hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-21 18:34:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
3bfcf0bf461b153cb67e2157f080434b4e9bd793
codeql/change-notes/1.24/analysis-java.md
yo-h 563be9f817 Merge pull request #2719 from aschackmull/java/deprecate-parexpr 
Java: Deprecate ParExpr
2020-01-30 18:23:13 -05:00

3.2 KiB
Raw Blame History

Improvements to Java analysis

The following changes in version 1.24 affect Java analysis in all applications.

General improvements

  • Alert suppression can now be done with single-line block comments (/* ... */) as well as line comments (// ...).

New queries

Query Tags Purpose
Disabled Spring CSRF protection (java/spring-disabled-csrf-protection) security, external/cwe/cwe-352 Finds disabled Cross-Site Request Forgery (CSRF) protection in Spring.
Failure to use HTTPS or SFTP URL in Maven artifact upload/download (java/maven/non-https-url) security, external/cwe/cwe-300, external/cwe/cwe-319, external/cwe/cwe-494, external/cwe/cwe-829 Finds use of insecure protocols during Maven dependency resolution. Results are shown on LGTM by default.
Left shift by more than the type width (java/lshift-larger-than-type-width) correctness Finds left shifts of ints by 32 bits or more and left shifts of longs by 64 bits or more. Results are shown on LGTM by default.
Suspicious date format (java/suspicious-date-format) correctness Finds date format patterns that use placeholders that are likely to be incorrect.

Changes to existing queries

Query Expected impact Change
Dereferenced variable may be null (java/dereferenced-value-may-be-null) Fewer false positives Final fields with a non-null initializer are no longer reported.
Expression always evaluates to the same value (java/evaluation-to-constant) Fewer false positives Expressions of the form 0 * x are usually intended and no longer reported. Also left shift of ints by 32 bits and longs by 64 bits are no longer reported as they are not constant, these results are instead reported by the new query java/lshift-larger-than-type-width.
Useless null check (java/useless-null-check) More true positives Useless checks on final fields with a non-null initializer are now reported.

Changes to libraries

  • The data-flow library has been improved when flow through methods needs to be combined with both taint tracking and flow through fields allowing more flow to be tracked. This affects and improves most security queries, which may report additional results.
  • Identification of test classes has been improved. Previously, one of the match conditions would classify any class with a name containing the string "Test" as a test class, but now this matching has been replaced with one that looks for the occurrence of actual unit-test annotations. This affects the general file classification mechanism and thus suppression of alerts, and also any security queries using taint tracking, as test classes act as default barriers stopping taint flow.
  • Parentheses are now no longer modelled directly in the AST, that is, the ParExpr class is empty. Instead, a parenthesized expression can be identified with the Expr.isParenthesized() member predicate.