Releases: SonarSource/sonar-iac
1.40.0.13983
Release notes - SonarIac - 1.40
Bug
SONARIAC-1692 Dockerfile Jinja template should not be parsed
SONARIAC-1808 Bicep parser should not fail on union operator for array or variable declaration
SONARIAC-1816 Bicep parser should support extensions
SONARIAC-1845 ARM parser should not crash when parsing resources with symbolic name
False Negative
SONARIAC-1819 S6400: Update the list of resources that the Terraform analyzer detects
SONARIAC-1827 S6437 should raise on instructions part of the final image
False Positive
SONARIAC-1796 S6893 should not raise on Helm separators `{{`/`}}` in strings
SONARIAC-1817 S6400, S6302: Improve Terraform detection of Google Cloud roles
SONARIAC-1818 S6258: Improve S3 bucket logic
SONARIAC-1824 S117 should allow "$_" for ignored variables
SONARIAC-1840 S7031 Should only raise on instructions in the final image
SONARIAC-1865 S6893 should not raise on comment for specific case with dash
Improvement
SONARIAC-1188 Deprecate S6245
SONARIAC-1668 S6868: Change rule type to Security Hotspot
SONARIAC-1750 S6473 should be configurable for Kubernetes
SONARIAC-1776 Support resources with symbolic name
SONARIAC-1833 S6255: Remove rule from default quality profile "SonarWay"
SONARIAC-1837 S6433: Remove rule from default quality profile "SonarWay"
1.39.0.13718
Release notes - SonarIac - 1.39
Bug
SONARIAC-1558 Heredoc parser shouldn't crash on empty heredoc
SONARIAC-1629 Bicep parser should support spread operator
SONARIAC-1634 Parser should not fail on case-insensitive equality operator
SONARIAC-1635 Parser should not fail on type references constructed from identifiers
SONARIAC-1674 Bicep parser should parse additional properties type suffix
SONARIAC-1793 Support nullable types in Bicep
SONARIAC-1794 Support array dereferenced via "[*]" syntax in Bicep
SONARIAC-1797 Bicep parser should support identifiers in types as suffix
SONARIAC-1802 All Kustomize files should be counted for telemetry
SONARIAC-1820 Bicep parser should support multiline string with quotes inside
SONARIAC-1821 S6584 should not raise on gdebi with --n option
New Feature
SONARIAC-1735 Share common logic between Kubernetes and Ansible
SONARIAC-1799 S6584 should raise on gdebi command when -n and --non-interactive options are missing
False Negative
SONARIAC-376 S6249 should raise on the sensitive RSPEC example
SONARIAC-1087 The test case files should have a valid file identifier
SONARIAC-1623 SpringConfiguration sensor misses files
SONARIAC-1624 S4423: Support detection of comma-separated properties
SONARIAC-1625 S4423: Add support for Rsocket enabled protocols
False Positive
SONARIAC-1121 S6595 shouldn't raise on gdebi package manager frontend
SONARIAC-1678 S6579 should not raise an issue when args are used in other args
SONARIAC-1679 S6587 should not raise an issue when a cache mount is defined with a variable
SONARIAC-1718 Rule S6954 should ignore empty properties
SONARIAC-1720 S6294 should not raise an issue for alternative log group declaration
SONARIAC-1737 S6954 shouldn't flag "userAssignedIdentities"
SONARIAC-1759 S6870: Add additional conditions for read-only detection
SONARIAC-1772 S6587 should not raise when used in multistage build
SONARIAC-1780 S6573 should not raise on heredoc
SONARIAC-1795 S6587 should not raise when cache is removed
Improvement
SONARIAC-1761 "community.kubernetes.k8s" should be detected as a Kubernetes module
SONARIAC-1806 Expand AzureResourceManager FilePredicate with http schema url
SONARIAC-1810 Updating to SONAR Source-Available License v1.0 (SSALv1)
1.38.0.13264
Rules metadata update.
1.37.0.12742
Release notes - SonarIac - 1.37
Bug
SONARIAC-1631 Bicep parser should parse array types
SONARIAC-1672 Update snake-yaml-engine to newest version
SONARIAC-1689 Helm analyzer doesn't work in SonarLint when modifying a file and restarting
New Feature
SONARIAC-1628 Kubernetes analyzer should store telemetric data about the kind of analyzed files
SONARIAC-1652 S1135 Track uses of "TODO" tags
SONARIAC-1653 S2260 Track parsing failures
SONARIAC-1654 Create predicate in Ansible analyzer to detect yaml file
Improvement
SONARIAC-1702 Add logs with time measures about IaC file predicate execution
1.36.0.12431
Release notes - SonarIac - 1.36
Bug
SONARIAC-1475 Should not throw ClassCastException when decorator contains a dot
SONARIAC-1549 Bicep parser should support parsing object with comma-separated properties
SONARIAC-1587 Bicep parser should support safe-dereference operator
SONARIAC-1588 Bicep parser should support String starting with `#` and containing variable interpolation
SONARIAC-1618 Bicep parser should not fail on wildcard imports
SONARIAC-1632 Should not fail on array expressions with trailing commas
False-Positive
SONARIAC-1609 S7020 exception logic should be replaced with a more precise solution
1.35.0.12330
Release notes - SonarIac - 1.35
Bug
SONARIAC-1574 Rule IDs of cfn-lint issues should be correctly imported
False-Positive
SONARIAC-976 S6249 should not raise when the Resource field of the bucket policy is a list
SONARIAC-1083 S6380 should not raise an issue when a child resource defined outside of its parent resource makes it compliant
SONARIAC-1084 S6648 should not raise an issue for expression
SONARIAC-1120 S6595 shouldn't raise when "install" command is part of ARG
SONARIAC-1122 S6500 should not raise an issue if the option `--no-install-recommends` is present anywhere in the command
SONARIAC-1295 S6504 should raise an issue independently from the file extension
SONARIAC-1482 S6270 should not raise when conditions are set
SONARIAC-1491 S6949 should not raise for "Global" location
SONARIAC-1595 S6505 should not raise an issue when `--ignore-script` is missing but env variable `YARN_ENABLE_SCRIPTS` is `false`
SONARIAC-1596 ARM rules should use ContextualResource in order to properly check existing resource
SONARIAC-1605 S6865: Change the detection logic to a more realistic one
SONARIAC-1607 S7026 should not raise an issue on wget/curl when specific request elements are specified
SONARIAC-1608 S7031 should not raise if consecutive RUN instructions have different options
SONARIAC-1610 S6587 should not raise if a cache mount is used
SONARIAC-1611 S117 should not raise an issue on variable name $ (dollar)
SONARIAC-1614 Improve precision of S1874 to reduce the FP rate
New Feature
SONARIAC-1272 S6333 should raise an issue for APIGatewayV2 HTTP API
False Negative
SONARIAC-1014 S6413 should raise an issue for AWS CloudWatch resource
SONARIAC-1099 S6388 detection logic for `virtualMachine` resource should be adapted
SONARIAC-1100 S6388 detection logic for `virtualMachineScaleSet` resource should be adapted
SONARIAC-1104 S5332 should raise if isHttpAllowed is set to true on Cdns/profiles/endpoints
Improvement
SONARIAC-402 Missing properties in issue/hotspot message should be surrounded with double quotes
SONARIAC-748 Improve "Why is this an issue?" for external CFNLint issues
SONARIAC-1006 S6382 should handle both old name `client_cert` and new name `client_certificate` in impacted resources
SONARIAC-1077 External Reports should adopt the new Clean Code Taxonomy
SONARIAC-1487 Implement syntax highlighting for keys in YAML files
SONARIAC-1619 Reporting an issue on a resource in bicep should highlight the symbolic name instead of the name attribute
1.34.0.12019
Release notes - SonarIac - 1.34
Bug
SONARIAC-1604 JvmFramework commentVisitor should not crash on empty array
New Feature
SONARIAC-1488 S6437: Support detection of Hardcoded Secrets for Micronaut configuration
SONARIAC-1493 S4423: Support detection of TLS Protocol Downgrades for Micronaut configuration
SONARIAC-1494 S4830: Support detection of insecure-trust-all-certificates in Micronaut configuration
SONARIAC-1505 S3330: Support detection of HttpOnly flag in Micronaut configuration
SONARIAC-1506 S2092: Support detection of Secure flag in Micronaut configuration
SONARIAC-1592 Modify spring-config extension to handle both Spring and Micronaut framework
Improvement
SONARIAC-706 External importers should accept wildcards in properties
1.33.1.11833
Release notes - SonarIac - 1.33.1
Bug
SONARIAC-1581 Issue is reported on incorrect line with Go variable declaration
SONARIAC-1585 Filter shouldn't be pre-filtered from SonarLint module file system
1.33.0.11761
Release notes - SonarIac - 1.33
Bug
SONARIAC-1541 Docker parser should parse file with comments only
SONARIAC-1542 Docker parser should not crash on empty interpolation or other formats
SONARIAC-1543 Docker parser should not crash when heredoc is connected to another program
SONARIAC-1545 Docker parser should support special double-quotes
SONARIAC-1547 Docker parser should not crash when characters are positioned after EXEC form
SONARIAC-1566 Docker parser should consider Exec form with characters behind as Shell form
False-Positive
SONARIAC-1554 S6587 should not report RUN instructions with cache mount
SONARIAC-1559 S7018 should not report shell redirects
SONARIAC-1565 S7021 should not raise on special locations such as ~ (unix) or %location% (windows)
SONARIAC-1577 S7030 should not raise on Exec form that contains an empty string
SONARIAC-1578 S7030 should not raise an issue if there are no quotes between brackets and characters behind
New Feature
SONARIAC-593 Handle the value of variables set by ENV instruction
SONARIAC-1538 S7018: Arguments in multi-line RUN instructions should be sorted
SONARIAC-1539 S7020: Too long RUN instruction should be split
SONARIAC-1540 S7021: WORKDIR instruction should only be used with absolute path
SONARIAC-1546 S7019: Prefer Exec form for ENTRYPOINT and CMD instructions
SONARIAC-1548 S7023: Use digest to pin versions of base images
SONARIAC-1550 S7026: Use ADD to retrieve remote resources
SONARIAC-1552 S7028: Descriptive labels are mandatory
SONARIAC-1553 S7029: Prefer COPY over ADD for copying local resources
SONARIAC-1555 S7031: Reduce the number of consecutive RUN instructions
SONARIAC-1556 Make Helm analyzer compatible with SonarLint part 2
SONARIAC-1567 S7030: Malformed JSON in Exec form leads to unexpected behavior
SONARIAC-1579 Add STIG metadata support
Improvement
SONARIAC-1391 Deprecate S6497
SONARIAC-1551 Docker parser should support instruction `CROSS_BUILD_COPY`
1.32.0.11383
Release notes - SonarIac - 1.32
Bug
SONARIAC-1523 Location shifting should be invoked for secondary locations in other Helm files
False-Positive
SONARIAC-1537 S6893 should not report an issue for comment in helm directive without spaces
False Negative
SONARIAC-1514 S6864 should be raised when pod contains multiple containers
New Feature
SONARIAC-1137 Support for Helm-specific rules
SONARIAC-1212 S6865: Should not raise an issue with an accompanied ServiceAccount
SONARIAC-1228 S6870: Should not raise with LimitRange in the same namespace setting Storage Limits
SONARIAC-1293 S117: Local variable and method parameter names should comply with a naming convention
SONARIAC-1296 S6873: Memory requests should be specified
SONARIAC-1298 S6892: CPU requests should be specified
SONARIAC-1304 S6893: Ensure whitespace in-between braces in template directives
SONARIAC-1310 S1874: Deprecated code should not be used
SONARIAC-1311 S6897: Storage requests should be specified
SONARIAC-1323 S6596: Specific version tag for image should be used
SONARIAC-1325 S6907: Environment variables for a container should not be duplicated
SONARIAC-1326 S6907: Check for duplicate keys in ConfigMap and Secret used from `envFrom`
SONARIAC-1533 Make Kubernetes analyzer compatible with SonarLint
SONARIAC-1534 Make Helm analyzer compatible with SonarLint
Improvement
SONARIAC-1204 S6864: Should not raise with LimitRange in the same namespace setting Memory Limit
SONARIAC-1278 S6869: Should not raise with LimitRange in the same namespace setting CPU Limit
SONARIAC-1297 S6873: Should not raise with LimitRange in the same namespace setting Memory Requests
SONARIAC-1299 S6892: Should not raise with LimitRange in the same namespace setting CPU Requests
SONARIAC-1312 S6897: Should not raise with LimitRange in the same namespace setting Storage Requests
SONARIAC-1509 Print more data in Kubernetes Parsing Statistics
SONARIAC-1527 Calculate text ranges of the Go AST nodes lazily
SONARIAC-1529 Secondary locations on other files should be disabled with a specific option per rule