hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
3a89f43cd6e7ec537ee5d938ce766fed8ab3a6ea
codeql/change-notes/1.25/analysis-javascript.md
Erik Krogh Kristensen ffdbe31a30 change-note
2020-05-04 09:08:46 +02:00

2.5 KiB
Raw Blame History

Improvements to JavaScript analysis

General improvements

  • Support for the following frameworks and libraries has been improved:

New queries

Query Tags Purpose
Cross-site scripting through DOM (js/xss-through-dom) security, external/cwe/cwe-079, external/cwe/cwe-116 Highlights potential XSS vulnerabilities where existing text from the DOM is used as HTML. Results are not shown on LGTM by default.
Incomplete HTML attribute sanitization (js/incomplete-html-attribute-sanitization) security, external/cwe/cwe-20, external/cwe/cwe-079, external/cwe/cwe-116 Highlights potential XSS vulnerabilities due to incomplete sanitization of HTML meta-characters. Results are shown on LGTM by default.

Changes to existing queries

Query Expected impact Change
Misspelled variable name (js/misspelled-variable-name) Message changed The message for this query now correctly identifies the misspelled variable in additional cases.
Uncontrolled data used in path expression (js/path-injection) More results This query now recognizes additional file system calls.
Uncontrolled command line (js/command-line-injection) More results This query now recognizes additional command execution calls.
Expression has no effect (js/useless-expression) Less results This query no longer flags an expression when that expression is the only content of the containing file.

Changes to libraries

  • Added data flow for Map and Set, and added matching type-tracking steps that can accessed using the CollectionsTypeTracking module.