Check back next release!
The Java team improved the memory usage of Assess analysis, reduced noise in data flow analysis for applications using logback, and added an Assess validator for the Spring framework. We fixed an issue in Assess data flow analysis involving unmodifiable lists, as well as an issue where reported parameter names and values could be swapped in JAX-RS applications.
The .NET team fixed race conditions when evaluating exclusions and capturing a stack trace, and improved the performance of instrumentation. We also implemented Untrusted Deserialization for Protect, covering all formatters with known exploits in the .NET Framework Base Class Library (BCL) as well as JSON.NET.
The Node team resolved an issue where the asar library was causing an npm audit run to fail. We updated the NoSQL rule to catch a potential attack using the not-equal operator. We also closed an issue where the agent couldn't be installed on a bare-bones Linux distribution because a transitive dependency relied on the git executable being available.
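The not-equal attack the NoSQL rule now catches is operator injection: a JSON body such as {"user": "admin", "pass": {"$ne": ""}} passed straight into a MongoDB filter matches any password that is not empty. The following is an added example, not the Contrast agent's rule logic, showing a detector that walks a decoded body for operator keys beside a hardened query builder; the function names and sample bodies are constructed for illustration.

```python
"""Operator-injection detection for JSON request bodies (added example)."""
from typing import Any


def find_operator_keys(value: Any, path: str = "body") -> list:
    """Walk a decoded JSON body and return the paths of any keys that would be
    interpreted as query operators by MongoDB (every operator starts with '$').
    Nested objects and arrays are searched so {"$or": [...]} tricks are caught."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            if isinstance(key, str) and key.startswith("$"):
                hits.append(f"{path}.{key}")
            hits.extend(find_operator_keys(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_operator_keys(child, f"{path}[{i}]"))
    return hits


def build_login_filter(body: dict) -> dict:
    """Hardened form: coerce the untrusted fields to strings, so an object such
    as {"$ne": ""} can only ever be compared as a literal, never as an operator."""
    return {"user": str(body.get("user", "")), "pass": str(body.get("pass", ""))}


# Constructed sample bodies; nothing is sent to a database.
BENIGN = {"user": "alice", "pass": "hunter2"}
ATTACK = {"user": "admin", "pass": {"$ne": ""}}

if __name__ == "__main__":
    for body in (BENIGN, ATTACK):
        print(body, "->", find_operator_keys(body) or "clean")
    print(build_login_filter(ATTACK))
```

The detector flags any `$`-prefixed key rather than a fixed list, because every MongoDB query operator uses that prefix; the builder shows the fix an application should apply regardless of whether a runtime rule is in front of it.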
The Ruby team focused on performance and security updates in the Assess features of the agent. We moved Regex, Kernel and Enumerator patching from Ruby code down to the underlying C level. We updated the policy to be more conservative about patching ancestors of methods. We also added a check for a port already in use before starting the Contrast Service.
The Python agent team added support for the urllib3 and requests libraries in the SSRF Protect rule. We also made further updates for performance and code stability in how Protect rules are applied to sinks.
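The SSRF rule sits at the sink, the outbound request made by urllib3 or requests. As an added example, not the Contrast rule itself, the following check shows what such a sink guard has to decide: the scheme is http(s), and every address the host resolves to is globally routable, so loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata address) and IPv4-mapped IPv6 forms are refused before any connection is opened. The resolver is injectable and the hostname table is constructed so the example runs offline; the function names are illustrative.

```python
"""Sink-side SSRF target check (added example, not the agent's implementation)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list:
    """Default resolver: every address the OS returns for the host. Also
    normalises shorthand literals such as 0x7f000001 or 127.1 to dotted quads."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_target(url: str, resolve: Resolver = system_resolver) -> bool:
    """True only if url is http(s) and every resolved address is global.
    Resolving here, before the request, means the decision is made on the
    addresses the client would actually connect to (subject to the usual
    DNS TOCTOU caveat, which a real agent handles by hooking the socket)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # userinfo removed, IPv6 brackets stripped
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: no lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False  # unresolvable or malformed: fail closed
    if not addrs:
        return False
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
        if not addr.is_global:
            return False  # one bad address (e.g. rebinding mix) rejects the URL
    return True


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "evil.test": ["93.184.216.34", "127.0.0.1"],  # public and loopback mixed
}


def fake_resolver(host: str) -> list:
    if host not in FAKE_DNS:
        raise socket.gaierror(host)
    return FAKE_DNS[host]


def guarded_get(url: str, fetch, resolve: Resolver = system_resolver):
    """Wrap a client call such as requests.get: refuse before sending."""
    if not is_safe_target(url, resolve):
        raise ValueError(f"SSRF blocked: {url}")
    return fetch(url)


if __name__ == "__main__":
    for u in ("https://example.com/api", "http://internal.corp/", "http://[::1]/"):
        print(u, "->", "allowed" if is_safe_target(u, fake_resolver) else "blocked")
```

Note that the check runs only on the first URL; redirects issued by the remote server are a second sink and need the same test on each hop (requests follows them by default), which is one reason a rule applied at the library level is more robust than a check in application code.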
Check back next release!
The Java team improved the accuracy of the Protect SQL Injection, XSS and Expression Language Injection rules, as well as the Assess SQL Injection rule. We fixed several errors that don't affect analysis but would cause noise in agent logs:
We also fixed an error that could occur under the Play framework, and reduced the log severity when the agent can't determine the database type of a database architecture component. We added support for using the contrast namespace for command-line and system-property YAML configuration properties (e.g.,
Java 1.5 is no longer supported as of version 3.6.0 of the Java agent. The Java agent supports most Java runtimes for versions 1.6 through 1.8. For a complete list of supported Java runtimes, see Supported Technologies.
The .NET team fixed an issue where the agent could cause an error when ASPX pages are used to generate CSS files.
The Node team released the last 1.x agent before migrating to the new dataflow tracking technology in the 2.0 version of the agent, which we plan to release in February. The latest version has updates to prevent side effects in data flow through ternary statements, as well as updates to Syslog support.
The Ruby team added support for server names that contain non-UTF-8 characters, and fixed a defect where the agent couldn't send activity messages when the path segment of the URI was nil. In Assess mode, the agent now better handles edge cases with frozen strings.
The Python team added support for Python 3.7. We extended support for the metadata feature by sending metadata in the application startup message. The agent also supports a configuration option to disable automatic startup of the service in environments where the service is launched by an external runner.
Our gift to you: completely revamped grids for all your applications, servers and vulnerabilities!
Redesigned and enhanced grids for applications, servers, and vulnerabilities make the most important data easier to find and streamline your daily tasks. Improvements include, but are certainly not limited to, filters per column, enhanced search functions, instantly visible tags and easier access to row actions. If you have questions or suggestions for more improvements, use the Give Us Feedback button above any of the grids.
Assign key:value pairs to applications during onboarding for better organization and tracking. Go to Organization Settings > Applications to define custom fields, such as Application ID, Business Unit and Point of Contact, for new and existing applications. Contrast even provides a preformatted configuration property to copy and use in your own files.
Configure your VSTS integration to send tickets to a specific backlog for a subproject.
The Java team expanded coverage of the Protect Expression Language Injection rule to also cover RichFaces CVEs, including CVE-2018-14667. We improved the accuracy of the Regular Expression DoS rule as well as the reliability of the Protect CSRF rule. We also fixed an issue where the agent could fail to enable Assess rules if all rules were enabled.
The .NET agent installer no longer requires a DotnetAgentSettings.ini file; it now requires a contrast_security.yaml file. Unlike the .ini file, the YAML file supports all of the .NET agent’s configuration options.
The agent now detects new values for application version, group and tags in re-deployed web.config files without requiring an agent restart. Changes to Protect rule modes also take effect without a restart. The .NET team also completed the following bug fixes:
In version 1.36.0, the Node team improved the accuracy of our hard-coded keys vulnerability detection. We fixed a bug that caused some vulnerability reports to be rejected due to having an invalid data type set for the server's port value. We also fixed a bug in the agent's startup process that, under certain policy conditions, prevented the agent from discovering route coverage information for Express.js applications.
For the 2.0.10 release, the Ruby team enhanced the agent's Assess functionality. We moved several method patches to C and refactored how extensions are generated, so that applications are instrumented more reliably in Assess mode. We also resolved a bug in Assess parameter tracking, which allows for more accurate dataflow detection.
Version 1.4.0 brings new Protect enhancements for XSS, Path Traversal and Command Injection. The Python team also improved our library analysis architecture to be more memory efficient and use fewer processes. We made configuration updates to preserve backward compatibility with existing YAML files.
As of Contrast version 3.5.8, the auto-updating version of the Java agent is no longer available for download. The auto-update feature is not compatible with Contrast's design changes made to support the Java Platform Module System included in Java beginning with version 9. Existing agents with the auto-update feature will continue to function; however, once Contrast releases an agent capable of supporting Java 9+, they will no longer update to the latest version.
For more details on Java agent updates, see the Java summary below.
See your Protect data logs in SumoLogic via integration with the SIEM API. Browse through logs, and quickly find exactly what you’re looking for.
Contrast upgraded to MySQL 5.7 for embedded MySQL.
The Java agent team improved the accuracy of the Assess Path Traversal rule on Spring applications. We added better Assess support for Jersey 2.0, including route detection for Jersey 2.0+ applications. The agent also supports setting common configuration properties via environment variables.
The .NET team fixed a bug in which the agent wasn't respecting the legacy TeamServerValidateCert configuration setting. We also fixed a bug in which the agent failed to restart properly when profiler chaining was enabled and the Assess or Protect mode was changed. We made improvements to:
System.Char values in the trigger event of Assess vulnerabilities
The agent supports Azure Application Service-hosted applications that are hosted outside of the wwwroot/bin directory.
The Node agent now supports Node 10, the latest long-term support (LTS) version of Node. The Node team also updated support for TLS connections to the Contrast UI using the common configuration options. We modified the agent's logging levels to match the other agents, and closed a bug in the Winston logger. We also enhanced logging around
The Ruby team has released the Assess agent! The Ruby agent also supports the common configuration entries for customizing TLS connections to the Contrast UI. Due to performance issues, we removed log enhancers for classes loaded after the agent has initialized. (This functionality will be re-enabled in the next release.)
The Python agent now supports communication with the Contrast Service over Unix sockets. The Python team updated configuration to support customized TLS connections to the Contrast UI. The agent also runs a periodic thread that verifies its connection status with the Contrast UI.
Set up administrative approval for vulnerability closures and see route coverage for Jersey applications.
Use our new option to require administrative approval when a user attempts to close a vulnerability. Go to the Organization Settings > Applications page to choose which closed statuses and severities require approval. When a user attempts to close a vulnerability with a status and severity you've chosen, it goes into a Pending state until you approve or deny the change.
The Jenkins 2.8 plugin lets you query by build numbers or vulnerability timestamps, and also fail a build for only new vulnerabilities. For large-scale deployments, the plugin also supports the use of application UUIDs instead of application names.
The Java agent now reports route-based application coverage for Jersey 2.26+. The Java team fixed an issue in which the agent would fail to instrument certain Equinox classes, as well as a false positive when applications used HttpServletRequest.getContextPath. Spring Boot applications using the contrast.standalone.appname configuration now accurately report libraries.
The .NET agent team added “System.Web.Mvc.UrlHelper.IsLocalUrl” as a validator for unsafe redirects, and improved agent performance when the analyzed application communicates with web services using HttpClient. We also fixed bugs where:
Check back next month for an update on our latest (and greatest) work.
The Ruby agent team is preparing the final updates for GA of the Ruby Assess agent. The team has also been working on performance by optimizing the initial inventory message and moving library analysis into its own thread. We fixed an issue where Rails under Passenger wasn't correctly generating routes for GET requests, as well as a separate issue where Sinatra wouldn't start in Assess mode when class_eval was being used.
The Python team has continued to implement the REP Protect rules, with the Path Traversal rule now complete. The team also made a few updates to the implementation of the common configuration properties, including support for the global enable flag, broader support for ENV overrides, and a fix allowing an ENV variable to be used when the entire configuration section is omitted from the YAML file.
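A Path Traversal rule has to judge the path the application is about to open, not the string the user supplied: "../" chains, absolute paths, sibling directories that share a prefix with the base, and symlinks that point outside it all have to be caught after resolution. The following is an added example of that check, not the Contrast rule; the sandbox layout it builds in a temporary directory and the function names are constructed for illustration.

```python
"""Resolved-path containment check for path traversal (added example)."""
import os
import tempfile


def resolve_under(base: str, user_path: str) -> str:
    """Return the absolute, symlink-resolved path for user_path if it stays
    inside base; raise ValueError otherwise. Comparing the *resolved* path
    with commonpath catches "../" chains, absolute paths and symlinks that
    leave base; a plain string-prefix check would also accept base + "2"."""
    base_real = os.path.realpath(base)
    # os.path.join discards base when user_path is absolute, which is exactly
    # the case the containment test below must then reject.
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes {base_real}: {user_path!r}")
    return target


def is_traversal(base: str, user_path: str) -> bool:
    """True when the request would be blocked by resolve_under."""
    try:
        resolve_under(base, user_path)
        return False
    except ValueError:
        return True


def make_sandbox() -> str:
    """Constructed layout: base/docs/readme.txt, a secret outside base, and a
    symlink inside base pointing at that secret (skipped where symlinks are
    unavailable, e.g. unprivileged Windows)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "base")
    os.makedirs(os.path.join(base, "docs"))
    with open(os.path.join(base, "docs", "readme.txt"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("top secret")
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
    except OSError:
        pass
    return base


def symlink_guard_holds(base: str) -> bool:
    """True if the sandbox symlink is absent or is correctly rejected."""
    link = os.path.join(base, "link")
    return (not os.path.islink(link)) or is_traversal(base, "link")


if __name__ == "__main__":
    base = make_sandbox()
    for p in ("docs/readme.txt", "../secret.txt", "docs/../../secret.txt",
              "/etc/passwd", "../base2/x", "link"):
        print(f"{p!r:28} -> {'BLOCK' if is_traversal(base, p) else 'allow'}")
```

Resolving with realpath before the comparison is the step that matters: a check on the raw string can be bypassed by "./../", by "%2e%2e" that a framework decodes later, or by a symlink the attacker controls, while the resolved path is what the open() call will actually touch.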