From 5be8576ee2901059155f913a31191dbfe1c5cb0e Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Thu, 6 Jun 2019 18:48:23 +0100 Subject: [PATCH] Minor text updates --- change-notes/1.21/analysis-java.md | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/change-notes/1.21/analysis-java.md b/change-notes/1.21/analysis-java.md index 2b71148b3a4..b3ccee73c78 100644 --- a/change-notes/1.21/analysis-java.md +++ b/change-notes/1.21/analysis-java.md @@ -1,10 +1,5 @@ # Improvements to Java analysis -## New queries - -| **Query** | **Tags** | **Purpose** | -|-----------------------------|-----------|--------------------------------------------------------------------| - ## Changes to existing queries | **Query** | **Expected impact** | **Change** | 
@@ -19,14 +14,13 @@ `checkArgument` and `checkState` methods in `com.google.common.base.Preconditions`, the `isTrue` and `validState` methods in `org.apache.commons.lang3.Validate`, as well as any similar custom - methods. This means that more guards are recognized yielding precision - improvements in a number of queries including `java/index-out-of-bounds`, + methods. This means that more guards are recognized which improves the precision of a number of queries including `java/index-out-of-bounds`, `java/dereferenced-value-may-be-null`, and `java/useless-null-check`. * The default sanitizer in taint tracking has been made more precise. The - sanitizer works by looking for guards that inspect tainted strings, and it - used to work at the level of individual variables. This has been changed to - use the `Guards` library, such that only guarded variable accesses are - sanitized. This may give additional results in the security queries. -* Spring framework support is enhanced by taking into account additional + sanitizer works by looking for guards that inspect tainted strings. It + previously worked at the level of individual variables. Now it + uses the `Guards` library, such that only guarded variable accesses are + sanitized. This may give additional results for security queries. +* Spring framework support now takes into account additional annotations that indicate remote user input. This affects all security - queries, which may yield additional results. + queries, which may give additional results.
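Review bot: In the first hunk (`@@ -1,10 +1,5 @@`), removing the "New queries" section is the right call since its table has a header row and separator but no entries, so it rendered as an empty table; one point to confirm is whether the other 1.21 change-notes files keep the heading as a placeholder, because after this change the Java note no longer says anything about new queries at all, and a reader comparing language notes may read the missing section as an omission rather than as "none this release".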
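Review bot: In the second hunk (`@@ -19,14 +14,13 @@`), the new line "methods. This means that more guards are recognized which improves the precision of a number of queries including `java/index-out-of-bounds`," is well over the wrap width used by every surrounding line in this file, so it should be re-wrapped to match; while rewrapping, "recognized which improves" reads better with a comma ("recognized, which improves"). The remaining rewordings ("It previously worked ... Now it uses ...", "may give additional results") are clear and consistent with the rest of the note.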