Release News

The monthly Release News shows highlights from all Contrast hosted, on-premises and agent releases over the past month. Select the agent in the left navigation to view the latest release notes for that agent.

Release News - August 2020

This page shows highlights from all Contrast hosted, on-premises and agent releases over the past month.

3.7.7 on-premises release date: September 1, 2020

Agent versions released this month:

Important notes:

  • For Jenkins users, you can now try out centralized policy configuration. Create consistent build failure policies across teams while eliminating the need to define vulnerability thresholds in the plugin. This public beta feature is available to all Contrast administrators.

Bug fixes:

These bugs have been fixed in the past month:

  • Organization Administrator unable to load access group details. TS-4745 (SUP-1769)

  • Unable to view route coverage for merged child applications. TS-4028 (SUP-1632)

  • Hash algorithm shown as “null” in insecure hash findings. TS-3087 (SUP-1407)

  • Certain attack events missing from daily email digest. TS-4568 (SUP-1681)

This page shows highlights from all Contrast hosted, on-premises and agent releases over the past month.

3.7.6 on-premises release date: August 4, 2020

New and improved:

This release brings several improvements that help CLI users collect information on library dependencies early on:

Bug fixes:

These bugs have been fixed in the past month:

  • TS-4419 (SUP-1704) Library page was timing out.

  • TS-4666, 3123 (SUP-1751, 1339) Vulnerability instance ID being used as opposed to the global vulnerability ID.

  • TS-4259 (SUP-1645) Library scoring not refreshing in air-gapped on-premises Contrast installations.

  • JAVA-1278 (SUP-1312) Java agent impacting handling of disabled TLS algorithms.

  • TS-3647 (SUP-1599) Security Standards PDF report failing due to high number of backend components.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.5.15634, 3.7.6.16040

New and improved:

  • Added Spring support for Accessing Relational Data using JDBC.

  • You can now access JPA Data with REST in Spring.

Bug fixes:

These bugs were fixed during the past month:

  • jaxrs/Jersey vulnerabilities not triggered due to losing track of tainted data.

  • Race condition with CreateApp settings meaning server-level disabled rules are used.

  • Protect false negative: Jackson unsafe deserialization (CVE-2017-17485).

  • finding-send broken due to FrameworkManager bringing in dispatchers from java.lang.

  • Agent fails to request permission before calling setAccessible.

  • Command Injection in Protect received false positive from argparse4j.

  • Agent on WebSphere changes handling of disabled TLS algorithms.

  • Spring PathVariable is not detected as a source.

  • Dataflow is lost through some Spring Util classes.

  • False positive unvalidated forward in Tomcat with Spring DeferredResult.

  • SQLi false positive with HttpClient's RetryExec with MariaDB.

  • False positive received with XSS Keyword.

  • -Dcontrast.rootapp name ignored when ServletContext.getServletContextName() returns non-empty value.

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.6.6, 20.7.2, 20.7.3, 20.7.4

New and improved:

  • Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

  • Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

  • Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

  • Improved the performance of Protect SQL-Injection detection.

  • Improved the performance of Protect against XML-based inputs.

  • Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast-security.yaml configuration file.

Important notes:

  • The agent’s file analysis rules now execute within the context of the agent’s sensors component. These rules will now execute in Azure App Service and Docker deployments. Previously these rules only executed in the agent’s background Windows service component.

Bug fixes:

  • When a third-party profiler was chained with Contrast, that profiler could instrument some internal Contrast methods, which led to some instability. This issue has been fixed now.

  • The agent could fail to properly observe some Web API 2 routes. This issue has been fixed now.

  • When an OWIN-based application was deployed to Azure App Service, the agent would cause an application error. This issue has been fixed.

  • When the agent’s background Windows service was shutting down it could sometimes harmlessly crash. This issue has been fixed.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.10, 1.5.11, 1.5.12

New and improved:

  • Added connect to contrast-dotnet-diagnostics to test the agent’s ability to connect to Contrast.

  • Added config-keys to contrast-dotnet-diagnostics to display configuration options supported by the agent.

  • Added cert-info to contrast-dotnet-diagnostics to display information about the certificate provided by the value of the api.url configuration setting.

  • Improved the performance of Protect SQL-Injection detection.

  • Improved the performance of Protect against XML-based inputs.

  • Added validate-yaml to contrast-dotnet-diagnostics to verify the agent’s contrast-security.yaml configuration file.

Language versions currently supported: 10 and 12 LTS

Agent versions released during the past month: 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.17.0

New and improved:

  • Added multiple architecture changes and fixes that improve Assess performance.

  • Added support for URL Exclusions when using Assess. In Contrast, you can designate URLs that ignore selected rules or all rules. The agent now respects these settings for Assess rules in the Node.js agent.

  • Protect rule modes now default to OFF for best backward and forward compatibility.

  • Improved Fastify support to work better with GraphQL and Apollo Server.

  • Removed support for Protect Cross-site Request Forgery (CSRF).

  • Updated the version of Lodash used by the Node.js agent to 4.17.19 in response to a CVE for Lodash 4.17.15.

Important notes:

  • Version 3.0.0 of the Node.js agent will be released at the end of August and will introduce these changes:

    • The Node.js agent will be required to run with the Contrast service enabled. Currently the service is shipped with the agent but is optional; this change will enable the service by default.

    • The service will provide multiple functional and performance benefits to the Node.js agent.

    • The legacy auto-update policy for the Node.js agent will be deprecated when running with the service enabled.

      Note

      You will need to upgrade to Version 3.0.0, because the legacy auto-update feature does not upgrade to a major version. You can update your agent to 3.x with npm (recommended), the Contrast API or by using the Contrast web interface. Using npm allows version updates by using the customer’s application’s package.json with semantic versioning.

  • All new features will only be available for 3.0.0 and higher. Version 2.18.0 will also be released at the end of August and will be the final version that doesn't require the Contrast service. This version will continue to be supported for patch releases.

  • There are two optional features that may be useful to some customers. Contact your Customer Success Representative if you would like to know more about these:

    • Re-write caching provides faster subsequent start-up times.

    • Performance may improve when you skip (or deadzone) certain modules. For example, if you have modules passing large strings that are irrelevant to security, like logging, you can choose not to instrument them.

Bug fixes:

  • Node.js agent failed to initialize. Missing gRPC framework was resolved.

  • An exception occurred because of a syntax error for Fastify. This was fixed.

  • Crash when requiring the aws-s3 module was resolved.

Language versions currently supported: 2.5-2.7

Agent versions released during the past month: 3.12.1, 3.12.2, 3.13.0

New and improved:

  • Replaced google-protobuf with protobuf.

  • Improved logging to include Thread Id as well as Process Id.

  • Removed custom Contrast::InternalException in favor of common exception types to improve error handling.

Important notes:

  • The change of dependency from google-protobuf to protobuf removes the need to execute the bundle config force_ruby_platform true command before installation.

  • In 2020, the cucumber project forked protobuf for their own use in a way that is incompatible with the main branch. As such, you cannot run any project using cucumber-messages above version 8.0.0 as it depends on the incompatible protobuf-cucumber.

Bug fixes:

  • Improved handling of logging to unwritable destinations.

  • Improved handling of propagation to children of the String class.

  • Improved handling of propagation through Regular Expression where the result of a match is nil.

Language versions currently supported: Python 2.7 and 3.5-3.8

Agent versions released during the past month: 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0

New and improved:

  • Added route coverage support for Django 3.0.

  • Added Falcon 2.0 support.

  • Improved accuracy of library file usage.

  • Improved propagation through regular expressions in Assess.

Important notes:

  • The team made significant internal cleanup to the Request representation.

Bug fixes:

  • Fixed a bug where regex propagation was throwing an exception under certain conditions.

  • Fixed a bug related to agent handling of very short JSON keys and values.

  • Updated protobuf dependency requirement in response to incompatibility issues with older versions.

  • Fixed an issue where the agent raised an internal exception for applications using certain features of pyasn1.

  • Fixed a bug where Django applications were unable to properly parse the Content-Type header if a charset was explicitly provided.

  • Improved error handling around stack trace construction.

This page shows highlights from all Contrast hosted, on-premises and agent releases over the past month.

3.7.5 on-premises release date: July 7, 2020

New and improved:

  • There is a new Vulnerability Instances section under the Notes tab on a vulnerability's detail page. Here you can see associated vulnerability instances with links that navigate to them. Vulnerability instances are listed by ID in descending order based on when they were first found, with the most recently found vulnerability (Last Detected) at the top.

  • The library grid will now sort by library score as the default. This ensures libraries with the most risk are clearly visible. Library version information is now more clearly reported and includes if the library in use is the latest version.

  • Contrast Documentation is still available at docs.contrastsecurity.com, but with a new, cleaner look, an improved search, and content organized by user role. Give us your feedback to help us keep improving.

Bug fixes:

These bugs have been fixed in the past month:

  • TS-3091 (SUP-1267, 1286) Some servers were appearing offline erroneously.

  • TS-3272 (SUP-1443) On-premises upgrade required java.security adjustments. This is no longer required.

  • DOTNET-1738 (SUP-1471, 1491) .NET agent would crash when an overly complex TypeSpec was encountered.

  • NODE-904 (SUP-1634) Node.js agent was requiring the gRPC module which caused the agent to crash.

  • TS-2778 (SUP-1269) Searching for a vulnerability by ID was causing a global search timeout.

  • TS-2641 (SUP-1215) Attestation report was failing to generate when requested.

  • TS-3403 (SUP-1530) On-premises contrast-server.service was failing to restart after upgrade.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.5.15634, 3.7.5.15480

New and improved:

  • Provided route coverage support for the Servlet API.

  • Implemented Sensitive Data Masking with the mask_attack_vector.

  • Added Assess support for DynamoDB.

Bug fixes:

  • Protect caches input regardless of size, potentially leading to OOMs for large requests.

  • Undertow Resource Handlers Should Not Trigger Path Traversal Attacks

  • Path Traversal False Positive Due to Spring's ServletContextResource

  • Race condition in App Inventory along with Protect Struts CVE rules.

  • Log4j2 instrumentation fails on Log4j2 2.13.1

  • Agent Reports Incorrect HTTP Protocol Version on Servlet Containers

  • Protect SQLi SimpleOrSearcher has poor performance on large inputs

  • Assess CSRF Detection Fails When Request Uses form-data/multipart

  • SSRF detection must not treat use of a tainted path as an SSRF vulnerability.

  • Java Agent does not provide a findings field for PathTraversalSemanticDTM

  • Agent Prevents Graceful JVM Shutdown

  • Fix performance metric reporting for Acceptance Tests

  • StringUtil methods for case-sensitive string comparison are wrong for non-alphabetic inputs.

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.6.1, 20.6.3, 20.6.4

New and improved:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • Added support for OWIN based-hosting and self-hosted Web API applications outside of IIS.

  • The agent will now clean up old logs in Azure App Service and Docker-based deployments.

  • Improved logging and reliability around the agent’s auto-upgrade process.

  • Improved performance of Protect XSS.

  • Added support for route-based coverage of WCF services using Unity interception.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When the agent’s service would restart IIS with Contrast sensors on an overloaded server, the service could start receiving messages from those sensors before it was ready to handle them, which led to the sensors failing to initialize. This issue has been fixed now.

  • When a user would set up profiler chaining with AppDynamics in an Azure App Service environment, the AppDynamics profiler would fail to load. This has now been fixed.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.5, 1.5.7, 1.5.8, 1.5.9

New and improved:

  • Improved the Assess analysis used to identify SSRF vulnerabilities to reduce the number of false positives reported by the agent.

  • Improved the Protect analysis used to analyze user inputs for potential SQL injection attacks to improve accuracy and performance.

  • The agent will now clean up old logs.

  • Removed the dependency on Microsoft.Extensions.Caching.Memory.

  • Improved performance of Protect XSS.

  • Improved performance of Protect SQL-Injection.

Bug fixes:

  • When the agent would report vulnerabilities for four response-based Assess rules related to CSP and HSTS, the report would be rejected by Contrast due to missing information. The agent now sends all expected information for these rules.

  • When an instrumented application defined a type using a large number of nested generic types, the agent could cause a StackOverflow error. This has now been fixed.

  • When a user would disable multiple Protect rules through the ‘contrast.protect.disabled_rules’ setting in the yaml file, the agent would not respect this setting. The agent will now respect this configuration setting.

  • When a user would disable logging, the agent’s profiler component would still log high level information during initialization. The profiler will no longer create a log when logging is disabled.

Language versions currently supported: 10 LTS and 12 LTS

Agent versions released during the past month: 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4

New and improved:

  • Multiple architecture and performance improvements.

  • New gRPC communication protocol between the agent and the service improves performance.

  • Removed name and value cookie sources for reflected XSS per updated guidance for both Assess and Protect.

  • Added a sensor for SQLite for Protect.

  • Added support for Koa version 2.12.

  • Reflected XSS is now not reported if Content-Type is allowlisted as safe.

Important notes:

  • A major version release for the Node.js agent is planned for late July or August 2020. Node.js agent version 3.0.0 will introduce breaking changes for customers using the 2.x.x version of the agent and service.

Bug fixes:

  • Implemented multiple bug fixes due to the introduction of the gRPC communication protocol between the JavaScript agent and the agent service.

  • Implemented fixes to resolve route coverage issues that surface when using GraphQL, Apollo Server, and Fastify.

  • Resolved a false positive issue when correctly using Sequelize to escape strings.

  • Resolved exception when fastify.route is called with an uppercase verb.

  • Resolved an issue that manifested as reporting duplicate routes when using the Express framework.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New and improved:

  • Falcon 2.0 is supported and is in beta

  • Upgraded Contrast Service to 2.8.1

Language versions currently supported: 2.5-2.7

Agent versions released during the past month: 3.12.0

New and improved:

  • Caching of settings to improve performance and reduce memory impact

Important notes:

  • Deprecation of CSRF Assess and Protect rules

This page highlights all Contrast hosted, on-premises and agent releases over the past month.

3.7.4 on-premises release date: June 2, 2020

New and improved:

  • For on-premises customers, daily exports of our library data are now available for download. Air-gapped environments can now update library versions without updating the Contrast environment.

  • A new integration plugin beta displays vulnerability information directly in Visual Studio Code so developers can quickly and easily learn about security issues found in their application during functional testing, shifting security left.

Important notes:

  • With this release the .NET Framework agent has forked into two agents. The modern agent will continue to be developed to support recent versions of the .NET Framework, CLR and Windows OS versions. The legacy agent has all of the current features of the .NET Framework agent and will receive critical bug fixes but otherwise will not be further developed.

  • Previously, organizations with very large numbers of Jira users could time out when attempting to set up a Jira integration in Contrast. We have scaled our Jira integration so that this is no longer an issue.

Bug fixes:

These bugs have been fixed in the past month:

  • SUP-549, 1386 (SEC-530, JAVA-455, 1201) Protect was returning false positives and delivering duplicate attack events for some customers.

  • SUP-306 (TS-35) When upgrading Contrast, SQL backup files were silently deleted.

  • SUP-1426 (TS-3129) Null values in mapping application score triggered error messages.

  • SUP-1287, 1432 (JAVA-1191) Customers experienced performance degradation in Protect. This was remedied with significant performance improvements to the CMD Injection, XSS and SQLi rules.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.4.14937

New features and improvements:

  • Added support for (WebSphere) Route Discovery for Servlet 2.5 Declarative Servlets.

  • Increased sensitive data masking coverage, specifically for SQLi, XSS, Command Injection, Path Traversal, CSRF, ReDoS, OGNL Injection.

Bug fixes:

  • XXE vulnerability missed in Assess but flagged as path traversal

  • UI displaying blocked and exploited HTTP Method Tampering events

  • Protect was receiving false negatives for XSS Bypass via Bug Bounty

  • Spring auto binding rule causing false negatives

  • Protect Path Traversal False Positive due to base64 null char

  • NPE in ContrastHttpRouteRegistrationWatcherDispatcherImpl

  • ReportFindings acceptance test annotation is broken

Language versions currently supported: .NET Framework: 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.5.1

New and improved:

  • Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

Important notes:

  • Beginning with this release, the minimum supported operating system is Windows Server 2012 and the minimum .NET Framework version is .NET 4.7.1.

  • The legacy .NET Framework agent maintains support for Windows Server 2008 and older .NET Framework versions. The legacy agent has all of the current features of the .NET Framework agent and receives critical bug fixes but otherwise will not be further developed.

Bug fixes:

  • When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

  • When the agent would report an xcontenttype-header-missing vulnerability, it was rejected due to missing information. The agent now sends all expected information for this vulnerability.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.5.3

New and improved:

  • Improved detection of dangerous path use in Protect; specifically, when interacting with the file system (path-traversal-semantic-dangerous-paths rule) and in arguments to OS commands (cmd-injection-semantic-dangerous-paths rule).

  • The agent will no longer attempt to load under .NET Core versions less than 2.1 as these versions are not supported.

Bug fixes:

  • When an application sent a request to the same URL as the current request, the agent would report an SSRF vulnerability. This is fixed now.

  • When the agent would report an xcontenttype-header-missing vulnerability, Contrast would reject the vulnerability report due to missing information. The agent now sends all expected information for this vulnerability.

  • When an instrumented application closed the response stream, the agent could cause an application error. This is fixed now.

  • When an instrumented application seeked within a response stream, the agent could cause an application error. This is fixed now.

Language versions currently supported:10 LTS and 12 LTS

Agent versions released during the past month: 2.15.0

Important notes:

Bug fixes:

  • The customer application would fail to start when all Assess rules were disabled. This is fixed now.

  • The customer application would fail to start because worker threads would hang and generate multiple processes with the same pid. This is fixed now.

  • The agent would not output the security log to stdout (or stderr). This is fixed now.

  • Duplicated vulnerabilities were being reported for unique routes. This is fixed so that TeamServer displays distinct findings for each request URI.

  • An out-of-memory error caused by a regex match resulted in an infinite loop. This has been fixed.

  • Node.js agent’s migration to npm and incorrectly bundled modules made it seem like the agent was missing two dependencies. This has been resolved.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New and improved:

  • Added support for Django Rest Framework

  • Added copyright to all agent files

  • Removed the agent's external dependency on the wrapt package

  • Improved INFO level logging for easier tracking of applications with multiple processes

Bug fixes:

  • When running the agent with protobuf-3.6.1 sometimes the application crashed, which has now been resolved with a newer protobuf version.

Language versions currently supported: 2.5 - 2.7

Agent versions released during the past month: 3.10.1, 3.10.2, 3.11.0

New and improved:

  • Improved Stack Trace capturing

  • Improved library analysis performance leading to a decrease in first request penalty

Important notes:

  • The Agent now supports TRACE level logging. Those running with DEBUG logging should see a significant decrease in logged events

This page shows highlights from all Contrast hosted, on-premises and agent releases over the past month.

3.7.3 on-premises release date: May 8, 2020

New and improved:

  • In addition to associating vulnerabilities, you can now also associate both discovered and exercised routes with build numbers, application versions, branches or repositories using session metadata. This means you can also query route information with a public API endpoint. With a single call to a public endpoint you can get detailed information on how much of an application has been exercised and where the critical vulnerabilities are.

  • You now have a choice to receive individual policy violation emails or to consolidate them into a single email. Find this option under Organization Settings > Notifications.

  • Your AppSec team can more easily assess library security risk and prioritize work with changes to surface CVE severity and make libraries easier to find. Select Libraries to see a filterable list of libraries with visual display of CVE severity for each one.

Important notes:

  • To improve security, the Contrast JRE version has been updated to Java 11 for both hosted and on-premises customers. This should not affect end users.

Bug fixes:

These significant bugs have been fixed in the past month:

  • SUP-1244 (TS-2697, TS-1494) 3.7.2 on-premises upgrade caused Contrast server and mysqld to attempt to run as the wrong user.

  • SUP-1153 (JAVA-1051) RBAV was incorrectly auto-verifying vulnerabilities.

  • SUP-1172 (JAVA-1060, JAVA-1061, JAVA-1062) Protect input after a rule change caused false positives.

  • SUP-1231 (DOTNET-1458) .NET agent failed to initialize after upgrade.

  • UP-1156 (TS-2526) Inconsistent authorization redirected user to login and then an unauthorized page.

  • SUP-1074, 1234, 1312 (JAVA-1085) WebSphere LDAP/SAML authentication broke with newer versions of Contrast.

Language versions currently supported: Java 1.6 - Java 11

Agent versions released during the past month: 3.7.3.14727, 3.7.3.14657

New and improved:

  • Contrast Assess more accurately detects Path Traversal vulnerabilities. Contrast Assess and Protect more accurately detect vulnerabilities and attacks respectively in Apache Struts based applications. Contrast Protect more accurately detects SQL Injection attacks.

Important notes:

  • This release includes breaking changes to Contrast Assess route coverage reporting when used with on-premises Contrast servers version 3.7.2 and older.

Bug fixes:

  • When WebSphere users configured their WebSphere services with custom TLS certificates, the Contrast Java agent prematurely initialized WebSphere's certificate manager as a side-effect. This caused the WebSphere TLS connections to fail unexpectedly. This issue has been resolved by adding a special exception for WebSphere to Contrast's TLS initialization whereby Contrast will use an isolated `SSLSocketFactory` instead of the Java runtime's default system socket factory.

  • When users configure their application with a session-based vulnerability auto-verification policy, and the user does not configure their Contrast agent with an explicit session_id configuration parameter, then Contrast wrongfully auto-verifies vulnerabilities. We resolved this issue by fixing a race condition, so we can ensure that auto-verification will work as expected when the user has configured their agent to use the contrast.agent.java.standalone_app_name configuration.

Language versions currently supported: .NET Framework: 3.5, 4.0, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8

Agent versions released during the past month: 20.4.1, 20.4.2, 20.4.3

New and improved:

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example, invalid yaml).

Important notes:

  • The agent’s auto-update feature will no longer update the agent when running on Windows Server 2008 or servers with .NET Framework 4.7.0 or older. This change is in preparation for the upcoming fork of the Contrast .NET Framework agent. See below for more details.

  • The next release of the .NET Framework agent will raise the minimum supported operating system to Windows Server 2012 and raise the minimum .NET Framework version to .NET 4.7.1. Support for Windows Server 2008 and older versions of the .NET Framework will be maintained via a fully featured legacy .NET Framework agent. This legacy agent will have all of the current features of the .NET Framework agent and will receive critical bug fixes but otherwise will not be the focus for future .NET development.

Bug fixes:

  • When an application hosted on IIS was (mis)configured without a virtual path, the agent’s background Windows service would crash. The agent’s background Windows service now properly handles this configuration.

  • A race condition around requests for configuration values that did not have default values could lead to a crash of the agent’s background Windows service. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.

Language versions currently supported: .NET Core: 2.1, 2.2, 3.0, 3.1

Agent versions released during the past month: 1.4.0, 1.5.0

New and improved:

  • Added support for Linux Azure App Service.

  • Added support for Alpine.

  • Improved handling of scenarios where the agent would write repeated errors to log files, creating larger than necessary log files.

  • The agent will now log unknown configuration keys at startup. This should help with troubleshooting configuration issues (for example invalid yaml).

Bug fixes:

  • When applications redirected to a URL that had been validated using Url.IsLocalUrl, the agent would still report an unvalidated redirect vulnerability. The agent will now respect the Url.IsLocalUrl validator.

  • A race condition around requests for configuration values that did not have default values could lead to an unhandled error in the agent. The race condition has been fixed, default configuration values have been provided for all configuration options, and missing default configuration values are now properly handled.

Language versions currently supported:

Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0

New and improved:

  • Fastify framework support: Fastify 2.x is now a supported framework for the Contrast Node.js agent.

  • NPM availability: The Contrast Node.js agent can now be installed directly from the Contrast Security public NPM repository

  • Pre-load capabilities: The Node.js agent can now be run as a pre-load module using the -r flag. This is also now the recommended method of running the Contrast Node.js agent.

Important notes:

  • Running the node agent as a runner will now generate a deprecation message. This is the deprecated syntax:

    node-contrast <app-main>

    The agent will continue to function when executed as a runner. However, we encourage customers to migrate to the new pre-load method of running the Contrast Node.js agent, as the runner syntax is no longer recommended.

Bug fixes:

  • After architecture improvements were made to the agent, some applications were prevented from starting with the agent. This has been resolved and users should no longer receive error messages like these:

    cls.run(() => {
        ^
    TypeError: Cannot read property 'run' of undefined
    
    OR
    
    /usr/src/app/node_modules/node_contrast/lib.asar/AsyncStorage/index.js:188
        if (ns.active) {
    
    TypeError: Cannot read property 'active' of undefined

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0

New and improved:

  • Added initial support for Stored XSS rule in Assess for django framework.

  • Added Unvalidated Redirect support for Assess for pyramid and webob objects.

  • Made updates to reduce number of false positives from Reflected XSS rule in Assess.

  • Removed the agent’s external dependency on the six package.

Bug fixes:

  • When running the agent under Python 2.7 on Ubuntu 16.10 some instrumentation failed to apply, which has now been resolved.

  • When applications used str.format in certain edge cases, the agent lost dataflow propagation, which has now been resolved. 

Language versions currently supported: 2.4 - 2.7

Agent versions released during the past month: 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0

New and improved:

  • Enhanced module definition detection using TracePoint

Important notes:

  • This will be the last on-premises release bundled with a gem that supports Ruby 2.4.

  • It is recommended to use RubyGems at this point.