Prepare for OSS release v0.0.1
Version updates:
- Set version to 0.0.1 across all files
- Update CLI banner, SARIF output, and documentation

New files:
- LICENSE: MIT license
- CHANGELOG.md: Initial changelog with all features
- CONTRIBUTING.md: Contribution guidelines

composer.json enhancements:
- Add version, keywords, homepage, support URLs
- Add authors section
- Add require-dev for PHPUnit

README.md updates:
- Update repository URLs to security-linter/php-laravel
- Update Docker image references

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CHANGELOG.md (new file, 77 lines added)
@@ -0,0 +1,77 @@
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.0.1] - 2024-01-31

### Added

#### Core Features
- Recursive taint analysis for tracking user input through function calls
- Multi-language support (Japanese/English)
- Syntax highlighting in terminal output
- Multiple output formats: text, JSON, HTML, SARIF, Markdown
- Docker support for easy deployment
- Configuration file support (.security-lint.json)

#### Vulnerability Detection

**XSS (Cross-Site Scripting)**
- Blade `{!! !!}` raw output detection
- JavaScript context XSS
- Event handler attribute XSS
- URL context XSS (javascript: URLs)
- Style injection
- Template injection
- Escape bypass function detection
- Dangerous hardcoded HTML detection

**SQL Injection**
- Laravel Query Builder raw methods
- PDO/MySQLi direct queries
- String concatenation in queries
- Sanitizer bypass detection

**Command Injection**
- Shell execution functions (exec, shell_exec, system, etc.)
- Code execution functions (eval, create_function, etc.)
- Dynamic file includes
- Symfony Process usage

**Path Traversal**
- File operation functions
- Laravel Storage operations
- File download/upload

**Authentication Security**
- Weak hash algorithms (MD5, SHA1)
- Hardcoded credentials detection
- Timing-vulnerable comparisons

**CSRF/Session Security**
- Missing CSRF tokens
- Insecure session configuration
- Session fixation

**Configuration Security**
- Debug output (phpinfo, var_dump, dd)
- Insecure unserialize
- Sensitive information logging

**Laravel-Specific Security**
- Mass Assignment (missing $fillable/$guarded)
- Raw SQL injection (DB::raw, whereRaw without bindings)
- CSRF protection (forms without @csrf)
- File upload validation (extensions-only without mimes)
- Route authentication middleware
- Rate limiting for auth routes

### Security
- Safe pattern recognition for Laravel helpers (route(), url(), action())
- Value-based credential detection to reduce false positives
- Escape function recognition (htmlspecialchars, e(), etc.)

[0.0.1]: https://github.com/security-linter/php-laravel/releases/tag/v0.0.1
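Review bot: the three bullets under `### Security` (safe pattern recognition for Laravel helpers, value-based credential detection, escape function recognition) describe false-positive-reduction features of the linter, but the Keep a Changelog 1.0.0 format this file cites reserves `### Security` for entries about fixed vulnerabilities in the project itself; moving them under `### Added`, for example as a `#### False Positive Reduction` sub-heading beside `#### Core Features`, keeps the file consistent with the linked spec. Also confirm that the `2024-01-31` date on the `## [0.0.1]` heading matches the date the `v0.0.1` tag referenced in the footer link is actually cut, since the date is written by hand here rather than derived from the tag.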