v1.2.17.1

This release contains bugfixes and small changes to improve support for ASP.NET Web APIs.

Improvements:

• Support for annotation-based explicit routing on methods via [Get("/path")], etc.
• Support for annotation-based explicit routing on controllers as base paths via [Route("/baseroute")]
• Support for controller methods returning IActionResult, Task<IActionResult>
• Support for detecting ASP.NET Core projects by detecting Microsoft.AspNetCore.Mvc namespace references

Bugfixes:

• Controller parsing would fail if a different class declaration preceded the controller definition in the same file
• Renormalize ASP.NET endpoints to start with /

v1.2.17

This release contains various bugfixes for the Hybrid Analysis Mapping (HAM) endpoint detection module. The threadfix-endpoint-cli project has been moved to a dedicated repository.

Improvements:

• ASP MVC route detection respects namespace restrictions
• Update ASP MVC root directory detection via .sln file
• Add project detection for JSP
• Re-introduce line-number/parameter mapping in endpoints
• Properly detect Rails parameter types
• Many changes to Rails route detection to improve robustness
• Rails parameter names normalized to ie {id} instead of :id
• Extend Java model type traversion when expanding model-type endpoint parameters
• Struts adds endpoint parameters from action properties

Bug fixes:

• Make Web Forms ASCX control matching case-insensitive
• Fix thread pool leak after running Django parser in parallel
• Django no longer produces duplicate routes in some cases
• Fix serialization exception for Django endpoints due to invalid regex format
• Prevent endpoint over-matching in GeneratorBasedEndpointDatabase
• Remove Struts filtering of file paths containing 'test'
• Fix null reference exception in Struts default action mapper
• Fix duplication of Rails Resources entries when using concerns, fix concern copies not stored in hierarchy, stop concern from declaring endpoints on its own
• Fix incorrect MPL link in master pom
• Fix exception when using jsoup 1.11.3

v1.2.16

This release contains various improvements and bugfixes for the Hybrid Analysis Mapping (HAM) endpoint detection module.

New Features:

• Add -output-file and -json/-simple-json parameters for direct JSON output to a file

Improvements:

• Add multi-project detection for Web Forms projects
• ASP MVC endpoints properly return parametric endpoint parameters
• Assign endpoint line numbers for JSP servlets
• Assign endpoint line numbers and parameters for Rails projects
• Add JSON serialization for endpoint collections

Bug fixes:

• ASP MVC As*x parsing now ignores \ as an escape character
• Fix for ASP MVC default routes
• Fix for Rails controller file resolution in some cases
• Fix for incorrect Rails framework detection

v1.2.13

This release contains various improvements and bugfixes for the Hybrid Analysis Mapping (HAM) endpoint detection module.

New Features:

• HAM module can detect multiple frameworks from a single project
• Add endpoint parsing support for Spring MVC Get/Post/Put/DeleteMappings annotations

Improvements:

• Improve framework detection between ASP.NET MVC and Web Forms
• Web Forms endpoints now report whole .aspx.cs file as line range, in absence of better alternative
• Ignore JSP files in WEB-INF folder
• Added proper detection of django project root directory
• Better endpoint line range detection in Struts projects

Bug fixes:

• ZIP endpoint detection now auto-deletes the temporary output folder
• Fix incorrect file paths for ASP Web Forms projects
• Occasional exception for Web Forms projects
• Change default HAM log level from DEBUG to WARN
• Fix exception for Spring MVC endpoint parsing if an endpoint contains ** patterns
• Fix out-of-bounds exception in JSP parsing
• Fix JSP and Django occasional NullPointerExceptions

v1.2.11

This release includes various bugfixes, small improvements for the Hybrid Analysis Mapping (HAM) endpoint detection module, and removes the ZAP and Burp plugins from the repository. These plugins can now be found at the following links, respectively:

• https://github.com/secdec/attack-surface-detector-zap
• https://github.com/secdec/attack-surface-detector-burp

A new version numbering system is used to reflect the incremental changes in these updates.

New features:

• New class in HAM API for generating an endpoint structure tree
• HAM module can accept ZIP files containing source code and generate endpoints

Improvements:

• HAM endpoint serialization no longer requires specifying the framework type of the endpoint
• threadfix-endpoints-cli includes validation checks for endpoint source file paths
• Add wildcard endpoint mapping for .NET MVC and Spring MVC endpoints
• Add isRelevant to Endpoint interface for absolute relevancy checks during endpoint matching
• Struts endpoints inherit parameters from parent classes, if available
• Better best-match framework detection for unidentified projects
• Struts endpoint detection ignores non-web files for public resources

Bugfixes:

• Source file paths and endpoints would occasionally not be detected properly on Windows vs *NIX platforms
• Fix exception in JSP parsing under different platforms
• Normalize URL path separators to /
• Various misc. improvements/bugfixes for Struts parsing
• Endpoints are normalized to always start with /
• Struts endpoint method end line was incorrectly detected if the method throw exceptions
• JSP line counts not detected properly

Other:

• Replace Apache License with Mozilla Public License 2.0

v1.2.0

This release contains updates for the ZAP and Burp scanner plugins, and various updates for the Hybrid Analysis Mapping (HAM) endpoint detection module.

New features:

• ZAP plugin generates an Endpoints table
• The HAM module provides an API for serialization of whole Endpoint objects, enabling access to extra data and features over the original EndpointInfo type

Improvements:

• Organization of endpoint variants is improved
• Add getEndingLine to Endpoint interface
• Print more information from the threadfix-cli-endpoints utility

Bugfixes:

• Burp plugin removes old detected endpoints when new endpoints are imported
• Endpoint HTTP methods imported from a Spring MVC project would include the whole annotation name for the endpoint
• Django endpoint parsing would occasionally crash when parsing 3rd-party libraries
• Duplicate endpoints would occasionally be generated for Django projects

Other:

• Importing endpoints in ZAP and Burp from a threadfix server has been removed; only import from local source code is supported

v1.0.0

First release as a branch of the public Threadfix Community Edition.

This branch focuses on integration with the Application Security Threat Attack Modeling (ASTAM) project, sponsored by the Department of Homeland security.

These changes are accompanied by a release of the threadfix-ham module and its dependencies to Maven.

New features:

• Data model and pipeline for integration with the ASTAM Central Data Store to consolidate security findings across multiple software vulnerability management systems.
• Hybrid Analysis Mapping (HAM) supports merging findings in Django projects
• Various improvements to HAM endpoint detection for all supported frameworks
• ZAP and Burp integration provides parameter types for endpoints

Improvements:

• HAM detects endpoints in ASP.NET Core projects
• HAM supports Areas in ASP.NET MVC projects, attribute-based HTTP method bindings
• HAM supports Servlets in JSP projects via web.xml and annotations
• HAM endpoint mapping for a dynamic analysis result uses ranking to determine a best-match over exact matching
• HAM Spring MVC endpoint detection supports the Convention and REST plugins, multiple action mappers
• HAM Rails endpoint detection supports all major syntaxes for route declarations, includes Devise plugin
• HAM Django endpoint detection uses a custom, fault-tolerant Python interpreter to resolve indirect route declarations, supports DjangoAdmin API
• HAM endpoint parameter detection uses various methods to improve effectiveness and correctness
• Formal support in HAM for endpoint parametrics detection (ie /users/{userId})
• HAM endpoints formalize "variants", which are effective aliases for the same endpoint
• Burp plugin includes toggle for spidering after importing endpoints, shows more details for imported endpoints
• Burp and ZAP plugins show each HTTP request method as separate endpoints, so that parameters between ie GET and POST endpoints can be distinguished
• threadfix-endpoints-cli tool can accept a list of multiple project paths

Bugfixes:

• ASP.NET MVC route detection can use multiple route declerations, is no longer case-sensitive
• ASP.NET Web Forms route detection exports explicit and extensionless endpoints
• Burp extension no longer throws exception when importing an application address without a port

Other:

• Importing endpoints in ZAP and Burp from a threadfix server has been deprecated