codeql/java/ql/lib/change-notes/released/0.4.0.md

0.4.0

Breaking Changes

• The Member.getQualifiedName() predicate result now includes the qualified name of the declaring type.

Deprecated APIs

• The predicate Annotation.getAValue() has been deprecated because it might lead to obtaining the value of the wrong annotation element by accident. getValue(string) (or one of the value type specific predicates) should be used to explicitly specify the name of the annotation element.
• The predicate Annotation.getAValue(string) has been renamed to getAnArrayValue(string).
• The predicate SuppressWarningsAnnotation.getASuppressedWarningLiteral() has been deprecated because it unnecessarily restricts the result type; getASuppressedWarning() should be used instead.
• The predicates TargetAnnotation.getATargetExpression() and RetentionAnnotation.getRetentionPolicyExpression() have been deprecated because getting the enum constant read expression is rarely useful, instead the corresponding predicates for getting the name of the referenced enum constants should be used.

New Features

• Added a new predicate, allowsBackup, in the AndroidApplicationXmlElement class. This predicate detects if the application element does not disable the android:allowBackup attribute.
• The predicates of the CodeQL class Annotation have been improved:
  • Convenience value type specific predicates have been added, such as getEnumConstantValue(string) or getStringValue(string).
  • Convenience predicates for elements with array values have been added, such as getAnEnumConstantArrayValue(string). While the behavior of the existing predicates has not changed, usage of them should be reviewed (or replaced with the newly added predicate) to make sure they work correctly for elements with array values.
  • Some internal CodeQL usage of the Annotation predicates has been adjusted and corrected; this might affect the results of some queries.
• New predicates have been added to the CodeQL class Annotatable to support getting declared and associated annotations. As part of that, hasAnnotation() has been changed to also consider inherited annotations, to be consistent with hasAnnotation(string, string) and getAnAnnotation(). The newly added predicate hasDeclaredAnnotation() can be used as replacement for the old functionality.
• New predicates have been added to the CodeQL class AnnotationType to simplify getting information about usage of JDK meta-annotations, such as @Retention.

Major Analysis Improvements

• The virtual dispatch relation used in data flow now favors summary models over source code for dispatch to interface methods from java.util unless there is evidence that a specific source implementation is reachable. This should provide increased precision for any projects that include, for example, custom List or Map implementations.

Minor Analysis Improvements

• Added new sinks to the query java/android/implicit-pendingintents to take into account the classes androidx.core.app.NotificationManagerCompat and androidx.core.app.AlarmManagerCompat.
• Added new flow steps for androidx.core.app.NotificationCompat and its inner classes.
• Added flow sinks, sources and summaries for the Kotlin standard library.
• Added flow summary for org.springframework.data.repository.CrudRepository.save().
• Added new flow steps for the following Android classes:
  • android.content.ContentResolver
  • android.content.ContentProviderClient
  • android.content.ContentProviderOperation
  • android.content.ContentProviderOperation$Builder
  • android.content.ContentProviderResult
  • android.database.Cursor
• Added taint flow models for the java.lang.String.(charAt|getBytes) methods.
• Improved taint flow models for the java.lang.String.(replace|replaceFirst|replaceAll) methods. Additional results may be found where users do not properly sanitize their inputs.

Bug Fixes

• Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.