically upgraded to MySQL 8.0 when running the installer for Linux 3.9.0 and Windows 3.9.3.

If you are using the bundled MySQL on a Linux installation, no action is necessary, but please ensure that your installation platform does not exceed the documented system requirements.

New and improved
  • Contrast can now create Jira tickets in an optional epic when Contrast is auto-creating tickets.

  • Vulnerability statuses are now reported in the correct sequence when route-based auto verification is enabled.

  • The Contrast .NET Azure Site Extension now supports Azure Functions.

  • Developers can now access Contrast API documentation from https://api.contrastsecurity.com.

  • The Contrast GitHub Action for Scan is now available as a starter workflow.

Security fixes
  • Removed logging of LDAP configuration (sensitive information). (TS-17304)

  • Added stricter validation to user first/last name. (TS-17357)

  • Updated authorization check for several APIs to check for org-level authorization. (TS-17462)

  • Updated X-XSS-Protection response header value. (TS-17305)

  • Updated dependency Okio to 3.1.0. (TS-16064)

Bug fixes
  • Updating users failed with "Invalid Form" errors due to special characters. (TS-17494)

  • Jira integration won't save when assignee field is configured for a user. (TS-17716)

  • Attack events are slow to load on some applications. (TS-17565)

  • Contrast web interface freezes experienced when selecting libraries from search results. (TS-17405)

  • Allow URL exclusions to accept more than three escaping slashes \. (TS-17064)

  • EOP installer on Windows fails when setting non-default database directory. (TS-16954)

  • /route/filter endpoint not returning expected results for session_metadata. (TS-16610)

  • Add Security Control form not allowing some valid API signatures. (TS-15919)

  • Vulnerabilities not accurately filtered by environments in the Contrast web interface. (TS-15470)

  • "New Server" notifications were sent for applications not configured in the notifications system. (TS-1415)

  • The Server tab is slow to load when there is excessive tagging in the Contrast web interface. (TS-17442)

  • Totals in Attack overview are incorrect in the Contrast web interface. (TS-16058)

May (3.9.4)

Contrast 3.9.4 on-premises was released on June 24, 2022. Download a PDF of the 3.9.4 documentation.

Important

Support for MySQL 5.7 will end on August 31, 2022. After that, the Contrast system will require MySQL 8.0.

Contrast Security will no longer support earlier versions of the Contrast server using MySQL 5.7 or fix any critical bugs for those versions.

On-premises customers using their own MySQL installation will need to upgrade to 8.0 prior to upgrading the Contrast server.

On-premises customers using the MySQL instance bundled with the Contrast installer will be automatically upgraded to MySQL 8.0 when running the installer for Linux 3.9.0 and Windows 3.9.3.

If you are using the bundled MySQL on a Linux installation, no action is necessary, but please ensure that your installation platform does not exceed the documented system requirements.

New and improved
  • The Contrast GitHub action for Scan can now scan .NET and Javascript projects automatically on every code push or pull request.

  • The standalone_app_name setting is no longer required to install the Java agent.

  • Contrast now checks for any new or updated CVEs every 30 minutes.

  • SBOM reports now support SPDX format.

  • A cleaner view of route coverage in the web interface shows fewer servers and no longer displays deleted servers in the list of servers.

Security fixes
  • Updated dependency Okio. (TS-16476)

  • Resolved session fixation issues. (TS-16447, TS-16684).

Bug fixes
  • Application dashboard's vulnerability tab fails to open. (SUP-3764, SUP-3787)

  • Inconsistency in the number of vulnerabilities between application's overview and vulnerability pages. (SUP-3776)

  • Error licensing an application with large amounts of vulnerability instances. (SUP-3799)

  • Receiving 400 bad response errors using the Contrast Python SDK. (SUP-3721)

  • Intermittent 403 errors when logging into Contrast (on-premises). (SUP-3696)

  • New vulnerability notifications not being sent in some hosted (SaaS) environments. (SUP-3813)

  • On-premises Contrast service crashing due to open file limits. (TS-16887)

  • Route deletion appears to function for users with limited permissions. (SUP-3742)

  • Microsoft Teams integration not filtering properly by environment. (SUP-3730)

  • Score not showing for unlicensed applications. (SUP-3675)

  • API documentation not available with on-premises WAR deployments. (SUP-3575)

April (3.9.3)

Contrast 3.9.3 on-premises was released on May 17, 2022. Download a PDF of the 3.9.3 documentation.

New and improved
  • On-premises Windows users can upgrade to the 3.9.3 version Contrast which also includes embedded MySQL 8.

  • You can now configure whether library data should be retained when server clean up runs. On server clean up, if you want to retain the library data, opt in.

  • When using the endpoint that allows an exclusion by route ID, or the one that excludes by filtering for multiple routes, you no longer have to close a vulnerability during route exclusions.

  • Added a new Assess rule to identify JNDI Injection vulnerability. This gives Assess even more complete coverage to detect Log4j vulnerabilities.

  • Triage and analysis of parent and child apps is now easier and more efficient:

    • Individual child-app route coverage, grade, and language information is surfaced.

    • The /modules endpoint, that returns information on child apps with “coverage” and “scores” parameters, now also includes parent app information.

    • You will also see a separate column for child-app information under Route coverage, Vulnerabilities and Applications.

  • CVSS is used to report the severity of CVEs. CVSS 3.1 is the latest standard. Contrast is now compatible with CVSS 3.1. Contact support to request CVSS 3 scoring be enabled and this will immediately update all CVEs.

Security fixes
  • Updated various out-of-date Bouncy Castle crypto libraries. (TS-11188)

Bug fixes
  • Excluded routes shown in API response with quickFilter parameter. (SUP-3739)

  • Java agent fails to start if the server is deleted and re-enabled. (SUP-3703)

  • Unable to send vulnerability to Jira project with a create screen without assignee. (SUP-3553)

  • Jira configurations with application importance showing up for non-applicable applications. (SUP-3603)

  • YAML file bundled with .NET Framework agent from Windows on-premises has bad linefeeds. (SUP-3689)

  • Servers and Applications filter in the web interface does not sort alphabetically with merged apps. (SUP-3449)

  • API endpoint discovered could sometimes be less than exercised. (SUP-3439)

  • Renamed server name does not show up In vulnerability filter. (SUP-3048)

March (3.9.2)

Contrast 3.9.2 on-premises was released on April 13, 2022. Download a PDF of the 3.9.2 documentation.

Important

  • Contrast 3.9.2 on-premises is being released for Linux only.

  • For latest details around Spring4Shell, a large-scale, high-impact vulnerability, please see this support bulletin. If you have questions or concerns please contact us at support@contrastsecurity.com.

  • By late summer 2022, the Contrast service will no longer be required for Python, Go, Ruby and Node.js agents. The Contrast Node.js agent version 3.X will EOL in June 2022.

New and improved
  • Contrast now has a PHP agent.

  • Go agent users can now configure the agent to report directly to Contrast, removing the need to install the Contrast service. In addition to simplifying installation and maintenance of the Contrast agent, this allows support for vulnerability detection for gRPC APIs written with the google.golang.org/grpc module.

  • The Java agent added a new Protect rule, Class Loader Manipulation, to provide additional hardening against exploits like Spring4Shell and others.

  • When a LDAP or Active Directory identity store is unavailable due to connectivity issues, SuperAdmin users whose accounts reside in the local Contrast database will now be able to log onto the system.

  • Contrast Serverless now has a native Jira integration so that you can can more consistently remediate vulnerabilities across development teams.

  • Now when you run a report, you can more easily see which vulnerabilities align with the latest OWASP API compliance standards. Additionally, the compliance policy and security standard for the OWASP Top 10 2021 is now visible in the attestation report generator.

Bug fixes
  • Jira integration fails to load when fields are left empty. (TS-15606)

  • Excluding all routes for an application in the Contrast web interface removes the ability re-add them. (TS-15299)

  • Security standards and attestation reports failing to generate. (TS-15680)

  • Some vulnerabilities failing to load in the Contrast web interface due to 500 error codes. (TS-13242)

  • Exporting libraries from one application in the Contrast web interface would result and exporting all libraries. (OSS-2632)

  • Unable to render application page in Contrast web interface after enabling compliance policies. (TS-13677)

  • Two-way integration with Jira not syncing status changes from Jira. (INT-1136)

Security fixes
  • Updated various out-of-date libraries including: common-compress, aws-java-sdk-s3, xmlsec, jQuery, bootstrap, tomcat, Spring and more.

  • Updated authentication error message to be more vague.

  • Removed Elastic Search Library and usage.

  • Replaced MySQL Connector.

February (3.9.1)

Contrast 3.9.1 on-premises was released on March 16, 2022. Download a PDF of the 3.9.1 documentation.

Important

Contrast 3.9.1 on-premises is being released for Linux only.

New and improved
  • You can now create a full SBOM report for merged applications.

  • Contrast now supports GraphQL APIs when instrumenting your .NET Core application.

  • Contrast Verify is a GitHub action that makes sure no new vulnerabilities are introduced with a pull request. It checks against a Job Outcome Policy or an open-vulnerability threshold that you define through an input parameter. Available on the GitHub Marketplace.

Security bug fixes
  • Upgraded common-compress library. (TS-14042)

  • Upgraded mysql-connector-java library. (TS-13173)

  • Upgraded aws-java-sdk-s3 library. (TS-13174)

  • Removed unauthorized user system message. (TS-12979)

  • Upgraded Tomcat to 9.0.55 for on-premises. (TS-12930)

  • ContrastHub upgrades to jQuery, jQuery-UI, and bootstrap libraries (TS-11370)

Bug fixes
  • When the New Asset notification was enabled for specific applications, notifications were being sent for newly onboarded apps outside of that scope. (TS-14150)

  • When making API calls with an API-Only user, the Last Login timestamp for that user was not being populated. (TS-13290)

  • If the global search field is left populated and specific navigation occurs, the “X” to clear the search field will no longer work. (TS-13519)

January (3.9.0)

Contrast 3.9.0 on-premises was released on March 1, 2022. Download a PDF of the 3.9.0 documentation.

Important

  • Contrast 3.9.0 on-premises is being released for Linux only.

  • As of 3.9.0, Linux on-premises Contrast supports MySQL 8. All on-premises Linux customers should upgrade to MySQL 8 by summer 2022 when support for MySQL 5.7 ends. Learn more.

  • As of July 2022, with the launch of the Contrast Java agent 4.X, Java 6 and 7 will no longer be supported. Learn more.

New and improved
  • A new tool to make installing and configuring agents easier is here in Beta. The Contrast agent configuration editor helps you create a YAML configuration file from scratch, by checking YAML and recommending the proper settings based on agent type. You can also upload, edit and validate existing YAML or download new files for local use. Learn more.

  • The workflow for installing the .NET Core agent from the Contrast web interface has been updated to clarify language and allow for use of custom fields.

    Only the .NET Framework and .NET Core agent for IIS installers will be available for download from Contrast. For all other agents, please refer to each agents' instructions to learn how to install them with their respective package managers.

Security bug fixes
  • Upgraded aws-java-sdk-s3 in Contrast Hub to remediate CVE-2020-28491 in the sub-dependency jackson-dataformat-cbor 2.6.7. (TS-13174)

  • Upgraded jquery, jquery-ui, and Bootstrap libraries on Contrast Hub to avoid reflected XSS vulnerabilities. (TS-11370)

  • Upgraded commons-compress.jar. (TS-11190)

  • Disabled ability to write to a server’s agent log file without restriction. (TS-10262)

  • Deprecation of TLS 1.0 on Community Edition and hosted (SaaS) servers. (PROD-341, PROD-1591)

Bug fixes
  • The reflected XSS rule is incorrectly classified as Critical instead of Moderate. (PROD-1350)

  • When authenticating a request to Jira, a 401 error is returned. (SUP-3374)

  • When hovering over a server in the servers tab, the container may be shown as "unknown". (TS-11544)

  • When an organization has a compliance policy enabled, the Application page fails to load. (TS-12607)

  • Using the quick_filter parameter to filter vulnerabilities returned by the Contrast Python SDK results in a 500 error. (INT-1049)

  • When exporting a subset of vulnerabilities to CSV, an incorrect selection of findings are included in the resultant file. (TS-13567, TS-13635)

  • When filtering vulnerabilities in an application by environment, vulnerabilities tied to deleted servers are shown incorrectly. (TS-13203)

December Release News (3.8.11)
December (3.8.11)

Contrast 3.8.11 on-premises was released on January 11, 2022. Download a PDF of the 3.8.11 documentation.

Important

All Contrast on-premises (EOP) customers should upgrade to Contrast version 3.8.10.1596449597 or higher and read this Support Bulletin for latest information on Log4j impact on Contrast applications.

New and improved
  • Contrast Serverless is now generally available! It features dynamic scanning, static scanning, graph visualization, and resource observability for your AWS Lambda environments.

  • Contrast Scan now supports client-side JavaScript including jQuery. In addition to scanning Java files, you can now scan your JS files to find vulnerabilities.

  • The Java agent now supports Scala applications.

  • Both Python and Ruby agents have updated support to align with the languages' LTS policies.

  • You can now use a toggle to group all vulnerabilities in by sink. Fixing the code associated with a particular vulnerable sink can remediate all the vulnerabilities associated with that sink - making it the most efficient way to remediate.

Bug fixes:
  • Early versions of the 3.8.10 on-premises installer failed when connecting to MySQL 8x databases. (TS-13325)

  • Exclusion rules for untrusted-deserialization could not be saved correctly in the Contrast web interface. (TS-13144)

  • Session-based auto verification was continually marking some vulnerabilities as remediated - auto verified and back to reported. (TS12947)

  • Total URL hits was inaccurate for servers with less than 7 days of activity. (TS-12919)

  • Servers were incorrectly showing "Protect is Coming" when Protect was already enabled on the agent. (TS-12424)

  • Webhooks were not using proxy settings from the Contrast web interface. (INT-915)

  • Vulnerability timeline charts show wrong number of vulnerabilities for merged applications. (TS-10461)

  • Vulnerability Mappings not populating from CSV imports. (OSS-2518)

November (3.8.10)

Contrast 3.8.10 on-premises was released on November 30, 2021. Download a PDF of the 3.8.10 documentation.

New and improved
  • Rules have been updated for Node.js exclusions.

  • Ruby, Python and Go installation process has been simplified in the Contrast web interface. Find the latest agent versions in their respective package managers.

  • Improved performance for the Contrast Node.js agent with more efficient native functions and dead-zoning.

Bug fixes
  • Vulnerability option "Send to bugtracker" fails to open dialog. (TS-12455)

  • Cannot edit groups incorrectly throws error "Group name is already taken." (TS-12428)

  • Application page fails to load when organization has compliance policies set. (TS-12718)

  • Server activity graph is not being populated. (TS-12572)

  • Vulnerability tab is not accurately filtering by environment. (TS-12542)

  • Edit user page could time-out when user is associated with a large amount of applications. (TS-12456)

  • Attestation reports sometimes fail to generate. (TS-11769)

  • Protect licenses not applied automatically to servers after automatic server cleanup. (TS-11375)

  • Server page loads and searches taking inordinate amount of time with large server counts. (TS-10249)

October 2021 (3.8.9)
New and improved
  • The .NET Core agent now discovers and reports trust boundary violation vulnerability types. This new rule is of medium severity.

  • Contrast now offers a default configuration more optimized for performance. For the default, medium severity hard-coded password and hard-coded cryptographic key rules are turned off. You can still enable all rules for more comprehensive security testing when needed.

  • The Contrast Node.js agent now supports applications running Node 16 LTS.

  • The web interface for adding a Java agent is now improved, making it easier to get and install the Java agent.

Important notes
  • In our September (3.8.8) release we announced the move to eight designated IP addresses. We are happy to announce those changes are live, but we are extending support for our previous IP addresses while customers update to our new certificate authority, GlobalSign. A certificate authority update may be required to fully implement the fixed IP solution. Please reach out to support@contrastsecurity.com if you have any questions.

Agent versions released this month

The most recent version shown is bundled with the on-premises release.

Security bug fixes

These security related bugs have been fixed in the past month:

  • Security library upgrades. (TS-11185, TS-11190, TS-11191, TS-11189)

  • Limited brute-force login issue. (TS-11142)

Bug fixes

These bugs have been fixed in the past month:

  • Attestation reports fail to generate or include custom code vulnerabilities. (TS-12126)

  • Resetting application may fail in the Contrast web interface when there are active agents. (TS-11553)

  • Vulnerability merge button not selectable. (TS-11571)

  • Users experiencing poor performance in vulnerabilities page with large number of items. (TS-10374, TS-9839)

  • YAML download failing for Java agent when application metadata is preset. (TS-10132)

  • URL count remains zero even when application is exercised. (TS-11939)

  • Selecting vulnerability count on an archived application generates a 403 error. (TS-10767)

September 2021 (3.8.8)
New and improved
  • You can now download a Software Bill of Materials (SBOM) for your applications from the reports menu.

  • You can now scan Java applications and automate scanning in a CI pipeline directly from the CLI.

  • Just like the .NET Framework agent, the .NET Core agent now also discovers and reports stored XSS vulnerability types in instrumented applications.

  • If your Contrast instance is on-premises in an airgap environment, or if you prefer alternate access to documentation, you can now access a versioned PDF of Contrast Documentation from the Release News (above).

  • Added support for Go 1.17.

Important notes
  • Beginning September 17th, organization administrators using a hosted instance of Contrast must add the eight designated IP addresses, otherwise agent and user traffic will be interrupted until the required IP addresses are allowed.

    By October 31st all traffic will be going to these address and you will no longer need to allowlist the Amazon IP space.

  • The move to bundling MySQL 8 with the Contrast on-premises installer is being further tested to improve transition quality. Previously this was announced as part of 3.8.8. It is being delayed to a future release.

Agent versions released this month

The most recent version shown is bundled with the on-premises release.

Security bug fixes

These security related bugs have been fixed in the past month:

  • Failed login attempts that occur in rapid succession are not counted. (COMP-60)

  • Teamserver is utilizing outdated and vulnerable libraries: spring-web-5.2.9.release.jar and velocity-engine-core-2.0.jar. (COMP-54)

  • Including the Apache Tomcat version number in error messages provides potential attackers with this information. (COMP-53)

  • The application is vulnerable to user enumeration during the login process. (COMP-38)

Bug fixes

These bugs have been fixed in the past month:

  • Changing master to primary impacts downstream integrations causing breaking changes. (Changes were reverted back to master).

  • The buildNumbers filter is not included in the filter list causing the filter to fail. (TS-11484, 6618)

  • Using a version picker custom field when logging tickets from Contrast in Jira results in error message. (INT-853)

  • ServerEnvironment filter causes a 500 error. (INT-805)

  • Error saving settings, when updating sampling for server in Contrast web interface. (TS-10765)

  • Rules defaulted to ON cause performance degradation. (TS-7939)

  • Attempting to select Attacks causes a 504 error when there is a large number of attacks. (TS-10691)

August 2021 (3.8.7)

On-premises release: September 8, 2021

Hosted release: Continuous

New and improved:

  • With Contrast Scan you can now test your build artifacts without having to set up a test environment or install an agent. Customers using a hosted version of Contrast can upload a build artifact to test for security vulnerabilities and conduct compliance-based security testing. Start a scan from a Maven build integration, the Java SDK, CLI, API or the Contrast web interface.

  • You can now filter vulnerabilities at the organization level to find a subset of vulnerabilities (from one application or more applications) that originate from the same sink. From there you can change the status, send multiple vulnerabilities to Jira, or export this set of vulnerabilities to other formats like CSV.

  • You can now exclude specific application routes from the route coverage calculation. Administrators can also include routes that were previously excluded if the attack surface of the application changes.

  • The Ruby agent now offers full web application framework support for Grape.

  • You can now define security controls for the .NET Framework and .NET Core agents to prevent these agents from reporting a vulnerability on specific untrusted data.

  • Customers who use Kenna can try our Kenna integration and provide feedback.

  • Customers who use Azure Sentinel can try our Azure Sentinel integration and provide feedback.

Important notes

  • Beginning September 17th, organization administrators using a hosted instance of Contrast must add the eight designated IP addresses, otherwise agent and user traffic will be interrupted until the required IP addresses are allowed.

    By October 31st all traffic will be going to these address and you will no longer need to allowlist the Amazon IP space.

  • As of Node.js agent version 4.1.0 we no longer support Contrast Node.js agent versions 2.X.

  • The move to bundling MySQL 8 with the Contrast on-premises installer is being further tested to improve transition quality. Previously this was announced as part of 3.8.8. It is being delayed to a future release.

Agent versions released this month:

The most recent version shown is bundled with the on-premises release.

Bug fixes:

These bugs have been fixed in the past month:

  • Users encounter display issues with the user menu and login pages in the Contrast Web interface. (SUP-2545, SUP-2291)

  • Configuring LDAP with Anonymous binding fails with NPE. (SUP-3021)

  • When setting up LDAP, entering a URL with a single letter into the Hostname field is disallowed. (SUP-3043)

  • Saving a custom notification fails with an "internal server failure." (SUP-2993)

  • When an agent re-detected a vulnerability with "Remediated" status, its status did not change to "Reported" if a session based auto-verification policy is set for another application. (SUP-3008)

  • Entering a Japanese comment in the Contrast web interface displayed incorrectly in the Slack integration. (SUP-2979)

  • Session metadata call has been changed from GET to POST for Python SDK. (SUP-2815)

July 2021 (3.8.6)

On-premises release: August 10, 2021

Hosted release: Continuous

New and improved:

  • The Node.js agent release of version 4.0.0 brings improved performance with the Babel rewriter, startup caching, better testing, and required installation of Contrast service.

  • Protect applications can now startup with a default rule configuration that balances performance impact with security value for common attacks.

  • Improve performance for the Python agent, including shorter startup time, reduced latency, and reduced CPU overhead.

Important notes

  • As of Contrast 3.8.8, the MySQL version that is bundled with the on-premises installer will be upgraded to version 8. If you are currently using the bundled MySQL 5.7 in your deployment, you will be upgraded to version 8 for Contrast versions 3.8.8 and later. (If you are using a distributed version of MySQL 5.7 or 8, this will not affect you.)

Agent versions released this month:

The most recent version shown is bundled with the on-premises release.

Bug fixes:

These bugs have been fixed in the past month:

  • When attempting to filter vulnerabilities by module in Contrast, it's not possible to select the Module option. (SUP-2997, TS-10179)

  • When sending vulnerabilities to an external bugtracker, auto-ticket creation will fail due to a regression. (SUP-2974, INT-734)

  • When generating a security standards report, any server-side request forgery (SSRF) findings are erroneously excluded. (SUP-2920, TS-9529)

  • When viewing the library stats for a merged application, the breakdown of libraries by Years Out of Date shows only libraries of the master application (SUP-2989, OSS-2232)

  • When logging back into the Contrast web interface following a session expiration, the user is redirected to a 404 page. (TS-9946)

June 2021

3.8.5 on-premises release date: July 13, 2021

New and improved:

  • With improvements to route coverage in the Contrast web interface, you can delete multiple routes at once.

  • Now when you select Add agent in the Contrast web interface, the process for installing the Java and .NET Core agents is clearer and simpler.

  • The new .NET Core installer improves the process for those installing the .NET Core agent for IIS-hosted applications.

  • The Go agent is available to on-premises customers as of Contrast version 3.8.5.

Agent versions released this month:

Bug fixes:

These bugs have been fixed in the past month:

  • When a user marks a vulnerability Remediated in the Contrast web interface, the status is not always changed back to Reported if the vulnerability is rediscovered. (SUP-2823, TS-8920)

  • When the vulnerability severity breakdown for a merged application is obtained via the API, the response will not include child applications unless the includeMerged parameter is set to true. (TS-8352)

  • When upgrading to EOP 3.8.4 with a custom Java installation, the Contrast server reverts to using the bundled JRE. (SUP-2906, TS-9319)

  • When auto-ticket creation is enabled for the Contrast Jira integration, an incorrect field list will intermittently be used leading to failed ticket creation. (SUP-2901, INT-607)

  • When a user visits the Contrast web interface, dates default to Japanese format as opposed to the users’ locale. (SUP-2670, TS_9051)

  • When viewing the HTTP Info tab for a vulnerability, text formatting tags are exposed. (SUP-1937, TS-5418)

May 2021

3.8.4 on-premises release date: June 1, 2021

New and improved:

  • For hosted (SaaS) customers, Contrast now supports applications that use Golang. Support for on-premises customers will be included in the 3.8.5 release. The Go agent instruments your application at build-time. It provides visibility into vulnerabilities within your custom code and third-party libraries (including CVEs), and a visualized dependency tree across your libraries and license reporting.

  • You can filter libraries to find high-risk libraries with a security score of C or below and prioritize them for remediation.

Agent versions released this month:

Important notes:

  • In August 2021, Microsoft will end support for .NET Core 2.1. In accordance with Microsoft's support policy, the Contrast .NET Core agent will drop support for .NET Core 2.1 and 3.0 (which is already end of life) in August for hosted (SaaS) users, and for the 3.8.7 on-premises release.

Bug fixes:

These bugs have been fixed in the past month:

  • When viewing the HTTP request of an attack event in the Contrast web interface, the URL being protected is not shown correctly. (TS-8655, SUP-2745)

  • When viewing the OSS dependency tree, not all reported libraries are shown. (OSS-1350, SUP-2587)

  • When using the automated server cleanup, a subset of servers remain. (TS-8661, SUP-2764)

  • On-premises server opens the JMX port to query queue size and, if the port is blocked, repeatedly throws benign errors. (TS-8616, SUP-2591)

  • When selecting Libraries in the header, the vulnerability status bar displayed doesn't match the severity of the vulnerabilities tied to the library. (TS-8872, SUP-2788)

April 2021

3.8.3 on-premises release date: May 4, 2021

New and improved:

  • Contrast Assess now identifies NoSQL injection vulnerabilities for .NET Framework and .NET Core applications running on MongoDB.

  • For Python applications using the Bottle web framework, Assess can now detect vulnerabilities and Protect can now detect and block attacks.

  • Job outcome policies for Jenkins are now generally available. You can now drive CI/CD policy enforcement, standardize build success criteria across application teams, and improve mean time to remediation. Visit the Support Portal to learn how to meet key integration use cases and to use the public APIs for job outcome policies with non-Jenkins CI tools.

  • A new Secure Code Warrior beta integration embeds links to vulnerability training in vulnerability's How to fix section in both the Contrast web interface and in IDE integrations. Visit the Support Portal and this GitHub repository to learn more about setting up this new integration. By installing this integration, you agree to the Contrast Beta Terms and Conditions.

  • Contrast will now generate a notification when a new vulnerability is discovered on an existing library. To receive the new alerts, set a library “New Vulnerability” notification.

  • The Contrast database now includes .NET Core and .NET Framework DLLs that are not part of the NuGet package manager. Vulnerabilities that are found in .NET framework DLLs will be reported, and you can view data on latest DLL updates available. These libraries will now also be considered as part of the overall library score for an application.

  • The dependency tree has received a number of enhancements including a summary of dependency risks, callouts for total vulnerabilities per library and tree views offering historical context.

  • You will now see a warning message if a server is licensed for Protect, but a particular application on that server does not have Protect enabled.

Important notes:

  • Node.js agent 4.X, the next major version, will be available in the June release (3.8.5 on-premises release). All Node.js developers should review the upcoming release to become familiar with new capabilities and performance improvements. For the best upgrade experience, please be aware of these changes in the default behavior.

Agent versions released this month:

Bug fixes:

These bugs have been fixed in the past month:

  • When logging into Contrast using Azure IDP, a 405 error is sporadically thrown (TS-8083, SUP-2366)

  • When calculating the Library Score for an Application, in rare scenarios a library can be scored -1 resulting in a skewed grade (OSS-1977, SUP-2695)

  • When adding users through the bulk CSV API, the request fails when one of the users already exists (TS-5688, SUP-2127)

  • When installing EOP on Windows, a number of benign warnings are logged to catalina.out (TS-3394, SUP-1478)

March 2021

3.8.2 on-premises release date: April 6, 2021

New and improved:

  • CSV and XML vulnerability exports will now include all the instances associated with a given vulnerability. You will see a new column labeled Instance IDs in the vulnerability export.

  • When viewing vulnerabilities, you can now select the Show licensed only checkbox to filter vulnerabilities to show only those vulnerabilities that are from applications licensed for Assess.

  • You can now see the offending URL for all Insecure Authentication Protocol vulnerabilities. Select the vulnerability, and you will see the URL in the Overview under What happened?.

  • The Node.js agent added support for the Validator library, the Python agent added support for Bottle, and the .NET Core and .NET Framework agents added support for the async functions for Assess.

Agent versions released this month:

Bug fixes:

These bugs have been fixed in the past month:

  • When creating a new Pivotal Cloud Foundry Service for Contrast, a 403 error is thrown. (SUP-2677, TS-8134)

  • When a server entry is deleted from Contrast and re-onboarded, it retains its previous configuration rather than honoring the latest configuration. (TS-7405, TS-7690)

  • When querying the /applications/filter API endpoint, the includeOnlyLicensed parameter does not take effect. (SUP-2520, TS-7335)

  • When an auto-remediation policy is run, vulnerabilities found on servers which have since been deleted from Contrast are not marked as remediated. (SUP-2405, TS-7165)

  • When generating an attestation report, the report fails with the error, “The report cannot be accessed at this time.” (SUP-2635, TS-7832)

February 2021

3.8.1 on-premises release date: March 9, 2021

New and improved:

  • Dependency confusion is a new type of vulnerability where internal libraries may be replaced by potentially malicious libraries from public repositories. The Contrast CLI now warns you of Node.js libraries that are at risk for dependency confusion.

    This improvement is available to all Contrast customers.  Further Centralized Dependency Confusion improvements will be available to customers with a Contrast OSS license.

    Learn more about dependency confusion in this blog or webinar.

  • The Contrast CLI was updated with a --cve_threshold command to give you more control over when to fail a build.

Agent versions released this month:

Bug fixes:

These bugs have been fixed in the past month:

  • When querying for vulnerability details with the API with the metadataFilters parameter, a NullPointerException is thrown and a 500 response is returned. (TS-7322, SUP-2511)

  • When viewing vulnerabilities in the Visual Studio IDE plugin, unstyledData tags are visible in the vulnerability overview. (TS-7239, SUP-2332)

  • When sending notifications with the Slack, MS Teams or Generic Webhook integrations, placeholders for the Application name, Server name and other dynamic content are not resolved. (TS-7214, TS-7237, SUP-2389)

  • When viewing a vulnerability found on a Server which has since been deleted, no Environment (Dev, QA or Prod) is shown. (TS-7162, SUP-2419)

  • After adding a new application to a custom access group, the group may be hidden from Organization Administrators until they log out and log back in to Contrast. (TS-5784, SUP-2113)

January 2021

3.8.0 on-premises release date: February 9, 2021

Agent versions released this month:

Important notes:

  • On June 30, 2021, support for communication to the multi-tenant Contrast SaaS system (https://app.contrastsecurity.com) using TLS 1.0 and 1.1 will be deprecated. All future communication will require TLS 1.2 or later. For further information please refer to this support bulletin.

New and improved:

  • It is now possible to run the CLI when multiple configuration files exist. For users with multiple languages, specify the CLI language parameter with the --language command in order for the CLI to run.

Bug fixes:

These bugs have been fixed in the past month:

  • When an application is reset in the Contrast web interface, the associated vulnerabilities persist. (TS-7129, SUP-2414)

  • When querying for application details through the API, users intermittently receive a 403 response. (TS-6789, SUP-2336)

  • When generating an attestation report, the download link is not posted to the notifications icon. (TS-6469, SUP-2258)

  • When you use the Select all icon to export of the vulnerability list, not all vulnerabilities are exported. (TS-3378, SUP-1332)

  • When viewing the Activity tab for a vulnerability which has undergone status changes, no activity is shown unless comments have also been added manually. (TS-6522, SUP-2212)

December 2020

3.7.11 on-premises release date: January 8, 2021

Agent versions released this month:

Important notes:

  • Beta users can view filtered data in one place, including app rating, route coverage, license usage and a vulnerability histogram by status, type and severity.

New and improved:

  • You can now set library policy on commercial third-party libraries.

  • You can now see which libraries are used by master applications and their merged applications. Some libraries may only be used in a single merged application while others may be used in several.

  • On-premises customers using a proxy can now connect to our central server to get automatic updates for library data. This can be done under system level proxy settings.

  • The Java agent now supports newer versions of Java including 13, 14, and 15.

Bug fixes:

These bugs have been fixed in the past month:

  • When a user filters the application list to show unlicensed applications, a react error is thrown. (TS-6724, SUP-2316)

  • For on-premises users, when a user is removed from a linked LDAP group, they are not removed from the corresponding Contrast access group. (TS-6379, SUP-2231)

  • When there are multiple instances of a vulnerability, the detected environment is not correct for all instances. (TS-6451, SUP-2248)

  • When a user changes the policy for the “semantic” SQL Injection rules, the agent doesn’t honor these changes.(DOTNET-2390, DOTNET-2431, SUP-2325)

November 2020

3.7.10 on-premises release date: December 1, 2020

Agent versions released this month:

Important notes:

  • As of December 1, 2020, Contrast will support only version 9 of Tomcat. This impacts on-premises customers running Contrast on Tomcat version 7. Customers who use the Contrast-supplied, embedded Tomcat should just upgrade to Contrast version 3.7.10 when it is released in December. Please refer to the support bulletin for more information.

  • As of January 25, 2021, inbound traffic to the Contrast SaaS system will be moved from AWS Application Load Balancer to AWS CloudFront Content Delivery Network (CDN). If you are a hosted customer and have previously added an IP-based rule to your firewall that allows traffic to reach Contrast, you may need to take action. Please refer to the support bulletin for more information.

New and improved:

  • Runtime library usage has now been extended to include merged applications.

  • Added support for instrumenting applications that use the Java 2 security manager for permissions.

  • The .NET Core agent now supports .NET (Core) 5.0.

  • Added Java 14 and 15 compatibility.

  • Added support for .NET Core CLR instrumentation engine (CIE).

Bug fixes:

These bugs have been fixed in the past month:

  • When viewing the vulnerability Overview and How to fix text, code snippets are incorrectly rendered. (TS-6375, SUP-2235)

  • Selecting Vulnerabilities displays a 500 error in rare cases indicating that an entry exists without a corresponding vulnerability instance entry. (TS-5636, SUP-2178, SUP-2049)

  • When using the form to create a library policy, performance is very slow when there are many libraries in the Organization. (TS-2084, SUP-1051)

  • When viewing vulnerable libraries, some mapped CVEs are not displayed. (OSS-1465, SUP-2091)

October 2020

3.7.9 on-premises release date: November 3, 2020

Agent versions released this month:

Important notes:

  • As of December 1, 2020, Contrast will support only version 9 of Tomcat. This impacts on-premises/non-SaaS customers running Contrast on Tomcat version 7. Customers who use the Contrast-supplied, embedded Tomcat should just upgrade to Contrast version 3.7.10 when it is released in December. Please refer to the support bulletin for more information.

New and improved:

  • Contrast OSS now shows more detailed data about libraries. You can see not only if a library is used, but how much that library is used. You can analyze runtime library usage generally under Libraries, or in much more detail under Applications. Contrast now reports the exact classes that have been used by the application. Runtime library usage has been extended across all languages in our platform. (It was previously limited to Java and .NET Framework.)

  • The .NET Framework agent is now compatible with the Azure ApplicationInsight APM tool. The ApplicationInsight agent runs in the Common Instrumentation Engine (CIE) runtime. The CIE is now supported and the Contrast .NET agent can be deployed in all environments alongside ApplicationInsight. This compatibility works out-of-the-box for Azure SaaS deployments when the Contrast .NET site extension is used.

  • Added Hibernate 4 and 5 support for Java developers using JPA/JPQL, Hibernate JQL, native SQL and Criteria API data access.

  • For Java users, you can now use profiles in a multi-tenant application configuration to apply individual options to each application.

Bug fixes:

These bugs have been fixed in the past month:

  • On-premises instances are unable to connect to Ardy. (TS-5698, SUP-2126)

  • ReDoS Protect event causes null pointer exception. (JAVA-1771, SUP-2086)

  • Java agent doesn’t honor Websphere trust store configuration. (JAVA-742, SUP-772)

  • Node.js is not emitting a Protect QUERY event in loopback. (NODE-1063, SUP-2009)

  • When deleting route coverage data, transaction times out. (TS-5658, SUP-2064)

September 2020

3.7.8 on-premises release date: September 29, 2020

Agent versions released this month:

New and improved:

  • The Contrast CLI now returns details of the CVE's found on each library. This output can be configured by setting a CVE severity threshold which will limit the output returned. The CLI can also return an exit code which can be used as part of a CI/CD pipeline to prevent vulnerable libraries from being deployed to production. CLI support has also been added for Gradle projects.

  • A Visual Studio Code extension is now generally available from Microsoft's Marketplace, so you can receive a remediation experience native to your code editor.

  • Contrast is now compatible with Java 13.

  • Route coverage is now available for Servlet API versions 2.4+ and 3.0+ on GlassFish web servers.

  • The contrast extension to Azure DevOps now has a release gate, in addition to a build task.

  • Improved coverage and support for Spring 5 MVC and Spring Boot 2.X.

Bug fixes:

These bugs have been fixed in the past month:

  • Liferay CMS accuracy needs improvement. (JAVA-1409, SUP-1663, SUP-1664, SUP-1711)

  • .NET service restart causes IIS workers to fail to start. (DOTNET-1928, SUP-1818)

  • Insecure Encryption Algorithm reported at incorrect code location. (NODE-1038, SUP-1852)

  • Library bulk export failing to filter by application. (TS-5325, SUP-1928)

  • On-premises instances replacing log4j2.xml on startup. (TS-3354, SUP-1422)

August 2020

3.7.7 on-premises release date: September 1, 2020

Agent versions released this month:

Important notes:

  • For Jenkins users, you can now try out centralized policy configuration. Create consistent build failure policies across teams while eliminating the need to define vulnerability thresholds in the plugin. This public beta feature is available to all Contrast administrators.

Bug fixes:

These bugs have been fixed in the past month:

  • Organization Administrator unable to load access group details. TS-4745 (SUP-1769)

  • Unable to view route coverage for merged child applications. TS-4028 (SUP-1632)

  • Hash algorithm shown as “null” in insecure hash findings. TS-3087 (SUP-1407)

  • Certain attack events missing from daily email digest. TS-4568 (SUP-1681)

3.7.6 on-premises release date: August 4, 2020

New and improved:

This release brings several improvements that help CLI users collect information on library dependencies early on:

Bug fixes:

These bugs have been fixed in the past month:

  • TS-4419 (SUP-1704) Library page was timing out.

  • TS-4666, 3123 (SUP-1751, 1339) Vulnerability instance ID being used as opposed to the global vulnerability ID.

  • TS-4259 (SUP-1645) Library scoring not refreshing in air-gapped on-premises Contrast installations.

  • JAVA-1278 (SUP-1312) Java agent impacting handling of disabled TLS algorithms.

  • TS-3647 (SUP-1599) Security Standards PDF report failing due to high number of backend components.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.5.15634, 3.7.6.16040

New features and improvements:

  • Added Spring support for Accessing Relational Data using JDBC.

  • You can now access JPA Data with REST in Spring.

Bug fixes:

These bugs were fixed during the past month:

  • jaxrs/Jersey vulnerabilities not triggered due to losing track of tainted data.

  • Race condition with CreateApp settings meaning Server level disabled rules are used.

  • Protect false negative: Jackson unsafe deserialization (CVE-2017-17485).

  • finding-send broken due to FrameworkManager bringing in dispatchers from java.lang.

  • Agent fails to request permission before calling setAccessible.

  • Command Injection in Protect received false positive from argparse4j.

  • Agent on WebSphere changes handling of disabled TLS algorithms.

  • Spring PathVariable is not detected as a source.

  • Dataflow is lost through some Spring Util classes.

  • False positive unvalidated forward in Tomcat with Spring DeferredResult.

  • SQLi FP with HttpClient's RetryExec with MariaDB

  • False positive received with XSS Keyword.

  • -Dcontrast.rootapp name ignored when ServletContext.getServletContextName() returns non-empty value.

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.6.6, 20.7.2, 20.7.3, 20.7.4

New features and improvements:

  • Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

  • Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

  • Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

  • Improved the performance of Protect SQL-Injection detection.

  • Improved the performance of Protect against XML-based inputs.

  • Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast-security.yaml configuration file.

Important notes:

  • The agent’s file analysis rules now execute within the context of the agent’s sensors component. These rules will now execute in Azure App Service and Docker deployments. Previously these rules only executed in the agent’s background Windows service component.

Bug fixes:

  • When a third-party profiler would be chained with Contrast, that profiler could instrument some internal Contrast methods which lead to some instability. This issue has been fixed now.

  • The agent could fail to properly observe some Web API 2 routes. This issue has been fixed now.

  • When an OWIN-based application was deployed to Azure App Service, the agent would cause an application error. This issue has been fixed.

  • When the agent’s background Windows service was shutting down it could sometimes harmlessly crash. This issue has been fixed.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.10, 1.5.11, 1.5.12

New features and improvements:

  • Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

  • Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

  • Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

  • Improved the performance of Protect SQL-Injection detection.

  • Improved the performance of Protect against XML-based inputs.

  • Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast-security.yaml configuration file.

Language versions currently supported: 10 and 12 LTS

Agent versions released during the past month: 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.17.0

New and improved:

  • Added multiple architecture changes and fixes that improve Assess performance.

  • Added support for URL Exclusions when using Assess. In Contrast, you can designate URLs that ignore selected rules or all rules. The agent now respects these settings for Assess rules in the Node.js agent.

  • Protect rule modes now default to OFF for best backward and forward compatibility.

  • Improved Fastify support to work better with GraphQL and Apollo Server.

  • Removed support for Protect Cross-site Request Forgery (CSRF).

  • Updated the version of Lodash used by the Node.js agent to 4.17.19 in response to a CVE for Lodash 4.17.15.

Important notes:

  • Version 3.0.0 of the Node.js agent will be released at the end of August and will introduce these changes:

    • The Node.js agent will be required to run with the Contrast service enabled. Currently the service is shipped with the agent but is optional; this change will enable the service by default.

    • The service will provide multiple functional and performance benefits to the Node.js agent.

    • The legacy auto-update policy for the Node.js agent will be deprecated when running with the service enabled.

      Note

      You will need to upgrade to Version 3.0.0, because the legacy auto-update feature does not upgrade to a major version. You can update your agent to 3.x with npm (recommended), the Contrast API or by using the Contrast web interface. Using npm allows version updates by using the customer’s application’s package.json with semantic versioning.

  • All new features will only be available for 3.0.0 and higher. Version 2.18.0 will also be released at the end of August and will be the final version that doesn't require the Contrast service. This version will continue to be supported for patch releases.

  • There are two optional features that may be useful to some customers. Contact your Customer Success Representative if you would like to know more about these:

    • Re-write caching provides faster subsequent start-up times.

    • Performance may improve when you skip (or deadzone) certain modules. For example, if you have modules passing large strings that are irrelevant to security, like logging, you can choose not to instrument them.

Bug fixes:

  • Node.js agent failed to initialize. Missing gRPC framework was resolved.

  • An exception occurred because of a syntax error for Fastify. This was fixed.

  • Crash when requiring the aws-s3 module was resolved.

Language versions currently supported: 2.5-2.7

Agent versions released during the past month: 3.12.1, 3.12.2, 3.13.0

New features and improvements:

  • Replaced google-protobuf with protobuf.

  • Improved logging to include Thread Id as well as Process Id.

  • Removed custom Contrast::InternalException in favor of common exception types to improve error handling.

Important notes:

  • The change of dependency from google-protobuf to protobuf, removes the need to execute the bundle config force_ruby_platform true command before installation.

  • In 2020, the cucumber project forked protobuf for their own use in a way that is incompatible with the main branch. As such, you cannot run any project using cucumber-messages above version 8.0.0 as it depends on the incompatible protobuf-cucumber.

Bug fixes:

  • Improved handling of logging to unwritable destinations.

  • Improved handling of propagation to children of the String class.

  • Improved handling of propagation through Regular Expression where the result of a match is nil.

Language versions currently supported: Python 2.7 and 3.5-3.8

Agent versions released during the past month: 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0

New features and improvements:

  • Added route coverage support for Django 3.0.

  • Added Falcon 2.0 support.

  • Improved accuracy of library file usage.

  • Improved propagation through regular expressions in Assess.

Important notes:

  • The team made significant internal cleanup to Request representation

Bug fixes:

  • Fixed a bug where regex propagation was throwing an exception under certain conditions.

  • Fixed a bug related to agent handling of very short JSON keys and values.

  • Updated protobuf dependency requirement in response to incompatibility issues with older versions.

  • Fixed an issue where the agent raised an internal exception for applications using certain features of pyasn1.

  • Fixed a bug where Django applications were unable to properly parse the Content-Type header if a charset was explicitly provided.

  • Improved error handling around stack trace construction.

3.7.4 on-premises release date: June 2, 2020

New and improved:

  • For on-premises customers, daily exports of our library data are now available for download. Airgap environments can now update versions without updating the Contrast environment.

  • A new integration plugin beta displays vulnerability information directly in Visual Studio Code so developers can quickly and easily learn about security issues found in their application during functional testing, shifting security left.

Important notes:

  • With this release the .NET Framework agent has forked into two agents. The modern agent will continue to be developed to support recent versions of the .NET Framework, CLR and Windows OS versions. The legacy agent has all of the current features of the .NET Framework agent and will receive critical bug fixes but otherwise will not be further developed.

  • Previously, organizations with very large numbers of Jira users could time out when attempting to set up a Jira integration in Contrast. We have scaled our Jira integration so that this is no longer an issue.

Bug fixes:

These bugs have been fixed in the past month:

  • SUP-549, 1386 (SEC-530, JAVA-455, 1201) Protect was returning false positives and delivering duplicate attack events for some customers.

  • SUP-306 (TS-35) When upgrading Contrast, SQL backup files were silently deleted.

  • SUP-1426 (TS-3129) Null values in mapping application score triggered error messages.

  • SUP-1287, 1432 (JAVA-1191) Customers experienced performance degradation in Protect. This was remedied with significant performance improvements to the CMD Injection, XSS and SQLi rules.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.4.14937

New features and improvements:

  • Added support for (WebSphere) Route Discovery for Servlet 2.5 Declarative Servlets.

  • Increased sensitive data masking coverage, specifically for SQLi, XSS, Command Injection, Path Traversal, CSRF, ReDoS, OGNL Injection.

Bug fixes:

  • XXE vulnerability missed in Assess but flagged as path traversal

  • UI displaying blocked and exploited HTTP Method Tampering events

  • Protect was receiving false negatives for XSS Bypass via Bug Bounty

  • Spring auto binding rule causing false negatives

  • Protect Path Traversal False Positive due to base64 null char

  • NPE in ContrastHttpRouteRegistrationWatcherDispatcherImpl

  • ReportFindings acceptance test annotation is broken

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.5.1

New features and improvements:

  • Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

Important notes:

  • Beginning with this release, the minimum supported operating system is Windows Server 2012 and the minimum .NET Framework version is .NET 4.7.1.

  • The legacy .NET Framework agent maintains support for Windows Server 2008 and older .NET Framework versions. The legacy agent has all of the current features of the .NET Framework agent and receives critical bug fixes but otherwise will not be further developed.

Bug fixes:

  • When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

  • When the agent would report an xcontenttype-header-missing vulnerability, it was rejected due to missing information. The agent now sends all expected information for this vulnerability.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.3

New features and improvements:

  • Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

  • The agent will no longer attempt to load under .NET Core versions less than 2.1 as these versions are not supported.

Bug fixes:

  • When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

  • When the agent would report an xcontenttype-header-missing vulnerability, Contrast would reject the vulnerability report due to missing information. The agent now sends all expected information for this vulnerability.

  • When an instrumented application closed the response stream, the agent could cause an application error. This is fixed now.

  • When an instrumented application seeked within a response stream, the agent could cause an application error. This is fixed now.

Language versions currently supported:10 LTS and 12 LTS

Agent versions released during the past month: 2.15.0

Important notes:

Bug fixes:

  • The customer application would fail to start when all Assess rules were disabled. This is fixed now.

  • The customer application would fail to start because worker threads would hang and generate multiple processes with the same pid. This is fixed now.

  • The agent would not output the security log to stdout (or stderr). This is fixed now.

  • Duplicated vulnerabilities were being reported for unique routes. This is fixed so that TeamServer displays distinct findings for each request uri.

  • An out-of-memory error caused by a regex match resulted in an infinite loop. This has been fixed.

  • Node.js agent’s migration to npm and incorrectly bundled modules made it seem like the agent was missing two dependencies. This has been resolved.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New features and improvements:

  • Added support for Django Rest Framework

  • Added copyright to all agent files

  • Removed the agent's external dependency on the wrapt package

  • Improved INFO level logging for easier tracking of applications with multiple processes

Bug fixes:

  • When running the agent with protobuf-3.6.1 sometimes the application crashed, which has now been resolved with a newer protobuf version.

Language versions currently supported: 2.5 - 2.7

Agent versions released during the past month: 3.10.1, 3.10.2, 3.11.0

New features and improvements:

  • Improved Stack Trace capturing

  • Improved library analysis performance leading to a decrease in first request penalty

Important notes:

  • The Agent now supports TRACE level logging. Those running with DEBUG logging should see a significant decrease in logged events

3.7.5 on-premises release date: July 7, 2020

New and improved:

  • There is a new Vulnerability Instances section under the Notes tab on a vulnerability's detail page.  Here you can see associated vulnerability instances with links that navigate to them. Vulnerability instances are listed by ID in descending order based on when they were first found, with the most recently found vulnerability (Last Detected) at the top.

  • The library grid will now sort by library score as the default. This ensures libraries with the most risk are clearly visible. Library version information is now more clearly reported and includes if the library in use is the latest version.

  • Contrast Documentation is still available at docs.contrastsecurity,com but with a new cleaner look, an improved search, and content organized by user role. Give us your feedback to help us keep improving.

Bug fixes:

These bugs have been fixed in the past month:

  • TS-3091 (SUP-1267, 1286) Some servers were appearing offline erroneously.

  • TS-3272 (SUP-1443) On-premises upgrade was requiring a java.security adjustments. This is no longer required.

  • DOTNET-1738 (SUP-1471,1491) .NET agent would crash when overly complex typesec was encountered.

  • NODE-904 (SUP-1634) Node.js agent was requiring the gRPC module which caused the agent to crash.

  • TS-2778 (SUP-1269) Searching for a vulnerability by ID was causing a global search timeout.

  • TS-2641 (SUP-1215) Attestation report was failing to generate when requested.

  • TS-3403 (SUP-1530) On-premises contrast-server.service was failing to restart after upgrade.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.5.15634, 3.7.5.15480

New features and improvements:

  • Provided route coverage support for the Servlet API.

  • Implemented Sensitive Data Masking with the mask_attack_vector.

  • Added Assess support for DynamoDB.

Bug fixes:

  • Protect caches input no matter the size potentially leading to OOMs for large requests

  • Undertow Resource Handlers Should Not Trigger Path Traversal Attacks

  • Path Traversal False Positive Due to Spring's ServletContextResource

  • Race condition in App Inventory along with Protect Struts Cve rules

  • Log4j2 instrumentation fails on Log4j2 2.13.1

  • Agent Reports Incorrect HTTP Protocol Version on Servlet Containers

  • Protect SQLi SimpleOrSearcher has poor performance on large inputs

  • Assess CSRF Detection Fails When Request Uses form-data/multipart

  • SSRF detection must not take use of tainted path as a SSRF vulnerability

  • Java Agent does not provide a findings field for PathTraversalSemanticDTM

  • Agent Prevents Graceful JVM Shutdown

  • Fix performance metric reporting for Acceptance Tests

  • StringUtil methods for case sensitive string comparison are wrong for non alphabet inputs

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.6.1, 20.6.3, 20.6.4

New features and improvements:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • Added support for OWIN based-hosting and self-hosted Web API applications outside of IIS.

  • The agent will now clean up old logs in Azure App Service and Docker-based deployments.

  • Improved logging and reliability around the agent’s auto-upgrade process.

  • Improved performance of Protect XSS.

  • Added support for route-based coverage of WCF services using Unity interception.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When the agent’s service would restart IIS with Contrast sensors on an overloaded server, the service could start receiving messages from those sensors before it was ready to handle them which lead to the sensors failing to initialize. This issue has been fixed now.

  • When a user would set up profiler chaining with AppDynamics in an Azure App Service environment, the AppDynamics profiler would fail to load. This has now been fixed.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.5, 1.5.7, 1.5.8, 1.5.9

New features and improvements:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • The agent will now clean up old logs.

  • Removed the dependency on Microsoft.Extensions.Caching.Memory.

  • Improved performance of Protect XSS.

  • Improved performance of Protect SQL-Injection.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘contrast.protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When a user would disable logging, the agent’s profiler component would still log high level information during initialization. The profiler will no longer create a log when logging is disabled.

Language versions currently supported:10 LTS and 12 LTS

Agent versions released during the past month: 2.15.1 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4

New and improved:

  • Multiple architecture and performance improvements.

  • New gRPC communication protocol between the agent service improves performance.

  • Removed name and value cookie sources for reflected XXS per updated guidance for both Assess and Protect.

  • Added a sensor for SQLite for Protect.

  • Added support for Koa version 2.12.

  • Reflected XSS is now not reported if Content-Type is allowlisted as safe.

Important notes:

  • A major version release for the Node.js agent is planned for late July or August 2020. Node.js agent version 3.0.0 will introduce breaking changes for customers using the 2.x.x version of the agent and service.

Bug fixes:

  • Implemented multiple bug fixes due to the introduction of the gRPC communication protocol between the JavaScript agent and the agent service

  • Implemented fixes to resolve route coverage issues that surface when using graphQL, Apollo Server, and Fastify

  • Resolved a false positive issue when correctly using Sequelize to escape strings.

  • Resolved exception when fastify.route is called with an uppercase verb.

  • Resolved an issue that manifested as reporting duplicate routes when using the Express framework.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New features and improvements:

  • Falcon 2.0 is supported and is in beta

  • Upgraded Contrast Service to 2.8.1

Language versions currently supported: 2.5-2.7

Agent versions released during the past month: 3.12.0

New features and improvements:

  • Caching of settings to improve performance and reduce memory impact

Important notes:

  • Deprecation of CSRF Assess and Protect rules

3.7.3 on-premises release date: May 8, 2020

New and improved:

  • In addition associating vulnerabilities, you can now also associate both discovered and exercised routes to build numbers, application versions, branches or repositories using session metadata. This means you can also query route information with a public API endpoint. With a single call to a public endpoint you can get detailed information on how much of an application has been exercised and where the critical vulnerabilities are.

  • You now have a choice to receive individual policy violation emails or to consolidate them into a single email. Find this option under Organization Settings > Notifications.

  • Your AppSec team can more easily assess library security risk and prioritize work with changes to surface CVE severity and make libraries easier to find. Select Libraries to see a filterable list of libraries with visual display of CVE severity for each one.

Important notes:

  • To improve security, the Contrast JRE version has been updated to Java 11 for both hosted and on-premises customers. This should not affect end users.

Bug fixes:

These significant bugs have been fixed in the past month:

  • SUP-1244 (TS-2697, TS-1494) 3.7.2 on-premises upgrade caused Contrast server and mysqld to attempt to run as the wrong user.

  • SUP-1153 (JAVA-1051) RBAV was incorrectly auto-verifying vulnerabilities.

  • SUP-1172 (JAVA-1060, JAVA-1061, JAVA-1062) Protect input after a rule change caused false positives.

  • SUP-1231 (DOTNET-1458) .NET agent failed to initialize after upgrade.

  • UP-1156 (TS-2526) Inconsistent authorization redirected user to login and then an unauthorized page.

  • SUP-1074, 1234, 1312 (JAVA-1085) WebSphere LDAP/SAML authentication broke with newer versions of Contrast.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.3.14727, 3.7.3.14657

New features and improvements:

  • Contrast Assess more accurately detects Path Traversal vulnerabilities. Contrast Assess and Protect more accurately detect vulnerabilities and attacks respectively in Apache Struts based applications. Contrast Protect more accurately detects SQL Injection attacks.

Important notes:

  • This release includes breaking changes to Contrast Assess route coverage reporting when used with on-premise Contrast servers version 3.7.2 and older.

Bug fixes:

  • When WebSphere users configured their WebSphere services with custom TLS certificates, the Contrast Java agent prematurely initialized WebSphere's certificate manager as a side-effect. This caused the WebSphere TLS connections to fail unexpectedly. This issue has been resolved by adding a special exception for WebSphere to Contrast's TLS initialization whereby Contrast will use an isolated `SSLSocketFactory` instead of the Java runtime's default system socket factory.

  • When users configure their application with a session-based vulnerability auto-verification policy, and the user does not configure their Contrast agent with an explicit session_id configuration parameter, then Contrast wrongfully auto-verifies vulnerabilities. We resolved this issue by fixing a race condition, so we can ensure that auto-verification will work as expected when the user has configured their agent to use the contrast.agent.java.standalone_app_name configuration.

Language versions currently supported: .NET Framework: 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.4.1, 20.4.2, 20.4.3

New features and improvements:

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example, invalid yaml).

Important notes:

  • The agent’s auto-update feature will no longer update the agent when running on Windows Server 2008 or servers with .NET Framework 4.7.0 or older. This change is in preparation for the upcoming fork of the Contrast .NET Framework agent. See below for more details.

  • The next release of the .NET Framework agent will raise the minimum supported operating system to Windows Server 2012 and raise the minimum .NET Framework version to .NET 4.7.1. Support for Windows Server 2008 and older versions of the .NET Framework will be maintained via a fully featured legacy .NET Framework agent. This legacy agent will have all of the current features of the .NET Framework agent and will receive critical bug fixes but otherwise will not be the focus for future .NET development.

Bug fixes:

  • When an application hosted on IIS was (mis)configured without a virtual path, the agent’s background Windows service would crash. The agent’s background Windows service now properly handles this configuration.

  • A race condition around requests for configuration values that did not have default values could lead to a crash of the agent’s background Windows service. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.4.0, 1.5.0

New features and improvements:

  • Added support for Linux Azure App Service.

  • Added support for Alpine.

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example invalid yaml).

Bug fixes:

  • When applications redirected to a URL that had been validated using Url.IsLocalUrl, the agent would still report an unvalidated redirect vulnerability. The agent will now respect the Url.IsLocalUrl validator.

  • A race condition around requests for configuration values that did not have default values could lead to an unhandled error in the agent. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.

Language versions currently supported:

Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0

New features and improvements:

  • Fastify framework support: Fastify 2.x is now a supported framework for the Contrast Node.js agent

  • NPM availability: The Contrast Node.js agent can now be installed directly from the Contrast Security public NPM repository

  • Pre-load capabilities: The Node.js agent can now be run as a pre-load module using the -r flag. This is also now the recommended method of running the Contrast Node.js agent.

Important notes:

  • Running the node agent as a runner will now generate a deprecation message. This is the deprecated syntax:

    node-contrast<app-main>

    The agent will continue to function when executed as a runner. However, we encourage customers to migrate to the new method of running the Contrast Node.js agent as this is no longer recommended.

Bug fixes:

  • After architecture improvements were made to the agent, some applications were prevented from starting with the agent. This has been resolved and users should no longer receive error messages like these:

    cls.run(() => {
        ^
    TypeError: Cannot read property 'run' of undefined
    
    OR
    
    /usr/src/app/node_modules/node_contrast/lib.asar/AsyncStorage/index.js:188
        if (ns.active) {
    
    TypeError: Cannot read property 'active' of undefined

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0

New features and improvements:

  • Added initial support for Stored XSS rule in Assess for django framework.

  • Added Unvalidated Redirect support for Assess for pyramid and webob objects.

  • Made updates to reduce number of false positives from Reflected XSS rule in Assess.

  • Removed the agent’s external dependency on the six package.

Bug fixes:

  • When running the agent under Python 2.7 on Ubuntu 16.10 some instrumentation failed to apply, which has now been resolved.

  • When applications used str.format in certain edge cases, the agent lost dataflow propagation, which has now been resolved. 

Language versions currently supported: 2.4 - 2.7

Agent versions released during the past month: 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0

New features and improvements:

  • Enhanced module definition detection using TracePoint

Important notes:

  • This will be the last on-premises release bundled with a gem that supports Ruby 2.4.

  • It is recommended to use RubyGems at this point.