Skip to main content

Release 4.10.0 - 07-12-2022

rules
  • Updated

Features

  • [ARCH-260] - Component shapes are not available for browser js
  • [ARCH-292] - Fix threadlocal management in hibernate context interceptor for quartz
  • [DRA-599] - Update Selenium library to 4.3.0
  • [DRA-601] - Remove Insert CSV functionality
  • [DRA-648] - Improve performance in cloning process
  • [DRA-775] - Rename component and usecase 'General Product Threats'
  • [DRA-787] - Move hardware, network, virtual icons to right shape files
  • [DRA-792] - Check if project's diagram is empty after removing all the components
  • [DRA-806] - Associate icons to the new Azure components definitions (bundles 31-34)
  • [DRA-810] - Associate icons to the new database CIS benchmarks
  • [INR-463] - Use permission ANALYTICS_SETTINGS_UPDATE instead of ROLE_ADMIN to access as sso_manager to Analytics Module
  • [MSR-345] - Solve technical issues to use rules engine with different inputs
  • [MSR-746] - Fix bottleneck detected when removing weaknesses during library update
  • [MSR-811] - Update External Library with new revision - CWE- 2022/10/26
  • [MSR-845] - Fix vulnerability on com.google.protobuf_protobuf-java
  • [OPT-395] - Allow .template to be a valid extension for CloudFormation Template files
  • [OPT-532] - Update 'swagger-parser' core dependency (vulnerability)
  • [OPT-566] - Prepare files for the next Startleft release testing
  • [RT-681] - Create indexes to improve versioning/cloning process
  • [RT-686] - Improve cloneScanControlsFromControlsToControls in versioning/cloning process
  • [SIN-649] - Allow users without SYSTEM_SETTINGS_UPDATE to modify analytics setting
  • [SIN-650] - New VIEW_USERS_ALL permission
  • [INR-281] - Countermeasure status and Implemented countermeasure widgets
  • [PT-400] - Startleft component identifier generation
  • [RT-604] - Offer an Expand All button for threats & countermeasures
  • [DRA-789] - Fix languages wrapped on one key
  • [RT-747] - The icon is overlapping text on the ApiToken popup
  • [SIN-672] - Analytics config missing header and not selecting section
  • [ARCH-207] - Grails 3 Migration - Phase 2 - Remove Grails Framework
  • [DRA-365] - Create a project version in a job (background)

Bug Fixes

  • [DRA-641] - Project's version banner not displaying well on mobile view
  • [DRA-760] - Template import issues (nesting and layers orders out of place)
  • [DRA-763] - Unable to reset diagram changes (on templates)
  • [DRA-813] - The info message while restoring a previous version does not disappear
  • [INR-442] - Improve the error message of the Knowi client when a role does not exist
  • [INR-459] - Change page event triggers multiple times
  • [MSR-375] - Add ... from existing... window lists Standard instead of Project as option on type selector
  • [MSR-858] - Unexpected error deleting RiskPattern/Library upon deleting a use case with Component rules that import RiskPatterns/Threats/Use Cases
  • [RT-611] - Countermeasures with same Reference ID
  • [RT-656] - Threats bulk actions in Tree View do not do anything if a parent category is not expanded
  • [RT-683] - Cannot see full comments on Countermeasure
  • [RT-684] - Display the user who has added the comment
  • [RT-695] - Mitigation value not correctly updated on all occurrences of threat_model table
  • [RT-712] - Auto sync execution for issue trackers fails and projects are not being updated
  • [RT-725] - WORKFLOW_ALL_CHANGE and WORKFLOW_CHANGE permission are not working properly
  • [RT-752] - Bad code format in vulnerability form
  • [SIN-696] - Authentication failed count is not updated when APIv2 login fails

Security Fixes

  • [ARCH-291] - Fix vulnerability in library com.fasterxml.jackson.core:jackson-databind
  • [ARCH-361] - Fix vulnerability in dependency com.fasterxml.woodstox:woodstox-core
  • [DRA-657] - Secure ProjectHeaderComponent callbacks
  • [DRA-658] - Secure ProjectMobileHeaderComponent callbacks
  • [DRA-663] - Secure TemplateMobileHeaderComponent callbacks
  • [DRA-665] - Secure TemplateNavigationSideBarComponent callbacks

API Changes

New Knowledge-base Content

Updated security standards:

  • [CON-1068] - OWASP ASVS security standard updated to v4.0.3.

  • [CON-1260] - OWASP MASVS security standard to v1.4.2.

  • [CON-1357] - CIS AWS Foundations Benchmark security standard updated to v1.5.0.

  • [CON-982] - CWE Top 25 Most Dangerous Software Weaknesses security standard to its latest version (2022).

Cloud components:

  • [CON-1358], [CON-1374] & [CON-1369] - New components for Azure

    • Azure App Config

    • Azure Datadog

    • Azure SQL Managed Instance

    • Azure Cognitive Services

    • Azure Citrix DaaS Standard for Azure

    • Azure Backup

    • Azure Table Storage

    • Azure Virtual Desktop

    • Azure Purview

    • Azure Cache for Redis

    • Azure Data Lake Storage

  • [CON-1365] - Fixed outdated AWS countermeasures:

    • Hydras-AWS-S3-7.4: Description changed and references removed from DynamoDB component

    • AWS-API-GW2:Description, test steps and references updated

    • Hydras-AWS-Network-5.1: Removed from Kinesis components

    • Hydras-AWS-EC2-6.1: Deleted from DynamoDB component

Content Updates:

  • [CON-1306] - Added 5 new database components (MariaDB, IBM Db2, Neo4j, CouchDB, and Hazelcast) to the CS-Default library

  • [CON-1370] - Added C-Arm component to Hardware library

  • [CON-1375] - Removed rule “ControlApplied: Authentication - Service - Stored Sensitive Data & Authenticated Required“ from CS-Default since it was not working

Detailed changelog ([N]ew/[E]dited/[D]eleted):

  • Component Definitions

    • [N] CD-C-ARM

    • [N] CD-MICROSOFT-AZURE-APP-CONFIG

    • [N] CD-MICROSOFT-AZURE-BACKUP

    • [N] CD-MICROSOFT-AZURE-CACHE-REDIS

    • [N] CD-MICROSOFT-AZURE-CITRIX-DAAS

    • [N] CD-MICROSOFT-AZURE-COG-SER

    • [N] CD-MICROSOFT-AZURE-DATA-LAKE-STORAGE

    • [N] CD-MICROSOFT-AZURE-DATADOG

    • [N] CD-MICROSOFT-AZURE-PURVIEW

    • [N] CD-MICROSOFT-AZURE-SQL-MI

    • [N] CD-MICROSOFT-AZURE-TABLE-STORAGE

    • [N] CD-MICROSOFT-AZURE-VIRTUAL-DESKTOP

    • [E] CD-MICROSOFT-AZURE-BLOB-STORAGE ["riskPatterns"]

    • [E] CD-MICROSOFT-AZURE-QUEUE-STORAGE ["riskPatterns"]

    • [N] CD-COUCHDB

    • [N] CD-HAZELCAST

    • [N] CD-IBM-DB2

    • [N] CD-MARIADB

    • [N] CD-NEO4J

  • Controls

    • [D] AZ-S01

    • [D] AZ-S02

    • [D] AZ-S04

    • [N] C-AZURE-COG-SER1

    • [N] C-AZURE-COG-SER2

    • [N] C-AZURE-RLS

    • [N] C-AZURE-ALWAYS-ENCRYPT

    • [N] C-AZURE-APP-CONFIG2

    • [N] C-AZURE-APP-CONFIG1

    • [N] C-AZURE-STORAGE4

    • [N] C-AZURE-STORAGE3

    • [N] C-AZURE-STORAGE2

    • [N] C-AZURE-STORAGE1

    • [N] C-AZURE-SQL-MI1

    • [N] C-AZURE-DATADOG5

    • [N] C-AZURE-DATADOG4

    • [N] C-AZURE-DATADOG3

    • [N] C-AZURE-DATADOG2

    • [N] C-AZURE-DATADOG1

    • [N] C-AZURE-BACKUP2

    • [N] C-AZURE-BACKUP1

    • [E] Hydras-AWS-S3-7.4 ["name","desc"]

    • [E] aws-tier-6.30 ["name"]

    • [E] AWS-API-GW2 ["desc","steps"]

    • [E] Hydras-AWS-Network-5.5 ["name","desc"]

    • [N] C-AWS-SEC-HUB2

  • RiskPattern

    • [E] AZURE-STORAGE ["desc"]

    • [N] RP-AZURE-APP-CONFIG

    • [N] RP-AZURE-BACKUP

    • [N] RP-AZURE-CACHE-REDIS

    • [N] RP-AZURE-CITRIX-DAAS

    • [N] RP-AZURE-COG-SER

    • [N] RP-AZURE-DATADOG

    • [N] RP-AZURE-PURVIEW

    • [N] RP-AZURE-SQL-MI

    • [N] RP-AZURE-TABLE-STORAGE

    • [N] RP-AZURE-VIRTUAL-DESKTOP

  • Rules

    • [D] ControlApplied: Authentication - Service - Stored Sensitive Data & Authenticated Required

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk