Release Notes 2024.7.0.
New features and enhancements in Seeker 2024.7.0
Usability Improvements
The Sanitizers configuration page has been significantly updated to make it easier to understand the current configuration and its impact. New search widgets enable filtering of configured sanitizers by technology, by the specific risk associated with the sanitizer, by the checkers impacted by the sanitizer, or by matching the name in a text search.
Related information: Configure Sanitizers and Validators.
General Improvements
It is now possible to exclude endpoints from the Endpoints Risk page by HTTP verb (for example GET, POST, OPTIONS or TRACE) in addition to the URL. This allows a single handler, such as POST /api/v1/users, to be excluded while the other verbs on the same URL remain in scope.
Related information: Configure Endpoint Discovery
The JVM included with the Seeker server application has been upgraded from JVM version 11 to JVM version 17.
It is now possible to enable the Data Flow Map feature without enabling the Cross-Project Analysis feature. With this configuration the Seeker Agent will not add any headers to outgoing HTTP(S) requests. The Data Flow Map will still display the individual Seeker Projects and the incoming and outgoing communications for each of them but will not be able to track communications between them.
API
It is now possible to retrieve the Data Flow steps including type, data value, and stack trace for vulnerabilities via /rest/api/vulnerabilities and /rest/api/vulnerabilities/{key}. This is enabled by setting the request parameter includeDataFlow to true.
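As an added illustration (not code from the Seeker documentation or product), the following Python client builds the two endpoint URLs above with includeDataFlow=true and reduces a returned vulnerability record to its Data Flow steps. The Authorization header format, the response field names (dataFlow, type, value, stackTrace) and the sample payload are assumptions made for this example; check the Seeker API documentation for the real token format and response schema before relying on the field names.

```python
import json
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

VULNERABILITIES_PATH = "/rest/api/vulnerabilities"


def vulnerabilities_url(base_url, key=None, include_data_flow=True):
    """Build /rest/api/vulnerabilities or /rest/api/vulnerabilities/{key}
    with the includeDataFlow request parameter set."""
    path = VULNERABILITIES_PATH
    if key is not None:
        # Percent-encode the key so a '/' or '?' in it cannot change the path.
        path += "/" + quote(str(key), safe="")
    query = urlencode({"includeDataFlow": "true" if include_data_flow else "false"})
    return base_url.rstrip("/") + path + "?" + query


def fetch_json(url, api_token):
    """GET the URL and decode the JSON body.
    Assumption: the token is sent as-is in the Authorization header; adjust to
    the format your Seeker server expects."""
    req = Request(url, headers={"Authorization": api_token, "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_data_flow(vuln):
    """Reduce one vulnerability record to (step type, data value, top stack frame).
    Assumption: steps live under 'dataFlow' with 'type', 'value' and 'stackTrace'."""
    steps = []
    for step in vuln.get("dataFlow", []):
        frames = step.get("stackTrace") or []
        steps.append((step.get("type"), step.get("value"), frames[0] if frames else None))
    return steps


# Constructed sample shaped like the assumed response; not a real Seeker payload.
SAMPLE_VULNERABILITY = {
    "key": "EXAMPLE-1",
    "checker": "SQL Injection",
    "dataFlow": [
        {"type": "SOURCE", "value": "' OR 1=1 --",
         "stackTrace": ["com.example.UserController.search(UserController.java:42)"]},
        {"type": "PROPAGATION", "value": "SELECT * FROM users WHERE name = '' OR 1=1 --'",
         "stackTrace": ["com.example.UserRepository.find(UserRepository.java:17)"]},
        {"type": "SINK", "value": "SELECT * FROM users WHERE name = '' OR 1=1 --'",
         "stackTrace": []},
    ],
}


def main():
    base = "https://seeker.example.internal"  # assumed server URL
    print(vulnerabilities_url(base))                # all vulnerabilities, with data flow
    print(vulnerabilities_url(base, key="EXAMPLE-1"))
    for step_type, value, frame in summarize_data_flow(SAMPLE_VULNERABILITY):
        print(f"{step_type:<12} {frame or '<no frame>'}\n    {value}")


if __name__ == "__main__":
    main()
```

Pulling the data flow for a whole page of vulnerabilities is considerably more expensive for the server than the default response, so script it for the records you are triaging rather than for every listing call.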
Agents
Technologies | Features |
Node.js | The Node.js agent now recognizes MarsDB as a NoSQL database. This enables checkers such as CSRF, NoSQL Injection, and Sensitive Data Stored Unencrypted when using this database. MarsDB instances will also appear as databases on the Data Flow Map. |
Python | Note: Support for Python 3.6 is removed in this release. |
.NET Framework, .NET Core | Regular expressions in path parameters are now treated as sanitizers by default. The types treated as sanitizers can be controlled by the environment variable SEEKER_AGENT_PATH_SANITIZERS. See Advanced Agent Settings. |
Checkers
The following vulnerability checkers have been added, enhanced, or changed:
Technologies | Name | New/Enhanced/Changed |
Java, Python | Missing Authentication Check | A new checker that reports when no valid authentication method is called while the application processes a request. The valid authentication methods should be defined as validators for the AUTH risk under Advanced Settings for the Project or Project Template in use. This checker is not enabled by default. To enable it, turn on the Authentication Validation feature at the Project or Project Template level. Exclusions for endpoints that are not expected to be authenticated (for example login or health-check endpoints) can be configured under the Configuration option for the Authentication Validation feature. |
.NET Framework, .NET Core | Unsafe Deserialization, Unsafe Deserialization (Second-Order) | Enhanced with updated logic to improve accuracy with the latest versions of the System.Text.Json and Newtonsoft.Json libraries used for deserialization. |
Java | Insecure Spring MVC Auto-Binding | Enhanced to display the name of the method that handles the request. |
Java | Insufficient Cookie Protection (Misconfigured ‘SameSite’) | A new checker that reports weak or dangerous configurations of the SameSite cookie attribute. |
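To make concrete what "weak or dangerous" SameSite configurations look like, here is an added example that is not Seeker's checker logic and not code from the original page: a small Python function that classifies a Set-Cookie header the way a reviewer would, working only on the header text (so it applies regardless of the server's language). The classification rules and the sample header lines are constructed for this example.

```python
SAMESITE_VALUES = {"strict", "lax", "none"}


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def check_samesite(header):
    """Classify the SameSite configuration of one Set-Cookie header.
    Returns (severity, message) with severity 'ok', 'weak' or 'dangerous'."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    secure = attrs.get("secure") is True

    if samesite is None:
        # No attribute: Chromium defaults to Lax, other browsers to None, so the
        # protection is browser-dependent rather than chosen by the application.
        return ("weak", f"{name}: no SameSite attribute; protection depends on the browser default")
    if samesite is True:
        return ("weak", f"{name}: SameSite present without a value")
    value = samesite.lower()
    if value not in SAMESITE_VALUES:
        return ("weak", f"{name}: unrecognized SameSite value {samesite!r}")
    if value == "none" and not secure:
        # Chromium-based browsers reject SameSite=None cookies that are not Secure;
        # where it is accepted, the cookie rides along on every cross-site request.
        return ("dangerous", f"{name}: SameSite=None without Secure")
    if value == "none":
        return ("weak", f"{name}: SameSite=None sends the cookie on cross-site requests; "
                        "only acceptable for cookies that are not session or CSRF-relevant")
    return ("ok", f"{name}: SameSite={samesite}")


def audit(headers):
    """Run check_samesite over several Set-Cookie values and return the findings."""
    return [check_samesite(h) for h in headers]


# Constructed Set-Cookie values; not captured from a real application.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",                      # weak: no SameSite
    "JSESSIONID=abc123; Path=/; SameSite=None",                 # dangerous: None without Secure
    "tracking=xyz; SameSite=None; Secure",                      # weak: cross-site allowed
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # ok
    "csrf=token; SameSite=Strict; Secure",                      # ok
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_HEADERS):
        print(f"[{severity:<9}] {message}")
```

Lax is the usual choice for a session cookie; Strict is stronger but breaks top-level navigations from other sites (for example following a link from an e-mail into an authenticated page), so confirm the application's navigation flows before switching to it.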