v1.3.8

This release fixes an issue with Struts parsing on UNIX-based hosts (issue #10) and updates the Jsoup dependency.

v1.3.7

This release updates the log4j dependency from 1.2.17 to 2.17.1.

v1.3.6

This release updates Spring MVC and replaces a vulnerable dependency:

• Adds support for @RequestBody annotation in Spring MVC projects
• Allow multiple endpoint declarations via @RequestMapping annotation in Spring MVC projects
• Relaxed requirements for model object expansion/enumeration in Spring MVC projects
• Replace JSON parsing libraries to remove the vulnerable dependency on jackson-mapper-asl

v1.3.5

This release contains bugfixes for Rails projects:

• NullPointerException occurred under certain conditions
• Fix regex parse error for endpoints containing ({param})-like content
• Routes may fail to detect if comments in routes.rb contained scoping operators ie (, [, etc.
• Controllers would not be detected if they contained an inner class

v1.3.4

This release contains bugfixes and performance improvements.

Improvements:

• More accurate assignment of ASP.NET MVC/API/Core parameter types
• Minimize redundant disk access during file search operations
• Better parameter detection in Struts when checking for parameters referenced by an endpoint
• More comprehensive expansion of composite parameter types

Bugfixes:

• Exception occasionally thrown by internationalized DjangoEndpoint when calling compareRelevance
• ASP.NET MVC/API/Core parameters were included from unrelated routes
• Occasional duplication of composite parameter data types
• Multiple ASP.NET Web Forms endpoints referencing different files with the same name would be overwritten/ignored
• Struts endpoints could be generated from methods inherited from Struts-framework base-types ie ActionSupport.input
• Struts endpoint parameters could be over-culled when checking for references within the endpoint

v1.3.3

This release adds further support for ASP.NET Core by considering 2.1-specific APIs.

Improvements:

• Detect "Microsoft.AspNetCore.App" package references for ASP.NET Core detection
• Support ControllerBase as a valid base type for controllers
• Support for [ApiController] attribute on controllers
• Classes inherit attributes from their base types
• Support for ASP.NET Core parameter attributes - [FromQuery], [FromFile], [FromRoute], [FromForm], [FromServices]

v1.3.2

This release contains bugfixes primarily improving line number detection for endpoint source code.

Improvements:

• Better web.xml detection for struts projects
• Struts actions deferring to ActionSupport class have line numbers set to the result HTML/JSP/etc file
• Files and line numbers for Struts will map to execute method automatically if an action class is defined without a method
• Rails endpoints generated by recognized third-party routers have (lib) attached to source file names to indicate that the source code is not available but the endpoint is valid
• Better line range detection for Django endpoints
• JSP getLineNumberForParameter now returns first line occurrence of a parameter

Bugfixes:

• Struts actions deferring to JSP files no longer use endLine + 1 for source code end line
• Struts result file detection respects package namespacing
• Rails parsing detects module names embedded in class names while resolving route controllers
• JSP file extension checks no longer case-sensitive
• JSPF files are now ignored
• Fix occasional NullPointerException when parsing ASP.NET Core projects
• Fix exception in JSP parsing on case-sensitive file systems

v1.3.1

This release modifies the Endpoint.Info.fromEndpoint utility method to optionally clean source code information from Endpoint.Info objects.

v1.3.0

This release simplifies the contents of the Endpoint data types to minimize JSON footprint, and contains some small bugfixes.

JSON generated via com.denimgroup.threadfix.framework.engine.full.EndpointSerialization is incompatible with previous versions. This version cannot parse JSON pre-1.3.0, and previous versions are not guaranteed to parse JSON from this version.

Improvements:

• Remove redundant internal data from Endpoint implementations that may contain absolute file paths to the source code on the machine that generated the Endpoints
• Apply variant detection for ASP.NET MVC projects

Bugfixes:

• Fix NullPointerException when parsing an ASP.NET MVC project with a MapRoute call whose template string could not be determined

v1.2.18

This release contains improvements for ASP.NET MVC endpoint detection in the Hybrid Analysis Mapping (HAM) endpoint detection module.

ASP.NET MVC endpoint detection has undergone a significant refactor to support Web API, ASP.NET Core, and provide more accurate and complete results.

Improvements:

• Support multi-attribute attachments (ie [HttpGet, HttpDelete])
• Detect endpoints routed via naming conventions for Web API projects
• Convention-based routing supports methods with default parameter values (ie Get(int? id = 10) maps to / and /{id})
• Detect attribute parameters with and without explicit variable names (ie [Bind(Include = "...")] vs [Bind("...")])
• Generally more robust ASP.NET Core/Standard MVC/WebAPI endpoint detection
• Ignore methods with [NonAction] attached
• Support .UseMvcWithDefaultRoute() in ASP.NET Core
• Support for convention-based routing in ASP.NET Core
• Support for controller classes that do not directly inherit from Controller or ApiController, but have a base class that does
• Controller classes inherit actions from their base types, if available
• Detect parameter types by route constraints, if available
• Support [AcceptVerbs] attribute
• Support [RoutePrefix] and [Route] attributes for Web API

Bugfixes:

• Detect string interpolation and verbatim strings to avoid parsing errors
• Fix exception during endpoint matching that include wildcards
• Relax requirements on detection of MapRoute calls
• Change comments detection to work with interpolated strings
• Support default actions that are not named Index