Releases: CROSSINGTUD/CryptoAnalysis
3.2.0
Changes:
- Integrate SPDS 3.1.2 into the project.
- Add --timeout flag to determine the timeout for SPDS queries
Running CryptoAnalysis 3.2.0 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.1.2
Changes:
- Updated dependencies
- Pre-Release version for minor update to 3.2.0
Running CryptoAnalysis 3.1.0 requires at least Java 11 and rulesets with version 3.0.0 or higher (recommended JCA 3.1.0).
Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.1.1
Changes:
- Updated dependencies
- Added GitHub-Annotation Reporter and Action
- Fix IncompleteOperationErrors for multiple dataflow paths
Running CryptoAnalysis 3.1.1 requires at least Java 11 and rulesets with version 3.0.0 or higher (recommended JCA 3.1.0).
Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.1.0
Add basic support for subsequent error detection. Each error references its preceding and subsequent errors, which improves the overall error detection and makes it easier to understand how errors relate to each other. In addition, the analysis can now parse and handle predicates that contain the keyword this. An example of subsequent error detection could look like this:
```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.init(64); // constraint error: key size 64 is not allowed
SecretKey key = kg.generateKey(); // the key is not generated securely
```
A key size of 64 is not allowed. Therefore, the analysis reports a ConstraintError for KeyGenerator, and kg is not secure. Hence, the key returned from generateKey() is not secure either, and a RequiredPredicateError is reported. This RequiredPredicateError references the previous ConstraintError, which allows reasoning that the RequiredPredicateError is caused by the ConstraintError (and vice versa: the ConstraintError references the RequiredPredicateError, that is, the ConstraintError causes the RequiredPredicateError).
Note: Currently, preceding and subsequent errors are not yet included in the reports. They are only stored internally, which still allows testing the functionality.
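The two-way references described above can be used to separate root causes from follow-on findings. The following is an added illustration, not CryptoAnalysis code: the Finding class, its fields and the statement labels are hypothetical and only model the relationship between the two error types named in this release.

```java
import java.util.*;

// Hypothetical model of linked findings; these are not CryptoAnalysis's internal classes.
public class LinkedErrorTriage {
    static final class Finding {
        final String kind;      // error type name as used in the release notes
        final String statement; // constructed description of the offending statement
        final List<Finding> preceding = new ArrayList<>();
        final List<Finding> subsequent = new ArrayList<>();
        Finding(String kind, String statement) { this.kind = kind; this.statement = statement; }
        // Record that this finding causes `effect`, linking both directions.
        void causes(Finding effect) { subsequent.add(effect); effect.preceding.add(this); }
    }

    // Root causes are findings without a preceding error; fixing them first may clear the rest.
    static List<Finding> rootCauses(Collection<Finding> all) {
        List<Finding> roots = new ArrayList<>();
        for (Finding f : all) if (f.preceding.isEmpty()) roots.add(f);
        return roots;
    }

    // Collect every finding reachable through subsequent links; the seen set guards against cycles.
    static Set<Finding> downstream(Finding root) {
        Set<Finding> seen = new LinkedHashSet<>();
        Deque<Finding> work = new ArrayDeque<>(root.subsequent);
        while (!work.isEmpty()) {
            Finding f = work.pop();
            if (seen.add(f)) work.addAll(f.subsequent);
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the KeyGenerator example above.
        Finding c = new Finding("ConstraintError", "key size 64 passed to KeyGenerator");
        Finding r = new Finding("RequiredPredicateError", "key returned by generateKey()");
        c.causes(r);
        for (Finding root : rootCauses(List.of(c, r))) {
            System.out.println("root: " + root.kind + " at " + root.statement);
            for (Finding d : downstream(root))
                System.out.println("  caused: " + d.kind + " at " + d.statement);
        }
    }
}
```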
Running CryptoAnalysis 3.1.0 requires at least Java 11 and rulesets with version 3.0.0 or higher (recommended JCA 3.1.0).
Attached you can find the CryptoAnalysis.jar, the CryptoAnalysis-Android.jar and the JavaCryptographicArchitecture version 3.1.0 ruleset. The Examples.jar contains the example programs from here.
3.0.3
Changes:
- Provide a GitHub action to run CogniCryptSAST in workflows
- Add a CLI option that allows ignoring specific sections (packages, classes and methods) of the target application during the analysis
- Fix a bug where RequiredPredicateErrors are not reported correctly
- Fix a bug related to multiple negated RequiredPredicates
Running CryptoAnalysis 3.0.3 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 3.0.2 ruleset. The Examples.jar contains the example programs from here.
CryptoAnalysis 3.0.2
Changes:
- Fix a bug where the same method calls from different classes are not parsed correctly
- Updated dependencies
Running CryptoAnalysis 3.0.2 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 3.0.2 ruleset. The Examples.jar contains the example programs from here.
CryptoAnalysis 3.0.1
Changes:
- Improved the negated predicates mechanism
- Fixed a bug where similar violations are not reported correctly
Running CryptoAnalysis 3.0.1 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 3.0.2 ruleset. The Examples.jar contains the example programs from here.
CryptoAnalysis 3.0.0
Major version update to include the changes from CrySL 3.0.0 and to improve the analysis overall.
Changes:
- Support exception handling: CryptoAnalysis reports an 'UncaughtExceptionError' if a method may throw an exception that is not caught, but the CrySL rule specifies a required exception handling.
- Inherited methods are now considered in the analysis: Previously, if only the superclass of a class defined a method, the method was not part of the typestate computation, that is, the analysis reported a false positive TypestateError.
- All sections (except SPEC) are now optional
- Validation of CrySL rules: If a CrySL rule contains any errors, CryptoAnalysis reports the error and ignores the rule.
- Further small changes to increase the precision of the analysis
Running CryptoAnalysis 3.0.0 requires at least Java 11 and rulesets with version 3.0.0 or higher.
Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 3.0.2 ruleset.
CryptoAnalysis 2.8.1
Changes:
- Update dependencies
With this version, Java 11 is required to build and run the project.
Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 1.5.2 ruleset.
Release 2.8.0
Changes:
- Refactored reporters
- Updated tests
Note that CryptoAnalysis 2.8.0 is the last version that can be built with Java 8. After that, Java 11 is required. Moreover, CryptoAnalysis 2.8.0 is only compatible with CrySL 2.0.2.
Attached you can find the CryptoAnalysis jar, the CryptoAnalysis-Android jar and the JavaCryptographicArchitecture version 1.5.2 ruleset.