Merge pull request #4578 from aschackmull/java/changenotes

Java: Add missing change notes for 1.26
2025-12-16 16:53:25 +01:00 · 2020-10-29 13:32:28 -04:00
parent b3fe333957 5687b7c158
commit 5ac8475523
15 changed files with 48 additions and 1 deletions
--- a/change-notes/1.26/analysis-java.md
+++ b/change-notes/1.26/analysis-java.md
@@ -18,4 +18,3 @@ The following changes in version 1.26 affect Java analysis in all applications.

 ## Changes to libraries

-* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
--- a/java/change-notes/2020-05-21-mongodb-sql-injection-sinks.md
+++ b/java/change-notes/2020-05-21-mongodb-sql-injection-sinks.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The SQL injection queries have been improved to recognize MongoDB injection sinks.
--- a/java/change-notes/2020-05-21-websocket-taintsource.md
+++ b/java/change-notes/2020-05-21-websocket-taintsource.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Reads from `java.net.http.WebSocket` have been added as sources of tainted data for all
+  security queries.
--- a/java/change-notes/2020-06-30-jooq-sql-injection-sinks.md
+++ b/java/change-notes/2020-06-30-jooq-sql-injection-sinks.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The SQL injection queries have been improved to recognize unsafe jOOQ methods.
--- a/java/change-notes/2020-07-03-more-pathcreations.md
+++ b/java/change-notes/2020-07-03-more-pathcreations.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The query "Uncontrolled data used in path expression" (`java/path-injection`) has been
+  improved to recognize more path creation entry points.
--- a/java/change-notes/2020-07-09-untrusted-data-to-external-api.md
+++ b/java/change-notes/2020-07-09-untrusted-data-to-external-api.md
@@ -0,0 +1,9 @@
+lgtm,codescanning
+* Two new queries, "Untrusted data passed to external API" (`java/untrusted-data-to-external-api`)
+  and "Frequency counts for external APIs that are used with untrusted data"
+  (`java/count-untrusted-data-external-api`), have been added. These queries
+  should not be run by default as they are designed to have a low "true
+  positive" rate. However, they allow you to review the use of untrusted data
+  in an application to find new security vulnerabilities that are not found by
+  the default security queries, as well as identifying opportunities to improve
+  or add modeling of taint steps and sinks.
--- a/java/change-notes/2020-07-13-stacktraceexposure-fp-fix.md
+++ b/java/change-notes/2020-07-13-stacktraceexposure-fp-fix.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The query "Information exposure through a stack trace" (`java/stack-trace-exposure`) has been
+  improved to report fewer false positives when `super.printStackTrace()` is called
+  in an overridden method.
--- a/java/change-notes/2020-08-11-printwriter-format-xss-sink.md
+++ b/java/change-notes/2020-08-11-printwriter-format-xss-sink.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The query "Cross-site scripting" (`java/xss`) has been improved to recognize
+  `PrintWriter.format` as an XSS sink.
--- a/java/change-notes/2020-08-14-dataflow-dispatch-instance-arg-ctx.md
+++ b/java/change-notes/2020-08-14-dataflow-dispatch-instance-arg-ctx.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Virtual dispatch in data flow has been improved to take call-context-specific type
+  improvements to instance arguments into account. This improves precision for certain
+  code patterns involving heavy virtual dispatch.
--- a/java/change-notes/2020-08-17-string-formatted.md
+++ b/java/change-notes/2020-08-17-string-formatted.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The string format queries now recognize the Java 14 `String.formatted` method.
--- a/java/change-notes/2020-08-24-records-flow.md
+++ b/java/change-notes/2020-08-24-records-flow.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Data flow is now supported through Java 14 records.
--- a/java/change-notes/2020-08-31-extensible-security-queries.md
+++ b/java/change-notes/2020-08-31-extensible-security-queries.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Several security queries have been refactored to make them easier to extend with additional
+  sinks and/or taint steps. Sink definitions have generally been moved to importable libraries,
+  which can then be extended in `Customizations.qll`.
--- a/java/change-notes/2020-09-08-blockstmt.md
+++ b/java/change-notes/2020-09-08-blockstmt.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
--- a/java/change-notes/2020-09-17-exectainted-array.md
+++ b/java/change-notes/2020-09-17-exectainted-array.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The query "Uncontrolled command line" (`java/command-line-injection`) has
+  been improved to better distinguish between command injection and safe
+  command arguments.
--- a/java/change-notes/2020-09-21-jhipster-gen-prng-query.md
+++ b/java/change-notes/2020-09-21-jhipster-gen-prng-query.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* A new query "Detect JHipster Generator Vulnerability CVE-2019-16303"
+  (`java/jhipster-prng`) has been added. This query finds weak random number generators
+  in security-sensitive methods generated by a vulnerable version of JHipster.