Changelog | Fluid Attacks Help

Changelog

2025

August

Release 34

  1. (ASPM) Deleted "Download analytics" button: The feature to download a PNG image containing the graphs and figures in Analytics sections is no longer available.
  2. (ASPM) Replace weaknesses count with vulnerabilities count in Groups section: Clients can now view open vulnerabilities within their groups in the "Groups of your organization" section, providing immediate insight into which groups have more open vulnerabilities.
  3. (ASPM) Agent rename to CI Gate in emails: "CI Agent" was replaced with "CI Gate" in all platform notifications.
  4. (Criteria) Search feature: Clients can now use a search feature to help them navigate https://db.fluidattacks.com.
  5. (SAST) New methods:
    1. F016 Swift Weak TLS Configuration
    2. F008 Swift WebView LoadHTMLString XSS
    3. F060 JavaScript Insecure postMessage Wildcard
    4. F060 TypeScript Insecure postMessage Wildcard
    5. F014 Swift Deprecated WebView Usage
    6. F434 JavaScript Client-Side Template Injection
    7. F434 TypeScript Client-Side Template Injection

Release 33

  1. (ASPM) Remove "Weekly trend" from Compliance section: Weekly trends indicator was removed from Compliance to improve clarity.
  2. (ASPM) Agent rename to CI Gate: Now, under the DevSecOps section, the 'Agent' is called 'CI Gate' to align with its purpose and the security gates configuration.
  3. (SAST) New methods:
    1. F021 Kotlin XPath Injection
    2. F297 Kotlin SQL Injection
    3. F404 Kotlin Code Injection
    4. F096 Kotlin Insecure Deserialization
    5. F014 Ruby on Rails Mass Assignment
    6. F052 Swift Weak Hash Algorithm

Release 32

  1. (ASPM) Updated empty states in vulnerabilities table: Update the empty states in the Vulnerabilities table columns to ensure they are consistent and easy to understand.
  2. (ASPM) Added Undeterminable to dependency type filters: Clients can now filter by the "Undeterminable" option in the dependency type filters of the vulnerabilities table.
  3. (ASPM) Added "Fix with AI" filter: Clients can now filter by the "Fix with AI" attribute in the Vulnerabilities sections, making it easy to find vulnerabilities that have an AI-generated fix available.
  4. (Criteria) Moved Criteria page to db.fluidattacks.com: To improve ease of use and consultation, all our vulnerability, security requirement, fixes, and standard details can now be found at db.fluidattacks.com.
  5. (SAST) New methods:
    1. F100 Kotlin SSRF From Untrusted URL
    2. F014 PHP Arbitrary File Read
    3. F404 Ruby Command Injection via Open3
    4. F008 Ruby Reflected Cross-Site Scripting
    5. F297 Ruby SQL Injection
    6. F404 Ruby Code Injection via eval
    7. F017 PHP Insecure Session Configuration (use_only_cookies)

July

Release 31

  1. (ASPM) Improved "How to fix" tab: Improved the design of the "How to fix" section and made the tab always visible for open vulnerabilities, added an "Auto-fix" button for supported cases, simplified the modal flow, and added guidance when Autofix is unavailable.
  2. (ASPM) Markdown inputs validations: The platform now runs validations in Group context and Disambiguation before submitting or closing Markdown inputs to shorten the feedback loop on entered text.
  3. (ASPM) New webhooks: Added notifications for confirmed zero risk vulnerabilities.
  4. (Reachability) New methods:
  5. (SAST) New methods:
    1. F063 Kotlin JAX-RS Path Traversal
    2. F100 PHP Server Side Request Forgery
    3. F021 PHP XPath Injection
    4. F404 PHP Preg Replace Code Injection
    5. F297 PHP SQL Injection
    6. F123 PHP Local File Inclusion
    7. F063 Ruby File Join Path Traversal

Release 30

  1. (Fixes) Support for new files: Our Custom Fix and Autofix features now support Docker files.
  2. (IDE Plugin) Updated IntelliJ extension compatibility: Fluid Attacks' extension can now be used in the latest version of IntelliJ IDEA.
  3. (APK CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4 field was added.
  4. (CSPM CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4 field was added.
  5. (DAST CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4 field was added.
  6. (SAST CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4 field was added.
  7. (SCA CLI) Improvements in outputs: The CVSS3.1 field was deprecated and the CVSS4, direct/transitive status, and EPSS score fields were added.
  8. (Reachability) New methods:
    1. JS GHSA-9h6g-pr28-7cqp
    2. TS GHSA-9h6g-pr28-7cqp
  9. (SAST) New methods:
    1. F404 Ruby Kernel Command Injection
    2. F008 Go HTML Template XSS
    3. F146 Go Database SQL Injection
    4. F098 Go OS Rename File Manipulation
    5. F404 Go Exec Command Injection
    6. F004 JS Unsandboxed Iframe
    7. F004 TS Unsandboxed Iframe
    8. F063 Go Path Traversal
    9. F052 JS JSONWEBTOKEN Allow Invalid Key Types
    10. F052 TS JSONWEBTOKEN Allow Invalid Key Types

Release 29

  1. (ASPM) Vulnerability and risk exposure summary: In vulnerabilities, added the number of open security issues, those that have available fixes with AI, and total risk exposure share of the group.
  2. (ASPM) UI improvements in Group status and Plan columns: Improved the Group status and Plan columns in the Groups section by using colored tags for better readability and quick recognition of statuses (i.e., subscribed, suspended, free trial) and active plan.
  3. (ASPM) Enable opening weaknesses in new tabs: Enhanced navigation in Vulnerabilities by allowing users to open individual weaknesses in a new tab.
  4. (Fixes) Support for new files: Our custom fix and suggested fix features now support the following file types: .html, .yaml (Helm, CloudFormation, Docker Compose), .xml (Android), and .json (ARM).
  5. (SAST CLI) Improvements in scanner output: Now the console output is much more legible and clear, and the CVSS v4 score has been added.
  6. (SAST) New methods:
    1. F100 Go Net HTTP SSRF
    2. F405 Go Insecure File Permissions
    3. F021 Go XMLPath XPath Injection
    4. F100 Python HTTP Request SSRF
    5. F405 Python Insecure File Permissions
    6. F020 Swift Insecure Data No File Protection

Release 28

  1. (ASPM) Added 'Copy' button in location column: Users can now copy the vulnerability URL directly from the Location column using a new "Copy" button.
  2. (ASPM) Editing of "connection types" and "production_environments?": Users can now edit the environment's connection type and production status after registration.
  3. (ASPM) Improved visibility of treatments: Added colors to treatments in the Locations table to help distinguish them more quickly.
  4. (ASPM) Improved readability and implemented brand colors in report: The Executive Summary chart was updated with larger font for readability and overall changed the colors to align with Fluid Attacks' chosen brand colors.
  5. (SCA) UV package manager support: Added support for UV package handler, allowing uv.lock dependencies to be detected and reported.
  6. (SAST) New methods:
    1. F106 Python PyMongo NoSQL Injection
    2. F008 Python Insecure MARKUP XSS
    3. F083 Java JAXP Insecure SAXTransformerFactory XXE
    4. F083 Java JDOM2 Insecure SaxBuilder XXE
    5. F083 Java DOM4J Insecure SaxReader XXE
    6. F083 Java Insecure XML Validator XXE
    7. F083 Java Insecure XSLT Transformer Factory
    8. F100 Java SSRF From Untrusted URL
    9. F004 Java EL Injection From HTTP Request
    10. F096 Swift Foundation Insecure NSKEYEDUNARCHIVER

Release 27

  1. (ASPM) Persistent filters by default: Filters are saved in every table of the platform.
  2. (ASPM) Added Git root exceptions: Added specific exception handling when adding Git repositories to improve error flows.
  3. (SAST) New methods:
    1. F004 Java Script Engine Code Injection
    2. F268 Swift WebKit Unsafe Local File Access
    3. F372 Swift Network Framework Insecure TCP Connection
    4. F094 XML JS/TS CryptoJS Insecure Use Of CBC Mode
    5. F134 Yaml Spring Insecure Cors Wildcard

June

Release 26

  1. (ASPM) Queued Git root cloning: Re-enabled the 'Queued' status for Git roots within scope for clarity and to allow clients to use this status as a filter.
  2. (ASPM) OWASP Top 10 for LLMs report: Users can now include the OWASP Top 10 for LLMs standard in their reports of noncompliance from the Compliance section.
  3. (SAST) New methods:
    1. F372 Swift Insecure HTTP
    2. F097 JQuery Reverse Tabnabbing
    3. F134 YAML AWS SAM Insecure Cors
    4. F134 Properties Spring Insecure Cors Wildcard
    5. F447 Gradle Missing Checksum Verification
    6. F359 Dockerfile Hardcoded Credentials CHPASSWD
    7. F264 XML .NET Weak Encryption Algorithm
    8. F134 XML Java EE Insecure Cors Wildcard

Release 25

  1. (ASPM) CVSS 4.0 is mandatory: All SAST, SCA, CSPM, and DAST reports include the CVSS 4.0 score from now on.
  2. (ASPM) Migrated tables to new design: Improved UX and usability for the following tables: Trusted devices and Groups (in Portfolios).
  3. (MCP) Answering questions using Knowledge Base: Fluid Attacks' MCP server can now answer users' questions using the information in the Knowledge Base.
  4. (Criteria) OWASP Top 10 for LLMs verification: Fluid Attacks verifies that you comply with this new standard.
  5. (SAST) New methods:
    1. F264 Java Weak Crypto In SecretKeyFactory
    2. F094 Java Spring Weak CBC Cipher Suites
    3. F134 YAML Insecure Cors Header
    4. F405 YAML Insecure File Permissions for other
    5. F359 Build.Gradle Hardcoded Credentials
    6. F157 Terraform Azure NSG Allows Unrestricted SSH Access
    7. F157 Terraform Azure NSG Allows Unrestricted SMTP Access
    8. F157 Terraform Azure NSG Allows Unrestricted RPC Access
    9. F157 Terraform Azure NSG Allows Unrestricted PostgreSQL Database Access

Release 24

  1. (ASPM) Migrated tables to new design: Improved UX and usability for the following tables: Execution details (in DevSecOps), Credentials management window, subentries to new entry (Mailmap section), Treatment acceptance (in Locations), Update verification (in Locations), API token window, Records preview (in Locations) and Update affected reattacks (in Locations).
  2. (SAST) New methods:
    1. F332 Java Spring Datasource No Encryption
    2. F359 Package.json NodeJS Git Credentials Exposure
    3. F380 Dockerfile Curl No Checksum
    4. F380 Dockerfile Wget No Checksum
    5. F183 Android Debuggable Enabled
    6. F134 Swift Vapor Insecure CORS Header
    7. F016 Nginx Insecure SSL Protocols
    8. F134 Ruby On Rails Insecure CORS Header
    9. F043 Nginx Insecure CSP Inline Script
    10. F135 Nginx Insecure Cors Header
    11. F129 Python Flask Insecure Cookie Samesite None
    12. F129 Python Django Insecure Cookie Samesite None
    13. F216 Log Exposed Username in Path
    14. F134 PHP Laravel Insecure Cors Configuration
    15. F037 Spring Prometheus Endpoint Exposure
    16. F359 Java Spring Hardcoded Credentials
    17. F149 Java Spring Insecure SMTP

Release 23

  1. (ASPM) Enhanced the Surface table (Ports): Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Ports).
  2. (SAST) New methods:
    1. F129 JS Express Insecure Cookie Samesite
    2. F129 TS Express Insecure Cookie Samesite
    3. F043 JS Insecure CSP Inline Script
    4. F313 JS Insecure TLS Reject Unauthorized in False
    5. F313 TS Insecure TLS Reject Unauthorized in False
    6. F043 Kotlin Insecure CSP Inline Script
    7. F134 JS Lambda Insecure Cors
    8. F134 TS Lambda Insecure Cors
    9. F338 Kotlin Hardcoded Salt Bytes
    10. F094 JS SSH2FTPClient CBC Cipher Used
    11. F094 TS SSH2FTPClient CBC Cipher Used
    12. F135 C Sharp Insecure SameSite Cookie Configuration

May

Release 22

  1. (SCA) Reporting Docker images vulnerabilities: Now vulnerabilities discovered in Docker images can be viewed in the Vulnerabilities table.
  2. (MCP) AI Agent to production.
  3. (SAST) New methods:
    1. F395 Kotlin Hardcoded Init Vector
    2. F135 CSharp ASP.NET Insecure Cookie Samesite None
    3. F134 JS Express Insecure CORS Header with Wildcard Origin
    4. F134 TS Express Insecure CORS Header with Wildcard Origin
    5. F395 Java Static IV in Base64 Scenarios
    6. F134 CSharp Insecure Use of Wildcard CORS Configuration
    7. F134 CSharp Insecure Cors Header via HttpWebRequest
    8. F125 CSharp ASP.NET Directory Browsing Enabled
    9. F078 CSharp ASP.NET AllowInsecureHTTP in True
    10. F043 Java Insecure CSP Inline Script
    11. F368 Java Host Key Checking
    12. F134 Java Insecure Cors Modifier
    13. F134 Java Spring Insecure Cors
    14. F129 Java Spring Cookiegenerator SameSite
    15. F129 Java Spring Insecure Cookie Samesite None
    16. F130 Java Spring Cookiegenerator Secure
    17. F060 Java JSCH StrictHostKeyChecking Disabled
    18. F052 Java Insecure Cipher Mode
    19. F134 Dart Shelf Insecure CORS Header

Release 21

  1. (ASPM) Package details: Added a new section in the vulnerability modal with the fields 'Dependency', 'Dependency type', 'ID', '%EPSS', 'Stage', 'Reachability', 'Version status', 'Affected version', 'CPEs', 'Namespace' and 'Advisory URLs'.
  2. (ASPM) 'Potential' tag: Added the new 'Potential' tag to let customers identify the dependencies that are imported in their code but whose vulnerability is not confirmed to be reachable.
  3. (SAST) New methods:
    1. F134 Go Gin Insecure CORS Header
    2. F359 Python Hardcoded Credentials in PyMySQL

Release 20

  1. (SCA) Reachability label: When a dependency is reachable it appears as a tag in the inherited vulnerability.
  2. (ASPM) Enhanced tables in Organization Billing: Enhanced user experience with filtering, sorting, searching, and pagination in the Billing section.
  3. (ASPM) Enhanced the Surface table (Lines): Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Lines).
  4. (ASPM) Enhanced the Members table (organization and groups): Enhanced user experience with filtering, sorting, searching, and pagination in the Members table at both the organization and group levels.
  5. (Design Map) Delete files from Design Map: Clients can now delete uploaded files from this section.
  6. (Design Map) UI Improvements: Renamed columns, added tooltips, and improved alignment, sorting, and layout.
  7. (Design Map) Multilingual classification support: Design Map now supports documents in both English and Spanish.

Release 19

  1. (ASPM) Enhanced tables for IP roots and URL roots: Enhanced user experience with filtering, sorting, searching, and pagination in the Scope section.
  2. (ASPM) Enhanced the Surface table (Languages): Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Languages).
  3. (ASPM) Authorization improvements: Permissions for the User role were updated so that it cannot remove environments from the scope, restricting this action to higher-level roles only: Group Manager and Vulnerability Manager.
  4. (ASPM) Inherited vulnerabilities filtering: 'Inherited' vulnerabilities can now be filtered by dependency type ('Direct' or 'Transitive'), EPSS, package manager, stage ('Run' or 'Build') and by whether they are reachable or not.
  5. (SAST) New methods:
    1. F006 C Sharp Token Validation Bypassed via Unsafe Delegates
    2. F061 C Sharp Insecure DLL loading

April

Release 18

  1. (Design Map) Correlate threats: Clients can now correlate threats identified in their security designs with vulnerabilities reported by Fluid Attacks.
  2. (IDE) Cursor IDE extension: Our clients' development teams can now check reported vulnerabilities, request reattacks, generate fixes using artificial intelligence, and request treatments, all without leaving the Cursor IDE.
  3. (ASPM) Enhanced the Integrations table: Enhanced user experience with filtering, sorting, searching, and pagination in the Integrations section.
  4. (ASPM) Enhanced the Surface table (Packages): Enhanced user experience with filtering, sorting, searching, and pagination in the Surface section (Packages).
  5. (ASPM) Enhanced Scope tables: Enhanced user experience with filtering, sorting, searching, and pagination in the Scope subsections.
  6. (MCP) Fluid Attacks' Model Context Protocol: Launched a new integration that enables users to query real-time security data from Fluid Attacks through natural language prompts in AI tools such as Claude or VS Code using Copilot as the agent. This is possible with minimal setup and no need for complex commands.
  7. (SAST) Architecture improvements in Fluid Attacks' scanner: Aiming for a cleaner architecture and better separation of concerns, our APK scanner is now a separate CLI with its own Docker image.
  8. (SAST) New methods:
    1. F089 C Sharp Insecure Deserialization Of Untrusted XML in .NET DataTable
    2. F260 C Sharp Memory Corruption Risk Due to Serialization of Pointers
    3. F007 C Sharp Lack of ViewState association with session in ASP.NET Web Forms (CSRF)
    4. F115 C Sharp Insertion of Untrusted Certificate into Root Store
    5. F130 C Sharp Insecure Cookie Transmission via Unset Secure Flag in ASP.NET Core

Release 17

  1. (ASPM) Upgrade plan flow from Talk to a Pentester: If clients with the Essential plan would like to use the 'Talk to a Pentester' feature, which is available only in the Advanced plan, they can easily request an upgrade from the dialog when attempting to access the feature.
  2. (ASPM) Upgrade plan flow from Reattack: Clients who downgraded to the Essential plan and want to reattack vulnerabilities previously found via RE, SCR, and PTaaS can easily request a plan upgrade from the dialog when attempting to access the feature.
  3. (ASPM) Enhanced the Vulnerabilities table: Enhanced user experience with filtering, sorting, searching, and pagination in the Vulnerabilities section.
  4. (ASPM) Enhanced Logs tables: Enhanced user experience with filtering, sorting, searching, and pagination in the Logs subsections.
  5. (SCA) Change displayed technique for types 431 and 120: Vulnerability types 431 and 120 now accurately display 'SAST' as the technique that detected them.
  6. (SAST) New methods:
    1. F056 JS/TS Insecure gRPC Communication via createInsecure
    2. F125 C Sharp Insecure Configuration: Directory Browser Middleware Exposes Filesystem
    3. F140 C Sharp Insecure Corrupted State Exception (CSE) Catching in .NET
    4. F204 JS/TS Mass Assignment via Object.assign in Express
    5. F323 C Sharp XML External Entity (XXE) via Insecure DTD Processing in XmlReaderSettings
    6. F422 C Sharp Server-Side Template Injection (SSTI) in Razor

Release 16

  1. (SAST) New methods:
    1. F115 JS Improper CSRF Middleware Order
    2. F115 TS Improper CSRF Middleware Order
    3. F002 JS Uncontrolled Error Object Allocation via Ajv allErrors Option
    4. F002 TS Uncontrolled Error Object Allocation via Ajv allErrors Option
    5. F014 C Sharp Insecure Random Number Generator for Cryptographic Key Generation

Release 15

  1. (ASPM) Enhanced flow for upgrading to paid plans: Improved the flow to make it easier for free trial users to upgrade their plan.
  2. (ASPM) Management options in credentials table: Options to edit and remove credentials are now accessible through a single button for a cleaner look.
  3. (ASPM) Columns in Surface table: Added new filters and columns UI to ease data filtering.
  4. (SBOM) Support of packages.swift: packages.swift files now appear in SBOM.
  5. (SAST) New methods:
    1. F068 JS Missing Path In Session Cookie
    2. F068 TS Missing Path In Session Cookie
    3. F146 PHP Mysql Query Injection
    4. F134 Go Gin Framework Insecure CORS
    5. F006 JS JWT Token Forgery
    6. F006 TS JWT Token Forgery
    7. F134 Koa Framework Insecure CORS
    8. F431 Swift Package Missing Package Lock

Release 14

  1. (ASPM) Improved Acceptance section in Policies: The process for requesting acceptance policies was simplified by improving the user interface, making treatment statuses, temporary and permanent acceptances, as well as the section's functionality and tables, clearer.
  2. (ASPM) Improved reattack flow and messages: Improved the user flow to request a reattack from three to two clicks and implemented detailed error messages.
  3. (ASPM) Updated PDF available in the free trial: Updated the PDF about plans and prices linked in the banner shown to free trial users.
  4. (Reachability) New methods:
  5. (SAST) New methods:
    1. F085 Flutter Framework Sensitive Information Stored in SharedPreferences
    2. F332 Ruby OpenURI Request
    3. F130 PHP Laravel Cookie Insecure
    4. F183 JS Struts Debug Mode enabled in production
    5. F371 JS Angular Use Of Insecure InnerHtml
    6. F371 TS Angular Use Of Insecure InnerHtml
    7. F008 PHP Laravel Reflected XSS
    8. F151 Ruby NET Telnet Request

March

Release 13

  1. (ASPM) Moved existing filters to a new design: Implemented a new filter design in the organization's Logs and groups' Scope sections to ease data filtering.
  2. (Agent) Ignoring SCA findings when breaking the build: Our Agent now accepts a flag (--inherited) that lets users decide whether vulnerabilities reported by SCA scans are ignored when breaking the build, by specifying which dependency stage to consider: development (build), production (run), or either of those (all).
  3. (Reachability) New methods:
    1. Kotlin CVE-2021-43570
    2. Scala CVE-2021-41084
  4. (SAST) New methods:
    1. F157 Helm Insecure Ingress Egress
    2. F134 Ruby On Rails Insecure CORS
    3. F008 React Native WebView JS Enabled
    4. F097 Vue JS Reverse Tabnabbing

Release 12

  1. (ASPM) Added Origin quick filter in Locations: Now vulnerabilities can be filtered by their origin ('Inherited', 'Injected').
  2. (ASPM) Moved existing filters to a new design in the organization's views: Implemented a new filter design in the organization's Billing, Mailmap and Members sections to ease data filtering.
  3. (SCA) Move SCA reports from general 011-393 findings to specific ones according to CVE: Now, our scanner reports SCA vulnerabilities to specific findings instead of grouping all reports together in the same general category.
  4. (Reachability) New methods:
    1. PHP CVE-2021-3902
    2. Dart CVE-2023-39139
  5. (SAST) New methods:
    1. F372 Ruby Net HTTP Client Request
    2. F052 Scala JWT Generation Without Valid Signature
    3. F052 Scala Insecure Key Secret
    4. F134 Python Starlette Insecure CORS
    5. F052 Scala Insecure Hash Argument
    6. F052 Scala Insecure Key Secret

Release 11

  1. (ASPM) Moved existing filters to new design in locations view: Implemented a new filters design inside the Locations section to ease data filtering.
  2. (ASPM) Testing multiple environments: Allow clients to indicate which registered environment corresponds to production, so Fluid Attacks can perform the proper assessments and prevent downtime due to security testing.
  3. (ASPM) Treatment acceptance button improvements: The treatment acceptance button is now grayed out when there are no pending approvals, preventing user confusion.
  4. (ASPM) Origin columns in the vulnerabilities table: Users can now quickly identify in the table if a vulnerability is in a dependency ('Inherited') or in code owned by them ('Injected').
  5. (ASPM) Vulnerabilities' modal improvements: Adjustments were made to facilitate viewing vulnerability information, including severity, Origin ('Injected', 'Inherited'), Technique ('CSPM', 'DAST', 'PTAAS', 'RE', 'SAST', 'SCA', 'SCR'), and Status ('Vulnerable', 'Safe').
  6. (Reachability) New methods:
    1. JS CVE-2019-10742
    2. TS CVE-2019-10742
    3. JS CVE-2023-45857
    4. TS CVE-2023-45857
    5. JS CVE-2024-39338
    6. TS CVE-2024-39338
    7. Python CVE-2025-27607
  7. (SAST) New methods:
    1. F052 Scala Insecure Cipher Mode
    2. F052 Scala Use of Insecure Password Encoder
    3. F097 Javascript NextJS Reverse Tabnabbing
    4. F097 Typescript NextJS Reverse Tabnabbing
    5. F157 Terraform Azure NSG Allows Unrestricted NetBIOS Access
    6. F157 Terraform Azure NSG Allows Unrestricted MongoDB Access
    7. F157 Terraform Azure NSG Allows Unrestricted MS SQL Server Access
    8. F157 Terraform Azure NSG Allows Unrestricted Oracle Database Access
    9. F016 ARM API Management back does not have minimum TLS version set
    10. F016 ARM API Management front does not have minimum TLS version set
    11. F148 Ruby NET FTP Request

Release 10

  1. (ASPM) Updated the filter component: Adjustments to prevent the table header view from shifting and buttons from disappearing when there are a large number of filters applied.
  2. (ASPM) Signatures in executive reports and testing certificates: As part of the enhancements to obtain the CREST Penetration Testing accreditation, reports generated from our platform are now signed by our Head of Service and our VP of Hacking.
  3. (SCA) From general to specific categories in SCA reports: Vulnerabilities associated with CVE entries will be reported under the categories that match their specific descriptions.
  4. (SAST) New methods:
    1. F101 Terraform Azure Storage Account Geo-Replication is Disabled
    2. F101 Terraform Azure Storage Account Blob Service Soft Delete is Disabled
    3. F101 Terraform Azure Key Vault Accidental Purge Prevention is Disabled
    4. F148 Terraform Azure App Service Allows FTP Deployments
    5. F134 Nest Insecure CORS Configuration
  5. (Reachability) New methods:
    1. JS CVE-2024-21538
    2. TS CVE-2024-21538
    3. JS CVE-2021-3749
    4. TS CVE-2021-3749
    5. JS CVE-2024-43796
    6. TS CVE-2024-43796
    7. JS CVE-2024-10491
    8. TS CVE-2024-10491
    9. JS CVE-2018-1109
    10. TS CVE-2018-1109

February

Release 9

  1. (ASPM) More info for free trial users on paid plan features: Encourage free trial users to upgrade to a paid plan (Essential or Advanced) by highlighting the value of the features that interest them the most.
  2. (ASPM) Revert the Vuln Management button to 'Reattack' and 'Treatment acceptance': Return to the previous button configuration for Reattacks and Treatment Acceptance to improve user experience.
  3. (ASPM) Filters new UI and behavior: Existing filters have been upgraded to deliver more robust and precise performance. The interface has been streamlined by reorganizing components, enhancing clarity, and improving overall efficiency. This applies to the following sections: Groups, Supply chain, DevSecOps, (group-level) Members, and Authors.
  4. (ASPM) Organization Manager can access all groups within the organization: Now, when someone gains access to a platform as an Organization Manager, they automatically get access to all the groups within the corresponding organization.
  5. (IDE Plugin) Align severity scoring between platform and extension: Standardize the severity scoring by ensuring that the platform and the VS Code extension display the maxOpenSeverityScoreV4 value to maintain consistency across all interfaces.
  6. (SAST) New method:
    1. F372 Ruby HTTP Client Request

Release 8

  1. (ASPM) Column management: Allow users to enable or disable columns based on preferences and reorganize them via drag-and-drop. Personalized configurations can be saved and persist in future use. Additionally, the first column is fixed and locked, ensuring it remains visible and cannot be disabled, providing consistent access to critical information.
  2. (ASPM) Rename user manager: The User Manager at the organization level became the Organization Manager, and that at the group level became the Group Manager to keep role names aligned with their corresponding scope.
  3. (Reachability) New method:
    1. Python CVE-2022-22817

Release 7

  1. (ASPM) Centralized policies management: Policy management is now centralized at the organization-level section to simplify changes.
  2. (SAST) New methods:
    1. F096 Python Insecure Serialization
    2. F266 Docker Socket Mount
  3. (Reachability) New methods:
    1. Python CVE-2020-13091
    2. Python CVE-2022-22817

              Release 6

              1. Fluid Attacks becomes an AWS partner: We are officially listed by AWS as leveraging AWS technologies in our processes for helping businesses secure their cloud environments.
              2. (ASPM) Updated terminology for vulnerabilities column: Instead of displaying "X types found" in the Groups section, now "X types open" is displayed to be accurate.
              3. (ASPM) Eliminated "Unauthorized access" window: Removed the window that appeared when a user's session expired; instead, the user is redirected to the login page.
              4. (ASPM) Renamed Agent's executions report: Report name was renamed from "forces_execution.csv" to "FluidAttacks_DevSecOpsAgent.csv".
              5. (ASPM) Column management: Column customization in the Locations, Vulnerabilities and To do tables is now allowed, simplifying navigation.
              6. (ASPM) Added banner for free trial users: A banner now informs free trial users that automated tools typically detect 30% of a system's risk exposure.
              7. (ASPM) Testing your production environment: You can also add the production environment of your system under assessment as a second environment to undergo our continuous security testing. This option is only available in the Advanced plan.
              8. (SCA) Malware advisories: Updated the scanner to report malware advisories under finding F488 - Use of software with malware.
              9. (SAST) New methods: 
                1. F002 Python Asymmetric Denial of Service

              January

              Release 5

              1. (ASPM) Inherited to surface: The Inherited section, which contained all the package-related information, was renamed Packages and moved inside the Surface section.
              2. (ASPM) UI improvements for Treatment modals: Updated Treatment modals to have less intrusive alerts.
              3. (ASPM) Add policy information to DevSecOps and Members tab (Organization and Groups): Added informative banners that display the configured policies in the DevSecOps and Members sections.
              4. (SBOM) Amazon Elastic Container Registry (ECR): Our scanner now supports Docker images from AWS Elastic Container Registry (ECR).
              5. (SAST) New methods:
                1. F004 Javascript Arbitrary Command Injection
                2. F004 Typescript Arbitrary Command Injection
                3. Java CSFRHandler Hardcoded Password
                4. F183 Java Debug Mode Enabled
                5. F359 Java Hardcoded Password in SetPassword
                6. F359 Java Key Manager Factory Hardcoded Password
                7. F359 Java PBEKeySpec Kerberos Hardcoded Secret
                8. F359 Java KeyStore Hardcoded Password
                9. F390 Javascript Prototype Pollution
                10. F390 Typescript Prototype Pollution
              6. (Reachability) New method:
                1. Python CVE-2020-28975 

              Release 4

              1. (ASPM) Modified the maximum days limit for which a vulnerability can be temporarily accepted: The limit was 90 days, which was modified to 999 days.
              2. (ASPM) From "Inherited" to "Packages" and from "Injected" to "Vulnerabilities": Updated some of the platform's section names to improve clarity.
              3. (ASPM) Feedback modal for incomplete information to generate report: A new modal was implemented to inform users, when requesting reports, that they need to provide group information in the Scope section to generate the report.
              4. (SAST) New methods: 
                1. F002 Python Asymmetric Denial of Service
                2. F004 Typescript Arbitrary Command Injection
                3. F004 Javascript Arbitrary Command Injection
                4. F006 Java SAML Ignore Comments
                5. F016 Terraform Redis cache insecure port is enabled
                6. F096 Java RPC Enabled Extensions
                7. F101 Terraform Azure Postgres DB log retention days is set to less than 3 days
                8. F350 Java Ignore SSL Certificate Errors

              Release 3

              1. (ASPM) Added Type column in Packages: A new column was added to the Dependency Detail table to identify whether a dependency is direct or indirect.
              2. (ASPM) Added Environment column in Packages: A new column was added to the Dependency Detail table to identify when a dependency is used in the development ('Build') or production ('Run') stages.

              Release 2

              1. (SAST) New method: 
                1. F149 Java Insecure SMTP SSL

              Release 1

              1. (ASPM) Improved mutation to add CSPM environments: Previously, adding an environment to a Git root (APK, URL, or CSPM) was handled using the same mutation, which could lead to inconsistencies. A new mutation was created to handle adding CSPM environments specifically, making the process more precise and less prone to errors.
              2. (SAST) New methods: 
                1. F130 Java Cookie Serializer Secure
                2. F344 Java Wicket String Escaping
                3. F159 Java Dangerous Permission
              3. (SLA) Enhanced accuracy SLA: We now offer 90%+ F2 score involving risk exposure and 90%+ F0.5 score involving number of vulnerabilities.

              2024

              December

              Release 52

              1. (SAST) New methods: 
                1. F359 Java MongoDB Hardcoded Secret
                2. F359 Java MySQL Hardcoded Secret
                3. F359 Java OkHttp Hardcoded Secret

              Release 51

              1. (SCA) Malware packages tagged: Packages in Supply chain with detected malware are tagged.
              2. (SCA) Split environment dependencies: Identify whether dependencies are related with production or development environments.
              3. (SCA) SBOM export: Include Docker packages in SBOM export file.
              4. (ASPM) Environments migration: Migration modal has the option to lookup required root.
              5. (ASPM) Rename: Changed 'Vulnerabilities' to 'Injected' and 'Supply chain' to 'Inherited' for added clarity.

              Release 50

              1. (Integrations) Jira Security module: All the vulnerabilities are presented in the Security feature of Jira.
              2. (SAST) New Methods: 
                1. F332 Java Unsafe TLS Renegotiation.
                2. F151 Java Telnet Request.
                3. F372 Java Insecure HTTP Open Connection.
                4. F007 Java CSRF Unrestricted Request Mapping.
                5. F372 Java Insecure HTTP Request.
                6. F372 Java Insecure HTTP Components.
              3. (ASPM) Component improvements: Ghost buttons, section header, and tabs.
              4. (SCA) Docker packages in SBOM: Docker packages are included in SBOM file. 
              5. (ASPM) Zero risk column: An indicator of requested ZR is available in the Locations table.
              6. (ASPM) Scope table: Show which Roots and Environments have active events.

              Release 49

              1. (ASPM) Improved table exports names: Exported CSV files now have meaningful names, including organization or group name and timestamp.
              2. (ASPM) Country is deprecated: Country field is not required anymore to create an organization.
              3. (SAST) New Java SAST methods: 
                1. F016 Java Unsafe SSL/TLS Protocol.
                2. F148 Java Insecure FTP Client.
                3. F372 Java Insecure Spring HTTP Request.
                4. F007 Java Insecure FTP Session Factory.

              November

              Release 48

              1. (ASPM) Centralized report download: Access all your downloadable files through the new Downloads button in the platform header. This includes executive and technical vulnerability reports, with plans to add SBOMs and other resources soon. Track download progress and redownload files effortlessly.
              2. (ASPM) Improved CSV repos import: Add connection method and priority in the CSV file and get an example CSV file. Improved error messages.
              3. (ASPM) Custom priority: Use the reachability attribute as a prioritization criterion.
              4. (Reachability) New methods:
                1. CSharp CVE-2021-43045 
              5. (SAST) New methods:
                1. Java insecure channel.
                2. Java null cipher.
                3. Python hc aes key.
                4. Java anonymous ldap bind.

              Release 47

              1. (ASPM/CSPM) Status validation for cloud environments: A new Status column in the Environments table shows open events for AWS, Azure, or GCP environments, helping you address misconfigurations promptly.
              2. (ASPM/SBOM) Updated labels for vulnerable components: The label 'Issues identified' in Supply chain has been updated to 'Vulnerable' to clarify the presence of security risks.  vulnerabilities will display the 'Reachable' label.
              3. (SAST) New methods:
                1. Java unsafe default http client.

              Release 46

              1. (SBOM/SAST) Reachability analysis: A feature is available that examines direct dependencies in the Supply chain section to identify exploitable vulnerabilities. This helps prioritize remediation efforts for dependency issues.
              2. (ASPM) Custom vulnerability prioritization: Use the Priority feature in the Policies section to rank vulnerabilities by impact, exploitability, and more, tailored to your organization's needs.
              3. (ASPM) Enhanced event reporting: Events now specify affected environments and feature improved root and environment tables for better prioritization.
              4. (CSPM) New methods:
                1. AWS Document DB Cluster TLS Disabled.
                2. AWS EKS Unrestricted CIDR.
                3. AWS DAX Cluster Without Encryption at Rest.
                4. AWS Unencrypted ECR Repository.
                5. AWS RDS Unencrypted DB Cluster Snapshot.
                6. AWS RDS Unencrypted DB Snapshot.
                7. AWS ALB Does Not Drop Invalid Header Fields.
                8. AWS Public Accessible DMS Replication.
                9. AWS CloudFront Distribution Viewer Policy Allows HTTP.
                10. AWS ALB HTTP Not Redirected to HTTPS.
                11. AWS Document DB Without Audit Logs.
                12. AWS RDS DB Cluster Logs Disabled.
                13. AWS RDS DB Instance Logs Disabled.
                14. AWS Global Accelerator Flow Logs Disabled.
                15. AWS Neptune DB Instance Logs Disabled.
                16. AWS MSK Cluster Logging Disabled.
                17. AWS Workspaces Has Volume Encryption Disabled.
                18. AWS Route53 Transfer Lock Disabled.
                19. AWS SageMaker Training Job Intercontainer Encryption.
                20. AWS SageMaker Notebook Instance Encryption.
                21. AWS Athena Workgroup Query Results Not Encrypted.
              5. (SAST) New methods:
                1. Python flask log injection.
                2. JS express SSRF.
                3. TS express SSRF.
                4. Python insecure redirect.
                5. Python aws hardcoded credentials.
                6. CSharp sql conn hardcoded secret.
                7. CSharp insecure x509 cert 2.
                8. CSharp hardcoded credentials.
                9. Python flask hardcoded secret key.
              6. (Reachability) New methods:
                1. Java CVE-2021-37573

              Release 45

              1. (SCA) Docker image scanning: Scan Docker images from any standard registry, generating detailed SBOMs with associated security issues in the Supply chain section.
              2. (ASPM) Vulnerability closing reasons: View detailed reasons for closed vulnerabilities in the Tracking and Analytics sections.
              3. (ASPM) Expanded permissions for Events tab: User Managers and Vulnerability Managers now have access to the Events tab in the To do section, providing a comprehensive view of issues when managing multiple groups.
              4. (ASPM) Automatic filename formatting: Upon file upload, filename is formatted to avoid issues and vulnerabilities in the platform.
              5. (SAST) New methods:
                1. CSharp insecure fspickler des.
                2. CSharp dir entry hardcoded secret.

              October

              Release 44

              1. (SCA) Improved SBOMs: CycloneDX and SPDX SBOM exports now include component details like location, latest version, and associated security issues.
              2. (ASPM) New webhooks: Notifications added for closed events and vulnerabilities within groups.
              3. (ASPM) From MPT to PTaaS: Former 'MPT' technique is clarified and changed to 'PTaaS'.
              4. (ASPM) Event tab in To do: Granted Events tab access for additional roles: User Managers and Vulnerability Managers.
              5. (Reachability) New methods:
                1. JS CVE-2020-8203
                2. TS CVE-2020-8203
                3. JS CVE-2019-10744
                4. TS CVE-2019-10744
                5. JS CVE-2018-16487
                6. JS CVE-2018-16487
                7. JS CVE-2017-18214
                8. TS CVE-2017-18214
                9. JS CVE-2023-42282
                10. TS CVE-2023-42282
                11. JS CVE-2021-26540
                12. TS CVE-2021-26540
              6. (SAST) New methods:
                1. JS weak ssl tls protocol.
                2. TS weak ssl tls protocol.
                3. PHP insecure content policy.
                4. CSharp weak rsa encrypt padding.
                5. CSharp http listener wildcard.
                6. Java spring concurrent sessions.
                7. PHP insecure referrer policy.
                8. CSharp insecure fastJSon des.
                9. CSharp memory marshal create span.
                10. JS express insec httponly.
                11. TS express insec httponly.
                12. JS express cookie secure.
                13. TS express cookie secure.
                14. Python django insecure cors.
                15. Python fastapi insecure cors.
                16. Python flask insecure cors.
                17. JS express debug mode enabled.
                18. Python django debug mode enabled.
                19. Python fastapi starlette debug on.
                20. Python flask debug mode enabled.
                21. TS express debug mode enabled.
                22. CSharp stacktrace disclosure.
                23. CSharp insecure ecb mode.
                24. Python django sql injection.
                25. Java hardcoded jwt secret.
                26. JS expressJS hardcoded sess secret.
                27. JS hardcoded jwt secret.
                28. Python django hardcoded creds.
                29. TS express hardcoded sess secret.
                30. TS hardcoded jwt secret.
                31. CSharp hardcoded init vector.

              Release 43

              1. (ASPM) Supply chain section: Separated affected and unaffected third-party dependencies from the Vulnerabilities section for easier prioritization. Users can filter components by repository under evaluation.
              2. (ASPM) Temporary acceptance: Selected dates must comply with the established policies.
              3. (ASPM) New events in webhooks: Events and vulnerabilities closed added to webhooks.
              4. (CSPM) New methods:
                1. AWS RDS Instance TLS Disabled.
                2. AWS RDS Cluster TLS Disabled.
                3. AWS OpenSearch Domain Insecure TLS Version.
                4. AWS MSK Client Broker TLS Disabled.
                5. AWS MSK Broker Broker TLS Disabled.
                6. AWS Unrestricted Access to MSK Brokers.
                7. AWS ECR Repository Exposed.
                8. AWS OpenSearch Domain Exposed.
                9. AWS RDS Instance Backup Retention Period.
                10. AWS RDS Cluster Backup Retention Period.
                11. AWS ElastiCache Replication Group WO Auto Backups.
                12. AWS ElastiCache Replication Backup Retention Period.
                13. RDS Unrestricted Cluster Groups.
                14. Backup Vault Policy Allow Delete Recovery Points.
                15. AWS Bedrock Guardrails No Sensitive Info Filter.
                16. AWS Event Bridge Default Event Bus Exposed.
                17. AWS Lambda URL Without Authentication.
                18. AWS Lambda Function Exposed.
                19. AWS Comprehend Analysis Without Encryption.
                20. AWS EBS Public Snapshot.
                21. AWS EKS Unencrypted Secrets.
                22. AWS EMR Has Not Config.
                23. AWS OpenSearch Without Encryption at Rest.
                24. AWS OpenSearch Domain Node to Node Encryption.
                25. AWS Glue Catalog Without Encryption at Rest.
                26. AWS Kinesis Stream Without Encryption at Rest.
                27. AWS MQ Broker Publicly Accessible.
                28. AWS MSK Cluster Is Publicly Accessible.
                29. AWS Neptune DB Instance Without Encryption at Rest.
                30. AWS CloudFront Traffic Allows HTTP.
                31. AWS OpenSearch Domain Allows HTTP.
                32. AWS CloudFront Is Not Protected With WAF.
                33. AWS Cloud Trail Delivery Failing.
                34. AWS Config Referencing Missing S3 Bucket.
                35. AWS EKS Cluster Logging Disabled.
                36. AWS Beanstalk Persistent Logs.
                37. AWS OpenSearch Without Audit Logs.
                38. AWS MQ Broker Logs Disabled.
                39. AWS Route53 DNS Query Logging Disabled.
              5. (Reachability) New methods:
                1. JS CVE-2021-23771
                2. TS CVE-2021-23771
                3. JS CVE-2021-23566
                4. TS CVE-2021-23566
                5. JS CVE-2019-10775
                6. TS CVE-2019-10775
                7. JS CVE-2019-1010266
                8. TS CVE-2019-1010266
              6. (SAST) New methods:
                1. Apk unprotected exported receivers.
                2. Apk unprotected exported services.
                3. Docker insecure context directory.

              Release 42

              1. (ASPM) Transition to CVSS v4.0: CVSS v4.0 is now the default for Analytics data. A toggle is available for viewing data in CVSS v3.1.
              2. (ASPM) Prevent file deletion: Restrictions prevent deleting application files linked to environments to maintain manageability.
              3. (Reachability) New methods:
                1. JS CVE-2018-3721
                2. TS CVE-2018-3721
              4. (SAST) New methods:
                1. CSharp CSRF

              Release 41

              1. (IDE) IntelliJ IDEA extension: Developers can now identify reported vulnerabilities within IntelliJ IDEA, similar to existing support for VS Code.
              2. (ASPM) Improved unauthorized access message: Improved message, as users do not necessarily need to contact their administrator to access the platform.
              3. (ASPM) Repositories deactivation: Included vulnerabilities of all techniques in repository deactivation notifications.
              4. (Reachability) New methods:
                1. JS CVE-2023-25813
                2. TS CVE-2023-25813
                3. JS CVE-2022-23540
                4. TS CVE-2022-23540
                5. JS CVE-2020-15084
                6. TS CVE-2020-15084
                7. JS CVE-2023-32314
                8. TS CVE-2023-32314
                9. JS CVE-2023-37466
                10. TS CVE-2023-37466
                11. JS CVE-2023-37903
                12. TS CVE-2023-37903

              September

              Release 40

              1. (ASPM) Branch and URL management: Update branches or URLs for repositories without losing existing findings, ensuring consistent reporting.
              2. (ASPM) Vulnerabilities table: Added option to filter vulnerabilities by technique.
              3. (Reachability) New methods:
                1. JS CVE-2022-25881
                2. TS CVE-2022-25881
                3. JS CVE-2022-25887
                4. TS CVE-2022-25887
                5. JS CVE-2020-28500
                6. TS CVE-2020-28500

              Release 39

              1. (IDE) Custom fix and Autofix: Fluid Attacks' GenAI-based vulnerability remediation now supports all languages scanned by the SAST tool.
              2. (Reachability) New methods:
                1. TS CVE-2017-16016
                2. JS CVE-2016-1000237
                3. TS CVE-2016-1000237
                4. JS CVE-2021-26539
                5. TS CVE-2021-26539
                6. JS CVE-2024-29415
                7. TS CVE-2024-29415
                8. JS CVE-2023-28155
                9. TS CVE-2023-28155
              3. (SAST) New methods:
                1. Docker debugging enabled

              Release 38

              1. (ASPM) Mailmap management: Manage developer data directly within the platform to avoid billing issues.
              2. (ASPM) Free trial restrictions: Users from existing client organizations can no longer initiate free trials to prevent confusion with reports.
              3. (Reachability) New methods:
                1. Python CVE-2024-39303
              4. (SAST) New methods:
                1. Improper certificate validation default

              Release 37

              August

              Release 36

              1. (ASPM) Free trial unavailable for clients: Free trial is unavailable for current clients, preventing the creation of new groups and organizations.
              2. (ASPM) Custom fix from the platform: Generate a custom fix inside the platform.
              3. (ASPM) Enhanced reattack requests for multiple vulnerabilities: Improved the vulnerabilities verification request flow. This also includes some UX improvements.
              4. (ASPM) Closing reasons: The reason why a vulnerability was closed is specified.
              5. (ASPM) Show relevant files for mobile environments: Hid files unrelated to mobile environments from the dropdown list on the Add environment screen.
              6. (ASPM) Total types in Analytics: Enhanced information on total types of vulnerabilities in Analytics.
              7. (ASPM) Onboarding notifications: Updated free trial enrollment and abandonment emails.
              8. (ASPM) Mailmap management: Granted mailmap editing role to Customer Managers and view role to User Managers.
              9. (SAST) New methods:
                1. TS XSS pug from file precompiled.

              Release 35

              1. (CSPM) New methods:
                1. AWS API Gateway Insecure TLS Version.
                2. AWS ACM Certificate Expired.
                3. AWS API Gateway Cache Encryption Disabled.
                4. AWS App Mesh Virtual Gateway TLS Disabled.
                5. AWS App Mesh Virtual Gateway Access Logging Disabled.
              2. (SAST) New methods:
                1. Java insecure cors web view.
                2. Java declare insecure trust manager.
                3. Java insecure biometric auth.
                4. TS sequelize injection.
                5. JS jwt secret insecure source.
                6. TS jwt secret insecure source.
                7. Docker weak ssl TLS.
                8. Docker insecure builder sandbox.
                9. Docker insecure cleartext protocol.
                10. Docker weak hash algorithm.
                11. Docker insecure network host.

              Release 34

              1. (ASPM) First-letter search in dropdowns: Filter the available options of dropdown menus by typing the first letters of the name or identifier of the desired item.
              2. (ASPM) Branch and URL change: Implemented branch and URL change in roots for specific cases.
              3. (ASPM) Improved root moving notifications: Accurate messages to group members when roots are moved.
              4. (ASPM) Enhanced mailmap management: Multiple enhancements to the mailmap to prevent errors and improve alias management.
              5. (SAST) New methods:
                1. TS XSS pug from file.
                2. TS unvalidated xml parsed in vm.
                3. TS file unauthorized access.
                4. CSharp XXE resolver.
                5. CSharp insecure cbc iv.
                6. Docker sensitive mount.
                7. Curl insecure certificates.

              Release 33

              1. (ASPM) Compliance CSV export: New CSV report that shows the relationship between the unmet security requirement and the location where the non-compliance is occurring.
              2. (SAST) New methods:
                1. Android apk keyboard cache exposure.
                2. TS NoSql injection ternary.
                3. JS NoSql injection ternary.
                4. CSharp technical info leak.
                5. CSharp token validation checks.
                6. CSharp code injection.

              Release 32

              1. (CSPM) New methods:
                1. Azure app service mutual TLS is disabled.

              July

              Release 31

              1. (ASPM/SAST) Reattacking a machine vulnerability: Removed the justification required to request reattacks for automatically reported vulnerabilities.
              2. (ASPM) Group consulting: Feature is deprecated.
              3. (ASPM) Mobile environments: Preserve vulnerabilities for mobile apps, improving updates to the related environment (file).
              4. (ASPM) Compliance report notifications: An alert is shown when the user doesn't have a mobile number registered.
              5. (ASPM) SSH root cloning: Port configuration is required for non-standard ports.
              6. (ASPM) Mailmap import: Add bulk import feature to mailmap.
              7. (SAST) New methods:
                1. CSharp insec direct write.

              Release 30

              1. (ASPM) CVSS migration: Transition entirely to version 4.
              2. (ASPM) AWS Marketplace: Enable integration.
              3. (CSPM) New methods:
                1. AWS S3 Log delivery write access.
                2. AWS EC2 Instance has multiple network interfaces.
              4. (SAST) New methods:
                1. JS/TS cookie service sensitive info.
                2. CSharp log injection.
                3. CSharp insecure elliptic curve.
                4. PHP insecure elliptic curve.

              Release 29

              1. (ASPM) CVSS Update: Transition from CVSS 3.1 to version 4 in policies.
              2. (ASPM) Root removal option: Allow users to remove a new root without returning to the previous step.
              3. (ASPM) Exposure column: Include "Exposure" in the Technical Report.
              4. (ASPM) Branch flexibility: Allow the same repository with a different branch in a group if one is deactivated.
              5. (CSPM) New methods:
                1. AWS EC2 Instance using IMDS V1.
              6. (SAST) New methods:
                1. PHP discloses server version.
                2. PHP insecure expiration time.
                3. PHP server leaks errors.
                4. PHP http only disabled.

              Release 28

              1. (ASPM) Access granted: Include the granted role in the notification.
              2. (CSPM) New methods:
                1. Azure SQL DB Transparent Encryption Is Disabled.
                2. Azure VM Scale Set Does Not Have Zonal Redundancy.
              3. (SAST) New methods:
                1. TF K8s Host IPC Enabled.
                2. TF K8s Host Network Enabled.
                3. TF K8s HostPID Enabled.
                4. TF K8s Host Path Volumes.
              4. (DAST) New methods:
                1. X permitted cross domain policies.

              Release 27

              1. (ASPM) Webhooks: Relocate to the Integrations Hub.
              2. (ASPM) New ASPM: Launch the platform's new design for external users.
              3. (SAST) New methods:
                1. TF K8s Container Without Context.
                2. TF K8s Host Process Enabled.
              4. (DAST) New methods:
                1. Unsafe http xframe options.
                2. CDN vulnerable element.
                3. Access control any origin.
                4. HTTP error in response.

              June

              Release 26

              1. (ASPM) Token management: Use SecretStorage to securely store tokens.
              2. (CSPM) New methods:
                1. Azure DB PSQL Flex Server Insecure TLS Version.
                2. Azure Redis Cache Allows Connections Without SSL.
                3. Azure DB PSQL Flex Server Firewall Allows Public Access.
                4. Azure DB PSQL Flex Server Connection Throttling Disabled.
              3. (SAST) New methods:
                1. TF K8s Check Run as User.
                2. TF K8s Check Privileged Used.
                3. TF K8s Check If Sys Admin Exists.
                4. JS hardcoded key hmac.
                5. TS hardcoded key hmac.
                6. TF K8s host network enabled.
                7. TF K8s hostpid enabled.
                8. TF K8s host process enabled.
                9. TF K8s host path volumes.
                10. PHP insecure ssl tls stream.
                11. PHP sensitive http sent.
                12. CSharp http only cookie.

              Release 25

              1. (SAST) New methods:
                1. TF K8s Check Add Capability.
                2. TF K8s Root Filesystem Read Only.
                3. TF K8s Check Seccomp Profile.
                4. TF K8s Check Drop Capability.
                5. TF K8s Check If Capability Exists.
                6. TF K8s SA Token Enabled.
                7. TF K8s SA Token Enabled.
                8. TF K8s Image Has Digest.
                9. TS nosql injection.
                10. JS nosql injection.
                11. PHP insecure SSL TLS HTTP.

              Release 24

              1. (ASPM) Migrate authors: Author data is available in the platform.
              2. (ASPM) GitLab integration: Implement integration with GitLab.
              3. (ASPM) Azure DevOps integration: Implement integration with Azure DevOps.
              4. (CSPM) New methods:
                1. Azure API Mgmt Uses the Triple DES Cipher Algorithm.
                2. Azure MongoDB NSG Allows Unrestricted Access.
                3. Azure MS SQL Server NSG Allows Unrestricted Access.
                4. Azure MySQL NSG Allows Unrestricted Access.
                5. Azure NetBIOS NSG Allows Unrestricted Access.
                6. Azure Oracle Database NSG Allows Unrestricted Access.
                7. Azure PostgreSQL DB NSG Allows Unrestricted Access.
                8. Azure VMs NSG Allows Unrestricted Access.
                9. Azure RPC NSG Allows Unrestricted Access.
                10. Azure SMTP NSG Allows Unrestricted Access.
                11. Azure SSH NSG Allows Unrestricted Access.
                12. Azure UDP Ports NSG Allows Unrestricted Access.
              5. (SAST) New methods:
                1. TF K8s Allow Privilege Escalation Enabled.
                2. TF K8s Root Container.
                3. TF Kubernetes Insecure Port.
              6. (SCA) New methods:
                1. Poetry toml deps.
              7. (DAST) New methods:
                1. SSL certificate expired.
                2. SSL self signed certificate.
                3. SSL wrong cn.
                4. SSL wildcard certificate.

              Release 23

              1. (ASPM) Vulnerability remediation: Create a comprehensive guide for the remediation of vulnerabilities.
              2. (ASPM) Token workflow: Update the process for creating and renewing DevSecOps tokens.
              3. (CSPM) New methods:
                1. Azure API Mgmt SVC Does Not Use a Managed Identity.
                2. Azure Key Vault Admin Permissions on Keys.
                3. Azure Search Service Public Network Access Is Enabled.
              4. (SAST) New methods:
                1. PHP insecure mcrypt.
                2. PHP insecure openssl.

              May

              Release 22

              1. (ASPM) Safe vulnerabilities tracking: Enable tracking for safe vulnerabilities and specify the cause of their closure.
              2. (ASPM) VM permissions: Modify permissions assigned to vulnerability managers related to roots management.
              3. (AGENT) Specific path argument: Add an argument to define and analyze specific paths within a repository.
              4. (CSPM) New methods:
                1. Azure DB PSQL Flexible Server SSL Disabled.
                2. Azure Data Lake Allows Access from Any Source.
                3. Azure Synapse Firewall Allows Public Access.
                4. Azure Cosmos DB Public Network Access Is Enabled.
                5. Azure DataFactory Public Network Access Is Enabled.
                6. Azure API Mgmt SVC Public Network Access Is Enabled.
                7. Azure Key Vault Public Network Access Is Enabled.
              5. (SAST) New methods:
                1. C sharp sql injection request.
                2. PHP XML parser.

              Release 21

              1. (ASPM) Table sorting: Enable sorting options for items listed in the Jira table.
              2. (ASPM) Credentials table usage info: Indicate which credentials are currently in use within the credentials table.
              3. (SAST) New methods:
                1. PHP generates insecure token.
                2. PHP uses sha1 in query.

              Release 20

              1. (ASPM) WhatsApp OTP: Enable OTP delivery via WhatsApp when users add or update their mobile number.
              2. (CSPM) New methods:
                1. Azure API Mgmt Front Insecure TLS Version.
                2. Azure Subscription Does Not Have a Locking Resource Manager.
                3. Azure App Service HTTP2 Is Disabled.
                4. Azure Subscription Has at Least Two Owners.
                5. Azure Search Service Does Not Use a Managed Identity.
                6. Azure Search Service Insufficient Replicas Configured.
                7. Azure Search Service Has Insufficient Replicas Configured.
              3. (SAST) New methods:
                1. APK task hijacking.
                2. APK clear text traffic.
                3. PHP sql leak errors.
                4. PHP insecure file upload.
                5. PHP unsafe path traversal.
                6. PHP excessive access mode.
                7. PHP technical info leak.
                8. PHP weak random.
                9. PHP insecure deserialization.
              4. (DAST) New methods:
                1. Cont sec pol frame ancestors.
                2. Cont sec pol wild uri.
                3. Cont sec pol missing obj.
                4. Cont sec pol missing script.
                5. Cont sec pol unsafe line.
                6. Cont sec pol hosts jsonp.
                7. Missing referrer policy.
                8. Strict transport low max age.
                9. Strict transport include subdomains.
                10. X content type options nosniff.

              Release 19

              1. (ASPM) Expanded export columns: Add new columns to the DevSecOps view table and include them in the related CSV export.
              2. (ASPM) Nickname edition: Allow customers to edit the nicknames of Git roots.
              3. (ASPM) Vulnerability filters: Add filters to the API for sorting and categorizing vulnerabilities.
              4. (ASPM) Grouped vulnerabilities: Show a summary of vulnerabilities grouped by technique in the result log.
              5. (CSPM) New methods:
                1. Azure Dev Portal Has Auth Methods Inactive.
              6. (SAST) New methods:
                1. JS hardcoded credentials in test.
                2. TS hardcoded credentials in test.

              April

              Release 18

              1. (SAST) CLI using parameters: Allow execution of the CLI using configurable parameters.
              2. (SAST) New methods:
                1. JS command injection serialize.
                2. JS exposed private key.
                3. TS exposed private key.
                4. JS sensitive info in endpoint.
                5. TS sensitive info in endpoint.
                6. TS xml parser inside context.
                7. PHP unsafe xss content.

              Release 17

              1. (ASPM/AGENT) Execution details: Include the final status indicating if the build was broken in the Execution details.
              2. (ASPM) Secrets management: Allow permissions to be granted to other users for managing secrets in environment URLs.
              3. (ASPM) Tables management: Add a marker to inform users when some columns are hidden.
              4. (ASPM) Environments management: Automatically close vulnerabilities when the associated environment is deleted.
              5. (CSPM) New methods:
                1. Azure DB for MySQL Flex Servers Insecure TLS Version.
                2. Azure Role-Based Access Control on Key Vault Is Not Enabled.
                3. Azure Function App with Admin Privileges.
                4. Azure Role Actions Is a Wildcard.
                5. Azure App Service Allows HTTP Traffic.
                6. Azure API Not Enforce HTTPS.
                7. AZ Subscription Not Allowed Resource Types Policy.
                8. Azure App Service Does Not Use a Managed Identity.
                9. Azure Function App Logging Is Disabled.
                10. Azure Keys Expiration Date Is Not Enabled.
                11. Azure Secret Expiration Date Is Not Enabled.
                12. Azure App Service Always On Is Not Enabled.
                13. Azure Batch Jobs Runs in Admin Mode.
                14. Azure Function App Use Not Host Keys.
                15. Azure Publicly Exposed Funct App.
              6. (SAST) New methods:
                1. TS express accepts any mime.
                2. JS express accepts any mime.
                3. JS insecure cors origin.
                4. TS insecure cors origin.
                5. Github actions without hash.

              Release 16

              1. (ASPM) Warning message: Display a warning message indicating the existence of environments associated with a root when it is deactivated.
              2. (CSPM) New methods:
                1. Azure db mysql firewall allows public access.
                2. Azure db mysql ssl disabled.
                3. Storage lifecycle is not defined.
                4. Azure db sql insecure audit retention period.
                5. Azure db sql extended audit disabled.
                6. Azure db sql firewall allows public access.
              3. (SAST) New methods:
                1. PHP hardcoded init vector.
                  2. PHP hardcoded password.
                3. PHP insecure hash.
                4. TS local file inclusion.
                5. TS open redirect.
                6. JS hardcoded password.
                7. TS hardcoded password.
                8. TS sensitive info in params.

              Release 15

              1. (IDE) Jira integration: Enable access to all vulnerability information directly within the IDE.
              2. (ASPM) Require OTP for login: Implement a security measure to reduce associated risks.
              3. (ASPM) Delete group: Send an email notification when a group is deleted.
              4. (CSPM) New methods:
                1. Azure db postgresql connection throttling disabled.
                2. Azure db postgresql ssl disabled.
                3. Azure db postgresql insecure tls version.
                4. Azure db postgresql log settings disabled.
                5. Azure db postgresql log checkpoints disabled.
                6. Azure db postgresql firewall allows public access.
                7. Azure db postgresql insecure log retention.
              5. (SAST) New methods:
                1. Html uses innerhtml.
                2. JS file size limit missing.
                3. TS file size limit missing.
                4. JS directory listing.
                5. TS directory listing.
                6. JS error handler enabled.
                7. TS error handler enabled.

                Release 14

                1. (ASPM) Simplify free trial: Reduce the steps required to start a free trial.
                2. (ASPM) Notifications subjects: Update notification subjects for improved clarity.
                3. (ASPM) Group created notifications: Add notifications to keep users updated on group creation events.
                4. (SCA) SCA reports in lock files: Publish SBOMs for Fluid Attacks components.
                5. (SCA) Fluid Attacks SBOMs: Publish SBOMs for Fluid Attacks components.
                6. (CSPM) New methods:
                  1. Azure vm encryption at host disabled.
                  2. Azure aks has rbac disabled.
                7. (SAST) New methods:
                  1. PHP insecure encrypt AES.
                  2. PHP remote command execution.
                  3. PHP has empty catch.

                March

                Release 13

                1. (ASPM/AGENT) Technical debt policy: Implement a grace period before the agent breaks the build due to new vulnerabilities.
                2. (SAST) Analyze PHP code: Add support for analyzing PHP code with the scanner.
                3. (CSPM) New methods:
                  1. Azure aks api server allows public access.
                  2. Azure aks has kubenet network plugin.
                  3. Azure storage not enabled infrastructure encryption.
                4. (SAST) New methods:
                  1. PHP basic authentication.
                5. (SCA) New methods:
                  1. Gradle wrapper properties.
                  2. CycloneDX JSON deps.
                  3. SPDX JSON deps.

                Release 12

                1. (SCA) Standard format: Ensure compliance with Fluid SBOM format requirements.
                2. (ASPM) Approve ZR: Address misuse of ZR requests by customers attempting to bypass build failures.
                3. (CSPM) New methods:
                  1. Azure aks has enable local accounts.
                  2. Azure aks is not using latest version.
                  3. Azure container registry is not using replication.
                4. (SAST) New methods:
                  1. PHP info leak errors.
                  2. Java insecure engine cipher ssl.
                  3. Docker compose ssh pass.
                5. (SCA) New methods:
                  1. Gemfile missing package lock.
                  2. Erlang missing package lock.
                  3. Cargo missing package lock.
                  4. Conan missing package lock.
                  5. Pipfile missing package lock.
                  6. Composer missing package lock.
                  7. Nuget missing package lock.

                Release 11

                1. (ASPM) Plans' names: Update and standardize the names of plans.
                2. (ASPM) Videos on evidences: Add an additional field to upload video file evidence into findings.
                3. (ASPM) Connector notifications: Send email alerts when a secure connector goes offline.
                4. (ASPM) Environment secrets: Add an indicator to show the existence of secrets on the Environment URL.
                5. (SCA) Lock files: Add support for lock files.
                6. (SCA) Gradle wrapper: Enable SCA support for gradle-wrapper.properties.
                7. (CSPM) New methods:
                  1. Azure blob soft deleted disabled.
                  2. Azure network app gateway waf is disabled.
                  3. Azure network watcher not enabled.
                  4. Azure network flow log insecure retention period.
                  5. Azure network group using port ranges.
                  6. Azure firewall network rules unrestricted.
                  7. Azure network firewall app rules unrestricted.
                  8. Azure container registry admin user enabled.
                  9. Azure network out of date owasp rules.
                  10. Azure insecure TLS version.
                  11. Azure allows FTP deployments.
                  12. Azure key vault soft delete retention.
                  13. Azure remote debugging enabled.
                  14. Azure authentication is not enabled.
                8. (SAST) New methods:
                  1. PHP insecure cors.
                  2. DB credentials exposed in code.
                  3. Java credentials exposed in code.
                  4. Swift credentials exposed in code.
                  5. Python credentials exposed in code.
                9. (SCA) New methods:
                  1. Nuget pkgs lock json.

                Release 10

                1. (ASPM) Org/group policy: Update policy to address temporary acceptance of vulnerabilities based on CVSS scores.
                2. (ASPM) Vulnerabilities evidences: Increase the allowable size limit for supporting evidence submissions.
                3. (ASPM) Events alert: Implement a color-coded circle indicator to flag groups with pending events.
                4. (SCA) Vulnerabilities prioritization: Integrate EPSS scoring into SCA advisories and vulnerability assessments.
                5. (CSPM) New methods:
                  1. TF allows priv escalation by policies versions.
                  2. Azure network ftp ingress not restricted.
                  3. Azure network dns ingress not restricted.
                  4. Azure network cifs ingress not restricted.
                  5. Azure network rdp ingress not restricted.
                  6. Azure network ssh ingress not restricted.
                  7. Azure network group allows public access.
                  8. Azure network telnet ingress not restricted.
                  9. Azure network icmp ingress not restricted.
                  10. Azure network https ingress not restricted.
                  11. Azure network http ingress not restricted.
                  12. Azure disabled accidental purge.
                6. (SAST) New methods:
                  1. PHP uses eval.
                7. (SCA) New methods:
                  1. Pipfile lock.
                  2. Pipfile deps.

                February

                Release 9

                1. (ASPM) Exclusions as Code: Enable EaC functionality for all SKIMS modules.
                2. (ASPM) Organization analytics: Ensure downloaded CSV files from Analytics graphics include complete and relevant information for all groups within the organization.
                3. (ASPM) Secrets modal: Replace the dropdown for "Secret Description" with a dedicated column inside the Secrets modal.
                4. (ASPM) Reattacks overhaul: Implement checks to prevent reattack reviews on outdated locations or files.
                5. (ASPM) Notifications: Update notification wording regarding resolved vulnerabilities for improved clarity.
                6. (SAST) Multi-file scanning: Enable multi-file scanning for SAST methods.
                7. (CSPM) New methods:
                  1. Azure storage account not enforcing latest tls.
                  2. Azure storage account allows public network access.
                  3. Azure redis public network access enabled.
                  4. Azure redis authnotrequired enable.
                  5. Azure redis insecure tls version.
                  6. Azure redis insecure port.
                  7. Azure storage account microsoft bypass.
                  8. Azure containers soft deleted disabled.
                  9. Azure redis firewall allows public access.

                  Release 8

                  1. (ASPM) Closing date filter: Allow users to define a date range for closing dates when generating custom technical reports for groups.
                  2. (ASPM) Root nickname: Display the root nickname associated with a vulnerability.
                  3. (CSPM) New methods:
                    1. Azure blob containers are public.
                    2. Azure storage account allows public blobs.

                  Release 7

                  1. (ASPM) Webhooks: Enable integration with any application that supports the webhook standard.
                  2. (ASPM) Move roots in batch: Allow batch moving of roots to keep the ToE updated and organized.

                  Release 6

                  1. (ASPM) Vulnerabilities report: Ensure the vulnerabilities report is available 24/7.
                  2. (ASPM) AWS authentication for CodeCommit: Enable cloning of CodeCommit repositories using IAM credentials.
                  3. (ASPM) Import repositories: Allow importing multiple repositories into the platform using a CSV file.
                  4. (SAST/DAST/CSPM) Initialization time: Optimize CLI executions for improved speed.

                  January

                  Release 5

                  1. (IDE) Automatic extension restart: Automatically apply new changes without manual restarts.
                  2. (CSPM) GCP and Azure regions on CSPM module: Extend CSPM coverage to include more regions in GCP and Azure.
                  3. (ASPM) Display a cancel button when editing: Improve user experience by adding a cancel button when editing.
                  4. (ASPM) Organization column: Add an "Organization" column in the To Do and Events sections, including its export in the CSV file.
                  5. (CSPM) New methods:
                    1. Azure vm SSH key authentication.

                  Release 4

                  1. (ASPM) New support platform: Implement a seamless process for customer support.
                  2. (ASPM) Checkly and Statuspage integration: Provide more detailed information about Fluid Attacks service status.
                  3. (ASPM) Requirements descriptions: Add comprehensive descriptions for all requirements.
                    4. (ASPM) Improve pop-ups: Display emergent messages for adding new API tokens and mobile numbers.
                    5. (CSPM) New methods:
                      1. AWS report inspector lambda vulns.

                    Release 3

                    1. (ASPM) Implement new status page: Implement a live status page to monitor service availability.
                    2. (ASPM) Describe Help process: Describe and explain the support process in the documentation.
                    3. (ASPM) Update OWASP MASVS: Update to the latest OWASP MASVS standard version.
                    4. (ASPM) Add new standard compliance FISMA: Add FISMA as a new standard in the compliance documentation.
                    5. (ASPM) Replace field in events: Replace the "Client" field with "Root" (nickname) in Events.
                    6. (ASPM) Last requested reattack in technical reports: Display the last requested reattack date for each location in technical reports.
                    7. (ASPM) Sbom linking lines to vulnerabilities: Provide direct links to vulnerabilities for more detailed information.
                    8. (ASPM) Exposure management over time (%): Add more decimal precision for improved understanding of percentages over time.
                    9. (CSPM) New methods:
                      1. AWS report inspector vulns.
                      2. AWS report inspector ecr vulns.

                    Release 2

                    1. (CSPM) Reducing F325 wildcards FP: Improve detection methods to reduce false positives for F325 wildcards.
                    2. (CSPM) AWS region in CSPM module: Run CSPM checks across all AWS regions.
                    3. (ASPM) Upgrade prices: Update and display the latest service prices on the platform.
                    4. (ASPM) Display secure connector logs: Make secure connector logs available for viewing on the platform.
                    5. (ASPM/SAST/DAST) Egress support: Add more connection methods to clone repositories and access environments.

                    Release 1

                    1. (ASPM) Add links to breadcrumbs: Add links to breadcrumbs for easier navigation within the documentation.

                    2023

                    December

                    Release 52

                    1. (SCA) Improved clarity of the Skims SCA output logs, including CVE details and safer versions.
                    2. (SCA) Integrated OSV vulnerability database as a new source for SCA.

                    Release 51

                    1. (CSPM) Updated CSPM configuration to comply with AWS cross-account role requirements.

                    Release 50

                    1. (ASPM) Improved snippet processing for reports.
                    2. (CSPM) New methods:
                      1. AWS rds cluster not inside a db subnet group
                      2. AWS rds has public cluster

                    Release 49

                    No features were delivered during this iteration.

                    November

                    Release 48

                    No features were delivered during this iteration.

                    Release 47

                    No features were delivered during this iteration.

                    Release 46

                    1. (SCA) New method:
                      1. Npm missing package lock

                    Release 45

                    1. (SAST) New method:
                      1. Java accepts any mimetype obj

                    October

                    Release 44

                    1. (SCA) SCA support was expanded to report malware cases.
                    2. (SAST) New method:
                      1. Go insecure query

                    Release 43

                    1. Implemented exclusion of vulnerabilities for Skims using NOFLUID directives.

                    Release 42

                    1. (CSPM) New method:
                      1. AWS ec2 has modify attribute

                    Release 41

                    1. (SCA) Added SCA support for .NET exe.config files.
                    2. (ASPM) Improved Skims usability by allowing execution without mandatory configuration.
                    3. (SCA) New method:
                      1. Net framework config
                    4. (SAST) New methods:
                      1. Cfn s3 buckets allow unauthorized public access
                      2. Tfm public buckets acl
                      3. Tfm s3 buckets allow unauthorized public access

                    September

                    Release 40

                    1. (ASPM) Updated Boto3 for AWS CSPM module in Skims.
                    2. (ASPM) Introduced handling for disputed SCA advisories in Skims.

                    Release 39

                    1. (ASPM) Ensured Skims compliance with SARIF 2.1 format.
                    2. (ASPM) Optimized CSPM module processing of ARN, URI, and ID values.
                    3. (SAST) New methods:
                      1. Cs stored password
                      2. Swift hc secret jwt

                    Release 38

                    1. (CSPM) New methods:
                      1. AWS cloudtrail not logging
                      2. Azure storage account not enforcing latest tls
                      3. Azure storage account not enforcing https
                      4. Azure storage account geo replication disabled
                      5. Azure storage account allows public traffic
                    2. (DAST) New methods:
                      1. Http x backend server header leaked
                      2. Http x aspnet mvc version header leaked
                      3. Http x aspnet version header leaked
                      4. Http permissions policy header not present
                    3. (SAST) New method:
                      1. Dotnetconfig asp version enabled

                    Release 37

                    1. (CSPM) New methods:
                      1. AWS s3 private buckets not blocking public acls
                      2. Gcp storage object versioning is not enabled
                      3. Gcp storage uniform bucket level access is disabled
                      4. Gcp storage retention policy is not configured
                      5. Gcp storage logging is not enabled on storage bucket
                      6. AWS apigateway allows anonymous access
                    2. (DAST) New methods:
                      1. Http access control allow methods insecure
                      2. Http x powered by header leaked
                    3. (SAST) New methods:
                      1. Cs override auth modifier
                      2. Cs has public cache header

                    August

                    Release 36

                    1. (CSPM) Standardized cloud security checks across CloudFormation, Terraform, and DAST AWS methods.
                    2. (CSPM) Enhanced readability of CSPM DAST method reports.
                    3. (SAST) Optimized Skims by ignoring node_modules during scans of Node.js projects.
                    4. (CSPM) New methods:
                      1. AWS iam policies attached to users
                      2. AWS ec2 vpc without flowlog
                      3. AWS iam admin policy attached
                      4. AWS s3 public buckets
                      5. Azure blob containers are public
                      6. Gcp storage public buckets
                      7. AWS iam allows priv escalation by attach policy
                      8. AWS cloudfront insecure protocols
                      9. AWS ec2 anyone admin ports
                      10. AWS ec2 unrestricted cidrs
                      11. AWS ec2 unrestricted ip protocols
                      12. AWS ec2 sec groups rfc1918
                      13. AWS ec2 unrestricted dns access
                      14. AWS ec2 unrestricted ftp access
                      15. AWS ec2 open all ports to the public
                      16. AWS ec2 default all traffic
                      17. AWS ec2 insecure port range
                      18. AWS ec2 acl allow egress traffic
                      19. AWS ec2 acl allow all ingress traffic
                      20. AWS ec2 vpc endpoints exposed
                      21. AWS iam group with inline policy
                      22. AWS iam user with inline policy
                      23. AWS iam open passrole
                      24. AWS iam has permissive role policy
                      25. AWS iam full access ssm
                      26. AWS iam negative statement
                      27. AWS elb2 insecure security policy
                      28. AWS rds has public instances
                      29. AWS s3 bucket policy encryption disable
                      30. AWS rds not inside a db subnet group
                      31. AWS iam user with multiple access keys
                      32. AWS ec2 has default security groups in use
                      33. AWS ec2 default security group
                      34. AWS s3 acl public buckets
                      35. AWS iam permissive policy
                      36. AWS iam min password len unsafe
                      37. AWS cloudtrail is trail bucket logging disabled
                    5. (DAST) New methods:
                      1. Http server header leaked
                      2. Http x xss protection enabled
                    6. (SAST) New methods:
                      1. Dotnetconfig anon auth enabled
                      2. Kt hc secret alg instance
                      3. Tfm redshift has encryption disabled
                      4. Cfn redshift has encryption disabled
                      5. Go hardcoded symmetric key
                    7. (SCA) New methods:
                      1. Poetry lock deps
                      2. Maven gradle kts

                    Release 35

                    1. (SCA) Added support for Erlang and Swift package managers in Skims SCA.
                    2. (CSPM) Implemented a unified workflow for adding GCP accounts.
                    3. (SCA) Added SCA vulnerability reporting for dependencies in GitHub Actions YAML files.
                    4. (SCA) Introduced support for Rust's Cargo package manager in Skims.
                    5. (SAST) New methods:
                      1. Python insecure jwt key
                      2. Cfn sqs has encryption disabled
                      3. Tfm sqs has encryption disabled
                      4. Tfm sns has server side encryption disabled
                      5. Cfn sns has server side encryption disabled
                      6. Cs hardcoded symmetric key
                    6. (SCA) New methods:
                      1. Swift packages dev
                      2. Erlang mix deps dev
                      3. Github actions deps
                      4. Erlang mix lock deps
                      5. Erlang mix deps
                      6. Cargo toml deps dev

                    Release 34

                    1. (SCA) Added support for pnpm-lock.yaml in dependency analysis.
                    2. (SAST) New methods:
                      1. Cfn redshift has user activity log disabled
                      2. Tfm redshift has user activity log disabled
                      3. Tfm elasticache transit encryption disabled
                      4. Cfn elasticache transit encryption disabled
                      5. Tfm elasticache uses default port
                      6. Cfn aws elb listener on http
                      7. Cfn elasticache uses default port
                      8. Cfn redshift not requires ssl
                      9. Tfm redshift not requires ssl
                      10. Tfm redshift has public clusters
                      11. Cfn redshift has public clusters
                      12. Tfm aws elb listener on http
                      13. Tfm rds not uses iam authentication
                      14. Cfn rds not uses iam authentication
                      15. Tfm eks has endpoints publicly accessible
                      16. Cfn eks has endpoints publicly accessible
                    3. (SCA) New methods:
                      1. Cargo lock deps
                      2. Cargo toml deps
                      3. Html script dependencies
                      4. Pnpm package lock dev
                      5. Pnpm package lock

                    Release 33

                    1. (CSPM) Defined the foundational structure for GCP DAST checks.
                    2. (SAST) New methods:
                      1. Cfn redshift has audit logs disabled
                      2. Tfm redshift has audit logs disabled
                      3. Java jwt unsafe decode
                      4. Java jwt without proper sign
                      5. Tfm cognito has mfa disabled
                      6. Cfn cognito has mfa disabled
                      7. Cfn sqs is public
                      8. Python insecure cipher mode
                      9. Tfm sqs is public
                      10. Java hostname verification off
                      11. Java insecure cipher mode
                      12. Kt insecure cipher mode
                      13. JS regex injection
                      14. TS regex injection
                      15. Python regex injection
                      16. Cfn allows priv escalation by attach policy

                    Release 32

                    1. (SAST) New methods:
                      1. Cfn allows priv escalation by policies versions
                      2. Tfm allows priv escalation by policies versions
                      3. Tfm allows priv escalation by attach policy

                    July

                    Release 31

                    No features were delivered during this iteration.

                    Release 30

                    1. (SAST) New method:
                      1. Python exposed auth token

                    Release 29

                    1. (SAST) New methods:
                      1. Kubernetes uses http server
                      2. Kubernetes uses http
                      3. K8s check host pid
                      4. K8s check if sys admin exists
                      5. Python insecure authentication

                    Release 28

                    1. (SAST) New method:
                      1. K8s check if capability exists

                    Release 27

                    1. (SAST) New methods:
                      1. Cfn aws sec group using tcp
                      2. Tfm s3 versioning disabled
                      3. Tfm iam trust policy wildcard action

                    June

                    Release 26

                    1. (SCA) Added support for Conan.
                    2. (SAST) New methods:
                      1. Tfm iam policy apply to users
                      2. Cfn iam policy apply to users
                      3. Tfm iam permissions policy not resource
                      4. Tfm iam permissions policy not action
                      5. Tfm iam trust policy not principal
                      6. Tfm iam trust policy not action
                      7. Tfm policy server encryp disabled
                      8. Tfm rds pub accessible
                      9. Tfm api all http methods enabled
                      10. Cfn http methods enabled
                      11. Tfm http methods enabled
                      12. Cfn iam excessive role policy
                    3. (SCA) New methods:
                      1. Conan lock dev
                      2. Conan lock

                    Release 25

                    No features were delivered during this iteration.

                    Release 24

                    No features were delivered during this iteration.

                    Release 23

                    1. (ASPM) Implemented severity and CWE reporting at the location level.
                    2. (SCA) Added support for SCA in Go.

                    May

                    Release 22

                    No features were delivered during this iteration.

                    Release 21

                    1. (SAST) New method:
                      1. Tfm aws sec group using tcp

                    Release 20

                    No features were delivered during this iteration.

                    Release 19

                    1. (ASPM) Implemented exit codes in CLI to indicate vulnerability detection status.
                    2. (ASPM) Added CVSS 3.1 Exploit Code Maturity metric to vulnerability reports.
                    3. (ASPM) Started documentation for scanner (Skims) output to clarify results interpretation.

                    April

                    Release 18

                    No features were delivered during this iteration.

                    Release 17

                    1. (ASPM) Integrated documentation URLs in vulnerability reports for better understanding.
                    2. (ASPM) Updated standalone scanner configuration file syntax for better usability.

                    Release 16

                    1. (ASPM) Created official Skims documentation to explain usage as a SAST scanner.
                    2. (SAST) New method:
                      1. Xml header allow danger methods
                    3. (CSPM) New method:
                      1. AWS sns can anyone subscribe

                    Release 15

                    1. (CSPM) New methods:
                      1. AWS sns can anyone publish
                      2. AWS sqs is public
                      3. AWS sqs has encryption disabled
                      4. AWS sns has server side encryption disabled
                    2. (SAST) New methods:
                      1. Cfn server ssl disabled
                      2. Java insec sign algorithm
                      3. Python insec hash library
                      4. Kotlin accepts any mime type

                    Release 14

                    1. (SAST) Enhanced Dart's SAST flow to enable more sophisticated logic analysis.
                    2. (SAST) New methods:
                      1. Container disabled ssl
                      2. Go accepts any mime type
                      3. Java basic authentication
                      4. Cfn insecure certificate
                    3. (CSPM) New methods:
                      1. AWS elasticache rest encryption disabled
                      2. AWS elasticache transit encryption disabled

                    March

                    Release 13

                    1. (SAST) Enhanced infrastructure files analysis (HCL and YAML).
                    2. (CSPM) New methods:
                      1. AWS redshift not requires ssl
                      2. AWS redshift has audit logs disabled
                      3. AWS redshift has user activity log disabled
                      4. AWS redshift has encryption disabled
                      5. AWS elasticache uses default port
                      6. AWS dynamodb not del protec
                    3. (SAST) New methods:
                      1. Kotlin vuln regex
                      2. Dotnetconfig excessive auth privileges
                      3. Kt xml parser
                      4. Python accepts any mime
                      5. Python http only cookie
                      6. JS debugger enabled
                      7. TS debugger enabled
                      8. Python secure cookie

                    Release 12

                    1. (SAST) Extended secret detection to analyze more configuration files.
                    2. (SAST) New methods:
                      1. Kotlin secure cookie
                      2. Kt default http client deprecated
                      3. C sharp plain text keys
                      4. Cs insecure authentication
                      5. Kt remote command execution
                      6. Kt anonymous ldap
                    3. (CSPM) New methods:
                      1. AWS secrets has automatic rotation disabled
                      2. AWS redshift has public clusters

                    Release 11

                    1. (SAST) New methods:
                      1. Kotlin http only cookie
                      2. Tfm dynamo not del protec
                      3. Javascript accepts any mime default
                      4. Typescript accepts any mime default
                      5. Java secure cookie
                      6. Python unsafe certificate validation
                      7. Java http only cookie
                      8. Python unsafe ssl hostname
                      9. Kt insecure encription key
                      10. Javascript accepts any mime method
                      11. Typescript accepts any mime method
                      12. Kt insecure key pair gen
                    2. (CSPM) New methods:
                      1. AWS rds unrestricted db security groups
                      2. AWS rds not uses iam authentication
                      3. AWS rds has public snapshots

                    Release 10

                    1. (SAST) New methods:
                      1. Kt insecure parameter spec
                      2. Cfn dynamo not del protec
                      3. Kt insecure key gen
                      4. Kt insecure certificate validation
                      5. Kt insecure host verification
                      6. C sharp accepts any mimetype
                      7. Kt insecure init vector

                    February

                    Release 9

                    1. (SCA) Enhanced support for Pub (Dart) and Packagist (PHP) package managers.
                    2. (SAST) New methods:
                      1. Java accepts any mimetype chain
                      2. Python unsafe cipher
                      3. Java xml parser
                      4. Python regex dos
                      5. Python ldap conn auth
                      6. Java http req accepts any mimetype
                      7. Python unsafe temp file
                      8. Kt weak random
                      9. Python remote command execution
                      10. Swift insecure cryptor
                      11. Swift insecure cipher
                    3. (CSPM) New method:
                      1. AWS eks has endpoints publicly accessible

                    Release 8

                    1. (SAST) Added support for analyzing Python files in Skims.
                    2. (SAST) New methods:
                      1. Python io path traversal
                      2. Python session fixation
                      3. JS jwt insec sign algo async
                      4. TS jwt insec sign algo async
                      5. JS insec msg auth mechanism
                      6. TS insec msg auth mechanism
                      7. Cs cert validation disabled
                      8. Python ldap injection
                      9. Python deserialization injection
                    3. (CSPM) New methods:
                      1. AWS elbv2 insecure ssl cipher
                      2. AWS dynamodb encrypted with aws master keys

                    Release 7

                    1. (SAST) Improved Symbolic Evaluation logic for better accuracy in detecting vulnerabilities.
                    2. (SAST) New methods:
                      1. JS salt is hardcoded
                      2. TS salt is hardcoded
                      3. Java salt is hardcoded
                      4. Kotlin salt is hardcoded
                      5. Go salt is hardcoded
                      6. Dart salt is hardcoded
                      7. Xml allows all domains
                      8. JS jwt insec sign algorithm
                      9. TS jwt insec sign algorithm
                      10. Yml serverless cors
                      11. Dart insecure logging
                      12. Python xml parser
                    3. (CSPM) New methods:
                      1. AWS elbv2 insecure protocols
                      2. AWS cognito has mfa disabled
                    4. (SCA) New methods:
                      1. Conan conanfile py dev
                      2. Conan conanfile txt dev

                    Release 6

                    1. (SAST) New methods:
                      1. JSx lack of validation event listener
                      2. JS local storage sens data assignment
                      3. TS local storage sens data assignment
                      4. Xml header allow all methods

                    January

                    Release 5

                    1. (CSPM) New methods:
                      1. AWS iam users with password and access keys
                      2. AWS iam mfa disabled for users with console passwd
                    2. (SCA) New methods:
                      1. Conan conanfile py
                      2. Conan conanfile txt

                    Release 4

                    1. Improved support for Go and Kotlin.
                    2. (CSPM) New methods:
                      1. AWS iam has root active signing certificates
                      2. AWS iam has old ssh public keys
                      3. AWS has publicly shared amis
                      4. AWS iam allows priv escalation by policies versions
                    3. (SAST) New methods:
                      1. TSx lack of validation event listener
                      2. JS json parse unvalidated data
                      3. TS json parse unvalidated data

                    Release 3

                    1. (CSPM) New methods:
                      1. AWS iam has old creds enabled
                      2. AWS iam has old access keys
                      3. AWS iam root has access keys
                    2. (SAST) New methods:
                      1. JS local storage with sensitive data
                      2. TS local storage with sensitive data

                    Release 2

                    1. (ASPM) Use colors to identify vulnerabilities' criticality: Add colored markers based on the severity of the vulnerability to facilitate identification.
                    2. (ASPM) Add Risk Exposure (CVSSF) to our platform: Add a new column called "% Risk Exposure" that ranges from 0% to 100% in the findings and vulnerabilities tables.
                    3. (ASPM) Update of the statuses in ARM reports: Update the technical report's status column by changing the words "open" and "closed" to "safe" and "vulnerable".
                    4. (ASPM) Update treatment status: Replace the treatment status "New" with "Untreated" to improve clarity for users.
                    5. (ASPM) Organize Vulnerabilities by Risk Exposure (CVSSF): Organize vulnerabilities by default according to CVSSF and status "vulnerable".
                    6. (CSPM) New methods:
                      1. AWS iam root has mfa disabled
                    7. (SAST) New methods:
                      1. Cfn iam permissions policy not resource
                      2. Cfn iam permissions policy not action
                      3. Cfn iam trust policy not principal
                      4. Cfn iam trust policy not action
                      5. Cfn iam permissions policy wildcard resources
                      6. Cfn iam permissions policy wildcard actions
                      7. Cfn iam trust policy wildcard action
                      8. JS insecure compression algorithm
                      9. TS insecure compression algorithm
                    8. (SCA) New methods:
                      1. Pub pubspec yaml dev
                      2. Pub pubspec yaml

                    Release 1

                    1. (ASPM) Delete inactive users after 90 days: Automatically delete users from our platform after 90 days of inactivity.
                    2. (ASPM) Talk to a Hacker modal improvements: Add a new field named "ARM Group Name" with autofill to request only unknown information from users.
                    3. (ASPM) Congratulations message in compliance report: Add a congratulation message in the compliance report if the group does not have unfulfilled standards.
                    4. (CSPM) New methods:
                      1. AWS iam has mfa disabled
                      2. AWS iam not requires uppercase
                      3. AWS iam not requires lowercase
                      4. AWS iam not requires symbols
                      5. AWS iam not requires numbers
                      6. AWS iam password reuse unsafe
                      7. AWS iam password expiration unsafe
                    5. (SCA) New methods:
                      1. Composer lock dev
                      2. Composer lock
                      3. Composer json dev
                    6. (SAST) New method:
                      1. Tfm admin managed policies