Releases: SonarSource/sonar-iac

1.35.0.12330

17 Sep 07:15
17c9345

Release notes - SonarIac - 1.35

Bug

SONARIAC-1574 Rule IDs of cfn-lint issues should be imported correctly

False-Positive

SONARIAC-976 S6249 should not raise when the Resource field of the bucket policy is a list

SONARIAC-1083 S6380 should not raise an issue when a child resource defined outside of its parent resource makes it compliant

SONARIAC-1084 S6648 should not raise an issue for expression

SONARIAC-1120 S6595 shouldn't raise when "install" command is part of ARG

SONARIAC-1122 S6500 should not raise an issue if the option `--no-install-recommends` is present anywhere in the command

SONARIAC-1295 S6504 should raise an issue independently from the file extension

SONARIAC-1482 S6270 should not raise when conditions are set

SONARIAC-1491 S6949 should not raise for "Global" location

SONARIAC-1595 S6505 should not raise an issue when `--ignore-script` is missing but env variable `YARN_ENABLE_SCRIPTS` is `false`

SONARIAC-1596 ARM rules should use ContextualResource in order to properly check existing resources

SONARIAC-1605 S6865: Change the detection logic to a more realistic one

SONARIAC-1607 S7026 should not raise an issue on wget/curl when specific request elements are specified

SONARIAC-1608 S7031 should not raise if consecutive RUN instructions have different options

SONARIAC-1610 S6587 should not raise if a cache mount is used

SONARIAC-1611 S117 should not raise an issue on variable name $ (dollar)

SONARIAC-1614 Improve precision of S1874 to reduce the FP rate

New Feature

SONARIAC-1272 S6333 should raise an issue for APIGatewayV2 HTTP API

False Negative

SONARIAC-1014 S6413 should raise an issue for AWS CloudWatch resource

SONARIAC-1099 S6388 detection logic for `virtualMachine` resource should be adapted

SONARIAC-1100 S6388 detection logic for `virtualMachineScaleSet` resource should be adapted

SONARIAC-1104 S5332 should raise if isHttpAllowed is set to true on Cdns/profiles/endpoints

Improvement

SONARIAC-402 Missing properties in issue/hotspot messages should be surrounded with double quotes

SONARIAC-748 Improve "Why is this an issue?" for external CFNLint issues

SONARIAC-1006 S6382 should handle both old name `client_cert` and new name `client_certificate` in impacted resources

SONARIAC-1077 External Reports should adopt the new Clean Code Taxonomy

SONARIAC-1487 Implement syntax highlighting for keys in YAML files

SONARIAC-1619 Reporting an issue on a resource in bicep should highlight the symbolic name instead of the name attribute

1.34.0.12019

02 Sep 15:26
3dd6cb7

Release notes - SonarIac - 1.34

Bug

SONARIAC-1604 JvmFramework commentVisitor should not crash on empty array

New Feature

SONARIAC-1488 S6437: Support detection of Hardcoded Secrets for Micronaut configuration

SONARIAC-1493 S4423: Support detection of TLS Protocol Downgrades for Micronaut configuration

SONARIAC-1494 S4830: Support detection of insecure-trust-all-certificates in Micronaut configuration

SONARIAC-1505 S3330: Support detection of HttpOnly flag in Micronaut configuration

SONARIAC-1506 S2092: Support detection of Secure flag in Micronaut configuration

SONARIAC-1592 Modify spring-config extension to handle both Spring and Micronaut framework

Improvement

SONARIAC-706 External importers should accept wildcards in properties

1.33.1.11833

16 Aug 08:18
0420a67

Release notes - SonarIac - 1.33.1

Bug

SONARIAC-1581 Issue is reported on incorrect line with Go variable declaration

SONARIAC-1585 Filter shouldn't be pre-filtered from SonarLint module file system

1.33.0.11761

05 Aug 08:43
e67cce3

Release notes - SonarIac - 1.33

Bug

SONARIAC-1541 Docker parser should parse files that contain only comments

SONARIAC-1542 Docker parser should not crash on empty interpolation or other formats

SONARIAC-1543 Docker parser should not crash when heredoc is connected to another program

SONARIAC-1545 Docker parser should support special double-quotes

SONARIAC-1547 Docker parser should not crash when characters are positioned after EXEC form

SONARIAC-1566 Docker parser should consider Exec form with trailing characters as Shell form

False-Positive

SONARIAC-1554 S6587 should not report RUN instructions with cache mount

SONARIAC-1559 S7018 should not report shell redirects

SONARIAC-1565 S7021 should not raise on special locations such as ~ (unix) or %location% (windows)

SONARIAC-1577 S7030 should not raise on Exec form that contains an empty string

SONARIAC-1578 S7030 should not raise an issue if there are no quotes between the brackets and the trailing characters

New Feature

SONARIAC-593 Handle the value of variables set by ENV instruction

SONARIAC-1538 S7018: Arguments in multi-line RUN instructions should be sorted

SONARIAC-1539 S7020: Too long RUN instructions should be split

SONARIAC-1540 S7021: WORKDIR instruction should only be used with absolute path

SONARIAC-1546 S7019: Prefer Exec form for ENTRYPOINT and CMD instructions

SONARIAC-1548 S7023: Use digest to pin versions of base images

SONARIAC-1550 S7026: Use ADD to retrieve remote resources

SONARIAC-1552 S7028: Descriptive labels are mandatory

SONARIAC-1553 S7029: Prefer COPY over ADD for copying local resources

SONARIAC-1555 S7031: Reduce the number of consecutive RUN instructions

SONARIAC-1556 Make Helm analyzer compatible with SonarLint part 2

SONARIAC-1567 S7030: Malformed JSON in Exec form leads to unexpected behavior

SONARIAC-1579 Add STIG metadata support

Improvement

SONARIAC-1391 Deprecate S6497

SONARIAC-1551 Docker parser should support instruction `CROSS_BUILD_COPY`

1.32.0.11383

16 Jul 07:23
8fcc27d

Release notes - SonarIac - 1.32

Bug

SONARIAC-1523 Location shifting should be invoked for secondary locations in other Helm files

False-Positive

SONARIAC-1537 S6893 should not report an issue for a comment in a Helm directive without spaces

False Negative

SONARIAC-1514 S6864 should be raised when pod contains multiple containers

New Feature

SONARIAC-1137 Support for Helm-specific rules

SONARIAC-1212 S6865: Should not raise an issue with an accompanied ServiceAccount

SONARIAC-1228 S6870: Should not raise with LimitRange in the same namespace setting Storage Limits

SONARIAC-1293 S117: Local variable and method parameter names should comply with a naming convention

SONARIAC-1296 S6873: Memory requests should be specified

SONARIAC-1298 S6892: CPU requests should be specified

SONARIAC-1304 S6893: Ensure whitespace in-between braces in template directives

SONARIAC-1310 S1874: Deprecated code should not be used

SONARIAC-1311 S6897: Storage requests should be specified

SONARIAC-1323 S6596: Specific version tag for image should be used

SONARIAC-1325 S6907: Environment variables for a container should not be duplicated

SONARIAC-1326 S6907: Check for duplicate keys in ConfigMap and Secret used from `envFrom`

SONARIAC-1533 Make Kubernetes analyzer compatible with SonarLint

SONARIAC-1534 Make Helm analyzer compatible with SonarLint

Improvement

SONARIAC-1204 S6864: Should not raise with LimitRange in the same namespace setting Memory Limit

SONARIAC-1278 S6869: Should not raise with LimitRange in the same namespace setting CPU Limit

SONARIAC-1297 S6873: Should not raise with LimitRange in the same namespace setting Memory Requests

SONARIAC-1299 S6892: Should not raise with LimitRange in the same namespace setting CPU Requests

SONARIAC-1312 S6897: Should not raise with LimitRange in the same namespace setting Storage Requests

SONARIAC-1509 Print more data in Kubernetes Parsing Statistics

SONARIAC-1527 Calculate text ranges of the Go AST nodes lazily

SONARIAC-1529 Secondary locations on other files should be disabled with a specific option per rule

1.31.0.10579

27 May 13:02
3c741b3

Release notes - SonarIac - 1.31

Bug

SONARIAC-1322 Empty file suffixes are not substituted with defaults on SQ 10.4

SONARIAC-1392 Should not throw strconv.Atoi parse exception when reading _resources.tpl

SONARIAC-1485 Docker parser should not create invalid offset on multiline bash script

False-Positive

SONARIAC-437 S6258 should not raise on Azure Storage Account logging

SONARIAC-789 Take dynamic blocks into account when detecting absence of properties

SONARIAC-855 S6437 Refine openssl secret generation command detection

SONARIAC-1008 S4423 Add support for Azure MSSQL

SONARIAC-1009 S4423 Weak SSL/TLS protocols should not be detected when using AWS API Gateway

SONARIAC-1030 S6330 Should consider correct default queue encryption (SSE-SQS)

SONARIAC-1035 S4423 should not report missing property for Azure resources with azurerm >= 3.0

SONARIAC-1096 S6380 ARM Detection logic needs to be adjusted

SONARIAC-1141 S6587 should not raise on apt-get when installing a local package

SONARIAC-1260 S6596 should not raise an issue on docker special image `scratch`

SONARIAC-1418 S6596 should not raise on references to previous build stages when previous stage is unresolvable

SONARIAC-1465 S1192 should not raise on strings that are formatted

SONARIAC-1467 S6380 should not raise on storageAccounts when allowBlobPublicAccess is not set

SONARIAC-1468 S1192 should not raise on module path

False Negative

SONARIAC-784 S6413 should be raised when insights block is missing or disabled

SONARIAC-1022 S6506 Detection should not be thwarted by addition of parameters

SONARIAC-1023 S6245 Checking AWS::S3::Bucket should not rely on properties

Improvement

SONARIAC-1489 Deprecate S6869: CPU limits should be enforced

1.30.0.10357

16 May 09:21
20386ea

Release notes - SonarIac - 1.30

Bug

SONARIAC-1451 Properties grammar should accept keys that contain comment indicators

SONARIAC-1459 Resolve Parsing Issues on Spring Configuration Files

New Feature

SONARIAC-1393 S6437: Support detection of Hardcoded Secrets for Spring configuration

SONARIAC-1394 S5693: Support detection of Excessive File Upload Size Limit for Spring configuration

SONARIAC-1395 S4507: Support detection of enabled Debug Features in Spring configuration

SONARIAC-1396 S4423: Support detection of TLS Protocol Downgrades for Spring configuration

SONARIAC-1397 S2092: Support detection of misconfigured "Secure" cookie flags in Spring configuration

SONARIAC-1398 S3330: Support detection of misconfigured "HttpOnly" cookie flags in Spring configuration

SONARIAC-1430 Implement "SpringConfigSensor"

SONARIAC-1431 Convert parsed properties file to "SpringConfigTree"

SONARIAC-1432 Onboard the "spring-config" extension into the sonar-iac plugin

SONARIAC-1435 Generate Parser and Visitor with ANTLR for properties file

SONARIAC-1437 Implement metrics and highlighting visitors for .properties files

SONARIAC-1438 Implement "SpringConfig"

SONARIAC-1439 Implement a converter from YAML tree to "SpringConfig"

SONARIAC-1446 Implement "SpringConfigParser"

SONARIAC-1448 S2260: Java parsing failure

SONARIAC-1449 S1135: Track uses of TODO tags in Spring configuration files

Improvement

SONARIAC-1458 Narrow the scope of YAML files considered by the spring-config sensor

1.29.0.10169

06 May 13:37

Release notes - SonarIac - 1.29

Improvement

SONARIAC-1419 JSON filenames containing compile_commands should be excluded

1.28.0.9889

23 Apr 10:46
9f13824

Release notes - SonarIac - 1.28

Bug

SONARIAC-882 ARM JSON: Support template expressions

SONARIAC-1360 Shouldn't throw Exceptions when highlighting issue location

False-Positive

SONARIAC-1429 S1192: String literals should be raised less often

New Feature

SONARIAC-1370 S117: Parameter and variable names should comply with a naming convention

SONARIAC-1371 S6874: Use a hard-coded value for the apiVersion

SONARIAC-1372 S6949: Don't hardcode resource locations

SONARIAC-1373 S6952: Redundant explicit dependencies between resources should be removed

SONARIAC-1374 S1481: Unused local variables should be removed

SONARIAC-1375 S1192: String literals should not be duplicated

SONARIAC-1376 S6953: Don't use "allowedValues" for a location parameter

SONARIAC-1379 S6955: Unused parameters should be removed

SONARIAC-1380 S6954: Elements should not be empty or null

SONARIAC-1381 S6956: The properties and elements inside a template should appear in the recommended order

SONARIAC-1382 S4507: Delivering code in production with debug features activated is security-sensitive

SONARIAC-1384 S6437: Credentials should not be hard-coded

SONARIAC-1400 Logic for Tracking Variable Usage in Azure Resource Manager Templates and Bicep Files

SONARIAC-1401 Logic for Tracking Parameter Usage in Azure Resource Manager Templates and Bicep Files

Improvement

SONARIAC-1410 Improve Logic for Tracking Symbol Usage in Azure Resource Manager Templates and Bicep files

SONARIAC-1425 Split S6956 implementation into 2 rules

1.27.0.9518

02 Apr 12:00
af60511

Release notes - SonarIac - 1.27

Bug

SONARIAC-1290 Highlighting an issue directly before {{- end -}} results in highlighting the wrong line

SONARIAC-1308 Shouldn't include the next line in a shifted issue's text range

SONARIAC-1319 Should not evaluate templates when Chart.yaml is missing

SONARIAC-1383 Bicep parsing shouldn't fail if a string literal starts with a comment

New Feature

SONARIAC-1131 Report secondary locations in values.yaml for existing Kubernetes checks

SONARIAC-1154 Resolve values locations in values.yaml

SONARIAC-1301 Provide metrics of Helm Chart files

SONARIAC-1343 Publish values file to SQ

SONARIAC-1345 Highlight precise simple value in Helm expression in primary location

SONARIAC-1346 Highlight precise array values in Helm expression in primary location

SONARIAC-1347 Highlight precise loops in Helm expression in primary location

SONARIAC-1351 Precise primary location for "include" function in Helm expression

SONARIAC-1353 Highlight precise simple not-evaluated value in Helm file in primary location

SONARIAC-1355 Enable parsing of comment nodes in the Go template AST

SONARIAC-1356 Provide precise node lengths in the Go template AST

SONARIAC-1357 Raise Kubernetes issues on yaml values instead of key-value pairs

Improvement

SONARIAC-703 Add custom assertion for ExternalIssues

SONARIAC-1363 Comment at the end of YAML files should be assigned to the root node

SONARIAC-1385 Catch IllegalArgumentException when reporting issues to SensorContext

SONARIAC-1386 Do not raise issue for K8s limit rules when LimitRange is detected