codeql/java/ql/lib/change-notes/released/0.6.0.md

0.6.0

Deprecated APIs

• The execTainted predicate in CommandLineQuery.qll has been deprecated and replaced with the predicate execIsTainted.
• The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
• The WebViewDubuggingQuery library has been renamed to WebViewDebuggingQuery to fix the typo in the file name. WebViewDubuggingQuery is now deprecated.

New Features

• Predicates Compilation.getExpandedArgument and Compilation.getAnExpandedArgument has been added.

Minor Analysis Improvements

• Fixed a bug in the regular expression used to identify sensitive information in SensitiveActions::getCommonSensitiveInfoRegex. This may affect the results of the queries java/android/sensitive-communication, java/android/sensitive-keyboard-cache, and java/sensitive-log.
• Added a summary model for the java.lang.UnsupportedOperationException(String) constructor.
• The filenames embedded in Compilation.toString() now use / as the path separator on all platforms.
• Added models for the following packages:
  • java.lang
  • java.net
  • java.nio.file
  • java.io
  • java.lang.module
  • org.apache.commons.httpclient.util
  • org.apache.commons.io
  • org.apache.http.client
  • org.eclipse.jetty.client
  • com.google.common.io
  • kotlin.io
• Added the TaintedPathQuery.qll library to provide the TaintedPathFlow and TaintedPathLocalFlow taint-tracking modules to reason about tainted path vulnerabilities.
• Added the ZipSlipQuery.qll library to provide the ZipSlipFlow taint-tracking module to reason about zip-slip vulnerabilities.
• Added the InsecureBeanValidationQuery.qll library to provide the BeanValidationFlow taint-tracking module to reason about bean validation vulnerabilities.
• Added the XssQuery.qll library to provide the XssFlow taint-tracking module to reason about cross site scripting vulnerabilities.
• Added the LdapInjectionQuery.qll library to provide the LdapInjectionFlow taint-tracking module to reason about LDAP injection vulnerabilities.
• Added the ResponseSplittingQuery.qll library to provide the ResponseSplittingFlow taint-tracking module to reason about response splitting vulnerabilities.
• Added the ExternallyControlledFormatStringQuery.qll library to provide the ExternallyControlledFormatStringFlow taint-tracking module to reason about externally controlled format string vulnerabilities.
• Improved the handling of addition in the range analysis. This can cause in minor changes to the results produced by java/index-out-of-bounds and java/constant-comparison.
• A new models as data sink kind command-injection has been added.
• The queries java/command-line-injection and java/concatenated-command-line now can be extended using the command-injection models as data sink kind.
• Added more sink and summary dataflow models for the following packages:
  • java.net
  • java.nio.file
  • javax.imageio.stream
  • javax.naming
  • javax.servlet
  • org.geogebra.web.full.main
  • hudson
  • hudson.cli
  • hudson.lifecycle
  • hudson.model
  • hudson.scm
  • hudson.util
  • hudson.util.io
• Added the extensible abstract class JndiInjectionSanitizer. Now this class can be extended to add more sanitizers to the java/jndi-injection query.
• Added a summary model for the nativeSQL method of the java.sql.Connection interface.
• Added sink and summary dataflow models for the Jenkins and Netty frameworks.
• The Models as Data syntax for selecting the qualifier has been changed from -1 to this (e.g. Argument[-1] is now written as Argument[this]).
• Added sources and flow step models for the Netty framework up to version 4.1.
• Added more dataflow models for frequently-used JDK APIs.

Bug Fixes

• Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular DataFlow::hasFlowPath, DataFlow::hasFlow, DataFlow::hasFlowTo, and DataFlow::hasFlowToExpr were accidentally exposed in a single version.