Release News

Contrast 3.6.3 - April 2019

Fixes

  • System Admins couldn't create users by CSV import when the Email Activation field was set to "false".
  • Super Admins couldn't save Library Compliance setting unless version requirements were enabled for "all libraries".
  • API documentation wasn't available for SaaS users.
  • Libraries displayed release dates from 1899.
  • Links from an application's Route Coverage page didn't direct users to the correct list of vulnerabilities.
  • Editing a user profile without changing their Organization Role caused errors.
  • The Compliance Policy filter wasn't working correctly on the Applications grid.
  • Users with two-factor authentication enabled had issues with login redirects and loading application details.

Improvements

The Custom Agent Profile option in the Add Agent wizard is gone! Use the proxy properties in your Java or .NET agent's YAML file to set proxy credentials for communication with the Contrast UI.

Agent Updates

Java summary

The Java team improved the accuracy of the Assess XSS and SQL injection rules, as well as the accuracy of the Protect command injection and SQL injection rules. We enabled Runtime Exploit Prevention (REP) by default for Protect users on SaaS and EOP. (You can also update the settings for individual REP rules in your agent's configuration file.) We also made the Java agent available on Maven Central. See the new documentation to learn more!

.NET summary

The .NET team fixed the following bugs:

  • In one limited scenario, Contrast could reject some vulnerability reports from the agent.
  • Parameter pollution vulnerabilities reported by the agent wouldn't be rendered correctly by Contrast.
  • The agent could cause ServerVariables to contain null values when accessed using different cased names.
  • The agent would fail to identify WCF as an architecture component.

Node.js summary

The Node team worked to provide support for two new web frameworks: Beta support for Koa, the predecessor to Express, as well as full support for Hapi 18 (the latest version). The team also added instrumentation support for the Multer middleware module, which allows the agent to track and analyze untrusted data from multipart form bodies. We resolved a bug that caused the agent to report Assess false positives for PostgreSQL database queries. We added support for the application code configuration option, and removed deprecated configuration options. The agent supports the piping of log messages to /dev/null. We also worked on removing Node 6 support, which has entered EOL. To top it all off, this release includes various enhancements that provide both breadth and accuracy in our Assess data-flow propagators.

Ruby summary

The Ruby team focused on improving performance of our Assess product. We refactored the way our Monkey Patching works to ensure namespace collisions no longer occur with existing methods, and updated lookups of these renamed methods to take advantage of better caching techniques. We also worked to isolate the processes in which the agent runs its instrumentation, which reduces impact to non-security related operations; this has improved our compatibility with common processes such as Rake and Sidekiq.

Python summary

The latest version of the Python agent includes a collection of product quality updates. To improve stability and agent quality, the team identified different aspects of the agent that needed improvements and updated them. This also helped us identify any small errors that could have occurred in the future. We also fixed several small bugs, like accidentally patching twice for certain libraries and a scenario in which the agent may retry to initialize itself.

Contrast 3.6.2 - March 2019

Fixes

  • A typo in the Windows sample for Automations Options caused some trouble when onboarding a Java agent.
  • Providing your own configuration file during agent onboarding caused errors.
  • All recommended Assess Rules weren't enabled by default in all environments for new organizations.
  • The Libraries grid displayed the number of vulnerabilities associated with the applications using it, not the individual library.
  • The library name tooltip wasn't properly displayed in the Libraries grid when the release date was "0".

Improvements

  • Enhancements to the Contrast Jenkins plugin make it easier to work with your application in the post-build step. If you have access to multiple applications, the dropdown menu turns into a search-as-you-type field to help you find the right one. The application list also refreshes automatically in the background to stay in sync with the Contrast UI.
  • Enterprise-on-Premises (EOP) has been upgraded to Tomcat 7.0.92.

Agent Updates

Java summary

The Java team improved the accuracy of Protect command injection, SQL injection and XSS rules. We also fixed a bug where exclusions weren't applied for some Protect rules. We cleaned up and clarified the output of the agent’s diagnostic connection check, made minor improvements to agent startup time, and reduced redundant log messages.

.NET summary

The .NET team improved the accuracy of Assess path traversal as well as the performance of Assess data flow analysis. We fixed a bug where modifying the agent’s configuration file while the agent was running could cause an error in the agent’s background Windows service. We also reduced redundant log messages.

Node.js summary

The Node team focused on developing a new implementation for performing data flow analysis and string tracking. The changes introduced, which leverage native C++ add-ons, improve both agent stability and the accuracy of Assess findings. The team also focused on improving the accuracy of reporting propagation through specific String and Array methods, such as slice and join. We made additional improvements to strengthen the agent's ability to detect hard-coded passwords. We added Assess support for DynamoDB. Additionally, the agent now recognizes the CONTRAST_CONFIG_PATH environment variable, which you can use to specify the location of an agent’s configuration file.

Ruby summary

The Ruby team focused on updating support to align with the LTS versions of the Ruby language. As a result, the supported range of Ruby for agent 2.3.0 and greater has changed to 2.3.0-2.6.X. We also updated dynamic patching to utilize C methods instead of standard Ruby aliasing, which preserves method scope. Both of these changes improve the overall performance and stability of the Ruby agent.

Python summary

The Python agent team worked to improve our Pyramid and WSGI middlewares by refactoring response information. This includes Command Injection hardening for new lines and inline comments along with support for the PyYAML 5.1 release that broke a lot of open-source projects. We added better image response handling to remove a possible slow down or crash in the agent.

Contrast 3.6.1 - February 2019

Fixes

  • The Contrast UI loads correctly with Internet Explorer 11.
  • The Libraries grid loads correctly, even if you sent a library to a bugtracker.
  • Timestamps are back in the Vulnerabilities and Servers grids.
  • Custom banners are fixed at the bottom of the grids pages.
  • The Servers grid is immediately populated once you onboard your first application.
  • The Build Numbers filter has returned to each application's Vulnerabilities tab.
  • You can add an exclusion for a Protect Rule from an attack Overview page.
  • Java launchers can download a new Java agent.

Improvements

Check back next release!

Agent Updates

Java summary

The Java team improved memory usage of Assess analysis, reduced noise in data flow analysis against applications using logback, and added an Assess validator for the Spring framework. We fixed an issue in Assess data flow analysis involving unmodifiable lists as well as an issue where reporting of parameter names and values could be swapped under JaxRS applications.

.NET summary

The .NET team fixed race conditions when evaluating exclusions and capturing a stack trace, and improved performance of instrumentation. We also implemented Untrusted Deserialization for Protect covering all formatters with known exploits in the .NET Framework Base Class Library (BCL) as well as JSON.NET.

Node.js summary

The Node team resolved an issue where the asar library was causing an npm audit run to fail. We updated the NoSQL rule to catch a potential attack using the not-equal operator. We also closed an issue where the agent couldn't be installed on a bare-bones Linux distribution because a transitive dependency relied on the git executable being available.
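The NoSQL not-equal case mentioned above is the classic MongoDB operator injection: a JSON body such as `{"username": "admin", "password": {"$ne": ""}}` passed straight into a query turns an equality check into "password is not empty". The following is an added example (not Contrast agent code) of the application-side guard a developer would pair with the agent's rule: it walks untrusted input, rejects any key that looks like a query operator or a dotted path, and only builds the query from plain strings. The function names and the login shape are assumptions for illustration.

```javascript
// Added example, not from the Contrast Node agent.
// Defensive check: reject untrusted objects that carry MongoDB query
// operators ($ne, $gt, $regex, ...) or dotted keys before they reach a query.

function containsOperator(value, depth = 0) {
  // Pathological nesting is treated as unsafe rather than recursed forever.
  if (depth > 32) return true;
  if (Array.isArray(value)) {
    return value.some((v) => containsOperator(v, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || k.includes('.') || containsOperator(value[k], depth + 1)
    );
  }
  return false;
}

// Builds the login filter only from scalar strings, the shape the query
// expects; anything else is rejected before a database call is made.
function buildLoginQuery(body) {
  if (body === null || typeof body !== 'object') {
    throw new Error('rejected: body must be an object');
  }
  if (containsOperator(body)) {
    throw new Error('rejected: query operator in untrusted input');
  }
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new Error('rejected: credentials must be strings');
  }
  return { username, password };
}

// Convenience wrapper returning true/false instead of throwing, handy for
// logging or metrics in a request handler.
function isSafeLoginBody(body) {
  try {
    buildLoginQuery(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs: one benign login and one operator injection.
const benign = { username: 'alice', password: 'correct horse' };
const injected = { username: 'admin', password: { $ne: '' } };
console.log(isSafeLoginBody(benign), isSafeLoginBody(injected)); // true false
```

In an Express or Koa handler the check sits between body parsing and the database call; `containsOperator` is also useful on query strings parsed with extended syntax, where `?password[$ne]=` produces the same nested object.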

Ruby summary

The Ruby team has focused on performance and security updates in the Assess features of the agent. We moved Regex, Kernel and Enumerator patching from the Ruby code to the underlying C level. We updated the policy to be more conservative about patching ancestors of methods. We also added a check for port in use before starting the Contrast Service.

Python summary

The Python agent team added support for the urllib3 and requests library for the SSRF Protect Rule. We made additional updates for performance and code stability in how Protect Rules are applied to sinks.

Contrast 3.6.0 - January 2019

Fixes

  • Access Reports from the user menu without errors.
  • Language-specific Assess rules display the correct applications to which they apply.
  • Windows and Linux filepaths for Java configuration in the Add Agent wizard are straightened out.
  • Successfully delete an IP address you added in Organization Settings > Security tab.
  • Clone Profiles with Proxy properties in the Add Agent wizard.
  • The Vulnerabilities page successfully displays vulnerability data.

Improvements

Check back next release!

Agent Updates

Java summary

The Java team improved accuracy of Protect SQL-Injection, XSS and Expression Language Injection rules, as well as the Assess SQL-Injection rule. We fixed several errors that don't affect analysis, but would cause noise within agent logs:

  • NullPointerException when observing certain database technologies as an architecture component
  • NullPointerException when observing a web service without a port as an architecture component
  • NullPointerException when reflecting over SaxParser

We also fixed an error that could occur under the Play framework, and reduced log severity when the agent can't determine the database type of a database architecture component. We added support for using contrast namespace for command line and system property YAML configuration properties (e.g., contrast.application.name).

Java 1.5 support

Java 1.5 is no longer supported as of version 3.6.0 of the Java agent. The Java agent supports most Java runtimes for version 1.6 - 1.8. For a complete list of supported Java runtimes, see Supported Technologies.

.NET summary

The .NET team fixed an issue where the agent could cause an error when ASPX pages are used to generate CSS files.

Node.js summary

The Node team released the last 1.x agent before we migrate to the new dataflow tracking technology in the 2.0 version of the agent, which we plan to release in February. The latest version of the agent has updates to prevent side effects in data flow through ternary statements as well as updates to the Syslog support.

Ruby summary

The Ruby team added support for server names that contain non-UTF8 characters, and fixed a defect where the agent couldn't send activity messages when the path segment of the URI was nil. In Assess mode, the agent includes updates to better handle edge cases with frozen strings.

Python summary

The Python team added support for Python 3.7. We added additional support for the metadata feature by sending metadata in the application startup message. The agent also includes support for a configuration option to disable automatic startup of the service in environments where the service is launched by an external runner.

Contrast 3.5.9 - December 2018

Our gift to you: completely revamped grids for all your applications, servers and vulnerabilities!

Fixes

  • Use the toggles in the grid to enable or disable Protect on Python servers.
  • Filter Assess Rules by language and see the correct results.
  • Use the Save button to make modifications to your Server Defaults policy.
  • Use corrected instructions and YAML configuration properties for the Proxy agent in the Add Agent wizard.
  • Multiselect fields work correctly for Library Policy configurations.
  • The Vulnerabilities grid shows information for parent applications only, and immediately reflects changes to vulnerability status.
  • Links to grepcode.com are replaced with links to searchcode in vulnerability Details.
  • Save changes to Library Policy in System Settings without errors.
  • Set up automatic ticket creation in Jira integrations.
  • Filter counts match results in the Applications grid.
  • Set up an LDAP configuration with the best Base DN for you.

Improvements

  • Redesigned and enhanced grids for applications, servers, and vulnerabilities make the most important data easier to find and streamline your daily tasks. Improvements include, but are certainly not limited to, filters per column, enhanced search functions, instantly visible tags and easier access to row actions. If you have questions or suggestions for more improvements, use the Give Us Feedback button above any of the grids.

  • Assign key:value pairs to applications during onboarding for better organization and tracking. Go to Organization Settings > Applications to define custom fields - such as Application ID, Business Unit and Point of Contact - for new and existing applications. Contrast even provides a preformatted configuration property to copy and use in your own files.

  • Configure your VSTS integration to send tickets to a specific backlog for a subproject.

Agent Updates

Java summary

The Java team expanded coverage of the Protect Expression Language Injection rule to also cover RichFaces CVEs, including CVE-2018-14667. We improved the accuracy of a Regular Expression DoS rule as well as the reliability of a Protect CSRF rule. We also fixed an issue where the agent could fail to enable Assess rules if all rules were enabled.

.NET summary

The .NET agent installer no longer requires a DotnetAgentSettings.ini file; it now requires a contrast_security.yaml file. Unlike the .ini file, the YAML file supports all of the .NET agent’s configuration options.

The agent now detects new values for application version, group and tags in re-deployed web.config files without requiring a restart of the agent. Changes in Protect rule modes take effect without requiring a restart of the agent. The .NET team also completed the following bug fixes:

  • Profiler logs respect log level configuration
  • The agent respects application version, group and tags values in web.config in IIS-Express-hosted applications
  • A false positive where the agent would report cross-site scripting vulnerabilities from HTTP cookie sources
  • The agent no longer reports WCF client methods as routes for an application

Node.js summary

In version 1.36.0, the Node team improved the accuracy of our hard-coded keys vulnerability detection. We fixed a bug that caused some vulnerability reports to be rejected due to having an invalid data type set for the server's port value. We also fixed a bug in the agent's startup process that, under certain policy conditions, prevented the agent from discovering route coverage information for Express.js applications.

Ruby summary

For the 2.0.10 release, the Ruby team worked to enhance the agent's Assess functionality. We moved several method patches to C and refactored how extensions are generated to more reliably instrument applications in Assess mode. We also resolved a bug around parameter tracking in Assess, which allows for more accurate dataflow detection.

Python summary

Version 1.4.0 brings new Protect enhancements for XSS, Path Traversal and Command Injection. The Python team also improved our library analysis architecture to be more memory efficient and use fewer processes. We made configuration updates to include backward compatibility of existing YAML files.