
Releases: SonarSource/sonar-iac

SonarIaC 1.21.0.5999

27 Sep 14:54
d1de870

Release notes - SonarIac - 1.21

Bug

SONARIAC-1103 `ArgumentSplitter` shouldn't split command by separator inside quotes

SONARIAC-1105 Dockerfile as a symbolic link in a repository should not cause IllegalStateException

False-Positive

SONARIAC-1097 S6597 should not raise an issue when using HEREDOC

SONARIAC-1106 S6500 should not raise an issue when `--no-install-recommends` option is after the `install` command

SONARIAC-1118 S6470 should not raise an issue when COPY Instruction contains HereDoc

False Negative

SONARIAC-771 S6505 should raise an issue for standalone yarn commands

SONARIAC-1092 S6506 should raise an issue if sensitive https request is encapsulated in quotes

New Feature

SONARIAC-583 S6437: RUN instructions containing hardcoded secrets

SONARIAC-720 S6570: Detect missing double quote to prevent globbing and word splitting

SONARIAC-721 S6574: A space before the equal sign in key-value pair may lead to unintended behavior

SONARIAC-728 S6579: Access variable which is not available in the current scope

SONARIAC-729 S6573: Expanded filenames should not become options

SONARIAC-730 S6581: Environment variables should not be unset on a different layer than they were set

SONARIAC-732 S6584: Consent flag should be set to avoid manual input

SONARIAC-733 S6586: Deprecated instruction should not be used

SONARIAC-736 S6587: Cache should be cleaned after package installation

SONARIAC-740 S6595: Update cache and install packages in single RUN instruction

SONARIAC-741 S6589: Dockerfile should only have one ENTRYPOINT and CMD instruction

SONARIAC-744 S6596: Specific version tag for image should be used

SONARIAC-747 S6597: WORKDIR instruction should be used instead of cd command

SONARIAC-1069 Allow users to define their own Dockerfile pattern

Improvement

SONARIAC-1075 Remove S6497 from SonarWay

SONARIAC-1079 `ArgumentDetector` should be able to separate different commands of a single instruction
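Several of the 1.21 Dockerfile rules above (S6596, S6597, S6595, S6500, S6589) and the matching false-positive fixes (SONARIAC-1097 heredoc, SONARIAC-1103 separators inside quotes, SONARIAC-1106 option after `install`) can be illustrated with a small detector. The Python below is an added example written for this page, not SonarIaC's Java implementation: the rule keys are used only as labels, the detection logic is a simplified reading of the rule titles (an assumption, not the rule specifications), and the Dockerfile it runs over is constructed.

```python
"""Toy Dockerfile checks in the spirit of the 1.21 Dockerfile rules listed above.

Added example for this page: NOT SonarIaC's implementation.  Rule keys are used
as labels only and the logic is simplified from the rule titles (assumption).
"""
import re
import shlex

SHELL_SEPARATORS = {"&&", "||", ";", "|"}

# Constructed sample (not from the page); findings refer to its line numbers.
SAMPLE_DOCKERFILE = """\
FROM ubuntu
RUN apt-get update
RUN cd /opt && apt-get install -y curl
RUN apt-get install -y git --no-install-recommends
RUN echo "cd is fine inside quotes && apt-get install -y nope"
RUN <<EOF
cd /tmp
apt-get update
apt-get install -y --no-install-recommends vim
EOF
CMD ["a"]
CMD ["b"]
"""


def parse_dockerfile(text):
    """Return a list of (line_no, INSTRUCTION, argument, heredoc_body_or_None).

    Joins backslash continuations and collects a heredoc body (RUN <<EOF ... EOF)
    so that checks can treat the embedded script separately.
    """
    lines = text.splitlines()
    instructions, i = [], 0
    while i < len(lines):
        raw = lines[i].strip()
        if not raw or raw.startswith("#"):
            i += 1
            continue
        start, buf = i + 1, raw
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + " " + lines[i].strip()
        body = None
        m = re.search(r"<<-?['\"]?(\w+)", buf)
        if m:  # heredoc: consume lines up to the terminator word
            body, i = [], i + 1
            while i < len(lines) and lines[i].strip() != m.group(1):
                body.append(lines[i])
                i += 1
        i += 1
        parts = re.split(r"\s+", buf, 1)
        arg = parts[1] if len(parts) > 1 else ""
        instructions.append((start, parts[0].upper(), arg, body))
    return instructions


def split_shell_commands(argument):
    """Split a shell-form argument into commands on &&, ||, ; and |,
    leaving separators that appear inside quotes alone (cf. SONARIAC-1103)."""
    lexer = shlex.shlex(argument, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def check_dockerfile(text):
    """Run the toy rules; return findings as (rule, line, message), sorted by line."""
    findings, cmd_like = [], []
    for line, instr, arg, body in parse_dockerfile(text):
        if instr == "FROM":
            image = next((t for t in arg.split() if not t.startswith("--")), "")
            # S6596: an image without ':tag' or '@digest' floats (scratch has neither)
            if image != "scratch" and ":" not in image and "@" not in image:
                findings.append(("S6596", line, f"pin a tag or digest for image '{image}'"))
        elif instr in ("CMD", "ENTRYPOINT"):
            cmd_like.append((instr, line))
        elif instr == "RUN" and not arg.startswith("["):  # exec form is not handled here
            if body is not None:  # heredoc script: one command per line
                shell_text = " ; ".join(l.strip() for l in body if l.strip())
            else:                 # drop RUN flags such as --mount=... / --network=...
                shell_text = re.sub(r"^(--\S+\s+)*", "", arg)
            commands = split_shell_commands(shell_text)
            has_update = any(c[:2] == ["apt-get", "update"] for c in commands)
            has_install = any(c[:2] == ["apt-get", "install"] for c in commands)
            if has_update and not has_install:  # S6595: stale cache in its own layer
                findings.append(("S6595", line, "apt-get update and install belong in one RUN"))
            for c in commands:
                if c[0] == "cd" and body is None:  # S6597; heredoc exempt (SONARIAC-1097)
                    findings.append(("S6597", line, "use WORKDIR instead of cd"))
                # S6500: the option counts wherever it appears in the command (SONARIAC-1106)
                if c[:2] == ["apt-get", "install"] and "--no-install-recommends" not in c:
                    findings.append(("S6500", line, "apt-get install without --no-install-recommends"))
    for kind in ("CMD", "ENTRYPOINT"):  # S6589: only the last one takes effect
        lines_of_kind = [ln for k, ln in cmd_like if k == kind]
        for ln in lines_of_kind[:-1]:
            findings.append(("S6589", ln, f"{kind} is overridden by a later {kind}"))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for rule, line, msg in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line}: {rule} {msg}")
```

Lines 4, 5 and 6 of the sample produce no findings: the `--no-install-recommends` after `install` is honoured, the `&&` inside the quoted string is not treated as a separator, and the `cd` inside the heredoc is left alone. Exec-form `RUN [...]` is deliberately skipped.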

1.20.0.5654

18 Aug 08:45
45bdf29

Release notes - SonarIac - 1.20

Improvement

SONARIAC-1074 ArmSensor not analyzing files independently, resulting in unnecessary file analysis

1.19.0.5623

11 Aug 11:38
b894f37

Release notes - SonarIac - 1.19

Bug

SONARIAC-917 Whitespace line is counted as code when prefixed with code

SONARIAC-1057 Fix `YamlMetricsVisitor` to accurately differentiate between regular comments and `NOSONAR` comments

SONARIAC-1061 The location of resource type is misaligned in bicep files

New Feature

SONARIAC-857 ARM Bicep support: create targetScope

SONARIAC-858 ARM Bicep support: create importDecl

SONARIAC-859 ARM Bicep support: create metadataDecl

SONARIAC-860 ARM Bicep support: create typeDecl

SONARIAC-861 ARM Bicep support: create moduleDecl

SONARIAC-862 ARM Bicep support: create functionDecl

SONARIAC-863 ARM Bicep support: create Decorator

SONARIAC-864 ARM Bicep support: create SyntaxToken

SONARIAC-865 ARM Bicep support: create parameterDecl

SONARIAC-866 ARM Bicep support: add 'existing' boolean in resources

SONARIAC-867 ARM Bicep support: add support for forExpression

SONARIAC-869 ARM Bicep support: extends Expression implementation to reflect Bicep grammar

SONARIAC-871 ARM Bicep support: create typeExpression grammar element

SONARIAC-885 Rule S6379: ARM Enabling Azure resource-specific admin accounts is security-sensitive

SONARIAC-889 Rule S6378: Disabling Managed Identities for Azure resources is security-sensitive

SONARIAC-896 Rule S6648 for ARM: Secure strings and objects should not have default values

SONARIAC-899 Rule S6380: Authorizing anonymous access to Azure resources is security-sensitive

SONARIAC-907 ARM Bicep S6364: Defining a short backup retention duration is security-sensitive

SONARIAC-918 ARM Bicep S6387 Azure role assignments that grant access to all resources of a subscription are security-sensitive

SONARIAC-925 ARM Bicep S4423: Weak SSL/TLS protocols should not be used

SONARIAC-926 ARM Bicep S6385 Azure custom roles should not grant subscription Owner capabilities

SONARIAC-930 Rule S6656: ARM Template evaluation should not expose secure values

SONARIAC-931 ARM Bicep support: Create basic File Statement and Expression

SONARIAC-933 ARM Resource names are case-insensitive

SONARIAC-935 ARM Bicep support: create simplified resourceDecl

SONARIAC-936 ARM Bicep support: handle variableDecl

SONARIAC-939 ARM Bicep support: create outputDecl

SONARIAC-940 ARM Bicep support: create interpString

SONARIAC-941 ARM Bicep support: add support for ifCondition

SONARIAC-942 ARM Bicep support: object - add support for interpString

SONARIAC-943 ARM Bicep support: add support for typedLambdaExpression

SONARIAC-944 ARM Bicep support: create IDENTIFIER(name)

SONARIAC-946 ARM Bicep setup Ruling tests

SONARIAC-947 ARM Bicep support: add support for functionCall

SONARIAC-955 Arm Sensor should analyze bicep files

SONARIAC-995 Update values of Bicep keywords

SONARIAC-1012 Parsing error when arrayItem contains underscore in name

SONARIAC-1024 ARM Bicep replace with PRIMARY_TYPE_EXPRESSION in expected places

SONARIAC-1025 ARM Bicep parsing error for param

SONARIAC-1027 ARM Bicep ResourceDeclaration properties should return empty list for ternary expression

SONARIAC-1054 Add highlighting for Bicep syntax

SONARIAC-1055 Add metrics for Bicep files

SONARIAC-1063 Rule S1135: Track uses of "TODO" tags

Improvement

SONARIAC-959 ARM JSON: Change copyInput in OutputDeclaration from StringLiteral to Expression

SONARIAC-972 ARM Bicep: add decorator to resourceDecl

SONARIAC-973 ARM Bicep add ifCondition to resourceDecl

SONARIAC-981 ARM Bicep add forCondition to resourceDecl

SONARIAC-997 ARM Bicep extend parameterDecl to accept param as keyword

SONARIAC-1000 ARM Bicep primaryExpression should accept complete strings instead of only alphanumeric strings

SONARIAC-1001 ARM Bicep parse error for resource

SONARIAC-1002 ARM Bicep param parse error when array of objects

SONARIAC-1045 ARM Bicep S6382 Disabling certificate-based authentication is security-sensitive

SONARIAC-1046 ARM Bicep S5332 Using clear-text protocols is security-sensitive

SONARIAC-1047 ARM Bicep S6381 Assigning high privileges Azure Resource Manager built-in roles is security-sensitive

SONARIAC-1048 ARM Bicep S6321 Administration services access should be restricted to specific IP addresses

SONARIAC-1049 ARM Bicep S6413 Defining a short log retention duration is security-sensitive

SONARIAC-1050 ARM Bicep S6329 Allowing public network access to cloud resources is security-sensitive

SONARIAC-1051 ARM Bicep S6383 Disabling Role-Based Access Control on Azure resources is security-sensitive

SONARIAC-1052 ARM Bicep S6388 Using unencrypted cloud storages is security-sensitive

1.18.0.4757

03 Jul 13:43
d887f68

Release notes - SonarIac - 1.18

Bug

SONARIAC-888 Fix textRange for an empty ObjectExpression

Documentation

SONARIAC-833 Add Azure Resource Manager Documentation

New Feature

SONARIAC-772 Rule S6385: ARM Azure custom roles should not grant subscription Owner capabilities

SONARIAC-773 Rule S5332: ARM Using clear-text protocols is security-sensitive

SONARIAC-781 Rule S4423: ARM Weak SSL/TLS protocols should not be used

SONARIAC-786 Rule S6413: ARM Defining a short log retention duration is security-sensitive

SONARIAC-790 Rule S6329: ARM Allowing public network access to cloud resources is security-sensitive

SONARIAC-797 Rule S6387: ARM Azure role assignments that grant access to all resources of a subscription are security-sensitive

SONARIAC-800 Rule S6383: ARM Disabling Role-Based Access Control on Azure resources is security-sensitive

SONARIAC-806 Rule S6388: ARM Using unencrypted cloud storages is security-sensitive

SONARIAC-807 Rule S6381: ARM Assigning high privileges Azure Resource Manager built-in roles is security-sensitive

SONARIAC-810 Rule S6364: ARM Defining a short backup retention duration is security-sensitive (JSON)

SONARIAC-814 Rule S6382: ARM Disabling certificate-based authentication is security-sensitive

SONARIAC-828 Add Azure Resource Manager Extensions

SONARIAC-829 Convert JSON to Minimal ARM AST Model

SONARIAC-834 Add required Azure Resource Manager Infrastructure

SONARIAC-842 Rule S6321 ARM: Simplified positive cases for sourceAddressPrefix

SONARIAC-923 Add targetScope in File
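The ARM rules introduced in this release are property checks over the template's JSON. The Python below is an added example written for this page, not SonarIaC code: it parses a constructed ARM template, reports a simplified version of S6648 (secure parameter with a default), S5332 (`supportsHttpsTrafficOnly: false`), S4423 (`minimumTlsVersion` at TLS 1.0/1.1) and S6329 (`publicNetworkAccess: Enabled`), and produces the hardened template beside it. The property names are the real Azure ones; which values each rule flags is a simplified reading of the rule titles (an assumption), and resource types are compared case-insensitively as SONARIAC-933 in 1.19 notes.

```python
"""Toy ARM (JSON) template checks for a few of the 1.18 rules listed above.

Added example for this page, not SonarIaC code.  The property names are the
real Azure ones; which values each rule flags is simplified from the rule
titles (assumption), e.g. S6329 here flags any 'publicNetworkAccess: Enabled'.
"""
import json

STORAGE_ACCOUNT = "microsoft.storage/storageaccounts"  # compared lower-cased (SONARIAC-933)
SECURE_PARAM_TYPES = {"securestring", "secureobject"}
WEAK_TLS_VERSIONS = {"tls1_0", "tls1_1"}

# Constructed template (not from the page): one storage account with three weak
# settings and a secure parameter that ships a default value.
WEAK_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "dbPassword": {"type": "secureString", "defaultValue": "ChangeMe123"},
        "location": {"type": "string", "defaultValue": "westeurope"},
    },
    "resources": [{
        "type": "Microsoft.Storage/StorageAccounts",  # mixed case on purpose
        "apiVersion": "2022-09-01",
        "name": "weakstorage",
        "location": "[parameters('location')]",
        "sku": {"name": "Standard_LRS"},
        "kind": "StorageV2",
        "properties": {
            "supportsHttpsTrafficOnly": False,
            "minimumTlsVersion": "TLS1_0",
            "publicNetworkAccess": "Enabled",
        },
    }],
})


def check_arm_template(template_json):
    """Return (rule, location, message) findings for the toy rules."""
    doc = json.loads(template_json)
    findings = []
    for name, param in doc.get("parameters", {}).items():
        # S6648: a secureString/secureObject default lands in the template in clear text
        if param.get("type", "").lower() in SECURE_PARAM_TYPES and "defaultValue" in param:
            findings.append(("S6648", f"parameters.{name}", "secure parameter has a default value"))
    for res in doc.get("resources", []):
        where = f"resources[{res.get('name')}]"
        props = res.get("properties", {})
        if res.get("type", "").lower() == STORAGE_ACCOUNT:
            # S5332: plain HTTP accepted on the storage endpoint
            if props.get("supportsHttpsTrafficOnly") is False:
                findings.append(("S5332", where, "supportsHttpsTrafficOnly is false"))
            # S4423: TLS 1.0 / 1.1 still negotiable
            if str(props.get("minimumTlsVersion", "")).lower() in WEAK_TLS_VERSIONS:
                findings.append(("S4423", where, f"minimumTlsVersion {props['minimumTlsVersion']} is weak"))
        # S6329: public network access left enabled (any resource carrying the property)
        if str(props.get("publicNetworkAccess", "")).lower() == "enabled":
            findings.append(("S6329", where, "publicNetworkAccess is Enabled"))
    return findings


def harden(template_json):
    """Return a corrected copy: drop secure defaults, force HTTPS and TLS 1.2,
    and close public access.  Disabling public access assumes a private endpoint
    or firewall rules provide the intended access path (assumption)."""
    doc = json.loads(template_json)
    for param in doc.get("parameters", {}).values():
        if param.get("type", "").lower() in SECURE_PARAM_TYPES:
            param.pop("defaultValue", None)
    for res in doc.get("resources", []):
        props = res.setdefault("properties", {})
        if res.get("type", "").lower() == STORAGE_ACCOUNT:
            props["supportsHttpsTrafficOnly"] = True
            props["minimumTlsVersion"] = "TLS1_2"
        if "publicNetworkAccess" in props:
            props["publicNetworkAccess"] = "Disabled"
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for rule, where, msg in check_arm_template(WEAK_TEMPLATE):
        print(f"{rule} at {where}: {msg}")
    print(harden(WEAK_TEMPLATE))
```

Running it reports the four weak settings on the constructed template and none on the hardened copy. The secure-parameter check is the one most often missed in review: a `defaultValue` on a `secureString` is committed to source control in clear text even though the deployed value is masked.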

1.17.0.3976

09 May 08:31
5089f39

Release notes - SonarIac - 1.17

Bug

SONARIAC-782 Invalid line offset while issue reporting should not lead to analysis failure

SONARIAC-783 S6504 crashes by specific filename in shell commands

False-Positive

SONARIAC-738 Rule S6504: Group is not considered

SONARIAC-753 S6505 should not raise an issue if `yarn` is used as a command option

Improvement

SONARIAC-731 Rule S6500: Improve issue message

SONARIAC-734 Rule S2612: Add more precision to the issue message

SONARIAC-737 Rule S6472: Improve wordlists

SONARIAC-742 Rule S6437: Improve the ssh-keygen command detection logic

SONARIAC-743 Rule S6437: Improve the message for secret generation

SONARIAC-749 Review content of rules/cfn-lint/rules.json (Severity, Type, Message)

SONARIAC-750 Rule S6506: Add wget support

SONARIAC-752 Log filename when file identifier does not match in YamlSensor

1.16.0.3845

04 Apr 08:05
2fbde15

Release notes - SonarIac - 1.16

New Feature

SONARIAC-41 Execute SonarIaC in SonarLint context

SONARIAC-688 Import issues from tflint report

SONARIAC-692 Import issues from Hadolint report

1.15.0.3752

28 Mar 13:53
74263d6

Release notes - SonarIac - 1.15

Bug

SONARIAC-651 Complete omitted test case in CopyInstructionImplTest with the necessary annotation

SONARIAC-685 Add support for identifier starting with _

New Feature

SONARIAC-573 Rule S4790: Using weak hashing algorithms is security-sensitive

SONARIAC-578 Rule S4830: Server certificates should be verified during SSL/TLS connections

SONARIAC-589 Rule S6504: Having executables not owned by root is security-sensitive

SONARIAC-599 Rule S4423: Weak SSL/TLS protocols should not be used

SONARIAC-600 Rule S6505: Allowing shell scripts execution during package installation is security-sensitive

SONARIAC-610 Rule S6437: Add secret generation detection

SONARIAC-623 Rule S6506: Allowing downgrades to a clear-text protocol is security-sensitive

Improvement

SONARIAC-639 Kubernetes Parser should not fail if it contains Helm syntax

SONARIAC-672 Rule S6500: Use new CommandDetector to improve check implementation

1.14.0.3657

21 Mar 11:36
d282478

Release notes - SonarIac - 1.14

Bug

SONARIAC-658 Docker comments of one file should not be associated with tokens of another file

False Negative

SONARIAC-439 S6303: Support all kinds of DB resource in Cloudformation

SONARIAC-518 S6428: Add Init Containers to the detection logic

New Feature

SONARIAC-182 Cfn-lint import error log should convey the reason

Sub-task

SONARIAC-609 Limit plugin visitors in SonarLint context

SONARIAC-636 Add wrapper to AnalysisWarnings to allow Sensor initialization in SonarLint context

SONARIAC-638 External reports should not be imported in SonarLint context

SONARIAC-653 S6317 [Cloudformation] Update message and supports secondary locations

SONARIAC-654 S6317 [Terraform] Update message and supports secondary locations

SONARIAC-663 Necessary extension should be annotated for SonarLint

Task

SONARIAC-673 Provide default profile path to RuleMetadataLoader

Improvement

SONARIAC-384 S6317: Update message and supports secondary locations

SONARIAC-608 Prepare all IaC Sensors for SonarLint context

SONARIAC-637 Don't use Plugin's API TextPointer and TextRange in Trees

1.13.0.3464

10 Mar 13:46
2dea50b

Release notes - SonarIac - 1.13

Bug

SONARIAC-632 Global ARG variable should be accessible to any FROM instruction

SONARIAC-635 Invalid textrange for heredoc argument

False-Positive

SONARIAC-440 [CF, TF] FP on rule S6304: "Granting access to all resources" should not be raised on actions without resource-level permissions

New Feature

SONARIAC-560 Rule S6500: Installing unnecessary packages is security-sensitive

SONARIAC-564 Rule S6474: Sharing the host’s network namespace is security-sensitive

SONARIAC-567 Rule S6497: Using a container image based on its digest is security-sensitive

SONARIAC-569 Rule S6502: Disabling builder sandboxes is security-sensitive

SONARIAC-570 Rule S2612: Dangerous chmod options on COPY, ADD and RUN instructions

SONARIAC-577 Rule S6472: Add ARG secret handling detection

SONARIAC-617 Track ENV arguments similar to ARG arguments when resolving variables

SONARIAC-618 Rule S1135: Track uses of "TODO" tags in comments

False Negative

SONARIAC-438 S6303: Support all kinds of DB resource in Terraform for AWS

Improvement

SONARIAC-473 S6303: Update message to target the resource type

SONARIAC-516 S6470: Improve the message to make the issue clearer

SONARIAC-520 S6258: Incorrect path of code for Azure

SONARIAC-566 Rule S4507: Delivering code in production with debug features activated is security-sensitive

SONARIAC-622 Rework Log Message of Parsing Error

SONARIAC-631 Improve ArgumentResolution to provide valuable data

SONARIAC-641 Clean DockerLexicalGrammar

1.12.0.3222

23 Feb 15:02
18c3294

Release notes - SonarIac - 1.12

Bug

SONARIAC-576 Unquoted string literals should allow escaped quotes

SONARIAC-591 S6470 cause NullPointerException when ADD src is environment variable

SONARIAC-592 StringIndexOutOfBoundsException when parsing empty comment

SONARIAC-598 Kubernetes & CloudFormation: the check whether a file should be scanned is slow for big files

SONARIAC-601 Stack Overflow when resolving variable which directs to itself

SONARIAC-612 Should parse curly braces in double quoted string

SONARIAC-613 Parsing errors should be mapped to the real code

SONARIAC-614 Should parse `$` not followed by variable identifier as a regular string

SONARIAC-620 S6472 should not raise NPE on missing `ENV` value

New Feature

SONARIAC-581 Track value of variables of the different scopes and instructions of a Dockerfile

SONARIAC-590 Implement a fail fast mechanism

SONARIAC-595 TransferInstruction should rely on Arguments, not on SyntaxTokens

Improvement

SONARIAC-538 Modify top syntax elements File / Body

SONARIAC-539 Create Argument syntax element

SONARIAC-541 Modify ShellForm implementation

SONARIAC-542 Adapt ExecForm implementation

SONARIAC-543 Change ParamTree to Flag and change its implementation to use Argument for value

SONARIAC-544 Modify StopSignalInstruction implementation to use Argument

SONARIAC-545 Modify WorkdirInstruction implementation to use Argument

SONARIAC-546 Modify ExposeInstruction implementation to use Argument

SONARIAC-547 Modify UserInstruction implementation to use Argument

SONARIAC-548 Modify LabelInstruction implementation to use KeyValuePair equals or single forms

SONARIAC-549 Modify EnvInstruction implementation to use KeyValuePair equals or single forms

SONARIAC-550 Modify ArgInstruction implementation to use KeyValuePairEqualsOptional form

SONARIAC-553 Modify FromTree implementation to use Argument and Flag

SONARIAC-556 Modify HealthcheckInstruction implementation to use Flag

SONARIAC-557 Create a utility to evaluate an Argument and replace variables with their values

SONARIAC-565 Allow `.dockerfile` as file suffix for DockerSensor

SONARIAC-588 Symbol usage should know about its scope

SONARIAC-602 Move test classes from iac-common to dedicated module