SmartDec Scanner 3.5.0 Release Notes

Yelizaveta Kharlamova
SmartDec Cybersecurity Blog
Apr 29, 2020

Overview

SmartDec Scanner 3.5.0 has been released! This time we’ve worked on the analysis modules, added Rust support, implemented integration with Subversion, and fixed some UI imperfections.

What’s New

Analysis Modules

Rust: We’ve added Rust language support. This is the 33rd language we support.

Configuration file analysis now works as a full-fledged module.

  • Analysis settings: instead of the Analyze configuration files option, use the Config files checkbox in the list of languages.
  • Overview: we’ve added analysis module statistics: progress, time, number of analyzed code lines, number of vulnerabilities. Previously, analysis statistics for configuration files were implicitly included in overall analysis results. That was not obvious.
  • Detailed results: you can show/hide vulnerabilities found in configuration files using the corresponding filter.

Java, Scala, Kotlin, Android:

  • The standard libraries list has been extended. It is helpful when processing a long list of vulnerabilities: use the filter in Detailed results to hide vulnerabilities found in standard libraries. The full list of supported libraries can be found in the user guide.
  • Module optimization. We know that analyzing an application can take hours, but quality is more valuable, so we are constantly working on reducing analysis time without compromising quality. As a result of this work, applications are now analyzed faster on average.

Python: Version 2 or 3? It is now determined automatically. You no longer have to choose a Python version when starting an analysis.

C/C++: Makefile support. It’s a new level. Now you can analyze codebases that are built using a Makefile.

Vulnerability traces. Do you use them? They represent data flow graphs.

We added trace elements for

  • method declarations
  • method parameters

This should make results more readable.

User Interface

Jira task ID. We’ve added the Jira task ID to Detailed Results. Now you can see it in the list of created tasks. Click the ID to go to Jira and view the task details.

Export templates copying. Remember those flexible report settings we have? For convenience, we have predefined and custom templates. Now you can create a new export template as a copy of an existing one.

Multiple selection in drop-down lists has been added. Previously, when granting access to users or user groups, you had to choose projects one at a time. We resolved this issue, so creating new users and user groups has become faster.

Quick action buttons in the Projects section. One small change, and you can now open pages in new browser tabs.

Report

Number of vulnerabilities. We added vulnerability counts to the Vulnerability Table and the Comparison Table: the total number and the number of vulnerabilities actually included.

Jira information. Now you can include brief Jira task information in the report: ID, parent task, task type, priority, and assignee.

Integrations

Subversion: Integration implemented. Now you can start an analysis using a link to your Subversion repository.

Git, Subversion: Private repository settings. We added credential input fields (Username and Password) for analyzing code in private repositories. It’s up to you whether to securely save your credentials for rescanning or to specify them every time you launch a new scan.

Jenkins, Azure DevOps Server, TeamCity plugins: Updated report settings. All export settings implemented in the 3.4.0 UI are now available in the plugins. The same updates were made to the CLT (Command Line Tool) export settings.

Distributions

PostgreSQL. We implemented experimental support for the PostgreSQL database.

Vulnerability Scanning Rule Base

Vulnerability search algorithms have been improved. We do it constantly to reduce false positives and false negatives. We also added new vulnerability search rules and supplemented vulnerability descriptions.

See full statistics on added vulnerability search rules:

  • Apex: 1
  • C/C++: 10
  • C#: 3
  • COBOL: 1
  • Config files: 8
  • Delphi: 1
  • Go: 1
  • Java/Scala/Kotlin/Android: 1
  • JavaScript: 20
  • Objective-C: 32
  • Perl: 7
  • PHP: 11
  • PL/SQL: 1
  • Ruby: 1
  • Rust: 17
  • T-SQL: 1
  • TypeScript: 1
  • VB.NET: 30
  • VB6: 1
  • VBA: 1
  • VBScript: 1
  • 1С: 1

What’s Been Fixed

User Interface

  • Breadcrumbs wrapping. They were not placed where they were supposed to be. It was a small thing, but unpleasant.
  • Example tab editing in Rule Management. It was impossible to save changes to vulnerability examples. Now it’s possible.
  • The Make as default template option in the Export Report settings. The problem occurred when changing the default template.
  • Sorting user groups by number of users. There used to be weird sorting logic.
  • The Work with project groups for all users role didn’t work properly. Now the role allows creating project groups that are accessible to all users. If the role is not assigned, only private groups can be created.

Report

  • Graph axes. We restored the missing graph axes in Scan History.
  • Report downloading without selecting scans. Attempting to download a report with no scans selected would show an error. Now it works, and you can export a project summary without scan details.
  • Option to include/exclude the Table of Contents and Scan Information. You were not able to exclude this helpful information, even after disabling the options in the report settings. Although the information is helpful, you can now exclude it from the resulting report if you need to.

Integrations

  • LDAP: User registration date. The date was incorrect, and we fixed it.

Feel free to send us your feedback.

To request a SmartDec Scanner trial, contact us at sdscanner-sale@smartdec.com.

This article was created by SmartDec, a security team specializing in static code analysis, decompilation and secure development.

Feel free to use SmartCheck, our smart contract security tool for Solidity and Vyper, and follow us on Medium, Telegram and Twitter. We are also available for smart contract development and auditing work.