Releases: CROSSINGTUD/CryptoAnalysis
4.1.0
4.0.1
Release Notes:
4.0.0
Restructured project:
- CryptoAnalysis now contains only the analysis components for CogniCryptSAST
- HeadlessJavaScanner contains the "Front-End" for analyzing Java applications
- HeadlessAndroidScanner contains the "Front-End" for analyzing Android applications
Running CryptoAnalysis 4.0.0 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis.jar, the HeadlessJavaScanner.jar, the HeadlessAndroidScanner.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.2.1
Changes:
-Fix a bug related to RequiredPredicateErrors
-Update Tink dependency
Running CryptoAnalysis 3.2.1 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.2.0
Changes:
- Integrate SPDS 3.1.2 into the project.
- Add --timeout flag to determine the timeout for SPDS queries
Running CryptoAnalysis 3.2.0 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.1.2
Changes:
- Updated dependencies
- Pre-Release version for minor update to 3.2.0
Running CryptoAnalysis 3.1.0 requires at least Java 11 and rulesets with version 3.0.0 or higher (recommended JCA 3.1.0).
Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.1.1
Changes:
-Updated dependencies
-Added GitHub-Annotation Reporter and Action
-Fix a IncompleteOperationErrors for multiple dataflow paths
Running CryptoAnalysis 3.1.1 requires at least Java 11 and rulesets with version 3.0.0 or higher (recommended JCA 3.1.0).
Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.1.0
Add basic support for subsequent error detection. Each error references preceding and subsequent errors, which improves the overall error detection, and which allows comprehending errors. In addition to that, the analysis is able to parse and deal with predicates that contain the keyword this. An example could look like this:
KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.initialize(64); // constraint error
SecretKey key = kg.generateKey(); // the key is not generated securely
A key size of 64
is not allowed. Therefore, the analysis reports a ConstraintError
for KeyGenerator
and kg
is not secure. Hence, the returned key from generateKey()
is not secure, too, and a RequiredPredicateError
is reported. This RequiredPredicateError
references the previous ConstraintError
and allows reasoning that the RequiredPredicateError
is caused by the ConstraintError
(and vice versa: the ConstraintError
references the RequiredPredicateError
, that is, the ConstraintError
causes the RequiredPredicateError
).
Note: Currently, preceding and subsequent errors are not included in the reports, yet. They are only stored internally, which still allows testing the functionality.
Running CryptoAnalysis 3.1.0 requires at least Java 11 and rulesets with version 3.0.0 or higher (recommended JCA 3.1.0).
Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.0.3
Changes:
- Provide a Github action to run CogniCryptSAST in workflows
- Add a CLI option that allows ignoring specific sections (packages, classes and methods) of the target application during the analysis
- Fix a bug, where RequiredPredicateErrors are not reported correctly
- Fix a bug related to multiple negated RequiredPredicates
Running CryptoAnalysis 3.0.3 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 3.0.2 ruleset. The Examples.jar contains the example programs from here.
CryptoAnalysis 3.0.2
Changes:
-Fix a bug, where the same method calls from different classes are not parsed correctly
-Updated dependencies
Running CryptoAnalysis 3.0.2 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 3.0.2 ruleset. The Examples.jar contains the example programs from here.