CHANGELOG.md

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.0.1] - 2024-01-31

### Added

#### Core Features
- Recursive taint analysis for tracking user input through function calls
- Multi-language support (Japanese/English)
- Syntax highlighting in terminal output
- Multiple output formats: text, JSON, HTML, SARIF, Markdown
- Docker support for easy deployment
- Configuration file support (.security-lint.json)

#### Vulnerability Detection

**XSS (Cross-Site Scripting)**
- Blade `{!! !!}` raw output detection
- JavaScript context XSS
- Event handler attribute XSS
- URL context XSS (javascript: URLs)
- Style injection
- Template injection
- Escape bypass function detection
- Dangerous hardcoded HTML detection

**SQL Injection**
- Laravel Query Builder raw methods
- PDO/MySQLi direct queries
- String concatenation in queries
- Sanitizer bypass detection

**Command Injection**
- Shell execution functions (exec, shell_exec, system, etc.)
- Code execution functions (eval, create_function, etc.)
- Dynamic file includes
- Symfony Process usage

**Path Traversal**
- File operation functions
- Laravel Storage operations
- File download/upload

**Authentication Security**
- Weak hash algorithms (MD5, SHA1)
- Hardcoded credentials detection
- Timing-vulnerable comparisons

**CSRF/Session Security**
- Missing CSRF tokens
- Insecure session configuration
- Session fixation

**Configuration Security**
- Debug output (phpinfo, var_dump, dd)
- Insecure unserialize
- Sensitive information logging

**Laravel-Specific Security**
- Mass Assignment (missing $fillable/$guarded)
- Raw SQL injection (DB::raw, whereRaw without bindings)
- CSRF protection (forms without @csrf)
- File upload validation (extensions-only without mimes)
- Route authentication middleware
- Rate limiting for auth routes

### Security
- Safe pattern recognition for Laravel helpers (route(), url(), action())
- Value-based credential detection to reduce false positives
- Escape function recognition (htmlspecialchars, e(), etc.)

[0.0.1]: https://github.com/security-linter/php-laravel/releases/tag/v0.0.1
Prepare for OSS release v0.0.1 Version updates: - Set version to 0.0.1 across all files - Update CLI banner, SARIF output, and documentation New files: - LICENSE: MIT license - CHANGELOG.md: Initial changelog with all features - CONTRIBUTING.md: Contribution guidelines composer.json enhancements: - Add version, keywords, homepage, support URLs - Add authors section - Add require-dev for PHPUnit README.md updates: - Update repository URLs to security-linter/php-laravel - Update Docker image references Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-02 11:57:18 +09:00			`# Changelog`

			`All notable changes to this project will be documented in this file.`

			`The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),`
			`and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).`

			`## [0.0.1] - 2024-01-31`

			`### Added`

			`#### Core Features`
			`- Recursive taint analysis for tracking user input through function calls`
			`- Multi-language support (Japanese/English)`
			`- Syntax highlighting in terminal output`
			`- Multiple output formats: text, JSON, HTML, SARIF, Markdown`
			`- Docker support for easy deployment`
			`- Configuration file support (.security-lint.json)`

			`#### Vulnerability Detection`

			`XSS (Cross-Site Scripting)`
			- Blade `{!! !!}` raw output detection
			`- JavaScript context XSS`
			`- Event handler attribute XSS`
			`- URL context XSS (javascript: URLs)`
			`- Style injection`
			`- Template injection`
			`- Escape bypass function detection`
			`- Dangerous hardcoded HTML detection`

			`SQL Injection`
			`- Laravel Query Builder raw methods`
			`- PDO/MySQLi direct queries`
			`- String concatenation in queries`
			`- Sanitizer bypass detection`

			`Command Injection`
			`- Shell execution functions (exec, shell_exec, system, etc.)`
			`- Code execution functions (eval, create_function, etc.)`
			`- Dynamic file includes`
			`- Symfony Process usage`

			`Path Traversal`
			`- File operation functions`
			`- Laravel Storage operations`
			`- File download/upload`

			`Authentication Security`
			`- Weak hash algorithms (MD5, SHA1)`
			`- Hardcoded credentials detection`
			`- Timing-vulnerable comparisons`

			`CSRF/Session Security`
			`- Missing CSRF tokens`
			`- Insecure session configuration`
			`- Session fixation`

			`Configuration Security`
			`- Debug output (phpinfo, var_dump, dd)`
			`- Insecure unserialize`
			`- Sensitive information logging`

			`Laravel-Specific Security`
			`- Mass Assignment (missing $fillable/$guarded)`
			`- Raw SQL injection (DB::raw, whereRaw without bindings)`
			`- CSRF protection (forms without @csrf)`
			`- File upload validation (extensions-only without mimes)`
			`- Route authentication middleware`
			`- Rate limiting for auth routes`

			`### Security`
			`- Safe pattern recognition for Laravel helpers (route(), url(), action())`
			`- Value-based credential detection to reduce false positives`
			`- Escape function recognition (htmlspecialchars, e(), etc.)`

			`[0.0.1]: https://github.com/security-linter/php-laravel/releases/tag/v0.0.1`