Skip to content

1.6.1

Latest

Choose a tag to compare

@n1ckl0sk0rtge n1ckl0sk0rtge released this 13 Jul 13:33
7174e60

Highlights

This is a performance-focused release. Scans of large projects previously accumulated multi-gigabyte heap usage in the detection engine; this release brings that down by orders of magnitude.

Performance

  • Engine: call-stack entries no longer pin the full AST of already-analyzed files — ASTs are detached at leaveFile while keeping cross-file hook resolution intact. On a full Keycloak scan this reduces the call-stack heap footprint from multiple GB to a few MB, and scans that previously exhausted a 6 GB heap now complete comfortably.
  • Java: the BouncyCastle detection rule graph is memoized instead of being rebuilt per file, cutting rule-construction heap churn.
  • A self-contained JUnit heap harness (CallStackHeapPerfTest) and a performance testing guide (docs/PERFORMANCE_TESTING.md) were added to keep these numbers verifiable.

Quality & maintenance

  • Dependency and toolchain bumps, incl. sonar-python 5.25, cyclonedx-core-java 12.2.0, JUnit BOM 6.0.3, Guava 33.6.0, Mockito 5.23.0, and Maven plugin updates.

What's Changed

  • Bump com.diffplug.spotless:spotless-maven-plugin from 2.43.0 to 2.44.2 by @dependabot[bot] in #208
  • Bump org.cyclonedx:cyclonedx-core-java from 9.1.0 to 10.1.0 by @dependabot[bot] in #203
  • Bump com.google.guava:guava from 33.3.1-jre to 33.4.0-jre by @dependabot[bot] in #210
  • Bump org.assertj:assertj-core from 3.26.3 to 3.27.3 by @dependabot[bot] in #211
  • Bump com.google.googlejavaformat:google-java-format from 1.25.0 to 1.25.2 by @dependabot[bot] in #213
  • Bump com.google.code.gson:gson from 2.11.0 to 2.12.1 by @dependabot[bot] in #215
  • Bump sonar.python.version from 4.24.0.18631 to 4.26.0.19456 by @dependabot[bot] in #205
  • fix issue 214, add test case by @n1ckl0sk0rtge in #216
  • Bump org.junit.platform:junit-platform-launcher from 1.11.3 to 1.11.4 by @dependabot[bot] in #218
  • Add support for MLKEM and MLDSA by @n1ckl0sk0rtge in #219
  • Add SHA1 oid by @n1ckl0sk0rtge in #220
  • Bump sonar.java.version from 8.8.0.37665 to 8.9.0.37768 by @dependabot[bot] in #204
  • Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.1.0.102122 to 25.2.0.102705 by @dependabot[bot] in #217
  • Bump sonar.plugin.api.version from 10.14.0.2599 to 11.1.0.2693 by @dependabot[bot] in #206
  • update sonar api version, update rules meta data, update docker compose by @n1ckl0sk0rtge in #221
  • Fix stack overflow error by @n1ckl0sk0rtge in #228
  • Bump org.apache.maven.plugins:maven-compiler-plugin from 3.13.0 to 3.14.0 by @dependabot[bot] in #226
  • Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.2 to 2.44.3 by @dependabot[bot] in #223
  • Bump sonar.java.version from 8.9.0.37768 to 8.10.0.38194 by @dependabot[bot] in #222
  • Add gcm parameter spec and tag related crypto assets by @n1ckl0sk0rtge in #229
  • Add iv parameter spec by @n1ckl0sk0rtge in #230
  • Update JcaPBEKeySpec, update test case for password output by @n1ckl0sk0rtge in #231
  • update junit by @n1ckl0sk0rtge in #232
  • fix pbe keylength interpretation; update tests by @n1ckl0sk0rtge in #233
  • Add HMAC enricher, update test cases by @n1ckl0sk0rtge in #234
  • Add gcm mode as part of detection for gcm parameter spec by @n1ckl0sk0rtge in #235
  • Fix key type specification by @n1ckl0sk0rtge in #237
  • add support for HSS and LMS for JCA by @n1ckl0sk0rtge in #239
  • Update README.md by @n1ckl0sk0rtge in #242
  • Fix missing message digest rules by @n1ckl0sk0rtge in #245
  • Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.2.0.102705 to 25.3.0.104237 by @dependabot[bot] in #244
  • Bump sonar.plugin.api.version from 11.1.0.2693 to 11.2.0.2797 by @dependabot[bot] in #240
  • Fix CallStack exception by @n1ckl0sk0rtge in #246
  • Update PythonSemantic by @n1ckl0sk0rtge in #247
  • Update python plugin version by @n1ckl0sk0rtge in #250
  • Bump org.cyclonedx:cyclonedx-core-java from 10.1.0 to 10.2.1 by @dependabot[bot] in #248
  • Bump sonar.plugin.api.version from 11.2.0.2797 to 11.3.0.2824 by @dependabot[bot] in #249
  • Bump com.google.guava:guava from 33.4.0-jre to 33.4.5-jre by @dependabot[bot] in #254
  • Bump org.junit.platform:junit-platform-launcher from 1.12.0 to 1.12.1 by @dependabot[bot] in #252
  • Bump junit.jupiter.version from 5.12.0 to 5.12.1 by @dependabot[bot] in #251
  • Bump com.google.guava:guava from 33.4.5-jre to 33.4.7-jre by @dependabot[bot] in #260
  • Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.2 to 3.5.3 by @dependabot[bot] in #259
  • Bump com.google.googlejavaformat:google-java-format from 1.25.2 to 1.26.0 by @dependabot[bot] in #258
  • Bump com.google.code.gson:gson from 2.12.1 to 2.13.1 by @dependabot[bot] in #266
  • Bump junit.jupiter.version from 5.12.1 to 5.12.2 by @dependabot[bot] in #264
  • Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.3 to 2.44.4 by @dependabot[bot] in #261
  • Bump org.junit.platform:junit-platform-launcher from 1.12.1 to 1.12.2 by @dependabot[bot] in #269
  • Bump com.google.guava:guava from 33.4.7-jre to 33.4.8-jre by @dependabot[bot] in #267
  • Move to PQCA by @san-zrl in #276
  • Update GitHub actions permission to push packages by @n1ckl0sk0rtge in #277
  • Bump com.google.googlejavaformat:google-java-format from 1.26.0 to 1.27.0 by @dependabot[bot] in #273
  • Update permissions to create mvn dependency graph by @n1ckl0sk0rtge in #278
  • Replace IBM with PQCA in license header by @n1ckl0sk0rtge in #281
  • chore: update CODEOWNERS by @ryjones in #282
  • Bump sonar.python.version from 5.1.0.20567 to 5.4.0.22255 by @dependabot[bot] in #272
  • Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.3.0.104237 to 25.5.0.107428 by @dependabot[bot] in #275
  • Bump sonar.plugin.api.version from 11.3.0.2824 to 12.0.0.2960 by @dependabot[bot] in #280
  • Bump advanced-security/maven-dependency-submission-action from 4 to 5 by @dependabot[bot] in #285
  • Bump org.codehaus.mojo:exec-maven-plugin from 3.5.0 to 3.5.1 by @dependabot[bot] in #287
  • Bump sonar.java.version from 8.10.0.38194 to 8.15.0.39343 by @dependabot[bot] in #288
  • Bump junit.jupiter.version from 5.12.2 to 5.13.0 by @dependabot[bot] in #289
  • Bump org.junit:junit-bom from 5.13.0 to 5.13.1 by @dependabot[bot] in #293
  • Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.4 to 2.44.5 by @dependabot[bot] in #290
  • Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.5.0.107428 to 25.6.0.109173 by @dependabot[bot] in #291
  • Bump sonar.python.version from 5.4.0.22255 to 5.5.0.23291 by @dependabot[bot] in #298
  • Bump org.bouncycastle:bcprov-jdk18on from 1.80 to 1.81 by @dependabot[bot] in #292
  • Bump sonar.plugin.api.version from 12.0.0.2960 to 13.0.0.3026 by @dependabot[bot] in #303
  • Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #307
  • Bump org.junit:junit-bom from 5.13.1 to 5.13.4 by @dependabot[bot] in #308
  • Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.6.0.109173 to 25.8.0.112029 by @dependabot[bot] in #312
  • Bump actions/checkout from 4 to 5 by @dependabot[bot] in #313
  • Bump sonar.python.version from 5.5.0.23291 to 5.8.0.24785 by @dependabot[bot] in #314
  • Bump sonar.java.version from 8.15.0.39343 to 8.18.0.40025 by @dependabot[bot] in #315
  • Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0 by @dependabot[bot] in #316
  • Bump com.diffplug.spotless:spotless-maven-plugin from 2.44.5 to 2.46.1 by @dependabot[bot] in #317
  • Bump actions/setup-java from 4 to 5 by @dependabot[bot] in #320
  • Bump org.assertj:assertj-core from 3.27.3 to 3.27.4 by @dependabot[bot] in #318
  • Bump com.google.googlejavaformat:google-java-format from 1.27.0 to 1.28.0 by @dependabot[bot] in #319
  • Remove vulnerabilities by @san-zrl in #321
  • Chore/manage vulnerabilities by @san-zrl in #322
  • Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #323
  • Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #324
  • upgrade sonar-java to 8.18.0.40025 and sonar-pyhthon to 5.8.0.24785 by @san-zrl in #325
  • Fix NumberFormatException by @san-zrl in #332
  • Generate CBOM by @san-zrl in #329
  • Bump org.sonarsource.sonarqube:sonar-plugin-api-impl from 25.8.0.112029 to 25.9.0.112764 by @dependabot[bot] in #326
  • Bump sonar.python.version from 5.8.0.24785 to 5.9.0.25193 by @dependabot[bot] in #327
  • Bump com.google.code.gson:gson from 2.13.1 to 2.13.2 by @dependabot[bot] in #328
  • Bump sonar.plugin.api.version from 13.0.0.3026 to 13.1.0.3124 by @dependabot[bot] in #330
  • Bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 by @dependabot[bot] in #331
  • updated deprecated checkClasses functions by @san-zrl in #333
  • Fix issue 297 by @n1ckl0sk0rtge in #299
  • fixed CCM8 encoding by @san-zrl in #341
  • Added headless check to avoid failing test in hl env by @san-zrl in #345
  • Fix: enrich asset collections by @san-zrl in #344
  • chore/updated links to cbomkit org by @san-zrl in #347
  • Bump actions/checkout from 5 to 6 by @dependabot[bot] in #351
  • Bump the maven group across 10 directories with 2 updates by @dependabot[bot] in #350
  • Bump cbomkit/cbomkit-action from 2.1.1 to 2.1.2 by @dependabot[bot] in #349
  • Bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #342
  • Bump sonar.python.version from 5.9.0.25193 to 5.10.0.25429 by @dependabot[bot] in #334
  • Update/cyclonedx 11.0.1 and sonar python 5.10.0.25429 by @san-zrl in #354
  • Bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 by @dependabot[bot] in #335
  • Bump com.google.guava:guava from 33.4.8-jre to 33.5.0-jre by @dependabot[bot] in #336
  • Bump org.apache.maven.plugins:maven-surefire-plugin from 3.5.3 to 3.5.4 by @dependabot[bot] in #337
  • Bump sonar.plugin.api.version from 13.1.0.3124 to 13.2.0.3137 by @dependabot[bot] in #338
  • Add support for Golang (gocrypto) by @n1ckl0sk0rtge in #361
  • Bump org.junit:junit-bom from 5.13.4 to 6.0.2 by @dependabot[bot] in #360
  • Bump sonar.plugin.api.version from 13.2.0.3137 to 13.4.3.4290 by @dependabot[bot] in #359
  • Bump com.diffplug.spotless:spotless-maven-plugin from 2.46.1 to 3.2.0 by @dependabot[bot] in #358
  • Bump org.codehaus.mojo:exec-maven-plugin from 3.5.1 to 3.6.3 by @dependabot[bot] in #357
  • Bump sonar.python.version from 5.10.0.25429 to 5.16.0.29940 by @dependabot[bot] in #356
  • Bump the maven group across 10 directories with 1 update by @dependabot[bot] in #355
  • Add Go AES-GCM cipher mode detection rules by @n1ckl0sk0rtge in #363
  • refactored CryptoGoSensor to support integration wit CBOMkit by @san-zrl in #372
  • feat: C# support (System.Security.Cryptography) - initial draft by @fynnth in #376
  • Bump org.apache.commons:commons-lang3 from 3.18.0 to 3.20.0 by @dependabot[bot] in #364
  • Bump sonar.java.version from 8.18.0.40025 to 8.22.0.41895 by @dependabot[bot] in #366
  • Bump org.cyclonedx:cyclonedx-core-java from 11.0.1 to 12.0.1 by @dependabot[bot] in #367
  • Bump ch.qos.logback:logback-classic from 1.5.18 to 1.5.26 by @dependabot[bot] in #368
  • Bump org.assertj:assertj-core from 3.27.4 to 3.27.7 by @dependabot[bot] in #369
  • Bump the maven group across 11 directories with 1 update by @dependabot[bot] in #370
  • Bump cbomkit/cbomkit-action from 2.1.2 to 2.2.0 by @dependabot[bot] in #373
  • Bump actions/upload-artifact from 5 to 7 by @dependabot[bot] in #375
  • test(java): add regression test for MD5 detection in JCA MessageDigest by @sachin9058 in #393
  • integrate csharp scanner with cbomkit-lib by @san-zrl in #405
  • Fixed obsolete license statements by @san-zrl in #416
  • test(java): add RSADigestSigner constructor edge-case coverage by @sachin9058 in #410
  • feat(pbes1): add OID mappings for PBES1 combinations by @Ayush-Patel-56 in #389
  • added c# parser sources by @san-zrl in #454
  • Fixes issue of empty CBOM creation when no SonarQube rule is activated by @medha-14 in #388
  • improved handling and testing of empty CBOMs by @san-zrl in #455
  • test(python): verify detection inside custom functions (part of #9) by @sachin9058 in #394
  • test(java): verify occurrence locations for issue #339 by @sachin9058 in #430
  • fix: detect pyca stream ciphers with mode=None by @Truty424 in #460
  • Fix resolution of parameterized dictionary subscriptions by @somiljain2006 in #457
  • Ed25519 and Ed448 generate() rules were matching too broadly by @Arijit429 in #429
  • fixes handling of *args and **kwargs by @san-zrl in #466
  • fix correct method name in ChaCha20Poly1305 ENCRYPT detection rule by @vishnudathks in #459
  • Fix asset deduplication logic by @somiljain2006 in #465
  • Remove csharp by @san-zrl in #467
  • fix(python): detect standalone PyCA hash constructions by @sachin9058 in #464
  • Enable DuplicateDependingFindingsTest by @somiljain2006 in #468
  • Update algorithm names to match CycloneDX schema by @n1ckl0sk0rtge in #362
  • perf(java): memoize BouncyCastle rule graph to cut construction heap (#476) by @n1ckl0sk0rtge in #477
  • perf(engine): detach call-stack ASTs at leaveFile + self-contained heap harness by @n1ckl0sk0rtge in #481
  • Bump the maven group across 11 directories with 2 updates by @dependabot[bot] in #479
  • Bump actions/checkout from 6 to 7 by @dependabot[bot] in #473
  • Bump org.junit:junit-bom from 6.0.2 to 6.0.3 by @dependabot[bot] in #380
  • Bump org.apache.maven.plugins:maven-shade-plugin from 3.6.1 to 3.6.2 by @dependabot[bot] in #379
  • Bump org.apache.maven.plugins:maven-resources-plugin from 3.3.1 to 3.5.0 by @dependabot[bot] in #378
  • Bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.15.0 by @dependabot[bot] in #382
  • Bump sonar.python.version from 5.16.0.29940 to 5.20.0.32295 by @dependabot[bot] in #381
  • Bump org.slf4j:slf4j-api from 2.0.17 to 2.0.18 by @dependabot[bot] in #488
  • Bump sonar.python.version from 5.20.0.32295 to 5.25.0.34794 by @dependabot[bot] in #487
  • Bump org.mockito:mockito-core from 5.17.0 to 5.23.0 by @dependabot[bot] in #486
  • Bump org.cyclonedx:cyclonedx-core-java from 12.0.1 to 12.2.0 by @dependabot[bot] in #485
  • Bump com.google.guava:guava from 33.5.0-jre to 33.6.0-jre by @dependabot[bot] in #484
  • Bump the maven group across 11 directories with 1 update by @dependabot[bot] in #483

New Contributors

Full Changelog: 1.3.7...1.6.1