Release Notes 2023.10.0

New features and enhancements in Seeker 2023.10.0.

Detecting unsafe consumption of APIs

Seeker can now detect cases in which applications use responses received from external APIs without validating them. Seeker treats such responses as unsafe data and reports detections accordingly. This helps security teams comply with the OWASP TOP 10 API Security Risks 2023 standard, section API10:2023 - Unsafe Consumption of APIs.

This feature is configured at the project level. In addition to the Java Agent, it is now supported by the .NET Core, .NET Framework, and Python Agents.

Related Information: Configure Tracking Unsafe Data from External APIs
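To make concrete what the new tracking looks for, here is an added Python example; it is not Seeker code or configuration, and the upstream response body, the price table and the SKU format are all constructed for the illustration. The unsafe variant consumes the upstream response as trusted data and interpolates its fields into a SQL statement; the hardened variant validates every field against an allowlist before use, skips and records anything that fails, and binds parameters. An agent configured to treat the external response as unsafe data would report the first path when the response data reaches the query sink.

```python
"""Added example of the flaw class behind 'Unsafe Consumption of APIs' (API10:2023):
a response from an external API is used without validation. Not Seeker code; the
upstream response, the table and the SKU format below are all constructed."""
import json
import re
import sqlite3

# Constructed stand-in for the body an upstream (third-party) API returned. Treat it
# exactly like user input: a compromised or buggy upstream can put anything in here.
UPSTREAM_RESPONSE = json.dumps({
    "items": [
        {"sku": "A-100", "region": "eu"},
        # A malformed record, as a hostile or broken upstream might return it.
        {"sku": "A-200' OR '1'='1", "region": "eu"},
    ]
}).encode()

# Allowlist for the fields we are willing to accept from the upstream (assumed format).
SKU_PATTERN = re.compile(r"[A-Z]-\d{3}")
KNOWN_REGIONS = frozenset({"eu", "us"})


def make_db():
    """In-memory price table standing in for the consumer's own database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prices (sku TEXT, region TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO prices VALUES (?, ?, ?)",
        [("A-100", "eu", 10.0), ("A-200", "eu", 20.0), ("B-300", "us", 30.0)],
    )
    return conn


def lookup_prices_unsafe(conn, response_body):
    """Vulnerable pattern: the upstream response is consumed as trusted data and its
    fields are interpolated straight into SQL. Data tracked as 'unsafe' by an IAST
    agent would be reported when it reaches this query sink."""
    data = json.loads(response_body)
    total = 0.0
    for item in data["items"]:
        query = "SELECT price FROM prices WHERE sku = '%s' AND region = '%s'" % (
            item["sku"], item["region"])
        total += sum(row[0] for row in conn.execute(query))
    return total


def validate_item(item):
    """Reject anything from the upstream that is not the exact shape we expect."""
    if not isinstance(item, dict):
        raise ValueError("item is not a JSON object")
    sku, region = item.get("sku"), item.get("region")
    if not isinstance(sku, str) or not SKU_PATTERN.fullmatch(sku):
        raise ValueError("rejected sku from upstream: %r" % (sku,))
    if region not in KNOWN_REGIONS:
        raise ValueError("rejected region from upstream: %r" % (region,))
    return sku, region


def lookup_prices_safe(conn, response_body):
    """Hardened pattern: validate every field against an allowlist before use, skip and
    record anything that fails, and bind the survivors as parameters rather than text."""
    data = json.loads(response_body)
    items = data.get("items") if isinstance(data, dict) else None
    if not isinstance(items, list):
        raise ValueError("upstream response has no 'items' list")
    total, rejected = 0.0, []
    for item in items:
        try:
            sku, region = validate_item(item)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        rows = conn.execute(
            "SELECT price FROM prices WHERE sku = ? AND region = ?", (sku, region))
        total += sum(row[0] for row in rows)
    return total, rejected


if __name__ == "__main__":
    print("unsafe total:", lookup_prices_unsafe(make_db(), UPSTREAM_RESPONSE))
    print("safe total, rejected:", lookup_prices_safe(make_db(), UPSTREAM_RESPONSE))
```

Run stand-alone, the unsafe lookup returns 40.0 because the malformed record widens the second query to every "eu" row, while the hardened lookup returns 10.0 and a one-entry list naming the rejected field. Logging the rejected entries, as the hardened variant does, also gives operations a signal that an upstream dependency started returning unexpected data.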

Usability improvements

To increase the user's awareness of vulnerabilities violating project compliance policies, Seeker now displays the compliance status banner on the Vulnerability details page, linked to the policy violation details. In addition, some APIs have been enhanced with new parameters to filter vulnerabilities by compliance with project policies.

General improvements

  • The Data Flow Map is now optimized to display database nodes aggregated by logical database name and type. Previously, database nodes were identified by their resolved hostnames, which could clutter the map with redundant nodes, as displayed below.

    Once you have installed the new version, this works automatically. However, if you have multiple nodes collected by a previous version, you might need to aggregate them explicitly.

    Related Information: Aggregate Duplicate Endpoints

  • Seeker usernames in various UI pages and API parameters are now case-insensitive, which means usernames such as JohnDoe, johndoe, and jOHNdoE are treated as the same name.

API

  • The new and enhanced APIs for managing custom tags for projects enable you to do the following:

    • Manage custom tags: /api/{ver}/customtags GET, POST, DELETE.
    • Create a project with custom tags: new customTags parameter added to /api/{ver}/projects POST.
    • Add/remove custom tags to/from a project: /api/{ver}/projects/{key}/customtags POST, DELETE.

  • New compliance-related Vulnerabilities APIs return all major security compliance standards and their classifications:

    • GET /api/{ver}/compliances
    • GET /api/{ver}/compliances/{complianceKey}/classifications

  • New parameters and properties to filter vulnerabilities by policy compliance:

    • New onlyNotCompliant parameter added to /api/{ver}/vulnerabilities GET and /api/{ver}/reports/export GET.
    • New compliancePolicyConditions property added to /api/{ver}/projects/{projectId}/status.

Agents

The Seeker Agents have been enhanced with the following features:

  • Java: The Java Agent now supports Java 21.
  • .NET Core, .NET Framework, Node.js, Python: You can now define custom API authentication headers for Active Inspection of untested endpoints using the SEEKER_ACTIVE_INSPECTION_AUTH_HEADERS environment variable.
  • Node.js: As of this release, Agent support for Node.js 12.x and 13.x is deprecated and will be removed in a future release.
  • Go: The Connect Agent wizard now provides instructions on instrumenting your Go applications with the Agent as a Go plugin.
  • Python: The Python Agent now supports Python 3.12.

Checkers

The following vulnerability checkers have been added, enhanced, or changed:

  • Node.js: Log Injection, Log Injection (Second-Order), Sensitive Data Stored Unencrypted, Sensitive Data Stored Unencrypted (Second-Order). Enhanced: these checkers now support NestJS logging.
  • Java, .NET Core, .NET Framework, Node.js, Python: Missing Expect-CT Header. Changed: deprecated as of this release; will be disabled by default in new projects.
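The Log Injection checker above reports a tainted value reaching a logging sink unescaped (the Second-Order variants, as the term is generally used, cover the same sink reached by data that was first persisted and later read back). The following is an added example, written in Python for illustration rather than NestJS, and not Seeker code; the username value and log format are constructed. It shows how a line terminator inside a logged value forges a record that is indistinguishable from a genuine one, the neutralization that keeps the value inside its field, and a simple detection pass over the resulting log text.

```python
"""Added example of the log injection pattern the checker looks for, written in Python
for illustration (the mechanism is the same in NestJS or any other logger). Not Seeker
code; the username value and the log format are constructed."""
import io
import logging

LOG_FORMAT = "%(levelname)s %(message)s"

# Constructed attacker-controlled value: a username followed by a line break and text
# shaped like a genuine successful-login record for another account.
FORGED_USERNAME = "alice\nINFO login result=ok user=admin"


def build_logger(stream):
    """Standalone logger writing to the given stream (not the shared root logger)."""
    logger = logging.Logger("login-audit")
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter(LOG_FORMAT))
    logger.addHandler(handler)
    return logger


def log_login_unsafe(logger, username, ok):
    """Vulnerable: a tainted value is written verbatim, so embedded line terminators
    start a new record that readers cannot tell from a real one."""
    logger.info("login result=%s user=%s", "ok" if ok else "denied", username)


def neutralize(value):
    """Escape the characters that would terminate a record or tamper with a terminal:
    the escaped form stays on one line and remains visible in the field it belongs to."""
    return (value.replace("\\", "\\\\")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n")
                 .replace("\x1b", "\\x1b"))


def log_login_safe(logger, username, ok):
    """Hardened: every untrusted value is neutralized before it reaches the log call."""
    logger.info("login result=%s user=%s", "ok" if ok else "denied", neutralize(username))


def injection_attempts(log_text):
    """Detection over log text: records carrying an escaped line terminator are ones where
    someone tried to break out of a field, worth alerting on even though they were contained."""
    return [line for line in log_text.splitlines() if "\\n" in line or "\\r" in line]


def demo(safe):
    """Run one denied-login event through the chosen variant; return (records, flagged)."""
    buf = io.StringIO()
    logger = build_logger(buf)
    writer = log_login_safe if safe else log_login_unsafe
    writer(logger, FORGED_USERNAME, ok=False)
    text = buf.getvalue()
    return text.splitlines(), injection_attempts(text)


if __name__ == "__main__":
    for safe in (False, True):
        records, flagged = demo(safe)
        print("safe" if safe else "unsafe", "->", len(records), "record(s):", records, flagged)
```

The unsafe variant turns one denied login into two records, the second of which reads as a successful login for another account; the hardened variant produces a single record in which the attempted break-out is visible as a literal "\n" inside the user field, which is also what the detection pass keys on. Neutralizing at the logging boundary is preferable to validating usernames alone, because any value that originates outside the process can carry the same characters.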