Highlights
This is a performance-focused release. Scans of large projects previously accumulated multi-gigabyte heap usage in the detection engine; this release brings that down by orders of magnitude.
Performance
- Engine: call-stack entries no longer pin the full AST of already-analyzed files — ASTs are detached at
leaveFilewhile keeping cross-file hook resolution intact. On a full Keycloak scan this reduces the call-stack heap footprint from multiple GB to a few MB, and scans that previously exhausted a 6 GB heap now complete comfortably. - Java: the BouncyCastle detection rule graph is memoized instead of being rebuilt per file, cutting rule-construction heap churn.
- A self-contained JUnit heap harness (
CallStackHeapPerfTest) and a performance testing guide (docs/PERFORMANCE_TESTING.md) were added to keep these numbers verifiable.
Quality & maintenance
- Dependency and toolchain bumps, incl.
sonar-python5.25,cyclonedx-core-java12.2.0, JUnit BOM 6.0.3, Guava 33.6.0, Mockito 5.23.0, and Maven plugin updates.
What's Changed
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.43.0 to 2.44.2 by @dependabot[bot] in #208
- Bump org.cyclonedx:cyclonedx-core-java from 9.1.0 to 10.1.0 by @dependabot[bot] in #203
- Bump com.google.guava:guava from 33.3.1-jre to 33.4.0-jre by @dependabot[bot] in #210
- Bump org.assertj:assertj-core from 3.26.3 to 3.27.3 by @dependabot[bot] in #211
- Bump com.google.googlejavaformat:google-java-format from 1.25.0 to 1.25.2 by @dependabot[bot] in #213
- Bump com.google.code.gson:gson from 2.11.0 to 2.12.1 by @dependabot[bot] in #215
- Bump sonar.python.version from 4.24.0.18631 to 4.26.0.19456 by @dependabot[bot] in #205
- fix issue 214, add test case by @n1ckl0sk0rtge in #216
- Bump org.junit.platform:junit-platform-launcher from 1.11.3 to 1.11.4 by @dependabot[bot] in #218
- Add support for MLKEM and MLDSA by @n1ckl0sk0rtge in #219
- Add SHA1 oid by @n1ckl0sk0rtge in #220
- Bump sonar.java.version from 8.8.0.37665 to 8.9.0.37768 by @dependabot[bot] in #204
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.1.0.102122 to 25.2.0.102705 by @dependabot[bot] in #217
- Bump sonar.plugin.api.version from 10.14.0.2599 to 11.1.0.2693 by @dependabot[bot] in #206
- update sonar api version, update rules meta data, update docker compose by @n1ckl0sk0rtge in #221
- Fix stack overflow error by @n1ckl0sk0rtge in #228
- Bump org.apache.maven.plugins:maven-compiler-plugin from 3.13.0 to 3.14.0 by @dependabot[bot] in #226
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.2 to 2.44.3 by @dependabot[bot] in #223
- Bump sonar.java.version from 8.9.0.37768 to 8.10.0.38194 by @dependabot[bot] in #222
- Add gcm parameter spec and tag related crypto assets by @n1ckl0sk0rtge in #229
- Add iv parameter spec by @n1ckl0sk0rtge in #230
- Update JcaPBEKeySpec, update test case for password output by @n1ckl0sk0rtge in #231
- update junit by @n1ckl0sk0rtge in #232
- fix pbe keylength interpretation; update tests by @n1ckl0sk0rtge in #233
- Add HMAC enricher, update test cases by @n1ckl0sk0rtge in #234
- Add gcm mode as part of detection for gcm parameter spec by @n1ckl0sk0rtge in #235
- Fix key type specification by @n1ckl0sk0rtge in #237
- add support for HSS and LMS for JCA by @n1ckl0sk0rtge in #239
- Update README.md by @n1ckl0sk0rtge in #242
- Fix missing message digest rules by @n1ckl0sk0rtge in #245
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.2.0.102705 to 25.3.0.104237 by @dependabot[bot] in #244
- Bump sonar.plugin.api.version from 11.1.0.2693 to 11.2.0.2797 by @dependabot[bot] in #240
- Fix CallStack exception by @n1ckl0sk0rtge in #246
- Update PythonSemantic by @n1ckl0sk0rtge in #247
- Update python plugin version by @n1ckl0sk0rtge in #250
- Bump org.cyclonedx:cyclonedx-core-java from 10.1.0 to 10.2.1 by @dependabot[bot] in #248
- Bump sonar.plugin.api.version from 11.2.0.2797 to 11.3.0.2824 by @dependabot[bot] in #249
- Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre by @dependabot[bot] in #254
- Bump org.junit.platform:junit-platform-launcher from 1.12.0 to 1.12.1 by @dependabot[bot] in #252
- Bump junit.jupiter.version from 5.12.0 to 5.12.1 by @dependabot[bot] in #251
- Bump com.google.guava:guava from 33.4.5-jre to 33.4.7-jre by @dependabot[bot] in #260
- Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.2 to 3.5.3 by @dependabot[bot] in #259
- Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 by @dependabot[bot] in #258
- Bump com.google.code.gson:gson from 2.12.1 to 2.13.1 by @dependabot[bot] in #266
- Bump junit.jupiter.version from 5.12.1 to 5.12.2 by @dependabot[bot] in #264
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.3 to 2.44.4 by @dependabot[bot] in #261
- Bump org.junit.platform:junit-platform-launcher from 1.12.1 to 1.12.2 by @dependabot[bot] in #269
- Bump com.google.guava:guava from 33.4.7-jre to 33.4.8-jre by @dependabot[bot] in #267
- Move to PQCA by @san-zrl in #276
- Update GitHub actions permission to push packages by @n1ckl0sk0rtge in #277
- Bump com.google.googlejavaformat:google-java-format from 1.26.0 to 1.27.0 by @dependabot[bot] in #273
- Update permissions to create mvn dependency graph by @n1ckl0sk0rtge in #278
- Replace IBM with PQCA in license header by @n1ckl0sk0rtge in #281
- chore: update CODEOWNERS by @ryjones in #282
- Bump sonar.python.version from 5.1.0.20567 to 5.4.0.22255 by @dependabot[bot] in #272
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.3.0.104237 to 25.5.0.107428 by @dependabot[bot] in #275
- Bump sonar.plugin.api.version from 11.3.0.2824 to 12.0.0.2960 by @dependabot[bot] in #280
- Bump advanced-security/maven-dependency-submission-action from 4 to 5 by @dependabot[bot] in #285
- Bump org.codehaus.mojo:exec-maven-plugin from 3.5.0 to 3.5.1 by @dependabot[bot] in #287
- Bump sonar.java.version from 8.10.0.38194 to 8.15.0.39343 by @dependabot[bot] in #288
- Bump junit.jupiter.version from 5.12.2 to 5.13.0 by @dependabot[bot] in #289
- Bump org.junit:junit-bom from 5.13.0 to 5.13.1 by @dependabot[bot] in #293
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.4 to 2.44.5 by @dependabot[bot] in #290
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.5.0.107428 to 25.6.0.109173 by @dependabot[bot] in #291
- Bump sonar.python.version from 5.4.0.22255 to 5.5.0.23291 by @dependabot[bot] in #298
- Bump org.bouncycastle:bcprov-jdk18on from 1.80 to 1.81 by @dependabot[bot] in #292
- Bump sonar.plugin.api.version from 12.0.0.2960 to 13.0.0.3026 by @dependabot[bot] in #303
- Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #307
- Bump org.junit:junit-bom from 5.13.1 to 5.13.4 by @dependabot[bot] in #308
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.6.0.109173 to 25.8.0.112029 by @dependabot[bot] in #312
- Bump actions/checkout from 4 to 5 by @dependabot[bot] in #313
- Bump sonar.python.version from 5.5.0.23291 to 5.8.0.24785 by @dependabot[bot] in #314
- Bump sonar.java.version from 8.15.0.39343 to 8.18.0.40025 by @dependabot[bot] in #315
- Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 by @dependabot[bot] in #316
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.5 to 2.46.1 by @dependabot[bot] in #317
- Bump actions/setup-java from 4 to 5 by @dependabot[bot] in #320
- Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 by @dependabot[bot] in #318
- Bump com.google.googlejavaformat:google-java-format from 1.27.0 to 1.28.0 by @dependabot[bot] in #319
- Remove vulnerabilities by @san-zrl in #321
- Chore/manage vulnerabilities by @san-zrl in #322
- Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #323
- Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #324
- upgrade sonar-java to 8.18.0.40025 and sonar-pyhthon to 5.8.0.24785 by @san-zrl in #325
- Fix NumberFormatException by @san-zrl in #332
- Generate CBOM by @san-zrl in #329
- Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.8.0.112029 to 25.9.0.112764 by @dependabot[bot] in #326
- Bump sonar.python.version from 5.8.0.24785 to 5.9.0.25193 by @dependabot[bot] in #327
- Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 by @dependabot[bot] in #328
- Bump sonar.plugin.api.version from 13.0.0.3026 to 13.1.0.3124 by @dependabot[bot] in #330
- Bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 by @dependabot[bot] in #331
- updated deprecated checkClasses functions by @san-zrl in #333
- Fix issue 297 by @n1ckl0sk0rtge in #299
- fixed CCM8 encoding by @san-zrl in #341
- Added headless check to avoid failing test in hl env by @san-zrl in #345
- Fix: enrich asset collections by @san-zrl in #344
- chore/updated links to cbomkit org by @san-zrl in #347
- Bump actions/checkout from 5 to 6 by @dependabot[bot] in #351
- Bump the maven group across 10 directories with 2 updates by @dependabot[bot] in #350
- Bump cbomkit/cbomkit-action from 2.1.1 to 2.1.2 by @dependabot[bot] in #349
- Bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #342
- Bump sonar.python.version from 5.9.0.25193 to 5.10.0.25429 by @dependabot[bot] in #334
- Update/cyclonedx 11.0.1 and sonar python 5.10.0.25429 by @san-zrl in #354
- Bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 by @dependabot[bot] in #335
- Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre by @dependabot[bot] in #336
- Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.4 by @dependabot[bot] in #337
- Bump sonar.plugin.api.version from 13.1.0.3124 to 13.2.0.3137 by @dependabot[bot] in #338
- Add support for Golang (gocrypto) by @n1ckl0sk0rtge in #361
- Bump org.junit:junit-bom from 5.13.4 to 6.0.2 by @dependabot[bot] in #360
- Bump sonar.plugin.api.version from 13.2.0.3137 to 13.4.3.4290 by @dependabot[bot] in #359
- Bump com.diffplug.spotless:spotless-maven-plugin from 2.46.1 to 3.2.0 by @dependabot[bot] in #358
- Bump org.codehaus.mojo:exec-maven-plugin from 3.5.1 to 3.6.3 by @dependabot[bot] in #357
- Bump sonar.python.version from 5.10.0.25429 to 5.16.0.29940 by @dependabot[bot] in #356
- Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #355
- Add Go AES-GCM cipher mode detection rules by @n1ckl0sk0rtge in #363
- refactored CryptoGoSensor to support integration wit CBOMkit by @san-zrl in #372
- feat: C# support (System.Security.Cryptography) - initial draft by @fynnth in #376
- Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.20.0 by @dependabot[bot] in #364
- Bump sonar.java.version from 8.18.0.40025 to 8.22.0.41895 by @dependabot[bot] in #366
- Bump org.cyclonedx:cyclonedx-core-java from 11.0.1 to 12.0.1 by @dependabot[bot] in #367
- Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.26 by @dependabot[bot] in #368
- Bump org.assertj:assertj-core from 3.27.4 to 3.27.7 by @dependabot[bot] in #369
- Bump the maven group across 11 directories with 1 update by @dependabot[bot] in #370
- Bump cbomkit/cbomkit-action from 2.1.2 to 2.2.0 by @dependabot[bot] in #373
- Bump actions/upload-artifact from 5 to 7 by @dependabot[bot] in #375
- test(java): add regression test for MD5 detection in JCA MessageDigest by @sachin9058 in #393
- integrate csharp scanner with cbomkit-lib by @san-zrl in #405
- Fixed obsolete license statements by @san-zrl in #416
- test(java): add RSADigestSigner constructor edge-case coverage by @sachin9058 in #410
- feat(pbes1): add OID mappings for PBES1 combinations by @Ayush-Patel-56 in #389
- added c# parser sources by @san-zrl in #454
- Fixes issue of empty CBOM creation when no SonarQube rule is activated by @medha-14 in #388
- improved handling and testing of empty CBOMs by @san-zrl in #455
- test(python): verify detection inside custom functions (part of #9) by @sachin9058 in #394
- test(java): verify occurrence locations for issue #339 by @sachin9058 in #430
- fix: detect pyca stream ciphers with mode=None by @Truty424 in #460
- Fix resolution of parameterized dictionary subscriptions by @somiljain2006 in #457
- Ed25519 and Ed448 generate() rules were matching too broadly by @Arijit429 in #429
- fixes handling of *args and **kwargs by @san-zrl in #466
- fix correct method name in ChaCha20Poly1305 ENCRYPT detection rule by @vishnudathks in #459
- Fix asset deduplication logic by @somiljain2006 in #465
- Remove csharp by @san-zrl in #467
- fix(python): detect standalone PyCA hash constructions by @sachin9058 in #464
- Enable DuplicateDependingFindingsTest by @somiljain2006 in #468
- Update algorithm names to match CycloneDX schema by @n1ckl0sk0rtge in #362
- perf(java): memoize BouncyCastle rule graph to cut construction heap (#476) by @n1ckl0sk0rtge in #477
- perf(engine): detach call-stack ASTs at leaveFile + self-contained heap harness by @n1ckl0sk0rtge in #481
- Bump the maven group across 11 directories with 2 updates by @dependabot[bot] in #479
- Bump actions/checkout from 6 to 7 by @dependabot[bot] in #473
- Bump org.junit:junit-bom from 6.0.2 to 6.0.3 by @dependabot[bot] in #380
- Bump org.apache.maven.plugins:maven-shade-plugin from 3.6.1 to 3.6.2 by @dependabot[bot] in #379
- Bump org.apache.maven.plugins:maven-resources-plugin from 3.3.1 to 3.5.0 by @dependabot[bot] in #378
- Bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.15.0 by @dependabot[bot] in #382
- Bump sonar.python.version from 5.16.0.29940 to 5.20.0.32295 by @dependabot[bot] in #381
- Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 by @dependabot[bot] in #488
- Bump sonar.python.version from 5.20.0.32295 to 5.25.0.34794 by @dependabot[bot] in #487
- Bump org.mockito:mockito-core from 5.17.0 to 5.23.0 by @dependabot[bot] in #486
- Bump org.cyclonedx:cyclonedx-core-java from 12.0.1 to 12.2.0 by @dependabot[bot] in #485
- Bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre by @dependabot[bot] in #484
- Bump the maven group across 11 directories with 1 update by @dependabot[bot] in #483
New Contributors
- @san-zrl made their first contribution in #276
- @ryjones made their first contribution in #282
- @fynnth made their first contribution in #376
- @sachin9058 made their first contribution in #393
- @Ayush-Patel-56 made their first contribution in #389
- @medha-14 made their first contribution in #388
- @Truty424 made their first contribution in #460
- @somiljain2006 made their first contribution in #457
- @Arijit429 made their first contribution in #429
- @vishnudathks made their first contribution in #459
Full Changelog: 1.3.7...1.6.1