Add new sink kind and change note

2026-04-25 08:45:14 +02:00 · 2023-08-01 14:43:37 -04:00
parent 0313f39229
commit 14fdfa4428
2 changed files with 10 additions and 4 deletions
--- a/java/ql/src/change-notes/2023-08-01-weak-randomness-query.md
+++ b/java/ql/src/change-notes/2023-08-01-weak-randomness-query.md
@@ -0,0 +1,5 @@
+---
+category: newQuery
+---
+* Added the `java/weak-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations. 
+
--- a/shared/mad/codeql/mad/ModelValidation.qll
+++ b/shared/mad/codeql/mad/ModelValidation.qll
@@ -30,10 +30,11 @@ module KindValidation<KindValidationConfigSig Config> {
          "js-injection", "ldap-injection", "log-injection", "path-injection", "request-forgery",
          "sql-injection", "url-redirection",
          // Java-only currently, but may be shared in the future
-          "bean-validation", "fragment-injection", "groovy-injection", "hostname-verification",
-          "information-leak", "intent-redirection", "jexl-injection", "jndi-injection",
-          "mvel-injection", "ognl-injection", "pending-intents", "response-splitting",
-          "trust-boundary-violation", "template-injection", "xpath-injection", "xslt-injection",
+          "bean-validation", "crypto-parameter", "fragment-injection", "groovy-injection",
+          "hostname-verification", "information-leak", "intent-redirection", "jexl-injection",
+          "jndi-injection", "mvel-injection", "ognl-injection", "pending-intents",
+          "response-splitting", "trust-boundary-violation", "template-injection", "xpath-injection",
+          "xslt-injection",
          // JavaScript-only currently, but may be shared in the future
          "mongodb.sink", "nosql-injection", "unsafe-deserialization",
          // Swift-only currently, but may be shared in the future