Merge branch 'main' into atorralba/promote-jndi-injection

2026-04-25 08:45:14 +02:00 · 2021-06-16 15:34:37 +02:00
parent 58aa25ddc2 0ddeb7a8c1
commit bf2be6ec7c
1047 changed files with 28727 additions and 9038 deletions
--- a/java/change-notes/2021-03-10-guava-base.md
+++ b/java/change-notes/2021-03-10-guava-base.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Increased coverage of the Guava framework by modelling additional classes in the `com.google.common.base` package. This may result in more results for security queries on projects where the Guava framework is used. 
--- a/java/change-notes/2021-03-11-commons-strbuilder.md
+++ b/java/change-notes/2021-03-11-commons-strbuilder.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Apache Commons Lang and Commons Text StrBuilder class, and its successor TextStringBuilder.
--- a/java/change-notes/2021-03-18-commons-tostring-builder.md
+++ b/java/change-notes/2021-03-18-commons-tostring-builder.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added models for Apache Commons Lang's `ToStringBuilder` class. This may lead to more results from any data-flow query where ToStringBuilder operations fall between the relevant untrusted source and vulnerable sink.
--- a/java/change-notes/2021-05-04-jexl-injection-query.md
+++ b/java/change-notes/2021-05-04-jexl-injection-query.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Expression language injection (JEXL)" (`java/jexl-expression-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @artem-smotrakov](https://github.com/github/codeql/pull/4965)
--- a/java/change-notes/2021-05-14-close-resource-leaks-improvements.md
+++ b/java/change-notes/2021-05-14-close-resource-leaks-improvements.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Potential input resource leak" (`java/input-resource-leak`) and "Potential output resource leak" (`java/output-resource-leak`) queries no longer confuse `java.io` classes such as `Reader` with others that happen to share the same base name. Additionally the number of false positives has been reduced by recognizing `CharArrayReader` and `CharArrayWriter` as types that don't need to be closed.
--- a/java/change-notes/2021-05-20-savedrequest-taintsources.md
+++ b/java/change-notes/2021-05-20-savedrequest-taintsources.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Invocations of methods from `org.springframework.security.web.savedrequest.SavedRequest`
+  have been added as sources of tainted data for all security queries.
--- a/java/change-notes/2021-05-28-remove-senderror-xss-sink.md
+++ b/java/change-notes/2021-05-28-remove-senderror-xss-sink.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Cross-site scripting" (`java/xss`) has been improved to report fewer false positives by removing the `javax.servlet.http.HttpServletResponse.sendError` sink since Servlet API implementations generally already escape the error message, preventing script injection.
--- a/java/change-notes/2021-06-01-collection-flow.md
+++ b/java/change-notes/2021-06-01-collection-flow.md
@@ -0,0 +1,5 @@
+lgtm,codescanning
+* Data flow now tracks steps through collections and arrays more precisely.
+  That means that collection and array read steps are now matched up with
+  preceding store steps. This results in increased precision for all flow-based
+  queries, in particular most of the security queries.
--- a/java/change-notes/2021-06-01-statement-toString.md
+++ b/java/change-notes/2021-06-01-statement-toString.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The CodeQL predicate `toString()` has been overridden for subclasses of `Stmt` to be more descriptive.
--- a/java/change-notes/2021-06-11-tainted-key-read-steps.md
+++ b/java/change-notes/2021-06-11-tainted-key-read-steps.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Data flow now propagates taint from tainted Maps to read steps of their keys (e.g. `tainted.keySet()`).