This versions biggest addition is the security and quality analysis of Java source code. Find out more about the major changes in the chapters below.
Java Application Security Testing
At RIPS we take a unique approach for static code analysis of modern web applications. Instead of building one generic analyzer for fundamentally different programming languages, such as static Java and dynamic PHP, we strongly believe that complex security bugs in modern applications can only be accurately detected with language-specific analysis engines that simulate all the language’s subtlenesses, libraries, and pitfalls. After all, these nifty details account for today’s security vulnerabilities.
Hence, we did not simply add a Java parser to our leading PHP engine which lately uncovered exploitable security issues in WordPress, Magento and phpBB3. We built a completely new code analysis engine that adopts our awarded static analysis algorithms to the Java programming language, paired with Java-specific innovations. Our Java engine is able to parse all kind of Java code, up to the latest Java version 11, and to realize automated security analysis of millions of code lines within only minutes. Although still being in an early stage, it already checks for over 60 security vulnerability types, 20 code quality issues with security relevance, and has detected multiple previously unknown security vulnerabilities in popular CMS software. We will disclose the details of these vulnerabilities as soon as they are patched by the affected vendors. Of course the separation of our different analysis engines is invisible to the user and all of our integrations, user interface, and REST API can also be used for Java.
New Manager Dashboard
The most visual improvement in RIPS 3.0 is our new manager dashboard that appears directly after login. We grouped the latest scan statistics for each application into application cards that enable you to easily see which of your applications is improving or worsening lately in terms of exploitable security, code quality or misconfiguration issues. For this purpose a high-level score from 1 (good) to 5 (bad) was added. You can also track which of your application’s scans are connected to our plenty integration options, e.g. a CI/CD tool, IDE, or bug tracker.
Improved Code Summary
We constantly improve our code summary that is displayed for each detected security issue and that groups only the affected code lines for a particular issue. In order to improve the efficient review of our code summary, we added highlighting for the exact taint positions in markup. This helps, for example, when reviewing a SQL injection issue in a dynamic SQL query that has multiple variables. The vulnerable variable is easily spotted with our red highlights.
Advanced Patch Guide
Next to our issue description and references that help to understand the root cause and consequences of each vulnerability, we advanced our patch guide for an easy problem resolution. We extended our instructions that are different for each vulnerability context and added actionable code samples to support quick drafting of patch code.
Revised Analysis Profiles
RIPS works very well out of the box for any kind of code and there is no need for application specific configurations. Hence RIPS is very easy to use for beginners. To get the most out of static analysis, advanced users can fine-tune analysis parameters with the help of our analysis profiles. We revised the configuration masks and added dynamic code examples that will automatically adjust to your inputs. With these, your advanced configurations and their effects will become more intuitive.
We added support for three more integrations that are mostly relevant in the Java world:
There were many more changes in this release and you can find a more detailed list on each of our components release pages.