Merge branch 'main' into wild-crest-ql

2026-04-20 14:34:04 +02:00 · 2026-03-30 12:04:16 +02:00
parent 6fad5b823c 8349bd50ba
commit 1d028382da
246 changed files with 11552 additions and 3487 deletions
--- a/java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
+++ b/java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
+* The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.
--- a/java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md
+++ b/java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.