java-cross-site-scripting-extended-ide
- Created new rule to detect XSS through indirect and framework-specific input paths not covered by the baseline rule:
- Covers AWS Lambda API Gateway inputs and Play Framework request data flowing into HTTP response output
- Flags user input routed through helper methods before reaching a vulnerable output point
java-deprecated-finalize-resource-cleanup
- Created new rule to detect improper resource cleanup via the deprecated finalize() method (CWE-404):
- Flags Java classes that call close() inside finalize() without implementing AutoCloseable or Closeable
- Resources managed this way rely on non-deterministic garbage collection; the fix is to use try-with-resources instead
java-ffm-information-exposure
- Created new rule to detect reads from uninitialized native memory segments allocated via the Java Foreign Function & Memory API (CWE-908):
- Flags MemorySegment read operations - get, getAtIndex, toArray - on memory returned by Arena.allocate() before any initialization, which may expose residual sensitive data such as cryptographic keys or passwords from prior allocations
- Recognizes safe initialization through fill, set, copyFrom, and foreign function writes, suppressing findings when memory is properly prepared before accessing
java-ffm-use-after-free
- Created new rule to detect use-after-free vulnerabilities (CWE-416) in the Java Foreign Function & Memory API (Java 19+):
- Flags MemorySegment operations - get(), set(), getAtIndex(), setAtIndex(), asSlice() — performed after the owning Arena has been closed
java-hardcoded-secrets-library-api-ide
- Created new rule to detect API credentials hardcoded directly into third-party client constructors and builders:
- Covers AWS (BasicAWSCredentials), Azure (ClientSecretCredentialBuilder, BlobServiceClientBuilder, CosmosClientBuilder, QueueServiceClientBuilder), OpenAI, Twitter OAuth, Facebook, Stripe, PayPal, and GitHub integrations
- Also covers Git/JGit (UsernamePasswordCredentialsProvider), Jenkins, JSch, and OAuth2 client configurations
java-hardcoded-secrets-library-auth-ide
- Created new rule to detect authentication credentials hardcoded into authentication and messaging framework APIs:
- Covers Spring Security inMemoryAuthentication, JWT builders (Jwts.builder, Jwts.parserBuilder), javax.mail.PasswordAuthentication, and JavaMailSender
java-hardcoded-secrets-library-crypto-ide
- Created new rule to detect cryptographic keys and passwords hardcoded into cryptographic API constructors:
- Covers SecretKeySpec, KeyStore, BCrypt, PBEKeySpec, SecureRandom, PKCS8EncodedKeySpec, and X509 key constructors
java-improper-input-validation-simple-web-server
- Created new rule to detect XSS and path traversal vulnerabilities in applications using the Java Simple Web Server API (CWE-20):
- Flags unvalidated input from HttpExchange — via getQuery(), getPath(), and getFirst() - flowing into HTML responses or file path operations
- Covers output through OutputStream.write(), Paths.get(), Path.of(), and java.io.File constructors
java-resource-exhaustion-dos
- Created new rule to detect user-controlled values flowing into memory-allocating APIs inside HTTP request handlers (CWE-770):
- Covers Spring MVC handlers annotated with @RequestParam, @RequestBody, and @PathVariable, as well as raw servlet input via HttpServletRequest.getParameter(), getInputStream(), getReader(), and HttpExchange.getRequestBody()
- Applies across both javax and jakarta namespaces
java-unnamed-variable-exception-suppression
- Created new rule to detect Java 22+ catch blocks that use the unnamed variable (_) to silently discard exceptions (CWE-390):
- Flags suppressed exceptions in security-sensitive code paths - authentication, cryptography, and authorization - where silent failure can create exploitable blind spots
- Excludes benign exceptions such as NumberFormatException, IllegalArgumentException, UnsupportedOperationException, and ClassNotFoundException
java-virtual-thread-deadlock
- Created new rule to detect deadlock vulnerabilities (CWE-833) in Java Virtual Threads and Structured Concurrency:
- Flags Lock.lock() called without a timeout inside code using Thread.startVirtualThread or StructuredTaskScope.fork, where deadlock cannot be automatically recovered
java-xss-response-injection-ide
- Created new rule to detect XSS through HTTP response headers and cookies set via Jakarta/Java Servlet and Spring MVC APIs:
- Flags unsanitized user input flowing into setHeader(), addHeader(), Cookie.setValue(), and addCookie()
java-code-injection-ide
- Enhanced to improve detection coverage by:
- Adding detection for user input flowing into com.sun.tools.javac.Main.compile(), which enables programmatic Java compilation and allows an attacker to inject and execute arbitrary source files (CWE-94)
java-code-injection-java
- Enhanced to improve detection coverage by:
- Adding groovy.lang.GroovyClassLoader.parseClass as a code injection output point, covering dynamic class loading through the Groovy class loader API
java-cross-site-scripting-ide
- Enhanced to improve detection coverage by:
- Adding Spring MVC model output points - Model.addAttribute(), ModelMap.put(), and ModelAndView.addObject() - to detect XSS when user input populates server-side model data
- Extending coverage to Java String Templates (JEP 459): adding ResponseEntity.ok().body() and ResponseEntity.status().body() as XSS output points, and @RequestBody as a recognized input source
java-ffm-race-condition
- Enhanced to improve performance by:
- Resolving timeout failures on large files while preserving detection of race conditions in Java Foreign Function & Memory API usage
java-hardcoded-secrets-library-ide
- Enhanced to improve performance and reduce scope by:
- Refocusing the rule on database credential detection via DriverManager, Hibernate, MongoDB, DataSource, and ConnectionString, resolving timeout failures caused by the previously broader scope
java-unsafe-memory-segment-access-no-bounds-check
- Enhanced to reduce false positives by:
- Fixing false positives where memory segment accesses bounded by computed loop bounds from byteSize() division and native function results (e.g., strlen) were incorrectly flagged as unsafe, findings are now correctly suppressed when access is probably within segment bounds
java-insecure-deserialization-library-config
- Enhanced to improve performance by:
- Resolving timeout failures affecting detection of insecure deserialization of library configurations
java-insecure-deserialization-serialization-utils
- Enhanced to improve performance by:
- Resolving timeout failures affecting detection of insecure deserialization via serialization utilities
java-insecure-dns-resolution-java
- Enhanced to improve detection accuracy by:
- Fixing lookupByName output point detection to correctly identify insecure DNS resolution calls regardless of method name casing
java-ldap-injection-string-template
- Enhanced to improve detection coverage by:
- Adding Filter.createApproximateMatchFilter(), createExtensibleMatchFilter(), createANDFilter(), createORFilter(), and createNOTFilter() as LDAP injection output points, covering filter construction APIs previously not detected
java-os-command-injection-ide
- Enhanced to improve performance by:
- Resolving timeout failures on large Java files while preserving full OS command injection detection coverage
java-path-traversal-classloader
- Enhanced to reduce false positives by:
- Fixing false positives caused by incorrect handling of Path.getFileName(), Path.of(...).getFileName(), and Paths.get(...).getFileName() - findings are now correctly suppressed when paths are reduced to the filename component only
- Coordinated this fix across java-path-traversal-fileio, java-path-traversal-fileutils, java-path-traversal-hb, java-path-traversal-ide, and java-path-traversal-specialized
java-path-traversal-nio
- Enhanced to improve detection coverage and reduce false positives by:
- Removing overly broad validation checks that caused false positives, replacing them with direct Pattern.matches() and FilenameUtils/StringUtils coverage
- Adding Files.createTempFile, Files.write, Files.writeString, and Paths.get as new output points, and getFileName(), getName(), getCanonicalFile() as recognized safe path normalization calls
java-simple-web-server-information-exposure
- Enhanced to improve performance by:
- Resolving timeout failures on large files while preserving detection of information exposure via Java's simple web server APIs
java-virtual-thread-race-condition
- Enhanced to reduce false positives by:
- Eliminating false positives by excluding local variable increment and compound assignment operations (++, +=) inside forked lambdas that do not represent shared-state race conditions
java-insecure-format-string
- Enhanced to improve performance by:
- Resolving timeout failures on large files while preserving detection of Java format string vulnerabilities caused by untrusted input
java-os-command-injection
- Enhanced to reduce false positives by:
- Excluding inputs that pass through validation methods (isValid, validate, Validate*) before command execution, preserving detection of genuine injection vectors while recognizing legitimate sanitization patterns
java-ffm-type-confusion
- Enhanced to improve detection coverage by:
- Adding narrowing cast detection for FFM API reads — catching long→int truncation, double→float precision loss, pointer narrowing, and VarHandle cast chains
java-log-injection
- Enhanced to reduce false positives by:
- Removing User.getUsername() as a taint source, updating the corresponding test case, and adding a new request.getParameter()-based positive test to maintain sink coverage
java-os-command-injection-hb
- Enhanced to improve detection coverage by:
- Adding detection for 10 additional command execution libraries, improving taint propagation and sanitization support, and adding comprehensive vulnerable and safe test coverage