March 2026 change log

This change log includes updates to detectors made in March 2026.


Added and updated rules

Java

  • os-command-injection-java-rule

    • Enhanced to improve detection coverage by:
      • Expanding detection to cover additional command execution libraries including Apache Commons Exec, Apache Ant, AWS SSM, Docker, Kubernetes, and SSH libraries (JSch, SSHJ, Apache SSHD)
      • Detecting command injection patterns where user input is set via setter methods before command execution
      • Reducing false positives by recognizing common sanitization and input validation patterns

  • java-code-injection-ide

    • Enhanced to improve detection coverage and reduce false positives by:
      • Expanding detection for Groovy code injection vulnerabilities including GroovyShell.evaluate(), GroovyShell.parse(), and GroovyClassLoader.parseClass() with user-controlled input
      • Recognizing SecurityManager configurations as a valid mitigation, reducing false positives when security controls are in place
      • Fixing false positives where String.valueOf() was incorrectly flagged as a code injection sink

  • java-code-Injection

    • Enhanced code injection detection by expanding rule coverage and reducing false positives. This change adds:
      • New code injection sinks, including OGNL, MVEL, Groovy and Velocity, among others
      • Map-based allowlist validation patterns to prevent false positives
      • Comprehensive test cases covering the new scenarios and false positive cases
      • Recognition of the Validators.matches method for regex validation

  • java-path-traversal-ide

    • Enhanced Java Path Traversal detection by reducing false positives and correcting improper source and sanitizer classifications. This change adds:
      • Type-constrained sources to prevent generic parameter matching
      • Expanded sink coverage and improved taint tracking alignment across path_traversal_java_rule and path_traversal_java_rule_exp with updated test validation

  • java-comprehensive-ssrf-ide

    • Enhanced Java SSRF detection by reducing false positives and improving sink coverage alignment between Semgrep and GQL rules. This change adds:
      • Context-aware source handling to distinguish configuration data from request-controlled input
      • Expanded sink coverage (OkHttp, RestTemplate, WebClient, Retrofit, AsyncHttpClient, Apache HttpClient), aligned with the coverage of the GQL SSRF rule


Python

  • python-no-sql-injection-ide

    • Enhanced to improve detection coverage and reduce false positives by:
      • Expanding detection to cover additional NoSQL databases including Elasticsearch and Redis alongside existing MongoDB and DynamoDB support
      • Detecting MongoDB operator injection vulnerabilities where user input controls query operators ($where, $regex, $expr)
      • Detecting dangerous Redis Lua script execution with user-controlled input
      • Reducing false positives by recognizing common input validation patterns including regex sanitization (re.sub), string validation methods (isdigit, isalnum, isalpha), and early return guards
      • Improving detection for JSON request body injection in Flask and Django applications
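The operator-injection pattern described above, shown as an added example rather than code from the detector: a request body is dropped into a MongoDB filter unchanged, so a JSON value such as {"$ne": ""} turns an equality match into an operator query. Beside it are the validation patterns the rule now treats as sanitizers (an early-return guard, str.isdigit(), re.sub against an allowlist). The function and field names are assumed for illustration, and no database is contacted; the functions only build the filter that would be handed to a collection lookup.

```python
import re


def contains_operator(value) -> bool:
    """True if a query value smuggles a MongoDB operator key ($ne, $regex,
    $where, $expr, ...), directly, nested in a dict, or inside a list."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def build_profile_filter_unsafe(body: dict) -> dict:
    # Vulnerable shape (constructed for illustration): the parsed JSON body is
    # placed into the filter as-is, so a dict value becomes an operator query
    # instead of an equality match.
    return {"user_id": body.get("user_id"), "username": body.get("username")}


# Allowlist for usernames: everything outside it is stripped by re.sub.
USERNAME_DISALLOWED = re.compile(r"[^A-Za-z0-9_.-]")


def build_profile_filter_safe(body: dict):
    """Hardened shape: returns None on any input that does not validate."""
    user_id = body.get("user_id")
    username = body.get("username")
    # Early-return guard plus str.isdigit(): a dict or list can never pass,
    # so {"$ne": ""} is rejected before it reaches the filter.
    if not isinstance(user_id, str) or not user_id.isdigit():
        return None
    if not isinstance(username, str):
        return None
    # Regex sanitization (re.sub) against the allowlist.
    username = USERNAME_DISALLOWED.sub("", username)
    if not username:
        return None
    return {"user_id": user_id, "username": username}


# Constructed request bodies, as a Flask/Django view would receive them.
BENIGN = {"user_id": "42", "username": "alice"}
INJECTED = {"user_id": {"$ne": ""}, "username": {"$regex": "^adm"}}

if __name__ == "__main__":
    print("unsafe filter from injected body:", build_profile_filter_unsafe(INJECTED))
    print("safe filter from injected body:", build_profile_filter_safe(INJECTED))
    print("safe filter from benign body:", build_profile_filter_safe(BENIGN))
```

The type check is the part that matters most: isdigit() and re.sub() both raise on a dict, so a guard that only relied on them would fail closed by exception, but an explicit isinstance check keeps the rejection deliberate and lets the view return a clean 400.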

  • python-insecure-cookie

    • Enhanced to improve detection coverage by:
      • Detecting cookies missing the secure attribute entirely in Flask and Django applications, not just when explicitly set to False
      • Expanding detection for Flask set_cookie() and Django set_cookie()/set_signed_cookie() calls without proper security flags
      • Significantly improving the detection rate while maintaining zero false positives
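To make the "missing entirely, not just set to False" distinction concrete, here is an added example (not the detector's own implementation) of a minimal AST check over Flask/Django-style code that reports set_cookie() and set_signed_cookie() calls whose secure and httponly keywords are absent or explicitly False. The sample source it scans is constructed, and the handler and variable names in it are assumed.

```python
import ast

COOKIE_SETTERS = {"set_cookie", "set_signed_cookie"}
REQUIRED_FLAGS = ("secure", "httponly")


def _flag_state(call: ast.Call, name: str) -> str:
    """Classify keyword `name` on a call as 'true', 'false', 'dynamic' or 'missing'."""
    for kw in call.keywords:
        if kw.arg == name:
            if isinstance(kw.value, ast.Constant) and kw.value.value is True:
                return "true"
            if isinstance(kw.value, ast.Constant) and kw.value.value is False:
                return "false"
            return "dynamic"  # a variable or expression: not judged by this check
    return "missing"


def find_insecure_cookies(source: str) -> list:
    """Return (line, method, {flag: state}) for each cookie-setting call whose
    secure/httponly flag is missing or False, ordered by line number."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in COOKIE_SETTERS):
            continue
        states = {flag: _flag_state(node, flag) for flag in REQUIRED_FLAGS}
        problems = {flag: s for flag, s in states.items() if s in ("missing", "false")}
        if problems:
            findings.append((node.lineno, func.attr, problems))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample: one handler with a call missing every flag, one with
# secure=False, and one correctly hardened call.
SAMPLE = '''
def login(request):
    resp = make_response("ok")
    resp.set_cookie("session", token)
    resp.set_cookie("remember", token, secure=False, httponly=True)
    resp.set_signed_cookie("uid", uid, secure=True, httponly=True, samesite="Strict")
    return resp
'''

if __name__ == "__main__":
    for line, method, problems in find_insecure_cookies(SAMPLE):
        print(f"line {line}: {method}() -> {problems}")
```

The "dynamic" state is where a real rule needs taint or constant propagation; treating it as safe here is a deliberate choice to keep the check free of false positives on values computed from settings.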

  • python-path-traversal-ide

    • Migrated the Python Path Traversal IDE rule from Semgrep to GQL to reduce interprocedural false positives and improve detection accuracy. This change adds:
      • A new GQL rule covering the valid test cases from python-path-traversal-ide
      • Improved interprocedural taint tracking to eliminate Semgrep-related false positives
      • Stricter source and sink handling for more accurate path traversal detection


JavaScript

  • javascript-cross-site-scripting

    • Enhanced to improve detection coverage and reduce false positives by:
      • Expanding detection to cover code execution sinks (eval, setTimeout, setInterval, Function constructor) with user-controlled input
      • Detecting XSS vulnerabilities in template rendering (res.render), email content (sendMail), React (dangerouslySetInnerHTML), and Angular security bypass methods (trustAs, bypassSecurityTrust)
      • Removing false positive detections for redirect operations (properly classified as Open Redirect CWE-601) and localStorage setItem (storage write, not rendering)
      • Reducing false positives by recognizing type conversion sanitizers (Number, parseInt, parseFloat) and MongoDB operations (insertOne, updateOne, etc.) as safe
      • Improving detection precision by excluding safe patterns such as jQuery .text() calls, hardcoded string literals, object literals in res.send(), and properly sanitized values

  • javascript-os-command-injection

    • Enhanced to improve detection coverage by:
      • Expanding detection to cover additional execa variants (execa.commandSync, execa.sync, bare execa() calls) with user-controlled input
      • Detecting command injection in Node.js child_process methods (execFile, execFileSync, fork) beyond the previously covered exec and spawn
      • Detecting command injection in ShellJS library (shell.exec, shelljs.exec, shelljs.execSync)
      • Adding support for Bun runtime command execution (spawn, spawnSync)
      • Reducing false positives by excluding safe array-based argument patterns where commands are not constructed from strings
      • Synchronizing TypeScript rule coverage to match JavaScript rule for consistent detection across both languages


TypeScript CDK

  • typescript-cdk-redshift-enable-user-activity-logging

    • Enhanced to improve detection coverage by:
      • Expanding detection across all CDK import styles (direct, multi-import, namespace, wildcard)
      • Adding case-insensitive parameter value handling ('true', 'TRUE') to reduce false positives
      • Validating both direct parameter group references and ref property access patterns
      • Updating metadata with CWE-778 mapping and improved remediation guidance

  • typescript-cdk-redshift-require-tls-ssl

    • Enhanced to improve detection coverage by:
      • Expanding from L1 CfnCluster only to include L2 Cluster constructs
      • Adding 7 import pattern variations (direct, multi-import, namespace, multi-namespace, wildcard, full CDK)
      • Detecting missing parameterGroup in L2 Cluster constructs
      • Detecting require_ssl set to 'false', 'off', or '0' in parameter groups
      • Detecting parameter groups that have other params but omit require_ssl
      • Adding focus-metavariable and metavariable-regex for precise error location

  • typescript-cdk-publicly-accessible-redshift-cluster

    • Enhanced to improve detection coverage by:
      • Expanding from L1 CfnCluster only to include L2 Cluster constructs
      • Adding 7 import pattern variations including @aws-cdk/aws-redshift legacy imports
      • Detecting publiclyAccessible: true across various expression types (boolean, variable, conditional, JSON.parse, array index, !false, Boolean(1))
      • Adding comprehensive pattern-not exclusions for false values in all forms
      • Using metavariable-regex to match both Cluster and CfnCluster construct types

  • typescript-cdk-redshift-cluster-maintenance-settings

    • Enhanced to improve detection coverage by:
      • Detecting Redshift clusters with disabled automatic version upgrades across all CDK import patterns
      • Adding CDK v2 (aws-cdk-lib) support with updated construct patterns
      • Handling boolean and string-based property values (false, 'false') for version upgrade settings
      • Updating metadata with CWE-399 mapping and AWS documentation references

  • typescript-cdk-redshift-cluster-in-vpc

    • Enhanced to improve detection coverage by:
      • Detecting Redshift clusters not provisioned within a VPC across all CDK import styles
      • Adding patterns for missing, undefined, and empty string subnetGroupName configurations
      • Validating both inline subnet group references and .ref property access patterns
      • Updating metadata with CWE-232 mapping and VPC security best practices

  • typescript-cdk-redshift-missing-encryption

    • Enhanced to improve detection coverage by:
      • Detecting Redshift clusters with encryption explicitly disabled (encrypted: false)
      • Expanding import pattern coverage (direct, aliased, namespace, wildcard)
      • Adding CDK v2 construct support with updated property detection
      • Updating metadata with CWE-311 mapping and encryption best practice references

  • typescript-cdk-redshift-cluster-audit-logging

    • Enhanced to improve detection coverage by:
      • Detecting Redshift clusters without audit logging enabled across all CDK import styles
      • Adding patterns for missing loggingProperties and disabled logging configurations
      • Validating both S3 bucket destination and prefix logging property patterns
      • Updating metadata with CWE-778 mapping and AWS audit logging documentation references

Disabled rules

No rules were disabled in March 2026.