Merge branch 'main' into promote-jexl-injection

2026-04-28 10:15:14 +02:00 · 2021-06-03 11:10:56 +02:00
parent 607dcd4a27 ffad65be40
commit 56a429a5f9
674 changed files with 32825 additions and 8447 deletions
--- a/java/change-notes/2021-05-03-guava-first-non-null.md
+++ b/java/change-notes/2021-05-03-guava-first-non-null.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Increase coverage of the Guava framework by adding support for `com.google.common.base.MoreObjects#firstNonNull`.
--- a/java/change-notes/2021-05-03-jackson-dataflow-deserialization.md
+++ b/java/change-notes/2021-05-03-jackson-dataflow-deserialization.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Increase coverage of dataflow through Jackson JSON deserialized objects.
--- a/java/change-notes/2021-05-05-kryo-improvements.md
+++ b/java/change-notes/2021-05-05-kryo-improvements.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Add support for version 5 of the Kryo serialization/deserialization framework.
+* Add support for detecting safe uses of Kryo utilizing `KryoPool.Builder`. [#4992](https://github.com/github/codeql/issues/4992)
--- a/java/change-notes/2021-05-12-xxe-fp-fix.md
+++ b/java/change-notes/2021-05-12-xxe-fp-fix.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Resolving XML external entity in user-controlled data" (`java/xxe`) has been improved to report fewer false positives when a Builder / Factory (e.g. an `XMLInputFactory`) is configured safely by using a boxed boolean as second argument to one or more of its configuration methods.
--- a/java/change-notes/2021-05-14-close-resource-leaks-improvements.md
+++ b/java/change-notes/2021-05-14-close-resource-leaks-improvements.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Potential input resource leak" (`java/input-resource-leak`) and "Potential output resource leak" (`java/output-resource-leak`) queries no longer confuse `java.io` classes such as `Reader` with others that happen to share the same base name. Additionally the number of false positives has been reduced by recognizing `CharArrayReader` and `CharArrayWriter` as types that don't need to be closed.
--- a/java/change-notes/2021-05-20-savedrequest-taintsources.md
+++ b/java/change-notes/2021-05-20-savedrequest-taintsources.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Invocations of methods from `org.springframework.security.web.savedrequest.SavedRequest`
+  have been added as sources of tainted data for all security queries.
--- a/java/change-notes/2021-05-28-remove-senderror-xss-sink.md
+++ b/java/change-notes/2021-05-28-remove-senderror-xss-sink.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Cross-site scripting" (`java/xss`) has been improved to report fewer false positives by removing the `javax.servlet.http.HttpServletResponse.sendError` sink since Servlet API implementations generally already escape the error message, preventing script injection.