Changelog

2025

October

Release 43

(SAST) New methods:

F100 Scala SSRF through unvalidated URL
F008 C# .config Request Validation Disabled
F100 Scala Unvalidated External URL Enables SSRF
F100 SSRF via urllib.request.urlopen in Django
F100 Python SSRF by interpolation of client input into URL
F039 C# Inexplicit Anonymous Access in .NET endpoint
F404 JavaScript Node JS Command Injection
F404 Java Command Injection
F016 Go SSL/TLS Insecure Encryption
F148 Go TLS Insecure Skip Verify
F008 C# Request Validation Disabled

(Reachability) New methods:

Release 42

(ASPM) Recognize active session: Users were prompted to log in again when accessing the root URL (https://app.fluidattacks.com). Now, active sessions are recognized and users are redirected to /home as expected.
(ASPM) CVSS 3.1 has been completely deprecated from our platform.
(SAST) New methods:

F128 Go HttpOnly Disabled
F130 Go Secure Cookie Disabled
F143 JS Implied Eval Injection
F143 TS Implied Eval Injection
F096 Scala Deserialization of Untrusted Data
F096 Ruby Yaml Load Insecure Deserialization
F008 Ruby XSS Insecure HTML Safe
F008 Dart Flutter Reflected XSS
F008 Scala Reflected XSS

(Reachability) New methods:

Release 41

(ASPM) Update plan changes notification: Emails sent when a client changes their plan are now more explanatory, detailing what was changed and the benefits or drawbacks of the change.
(ASPM) Filtered view to show Top 20 vulnerabilities by Priority: A filtered view, accessible with the click of a button, has been added to the weaknesses view to highlight the global Top 20 vulnerabilities with the highest remediation priority.
(All) From KB to db.fluidattacks.com: Now, all references to our criteria (advisories, weaknesses, fixes, requirements, standards) in our product point to db.fluidattacks.com, our new source of truth.
(SAST) New methods:

F027 Java Dangerous File Upload
F004 Java Unsafe Reflection
F100 C# HTTP Request SSRF
F021 C# XmlNode Xpath Injection
F148 Go SSH Accept Any Host Keys With InsecureIgnoreHostKey
F063 Swift Vapor Path Traversal
F134 Scala PlayFramework Insecure CORS Configuration
F309 Kotlin JWT Sign None
F148 Ruby OpenSSL verification mode None

(Reachability) New methods:

Release 40

(ASPM) Priority: Now, platform users can see a Priority column that combines multiple criteria, such as CVSSF, KEV, EPSS, Reachability, and fixing cost, among others, to help them determine which vulnerabilities to fix first.
(ASPM) Improve UX for multi-select filters with long option names: Improvements were made to prevent UI overflow when multiple filters with long option values are displayed.
(ASPM) Approval tables improvements: Rows now switch from action buttons to status tags, with clear undo options and feedback messages. Bulk actions are supported through checkboxes with ‘Approve All’ / ‘Reject All’ controls.
(Criteria) Fixes section UI improvements: Added Fixes landing, category, and internal pages with cards, filters, and breadcrumbs.
(Criteria) Compliance section UI improvements: Added Compliance landing, category, and internal pages with cards, filters, and breadcrumbs.
(IDE Plugin) From KB to db.fluidattacks.com: Every reference in our VSCode/Cursor extension to vulnerabilities' information now points to db.fluidattacks.com.
(SAST) New methods:

F096 Java ObjectMapper Insecure Deserialization
F008 Kotlin Spring Boot Reflected XSS
F156 Java Open Redirect
F027 Ruby Dangerous File Upload
F027 JS Express Dangerous File Upload
F027 TS Express Dangerous File Upload
F156 PHP Symfony Insecure Redirect
F027 Php Unsafe File Upload
F107 PHP LDAP injection
F183 PHP Debug Enable
F297 GORM SQL Injection
F130 PHP Cookies Secure Disabled

(Reachability) New methods:

September

Release 39

(Criteria) Homepage improvements: Added topbar, navigation, and homepage UI improvements.
(Criteria) Weaknesses section UI improvements: Added Weaknesses landing, category, and internal pages with cards, filters, and breadcrumbs.
(Criteria) Requirements UI improvements: Added Requirements landing, category, and internal pages with cards, filters, and breadcrumbs.
(SAST) New methods:

F297 Dart Raw SQL Injection
F297 PHP Laravel Raw SQL Injection
F297 Swift SQL Injection
F297 Scala Tainted SQL Injection
F297 Python SQL Injection
F008 Flask Reflected XSS
F404 Python Asyncio Subprocess command injection
F007 Scala CSRF Headers Bypass
F134 Kotlin Insecure CORS Origin

Release 38

(ASPM) Package imports view with transitivity grouping: Entering from the Locations column in Packages, a second view displays the detailed locations where each dependency was found, grouped by transitivity.
(IDE Plugin) Custom Fix in the IntelliJ integration: The IntelliJ plugin now supports Custom Fix, allowing developers to get tailored remediation guides generated with AI.
(ASPM) Integrated KEV Information into Package details: Details of vulnerabilities found with SCA now indicate whether a they are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and clients can filter by this parameter to better prioritize remediation.
(SAST) New methods:

F007 Ruby Missing CSRF Protection
F007 Python Django No CSRF
F007 PHP Symfony CSRF Protection
F007 Php WP Plugins CSRF Audit
F404 Python OS Command Injection
F100 Kubernetes Host Probes SSRF

Release 37

(ASPM) Added placeholders to table search bars: Reviewed all search bars across the platform and updated placeholders to help users understand which fields can be searched.
(ASPM) Not configured days to technical debt: The "Days to technical debt" column in Policies now displays “Not configured” when this policy has not been set.
(ASPM) Increased character limit for Key field: Values for "Key" in the secrets management window can now be longer, so the field can support full email addresses and extended identifiers.
(ASPM) "Manage Members" can be dismissed clicking outside or scrolling: The “Manage Members” dropdown now closes on outside clicks and adjusts or closes when scrolling.
(ASPM) Improved API error messages and whitespace handling: Enhanced API error messages for Docker image additions and now automatically trim leading/trailing whitespace in URIs.
(SCA) Malware advisories: Updated the scanner to report malware advisories for npm packages.

Release 36

(ASPM) GenAI fix support for SCA vulnerabilities : The "How to fix" button now generates a remediation guide for SCA vulnerabilities.
(ASPM) Organization vulnerabilities report: Now this report is generated asynchronously instead of once a day, allowing users to get updated information whenever a report is requested.
(ASPM) Enhanced “Packages” and improved SBOM export flow: Merged 'Docker images' tab into the 'Packages' tab and enhanced the SBOM export modal with clearer options, filtering, and validation.

August

Release 35

(ASPM) Renamed “Surface” section to “Inventory” : Renamed Surface to Inventory, moved Packages to the first tab in Inventory, and grouped technical attributes under a Surface tab.
(ASPM) Enhanced Last commit filter in Inventory: Now under the Inventory → Surface → Lines subtab, users can copy the entire commit hash from the Last commit column to filter using this parameter.
(ASPM) Deprecated "Black" service: Our platform no longer allows the creation of groups under the "Black" service (black-box testing) or the updating of existing ones to this service. Current clients using this service are not affected by the change.
(ASPM) Redesigned Packages section: Enhanced Packages as a new dependency inventory view with auditing, SBOM generation, risk insights, and compliance support, including updated columns and filters.
(SAST) New method:

F164 Swift Insecure KeyChain ACL

Release 34

(ASPM) Deleted "Download analytics" button: The feature to download a PNG image containing the graphs and figures in Analytics sections is no longer available.
(ASPM) Replace weaknesses count with vulnerabilities count in Groups section: Clients can now view open vulnerabilities within their groups in the "Groups of your organization" section, providing immediate insight into which groups have more open vulnerabilities.
(ASPM) Agent rename to CI Gate in emails: "CI Agent" was replaced with "CI Gate" in all platform notifications.
(Criteria) Search feature: Clients can now use a search feature to help them navigate https://db.fluidattacks.com.
(SAST) New methods:

F016 Swift Weak TLS Configuration
F008 Swift WebView LoadHTMLString XSS
F060 JavaScript Insecure postMessage Wildcard
F060 TypeScript Insecure postMessage Wildcard
F014 Swift Deprecated WebView Usage
F434 JavaScript Client-Side Template Injection
F434 TypeScript Client-Side Template Injection

Release 33

(ASPM) Remove "Weekly trend" from Compliance section: Weekly trends indicator was removed from Compliance to improve clarity.
(ASPM) Agent rename to CI Gate: Now, under the DevSecOps section, the 'Agent' is called 'CI Gate' to align with its purpose and the security gates configuration.
(SAST) New methods:

F021 Kotlin XPath Injection
F297 Kotlin SQL Injection
F404 Kotlin Code Injection
F096 Kotlin Insecure Deserialization
F014 Ruby on Rails Mass Assignment
F052 Swift Weak Hash Algorithm

Release 32

(ASPM) Updated empty states in vulnerabilities table: Update the empty states in the Vulnerabilities table columns to ensure they are consistent and easy to understand.
(ASPM) Added Undeterminable to dependency type filters: Clients can now filter by the "Undeterminable" option in the dependency type filters of the vulnerabilities table.
(ASPM) Added "Fix with AI" filter: Clients can now filter by the "Fix with AI" attribute in the Vulnerabilities sections, making it easy to find vulnerabilities that have an AI-generated fix available.
(Criteria) Moved Criteria page to db.fluidattacks.com: To improve ease of use and consultation, all our vulnerability, security requirement, fixes, and standard details can now be found at db.fluidattacks.com.
(SAST) New methods:

F100 Kotlin SSRF From Untrusted URL
F014 PHP Arbitrary File Read
F404 Ruby Command Injection via Open3
F008 Ruby Reflected Cross-Site Scripting
F297 Ruby SQL Injection
F404 Ruby Code Injection via eval
F017 PHP Insecure Session Configuration (use_only_cookies)

July

Release 31

(ASPM) Improved "How to fix" tab: Improved the design of the "How to fix" section and made the tab always visible for open vulnerabilities, added an "Auto-fix" button for supported cases, simplified the modal flow, and added guidance when Autofix is unavailable.
(ASPM) Markdown inputs validations: The platform now runs validations in Group context and Disambiguation before submitting or closing Markdown inputs to shorten the feedback loop on entered text.
(ASPM) New webhooks: Added notifications for confirmed zero risk vulnerabilities.
(Reachability) New methods:

(SAST) New methods:

F063 Kotlin JAX-RS Path Traversal
F100 PHP Server Side Request Forgery
F021 PHP XPath Injection
F404 PHP Preg Replace Code Injection
F297 PHP SQL Injection
F123 PHP Local File Inclusion
F063 Ruby File Join Path Traversal

Release 30

(Fixes) Support for new files: Our Custom Fix and Autofix features now support Docker files.
(IDE Plugin) Updated IntelliJ extension compatibility: Fluid Attacks' extension can now be used in the latest version of IntelliJ IDEA.
(APK CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4 field was added.
(CSPM CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4 field was added.
(DAST CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4 field was added.
(SAST CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4 field was added.
(SCA CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4, direct/transitive status, and EPSS score fields were added.
(Reachability) New methods:

(SAST) New methods:

F404 Ruby Kernel Command Injection
F008 Go HTML Template XSS
F146 Go Database SQL Injection
F098 Go OS Rename File Manipulation
F404 Go Exec Command Injection
F004 JS Unsandboxed Iframe
F004 TS Unsandboxed Iframe
F063 Go Path Traversal
F052 JS JSONWEBTOKEN Allow Invalid Key Types
F052 TS JSONWEBTOKEN Allow Invalid Key Types

Release 29

(ASPM) Vulnerability and risk exposure summary: In vulnerabilities, added the number of open security issues, those that have available fixes with AI, and total risk exposure share of the group.
(ASPM) UI improvements in Group status and Plan columns: Improved the Group status and Plan columns in the Groups section by using colored tags for better readability and quick recognition of statuses (i.e., subscribed, suspended, free trial) and active plan.
(ASPM) Enable opening weaknesses in new tabs: Enhanced navigation in Vulnerabilities by allowing users to open individual weaknesses in a new tab.
(Fixes) Support for new files: Our custom fix and suggested fix features now support the following file types: .html, .yaml (Helm, CloudFormation, Docker Compose), .xml (Android), and .json (ARM).
(SAST CLI) Improvements in scanner output: Now the console output is much more legible and clear, and the CVSS v4 score has been added.
(SAST) New methods:

F100 Go Net HTTP SSRF
F405 Go Insecure File Permissions
F021 Go XMLPath XPath Injection
F100 Python HTTP Request SSRF
F405 Python Insecure File Permissions
F020 Swift Insecure Data No File Protection

Release 28

(ASPM) Added 'Copy' button in location column: Users can now copy the vulnerability URL directly from the Location column using a new "Copy" button.
(ASPM) Editing of "connection types" and "production_environments?": Users can now edit the environment's connection type and production status after registration.
(ASPM) Improved visibility of treatments: Added colors to treatments in the Locations table to help distinguish them more quickly.
(ASPM) Improved readability and implemented brand colors in report: The Executive Summary chart was updated with larger font for readability and overall changed the colors to align with Fluid Attacks' chosen brand colors.
(SCA) UV package manager support: Added support for UV package handler, allowing uv.lock dependencies to be detected and reported.
(SAST) New methods:

F106 Python PyMongo NoSQL Injection
F008 Python Insecure MARKUP XSS
F083 Java JAXP Insecure SAXTransformerFactory XXE
F083 Java JDOM2 Insecure SaxBuilder XXE
F083 Java DOM4J Insecure SaxReader XXE
F083 Java Insecure XML Validator XXE
F083 Java Insecure XSLT Transformer Factory
F100 Java SSRF From Untrusted URL
F004 Java EL Injection From HTTP Request
F096 Swift Foundation Insecure NSKEYEDUNARCHIVER

Release 27

(ASPM) Persistent filters by default: Filters are saved in every table of the platform.
(ASPM) Added Git root exceptions: Added specific exception handling when adding Git repositories to improve error flows.
(SAST) New methods:

F004 Java Script Engine Code Injection
F268 Swift WebKit Unsafe Local File Access
F372 Swift Network Framework Insecure TCP Connection
F094 XML JS/TS CryptoJS Insecure Use Of CBC Mode
F134 Yaml Spring Insecure Cors Wildcard

June

Release 26

(ASPM) Queued Git root cloning: Re-enabled the 'Queued' status for Git roots within scope for clarity and to allow clients to use this status as a filter.
(ASPM) OWASP Top 10 for LLMs report: Users can now include the OWASP Top 10 for LLMs standard in their reports of noncompliance from the Compliance section.
(SAST) New methods:

F372 Swift Insecure HTTP
F097 JQuery Reverse Tabnabbing
F134 YAML AWS SAM Insecure Cors
F134 Properties Spring Insecure Cors Wildcard
F447 Gradle Missing Checksum Verification
F359 Dockerfile Hardcoded Credentials CHPASSWD
F264 XML .NET Weak Encryption Algorithm
F134 XML Java EE Insecure Cors Wildcard

Release 25

(ASPM) CVSS 4.0 is mandatory: All SAST, SCA, CSPM, and DAST reports include the CVSS 4.0 score from now on.
(ASPM) Migrated tables to new design: Improved UX and usability for the following tables: Trusted devices, and Groups (in Portfolios).
(MCP) Answering questions using Knowledge Base: Fluid Attacks' MCP server can now answer users' questions using the information in the Knowledge Base.
(Criteria) OWASP Top 10 for LLMs verification: Fluid Attacks verifies that you comply with this new standard.
(SAST) New methods:

F264 Java Weak Crypto In SecretKeyFactory
F094 Java Spring Weak CBC Cipher Suites
F134 YAML Insecure Cors Header
F405 YAML Insecure File Permissions for other
F359 Build.Gradle Hardcoded Credentials
F157 Terraform Azure NSG Allows Unrestricted SSH Access
F157 Terraform Azure NSG Allows Unrestricted SMTP Access
F157 Terraform Azure NSG Allows Unrestricted RPC Access
F157 Terraform Azure NSG Allows Unrestricted PostgreSQL Database Access

Release 24

(ASPM) Migrated tables to new design: Improved UX and usability for the following tables: Execution details (in DevSecOps), Credentials management window, subentries to new entry (Mailmap section), Treatment acceptance (in Locations), Update verification (in Locations), API token window, Records preview (in Locations) and Update affected reattacks (in Locations).
(SAST) New methods:

F332 Java Spring Datasource No Encryption
F359 Package.json NodeJS Git Credentials Exposure
F380 Dockerfile Curl No Checksum
F380 Dockerfile Wget No Checksum
F183 Android Debuggable Enabled
F134 Swift Vapor Insecure CORS Header
F016 Nginx Insecure SSL Protocols
F134 Ruby On Rails Insecure CORS Header
F043 Nginx Insecure CSP Inline Script
F135 Nginx Insecure Cors Header
F129 Python Flask Insecure Cookie Samesite None
F129 Python Django Insecure Cookie Samesite None
F216 Log Exposed Username in Path
F134 PHP Laravel Insecure Cors Configuration
F037 Spring Prometheus Endpoint Exposure
F359 Java Spring Hardcoded Credentials
F149 Java Spring Insecure SMTP

Release 23

(ASPM) Enhanced the Surface table (Ports): Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Ports).
(SAST) New methods:

F129 JS Express Insecure Cookie Samesite
F129 TS Express Insecure Cookie Samesite
F043 JS Insecure CSP Inline Script
F313 JS Insecure TLS Reject Unauthorized in False
F313 TS Insecure TLS Reject Unauthorized in False
F043 Kotlin Insecure CSP Inline Script
F134 JS Lambda Insecure Cors
F134 TS Lambda Insecure Cors
F338 Kotlin Hardcoded Salt Bytes
F094 JS SSH2FTPClient CBC Cipher Used
F094 TS SSH2FTPClient CBC Cipher Used
F135 C Sharp Insecure SameSite Cookie Configuration

May

Release 22

(SCA) Reporting Docker images vulnerabilities: Now vulnerabilities discovered in Docker images can be viewed in the Vulnerabilities table.
(MCP) AI Agent to production.
(SAST) New methods:

F395 Kotlin Hardcoded Init Vector
F135 CSharp ASP.NET Insecure Cookie Samesite None
F134 JS Express Insecure CORS Header with Wildcard Origin
F134 TS Express Insecure CORS Header with Wildcard Origin
F395 Java Static IV in Base64 Scenarios
F134 CSharp Insecure Use of Wildcard CORS Configuration
F134 CSharp Insecure Cors Header via HttpWebRequest
F125 CSharp ASP.NET Directory Browsing Enabled
F078 CSharp ASP.NET AllowInsecureHTTP in True
F043 Java Insecure CSP Inline Script
F368 Java Host Key Checking
F134 Java Insecure Cors Modifier
F134 Java Spring Insecure Cors
F129 Java Spring Cookiegenerator SameSite
F129 Java Spring Insecure Cookie Samesite None
F130 Java Spring Cookiegenerator Secure
F060 Java JSCH StrictHostKeyChecking Disabled
F052 Java Insecure Cipher Mode
F134 Dart Shelf Insecure CORS Header

Release 21

(ASPM) Package details: Added a new section in the vulnerability modal with the fields 'Dependency'Dependency type', 'ID', '%EPSS', 'Stage', 'Reachability', 'Version status', 'Affected version', 'CPEs', 'Namespace' and 'Advisory URLs'.
(ASPM) 'Potential' tag: Added the new 'Potential' tag to let customers identify the dependencies that are imported in their code but whose vulnerability is not confirmed to be reachable.
(SAST) New methods:

F134 Go Gin Insecure CORS Header
F359 Python Hardcoded Credentials in PyMySQL

Release 20

(SCA) Reachability label: When a dependency is reachable it appears as a tag in the inherited vulnerability.
(ASPM) Enhanced tables in Organization Billing: Enhanced user experience with filtering, sorting, searching, and pagination in the Billing section.
(ASPM) Enhanced the Surface table (Lines): Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Lines).
(ASPM) Enhanced the Members table (organization and groups): Enhanced user experience with filtering, sorting, searching, and pagination in the Members table at both the organization and group levels.
(Design Map) Delete files from Design Map: Clients can now delete uploaded files from this section.
(Design Map) UI Improvements: Renamed columns, added tooltips, and improved alignment, sorting, and layout.
(Design Map) Multilingual classification support: Design Map now supports documents in both English and Spanish.

Release 19

(ASPM) Enhanced tables for IP roots and URL roots: Enhanced user experience with filtering, sorting, searching, and pagination in the Scope section.
(ASPM) Enhanced the Surface table (Languages): Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Languages).
(ASPM) Authorization improvements: Permissions for the User role were updated so that it cannot remove environments from the scope, restricting this action to higher-level roles only: Group Manager and Vulnerability Manager.
(ASPM) Inherited vulnerabilities filtering: 'Inherited' vulnerabilities can now be filtered by dependency type ('Direct' or 'Transitive'), EPSS, package manager, stage ('Run' or 'Build') and by whether they are reachable or not.
(SAST) New methods:

F006 C Sharp Token Validation Bypassed via Unsafe Delegates
F061 C Sharp Insecure DLL loading

April

Release 18

(Design Map) Correlate threats: Clients can now correlate threats identified in their security designs with vulnerabilities reported by Fluid Attacks.
(IDE) Cursor IDE extension: Our clients' development teams can now check reported vulnerabilities, request reattacks, generate fixes using artificial intelligence, and request treatments, all without leaving the Cursor IDE.
(ASPM) Enhanced the Integrations table: Enhanced user experience with filtering, sorting, searching, and pagination in the Integrations section.
(ASPM) Enhanced the Surface table (Packages): Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Packages).
(ASPM) Enhanced Scope tables: Enhanced user experience with filtering, sorting, searching, and pagination in the Scope subsections.
(MCP) Fluid Attacks' Model Context Protocol: Launched a new integration that enables users to query real-time security data from Fluid Attacks through natural language prompts in AI tools such as Claude or VS Code using Copilot as the agent. This is possible with minimal setup and no need for complex commands.
(SAST)
Architecture improvements in Fluid Attacks' scanner: Aiming for a cleaner architecture and better separation of concerns, our APK scanner is now a separate CLI with its own Docker image.
(SAST) New methods:

F089 C Sharp Insecure Deserialization Of Untrusted XML in .NET DataTable
F260 C Sharp Memory Corruption Risk Due to Serialization of Pointers
F007 C Sharp Lack of ViewState association with session in ASP.NET Web Forms (CSRF)
F115 C Sharp Insertion of Untrusted Certificate into Root Store
F130 C Sharp Insecure Cookie Transmission via Unset Secure Flag in ASP.NET Core

Release 17

(ASPM) Upgrade plan flow from Talk to a Pentester: If clients with the Essential plan would like to use the 'Talk to a Pentester' feature, which is available only in the Advanced plan, they can easily request an upgrade from the dialog when attempting to access the feature.
(ASPM) Upgrade plan flow from Reattack: Clients who downgraded to the Essential plan and want to reattack vulnerabilities previously found via RE, SCR, and PTaaS can easily request a plan upgrade from the dialog when attempting to access the feature.
(ASPM) Enhanced the Vulnerabilities table: Enhanced user experience with filtering, sorting, searching, and pagination in the Vulnerabilities section.
(ASPM) Enhanced Logs tables: Enhanced user experience with filtering, sorting, searching, and pagination in the Logs subsections.
(SCA)
Change displayed technique for types 431 and 120: Vulnerability types 431 and 120 now accurately display 'SAST' as the technique that detected them.
(SAST) New methods:

F056 JS/TS Insecure gRPC Communication via createInsecure
F125 C Sharp Insecure Configuration: Directory Browser Middleware Exposes Filesystem
F140 C Sharp Insecure Corrupted State Exception (CSE) Catching in .NET
F204 JS/TS Mass Assignment via Object.assign in Express
F323 C Sharp XML External Entity (XXE) via Insecure DTD Processing in XmlReaderSettings

F422 C Sharp Server-Side Template Injection (SSTI) in Razor

Release 16

(SAST) New methods:

F115 JS Improper CSRF Middleware Order
F115 TS Improper CSRF Middleware Order

F002 JS Uncontrolled Error Object Allocation via Ajv allErrors Option
F002 TS Uncontrolled Error Object Allocation via Ajv allErrors Option
F014 C Sharp Insecure Random Number Generator for Cryptographic Key Generation

Release 15

(ASPM) Enhanced flow for upgrading to paid plans: Improved the flow to make it easier for free trial users to upgrade their plan.
(ASPM) Management options in credentials table: Options to edit and remove credentials are now accessible through a single button for a cleaner look.
(ASPM) Columns in Surface table: Added new filters and columns UI to ease data filtering.
(SBOM) Support of packages.swift: packages.swift files now appear in SBOM.
(SAST) New methods:

F068 JS Missing Path In Session Cookie
F068 TS Missing Path In Session Cookie
F146 PHP Mysql Query Injection
F134 Go Gin Framework Insecure CORS
F006 JS JWT Token Forgery
F006 TS JWT Token Forgery
F134 Koa Framework Insecure CORS
F431 Swift Package Missing Package Lock

Release 14

(ASPM) Improved Acceptance section in Policies: The process for requesting acceptance policies was simplified by improving the user interface, making treatment statuses, temporary and permanent acceptances, as well as the section’s functionality and tables, clearer.
(ASPM) Improved reattack flow and messages: Improved the user flow to request a reattack from three to two clicks and implemented detailed error messages.
(ASPM) Updated PDF available in the free trial: Updated the PDF about plans and prices linked in the banner shown to free trial users.
(Reachability) New methods:

(SAST) New methods:

F085 Flutter Framework Sensitive Information Stored in SharedPreferences
F332 Ruby OpenURI Request
F130 PHP Laravel Cookie Insecure
F183 JS Struts Debug Mode enabled in production
F371 JS Angular Use Of Insecure InnerHtml
F371 TS Angular Use Of Insecure InnerHtml
F008 PHP Laravel Reflected XSS
F151 Ruby NET Telnet Request

March

Release 13

(ASPM) Moved existing filters to a new design: Implemented a new filter design in the organization's Logs and groups' Scope sections to ease data filtering.
(Agent) Ignoring SCA findings when breaking the build: Now, our Agent receives a flag (--inherited) that allows users to decide whether they want to ignore vulnerabilities reported by the SCA scans when breaking the build, specifying if they are used in development (build), production (run), or any of those (all) stages.
(Reachability) New methods:

(SAST) New methods:

F157 Helm Insecure Ingress Egress
F134 Ruby On Rails Insecure CORS
F008 React Native WebView JS Enabled
F097 Vue JS Reverse Tabnabbing

Release 12

(ASPM) Added Origin quick filter in Locations: Now vulnerabilities can be filtered by their origin ('Inherited', 'Injected').
(ASPM) Moved existing filters to a new design in the organization's views: Implemented a new filter design in the organization's Billing, Mailmap and Members sections to ease data filtering.
(SCA) Move SCA reports from general 011-393 findings to specific ones according to CVE: Now, our scanner reports SCA vulnerabilities to specific findings instead of grouping all reports together in the same general category.
(Reachability) New methods:

(SAST) New methods:

F372 Ruby Net HTTP Client Request
F052 Scala JWT Generation Without Valid Signature
F052 Scala Insecure Key Secret
F134 Python Starlette Insecure CORS
F052 Scala Insecure Hash Argument
F052 Scala Insecure Key Secret

Release 11

(ASPM) Moved existing filters to new design in locations view: Implemented a new filters design inside the Locations section to ease data filtering.
(ASPM) Testing multiple environments: Allow clients to indicate which registered environment corresponds to production, so Fluid Attacks can perform the proper assessments and prevent downtime due to security testing.
(ASPM) Treatment acceptance button improvements: The treatment acceptance button is now grayed out when there are no pending approvals, preventing user confusion.
(ASPM) Origin columns in the vulnerabilities table: Users can now quickly identify in the table if a vulnerability is in a dependency ('Inherited') or in code owned by them ('Injected').
(ASPM) Vulnerabilities' modal improvements: Adjustments were made to facilitate viewing vulnerability information, including severity, Origin ('Injected', 'Inherited'), Technique ('CSPM', 'DAST', 'PTAAS', 'RE', 'SAST', 'SCA', 'SCR'), and Status ('Vulnerable', 'Safe').
(Reachability) New methods:

(SAST) New methods:

F052 Scala Insecure Cipher Mode
F052 Scala Use of Insecure Password Encoder
F097 Javascript NextJS Reverse Tabnabbing
F097 Typescript NextJS Reverse Tabnabbing
F157 Terraform Azure NSG Allows Unrestricted NetBIOS Access
F157 Terraform Azure NSG Allows Unrestricted MongoDB Access
F157 Terraform Azure NSG Allows Unrestricted MS SQL Server Access
F157 Terraform Azure NSG Allows Unrestricted Oracle Database Access
F016 ARM API Management back does not have minimum TLS version set
F016 ARM API Management front does not have minimum TLS version set
F148 Ruby NET FTP Request

Release 10

(ASPM) Updated the filter component: Adjustments to prevent the table header view from shifting and buttons from disappearing when there are a large number of filters applied.
(ASPM) Signatures in executive reports and testing certificates: As part of the enhancements to obtain the CREST Penetration Testing accreditation, reports generated from our platform are now signed by our Head of Service and our VP of Hacking.
(SCA) From general to specific categories in SCA reports: Vulnerabilities associated with CVE entries will be reported under the categories that match their specific descriptions.
(SAST) New methods:
1. F101 Terraform Azure Storage Account Geo-Replication is Disabled
2. F101 Terraform Azure Storage Account Blob Service Soft Delete is Disabled
3. F101 Terraform Azure Key Vault Accidental Purge Prevention is Disabled
4. F148 Terraform Azure App Service Allows FTP Deployments
5. F134 Nest Insecure CORS Configuration
(Reachability) New methods:

February

Release 9

(ASPM) More info for free trial users on paid plan features: Encourage free trial users to upgrade to a paid plan (Essential or Advanced) by highlighting the value of the features that interest them the most.
(ASPM) Revert the Vuln Management button to 'Reattack' and 'Treatment acceptance': Return to the previous button configuration for Reattacks and Treatment Acceptance to improve user experience.
(ASPM) Filters new UI and behavior: Existing filters have been upgraded to deliver more robust and precise performance. The interface has been streamlined by reorganizing components, enhancing clarity, and improving overall efficiency. This applies to the following sections: Groups, Supply chain, DevSecOps, (group-level) Members, and Authors.
(ASPM) Organization Manager can access all groups within the organization: Now, when someone gains access to a platform as an Organization Manager, they automatically get access to all the groups within the corresponding organization.
(IDE Plugin) Align severity scoring between platform and extension: Standardize the severity scoring by ensuring that the platform and the VS Code extension display the maxOpenSeverityScoreV4 value to maintain consistency across all interfaces.
(SAST) New method:

F372 Ruby HTTP Client Request

Release 8

(ASPM) Column management: Allow users to enable or disable columns based on preferences and reorganize them via drag-and-drop. Personalized configurations can be saved and persist in future use. Additionally, the first column is fixed and locked, ensuring it remains visible and cannot be disabled, proving consistent access to critical information.
(ASPM) Rename user manager: The User Manager at the organization level became the Organization Manager, and that at the group level became the Group Manager to keep role names aligned with their corresponding scope.
(Reachability) New method:

Python CVE-2022-22817

Release 7

(ASPM) Centralized policies management: Policy management is now centralized at the organization-level section to simplify changes.
(SAST) New methods:

F096 Python Insecure Serialization
F266 Docker Socket Mount

(Reachability) New methods:

Release 6

Fluid Attacks becomes an AWS partner: We are officially listed by AWS as leveraging AWS technologies in our processes for helping businesses secure their cloud environments.
(ASPM) Updated terminology for vulnerabilities column: Instead of displaying "X types found" in the Groups section, now "X types open" is displayed to be accurate.
(ASPM) Eliminated "Unauthorized access" window: Removed the window that appears when a user's session expires, and instead the users is redirected to the login page.
(ASPM) Renamed Agent's executions report: Report name was renamed from "forces_execution.csv" to "FluidAttacks_DevSecOpsAgent.csv".
(ASPM) Column management: Column customization in the Locations, Vulnerabilities and To do tables is now allowed, simplifying navigation.
(ASPM) Added banner for free trial users: A banner now informs free trial users that automated tools typically detect 30% of a system's risk exposure.
(ASPM) Testing your production environment: You can also add the production environment of your system under assessment as a second environment to undergo our continuous security testing. This option is only available in the Advanced plan.
(SCA) Malware advisories: Updated the scanner to report malware advisories under finding F488 - Use of software with malware.
(SAST) New methods:

F002 Python Asymmetric Denial of Service

January

Release 5

(ASPM) Inherited to surface: The Inherited section, which contained all the package-related information, was renamed Packages and moved inside the Surface section.
(ASPM) UI improvements for Treatment modals: Updated Treatment modals to have less intrusive alerts.
(ASPM) Add policy information to DevSecOps and Members tab (Organization and Groups): Added informative banners that display the configured policies in the DevSecOps and Members sections.
(SBOM) Amazon Elastic Container Registry (ECR): Our scanner now supports Docker images from AWS Elastic Container Registry (ECR).
(SAST) New methods:

F004 Javascript Arbitrary Command Injection
F004 Typescript Arbitrary Command Injection
Java CSFRHandler Hardcoded Password
F183 Java Debug Mode Enabled
F359 Java Hardcoded Password in SetPassword
F359 Java Key Manager Factory Hardcoded Password
F359 Java PBEKeySpec Kerberos Hardcoded Secret
F359 Java KeyStore Hardcoded Password
F390 Javascript Prototype Pollution
F390 Typescript Prototype Pollution

(Reachability) New method:

Python CVE-2020-28975

Release 4

(ASPM) Modified the maximum days limit for which a vulnerability can be temporarily accepted: The limit was 90 days, which was modified to 999 days.
(ASPM) From "Inherited" to "Packages" and from "Injected" to "Vulnerabilities": Updated some of the platform's section names to improve clarity.
(ASPM) Feedback modal for incomplete information to generate report: A new modal was implemented to inform users, when requesting reports, that they need to provide group information in the Scope section to generate the report.
(SAST) New methods:

F002 Python Asymmetric Denial of Service
F004 Typescript Arbitrary Command Injection
F004 Javascript Arbitrary Command Injection
F006 Java SAML Ignore Comments
F016 Terraform Redis cache insecure port is enabled
F096 Java RPC Enabled Extensions
F101 Terraform Azure Postgres DB log retention days is set to less than 3 days
F350 Java Ignore SSL Certificate Errors

Release 3

(ASPM) Added Type column in Packages: A new column was added to the Dependency Detail table to identify whether a dependency is direct or indirect.
(ASPM) Added Environment column in Packages: A new column was added to the Dependency Detail table to identify when a dependency is used in the development ('Build') or production ('Run') stages.

Release 2

(SAST) New method:

F149 Java Insecure SMTP SSL

Release 1

(ASPM) Improved mutation to add CSPM environments: Previously, adding an environment to a Git root (APK, URL, or CSPM) was handled using the same mutation, which could lead to inconsistencies. A new mutation was created to handle adding CSPM environments specifically, making the process more precise and less prone to errors.
(SAST) New methods:

F130 Java Cookie Serializer Secure
F344 Java Wicket String Escaping
F159 Java Dangerous Permission

(SLA) Enhanced accuracy SLA: We now offer 90%+ F2 score involving risk exposure and 90%+ F0.5 score involving number of vulnerabilities.

2024

December

Release 52

(SAST) New methods:

F359 Java MongoDB Hardcoded Secret
F359 Java MySQL Hardcoded Secret
F359 Java OkHttp Hardcoded Secret

Release 51

(SCA) Malware packages tagged: Packages in Supply chain with detected malware are tagged.
(SCA) Split environment dependencies: Identify whether dependencies are related with production or development environments.
(SCA) SBOM export: Include Docker packages in SBOM export file.
(ASPM) Environments migration: Migration modal has the option to lookup required root.
(ASPM) Rename: change 'Vulnerabilities' to 'Injected' and 'Supply chain' to 'Inherited' for added clarity.

Release 50

(Integrations) Jira Security module: All the vulnerabilities are presented in the Security feature of Jira.
(SAST) New Methods:

F332 Java Unsafe TLS Renegotiation.
F151 Java Telnet Request.
F372 Java Insecure HTTP Open Connection.
F007 Java CSRF Unrestricted Request Mapping.
F372 Java Insecure HTTP Request.
F372 Java Insecure HTTP Components.

(ASPM) Component improvements: Ghost buttons, section header, and tabs.
(SCA) Docker packages in SBOM: Docker packages are included in SBOM file.
(ASPM) Zero risk column: An indicator of requested ZR is available in the Locations table.
(ASPM) Scope table: Show what Roots and Environments has active events.

Release 49

(ASPM) Improved table exports names: Exported CSV files now have meaningful names, including organization or group name and timestamp.
(ASPM) Country is deprecated: Country field is not required anymore to create an organization.
(SAST) New Java SAST methods:

F016 Java Unsafe SSL/TLS Protocol.
F148 Java Insecure FTP Client.
F372 Java Insecure Spring HTTP Request.
F007 Java Insecure FTP Session Factory.

November

Release 48

(ASPM) Centralized report download: Access all your downloadable files through the new Downloads button in the platform header. This includes executive and technical vulnerability reports, with plans to add SBOMs and other resources soon. Track download progress and redownload files effortlessly.
(ASPM) Improved CSV repos import: Add connection method and priority in the CSV file and get an example CSV file. Improved error messages.
(ASPM) Custom priority: Use reachability attribute as a priorization criterion.
(Reachability) New methods:

CSharp CVE-2021-43045

(SAST) New methods:

Java insecure channel.
Java null cipher.
Python hc aes key.
Java anonymous ldap bind.

Release 47

(ASPM/CSPM) Status validation for cloud environments: A new Status column in the Environments table shows open events for AWS, Azure, or GCP environments, helping you address misconfigurations promptly.
(ASPM/SBOM) Updated labels for vulnerable components: The label 'Issues identified' in Supply chain has been updated to 'Vulnerable' to clarify the presence of security risks. vulnerabilities will display the 'Reachable' label.
(SAST) New methods:

Java unsafe default http client.

Release 46

(SBOM/SAST) Reachability analysis: A feature is available that examines direct dependencies in the Supply chain section to identify exploitable vulnerabilities. This helps prioritize remediation efforts for dependency issues.
(ASPM) Custom vulnerability prioritization: Use the Priority feature in the Policies section to rank vulnerabilities by impact, exploitability, and more, tailored to your organization's needs.
(ASPM) Enhanced event reporting: Events now specify affected environments and feature improved root and environment tables for better prioritization.
(CSPM) New methods:

AWS Document DB Cluster TLS Disabled.
AWS EKS Unrestricted CIDR.
AWS DAX Cluster Without Encryption at Rest.
AWS Unencrypted ECR Repository.
AWS RDS Unencrypted DB Cluster Snapshot.
AWS RDS Unencrypted DB Snapshot.
AWS ALB Does Not Drop Invalid Header Fields.
AWS Public Accessible DMS Replication.
AWS CloudFront Distribution Viewer Policy Allows HTTP.
AWS ALB HTTP Not Redirected to HTTPS.
AWS Document DB Without Audit Logs.
AWS RDS DB Cluster Logs Disabled.
AWS RDS DB Instance Logs Disabled.
AWS Global Accelerator Flow Logs Disabled.
AWS Neptune DB Instance Logs Disabled.
AWS MSK Cluster Logging Disabled.
AWS Workspaces Has Volume Encryption Disabled.
AWS Route53 Transfer Lock Disabled.
AWS SageMaker Training Job Intercontainer Encryption.
AWS SageMaker Notebook Instance Encryption.
AWS Athena Workgroup Query Results Not Encrypted.

(SAST) New methods:

Python flask log injection.
JS express SSRF.
TS express SSRF.
Python insecure redirect.
Python aws hardcoded credentials.
CSharp sql conn hardcoded secret.
CSharp insecure x509 cert 2.
CSharp hardcoded credentials.
Python flask hardcoded secret key.

(Reachability) New methods:

Java CVE-2021-37573

Release 45

(SCA) Docker image scanning: Scan Docker images from any standard registry, generating detailed SBOMs with associated security issues in the Supply chain section.
(ASPM) Vulnerability closing reasons: View detailed reasons for closed vulnerabilities in the Tracking and Analytics sections.
(ASPM) Expanded permissions for Events tab: User Managers and Vulnerability Managers now have access to the Events tab in the To do section, providing a comprehensive view of issues when managing multiple groups.
(ASPM) Automatic filename formatting: Upon file upload, filename is formatted to avoid issues and vulnerabilities in the platform.
(SAST) New methods:

CSharp insecure fspickler des.
CSharp dir entry hardcoded secret.

October

Release 44

(SCA) Improved SBOMs: CycloneDX and SPDX SBOM exports now include component details like location, latest version, and associated security issues.
(ASPM) New webhooks: Notifications added for closed events and vulnerabilities within groups.
(ASPM) From MPT to PTaaS: Former 'MPT' technique is clarified and changed to 'PTaaS'.
(ASPM) Event tab in To do: Granted Events tab access for additional roles: User Managers and Vulnerability Managers.
(Reachability) New methods:

(SAST) New methods:

JS weak ssl tls protocol.
TS weak ssl tls protocol.
PHP insecure content policy.
CSharp weak rsa encrypt padding.
CSharp http listener wildcard.
Java spring concurrent sessions.
PHP insecure referrer policy.
CSharp insecure fastJSon des.
CSharp memory marshal create span.
JS express insec httponly.
TS express insec httponly.
JS express cookie secure.
TS express cookie secure.
Python django insecure cors.
Python fastapi insecure cors.
Python flask insecure cors.
JS express debug mode enabled.
Python django debug mode enabled.
Python fastapi starlette debug on.
Python flask debug mode enabled.
TS express debug mode enabled.
CSharp stacktrace disclosure.
CSharp insecure ecb mode.
Python django sql injection.
Java hardcoded jwt secret.
JS expressJS hardcoded sess secret.
JS hardcoded jwt secret.
Python django hardcoded creds.
TS express hardcoded sess secret.
TS hardcoded jwt secret.
CSharp hardcoded init vector.

Release 43

(ASPM) Supply chain section: Separated affected and unaffected third-party dependencies from the Vulnerabilities section for easier prioritization. Users can filter components by repository under evaluation.
(ASPM) Temporary acceptance: Selected dates must comply with the established policies.
(ASPM) New events in webhooks: Events and vulnerabilities closed added to webhooks.
(CSPM) New methods:

AWS RDS Instance TLS Disabled.
AWS RDS Cluster TLS Disabled.
AWS OpenSearch Domain Insecure TLS Version.
AWS MSK Client Broker TLS Disabled.
AWS MSK Broker Broker TLS Disabled.
AWS Unrestricted Access to MSK Brokers.
AWS ECR Repository Exposed.
AWS OpenSearch Domain Exposed.
AWS RDS Instance Backup Retention Period.
AWS RDS Cluster Backup Retention Period.
AWS ElastiCache Replication Group WO Auto Backups.
AWS ElastiCache Replication Backup Retention Period.
RDS Unrestricted Cluster Groups.
Backup Vault Policy Allow Delete Recovery Points.
AWS Bedrock Guardrails No Sensitive Info Filter.
AWS Event Bridge Default Event Bus Exposed.
AWS Lambda URL Without Authentication.
AWS Lambda Function Exposed.
AWS Comprehend Analysis Without Encryption.
AWS EBS Public Snapshot.
AWS EKS Unencrypted Secrets.
AWS EMR Has Not Config.
AWS OpenSearch Without Encryption at Rest.
AWS OpenSearch Domain Node to Node Encryption.
AWS Glue Catalog Without Encryption at Rest.
AWS Kinesis Stream Without Encryption at Rest.
AWS MQ Broker Publicly Accessible.
AWS MSK Cluster Is Publicly Accessible.
AWS Neptune DB Instance Without Encryption at Rest.
AWS CloudFront Traffic Allows HTTP.
AWS OpenSearch Domain Allows HTTP.
AWS CloudFront Is Not Protected With WAF.
AWS Cloud Trail Delivery Failing.
AWS Config Referencing Missing S3 Bucket.
AWS EKS Cluster Logging Disabled.
AWS Beanstalk Persistent Logs.
AWS OpenSearch Without Audit Logs.
AWS MQ Broker Logs Disabled.
AWS Route53 DNS Query Logging Disabled.

(Reachability) New methods:

(SAST) New methods:

Apk unprotected exported receivers.
Apk unprotected exported services.
Docker insecure context directory.

Release 42

(ASPM) Transition to CVSS v4.0: CVSS v4.0 is now the default for Analytics data. A toggle is available for viewing data in CVSS v3.1.
(ASPM) Prevent file deletion: Restrictions prevent deleting application files linked to environments to maintain manageability.
(Reachability) New methods:

(SAST) New methods:

CSharp CSRF

Release 41

(IDE) IntelliJ IDEA extension: Developers can now identify reported vulnerabilities within IntelliJ IDEA, similar to existing support for VS Code.
(ASPM) Improved unauthorized access message: Improved message, as users do not necessarily need to contact their administrator to access the platform.
(ASPM) Repositories deactivation: Included vulnerabilities of all techniques in repository deactivation notifications.
(Reachability) New methods:

September

Release 40

(ASPM) Branch and URL management: Update branches or URLs for repositories without losing existing findings, ensuring consistent reporting.
(ASPM) Vulnerabilities table: Added option to filter vulnerabilities by technique.
(Reachability) New methods:

Release 39

(IDE) Custom fix and Autofix: Fluid Attacks' GenAI-based vulnerability remediation now supports all languages scanned by the SAST tool.
(Reachability) New methods:

(SAST) New methods:

Docker debugging enabled

Release 38

(ASPM) Mailmap management: Manage developer data directly within the platform to avoid billing issues
(ASPM) Free trial restrictions: Users from existing client organizations can no longer initiate free trials to prevent confusion with reports.
(Reachability) New methods:

Python CVE-2024-39303

(SAST) New methods:

Improper certificate validation default

Release 37

(ASPM) Mobile environment updates: Update mobile environments without losing dynamic findings from previous files, provided consistency validations are met.
(ASPM) Branch in technical report: Included repository branch names in technical reports.
(Reachability) New methods:

(SAST) New methods:

TS express insecure rate limit.
JS sql injection in sequelize.
TS sql injection in sequelize.
Docker hardcoded credentials.
Docker downgrade protocol.

August

Release 36

(ASPM) Free trial unavailable for clients: Un free trial for current clients, preventing new groups and organizations creation.
(ASPM) Custom fix from the platform: Generate a custom fix inside platform.
(ASPM) Enhanced reattack requests for multiple vulnerabilities: Improved the vulnerabilities verification request flow. This also includes some UX improvements.
(ASPM) Closing reasons: The reason why a vulnerability was closed is specified.
(ASPM) Show relevant files for mobile environments: Hid files not related to mobile type ones from dropdown list on Add environment screen.
(ASPM) Total types in Analytics: Enhanced information on total types of vulnerabilities in Analytics.
(ASPM) Onboarding notifications: Updated free trial enrollment and abandonment emails.
(ASPM) Mailmap management: Granted mailmap editing role to Customer Managers and view role to User Managers.
(SAST) New methods:

TS XSS pug from file precompiled.

Release 35

(CSPM) New methods:

AWS API Gateway Insecure TLS Version.
AWS ACM Certificate Expired.
AWS API Gateway Cache Encryption Disabled.
AWS App Mesh Virtual Gateway TLS Disabled.
AWS App Mesh Virtual Gateway Access Logging Disabled.

(SAST) New methods:

Java insecure cors web view.
Java declare insecure trust manager.
Java insecure biometric auth.
TS sequelize injection.
JS jwt secret insecure source.
TS jwt secret insecure source.
Docker weak ssl TLS.
Docker insecure builder sandbox.
Docker insecure cleartext protocol.
Docker weak hash algorithm.
Docker insecure network host.

Release 34

(ASPM) First-letter search in dropdowns: Filter the available options of dropdown menus by typing the first letters of the name or identifier of the desired item.
(ASPM) Branch and URL change: Implemented branch and URL change in roots for specific cases.
(ASPM) Improved root moving notifications: Accurate messages to group members when roots are moved.
(ASPM) Enhanced mailmap management: Multiple enhancements to the mailmap to prevent errors and improve alias management.
(SAST) New methods:

TS XSS pug from file.
TS unvalidated xml parsed in vm.
TS file unauthorized access.
CSharp XXE resolver.
CSharp insecure cbc iv.
Docker sensitive mount.
Curl insecure certificates.

Release 33

(ASPM) Compliance CSV export: New CSV report that shows the relationship between the unmet security requirement and the location where the non-compliance is occurring.
(SAST) New methods:

Android apk keyboard cache exposure.
TS NoSql injection ternary.
JS NoSql injection ternary.
CSharp technical info leak.
CSharp token validation checks.
CSharp code injection.

Release 32

(CSPM) New methods:

Azure app service mutual TLS is disabled.

July

Release 31

(ASPM/SAST) Reattacking a machine vulnerability: Remove justification to request reattacks for automatic reported vulnerabilities.
(ASPM) Group consulting: Feature is deprecated.
(ASPM) Mobile environments: Preserve vulnerabilities for mobile apps, improving related environment(file) update.
(ASPM) Compliance report notifications: An alert is shown when the user doesnt have a mobile number registered.
(ASPM) SSH root cloning: Port configuration is required for non standart ports.
(ASPM) Mailmap import: Add bulk import feature to mailmap.
(SAST) New methods:

CSharp insec direct write.

Release 30

(ASPM) CVSS migration: Transition entirely to version 4.
(ASPM) AWS Marketplace: Enable integration in the AWS Marketplace.
(CSPM) New methods:

AWS S3 Log delivery write access.
AWS EC2 Instance has multiple network interfaces.

(SAST) New methods:

JS/TS cookie service sensitive info.
CSharp log injection.
CSharp insecure elliptic curve.
PHP insecure elliptic curve.

Release 29

(ASPM) CVSS Update: Transition from CVSS 3.1 to version 4 in policies.
(ASPM) Root removal option: Allow users to remove a new root without returning to the previous step.
(ASPM) Exposure column: Include "Exposure" in the Technical Report.
(ASPM) Branch flexibility: Allow the same repository with a different branch in a group if one is deactivated.
(CSPM) New methods:

AWS EC2 Instance using IMDS V1.

(SAST) New methods:

PHP discloses server version.
PHP insecure expiration time.
PHP server leaks errors.
PHP http only disabled.

Release 28

(ASPM) Access granted: Include the granted role in the notification.
(CSPM) New methods:

Azure SQL DB Transparent Encryption Is Disabled.
Azure VM Scale Set Does Not Have Zonal Redundancy.

(SAST) New methods:

TF K8s Host IPC Enabled.
TF K8s Host Network Enabled.
TF K8s HostPID Enabled.
TF K8s Host Path Volumes.

(DAST) New methods:

X permitted cross domain policies.

Release 27

(ASPM) Webhooks: Relocate to the Integrations Hub.
(ASPM) New ASPM: Launch the platform's new design for external users.
(SAST) New methods:

TF K8s Container Without Context.
TF K8s Host Process Enabled.

(DAST) New methods:

Unsafe http xframe options.
CDN vulnerable element.
Access control any origin.
HTTP error in response.

June

Release 26

(ASPM) Token management: Use SecretStorage to securely store tokens.
(CSPM) New methods:

Azure DB PSQL Flex Server Insecure TLS Version.
Azure Redis Cache Allows Connections Without SSL.
Azure DB PSQL Flex Server Firewall Allows Public Access.
Azure DB PSQL Flex Server Connection Throttling Disabled.

(SAST) New methods:

TF K8s Check Run as User.
TF K8s Check Privileged Used.
TF K8s Check If Sys Admin Exists.
JS hardcoded key hmac.
TS hardcoded key hmac.
TF K8s host network enabled.
TF K8s hostpid enabled.
TF K8s host process enabled.
TF K8s host path volumes.
PHP insecure ssl tls stream.
PHP sensitive http sent.
CSharp http only cookie.

Release 25

(SAST) New methods:

TF K8s Check Add Capability.
TF K8s Root Filesystem Read Only.
TF K8s Check Seccomp Profile.
TF K8s Check Drop Capability.
TF K8s Check If Capability Exists.
TF K8s SA Token Enabled.
TF K8s SA Token Enabled.
TF K8s Image Has Digest.
TS nosql injection.
JS nosql injection.
PHP insecure SSL TLS HTTP.

Release 24

(ASPM) Migrate authors: Authors data is available in the platform.
(ASPM) GitLab integration: Implement integration with GitLab.
(ASPM) Azure DevOps integration: Implement integration with Azure DevOps.
(CSPM) New methods:

Azure API Mgmt Uses the Triple DES Cipher Algorithm.
Azure MongoDB NSG Allows Unrestricted Access.
Azure MS SQL Server NSG Allows Unrestricted Access.
Azure MySQL NSG Allows Unrestricted Access.
Azure NetBIOS NSG Allows Unrestricted Access.
Azure Oracle Database NSG Allows Unrestricted Access.
Azure PostgreSQL DB NSG Allows Unrestricted Access.
Azure VMs NSG Allows Unrestricted Access.
Azure RPC NSG Allows Unrestricted Access.
Azure SMTP NSG Allows Unrestricted Access.
Azure SSH NSG Allows Unrestricted Access.
Azure UDP Ports NSG Allows Unrestricted Access.

(SAST) New methods:

TF K8s Allow Privilege Escalation Enabled.
TF K8s Root Container.
TF Kubernetes Insecure Port.

(SCA) New methods:

Poetry toml deps.

(DAST) New methods:

SSL certificate expired.
SSL self signed certificate.
SSL wrong cn.
SSL wildcard certificate.

Release 23

(ASPM) Vulnerability remediation: Create a comprehensive guide for the remediation of vulnerabilities.
(ASPM) Token workflow: Update the process for creating and renewing DevSecOps tokens.
(CSPM) New methods:

Azure API Mgmt SVC Does Not Use a Managed Identity.
Azure Key Vault Admin Permissions on Keys.
Azure Search Service Public Network Access Is Enabled.

(SAST) New methods:

PHP insecure mcrypt.
PHP insecure openssl.

May

Release 22

(ASPM) Safe vulnerabilities tracking: Enable tracking for safe vulnerabilities and specify the cause of their closure.
(ASPM) VM permissions: Modify permissions assigned to vulnerability managers related to roots management.
(AGENT) Specific path argument: Add an argument to define and analyze specific paths within a repository.
(CSPM) New methods:

Azure DB PSQL Flexible Server SSL Disabled.
Azure Data Lake Allows Access from Any Source.
Azure Synapse Firewall Allows Public Access.
Azure Cosmos DB Public Network Access Is Enabled.
Azure DataFactory Public Network Access Is Enabled.
Azure API Mgmt SVC Public Network Access Is Enabled.
Azure Key Vault Public Network Access Is Enabled.

(SAST) New methods:

C sharp sql injection request.
PHP XML parser.

Release 21

(ASPM) Table sorting: Enable sorting options for items listed in the Jira table.
(ASPM) Credentials table usage info: Indicate which credentials are currently in use within the credentials table.
(SAST) New methods:

PHP generates insecure token.
PHP uses sha1 in query.

Release 20

(ASPM) WhatsApp OTP: Enable OTP delivery via WhatsApp when users add or update their mobile number.
(CSPM) New methods:

Azure API Mgmt Front Insecure TLS Version.
Azure Subscription Does Not Have a Locking Resource Manager.
Azure App Service HTTP2 Is Disabled.
Azure Subscription Has at Least Two Owners.
Azure Search Service Does Not Use a Managed Identity.
Azure Search Service Insufficient Replicas Configured.
Azure Search Service Has Insufficient Replicas Configured.

(SAST) New methods:

APK task hijacking.
APK clear text traffic.
PHP sql leak errors.
PHP insecure file upload.
PHP unsafe path traversal.
PHP excessive access mode.
PHP technical info leak.
PHP weak random.
PHP insecure deserialization.

(DAST) New methods:

Cont sec pol frame ancestors.
Cont sec pol wild uri.
Cont sec pol missing obj.
Cont sec pol missing script.
Cont sec pol unsafe line.
Cont sec pol hosts jsonp.
Missing referrer policy.
Strict transport low max age.
Strict transport include subdomains.
X content type options nosniff.

Release 19

(ASPM) Expanded export columns: Add new columns to the DevSecOps view table and include them in the related CSV export.
(ASPM) Nickname edition: Allow customers to edit the nicknames of Git roots.
(ASPM) Vulnerability filters: Add filters to the API for sorting and categorizing vulnerabilities.
(ASPM) Grouped vulnerabilities: Show summary of vulns grouped by technique on result log
(CSPM) New methods:

Azure Dev Portal Has Auth Methods Inactive.

(SAST) New methods:

JS hardcoded credentials in test.
TS hardcoded credentials in test.

April

Release 18

(SAST) CLI using parameters: Allow execution of the CLI using configurable parameters.
(SAST) New methods:

JS command injection serialize.
JS exposed private key.
TS exposed private key.
JS sensitive info in endpoint.
TS sensitive info in endpoint.
TS xml parser inside context.
PHP unsafe xss content.

Release 17

(ASPM/AGENT) Execution details: Include the final status indicating if the build was broken in the Execution details.
(ASPM) Secrets management: Allow permissions to be granted to other users for managing secrets in environment URLs.
(ASPM) Tables management: Add a marker to inform users when some columns are hidden.
(ASPM) Environments management: Automatically close vulnerabilities when the associated environment is deleted.
(CSPM) New methods:

Azure DB for MySQL Flex Servers Insecure TLS Version.
Azure Role-Based Access Control on Key Vault Is Not Enabled.
Azure Function App with Admin Privileges.
Azure Role Actions Is a Wildcard.
Azure App Service Allows HTTP Traffic.
Azure API Not Enforce HTTPS.
AZ Subscription Not Allowed Resource Types Policy.
Azure App Service Does Not Use a Managed Identity.
Azure Function App Logging Is Disabled.
Azure Keys Expiration Date Is Not Enabled.
Azure Secret Expiration Date Is Not Enabled.
Azure App Service Always On Is Not Enabled.
Azure Batch Jobs Runs in Admin Mode.
Azure Function App Use Not Host Keys.
Azure Publicly Exposed Funct App.

(SAST) New methods:

TS express accepts any mime.
JS express accepts any mime.
JS insecure cors origin.
TS insecure cors origin.
Github actions without hash.

Release 16

(ASPM) Warning message: Display a warning message indicating the existence of environments associated with a root when it is deactivated.
(CSPM) New methods:

Azure db mysql firewall allows public access.
Azure db mysql ssl disabled.
Storage lifecycle is not defined.
Azure db sql insecure audit retention period.
Azure db sql extended audit disabled.
Azure db sql firewall allows public access.

(SAST) New methods:

PHP hardcoded init vector.
PHP harcoded password.
PHP insecure hash.
TS local file inclusion.
TS open redirect.
JS hardcoded password.
TS hardcoded password.
TS sensitive info in params.

Release 15

(IDE) Jira integration: Enable access to all vulnerability information directly within the IDE.
(ASPM) Require OTP for login: Implement a security measure to reduce associated risks.
(ASPM) Delete group: Send an email notification when a group is deleted.
(CSPM) New methods:

Azure db postgresql connection throttling disabled.
Azure db postgresql ssl disabled.
Azure db postgresql insecure tls version.
Azure db postgresql log settings disabled.
Azure db postgresql log checkpoints disabled.
Azure db postgresql firewall allows public access.
Azure db postgresql insecure log retention.

(SAST) New methods:

Html uses innerhtml.
JS file size limit missing.
TS file size limit missing.
JS directory listing.
TS directory listing.
JS error handler enabled.
TS error handler enabled.

Release 14

(ASPM) Simplify free trial: Reduce the steps required to start a free trial.
(ASPM) Notifications subjects: Update notification subjects for improved clarity.
(ASPM) Group created notifications: Add notifications to keep users updated on group creation events.
(SCA) SCA reports in lock files: Publish SBOMs for Fluid Attacks components.
(SCA) Fluid Attacks SBOMs: Publish SBOMs for Fluid Attacks components.
(CSPM) New methods:

Azure vm encryption at host disabled.
Azure aks has rbac disabled.

(SAST) New methods:

PHP insecure encrypt AES.
PHP remote command execution.
PHP has empty catch.

March

Release 13

(ASPM/AGENT) Technical debt policy: Implement a grace period before the agent breaks the build due to new vulnerabilities.
(SAST) Analyze PHP code: Add support for analyzing PHP code with the scanner.
(CSPM) New methods:

Azure aks api server allows public access.
Azure aks has kubenet network plugin.
Azure storage not enabled infrastructure encryption.

(SAST) New methods:

PHP basic authentication.

(SCA) New methods:

Gradle wrapper properties.
CycloneDX JSON deps.
SPDX JSON deps.

Release 12

(SCA) Standard format: Ensure compliance with Fluid SBOM format requirements.
(ASPM) Approve ZR: Address misuse of ZR requests by customers attempting to bypass build failures.
(CSPM) New methods:

Azure aks has enable local accounts.
Azure aks is not using latest version.
Azure container registry is not using replication.

(SAST) New methods:

PHP info leak errors.
Java insecure engine cipher ssl.
Docker compose ssh pass.

(SCA) New methods:

Gemfile missing package lock.
Erlang missing package lock.
Cargo missing package lock.
Conan missing package lock.
Pipfile missing package lock.
Composer missing package lock.
Nuget missing package lock.

Release 11

(ASPM) Plans' names: Update and standardize the names of plans.
(ASPM) Videos on evidences: Add an additional field to upload video file evidence into findings.
(ASPM) Connector notifications: Send email alerts when a secure connector goes offline.
(ASPM) Environment secrets: Add an indicator to show the existence of secrets on the Environment URL.
(SCA) Lock files: Add support for lock files.
(SCA) Gradle wrapper: Enable SCA support for gradle-wrapper.properties.
(CSPM) New methods:

Azure blob soft deleted disabled.
Azure network app gateway waf is disabled.
Azure network watcher not enabled.
Azure network flow log insecure retention period.
Azure network group using port ranges.
Azure firewall network rules unrestricted.
Azure network firewall app rules unrestricted.
Azure container registry admin user enabled.
Azure network out of date owasp rules.
Azure insecure TLS version.
Azure allows FTP deployments.
Azure key vault soft delete retention.
Azure remote debugging enabled.
Azure authentication is not enabled.

(SAST) New methods:

PHP insecure cors.
DB credentials exposed in code.
Java credentials exposed in code.
Swift credentials exposed in code.
Python credentials exposed in code.

(SCA) New methods:

Nuget pkgs lock json.

Release 10

(ASPM) Org/group policy: Update policy to address temporary acceptance of vulnerabilities based on CVSS scores.
(ASPM) Vulnerabilities evidences: Increase the allowable size limit for supporting evidence submissions.
(ASPM) Events alert: Implement a color-coded circle indicator to flag groups with pending events.
(SCA) Vulnerabilities prioritization: Integrate EPSS scoring into SCA advisories and vulnerability assessments.
(CSPM) New methods:

TF allows priv escalation by policies versions.
Azure network ftp ingress not restricted.
Azure network dns ingress not restricted.
Azure network cifs ingress not restricted.
Azure network rdp ingress not restricted.
Azure network ssh ingress not restricted.
Azure network group allows public access.
Azure network telnet ingress not restricted.
Azure network icmp ingress not restricted.
Azure network https ingress not restricted.
Azure network http ingress not restricted.
Azure disabled accidental purge.

(SAST) New methods:

PHP uses eval.

(SCA) New methods:

Pipfile lock.
Pipfile deps.

February

Release 9

(ASPM) Exclusions as Code: Enable EaC functionality for all SKIMS modules.
(ASPM) Organization analytics: Ensure downloaded CSV files from Analytics graphics include complete and relevant information for all groups within the organization.
(ASPM) Secrets modal: Replace the dropdown for "Secret Description" with a dedicated column inside the Secrets modal.
(ASPM) Reattacks overhaul: Implement checks to prevent reattack reviews on outdated locations or files.
(ASPM) Notifications: Update notification wording regarding resolved vulnerabilities for improved clarity
(SAST) Multi-file scanning: for SAST methods.
(CSPM) New methods:

Azure storage account not enforcing latest tls.
Azure storage account allows public network access.
Azure redis public network access enabled.
Azure redis authnotrequired enable.
Azure redis insecure tls version.
Azure redis insecure port.
Azure storage account microsoft bypass.
Azure containers soft deleted disabled.
Azure redis firewall allows public access.

Release 8

(ASPM) Closing date filter: Allow users to define a date range for closing dates when generating custom technical reports for groups.
(ASPM) Root nickname: Display the root nickname associated with a vulnerability.
(CSPM) New methods:

Azure blob containers are public.
Azure storage account allows public blobs.

Release 7

(ASPM) Webhooks: Enable integration with any application that supports the webhook standard.
(ASPM) Move roots in batch: Allow batch moving of roots to keep the ToE updated and organized.

Release 6

(ASPM) Vulnerabilities report: Ensure the vulnerabilities report is available 24/7.
(ASPM) AWS authentication for CodeCommit: Enable cloning of CodeCommit repositories using IAM credentials.
(ASPM) Import repositories: Allow importing multiple repositories into the platform using a CSV file.
(SAST/DAST/CSPM) Initialization time: Optimize CLI executions for improved speed.

January

Release 5

(IDE) Automatic extension restart: Automatically apply new changes without manual restarts.
(CSPM) GCP and Azure regions on CSPM module: Extend CSPM coverage to include more regions in GCP and Azure.
(ASPM) Display a cancel button when editing: Improve user experience by adding a cancel button when editing.
(ASPM) Organization column: Add an "Organization" column in the To Do and Events sections, including its export in the CSV file.
(CSPM) New methods:

Azure vm SSH key authentication.

Release 4

(ASPM) New support platform: Implement a seamless process for customer support.
(ASPM) Checkly and Statuspage integration: Provide more detailed information about Fluid Attacks service status.
(ASPM) Requirements descriptions: Add comprehensive descriptions for all requirements.

(ASPM) Improve Pop-ups: Display emergent messages for adding new API tokens and mobile numbers.
(CSPM) New methods:

AWS report inspector lambda vulns.

Release 3

(ASPM) Implement new status page: Implement a live status page to monitor service availability.
(ASPM) Describe Help process: Describe and explain the support process in the documentation.
(ASPM) Update OWASP MASVS: Update to the latest OWASP MASVS standard version.
(ASPM) Add new standard compliance FISMA: Add FISMA as a new standard in the compliance documentation.
(ASPM) Replace field in events: Replace the "Client" field with "Root" (nickname) in Events.
(ASPM) Last requested reattack in technical reports: Display the last requested reattack date for each location in technical reports.
(ASPM) Sbom linking lines to vulnerabilities: Provide direct links to vulnerabilities for more detailed information.
(ASPM) Exposure management over time (%): Add more decimal precision for improved understanding of percentages over time.
(CSPM) New methods:

AWS report inspector vulns.
AWS report inspector ecr vulns.

Release 2

(CSPM) Reducing F325 wildcards FP: Improve detection methods to reduce false positives for F325 wildcards.
(CSPM) AWS region in CSPM module: Run CSPM checks across all AWS regions.
(ASPM) Upgrade prices: Update and display the latest service prices on the platform.
(ASPM) Display secure connector logs: Make secure connector logs available for viewing on the platform.
(ASPM/SAST/DAST) Egress support: Add more connection methods to clone repositories and access environments.

Release 1

(ASPM) Add links to breadcrumbs: Add links to breadcrumbs for easier navigation within the documentation

2023

December

Release 52

(SCA) Improved clarity of the Skims SCA output logs, including CVE details and safer versions.
(SCA) Integrated OSV vulnerability database as a new source for SCA.

Release 51

(CSPM) Updated CSPM configuration to comply with AWS cross-account role requirements.

Release 50

(ASPM) Improved snippet processing for reports.
(CSPM) New methods:
1. AWS rds cluster not inside a db subnet group
2. AWS rds has public cluster

Release 49

No features were delivered during this iteration.

November

Release 48

No features were delivered during this iteration.

Release 47

No features were delivered during this iteration.

Release 46

(SCA) New method:
1. Npm missing package lock

Release 45

(SAST) New method:
1. Java accepts any mimetype obj

October

Release 44

(SCA) SCA support was expanded to report malware cases.
(SAST) New method:
1. Go insecure query

Release 43

Implemented exclusion of vulnerabilities for Skims using NOFLUID directives.

Release 42

(CSPM) New method:
1. AWS ec2 has modify attribute

Release 41

(SCA) Added SCA support for .NET exe.config files.
(ASPM) Improved Skims usability by allowing execution without mandatory configuration.
(SCA) New method:
1. Net framework config
(SAST) New methods:
1. Cfn s3 buckets allow unauthorized public access
2. Tfm public buckets acl
3. Tfm s3 buckets allow unauthorized public access

September

Release 40

(ASPM) Updated Boto3 for AWS CSPM module in Skims.
(ASPM) Introduced handling for disputed SCA advisories in Skims.

Release 39

(ASPM) Ensured Skims compliance with SARIF 2.1 format.
(ASPM) Optimized CSPM module processing of ARN, URI, and ID values.
(SAST) New methods:
1. Cs stored password
2. Swift hc secret jwt

Release 38

(CSPM) New methods:
1. AWS cloudtrail not logging
2. Azure storage account not enforcing latest tls
3. Azure storage account not enforcing https
4. Azure storage account geo replication disabled
5. Azure storage account allows public traffic
(DAST) New methods:
1. Http x backend server header leaked
2. Http x aspnet mvc version header leaked
3. Http x aspnet version header leaked
4. Http permissions policy header not present
(SAST) New method:
1. Dotnetconfig asp version enabled

Release 37

(CSPM) New methods:
1. AWS s3 private buckets not blocking public acls
2. Gcp storage object versioning is not enabled
3. Gcp storage uniform bucket level access is disabled
4. Gcp storage retention policy is not configured
5. Gcp storage logging is not enabled on storage bucket
6. AWS apigateway allows anonymous access
(DAST) New methods:
1. Http access control allow methods insecure
2. Http x powered by header leaked
(SAST) New methods:
1. Cs override auth modifier
2. Cs has public cache header

August

Release 36

(CSPM) Standardized cloud security checks across CloudFormation, Terraform, and DAST AWS methods.
(CSPM) Enhanced readability of CSPM DAST method reports.
(SAST) Optimized Skims by ignoring node_modules during scans of Node.js projects.
(CSPM) New methods:
1. AWS iam policies attached to users
2. AWS ec2 vpc without flowlog
3. AWS iam admin policy attached
4. AWS s3 public buckets
5. Azure blob containers are public
6. Gcp storage public buckets
7. AWS iam allows priv escalation by attach policy
8. AWS cloudfront insecure protocols
9. AWS ec2 anyone admin ports
10. AWS ec2 unrestricted cidrs
11. AWS ec2 unrestricted ip protocols
12. AWS ec2 sec groups rfc1918
13. AWS ec2 unrestricted dns access
14. AWS ec2 unrestricted ftp access
15. AWS ec2 open all ports to the public
16. AWS ec2 default all trafic
17. AWS ec2 insecure port range
18. AWS ec2 acl allow egress traffic
19. AWS ec2 acl allow all ingress traffic
20. AWS ec2 vpc endpoints exposed
21. AWS iam group with inline policy
22. AWS iam user with inline policy
23. AWS iam open passrole
24. AWS iam has permissive role policy
25. AWS iam full access ssm
26. AWS iam negative statement
27. AWS elb2 insecure security policy
28. AWS rds has public instances
29. AWS s3 bucket policy encryption disable
30. AWS rds not inside a db subnet group
31. AWS iam user with multiple access keys
32. AWS ec2 has default security groups in use
33. AWS ec2 default security group
34. AWS s3 acl public buckets
35. AWS iam permissive policy
36. AWS iam min password len unsafe
37. AWS cloudtrail is trail bucket logging disabled
(DAST) New methods:
1. Http server header leaked
2. Http x xss protection enabled
(SAST) New methods:
1. Dotnetconfig anon auth enabled
2. Kt hc secret alg instance
3. Tfm redshift has encryption disabled
4. Cfn redshift has encryption disabled
5. Go hardcoded symmetric key
(SCA) New methods:
1. Poetry lock deps
2. Maven gradle kts

Release 35

(SCA) Added support for Erlang and Swift package managers in Skims SCA.
(CSPM) Implemented a unified workflow for adding GCP accounts.
(SCA) Added SCA vulnerability reporting for dependencies in GitHub Actions YAML files.
(SCA) Introduced support for Rust's Cargo package manager in Skims.
(SAST) New methods:
1. Python insecure jwt key
2. Cfn sqs has encryption disabled
3. Tfm sqs has encryption disabled
4. Tfm sns has server side encryption disabled
5. Cfn sns has server side encryption disabled
6. Cs hardcoded symmetric key
(SCA) New methods:
1. Swift packages dev
2. Erlang mix deps dev
3. Github actions deps
4. Erlang mix lock deps
5. Erlang mix deps
6. Cargo toml deps dev

Release 34

(SCA) Added support for pnpm-lock.yaml in dependency analysis.
(SAST) New methods:
1. Cfn redshift has user activity log disabled
2. Tfm redshift has user activity log disabled
3. Tfm elasticache transit encryption disabled
4. Cfn elasticache transit encryption disabled
5. Tfm elasticache uses default port
6. Cfn aws elb listener on http
7. Cfn elasticache uses default port
8. Cfn redshift not requires ssl
9. Tfm redshift not requires ssl
10. Tfm redshift has public clusters
11. Cfn redshift has public clusters
12. Tfm aws elb listener on http
13. Tfm rds not uses iam authentication
14. Cfn rds not uses iam authentication
15. Tfm eks has endpoints publicly accessible
16. Cfn eks has endpoints publicly accessible
(SCA) New methods:
1. Cargo lock deps
2. Cargo toml deps
3. Html script dependencies
4. Pnpm package lock dev
5. Pnpm package lock

Release 33

(CSPM) Defined the foundational structure for GCP DAST checks.
(SAST) New methods:
1. Cfn redshift has audit logs disabled
2. Tfm redshift has audit logs disabled
3. Java jwt unsafe decode
4. Java jwt without proper sign
5. Tfm cognito has mfa disabled
6. Cfn cognito has mfa disabled
7. Cfn sqs is public
8. Python insecure cipher mode
9. Tfm sqs is public
10. Java hostname verification off
11. Java insecure cipher mode
12. Kt insecure cipher mode
13. JS regex injection
14. TS regex injection
15. Python regex injection
16. Cfn allows priv escalation by attach policy

Release 32

(SAST) New methods:
1. Cfn allows priv escalation by policies versions
2. Tfm allows priv escalation by policies versions
3. Tfm allows priv escalation by attach policy

July

Release 31

No features were delivered during this iteration.

Release 30

(SAST) New method:
1. Python exposed auth token

Release 29

(SAST) New methods:
1. Kubernetes uses http server
2. Kubernetes uses http
3. K8s check host pid
4. K8s check if sys admin exists
5. Python insecure authentication

Release 28

(SAST) New method:
1. K8s check if capability exists

Release 27

(SAST) New methods:
1. Cfn aws sec group using tcp
2. Tfm s3 versioning disabled
3. Tfm iam trust policy wildcard action

June

Release 26

(SCA) Added support for Conan.
(SAST) New methods:
1. Tfm iam policy apply to users
2. Cfn iam policy apply to users
3. Tfm iam permissions policy not resource
4. Tfm iam permissions policy not action
5. Tfm iam trust policy not principal
6. Tfm iam trust policy not action
7. Tfm policy server encryp disabled
8. Tfm rds pub accessible
9. Tfm api all http methods enabled
10. Cfn http methods enabled
11. Tfm http methods enabled
12. Cfn iam excessive role policy
(SCA) New methods:
1. Conan lock dev
2. Conan lock

Release 25

No features were delivered during this iteration.

Release 24

No features were delivered during this iteration.

Release 23

(ASPM) Implemented severity and CWE reporting at the location level.
(SCA) Added support for SCA in Go.

May

Release 22

No features were delivered during this iteration.

Release 21

(SAST) New method:
1. Tfm aws sec group using tcp

Release 20

No features were delivered during this iteration.

Release 19

(ASPM) Implemented exit codes in CLI to indicate vulnerability detection status.
(ASPM) Added CVSS 3.1 Exploit Code Maturity metric to vulnerability reports.
(ASPM) Started documentation for scanner (Skims) output to clarify results interpretation.

April

Release 18

No features were delivered during this iteration.

Release 17

(ASPM) Integrated documentation URLs in vulnerability reports for better understanding.
(ASPM) Updated standalone scanner configuration file syntax for better usability.

Release 16

(ASPM) Created official Skims documentation to explain usage as a SAST scanner.
(SAST) New method:
1. Xml header allow danger methods
(CSPM) New method:
1. AWS sns can anyone subscribe

Release 15

(CSPM) New methods:
1. AWS sns can anyone publish
2. AWS sqs is public
3. AWS sqs has encryption disabled
4. AWS sns has server side encryption disabled
(SAST) New methods:
1. Cfn server ssl disabled
2. Java insec sign algorithm
3. Python insec hash library
4. Kotlin accepts any mime type

Release 14

(SAST) Enhanced Dart's SAST flow to enable more sophisticated logic analysis.
(SAST) New methods:
1. Container disabled ssl
2. Go accepts any mime type
3. Java basic authentication
4. Cfn insecure certificate
(CSPM) New methods:
1. AWS elasticache rest encryption disabled
2. AWS elasticache transit encryption disabled

March

Release 13

(SAST) Enhanced infrastructure files analysis (HCL and YAML).
(CSPM) New methods:
1. AWS redshift not requires ssl
2. AWS redshift has audit logs disabled
3. AWS redshift has user activity log disabled
4. AWS redshift has encryption disabled
5. AWS elasticache uses default port
6. AWS dynamodb not del protec
(SAST) New methods:
1. Kotlin vuln regex
2. Dotnetconfig excessive auth privileges
3. Kt xml parser
4. Python accepts any mime
5. Python http only cookie
6. JS debugger enabled
7. TS debugger enabled
8. Python secure cookie

Release 12

(SAST) Extended secret detection to analyze more configuration files.
(SAST) New methods:
1. Kotlin secure cookie
2. Kt default http client deprecated
3. C sharp plain text keys
4. Cs insecure authentication
5. Kt remote command execution
6. Kt anonymous ldap
(CSPM) New methods:
1. AWS secrets has automatic rotation disabled
2. AWS redshift has public clusters

Release 11

(SAST) New methods:
1. Kotlin http only cookie
2. Tfm dynamo not del protec
3. Javascript accepts any mime default
4. Typescript accepts any mime default
5. Java secure cookie
6. Python unsafe certificate validation
7. Java http only cookie
8. Python unsafe ssl hostname
9. Kt insecure encription key
10. Javascript accepts any mime method
11. Typescript accepts any mime method
12. Kt insecure key pair gen
(CSPM) New methods:
1. AWS rds unrestricted db security groups
2. AWS rds not uses iam authentication
3. AWS rds has public snapshots

Release 10

(SAST) New methods:
1. Kt insecure parameter spec
2. Cfn dynamo not del protec
3. Kt insecure key gen
4. Kt insecure certificate validation
5. Kt insecure host verification
6. C sharp accepts any mimetype
7. Kt insecure init vector

February

Release 9

(SCA) Enhanced support for Pub (Dart) and Packagist (PHP) package managers.
(SAST) New methods:
1. Java accepts any mimetype chain
2. Python unsafe cipher
3. Java xml parser
4. Python regex dos
5. Python ldap conn auth
6. Java http req accepts any mimetype
7. Python unsafe temp file
8. Kt weak random
9. Python remote command execution
10. Swift insecure cryptor
11. Swift insecure cipher
(CSPM) New method:
1. AWS eks has endpoints publicly accessible

Release 8

(SAST) Added support for analyzing Python files in Skims.
(SAST) New methods:
1. Python io path traversal
2. Python session fixation
3. JS jwt insec sign algo async
4. TS jwt insec sign algo async
5. JS insec msg auth mechanism
6. TS insec msg auth mechanism
7. Cs cert validation disabled
8. Python ldap injection
9. Python deserialization injection
(CSPM) New methods:
1. AWS elbv2 insecure ssl cipher
2. AWS dynamodb encrypted with aws master keys

Release 7

(SAST) Improved Symbolic Evaluation logic for better accuracy in detecting vulnerabilities.
(SAST) New methods:
1. JS salt is hardcoded
2. TS salt is hardcoded
3. Java salt is hardcoded
4. Kotlin salt is hardcoded
5. Go salt is hardcoded
6. Dart salt is hardcoded
7. Xml allows all domains
8. JS jwt insec sign algorithm
9. TS jwt insec sign algorithm
10. Yml serverless cors
11. Dart insecure logging
12. Python xml parser
(CSPM) New methods:
1. AWS elbv2 insecure protocols
2. AWS cognito has mfa disabled
(SCA) New methods:
1. Conan conanfile py dev
2. Conan conanfile txt dev

Release 6

(SAST) New methods:
1. JSx lack of validation event listener
2. JS local storage sens data assignment
3. TS local storage sens data assignment
4. Xml header allow all methods

January

Release 5

(CSPM) New methods:
1. AWS iam users with password and access keys
2. AWS iam mfa disabled for users with console passwd
(SCA) New methods:
1. Conan conanfile py
2. Conan conanfile txt

Release 4

Improved support for Go and Kotlin.
(CSPM) New methods:
1. AWS iam has root active signing certificates
2. AWS iam has old ssh public keys
3. AWS has publicly shared amis
4. AWS iam allows priv escalation by policies versions
(SAST) New methods:
1. TSx lack of validation event listener
2. JS json parse unvalidated data
3. TS json parse unvalidated data

Release 3

(CSPM) New methods:
1. AWS iam has old creds enabled
2. AWS iam has old access keys
3. AWS iam root has access keys
(SAST) New methods:
1. JS local storage with sensitive data
2. TS local storage with sensitive data

Release 2

(ASPM) Use colors to identify vulnerabilities' criticality: Add colored markers based on the severity of the vulnerability to facilitate identification.
(ASPM) Add Risk Exposure (CVSSF) to our platform: Add a new column called "% Risk Exposure" that ranges from 0% to 100% in the findings and vulnerabilities tables.
(ASPM) Update of the statuses in ARM reports: Update the technical report's status column by changing the words "open" and "closed" to "safe" and "vulnerable".
(ASPM) Update treatment status: Replace the treatment status "New" with "Untreated" to improve clarity for users.
(ASPM) Organize Vulnerabilities by Risk Exposure (CVSSF): Organize vulnerabilities by default according to CVSSF and status "vulnerable".
(CSPM) New methods:
1. AWS iam root has mfa disabled
(SAST) New methods:
1. Cfn iam permissions policy not resource
2. Cfn iam permissions policy not action
3. Cfn iam trust policy not principal
4. Cfn iam trust policy not action
5. Cfn iam permissions policy wildcard resources
6. Cfn iam permissions policy wildcard actions
7. Cfn iam trust policy wildcard action
8. JS insecure compression algorithm
9. TS insecure compression algorithm
(SCA) New methods:
1. Pub pubspec yaml dev
2. Pub pubspec yaml

Release 1

(ASPM) Delete inactive users after 90 days: Automatically delete users from our platform after 90 days of inactivity.
(ASPM) Talk to a Hacker modal improvements: Add a new field named "ARM Group Name" with autofill to request only unknown information from users.
(ASPM) Congratulations message in compliance report: Add a congratulation message in the compliance report if the group does not have unfulfilled standards.
(CSPM) New methods:
1. AWS iam has mfa disabled
2. AWS iam not requires uppercase
3. AWS iam not requires lowercase
4. AWS iam not requires symbols
5. AWS iam not requires numbers
6. AWS iam password reuse unsafe
7. AWS iam password expiration unsafe
(SCA) New methods:
1. Composer lock dev
2. Composer lock
3. Composer json dev
(SAST) New method:
1. Tfm admin managed policies

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.

Changelog | Fluid Attacks Help

Changelog

2025

October

Release 43

Release 42

Release 41

Release 40

September

Release 39

Release 38

Release 37

Release 36

August

Release 35

Release 34

Release 33

Release 32

July

Release 31

Release 30

Release 29

Release 28

Release 27

June

Release 26

Release 25

Release 24

Release 23

May

Release 22

Release 21

Release 20

Release 19

April

Release 18

Release 17

Release 16

Release 15

Release 14

March

Release 13

Release 12

Release 11

Release 10

February

Release 9

Release 8

Release 7

Release 6

January

Release 5

Release 4

Release 3

Release 2

Release 1

2024

December

Release 52

Release 51

Release 50

Release 49

November

Release 48

Release 47

Release 46

Release 45

October

Release 44

Release 43

Release 42

Release 41

September

Release 40

Release 39

Release 38

Release 37

August

Release 36

Release 35