codeql/java/ql/src/change-notes/released/1.1.2.md
2024-08-07 14:02:38 +00:00


1.1.2

Minor Analysis Improvements

  • Variable names containing the string "tokenizer" (case-insensitively) are no longer sources for the java/sensitive-log query. They normally relate to things like java.util.StringTokenizer, which are not sensitive information. This should fix some false positive alerts.
  • The query "Unused classes and interfaces" (java/unused-reference-type) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with @Test.
  • Alerts about exposing exception.getMessage() in servlet responses are now split out of java/stack-trace-exposure into their own query, java/error-message-exposure.
  • Added the extensible abstract class SensitiveLoggerSource. This class can now be extended to add more sources to the java/sensitive-log query or to override the defaults for customization.
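The following is an added illustration of the pattern the new java/error-message-exposure query (third item above) is meant to flag; it is constructed for this note and is not code from the CodeQL repository. The class and method names are made up; the servlet API calls are standard javax.servlet. The first servlet copies the caught exception's message into the HTTP response, the second keeps that detail in the server log and returns a fixed message to the client.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example (not from the CodeQL repository) showing the
// java/error-message-exposure pattern and a hardened counterpart.
public class ErrorMessageExposureExample {

    // BAD: exception.getMessage() flows into the servlet response, so internal
    // detail (parser input, class names, library versions) reaches the client.
    public static class LeakyServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            try {
                int id = Integer.parseInt(req.getParameter("id"));
                resp.getWriter().println("record " + id);
            } catch (Exception e) {
                // This is the sink the query reports.
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
            }
        }
    }

    // GOOD: the exception detail stays server-side in the log; the client
    // receives only a generic, fixed error message.
    public static class SafeServlet extends HttpServlet {
        private static final Logger LOG = Logger.getLogger(SafeServlet.class.getName());

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            try {
                int id = Integer.parseInt(req.getParameter("id"));
                resp.getWriter().println("record " + id);
            } catch (Exception e) {
                // Full detail for operators, nothing exception-specific for the client.
                LOG.log(Level.WARNING, "request failed", e);
                resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                               "Request could not be processed.");
            }
        }
    }
}
```

Only the LeakyServlet branch should produce a java/error-message-exposure alert; SafeServlet passes a constant string to sendError, so there is no flow from getMessage() to the response.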