diff --git a/Changelog.md b/Changelog.md
index e6be5c9a..416b26fe 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.82] - 2026-05-06
+### Fix
+- Narrowed OpenSSL hardcoded TLS detection rule DS440010 to require standalone token matching, avoiding false positives when `DES` only appears as a substring in larger XML identifiers.
+- Added a negative built-in self-test case for XML identifier `SCPDES_ANNO_SHAPE_1` to prevent regressions.
+
 ## [1.0.81] - 2026-04-16
 ### Pipeline
 - Updates to fix release pipeline for VSCode extension.
@@ -440,4 +445,3 @@ New: `devskim analyze -I path/to/src -O path/to/out.sarif`
 
 ### Fixes
 - Rule improvements and DevSkim engine performance and reliablity improvements.
-
diff --git a/rules/default/security/cryptography/hardcoded_tls.json b/rules/default/security/cryptography/hardcoded_tls.json
index 938a870f..0ed273cf 100644
--- a/rules/default/security/cryptography/hardcoded_tls.json
+++ b/rules/default/security/cryptography/hardcoded_tls.json
@@ -78,6 +78,9 @@
 "severity": "important",
 "_comment": "Applies to all languages since many just wrap OpenSSL constructs.",
 "rule_info": "DS440000.md",
+ "must-not-match": [
+ ""
+ ],
 "patterns": [
 {
 "pattern": "SSLv2?3_method|D?TLSv1_([123]_)?(client_|server_)?method",
@@ -127,7 +130,7 @@
 "_comment": "OpenSSL extension / options"
 },
 {
- "pattern": "(AES|DH|DHE|ADH|CAMELLIA|EDH|EXP|DES|IDEA|RC4|NULL|GOST|EXP|ECDH|ECDHE|AECDH|PSK|SSL|RSA|TLS)_?([A-Z0-9]+_)+((SHA[0-9]*)|(MD5)|(GOST)[[A-Z0-9\\-]*)",
+ "pattern": "(?
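Review bot: The new `must-not-match` array in the hardcoded_tls.json hunk at line 78 holds only an empty string, so the negative self-test the changelog describes for `SCPDES_ANNO_SHAPE_1` is not actually present here; an empty sample cannot exercise the narrowed `DES` token boundary, and depending on how the verifier treats empty entries it is either a no-op or a spurious result. The entry should be the identifier the changelog names, `"must-not-match": [ "SCPDES_ANNO_SHAPE_1" ]`, so the regression case fails if the pattern is ever widened again. This array is also attached to the rule whose `rule_info` is `DS440000.md`, while the changelog attributes the narrowed pattern to DS440010; if those are separate rules, the self-test should sit on the rule that owns the cipher-suite pattern rewritten in the later hunk, which is cut off at the end of this page.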