In this release, we've focused on improvements to our security compliance solution and enhancements to Unit Test Assistant.
Extended Support for Java
We've added support for Java 11.
Extended Support for IDEs and Build Systems
We've added support for:
- Eclipse 4.9, 4.10, and 4.11
- IntelliJ 2018.3 and 2019.1
- Maven 3.6.0
Support for Platforms
We've added support for:
- Windows Server 2019
The following operating systems are no longer supported:
- Windows 8
- Windows Server 2008
Security Compliance Pack
In this release, we've introduced the Security Compliance Pack to give you instant access to test configurations that help you enforce compliance with security standards and practices. The Security Compliance Pack includes the following test configurations:
- CERT for Java
- CWE 3.2
- CWE SANS Top 25 2011
- CWE SANS Top 25 2011+On the Cusp
- OWASP Top 10-2017
- PCI DSS 3.2
- UL 2900
See Built-in Test Configurations: Security Compliance Pack for details.
Security Compliance Pack requires dedicated license features to be activated. Contact Parasoft Support for more details on licensing.
Unit Test Assistant Enhancements
In this release, we've enhanced the test creation process and improved the recommendations that appear after test execution.
New and Improved Recommendations
- We've added the NullPointerException Thrown recommendation type to help you prevent NullPointerException from being thrown; see NullPointerException Thrown.
- We've enhanced Exceptions and assertion errors recommendations to include action links that help you handle exceptions and automatically update your test code; see Exceptions and Assertion Errors.
- We've extended Uncovered code recommendations to be displayed for exception catch blocks that are not covered by any tests; see Uncovered Code.
Enhanced Unit Test Creation
You can now:
- create either standard JUnit tests or tests that use the Spring framework when creating tests for Spring classes; see Creating a Spring Unit Test and Creating Multiple Unit Tests.
- create tests for additional Spring components: @Component, @Controller, @RestController, @Repository, and @Service; see Creating a Spring Unit Test.
- configure UTA to initialize mocks by adding the @InjectMocks and @Mock annotations at the class level; see Configuring Mock Initialization.
We've also improved the deep initialization mode to automatically initialize inaccessible fields and fields in parent classes when the tests are created.
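The following is an added example, not a test generated by Unit Test Assistant or any Parasoft code: a hand-written JUnit 4 test for a Spring @Service that uses the class-level @Mock/@InjectMocks pattern described above, so that Mockito creates and injects the mock without an explicit initMocks() call. The LoginService, AccountRepository and test names are illustrative assumptions.

```java
// Added example (not UTA output): class-level @Mock/@InjectMocks mock initialization
// for a Spring @Service. Service, repository and test names are illustrative.
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Repository;
import org.springframework.stereotype.Service;

// Production code under test: a Spring service with one repository dependency.
@Repository
interface AccountRepository {
    boolean isLocked(String user);
    void recordFailure(String user);
}

@Service
class LoginService {
    private final AccountRepository accounts;

    @Autowired
    LoginService(AccountRepository accounts) {
        this.accounts = accounts;
    }

    // A locked account is rejected before any credential check; a wrong password
    // is recorded so the repository can lock the account after repeated failures.
    public boolean login(String user, String password) {
        if (accounts.isLocked(user)) {
            return false;
        }
        boolean ok = "correct-horse".equals(password); // stand-in for real verification
        if (!ok) {
            accounts.recordFailure(user);
        }
        return ok;
    }
}

// The test: the runner creates the @Mock field and injects it into the @InjectMocks
// field through the constructor, so no MockitoAnnotations.initMocks() call is needed.
@RunWith(MockitoJUnitRunner.class)
public class LoginServiceTest {
    @Mock
    private AccountRepository accounts;

    @InjectMocks
    private LoginService service;

    @Test
    public void lockedAccountIsRejectedWithoutRecordingAFailure() {
        when(accounts.isLocked("alice")).thenReturn(true);
        assertFalse(service.login("alice", "correct-horse"));
        verify(accounts, never()).recordFailure("alice");
    }

    @Test
    public void wrongPasswordRecordsAFailure() {
        when(accounts.isLocked("bob")).thenReturn(false);
        assertFalse(service.login("bob", "wrong"));
        verify(accounts).recordFailure("bob");
    }

    @Test
    public void correctPasswordOnUnlockedAccountSucceeds() {
        when(accounts.isLocked("carol")).thenReturn(false);
        assertTrue(service.login("carol", "correct-horse"));
        verify(accounts, never()).recordFailure("carol");
    }
}
```

Because MockitoJUnitRunner uses strict stubs, a stubbing that a test does not exercise fails the run, which is a useful check that each stubbed interaction actually drives the behavior under test.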
Test Impact Analysis Improvements
- Information about correlations between tests and code now persists between restarts of the IDE.
- You can now use the context menu in the Impacted Unit Tests view to navigate to the test code and run selected tests.
See Test Impact Analysis for details.
New and Updated Test Configurations
We've added the following test configurations:
- CWE 3.2
- CWE SANS Top 25 2011+On the Cusp
- CWE SANS Top 25 2011
- OWASP Top 10-2017
- PCI DSS 3.2
- UL 2900
The following test configuration has been moved from the Static Analysis category to the Security Compliance Pack category (see Security Compliance Pack):
- CERT for Java
The following test configurations have been updated to improve analysis results:
- Demo Configuration
- Flow Analysis Aggressive
See Built-in Test Configurations for the list of test configurations shipped with Jtest.
Deprecated Test Configurations
- CWE-SANS Top 25 2011 – deprecated and replaced with the new CWE SANS Top 25 2011 test configuration
- PCI Data Security Standard – deprecated and replaced with the new PCI DSS 3.2 test configuration
- UL 2900 – deprecated and replaced with the new UL 2900 test configuration, which includes the CWE SANS Top 25 2011+On the Cusp and OWASP Top 10-2017 rules
- OWASP Top 10 2017 – deprecated and replaced with the new OWASP Top 10-2017 test configuration
The deprecated test configurations are not available by default and can only be applied as user-defined test configurations. They are now shipped with Jtest in the following location: [INSTALL_DIR]\configs\Deprecated.
New Static Analysis Rules
We've added the following static analysis rules:
Rule ID | Header |
---|---|
BD.PB.CHECKRET | Consistently check the returned value of non-void functions |
BD.PB.INTOVERF | Avoid integer overflows |
BD.SECURITY.TDPASSWD | Protect against using unprotected credentials |
CODSTA.ORG.TODOJAVA | Ensure that comments do not contain task tags |
CODSTA.ORG.TODOPROP | Ensure that comments do not contain task tags |
CODSTA.ORG.TODOXML | Ensure that comments do not contain task tags |
SECURITY.IBA.AUXD | Avoid parsing untrusted data with XMLDecoder |
SECURITY.IBA.DXXE | Disable XML external entity injection |
SECURITY.IBA.RUIM | Ensure proper session expiration |
SECURITY.IBA.SC | Disable LDAP deserialization |
SECURITY.UEC.STTL | Ensure that sessions are configured to time out in 'web.xml' files |
SECURITY.WSC.ACMD | Avoid using custom MessageDigest implementations |
SECURITY.WSC.AISSAJAVA | Avoid using insecure cryptographic algorithms for data encryption with Spring |
SECURITY.WSC.AISSAXML | Avoid using insecure cryptographic algorithms in Spring XML configurations |
SECURITY.WSC.AUNC | Avoid using the javax.crypto.NullCipher class in non-test classes |
SECURITY.WSC.DMDS | Avoid using the DriverManagerDataSource class in production code |
SECURITY.WSC.EWSSEC | Avoid writing debug information from the Spring Security framework to logs |
SECURITY.WSC.HGRSI | Avoid using the 'getRequestedSessionId' method from the 'HttpServletRequest' class |
SECURITY.WSC.HV | Ensure the HostnameVerifier.verify() method validates the certificate |
SECURITY.WSC.MCMDU | MessageDigest objects must process the data with the 'update' method |
SECURITY.WSC.MDSALT | Use hash functions with a salt |
SECURITY.WSC.PBFA | Ensure sufficient protection against multiple failed authentication attempts |
SECURITY.WSC.SCHTTP | Mark cookies as HttpOnly |
SECURITY.WSC.SIKG | Initialize KeyGenerator instances |
SECURITY.WSC.VSI | Properly validate server identity |
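The following is an added example, not Parasoft's or Jtest's code: hand-written Java showing the kind of construct three of the new rules target (SECURITY.IBA.DXXE, SECURITY.WSC.HV and SECURITY.WSC.SCHTTP), each flagged form beside a hardened form. Class and method names are illustrative, and the exact set of constructs each rule matches is defined by the rule documentation, not assumed here.

```java
// Added example (not Jtest's code): flagged pattern beside hardened form for three of the
// new rules. Class and method names are illustrative.
import java.io.IOException;
import java.io.StringReader;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.servlet.http.Cookie;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SecurityRuleExamples {

    // SECURITY.IBA.DXXE, flagged form: a default DocumentBuilderFactory resolves external
    // entities, so a DOCTYPE in attacker-controlled XML can read local files or reach
    // internal hosts through the parser.
    public static Document parseXmlUnsafe(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened form: reject DOCTYPE declarations outright (this also stops internal
    // entity-expansion attacks such as "billion laughs"), and disable the remaining
    // entity and XInclude features as defense in depth for parsers that do not honor
    // the first feature. setFeature() throws if a feature is unsupported rather than
    // silently leaving the parser open.
    public static Document parseXmlSafe(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // SECURITY.WSC.HV, flagged form: a verifier that accepts every hostname lets any
    // certificate the trust store accepts impersonate the intended server.
    public static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // Hardened form: keep the JDK default verifier, which matches the peer certificate
    // against the requested host, and only narrow it further (here, to one expected host).
    public static HostnameVerifier pinnedHostVerifier(final String expectedHost) {
        final HostnameVerifier jdkDefault = HttpsURLConnection.getDefaultHostnameVerifier();
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return expectedHost.equalsIgnoreCase(hostname)
                        && jdkDefault.verify(hostname, session);
            }
        };
    }

    // SECURITY.WSC.SCHTTP, flagged form: a session cookie readable from script is
    // exfiltrated by any XSS on the site.
    public static Cookie sessionCookieUnsafe(String id) {
        return new Cookie("JSESSIONID", id);
    }

    // Hardened form: HttpOnly keeps the value out of document.cookie; Secure stops the
    // browser from sending it over plain HTTP.
    public static Cookie sessionCookieSafe(String id) {
        Cookie c = new Cookie("JSESSIONID", id);
        c.setHttpOnly(true);
        c.setSecure(true);
        c.setPath("/");
        return c;
    }
}
```

For SECURITY.UEC.STTL the analogous fix is declarative rather than in code: a session-config/session-timeout element in web.xml, which the rule checks for directly.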
Updated Static Analysis Rules
The output messages of the following rules have been updated, and as a result, suppressions associated with these rules on DTP may no longer be available:
- PB.IKICO
- PB.NUM.UBD
- SECURITY.ESD.SIO
- SECURITY.UEHL.LGE
- SECURITY.WSC.ICA
- SERIAL.RWAF
- SECURITY.WSC.UOSC
- PB.API.MASP
Resolved Bugs and FRs
Bug/FR ID | Description |
---|---|
JT-49237 | JSON test and resource paths do not exist |
JT-70472 | 'Flow Analysis Aggressive' test configuration unable to be edited when duplicated locally |
JT-70473 | PB.NUM.UBD considers only float or double variables |
JT-70475 | PB.IKICO false positive |
JT-70584 | jtest-monitor goal is failing to generate coverage.xml file on the attached project |
JT-70618 | Not able to collect Application Coverage on the prospect's project |
JT-70653 | The 'Spring Security' type appears in the HTML report after a Jtest run |
JT-70817 | Import javafx.application cannot be resolved during analysis from CLI |
JT-70827 | Providing '.' as an argument for the project.location parameter does not work as expected |
UTA-3675 | Mocking recommendation when using Mockito annotations |
UTA-4019 | Method not mocked for parameterized Spring test |
XT-36321 | Empty PDF report created in various versions of IntelliJ |
XT-36478 | Unable to obtain license for Jtest run from IntelliJ IDE |
XT-36549 | Can user name set inside the IDE override system user? |
XT-36671 | JUnit view is garbled when executing impact test in Eclipse |
XT-36705 | Change based testing doesn't work in Japanese locale |