Releases: SonarSource/sonar-iac
1.33.0.11761
Release notes - SonarIac - 1.33
Bug
SONARIAC-1541 Docker parser should parse file with comments only
SONARIAC-1542 Docker parser should not crash on empty interpolation or other formats
SONARIAC-1543 Docker parser should not crash when heredoc is connected to another program
SONARIAC-1545 Docker parser should support special double-quotes
SONARIAC-1547 Docker parser should not crash when characters are positioned after EXEC form
SONARIAC-1566 Docker parser should consider Exec form with characters behind as Shell form
False-Positive
SONARIAC-1554 S6587 should not report RUN instructions with cache mount
SONARIAC-1559 S7018 should not report shell redirects
SONARIAC-1565 S7021 should not raise on special locations such as ~ (Unix) or %location% (Windows)
SONARIAC-1577 S7030 should not raise on Exec form that contains an empty string
SONARIAC-1578 S7030 should not raise an issue if there are no quotes between brackets and the characters behind them
New Feature
SONARIAC-593 Handle the value of variables set by ENV instruction
SONARIAC-1538 S7018: Arguments in multi-line RUN instructions should be sorted
SONARIAC-1539 S7020: Too long RUN instructions should be split
SONARIAC-1540 S7021: WORKDIR instruction should only be used with absolute path
SONARIAC-1546 S7019: Prefer Exec form for ENTRYPOINT and CMD instructions
SONARIAC-1548 S7023: Use digest to pin versions of base images
SONARIAC-1550 S7026: Use ADD to retrieve remote resources
SONARIAC-1552 S7028: Descriptive labels are mandatory
SONARIAC-1553 S7029: Prefer COPY over ADD for copying local resources
SONARIAC-1555 S7031: Reduce the number of consecutive RUN instructions
SONARIAC-1556 Make Helm analyzer compatible with SonarLint part 2
SONARIAC-1567 S7030: Malformed JSON in Exec form leads to unexpected behavior
SONARIAC-1579 Add STIG metadata support
Improvement
SONARIAC-1391 Deprecate S6497
SONARIAC-1551 Docker parser should support instruction `CROSS_BUILD_COPY`
1.32.0.11383
Release notes - SonarIac - 1.32
Bug
SONARIAC-1523 Location shifting should be invoked for secondary locations in other Helm files
False-Positive
SONARIAC-1537 S6893 should not report an issue for comment in helm directive without spaces
False Negative
SONARIAC-1514 S6864 should be raised when pod contains multiple containers
New Feature
SONARIAC-1137 Support for Helm-specific rules
SONARIAC-1212 S6865: Should not raise an issue with an accompanied ServiceAccount
SONARIAC-1228 S6870: Should not raise with LimitRange in the same namespace setting Storage Limits
SONARIAC-1293 S117: Local variable and method parameter names should comply with a naming convention
SONARIAC-1296 S6873: Memory requests should be specified
SONARIAC-1298 S6892: CPU requests should be specified
SONARIAC-1304 S6893: Ensure whitespace in-between braces in template directives
SONARIAC-1310 S1874: Deprecated code should not be used
SONARIAC-1311 S6897: Storage requests should be specified
SONARIAC-1323 S6596: Specific version tag for image should be used
SONARIAC-1325 S6907: Environment variables for a container should not be duplicated
SONARIAC-1326 S6907: Check for duplicate keys in ConfigMap and Secret used from `envFrom`
SONARIAC-1533 Make Kubernetes analyzer compatible with SonarLint
SONARIAC-1534 Make Helm analyzer compatible with SonarLint
Improvement
SONARIAC-1204 S6864: Should not raise with LimitRange in the same namespace setting Memory Limit
SONARIAC-1278 S6869: Should not raise with LimitRange in the same namespace setting CPU Limit
SONARIAC-1297 S6873: Should not raise with LimitRange in the same namespace setting Memory Requests
SONARIAC-1299 S6892: Should not raise with LimitRange in the same namespace setting CPU Requests
SONARIAC-1312 S6897: Should not raise with LimitRange in the same namespace setting Storage Requests
SONARIAC-1509 Print more data in Kubernetes Parsing Statistics
SONARIAC-1527 Calculate text ranges of the Go AST nodes lazily
SONARIAC-1529 Secondary locations on other files should be disabled with a specific option per rule
1.31.0.10579
Release notes - SonarIac - 1.31
Bug
SONARIAC-1322 Empty file suffixes are not substituted with defaults with SQ 10.4
SONARIAC-1392 Should not throw parse exception strconv.Atoi when reading _resources.tpl
SONARIAC-1485 Docker parser should not create invalid offset on multiline bash script
False-Positive
SONARIAC-437 S6258 should not raise on Azure Storage Account logging
SONARIAC-789 Take dynamic blocks into account when detecting absence of properties
SONARIAC-855 S6437 Refine openssl secret generation command detection
SONARIAC-1008 S4423 Add support for Azure MSSQL
SONARIAC-1009 S4423 Weak SSL/TLS protocols should not be detected when using AWS API Gateway
SONARIAC-1030 S6330 Should consider correct default queue encryption (SSE-SQS)
SONARIAC-1035 S4423 should not report missing property for Azure resources with azurerm >= 3.0
SONARIAC-1096 S6380 ARM Detection logic needs to be adjusted
SONARIAC-1141 S6587 should not raise on apt-get when installing a local package
SONARIAC-1260 S6596 should not raise an issue on docker special image `scratch`
SONARIAC-1418 S6596 should not raise on references to previous build stages when previous stage is unresolvable
SONARIAC-1465 S1192 should not raise on strings that are formatted
SONARIAC-1467 S6380 should not raise on storageAccounts when allowBlobPublicAccess is not set
SONARIAC-1468 S1192 should not raise on module path
False Negative
SONARIAC-784 S6413 should be raised when insights block is missing or disabled
SONARIAC-1022 S6506 Detection should not be thwarted by addition of parameters
SONARIAC-1023 S6245 Checking AWS::S3::Bucket should not rely on properties
Improvement
SONARIAC-1489 Deprecate S6869: CPU limits should be enforced
1.30.0.10357
Release notes - SonarIac - 1.30
Bug
SONARIAC-1451 Properties grammar should accept key that contains comments indicators
SONARIAC-1459 Resolve Parsing Issues on Spring Configuration Files
New Feature
SONARIAC-1393 S6437: Support detection of Hardcoded Secrets for Spring configuration
SONARIAC-1394 S5693: Support detection of Excessive File Upload Size Limit for Spring configuration
SONARIAC-1395 S4507: Support detection of enabled Debug Features in Spring configuration
SONARIAC-1396 S4423: Support detection of TLS Protocol Downgrades for Spring configuration
SONARIAC-1397 S2092: Support detection of misconfigured "Secure" cookie flags in Spring configuration
SONARIAC-1398 S3330: Support detection of misconfigured "HttpOnly" cookie flags in Spring configuration
SONARIAC-1430 Implement "SpringConfigSensor"
SONARIAC-1431 Convert parsed properties file to "SpringConfigTree"
SONARIAC-1432 Onboard the "spring-config" extension into the sonar-iac plugin
SONARIAC-1435 Generate Parser and Visitor with ANTLR for properties file
SONARIAC-1437 Implement metrics and highlighting visitors for .properties files
SONARIAC-1438 Implement "SpringConfig"
SONARIAC-1439 Implement a converter from YAML tree to "SpringConfig"
SONARIAC-1446 Implement "SpringConfigParser"
SONARIAC-1448 S2260: Java parsing failure
SONARIAC-1449 S1135: Track uses of TODO tags in Spring configuration files
Improvement
SONARIAC-1458 Narrow the scope of YAML files considered by the spring-config sensor
1.29.0.10169
Release notes - SonarIac - 1.29
Improvement
SONARIAC-1419 JSON filenames containing compile_commands should be excluded
1.28.0.9889
Release notes - SonarIac - 1.28
Bug
SONARIAC-882 ARM JSON Support Template expressions
SONARIAC-1360 Shouldn't throw Exceptions when highlighting issue location
False-Positive
SONARIAC-1429 S1192: String literals should be raised less often
New Feature
SONARIAC-1370 S117: Parameter and variable names should comply with a naming convention
SONARIAC-1371 S6874: Use a hard-coded value for the apiVersion
SONARIAC-1372 S6949: Don't hardcode resource locations
SONARIAC-1373 S6952: Redundant explicit dependencies between resources should be removed
SONARIAC-1374 S1481: Unused local variables should be removed
SONARIAC-1375 S1192: String literals should not be duplicated
SONARIAC-1376 S6953: Don't use "allowedValues" for a location parameter
SONARIAC-1379 S6955: Unused parameters should be removed
SONARIAC-1380 S6954: Elements should not be empty or null
SONARIAC-1381 S6956: The properties and elements inside a template should appear in the recommended order
SONARIAC-1382 S4507: Delivering code in production with debug features activated is security-sensitive
SONARIAC-1384 S6437: Credentials should not be hard-coded
SONARIAC-1400 Logic for Tracking Variable Usage in Azure Resource Manager Templates and Bicep Files
SONARIAC-1401 Logic for Tracking Parameter Usage in Azure Resource Manager Templates and Bicep Files
Improvement
SONARIAC-1410 Improve Logic for Tracking Symbol Usage in Azure Resource Manager Templates and Bicep files
SONARIAC-1425 Split S6956 implementation into 2 rules
1.27.0.9518
Release notes - SonarIac - 1.27
Bug
SONARIAC-1290 Highlighting an issue directly before {{- end -}} results in highlighting the wrong line
SONARIAC-1308 Shouldn't include next line into shifted issue's text range
SONARIAC-1319 Should not evaluate templates when Chart.yaml is missing
SONARIAC-1383 Bicep parsing shouldn't fail if a string literal starts with a comment
New Feature
SONARIAC-1131 Report secondary locations in values.yaml for existing Kubernetes checks
SONARIAC-1154 Resolve values locations in values.yaml
SONARIAC-1301 Provide metrics of Helm Chart files
SONARIAC-1343 Publish values file to SQ
SONARIAC-1345 Highlight precise simple value in Helm expression in primary location
SONARIAC-1346 Highlight precise array values in Helm expression in primary location
SONARIAC-1347 Highlight precise loops in Helm expression in primary location
SONARIAC-1351 Precise primary location for "include" function in Helm expression
SONARIAC-1353 Highlight precise simple not-evaluated value in Helm file in primary location
SONARIAC-1355 Enable parsing of comment nodes in the Go template AST
SONARIAC-1356 Provide precise node lengths in the Go template AST
SONARIAC-1357 Raise Kubernetes issues on yaml values instead of key-value pairs
Improvement
SONARIAC-703 Add custom assertion for ExternalIssues
SONARIAC-1363 Comment at the end of YAML files should be assigned to the root node
SONARIAC-1385 Catch IllegalArgumentException when reporting issues to SensorContext
SONARIAC-1386 Do not raise issue for K8s limit rules when LimitRange is detected
1.26.0.8471
Release notes - SonarIac - 1.26
Bug
SONARIAC-1258 ".Capabilities.APIVersions.Has" should be evaluated correctly
SONARIAC-1267 Should not throw ClassCastException when Helm evaluated template contains literal style and empty lines
SONARIAC-1268 Should not throw NullPointerException Cannot read field "originalLineSize"
SONARIAC-1270 Should not throw IllegalArgumentException: 23 is not a valid line for pointer
SONARIAC-1271 Should not fail parsing unquoted text
SONARIAC-1276 Should discover root directory for deeply nested template files
SONARIAC-1279 Shouldn't fail the analysis on an architecture not supported by sonar-helm-for-iac
SONARIAC-1282 Shouldn't try to raise ParseExceptions with invalid text pointer
SONARIAC-1283 Should not throw exception "-1 is not a valid line offset for a file"
SONARIAC-1285 Fix aggregation of additional helm files for windows
SONARIAC-1286 Should not fail parsing when literal style at the end of evaluated template
False-Positive
SONARIAC-1143 ARM rules should not check attributes on `existing` resources
New Feature
SONARIAC-1134 Evaluate loops in Helm files
SONARIAC-1190 S6864: Memory limits should be enforced
SONARIAC-1200 S6865: Service account tokens should not be mounted in pods
SONARIAC-1203 S6867: Wildcards should not be used to define RBAC permissions
SONARIAC-1205 S6868: Allowing command execution is security sensitive
SONARIAC-1211 S6869: CPU limits should be enforced
SONARIAC-1226 S5332: Using clear-text protocols is security-sensitive
SONARIAC-1227 S6870: Storage limits should be enforced
SONARIAC-1229 S6473: Exposing administration services is security-sensitive
SONARIAC-1263 Detect ConfigMaps, Secrets and other Kubernetes files for analysis
SONARIAC-1274 Improve template processing by adding missing Sprig function
Improvement
SONARIAC-1202 Helm files should be detected even if they don't satisfy KubernetesFilePredicate
SONARIAC-1250 Update golang.org/x/crypto to 0.17.0
SONARIAC-1261 Unblock reading helm process error stream
SONARIAC-1287 Reduce logging level of known parse exceptions
1.25.0.8192
Release notes - SonarIac - 1.25
Bug
SONARIAC-1256 Fix incorrect transfer of files between Java and Go Code
SONARIAC-1257 `.Chart` object's keys should be capitalized
SONARIAC-1262 Should support "join" function in Helm charts
SONARIAC-1264 Helm analysis should not fail if repository contains empty file
SONARIAC-1266 Should not throw ClassCastException when Helm template contains multiple documents
New Feature
SONARIAC-1176 Implement "include" function for Helm template evaluation
SONARIAC-1177 Implement "tpl" function for Helm template evaluation
SONARIAC-1201 Support built-in Helm objects in template evaluation
SONARIAC-1231 Evaluate all files of Chart directory in Go Engine
SONARIAC-1232 Evaluate dependent files in Go Engine
Improvement
SONARIAC-1185 Values file should be found for templates in subfolders
SONARIAC-1219 Create a Docker Image to build go binaries
SONARIAC-1225 Pass all files of the Helm project directory to HelmEvaluator
SONARIAC-1248 Fix code coverage after migration to Gradle
SONARIAC-1254 Files from `templates/` directory should be prefixed with chart name before evaluation
1.24.0.7839
Release notes - SonarIac - 1.24
Bug
SONARIAC-1183 HelmPreprocessor crashes on some files
SONARIAC-1187 KubernetesHighlightVisitor doesn't match lines with only comments
SONARIAC-1224 Bicep files should belong to AzureResourceManager for SonarCloud AutoScan
New Feature
SONARIAC-1146 Preprocessing Helm: add trailing comments with line numbers
SONARIAC-1147 Kubernetes sensor should not ignore file with Helm Directive
SONARIAC-1148 Issue on helm file should be raised at the right location
SONARIAC-1149 Evaluate Helm templates in Go
SONARIAC-1164 Evaluate simple Helm Charts and raise Kubernetes issues
SONARIAC-1182 Build Go binaries as executables and get data from stdout
SONARIAC-1184 Support "default" function in Helm template evaluation
SONARIAC-1186 Support "toYaml" function in Helm template evaluation
Improvement
SONARIAC-1198 Allow users to deactivate Helm analysis
SONARIAC-1223 Improve error handling in Go exceptions
SONARIAC-1230 Align AzureResourceManager property keys and deprecate old key format