hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.23.5
codeql/java/ql/lib/change-notes/released/3.0.0.md
github-actions[bot] 019da8c287 Release preparation for version 2.18.2
2024-08-07 14:02:38 +00:00

1.6 KiB
Raw Permalink Blame History

3.0.0

Breaking Changes

  • The Java and Kotlin extractors no longer support the SOURCE_ARCHIVE and TRAP_FOLDER legacy environment variable.

New Features

  • Java support for build-mode: none is now out of beta, and generally available.

Major Analysis Improvements

  • We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see Analyzing your code with CodeQL queries and Customizing your advanced setup for code scanning.

Minor Analysis Improvements

  • Added flow through some methods of the class java.net.URL by ensuring that the fields of a URL are tainted.
  • Added path-injection sinks for org.apache.tools.ant.taskdefs.Property.setFile and org.apache.tools.ant.taskdefs.Property.setResource.
  • Adds models for request handlers using the org.lastaflute.web web framework.