
Releases: CROSSINGTUD/CryptoAnalysis

4.1.0

20 Dec 09:33
b4148e6

Release notes:

  • Due to important dependencies, CogniCryptSAST now requires Java 17 for builds and execution
  • All CrySL-related code has been transferred to the original CrySL repository

4.0.1

16 Sep 16:38
030dfbb

Release Notes:

4.0.0

10 Sep 12:22
7042486

Restructured project:

  • CryptoAnalysis now contains only the analysis components for CogniCryptSAST
  • HeadlessJavaScanner contains the "Front-End" for analyzing Java applications
  • HeadlessAndroidScanner contains the "Front-End" for analyzing Android applications

Running CryptoAnalysis 4.0.0 requires at least Java 11 and rulesets with version 3.0.0 or higher.

Attached you can find the CryptoAnalysis.jar, the HeadlessJavaScanner.jar, the HeadlessAndroidScanner.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.

3.2.1

26 Jul 13:59
4247bd6

Changes:

  • Fix a bug related to RequiredPredicateErrors
  • Update Tink dependency

Running CryptoAnalysis 3.2.1 requires at least Java 11 and rulesets with version 3.0.0 or higher.

Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.

3.2.0

26 Jul 13:53
3105469

Changes:

  • Integrate SPDS 3.1.2 into the project.
  • Add --timeout flag to determine the timeout for SPDS queries

Running CryptoAnalysis 3.2.0 requires at least Java 11 and rulesets with version 3.0.0 or higher.

Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.

3.1.2

26 Jul 13:47
e66170b

Changes:

  • Updated dependencies
  • Pre-Release version for minor update to 3.2.0

Running CryptoAnalysis 3.1.0 requires at least Java 11 and rulesets with version 3.0.0 or higher (recommended JCA 3.1.0).

Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.

3.1.1

26 Jul 13:41
3776bee

Changes:

  • Updated dependencies
  • Added GitHub-Annotation Reporter and Action
  • Fix IncompleteOperationErrors for multiple dataflow paths

Running CryptoAnalysis 3.1.1 requires at least Java 11 and rulesets with version 3.0.0 or higher (recommended JCA 3.1.0).

Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.

3.1.0

07 Feb 08:56
e5820a1

Add basic support for subsequent error detection. Each error references its preceding and subsequent errors, which improves the overall error detection and makes it easier to understand how errors relate to each other. In addition, the analysis is able to parse and handle predicates that contain the keyword this. An example could look like this:

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.init(64);                          // constraint error
SecretKey key = kg.generateKey();     // the key is not generated securely

A key size of 64 is not allowed. Therefore, the analysis reports a ConstraintError for KeyGenerator and kg is not secure. Hence, the key returned from generateKey() is not secure either, and a RequiredPredicateError is reported. This RequiredPredicateError references the previous ConstraintError and allows reasoning that the RequiredPredicateError is caused by the ConstraintError (and vice versa: the ConstraintError references the RequiredPredicateError, that is, the ConstraintError causes the RequiredPredicateError).

Note: Currently, preceding and subsequent errors are not yet included in the reports. They are only stored internally, which still allows testing the functionality.
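
The bidirectional linking described above, modeled as an added example that is not CryptoAnalysis code: the Finding class, its fields and rootCauses() are hypothetical names, and the two findings are constructed to match the KeyGenerator snippet. It shows how following the preceding links reduces a RequiredPredicateError to the ConstraintError that has to be fixed.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical model of linked findings; not CryptoAnalysis' internal classes.
public class ErrorChainDemo {

    static final class Finding {
        final String type;      // e.g. ConstraintError, RequiredPredicateError
        final String location;  // where the finding is reported
        final List<Finding> preceding = new ArrayList<>();
        final List<Finding> subsequent = new ArrayList<>();

        Finding(String type, String location) {
            this.type = type;
            this.location = location;
        }

        // Record the link in both directions, as the release note describes.
        void causes(Finding effect) {
            subsequent.add(effect);
            effect.preceding.add(this);
        }
    }

    // Walk the preceding links until findings without any cause are reached.
    static Set<Finding> rootCauses(Finding f, Set<Finding> seen) {
        Set<Finding> roots = new LinkedHashSet<>();
        if (!seen.add(f)) return roots;          // guard against cyclic links
        if (f.preceding.isEmpty()) roots.add(f); // nothing caused this finding
        for (Finding p : f.preceding) roots.addAll(rootCauses(p, seen));
        return roots;
    }

    public static void main(String[] args) {
        // Constructed findings for the KeyGenerator snippet above.
        Finding constraint = new Finding("ConstraintError", "key size 64 on KeyGenerator");
        Finding predicate = new Finding("RequiredPredicateError", "kg.generateKey()");
        constraint.causes(predicate);

        for (Finding root : rootCauses(predicate, new HashSet<>())) {
            System.out.println(predicate.type + " at " + predicate.location
                    + " is caused by " + root.type + " at " + root.location);
        }
    }
}
```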

Running CryptoAnalysis 3.1.0 requires at least Java 11 and rulesets with version 3.0.0 or higher (recommended JCA 3.1.0).

Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.

3.0.3

18 Jan 09:26
fd942eb

Changes:

  • Provide a GitHub Action to run CogniCryptSAST in workflows
  • Add a CLI option that allows ignoring specific sections (packages, classes and methods) of the target application during the analysis
  • Fix a bug where RequiredPredicateErrors are not reported correctly
  • Fix a bug related to multiple negated RequiredPredicates

Running CryptoAnalysis 3.0.3 requires at least Java 11 and rulesets with version 3.0.0 or higher.

Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 3.0.2 ruleset. The Examples.jar contains the example programs from here.

CryptoAnalysis 3.0.2

11 Jan 08:23
20c66c5

Changes:

  • Fix a bug where the same method calls from different classes are not parsed correctly
  • Updated dependencies

Running CryptoAnalysis 3.0.2 requires at least Java 11 and rulesets with version 3.0.0 or higher.

Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 3.0.2 ruleset. The Examples.jar contains the example programs from here.