hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-22 07:15:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15446 from github/codeql-cli-2.16.1

Browse Source 
Merge `codeql-cli-2.16.1` back to `main`
This commit is contained in:
Henry Mercer
2024-01-26 15:52:56 +00:00
committed by GitHub
parent 7a50d7a95f 720d87391d
commit 452359f20e
27 changed files with 619 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
java/ql/src/change-notes/released/0.8.6.md
View File

@@ -1,9 +1,5 @@
## 0.8.6
### Deprecated Queries
* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
### New Queries
* Added the `java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations.
@@ -13,3 +9,7 @@
* Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.
* The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.
* Removed some spurious sinks related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.
### Bug Fixes
* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.