
Snyk Code: July Release, C++ rules, Java library coverage, and JavaScript Insecure Transmission

Improved

The July release expands Snyk Code coverage for C++ with several new rules and broader native C++ detection, improves detection for several popular Java libraries, and adds a new Insecure Transmission rule for JavaScript and TypeScript. These changes arrive with the July release on 13 July 2026.

What's changing

New rules

  • Log Forging, C++ (CWE-117, high): flags untrusted user input reaching a logging sink, which can let an attacker forge or corrupt log entries.

  • Improper Privilege Management, C++ (CWE-269, high): flags a privilege-dropping call whose result is not verified; a failed call can leave the process running with elevated privileges.

  • Missing Authorization, C++ (CWE-862, CWE-732): flags overly permissive file permissions (world-writable or world-executable), and calls that pass root (UID or GID 0) to privilege-escalation or file-ownership functions.

  • SSL/TLS Certificate Verification Bypass, C++ (CWE-295, medium): detects disabled certificate verification across seven TLS frameworks (OpenSSL, Qt, mbedTLS, libcurl, Boost.Asio, libpq, libpqxx), which exposes connections to man-in-the-middle attacks.

  • Insecure TLS Configuration, C++ (CWE-327, high): detects insecure TLS configuration, such as enabling outdated TLS versions.

  • Sensitive Cookie Without Secure Attribute, C++ (CWE-614, low): flags cookies that omit the Secure attribute, either by default or explicitly set to false, leaving them exposed to man-in-the-middle attacks.

  • Insecure Transmission, JavaScript (CWE-319): detects cleartext transmission over insecure transports beyond HTTP. Initial coverage targets Redis clients (@redis/client, ioredis, redis) connecting over a non-TLS redis:// URL. New rule-key, separate from HttpToHttps.
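The privilege-drop pattern behind the new C++ Improper Privilege Management rule above, together with the root-as-target pattern the Missing Authorization rule flags, as an added example that is not Snyk's code or part of this release: the unchecked form the rule reports, beside a hardened version that checks each result and verifies the drop took effect (the helper names are my own).

```cpp
// Added example, not Snyk's code: the unchecked privilege drop that the C++
// Improper Privilege Management rule (CWE-269) flags, beside a hardened
// version that checks every result and verifies the drop actually happened.
#include <cstdio>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

// Vulnerable pattern: the results of setgid()/setuid() are discarded. If either
// call fails (EPERM, EAGAIN, EINVAL), the process keeps its original privileges.
static void drop_privileges_unchecked(uid_t uid, gid_t gid) {
    setgid(gid);
    setuid(uid);
}

// Hardened pattern (hypothetical helper): returns 0 only if every step
// succeeded and the new identity is observable; -1 otherwise. Group ids are
// changed first, while the process still has the privilege to change them.
static int drop_privileges_checked(uid_t uid, gid_t gid) {
    // Refuse a "drop" to UID/GID 0: passing root to a privilege function is the
    // pattern the Missing Authorization rule (CWE-862/CWE-732) flags.
    if (uid == 0 || gid == 0) { std::fprintf(stderr, "refusing root target\n"); return -1; }
    const bool was_root = (geteuid() == 0);
    // Clear supplementary groups first, while still privileged to do so.
    if (was_root && setgroups(0, nullptr) != 0) { std::perror("setgroups"); return -1; }
    if (setgid(gid) != 0) { std::perror("setgid"); return -1; }
    if (setuid(uid) != 0) { std::perror("setuid"); return -1; }
    // Verify the real and effective ids, not just the return codes.
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        std::fprintf(stderr, "identity mismatch after privilege drop\n");
        return -1;
    }
    // A process that was root must no longer be able to become root again.
    if (was_root && setuid(0) == 0) { std::fprintf(stderr, "drop incomplete\n"); return -1; }
    return 0;
}

int main() {
    // Constructed input: an invalid id makes setgid() fail with EINVAL; the
    // unchecked version silently continues, the checked version reports -1.
    const uid_t bad_uid = static_cast<uid_t>(-1);
    const gid_t bad_gid = static_cast<gid_t>(-1);
    drop_privileges_unchecked(bad_uid, bad_gid);
    std::printf("checked drop -> %d\n", drop_privileges_checked(bad_uid, bad_gid));
    return 0;
}
```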

New C++ coverage

Detection is now extended to native C++ for:

  • Code Injection (CWE-94): across six framework modules (dlopen, LoadLibrary, Lua, CPython, Duktape, QuickJS).

  • Insecure Storage (CWE-922, info): sqlite, realm, leveldb, rocksdb, lmdb, Qt.

  • Insecure Cipher (CWE-327): broader native C++ crypto coverage (OpenSSL, Botan, libsodium, libtomcrypt, libgcrypt, Crypto++, mbedTLS).

Expanded Java library coverage

Improved detection for code using these popular Java libraries:

  • Azure SDK for Java (com.azure:azure-core)

  • Logback (ch.qos.logback:logback-classic)

  • Reactor Netty HTTP (io.projectreactor.netty:reactor-netty-http)

  • Apache Kafka clients (org.apache.kafka:kafka-clients)

  • Jackson (com.fasterxml.jackson.core:jackson-databind and com.fasterxml.jackson.core:jackson-core)

Important details to note

  • C++ customers may see new findings after the July release, in particular from the new rules above.

  • TLS rule reclassification: the existing TLS rule (Inadequate Encryption Strength) is moving from CWE-326 to CWE-327 across C++, Groovy, Java, Kotlin, Python, Scala and Swift. Customers with policies or ignores tied to the TLS rule under CWE-326 should review them. The TLS detection has also been refactored, so customers may see a change in the volume of TLS-related findings.

  • The C++ Insecure Storage rule is info-level and may increase findings, including some false positives (early triage sampled 50 of 491 new findings: 47 true positives, 3 false positives).

  • The JavaScript Insecure Transmission rule ships as a new rule-key, separate from HttpToHttps, so ignore and policy scoping stays clean.

To learn more, visit our Snyk User Documentation.

Nina Kanti | Senior Product Manager
