mirror of
https://github.com/github/codeql.git
synced 2025-12-17 17:23:36 +01:00
20 lines
1.6 KiB
Markdown
20 lines
1.6 KiB
Markdown
## 3.0.0
|
|
|
|
### Breaking Changes
|
|
|
|
* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable.
|
|
|
|
### New Features
|
|
|
|
* Java support for `build-mode: none` is now out of beta, and generally available.
|
|
|
|
### Major Analysis Improvements
|
|
|
|
* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
|
|
|
|
### Minor Analysis Improvements
|
|
|
|
* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.
|
|
* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`.
|
|
* Adds models for request handlers using the `org.lastaflute.web` web framework.
|