Release News

Contrast 3.6.5 - June 2019

Fixes

  • Default library score settings weren't reflected correctly in the application score.
  • Attempting to approve or deny pending vulnerabilities caused an error.
  • Users with an Edit role couldn't export library data from the library's Overview page.
  • Sending a vulnerability to Jira with an attachment caused an error in some cases.
  • Managing user access groups caused internal server errors for some SaaS users.
  • Cache issues prevented users from seeing vulnerability details after applying a license to an application.
  • Slack integration notifications ignored New Asset selections made in Notification Settings.
  • The Libraries grid timed out and returned errors in some users' SaaS environments.

Improvements

  • Set up session metadata to pinpoint the source of vulnerabilities for each of your applications. To get started, configure your agent to report one of the available metadata types, including build numbers, branch names, repositories, and committers. Go to your application’s Vulnerabilities tab to see the data in the new vulnerabilities timeline, and use the Seen By column in the grid to filter vulnerabilities by specific values.

  • Use source names to label attack events by expected sources so you can promptly choose which attack events to investigate. All you need is the IP information for a known source (like a pen tester) to get started. When you view attacks in the Attacks > Monitor page and Attacks Details pages, Contrast will display the source name instead of the attacker’s IP information. (We’ll be adding source names to the Attack Events grid next!)

  • Contrast offers two new Protect rules against unsafe files: The Unsafe File Uploads rule blocks malicious files being uploaded to web applications, and the Zip File Overwrite rule protects against malicious files and directory structures within zip files uploaded to web applications. These rules are available for all languages.

Agent Updates

Java summary

Check back next release for updates!

.NET summary

The .NET team added support for agent use within Docker containers for .NET 4.5.2+ applications. We improved accuracy of an insecure authentication protocol Assess rule, and added a new Assess rule to detect the “X-Powered-By” header. We fixed a bug that caused a null reference error in processing exclusions. We also added support for setting application.code.

Note: The agent no longer supports the legacy DotnetAgentService.exe.config file for application pool whitelisting and blacklisting. We recommend that you move these configuration values to agent.dotnet.app_pool_whitelist and agent.dotnet.app_pool_blacklist in the contrast_security.yaml. This change applies to all versions after 19.5.4.

.NET Core summary

The .NET Core agent for Windows is now available! The agent supports many of the same expansive Assess and Protect security policies as the .NET Framework agent, including detection of all the most important vulnerabilities and attacks. To start using the agent, check out the system requirements, and then download and install the agent from the Contrast UI.

Node.js summary

The Node.js team expanded rule coverage and better precision for our 2.4.0 release. We now support an Unsafe File Upload Protect rule (in Express and Koa) to block attacks or monitor at perimeter, as well as Server Side Request Forgery (SSRF) detection in Assess. We properly block Protect rules in Hapi by returning 403 not 500 in certain cases. Lastly, we've added support for multi-part form uploads in Koa.

Ruby summary

The Ruby team delivered expanded rule coverage and better performance for our 2.6.0 release. The agent now supports an Unsafe File Upload Protect rule to block attacks at perimeter as well as Server Side Request Forgery (SSRF) detection in Assess. We also enhanced our string instrumentation rewriting along with other under-the-hood performance improvements.

Python summary

The Python agent's 1.10.0 release introduces a few important changes. We're dropping support for Python 3.4 as it's reached its End of Life date. We also allow users to set Protect rule modes in the configuration YAML, which gives you more control over deployed instances of the agent without using the Contrast UI. We also improved response handling on SecurityExceptions: In the instance application code catches our exception during an attack, the agent will send the exception after application code has completed, if we need to block a request. Some minor bug fixes include the CSRF header used by the agent and improvements for the PyramidMiddleware with legacy Pyramid versions.

Contrast 3.6.4 - May 2019

Fixes

  • Auto-remediation settings did not immediately update vulnerability statuses.
  • Attack even data was not displayed properly in Diagnostics.
  • Clicking the server count in an application Overview page did not direct you to the correct servers.
  • Users weren't able to set up SSO with Azure.
  • Email notifications for compliance policy violations didn't include the correct link to the UI.

Improvements

Enable Server Messages to stay on top of agent updates. When your agent version is out of date, Contrast will send you an email with recommendations for updates. You can also check your notifications in the Contrast UI, or hover over the warning icon in the Servers grid and your server's Overview tab for a reminder. To enable Server Messages, go to the Notifications page from Your Account or Organization Settings.

Agent Updates

Java summary

Check back next release for more updates!

.NET summary

The .NET team improved the accuracy and performance of Protect Command Injection as well as the accuracy of Protect SQL-Injection and Reflected XSS. We implemented a Server Side Request Forgery (SSRF) rule for Assess. We also fixed a bug where the Tray would occasionally fail to update agent status.

Node.js summary

The Node team focused on broadening framework support. We added support for the Koa framework as well as Route Coverage support for Koa for applications using koa-router. We also added Route Coverage support for Hapi. We added agent.heap_dump configuration settings to allow periodic creation of heap dumps for debugging v8 crashes and memory issues. Bug fixes included:

  • Creating an Express router with no routes no longer causes an error
  • Passing an object to sequelize.query no longer causes the sensor to fail
  • The ast-types module no longer crashes when loaded with Assess enabled

Ruby summary

The Ruby team focused on expanding our feature offering for this release. We expanded our rule coverage to include support for several new Assess rules, with a focus on rules responsible for HTTP Session security evaluation. To improve our customer support, we also added the ability to generate heap dumps directly from the agent. Finally, to further our effort to improve our interoperability with other testing infrastructures, we've continued to transition our sensor weaving into C, and we've addressed bugs causing an incompatibility with the FactoryBot testing framework.

Python summary

The Python team refactored our middleware code to work better with the range of frameworks we support, including older versions of Django. Improvements to agent startup eliminated some noisy trackback logs from configuration and Route Coverage. Bug fixes include the XXE rule with SAX incorrectly patching and improperly setting Django headers in responses.

Contrast 3.6.3 - April 2019

Fixes

  • System Admins couldn't create users by CSV import when the Email Activation field was set to "false".
  • Super Admins couldn't save Library Compliance setting unless version requirements were enabled for "all libraries".
  • API documentation wasn't available for SaaS users.
  • Libraries displayed release dates from 1899.
  • Links from an application's Route Coverage page didn't direct users to the the correct list of vulnerabilities.
  • Editing a user profile without changing their Organization Role caused errors.
  • The Compliance Policy filter wasn't working correctly on the Applications grid.
  • Users with two-factor authentication enabled had issues with login redirects and loading application details.

Improvements

The Custom Agent Profile option in the Add Agent wizard is gone! Use the proxy properties in your Java or .NET agent's YAML file to set proxy credentials for communication with the Contrast UI.

Agent Updates

Java summary

The Java team improved the accuracy of Assess XSS, SQL injection rules as well as the accuracy of Protect command injection and SQL injection rules. We enabled Runtime Exploit Prevention (REP) by default for Protect users on SaaS and EOP. (You can also update the settings for individual REP rules in your agent's configuration file.) We also made the Java agent available on Maven Central. See the new documentation to learn more!

.NET summary

The .NET team fixed the following bugs:

  • In one limited scenario, Contrast could reject some vulnerability reports from the agent.
  • Parameter pollution vulnerabilities reported by the agent wouldn't be rendered correctly by Contrast.
  • The agent could cause ServerVariables to contain null values when accessed using different cased names.
  • The agent would fail to identify WCF as an architecture component.

Node.js summary

The Node team worked to provide support for two new web frameworks: Beta support for Koa, the predecessor to Express, as well as full support for Hapi 18 (the latest version). The team also added instrumentation support for the Multer middleware module, which allows the agent to track and analyze untrusted data from multipart form bodies. We resolved a bug that caused the agent to report Assess false positives for PostgreSQL database queries. We added support for the application code configuration option, and removed deprecated configuration options. The agent supports the piping of log messages to /dev/null. We also worked on removing Node 6 support, which has entered EOL. To top it all off, this release includes various enhancements that provide both breadth and accuracy in our Assess data-flow propagators.

Ruby summary

The Ruby team focused on improving performance of our Assess product. We refactored the way our Monkey Patching works to ensure namespace collisions no longer occur with existing methods, and updated lookups of these renamed methods to take advantage of better caching techniques. We also worked to isolate the processes in which the agent runs its instrumentation, which reduces impact to non-security related operations; this has improved our compatibility with common processes such as Rake and Sidekiq.

Python summary

The latest version of the Python agent includes a collection of product quality updates. To improve stability and agent quality, the team identified different aspects of the agent that needed improvements and updated them. This also helped us identify any small errors that could have occurred in the future. We also fixed several small bugs, like accidentally patching twice for certain libraries and a scenario in which the agent may retry to initialize itself.

Contrast 3.6.2 - March 2019

Fixes

  • A typo in the Windows sample for Automations Options caused some trouble when onboarding a Java agent.
  • Providing your own configuration file during agent onboarding caused errors.
  • All recommended Assess Rules weren't enabled by default in all environments for new organizations.
  • The Libraries grid displayed the number of vulnerabilities associated with the applications using it, not the individual library.
  • The library name tooltip wasn't properly displayed in the Libraries grid when the release date was "0".

Improvements

  • Enhancements to the Contrast Jenkins plugin make easier to work with your application in the post-build step. If you have access to multiple applications, the dropdown menu turns into a search-as-you-type field to help you find the right one. The application list also refreshes automatically in the background to stay in sync with the Contrast UI.
  • Enterprise-on-Premises (EOP) has been upgraded to Tomcat 7.0.92.

Agent Updates

Java summary

The Java team improved the accuracy of Protect command injection, SQL injection and XSS rules. We also fixed a bug where exclusions weren't applied for some Protect rules. We cleaned up and clarified the output of the agent’s diagnostic connection check, made minor improvements to agent startup time, and reduced redundant log messages.

.NET summary

The .NET team improved the accuracy of Assess path traversal as well as the performance of Assess data flow analysis. We fixed a bug where modifying the agent’s configuration file while the agent was running could cause an error in the agent’s background Windows service. We also reduced redundant log messages.

Node.js summary

The Node team focused on developing a new implementation for performing data flow analysis and string tracking. The changes introduced, which leverage native C++ add-ons, improve both agent stability and the accuracy of Assess findings. The team also focused on improving the accuracy of reporting propagation through specific String and Array methods, such as slice and join. We made additional improvements to strengthen the agent's ability to detect hard-coded passwords. We added Assess support for DynamoDB. Additionally, the agent now recognizes the CONTRAST_CONFIG_PATH environment variable, which you can use to specify the location of an agent’s configuration file.

Ruby summary

The Ruby team focused on updating support to align with the LTS versions of the Ruby language. As a result, the supported range of Ruby for agent 2.3.0 and greater has changed to 2.3.0-2.6.X. We also updated dynamic patching to utilize C methods instead of standard Ruby aliasing, which preserves method scope. Both of these changes improve the overall performance and stability of the Ruby agent.

Python summary

The Python agent team worked to improve our Pyramid and WSGI middlewares by refactoring response information. This includes Command Injection hardening for new lines and inline comments along with support for the PyYAML 5.1 release that broke a lot of open-source projects. We added better image response handling to remove a possible slow down or crash in the agent.

Contrast 3.6.1 - February 2019

Fixes

  • The Contrast UI loads correctly with Internet Explorer 11.
  • The Libraries grid loads correctly, even if you sent a library to a bugtracker.
  • Timestamps are back in the Vulnerabilities and Servers grids.
  • Custom banners are fixed at the bottom of the grids pages.
  • The Servers grid is immediately populated once you onboard your first application.
  • The Build Numbers filter has returned to each application's Vulnerabilities tab.
  • You can add an exclusion for a Protect Rule from an attack Overview page.
  • Java launchers can download a new Java agent.

Improvements

Check back next release!

Agent Updates

Java summary

The Java team improved memory usage of Assess analysis, reduced noise in data flow analysis against applications using logback, and added an Assess validator for the Spring framework. We fixed an issue in Assess data flow analysis involving unmodifiable lists as well as an issue where reporting of parameter names and values could be swapped under JaxRS applications.

.NET summary

The .NET team fixed race conditions when evaluating exclusions and capturing a stack trace, and improved performance of instrumentation. We also implemented Untrusted Deserialization for Protect covering all formatters with known exploits in the .NET Framework Base Class Library (BCL) as well as JSON.NET.

Node.js summary

The Node team resolved an issue where the asar library was causing an npm audit run to fail. We updated the NoSQL rule to catch a potential attack using the not equal operator. We also closed an issue where the agent couldn't be installed on a bare-bones Linux distribution due to a dependency of a dependency relying on the git executable being available.

Ruby summary

The Ruby team has focused on performance and security updates in the Assess features of the agent. We moved Regex, Kernel and Enumerator patching from the Ruby code to the underlying C level. We updated the policy to be more conservative about patching ancestors of methods. We also added a check for port in use before starting the Contrast Service.

Python summary

The Python agent team added support for the urllib3 and requests library for the SSRF Protect Rule. We made additional updates for performance and code stability in how Protect Rules are applied to sinks.

Contrast 3.6.0 - January 2019