## 0.0.13 ## 0.0.12 ### Breaking Changes * The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead. ### Deprecated APIs * Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias. ### New Features * The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states. ### Minor Analysis Improvements * Added new guards `IsWindowsGuard`, `IsSpecificWindowsVariant`, `IsUnixGuard`, and `IsSpecificUnixVariant` to detect OS specific guards. * Added a new predicate `getSystemProperty` that gets all expressions that retrieve system properties from a variety of sources (eg. alternative JDK API's, Google Guava, Apache Commons, Apache IO, etc.). * Added support for detection of SSRF via JDBC database URLs, including connections made using the standard library (`java.sql`), Hikari Connection Pool, JDBI and Spring JDBC. * Re-removed support for `CharacterLiteral` from `CompileTimeConstantExpr.getStringValue()` to restore the convention that that predicate only applies to `String`-typed constants. * All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted. ## 0.0.11 ### New Features * Added `hasDescendant(RefType anc, Type sub)` * Added `RefType.getADescendant()` * Added `RefType.getAStrictAncestor()` ### Minor Analysis Improvements * Add support for `CharacterLiteral` in `CompileTimeConstantExpr.getStringValue()` ## 0.0.10 ### New Features * Added predicates `ClassOrInterface.getAPermittedSubtype` and `isSealed` exposing information about sealed classes. ## 0.0.9 ## 0.0.8 ### Deprecated APIs * The `codeql/java-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the `codeql/java-all` CodeQL pack. ## 0.0.7 ## 0.0.6 ### Major Analysis Improvements * Data flow now propagates taint from remote source `Parameter` types to read steps of their fields (e.g. `tainted.publicField` or `tainted.getField()`). This also applies to their subtypes and the types of their fields, recursively. ## 0.0.5 ### Bug Fixes * `CharacterLiteral`'s `getCodePointValue` predicate now returns the correct value for UTF-16 surrogates. * The `RangeAnalysis` module now properly handles comparisons with Unicode surrogate character literals. ## 0.0.4 ### Bug Fixes * `CharacterLiteral`'s `getCodePointValue` predicate now returns the correct value for UTF-16 surrogates. * The `RangeAnalysis` module and the `java/constant-comparison` queries no longer raise false alerts regarding comparisons with Unicode surrogate character literals. * The predicate `Method.overrides(Method)` was accidentally transitive. This has been fixed. This fix also affects `Method.overridesOrInstantiates(Method)` and `Method.getASourceOverriddenMethod()`.