Release v0.0.32

What's Changed

• feature: 🍺 Support for AssertStmt Node statement by @shivasurya in #179
• feature: Support for ReturnStmt statement by @shivasurya in #180
• fix docker command by @opstoken in #182
• feature: 🍺 Support for BlockStmt statement by @shivasurya in #181
• doc: refresh documentation for latest statement support by @shivasurya in #183
• chore: update seo title by @shivasurya in #184
• doc: Update the documentation to include BreakStmt, LabeledStmt, YieldStmt and etc by @shivasurya in #185
• chore: fix title tag issue by @shivasurya in #186
• Bump nanoid from 3.3.7 to 3.3.8 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #188
• Bump astro from 4.16.3 to 4.16.18 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #189
• chore(upgrade): Bump golang dependencies and version by @shivasurya in #192
• Bump vite from 5.4.11 to 5.4.14 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #193
• feature: 🍺 Class with inheritance support by @shivasurya in #187
• blog: add closure table blog post 📰 by @shivasurya in #196
• chore: Update Website Navigation and Messaging by @shivasurya in #197
• build(deps): bump the npm_and_yarn group across 1 directory with 3 updates by @dependabot in #198
• feat: New Pathfinder Rules page (atlas) for docs by @shivasurya in #200
• chore: updated package-lock.json by @shivasurya in #201
• chore: added rollup optional dep by @shivasurya in #202
• chore: fix link in footer by @shivasurya in #203
• build(deps): bump prismjs from 1.29.0 to 1.30.0 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #204
• feature: Code-Pathfinder online hosted sandbox playground by @shivasurya in #205
• build(deps): bump @babel/runtime from 7.26.9 to 7.26.10 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #206
• build(deps): bump the go_modules group across 2 directories with 1 update by @dependabot in #208
• release: bump version to 0.0.32 by @shivasurya in #209

New Contributors

• @opstoken made their first contribution in #182 🎉

Full Changelog: v0.0.31...v0.0.32

Release v0.0.31

What's new?

This release has query support for BreakStmt, ContinueStmt, YieldStmt, IfStmt, DoStmt, WhileStmt, ForStmt statements in source code (java) ☕ 🎉

Read latest blog post about detecting Webview vulnerabilities using Code-Pathfinder

• feature: IfStmt, DoStmt, WhileStmt, ForStmt and Generic Statement support by @shivasurya in #173
• feature: 🍺 Support for BreakStmt by @shivasurya in #174
• feature: 🍺 Support for Continue statement by @shivasurya in #175
• feature: 🍺 Support for YieldStmt statement by @shivasurya in #176

What's Changed

• doc: added ci/cd integ pages and docker updates by @shivasurya in #167
• added blog post for targeting android framework by @shivasurya in #169
• fix query name issue in blog post 🐛 by @shivasurya in #170
• chore: improve doc site by @shivasurya in #171
• chore: added pr template by @shivasurya in #172
• release: bump version to v0.0.31 by @shivasurya in #177

Full Changelog: v0.0.30...v0.0.31

Release v0.0.30

What's Changed

• chore(release): fix npm publish by @shivasurya in #162
• feature: Add SARIF file generation from result by @shivasurya in #163
• 🐛 Fix command issue in GitHub action and support sarif file format by @shivasurya in #164
• release: bump to v0.0.30 by @shivasurya in #165

Full Changelog: v0.0.29...v0.0.30

Release v0.0.29

This release has exciting new features such as CI command to scan source code for vulnerabilities within CI/CD ♾️ pipeline, docker support, GitHub Action support. 🎉

What's New?

1. Code-Pathfinder is now available in docker hub. Give it a try by pulling shivasurya/code-pathfinder:stable-latest 🐳
2. GitHub Action is now supported and you can start scanning source code. 🎉

# add as step to github action yaml file
    - name: Code-Pathfinder SAST Scan
            uses: shivasurya/code-pathfinder@main
            with:
              command: 'ci'
              project: '.'
              output-file: 'output.json'
              output: 'json'
              ruleset: 'cpf/java'

3. Code-Pathfinder now supports CI command to scan for vulnerabilities in source code. ♾️

$ pathfinder ci --project /src/code-pathfinder/test-src --ruleset cpf/java --output json --output-file output.json
...
Executing in CI mode ♾️ 

Checkout Code-pathfinder rules registry here

What's Changed

• Bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot in #151
• feature: Implement CI based pathfinder scan - part 1 by @shivasurya in #153
• feature: Implement CI scan using pathfinder rules by @shivasurya in #155
• Bump astro from 4.15.12 to 4.16.3 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #157
• ✨ Add GitHub Action template with action.yml by @shivasurya in #156
• fixed docker 🐳 tag mistake by @shivasurya in #158
• release: Bump/v0.0.29 by @shivasurya in #159

Full Changelog: v0.0.28...v0.0.29

Release v0.0.28

This release adds exciting new features such as support for querying ClassInstanceExpr where you could search for objects created with class. We have featured new blog post about codepathfinder. I have published various code pathfinder rules targeting generic java application

Code-Pathfinder Rules

• Usage of RC2/RC4 cipher
• Usage of deprecated DefaultHTTPClient
• Usage of SHA1 hash functions
• Usage of insecure Random functions for cryptographic purposes
• Usage of Blowfish crypt methods
• <More to come in next releases covering OWASP Top 10>

What's New?

• feature: Support for ClassInstanceExpr by @shivasurya in #142
• pathfinder rules: added unencrypted socket connection detection rule by @shivasurya in #143
• Blog #1 by @shivasurya in #144
• fixed unique id issue for generating unique id by @shivasurya in #146
• More pathfinder rules 🎸 by @shivasurya in #145

Chore

• Bump rollup from 4.21.3 to 4.22.4 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #140
• Improve blog post by @shivasurya in #147
• chore: improved blog post and seo by @shivasurya in #148
• chore: added blog listing by @shivasurya in #149
• release: Bump version to 0.0.28 by @shivasurya in #150

Full Changelog: v0.0.27...v0.0.28

Release v0.0.27

This release gives a huge boost to query structure and support by adding predicate support and SELECT entity keyword in code-pathfinder queries parity to CodeQL. 🚀

1. You can now declare predicates within the CQL query and invoke them within the query. It improves re-usability and puts us in better place to implement class and predicates in future release 🏅

   predicate isPublicOrProtected(method_declaration md) {
       md.getVisibility() == "public" || md.getVisibility() == "protected"
   }
   
   FROM method_declaration AS md
   WHERE isPublicOrProtected(md)
   SELECT md, "Listing all public or protected methods"

2. You can now use SELECT keyword to pick specific one from the bunch of result. ⛏️

   FROM method_invocation AS mi
   WHERE mi.getName() == "setJavaScriptEnabled" && "true" in mi.getArgumentName()
   SELECT mi, "Enabling JavaScript execution in a WebView can result in cross-site scripting attacks."

What's New?

• feature: add user defined predicate declaration and invocation support with CQL query by @shivasurya in #134
• feature: Add SELECT clause support for CQL query by @shivasurya in #137
• chore(docs): update documentation to include SELECT keyword by @shivasurya in #138

Chore

• chore(ci): added npm publish github action by @shivasurya in #130
• Bump dset from 3.1.3 to 3.1.4 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #131
• Bump path-to-regexp from 6.2.2 to 6.3.0 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #132
• Bump vite from 5.3.3 to 5.4.6 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #133
• release: Bump/v0.0.27 by @shivasurya in #139

Full Changelog: v0.0.26...v0.0.27

Release v0.0.26

What's New?

• You can now query multiple entities in a single query and compare with them in conditions and filter them like CodeQL 🚀
  Example:

  FIND method_declaration AS md, method_invocation AS mi
  WHERE md.getName() == mi.getName() &&
  md.getVisibility() != "private"

• The pathfinder cli now fresh look with code, line number, file name formatted
• If you make any mistakes in query, pathfinder cli advises you error message exactly line number and doesn't crash the program
• Posthog had issues in previous release due to breaking changes in golang sdk from posthog, which is now fixed.

Changelog

• moved to better output format ⭐ by @shivasurya in #120
• bug(posthog): upgrade posthog go version by @shivasurya in #121
• Bump actions/download-artifact from 3 to 4.1.7 in /.github/workflows in the github_actions group across 1 directory by @dependabot in #124
• Bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot in #123
• Support multiple entity selection via cartesian product 📐 by @shivasurya in #116
• added better error handling for query parsing ⭐ by @shivasurya in #126
• Bump/v0.0.26 by @shivasurya in #127
• updated release upload action v4 by @shivasurya in #128

Full Changelog: v0.0.25...v0.0.26

Release v0.0.25

Code PathFinder 🥉 v0.0.25 (Quarter century 🏏 release)

This release has major improvements in cli capabilities, added extra core entities, able to execute queries as .cql file

1. Introduced BinaryExpr as core entity. You could now search for AddExpr, AndBitwiseExpr, ComparisonExpr, AndLogicalExpr, DivExpr, EqExpr, NEExpr , LeftShiftExpr, MulExpr, OrBitwiseExpr, OrLogicalExpr, RemExpr, RightShiftExpr, SubExpr, UnsignedRightShiftExpr, XorBitwiseExpr expressions in codebase. It has both LeftOperandString() and RightOperandString() as API

   Example:

     FIND add_expression AS ad WHERE ad.getBinaryExpr().GetLeftOperandString() != "int a"

2. Code Pathfinder queries now can be stored as .cql file and execute with pathfinder cli 💻

     $ pathfinder query --project ~/src/code-pathfinder/test-src/android --query-file ../pathfinder-rules/example.cql

3. Code Pathfinder command-line interface has been freshly revamped with spf13/cobra based library.

     Code Pathfinder is designed for identifying vulnerabilities in source code.
     Usage:
         pathfinder [command]
   
     Available Commands:
       ci          Scan a project for vulnerabilities with ruleset in ci mode
       completion  Generate the autocompletion script for the specified shell
       help        Help about any command
       query       Execute queries on the source code
       scan         Scan a project for vulnerabilities with ruleset
       version     Print the version and commit information
   
     Flags:
        --disable-metrics   Disable metrics collection
        -h, --help                 help for pathfinder
   
      Use "pathfinder [command] --help" for more information about a command.

4. Pathfinder queries (*.cql) will be available under pathfinder-rules directory in this repo.

What's New?

• Add posthog usage analytics log for cli tool by @shivasurya in #101
• feature(query): introduce to execute queries from CQL file 🚀 by @shivasurya in #102
• Refactor pathfinder cli to support cobra 🐍 cli format by @shivasurya in #104
• Bump micromatch from 4.0.7 to 4.0.8 in /docs in the npm_and_yarn group across 1 directory by @dependabot in #106
• cql(queries): Added Pathfinder CQL queries for WebView APIs 🏅 by @shivasurya in #112
• Added expr model and parsed basic binary expression by @shivasurya in #99

New Contributors

• @dependabot made their first contribution in #106

Full Changelog: v0.0.24...v0.0.25

Release v0.0.24

Method chaining is powerful feature to write models and expose methods to support runtime filtering instead of compile time/construction time of source code graph

from now on 🚀 you'll be able to chain methods for JavaDoc object and methods. More support for entities and methods coming soon in future releases.

FIND method_declaration AS md WHERE md.getDoc().GetCommentAuthor() == "shivasurya"

What's Changed

• Bump npm package version by @shivasurya in #88
• Move javadoc entity into primary core entity by @shivasurya in #92
• Support Method Chaining for Attributes and Entities by @shivasurya in #93
• Add more testcase by @shivasurya in #94
• v0.0.24 release by @shivasurya in #95

Full Changelog: v0.0.23...v0.0.24

Release v0.0.23

What's Changed 🚀

Introducing methods, alias and variety condition support (using expr-lang) in this release. From now on you could query the codebase, 🎉

FIND method_declaration AS md WHERE md.getName() == "main" && "@Override" in md.getAnnotation()

• Pathfinder now uses ANTLR for verifying queries, expr-lang to support variety of operators for condition based filtering support.
• Pathfinder now finds vulnerable configs in Android project codebase. Checkout pathfinder ruleset published in website
• Pathfinder is now available in npm. You could download using npm i codepathfinder

Detailed changes

• npm cleanup config and release by @shivasurya in #76
• Add version and git tag info into the release by @shivasurya in #77
• Fixed method invocation param by @shivasurya in #78
• Added query to find android webview setting by @shivasurya in #79
• Added posthog analytics to docs by @shivasurya in #80
• pathfinder queries: added few more webview api ruleset by @shivasurya in #81
• Add code coverage app by @shivasurya in #82
• Update issue and feature req templates by @shivasurya in #83
• Enhanced query parser: Added ANTLR parser for query lang by @shivasurya in #49
• Add codecov badge by @shivasurya in #84
• Fix in array query and documentation stuff by @shivasurya in #85
• Bump version to v0.0.23 by @shivasurya in #86
• fix(build): Fix windows powershell variables by @shivasurya in #87

Full Changelog: v0.0.22...v0.0.23