Merge pull request #5881 from haby0/java/UnsafeDeserialization

Java: CWE-502 Add UnsafeDeserialization sinks
2026-04-26 17:25:19 +02:00 · 2021-06-17 12:36:34 +02:00
parent 8fe2f4a554 363ad5b470
commit 6ca8d69b26
39 changed files with 2073 additions and 3 deletions
--- a/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
+++ b/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
+  now recognizes `JYaml`, `JsonIO`, `YAMLBeans`, `Castor`, `Hessian` and `Burlap` deserialization.