Releases: cbomkit/sonar-cryptography
1.6.0
Highlights
This release focuses on detection accuracy, CBOM correctness, and CycloneDX alignment.
Detection fixes & improvements
- Python (pyca/cryptography): detect stream ciphers with mode=None, standalone PyCA hash constructions, and correctly resolve parameterized dictionary subscriptions and *args/**kwargs.
- Java (JCA/BouncyCastle): fixed the ChaCha20Poly1305 ENCRYPT method-name matching, narrowed overly broad Ed25519/Ed448 generate() rules to prevent false positives, and added OID mappings for PBES1 combinations.
CBOM & CycloneDX correctness
- Algorithm names now match the CycloneDX Cryptography Registry.
- Fixed asset deduplication logic and enabled the duplicate-depending-findings check.
- Correct handling of empty CBOMs when no SonarQube rule is active.
Quality & maintenance
- Added regression tests across Java and Python (MD5 detection, RSADigestSigner edge cases, occurrence locations, detection inside custom functions).
- Dependency and toolchain bumps, incl. sonar-java 8.22 and cyclonedx-core-java 12.0.1.
- Initial C# scanner work was explored during this cycle but removed before release; C# support is not included in 1.6.0.
What's Changed
- feat: C# support (System.Security.Cryptography) - initial draft by @fynnth in #376
- Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.20.0 by @dependabot[bot] in #364
- Bump sonar.java.version from 8.18.0.40025 to 8.22.0.41895 by @dependabot[bot] in #366
- Bump org.cyclonedx:cyclonedx-core-java from 11.0.1 to 12.0.1 by @dependabot[bot] in #367
- Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.26 by @dependabot[bot] in #368
- Bump org.assertj:assertj-core from 3.27.4 to 3.27.7 by @dependabot[bot] in #369
- Bump the maven group across 11 directories with 1 update by @dependabot[bot] in #370
- Bump cbomkit/cbomkit-action from 2.1.2 to 2.2.0 by @dependabot[bot] in #373
- Bump actions/upload-artifact from 5 to 7 by @dependabot[bot] in #375
- test(java): add regression test for MD5 detection in JCA MessageDigest by @sachin9058 in #393
- integrate csharp scanner with cbomkit-lib by @san-zrl in #405
- Fixed obsolete license statements by @san-zrl in #416
- test(java): add RSADigestSigner constructor edge-case coverage by @sachin9058 in #410
- feat(pbes1): add OID mappings for PBES1 combinations by @Ayush-Patel-56 in #389
- added c# parser sources by @san-zrl in #454
- Fixes issue of empty CBOM creation when no SonarQube rule is activated by @medha-14 in #388
- improved handling and testing of empty CBOMs by @san-zrl in #455
- test(python): verify detection inside custom functions (part of #9) by @sachin9058 in #394
- test(java): verify occurrence locations for issue #339 by @sachin9058 in #430
- fix: detect pyca stream ciphers with mode=None by @Truty424 in #460
- Fix resolution of parameterized dictionary subscriptions by @somiljain2006 in #457
- Ed25519 and Ed448 generate() rules were matching too broadly by @Arijit429 in #429
- fixes handling of *args and **kwargs by @san-zrl in #466
- fix correct method name in ChaCha20Poly1305 ENCRYPT detection rule by @vishnudathks in #459
- Fix asset deduplication logic by @somiljain2006 in #465
- Remove csharp by @san-zrl in #467
- fix(python): detect standalone PyCA hash constructions by @sachin9058 in #464
- Enable DuplicateDependingFindingsTest by @somiljain2006 in #468
- Update algorithm names to match CycloneDX schema by @n1ckl0sk0rtge in #362
New Contributors
- @fynnth made their first contribution in #376
- @sachin9058 made their first contribution in #393
- @Ayush-Patel-56 made their first contribution in #389
- @medha-14 made their first contribution in #388
- @Truty424 made their first contribution in #460
- @somiljain2006 made their first contribution in #457
- @Arijit429 made their first contribution in #429
- @vishnudathks made their first contribution in #459
Full Changelog: 1.5.1...1.6.0
1.5.1
What's Changed
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.43.0 to 2.44.2 by @dependabot[bot] in #208
- Bump org.cyclonedx:cyclonedx-core-java from 9.1.0 to 10.1.0 by @dependabot[bot] in #203
- Bump com.google.guava:guava from 33.3.1-jre to 33.4.0-jre by @dependabot[bot] in #210
- Bump org.assertj:assertj-core from 3.26.3 to 3.27.3 by @dependabot[bot] in #211
- Bump com.google.googlejavaformat:google-java-format from 1.25.0 to 1.25.2 by @dependabot[bot] in #213
- Bump com.google.code.gson:gson from 2.11.0 to 2.12.1 by @dependabot[bot] in #215
- Bump sonar.python.version from 4.24.0.18631 to 4.26.0.19456 by @dependabot[bot] in #205
- fix issue 214, add test case by @n1ckl0sk0rtge in #216
- Bump org.junit.platform:junit-platform-launcher from 1.11.3 to 1.11.4 by @dependabot[bot] in #218
- Add support for MLKEM and MLDSA by @n1ckl0sk0rtge in #219
- Add SHA1 oid by @n1ckl0sk0rtge in #220
- Bump sonar.java.version from 8.8.0.37665 to 8.9.0.37768 by @dependabot[bot] in #204
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.1.0.102122 to 25.2.0.102705 by @dependabot[bot] in #217
- Bump sonar.plugin.api.version from 10.14.0.2599 to 11.1.0.2693 by @dependabot[bot] in #206
- update sonar api version, update rules meta data, update docker compose by @n1ckl0sk0rtge in #221
- Fix stack overflow error by @n1ckl0sk0rtge in #228
- Bump org.apache.maven.plugins:maven-compiler-plugin from 3.13.0 to 3.14.0 by @dependabot[bot] in #226
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.2 to 2.44.3 by @dependabot[bot] in #223
- Bump sonar.java.version from 8.9.0.37768 to 8.10.0.38194 by @dependabot[bot] in #222
- Add gcm parameter spec and tag related crypto assets by @n1ckl0sk0rtge in #229
- Add iv parameter spec by @n1ckl0sk0rtge in #230
- Update JcaPBEKeySpec, update test case for password output by @n1ckl0sk0rtge in #231
- update junit by @n1ckl0sk0rtge in #232
- fix pbe keylength interpretation; update tests by @n1ckl0sk0rtge in #233
- Add HMAC enricher, update test cases by @n1ckl0sk0rtge in #234
- Add gcm mode as part of detection for gcm parameter spec by @n1ckl0sk0rtge in #235
- Fix key type specification by @n1ckl0sk0rtge in #237
- add support for HSS and LMS for JCA by @n1ckl0sk0rtge in #239
- Update README.md by @n1ckl0sk0rtge in #242
- Fix missing message digest rules by @n1ckl0sk0rtge in #245
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.2.0.102705 to 25.3.0.104237 by @dependabot[bot] in #244
- Bump sonar.plugin.api.version from 11.1.0.2693 to 11.2.0.2797 by @dependabot[bot] in #240
- Fix CallStack exception by @n1ckl0sk0rtge in #246
- Update PythonSemantic by @n1ckl0sk0rtge in #247
- Update python plugin version by @n1ckl0sk0rtge in #250
- Bump org.cyclonedx:cyclonedx-core-java from 10.1.0 to 10.2.1 by @dependabot[bot] in #248
- Bump sonar.plugin.api.version from 11.2.0.2797 to 11.3.0.2824 by @dependabot[bot] in #249
- Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre by @dependabot[bot] in #254
- Bump org.junit.platform:junit-platform-launcher from 1.12.0 to 1.12.1 by @dependabot[bot] in #252
- Bump junit.jupiter.version from 5.12.0 to 5.12.1 by @dependabot[bot] in #251
- Bump com.google.guava:guava from 33.4.5-jre to 33.4.7-jre by @dependabot[bot] in #260
- Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.2 to 3.5.3 by @dependabot[bot] in #259
- Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 by @dependabot[bot] in #258
- Bump com.google.code.gson:gson from 2.12.1 to 2.13.1 by @dependabot[bot] in #266
- Bump junit.jupiter.version from 5.12.1 to 5.12.2 by @dependabot[bot] in #264
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.3 to 2.44.4 by @dependabot[bot] in #261
- Bump org.junit.platform:junit-platform-launcher from 1.12.1 to 1.12.2 by @dependabot[bot] in #269
- Bump com.google.guava:guava from 33.4.7-jre to 33.4.8-jre by @dependabot[bot] in #267
- Move to PQCA by @san-zrl in #276
- Update GitHub actions permission to push packages by @n1ckl0sk0rtge in #277
- Bump com.google.googlejavaformat:google-java-format from 1.26.0 to 1.27.0 by @dependabot[bot] in #273
- Update permissions to create mvn dependency graph by @n1ckl0sk0rtge in #278
- Replace IBM with PQCA in license header by @n1ckl0sk0rtge in #281
- chore: update CODEOWNERS by @ryjones in #282
- Bump sonar.python.version from 5.1.0.20567 to 5.4.0.22255 by @dependabot[bot] in #272
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.3.0.104237 to 25.5.0.107428 by @dependabot[bot] in #275
- Bump sonar.plugin.api.version from 11.3.0.2824 to 12.0.0.2960 by @dependabot[bot] in #280
- Bump advanced-security/maven-dependency-submission-action from 4 to 5 by @dependabot[bot] in #285
- Bump org.codehaus.mojo:exec-maven-plugin from 3.5.0 to 3.5.1 by @dependabot[bot] in #287
- Bump sonar.java.version from 8.10.0.38194 to 8.15.0.39343 by @dependabot[bot] in #288
- Bump junit.jupiter.version from 5.12.2 to 5.13.0 by @dependabot[bot] in #289
- Bump org.junit:junit-bom from 5.13.0 to 5.13.1 by @dependabot[bot] in #293
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.4 to 2.44.5 by @dependabot[bot] in #290
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.5.0.107428 to 25.6.0.109173 by @dependabot[bot] in #291
- Bump sonar.python.version from 5.4.0.22255 to 5.5.0.23291 by @dependabot[bot] in #298
- Bump org.bouncycastle:bcprov-jdk18on from 1.80 to 1.81 by @dependabot[bot] in #292
- Bump sonar.plugin.api.version from 12.0.0.2960 to 13.0.0.3026 by @dependabot[bot] in #303
- Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #307
- Bump org.junit:junit-bom from 5.13.1 to 5.13.4 by @dependabot[bot] in #308
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.6.0.109173 to 25.8.0.112029 by @dependabot[bot] in #312
- Bump actions/checkout from 4 to 5 by @dependabot[bot] in #313
- Bump sonar.python.version from 5.5.0.23291 to 5.8.0.24785 by @dependabot[bot] in #314
- Bump sonar.java.version from 8.15.0.39343 to 8.18.0.40025 by @dependabot[bot] in #315
- Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 by @dependabot[bot] in #316
- Bump com.diffplug.spotless:spotless-maven-plug...
1.5.0
What's Changed
- Bump actions/checkout from 5 to 6 by @dependabot[bot] in #351
- Bump the maven group across 10 directories with 2 updates by @dependabot[bot] in #350
- Bump cbomkit/cbomkit-action from 2.1.1 to 2.1.2 by @dependabot[bot] in #349
- Bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #342
- Bump sonar.python.version from 5.9.0.25193 to 5.10.0.25429 by @dependabot[bot] in #334
- Update/cyclonedx 11.0.1 and sonar python 5.10.0.25429 by @san-zrl in #354
- Bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 by @dependabot[bot] in #335
- Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre by @dependabot[bot] in #336
- Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.4 by @dependabot[bot] in #337
- Bump sonar.plugin.api.version from 13.1.0.3124 to 13.2.0.3137 by @dependabot[bot] in #338
- Add support for Golang (gocrypto) by @n1ckl0sk0rtge in #361
- Bump org.junit:junit-bom from 5.13.4 to 6.0.2 by @dependabot[bot] in #360
- Bump sonar.plugin.api.version from 13.2.0.3137 to 13.4.3.4290 by @dependabot[bot] in #359
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.46.1 to 3.2.0 by @dependabot[bot] in #358
- Bump org.codehaus.mojo:exec-maven-plugin from 3.5.1 to 3.6.3 by @dependabot[bot] in #357
- Bump sonar.python.version from 5.10.0.25429 to 5.16.0.29940 by @dependabot[bot] in #356
- Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #355
- Add Go AES-GCM cipher mode detection rules by @n1ckl0sk0rtge in #363
Full Changelog: 1.4.8...1.5.0
1.4.8
What's Changed
- Fix NumberFormatException by @san-zrl in #332
- Generate CBOM by @san-zrl in #329
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.8.0.112029 to 25.9.0.112764 by @dependabot[bot] in #326
- Bump sonar.python.version from 5.8.0.24785 to 5.9.0.25193 by @dependabot[bot] in #327
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 by @dependabot[bot] in #328
- Bump sonar.plugin.api.version from 13.0.0.3026 to 13.1.0.3124 by @dependabot[bot] in #330
- Bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 by @dependabot[bot] in #331
- updated deprecated checkClasses functions by @san-zrl in #333
- Fix issue 297 by @n1ckl0sk0rtge in #299
- fixed CCM8 encoding by @san-zrl in #341
- Added headless check to avoid failing test in hl env by @san-zrl in #345
- Fix: enrich asset collections by @san-zrl in #344
- chore/updated links to cbomkit org by @san-zrl in #347
Full Changelog: 1.4.7...1.4.8
1.4.7
1.4.6
What's Changed
- Update python plugin version by @n1ckl0sk0rtge in #250
- Bump org.cyclonedx:cyclonedx-core-java from 10.1.0 to 10.2.1 by @dependabot[bot] in #248
- Bump sonar.plugin.api.version from 11.2.0.2797 to 11.3.0.2824 by @dependabot[bot] in #249
- Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre by @dependabot[bot] in #254
- Bump org.junit.platform:junit-platform-launcher from 1.12.0 to 1.12.1 by @dependabot[bot] in #252
- Bump junit.jupiter.version from 5.12.0 to 5.12.1 by @dependabot[bot] in #251
- Bump com.google.guava:guava from 33.4.5-jre to 33.4.7-jre by @dependabot[bot] in #260
- Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.2 to 3.5.3 by @dependabot[bot] in #259
- Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 by @dependabot[bot] in #258
- Bump com.google.code.gson:gson from 2.12.1 to 2.13.1 by @dependabot[bot] in #266
- Bump junit.jupiter.version from 5.12.1 to 5.12.2 by @dependabot[bot] in #264
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.3 to 2.44.4 by @dependabot[bot] in #261
- Bump org.junit.platform:junit-platform-launcher from 1.12.1 to 1.12.2 by @dependabot[bot] in #269
- Bump com.google.guava:guava from 33.4.7-jre to 33.4.8-jre by @dependabot[bot] in #267
- Move to PQCA by @san-zrl in #276
- Update GitHub actions permission to push packages by @n1ckl0sk0rtge in #277
- Bump com.google.googlejavaformat:google-java-format from 1.26.0 to 1.27.0 by @dependabot[bot] in #273
- Update permissions to create mvn dependency graph by @n1ckl0sk0rtge in #278
- Replace IBM with PQCA in license header by @n1ckl0sk0rtge in #281
- chore: update CODEOWNERS by @ryjones in #282
- Bump sonar.python.version from 5.1.0.20567 to 5.4.0.22255 by @dependabot[bot] in #272
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.3.0.104237 to 25.5.0.107428 by @dependabot[bot] in #275
- Bump sonar.plugin.api.version from 11.3.0.2824 to 12.0.0.2960 by @dependabot[bot] in #280
- Bump advanced-security/maven-dependency-submission-action from 4 to 5 by @dependabot[bot] in #285
- Bump org.codehaus.mojo:exec-maven-plugin from 3.5.0 to 3.5.1 by @dependabot[bot] in #287
- Bump sonar.java.version from 8.10.0.38194 to 8.15.0.39343 by @dependabot[bot] in #288
- Bump junit.jupiter.version from 5.12.2 to 5.13.0 by @dependabot[bot] in #289
- Bump org.junit:junit-bom from 5.13.0 to 5.13.1 by @dependabot[bot] in #293
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.4 to 2.44.5 by @dependabot[bot] in #290
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.5.0.107428 to 25.6.0.109173 by @dependabot[bot] in #291
- Bump sonar.python.version from 5.4.0.22255 to 5.5.0.23291 by @dependabot[bot] in #298
- Bump org.bouncycastle:bcprov-jdk18on from 1.80 to 1.81 by @dependabot[bot] in #292
- Bump sonar.plugin.api.version from 12.0.0.2960 to 13.0.0.3026 by @dependabot[bot] in #303
- Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #307
- Bump org.junit:junit-bom from 5.13.1 to 5.13.4 by @dependabot[bot] in #308
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.6.0.109173 to 25.8.0.112029 by @dependabot[bot] in #312
- Bump actions/checkout from 4 to 5 by @dependabot[bot] in #313
- Bump sonar.python.version from 5.5.0.23291 to 5.8.0.24785 by @dependabot[bot] in #314
- Bump sonar.java.version from 8.15.0.39343 to 8.18.0.40025 by @dependabot[bot] in #315
- Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 by @dependabot[bot] in #316
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.5 to 2.46.1 by @dependabot[bot] in #317
- Bump actions/setup-java from 4 to 5 by @dependabot[bot] in #320
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 by @dependabot[bot] in #318
- Bump com.google.googlejavaformat:google-java-format from 1.27.0 to 1.28.0 by @dependabot[bot] in #319
- Remove vulnerabilities by @san-zrl in #321
- Chore/manage vulnerabilities by @san-zrl in #322
- Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #323
- Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #324
Full Changelog: 1.4.5...1.4.6
1.4.5
1.4.4
What's Changed
- add support for HSS and LMS for JCA by @n1ckl0sk0rtge in #239
- Update README.md by @n1ckl0sk0rtge in #242
- Fix missing message digest rules by @n1ckl0sk0rtge in #245
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.2.0.102705 to 25.3.0.104237 by @dependabot in #244
- Bump sonar.plugin.api.version from 11.1.0.2693 to 11.2.0.2797 by @dependabot in #240
- Fix CallStack exception by @n1ckl0sk0rtge in #246
Full Changelog: 1.4.3...1.4.4
1.4.3
1.4.2
What's Changed
- fix pbe keylength interpretation; update tests by @n1ckl0sk0rtge in #233
- Add HMAC enricher, update test cases by @n1ckl0sk0rtge in #234
- Add gcm mode as part of detection for gcm parameter spec by @n1ckl0sk0rtge in #235
Full Changelog: 1.4.1...1.4.2