June 2026 change log

This change log includes updates to detectors made in June 2026.


Added and updated rules

Feature Add

Java

  • java-cross-site-scripting-extended-ide

    • Created new rule to detect XSS through indirect and framework-specific input paths not covered by the baseline rule:
      • Covers AWS Lambda API Gateway inputs and Play Framework request data flowing into HTTP response output
      • Flags user input routed through helper methods before reaching a vulnerable output point

  • java-deprecated-finalize-resource-cleanup

    • Created new rule to detect improper resource cleanup via the deprecated finalize() method (CWE-404):
      • Flags Java classes that call close() inside finalize() without implementing AutoCloseable or Closeable
      • Resources managed this way rely on non-deterministic garbage collection; the fix is to use try-with-resources instead

  • java-ffm-information-exposure

    • Created new rule to detect reads from uninitialized native memory segments allocated via the Java Foreign Function & Memory API (CWE-908):
      • Flags MemorySegment read operations - get, getAtIndex, toArray - on memory returned by Arena.allocate() before any initialization, which may expose residual sensitive data such as cryptographic keys or passwords from prior allocations
      • Recognizes safe initialization through fill, set, copyFrom, and foreign function writes, suppressing findings when memory is properly prepared before accessing

  • java-ffm-use-after-free

    • Created new rule to detect use-after-free vulnerabilities (CWE-416) in the Java Foreign Function & Memory API (Java 19+):
      • Flags MemorySegment operations - get(), set(), getAtIndex(), setAtIndex(), asSlice() — performed after the owning Arena has been closed

  • java-hardcoded-secrets-library-api-ide

    • Created new rule to detect API credentials hardcoded directly into third-party client constructors and builders:
      • Covers AWS (BasicAWSCredentials), Azure (ClientSecretCredentialBuilder, BlobServiceClientBuilder, CosmosClientBuilder, QueueServiceClientBuilder), OpenAI, Twitter OAuth, Facebook, Stripe, PayPal, and GitHub integrations
      • Also covers Git/JGit (UsernamePasswordCredentialsProvider), Jenkins, JSch, and OAuth2 client configurations

  • java-hardcoded-secrets-library-auth-ide

    • Created new rule to detect authentication credentials hardcoded into authentication and messaging framework APIs:
      • Covers Spring Security inMemoryAuthentication, JWT builders (Jwts.builder, Jwts.parserBuilder), javax.mail.PasswordAuthentication, and JavaMailSender

  • java-hardcoded-secrets-library-crypto-ide

    • Created new rule to detect cryptographic keys and passwords hardcoded into cryptographic API constructors:
      • Covers SecretKeySpec, KeyStore, BCrypt, PBEKeySpec, SecureRandom, PKCS8EncodedKeySpec, and X509 key constructors

  • java-improper-input-validation-simple-web-server

    • Created new rule to detect XSS and path traversal vulnerabilities in applications using the Java Simple Web Server API (CWE-20):
      • Flags unvalidated input from HttpExchange — via getQuery(), getPath(), and getFirst() - flowing into HTML responses or file path operations
      • Covers output through OutputStream.write(), Paths.get(), Path.of(), and java.io.File constructors

  • java-resource-exhaustion-dos

    • Created new rule to detect user-controlled values flowing into memory-allocating APIs inside HTTP request handlers (CWE-770):
      • Covers Spring MVC handlers annotated with @RequestParam, @RequestBody, and @PathVariable, as well as raw servlet input via HttpServletRequest.getParameter(), getInputStream(), getReader(), and HttpExchange.getRequestBody()
      • Applies across both javax and jakarta namespaces

  • java-unnamed-variable-exception-suppression

    • Created new rule to detect Java 22+ catch blocks that use the unnamed variable (_) to silently discard exceptions (CWE-390):
      • Flags suppressed exceptions in security-sensitive code paths - authentication, cryptography, and authorization - where silent failure can create exploitable blind spots
      • Excludes benign exceptions such as NumberFormatException, IllegalArgumentException, UnsupportedOperationException, and ClassNotFoundException

  • java-virtual-thread-deadlock

    • Created new rule to detect deadlock vulnerabilities (CWE-833) in Java Virtual Threads and Structured Concurrency:
      • Flags Lock.lock() called without a timeout inside code using Thread.startVirtualThread or StructuredTaskScope.fork, where deadlock cannot be automatically recovered

  • java-xss-response-injection-ide

    • Created new rule to detect XSS through HTTP response headers and cookies set via Jakarta/Java Servlet and Spring MVC APIs:
      • Flags unsanitized user input flowing into setHeader(), addHeader(), Cookie.setValue(), and addCookie()


Bug Fixes / Enhancement

C#

  • csharp-code-injection-ide

    • Enhanced to improve detection accuracy and reduce false positives by:
      • Removing DateTime.Parse and similar non-execution parsers as code injection output points, eliminating a class of false positives
      • Removing Expression.Property as an output point; detection now scopes to the template argument only, preventing false positives when Razor model data is passed in a non-executing position
      • Adding Contains ternary checks and Regex.IsMatch conditional blocks as recognized input validation guards

  • use-ecb-mode-csharp-rule

    • Enhanced to improve remediation guidance by:
      • Updating guidance for ECB cipher mode findings to recommend modern authenticated encryption modes, replacing outdated CBC-only recommendations


Java

  • java-code-injection-ide

    • Enhanced to improve detection coverage by:
      • Adding detection for user input flowing into com.sun.tools.javac.Main.compile(), which enables programmatic Java compilation and allows an attacker to inject and execute arbitrary source files (CWE-94)

  • java-code-injection-java

    • Enhanced to improve detection coverage by:
      • Adding groovy.lang.GroovyClassLoader.parseClass as a code injection output point, covering dynamic class loading through the Groovy class loader API

  • java-cross-site-scripting-ide

    • Enhanced to improve detection coverage by:
      • Adding Spring MVC model output points - Model.addAttribute(), ModelMap.put(), and ModelAndView.addObject() - to detect XSS when user input populates server-side model data
      • Extending coverage to Java String Templates (JEP 459): adding ResponseEntity.ok().body() and ResponseEntity.status().body() as XSS output points, and @RequestBody as a recognized input source

  • java-ffm-race-condition

    • Enhanced to improve performance by:
      • Resolving timeout failures on large files while preserving detection of race conditions in Java Foreign Function & Memory API usage

  • java-hardcoded-secrets-library-ide

    • Enhanced to improve performance and reduce scope by:
      • Refocusing the rule on database credential detection via DriverManager, Hibernate, MongoDB, DataSource, and ConnectionString, resolving timeout failures caused by the previously broader scope

  • java-unsafe-memory-segment-access-no-bounds-check

    • Enhanced to reduce false positives by:
      • Fixing false positives where memory segment accesses bounded by computed loop bounds from byteSize() division and native function results (e.g., strlen) were incorrectly flagged as unsafe, findings are now correctly suppressed when access is probably within segment bounds

  • java-insecure-deserialization-library-config

    • Enhanced to improve performance by:
      • Resolving timeout failures affecting detection of insecure deserialization of library configurations

  • java-insecure-deserialization-serialization-utils

    • Enhanced to improve performance by:
      • Resolving timeout failures affecting detection of insecure deserialization via serialization utilities

  • java-insecure-dns-resolution-java

    • Enhanced to improve detection accuracy by:
      • Fixing lookupByName output point detection to correctly identify insecure DNS resolution calls regardless of method name casing

  • java-ldap-injection-string-template

    • Enhanced to improve detection coverage by:
      • Adding Filter.createApproximateMatchFilter(), createExtensibleMatchFilter(), createANDFilter(), createORFilter(), and createNOTFilter() as LDAP injection output points, covering filter construction APIs previously not detected

  • java-os-command-injection-ide

    • Enhanced to improve performance by:
      • Resolving timeout failures on large Java files while preserving full OS command injection detection coverage

  • java-path-traversal-classloader

    • Enhanced to reduce false positives by:
      • Fixing false positives caused by incorrect handling of Path.getFileName(), Path.of(...).getFileName(), and Paths.get(...).getFileName() - findings are now correctly suppressed when paths are reduced to the filename component only
      • Coordinated this fix across java-path-traversal-fileio, java-path-traversal-fileutils, java-path-traversal-hb, java-path-traversal-ide, and java-path-traversal-specialized

  • java-path-traversal-nio

    • Enhanced to improve detection coverage and reduce false positives by:
      • Removing overly broad validation checks that caused false positives, replacing them with direct Pattern.matches() and FilenameUtils/StringUtils coverage
      • Adding Files.createTempFile, Files.write, Files.writeString, and Paths.get as new output points, and getFileName(), getName(), getCanonicalFile() as recognized safe path normalization calls

  • java-simple-web-server-information-exposure

    • Enhanced to improve performance by:
      • Resolving timeout failures on large files while preserving detection of information exposure via Java's simple web server APIs

  • java-virtual-thread-race-condition

    • Enhanced to reduce false positives by:
      • Eliminating false positives by excluding local variable increment and compound assignment operations (++, +=) inside forked lambdas that do not represent shared-state race conditions

  • java-insecure-format-string

    • Enhanced to improve performance by:
      • Resolving timeout failures on large files while preserving detection of Java format string vulnerabilities caused by untrusted input

  • java-os-command-injection

    • Enhanced to reduce false positives by:
      • Excluding inputs that pass through validation methods (isValid, validate, Validate*) before command execution, preserving detection of genuine injection vectors while recognizing legitimate sanitization patterns

  • java-ffm-type-confusion

    • Enhanced to improve detection coverage by:
      • Adding narrowing cast detection for FFM API reads — catching long→int truncation, double→float precision loss, pointer narrowing, and VarHandle cast chains

  • java-log-injection

    • Enhanced to reduce false positives by:
      • Removing User.getUsername() as a taint source, updating the corresponding test case, and adding a new request.getParameter()-based positive test to maintain sink coverage

  • java-os-command-injection-hb

    • Enhanced to improve detection coverage by:
      • Adding detection for 10 additional command execution libraries, improving taint propagation and sanitization support, and adding comprehensive vulnerable and safe test coverage


JavaScript

  • javascript-cross-site-scripting-ide

    • Enhanced to reduce false positives by:
      • Excluding responses with non-executable content types - text/plain, image/* - from XSS detection, since browsers render these formats without script execution

  • javascript-path-traversal-hb

    • Enhanced to improve detection accuracy and reduce false positives by:
      • Scoping writeFile and writeFileSync detection to the path argument only, removing false positives where file content was incorrectly flagged as a path traversal risk
      • Adding separate output point coverage for two-path methods rename, copy, and move to correctly detect path traversal in both source and destination arguments

  • javascript-server-side-request-forgery-hb

    • Enhanced to improve detection coverage and reduce false positives by:
      • Adding got.stream() as an SSRF output point
      • Replacing generic pipe detection with explicit coverage of http.get(), https.get(), request(), and got() chained with pipe(), eliminating false positives from local file stream operations


Python

  • python-cross-site-scripting-hb

    • Enhanced to reduce false positives by:
      • Removing HttpResponseRedirect and django.shortcuts.redirect as XSS output points - HTTP 302 redirect responses do not render HTML and are not vulnerable to cross-site scripting

  • python-url-instantiated

    • Enhanced to reduce false positives by:
      • Excluding URLs originating from DynamoDB runtime data sources (get_item, query, scan, batch_get_item) as insecure HTTP URL findings - URLs retrieved dynamically from DynamoDB service client responses are trusted runtime data, not hardcoded insecure endpoints


TypeScript

  • csrf-protection-missing-ts-rule

    • Enhanced to reduce false negatives by:
      • Removing the requirement for a res.render() call to trigger detection, fixing false negatives where CSRF-vulnerable routes without a render call were missed

  • monaco-sensitive-html-support-configuration-ts-rule

    • Enhanced to reduce false positives by:
      • Replacing an overly broad supportHtml detection pattern that caused false positives with a more precise match

  • typescript-llm-vector-embedding-weaknesses

    • Enhanced to improve detection accuracy by:
      • Adding document loader and text splitter detection as input sources for RAG pipelines
      • Removing Chroma collection, Pinecone, Weaviate, FAISS index, and embedding constructor detection that generated excessive noise

  • typescript-no-sql-injection-hb

    • Enhanced to improve performance by:
      • Resolving timeout failures on large files while preserving NoSQL injection detection via HarperDB APIs

  • typescript-os-command-injection-ide

    • Enhanced to improve performance by:
      • Resolving timeout failures on large TypeScript files while preserving full OS command injection detection coverage

  • typescript-path-traversal-hb

    • Enhanced to improve performance and reduce noise by:
      • Resolving timeout failures on large files by removing input sources that caused excessive noise, improving reliability without narrowing the set of vulnerable paths detected

  • typescript-react-unsanitized-property

    • Enhanced to improve detection coverage by:
      • Adding coverage for single-level direct property assignments, expanding detection beyond previously required two-level chains
      • Scoping detection to React component data flows via this.props, this.state, props, and state

Disabled rules

Disabled

TypeScript

  • typescript-react-insecure-request
    • Disabled due to a high false positive rate from localhost, test URLs, and legacy code patterns that do not represent active security risks