Releases: SonarSource/sonar-iac
1.26.0.8471
Release notes - SonarIac - 1.26
Bug
SONARIAC-1258 ".Capabilities.APIVersions.Has" should be evaluated correctly
SONARIAC-1267 Should not throw ClassCastException when Helm evaluated template contains literal style and empty lines
SONARIAC-1268 Should not throw NullPointerException Cannot read field "originalLineSize"
SONARIAC-1270 Should not throw IllegalArgumentException: 23 is not a valid line for pointer
SONARIAC-1271 Should not fail parsing unquoted text
SONARIAC-1276 Should discover root directory for deeply nested template files
SONARIAC-1279 Shouldn't fail the analysis on an architecture not supported by sonar-helm-for-iac
SONARIAC-1282 Shouldn't try to raise ParseExceptions with invalid text pointer
SONARIAC-1283 Should not throw exception "-1 is not a valid line offset for a file"
SONARIAC-1285 Fix aggregation of additional helm files for windows
SONARIAC-1286 Should not fail parsing when literal style at the end of evaluated template
False-Positive
SONARIAC-1143 ARM rules should not check attributes on `existing` resources
New Feature
SONARIAC-1134 Evaluate loops in Helm files
SONARIAC-1190 S6864: Memory limits should be enforced
SONARIAC-1200 S6865: Service account tokens should not be mounted in pods
SONARIAC-1203 S6867: Wildcards should not be used to define RBAC permissions
SONARIAC-1205 S6868: Allowing command execution is security sensitive
SONARIAC-1211 S6869: CPU limits should be enforced
SONARIAC-1226 S5332: Using clear-text protocols is security-sensitive
SONARIAC-1227 S6870: Storage limits should be enforced
SONARIAC-1229 S6473: Exposing administration services is security-sensitive
SONARIAC-1263 Detect ConfigMaps, Secrets and other Kubernetes files for analysis
SONARIAC-1274 Improve template processing by adding missing Sprig function
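The new Kubernetes rules above are listed only by title. To make concrete what a manifest has to look like to pass or fail them, here is an added example (not sonar-iac's own code): a stdlib-only approximation of S6865, S6867 and the three limit rules S6864/S6869/S6870, run over constructed manifests expressed as Python dicts (the shape `yaml.safe_load` would produce). Which field each rule inspects is my reading of the rule title, not Sonar's exact rule definition; in particular S6865 is checked only on the pod field `automountServiceAccountToken`, not on the ServiceAccount object.

```python
"""Added example, not sonar-iac code: approximate Kubernetes checks for the
rules S6865, S6867, S6864, S6869 and S6870 over constructed manifests."""
from typing import List, Optional

# Rule ids are from the release notes; the mapping to fields is an assumption.
REQUIRED_LIMITS = {"memory": "S6864", "cpu": "S6869", "ephemeral-storage": "S6870"}
WORKLOADS = ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet")


def pod_spec(manifest: dict) -> Optional[dict]:
    """Return the PodSpec of a Pod, or of a workload that embeds a pod template."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in WORKLOADS:
        return spec.get("template", {}).get("spec")
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec")
    return None


def check_manifest(manifest: dict) -> List[str]:
    """Return one finding per violated rule, each prefixed with the rule id."""
    kind = manifest.get("kind", "?")
    name = manifest.get("metadata", {}).get("name", "?")
    where = f"{kind}/{name}"
    findings: List[str] = []

    spec = pod_spec(manifest)
    if spec is not None:
        # S6865: the token is projected into every container unless the pod
        # opts out explicitly; None (unset) therefore counts as mounted.
        if spec.get("automountServiceAccountToken") is not False:
            findings.append(f"S6865 {where}: service account token is mounted into the pod")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            limits = c.get("resources", {}).get("limits", {})
            for resource, rule in REQUIRED_LIMITS.items():
                if resource not in limits:
                    findings.append(f"{rule} {where} container {c.get('name')}: no {resource} limit")

    if kind in ("Role", "ClusterRole"):
        # S6867: "*" in apiGroups, resources or verbs grants far more than intended
        for idx, rule in enumerate(manifest.get("rules", [])):
            for field in ("apiGroups", "resources", "verbs"):
                if "*" in rule.get(field, []):
                    findings.append(f"S6867 {where} rules[{idx}].{field}: wildcard permission")
    return findings


# Constructed sample manifests (not taken from any real repository).
NONCOMPLIANT_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "app", "image": "example/web:1.0",
                        "resources": {"requests": {"cpu": "100m"}}}]}}},
}
COMPLIANT_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "app", "image": "example/web:1.0",
                        "resources": {"limits": {"memory": "256Mi", "cpu": "500m",
                                                 "ephemeral-storage": "1Gi"}}}]}}},
}
WILDCARD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "too-broad"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
              {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    for m in (NONCOMPLIANT_DEPLOYMENT, COMPLIANT_DEPLOYMENT, WILDCARD_ROLE):
        for finding in check_manifest(m):
            print(finding)
```

The noncompliant Deployment yields four findings (S6865 plus one per missing limit), the compliant one none, and the ClusterRole three, one per wildcarded field of its second rule. Requests alone do not satisfy the limit rules: only `resources.limits` caps what a container can consume.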
Improvement
SONARIAC-1202 Helm files should be detected even if they don't satisfy KubernetesFilePredicate
SONARIAC-1250 Update golang.org/x/crypto to 0.17.0
SONARIAC-1261 Unblock reading helm process error stream
SONARIAC-1287 Reduce logging level of known parse exceptions
1.25.0.8192
Release notes - SonarIac - 1.25
Bug
SONARIAC-1256 Fix incorrect transfer of files between Java and Go Code
SONARIAC-1257 `.Chart` object's keys should be capitalized
SONARIAC-1262 Should support "join" function in Helm charts
SONARIAC-1264 Helm analysis should not fail if repository contains empty file
SONARIAC-1266 Should not throw ClassCastException when Helm template contains multiple documents
New Feature
SONARIAC-1176 Implement "include" function for Helm template evaluation
SONARIAC-1177 Implement "tpl" function for Helm template evaluation
SONARIAC-1201 Support built-in Helm objects in template evaluation
SONARIAC-1231 Evaluate all files of Chart directory in Go Engine
SONARIAC-1232 Evaluate dependent files in Go Engine
Improvement
SONARIAC-1185 Values file should be found for templates in subfolders
SONARIAC-1219 Create a Docker Image to build go binaries
SONARIAC-1225 Pass all files of the Helm project directory to HelmEvaluator
SONARIAC-1248 Fix code coverage after migration to Gradle
SONARIAC-1254 Files from `templates/` directory should be prefixed with chart name before evaluation
1.24.0.7839
Release notes - SonarIac - 1.24
Bug
SONARIAC-1183 HelmPreprocessor crashes on some files
SONARIAC-1187 KubernetesHighlightVisitor doesn't match lines with only comments
SONARIAC-1224 Bicep files should belong to AzureResourceManager for SonarCloud AutoScan
New Feature
SONARIAC-1146 Preprocessing Helm add trailing comments with line numbers
SONARIAC-1147 Kubernetes sensor should not ignore file with Helm Directive
SONARIAC-1148 Issue on helm file should be raised at the right location
SONARIAC-1149 Evaluate Helm templates in Go
SONARIAC-1164 Evaluate simple Helm Charts and raise Kubernetes issues
SONARIAC-1182 Build Go binaries as executables and get data from stdout
SONARIAC-1184 Support "default" function in Helm template evaluation
SONARIAC-1186 Support "toYaml" function in Helm template evaluation
Improvement
SONARIAC-1198 Allow users to deactivate Helm analysis
SONARIAC-1223 Improve error handling in Go exceptions
SONARIAC-1230 Align AzureResourceManager property keys and deprecate old key format
1.23.0.7263
Release notes - SonarIac - 1.23
Bug
SONARIAC-1142 S6329 should report only one issue for the same location
Improvement
SONARIAC-1076 Use Java 17 to build project
SONARIAC-1168 Register JSON and YAML language
1.22.0.7057
Release notes - SonarIac - 1.22
- Update rule descriptions to include Learn as You Code changes
1.21.0.5999
Release notes - SonarIac - 1.21
Bug
SONARIAC-1103 `ArgumentSplitter` shouldn't split command by separator inside quotes
SONARIAC-1105 Dockerfile as a symbolic link in a repository should not cause IllegalStateException
False-Positive
SONARIAC-1097 S6597 should not raise an issue when using HEREDOC
SONARIAC-1106 S6500 should not raise an issue when `--no-install-recommends` option is after the `install` command
SONARIAC-1118 S6470 should not raise an issue when COPY Instruction contains HereDoc
False Negative
SONARIAC-771 S6505 should raise an issue for standalone yarn commands
SONARIAC-1092 S6506 should raise an issue if sensitive https request is encapsulated in quotes
New Feature
SONARIAC-583 S6437: RUN instructions containing hardcoded secrets
SONARIAC-720 S6570: Detect missing double quote to prevent globbing and word splitting
SONARIAC-721 S6574: A space before the equal sign in key-value pair may lead to unintended behavior
SONARIAC-728 S6579: Access variable which is not available in the current scope
SONARIAC-729 S6573: Expanded filenames should not become options
SONARIAC-730 S6581: Environment variables should not be unset on a different layer than they were set
SONARIAC-732 S6584: Consent flag should be set to avoid manual input
SONARIAC-733 S6586: Deprecated instruction should not be used
SONARIAC-736 S6587: Cache should be cleaned after package installation
SONARIAC-740 S6595: Update cache and install packages in single RUN instruction
SONARIAC-741 S6589: Dockerfile should only have one ENTRYPOINT and CMD instruction
SONARIAC-744 S6596: Specific version tag for image should be used
SONARIAC-747 S6597: WORKDIR instruction should be used instead of cd command
SONARIAC-1069 Allow users to define their own Dockerfile pattern
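The Dockerfile rules in this release are again listed by title only. As an added example (not sonar-iac's own code), the following stdlib-only walker approximates five of them, S6589, S6587, S6595, S6596 and S6597, over two constructed Dockerfiles. The parser folds backslash continuations and heredoc bodies (`RUN <<EOF ... EOF`) into one instruction, and the S6597 check skips heredoc bodies, mirroring the false-positive fix SONARIAC-1097 above. Rule semantics are my reading of the titles, not Sonar's rule definitions; the package-manager checks only know `apt-get`.

```python
"""Added example, not sonar-iac code: approximate Dockerfile checks for the
rules S6589, S6587, S6595, S6596 and S6597 over constructed Dockerfiles."""
import re
from typing import List, Tuple

Instruction = Tuple[str, str]  # (keyword, argument string)
HEREDOC = re.compile(r"<<-?['\"]?(\w+)['\"]?")


def parse_dockerfile(text: str) -> List[Instruction]:
    """Split a Dockerfile into instructions, folding backslash continuations and
    heredoc bodies into the instruction's argument string."""
    lines = text.splitlines()
    instructions: List[Instruction] = []
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        while line.endswith("\\") and i < len(lines):   # trailing backslash: join next line
            line = line[:-1] + " " + lines[i].strip()
            i += 1
        keyword, _, args = line.partition(" ")
        keyword = keyword.upper()
        match = HEREDOC.search(args)
        if match and keyword in ("RUN", "COPY"):
            terminator = match.group(1)
            body: List[str] = []
            while i < len(lines) and lines[i].strip() != terminator:
                body.append(lines[i])
                i += 1
            i += 1  # consume the terminator line itself
            args = args + "\n" + "\n".join(body)
        instructions.append((keyword, args))
    return instructions


def check_dockerfile(text: str) -> List[str]:
    """Return one finding per violated rule, each prefixed with the rule id."""
    findings: List[str] = []
    instructions = parse_dockerfile(text)

    # S6589: a later ENTRYPOINT/CMD silently replaces the earlier one
    for kw in ("ENTRYPOINT", "CMD"):
        if sum(1 for k, _ in instructions if k == kw) > 1:
            findings.append(f"S6589 more than one {kw} instruction")

    for keyword, args in instructions:
        if keyword == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # drop --platform
            image = tokens[0]                                            # drop "AS stage"
            ref = image.rsplit("/", 1)[-1]  # a registry:port/ prefix must not count as a tag
            if "@sha256:" in ref:
                continue                    # digest-pinned: stronger than any tag
            tag = ref.partition(":")[2]
            if not tag or tag == "latest":
                findings.append(f"S6596 FROM {image}: no specific version tag")
        elif keyword == "RUN":
            if "<<" not in args:  # heredoc bodies are a script of their own, not flagged
                commands = [c.strip() for c in re.split(r"&&|\|\||;", args)]
                if any(c == "cd" or c.startswith("cd ") for c in commands):
                    findings.append("S6597 RUN uses cd; use WORKDIR instead")
            has_update = re.search(r"apt-get\s+update", args)
            has_install = re.search(r"apt-get\s+install", args)
            if has_update and not has_install:
                findings.append("S6595 apt-get update without install in the same RUN")
            if has_install and not re.search(r"rm\s+-rf\s+/var/lib/apt/lists", args):
                findings.append("S6587 apt-get install without cleaning /var/lib/apt/lists")
    return findings


# Constructed sample Dockerfiles (not taken from any real repository).
BAD_DOCKERFILE = r"""
FROM ubuntu
RUN apt-get update
RUN apt-get install -y curl
RUN cd /app && make
CMD ["./start"]
CMD ["./start", "--debug"]
"""
GOOD_DOCKERFILE = r"""
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /app
RUN <<EOF
cd /tmp
make
EOF
CMD ["make"]
"""

if __name__ == "__main__":
    for finding in check_dockerfile(BAD_DOCKERFILE):
        print(finding)
```

The bad Dockerfile triggers each of the five rules exactly once; the good one is clean, including the `cd` inside the heredoc body. Digest pinning (`image@sha256:...`) is treated as satisfying S6596 because it pins more tightly than a tag.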
Improvement
SONARIAC-1075 Remove S6497 from SonarWay
SONARIAC-1079 `ArgumentDetector` should be able to separate different commands of a single instruction
1.20.0.5654
Release notes - SonarIac - 1.20
Improvement
SONARIAC-1074 ArmSensor not analyzing files independently, resulting in unnecessary file analysis
1.19.0.5623
Release notes - SonarIac - 1.19
Bug
SONARIAC-917 Whitespace line is counted as code when prefixed with code
SONARIAC-1057 Fix `YamlMetricsVisitor` to accurately differentiate between regular comments and `NOSONAR` comments
SONARIAC-1061 The location of resource type is misaligned in bicep files
New Feature
SONARIAC-857 ARM Bicep support: create targetScope
SONARIAC-858 ARM Bicep support: create importDecl
SONARIAC-859 ARM Bicep support: create metadataDecl
SONARIAC-860 ARM Bicep support: create typeDecl
SONARIAC-861 ARM Bicep support: create moduleDecl
SONARIAC-862 ARM Bicep support: create functionDecl
SONARIAC-863 ARM Bicep support: create Decorator
SONARIAC-864 ARM Bicep support: create SyntaxToken
SONARIAC-865 ARM Bicep support: create parameterDecl
SONARIAC-866 ARM Bicep support: add 'existing' boolean in resources
SONARIAC-867 ARM Bicep support: add support for forExpression
SONARIAC-869 ARM Bicep support: extends Expression implementation to reflect Bicep grammar
SONARIAC-871 ARM Bicep support: create typeExpression grammar element
SONARIAC-885 Rule S6379: ARM Enabling Azure resource-specific admin accounts is security-sensitive
SONARIAC-889 Rule S6378: Disabling Managed Identities for Azure resources is security-sensitive
SONARIAC-896 Rule S6648 for ARM: Secure strings and objects should not have default values
SONARIAC-899 Rule S6380: Authorizing anonymous access to Azure resources is security-sensitive
SONARIAC-907 ARM Bicep S6364 ARM Defining a short backup retention duration is security-sensitive
SONARIAC-918 ARM Bicep S6387 Azure role assignments that grant access to all resources of a subscription are security-sensitive
SONARIAC-925 ARM Bicep S4423 ARM Weak SSL/TLS protocols should not be used
SONARIAC-926 ARM Bicep S6385 Azure custom roles should not grant subscription Owner capabilities
SONARIAC-930 Rule S6656: ARM Template evaluation should not expose secure values
SONARIAC-931 ARM Bicep support: Create basic File Statement and Expression
SONARIAC-933 ARM Resource names are case-insensitive
SONARIAC-935 ARM Bicep support: create simplified resourceDecl
SONARIAC-936 ARM Bicep support: handle variableDecl
SONARIAC-939 ARM Bicep support: create outputDecl
SONARIAC-940 ARM Bicep support: create interpString
SONARIAC-941 ARM Bicep support: add support for ifCondition
SONARIAC-942 ARM Bicep support: object - add support for interpString
SONARIAC-943 ARM Bicep support: add support for typedLambdaExpression
SONARIAC-944 ARM Bicep support: create IDENTIFIER(name)
SONARIAC-946 ARM Bicep setup Ruling tests
SONARIAC-947 ARM Bicep support: add support for functionCall
SONARIAC-955 Arm Sensor should analyze bicep files
SONARIAC-995 Update values of Bicep keywords
SONARIAC-1012 Parsing error when arrayItem contains underscore in name
SONARIAC-1024 ARM Bicep replace with PRIMARY_TYPE_EXPRESSION in expected places
SONARIAC-1025 ARM Bicep parsing error for param
SONARIAC-1027 ARM Bicep ResourceDeclaration properties should return empty list for ternary expression
SONARIAC-1054 Add highlighting for Bicep syntax
SONARIAC-1055 Add metrics for Bicep files
SONARIAC-1063 Rule S1135: Track uses of "TODO" tags
Improvement
SONARIAC-959 ARM Json : Change copyInput in OutputDeclaration from StringLiteral to Expression
SONARIAC-972 ARM Bicep: add decorator to resourceDecl
SONARIAC-973 ARM Bicep add ifCondition to resourceDecl
SONARIAC-981 ARM Bicep add forCondition to resourceDecl
SONARIAC-997 ARM Bicep extend parameterDecl to accept param as keyword
SONARIAC-1000 ARM Bicep primaryExpression should accept string complete instead of alpha numeral string
SONARIAC-1001 ARM Bicep parse error for resource
SONARIAC-1002 ARM Bicep param parse error when array of objects
SONARIAC-1045 ARM Bicep S6382 Disabling certificate-based authentication is security-sensitive
SONARIAC-1046 ARM Bicep S5332 Using clear-text protocols is security-sensitive
SONARIAC-1047 ARM Bicep S6381 Assigning high privileges Azure Resource Manager built-in roles is security-sensitive
SONARIAC-1048 ARM Bicep S6321 Administration services access should be restricted to specific IP addresses
SONARIAC-1049 ARM Bicep S6413 Defining a short log retention duration is security-sensitive
SONARIAC-1050 ARM Bicep S6329 Allowing public network access to cloud resources is security-sensitive
SONARIAC-1051 ARM Bicep S6383 Disabling Role-Based Access Control on Azure resources is security-sensitive
SONARIAC-1052 ARM Bicep S6388 Using unencrypted cloud storages is security-sensitive
1.18.0.4757
Release notes - SonarIac - 1.18
Bug
SONARIAC-888 Fix textRange for an empty ObjectExpression
Documentation
SONARIAC-833 Add Azure Resource Manager Documentation
New Feature
SONARIAC-772 Rule S6385: ARM Azure custom roles should not grant subscription Owner capabilities
SONARIAC-773 Rule S5332: ARM Using clear-text protocols is security-sensitive
SONARIAC-781 Rule S4423: ARM Weak SSL/TLS protocols should not be used
SONARIAC-786 Rule S6413: ARM Defining a short log retention duration is security-sensitive
SONARIAC-790 Rule S6329: ARM Allowing public network access to cloud resources is security-sensitive
SONARIAC-797 Rule S6387: ARM Azure role assignments that grant access to all resources of a subscription are security-sensitive
SONARIAC-800 Rule S6383: ARM Disabling Role-Based Access Control on Azure resources is security-sensitive
SONARIAC-806 Rule S6388: ARM Using unencrypted cloud storages is security-sensitive
SONARIAC-807 Rule S6381: ARM Assigning high privileges Azure Resource Manager built-in roles is security-sensitive
SONARIAC-810 Rule S6364: ARM Defining a short backup retention duration is security-sensitive (JSON)
SONARIAC-814 Rule S6382: ARM Disabling certificate-based authentication is security-sensitive
SONARIAC-828 Add Azure Resource Manager Extensions
SONARIAC-829 Convert JSON to Minimal ARM AST Model
SONARIAC-834 Add required Azure Resource Manager Infrastructure
SONARIAC-842 Rule S6321 ARM: Simplified positive cases for sourceAddressPrefix
SONARIAC-923 Add targetScope in File
1.17.0.3976
Release notes - SonarIac - 1.17
Bug
SONARIAC-782 Invalid line offset while issue reporting should not lead to analysis failure
SONARIAC-783 S6504 crashes by specific filename in shell commands
False-Positive
SONARIAC-738 Rule S6504: Group is not considered
SONARIAC-753 S6505 should not raise issue if `yarn` is used as command option
Improvement
SONARIAC-731 Rule S6500: Improve issue message
SONARIAC-734 Rule S2612: Add more precision to the issue message
SONARIAC-737 Rule S6472: Improve wordlists
SONARIAC-742 Rule S6437: Improve the ssh-keygen command detection logic
SONARIAC-743 Rule S6437: Improve the message for secret generation
SONARIAC-749 Review content of rules/cfn-lint/rules.json (Severity, Type, Message)
SONARIAC-750 Rule S6506: Add wget support
SONARIAC-752 Log filename when file identifier does not match in YamlSensor