hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
alexet/avoid-path-node-java
codeql/java/ql/lib/change-notes/released/0.6.3.md
Jeroen Ketema bff11c3d23 Apply suggestions from code review
2023-06-08 22:33:50 +02:00

58 lines
2.7 KiB
Markdown
Raw Permalink Blame History

## 0.6.3
### New Features
* Kotlin versions up to 1.9.0 are now supported.
### Minor Analysis Improvements
* Added flow through the block arguments of `kotlin.io.use` and `kotlin.with`.
* Added models for the following packages:
* com.alibaba.druid.sql
* com.fasterxml.jackson.databind
* com.jcraft.jsch
* io.netty.handler.ssl
* okhttp3
* org.antlr.runtime
* org.fusesource.leveldbjni
* org.influxdb
* org.springframework.core.io
* org.yaml.snakeyaml
* Deleted the deprecated `getRHS` predicate from the `LValue` class, use `getRhs` instead.
* Deleted the deprecated `getCFGNode` predicate from the `SsaVariable` class, use `getCfgNode` instead.
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
* Added models for the following packages:
* java.lang
* java.nio.file
* Added dataflow models for the Gson deserialization library.
* Added models for the following packages:
* okhttp3
* Added more dataflow models for the Play Framework.
* Modified the models related to `java.nio.file.Files.copy` so that generic `[Input|Output]Stream` arguments are not considered file-related sinks.
* Dataflow analysis has a new flow step through constructors of transitive subtypes of `java.io.InputStream` that wrap an underlying data source. Previously, the step only existed for direct subtypes of `java.io.InputStream`.
* Path creation sinks modeled in `PathCreation.qll` have been added to the models-as-data sink kind `path-injection`.
* Updated the regular expression in the `HostnameSanitizer` sanitizer in the `semmle.code.java.security.RequestForgery` library to better detect strings prefixed with a hostname.
* Changed the `android-widget` Java source kind to `remote`. Any custom data extensions that use the `android-widget` source kind will need to be updated accordingly in order to continue working.
* Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
* `sql` to `sql-injection`
* `url-redirect` to `url-redirection`
* `xpath` to `xpath-injection`
* `ssti` to `template-injection`
* `logging` to `log-injection`
* `groovy` to `groovy-injection`
* `jexl` to `jexl-injection`
* `mvel` to `mvel-injection`
* `xslt` to `xslt-injection`
* `ldap` to `ldap-injection`
* `pending-intent-sent` to `pending-intents`
* `intent-start` to `intent-redirection`
* `set-hostname-verifier` to `hostname-verification`
* `header-splitting` to `response-splitting`
* `xss` to `html-injection` and `js-injection`
* `write-file` to `file-system-store`
* `create-file` and `read-file` to `path-injection`
* `open-url` and `jdbc-url` to `request-forgery`
Reference in New Issue View Git Blame Copy Permalink