Add change note and fix some QLDocs

2026-04-30 19:26:02 +02:00 · 2021-05-06 13:13:23 +02:00
parent e14294a2f7
commit 1f1f85aeb5
3 changed files with 4 additions and 2 deletions
--- a/java/change-notes/2021-05-06-unsafe-android-access-query.md
+++ b/java/change-notes/2021-05-06-unsafe-android-access-query.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Unsafe resource fetching in Android webview" (`java/android/unsafe-android-webview-fetch`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/3706)
--- a/java/ql/src/semmle/code/java/security/UnsafeAndroidAccess.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeAndroidAccess.qll
@@ -8,7 +8,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.ExternalFlow

 /**
- * A sink that represents a method that fetches a web resource.
+ * A sink that represents a method that fetches a web resource in Android.
 *
 * Extend this class to add your own Unsafe Resource Fetching sinks.
 */
--- a/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql
+++ b/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql
@@ -5,7 +5,7 @@ import TestUtilities.InlineExpectationsTest
 import semmle.code.java.security.UnsafeAndroidAccess

 class Conf extends TaintTracking::Configuration {
-  Conf() { this = "qltest:cwe:jexl-injection" }
+  Conf() { this = "qltest:cwe:unsafe-android-access" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }