hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
7ef611e6dc6077aa26638acecae43c2f59083513
codeql/java/ql/lib/change-notes/released/0.8.7.md
github-actions[bot] 7ef611e6dc Release preparation for version 2.16.1
2024-01-23 19:45:16 +00:00

1.5 KiB
Raw Blame History

0.8.7

New Features

  • Added a new library semmle.code.java.security.Sanitizers which contains a new sanitizer class SimpleTypeSanitizer, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
  • Converted definitions of isBarrier and sanitizer classes to use SimpleTypeSanitizer instead of checking if node.getType() is PrimitiveType or BoxedType.

Minor Analysis Improvements

  • Deleted many deprecated predicates and classes with uppercase EJB, JMX, NFE, DNS etc. in their names. Use the PascalCased versions instead.
  • Deleted the deprecated semmle/code/java/security/OverlyLargeRangeQuery.qll, semmle/code/java/security/regexp/ExponentialBackTracking.qll, semmle/code/java/security/regexp/NfaUtils.qll, and semmle/code/java/security/regexp/NfaUtils.qll files.
  • Improved models for java.lang.Throwable and java.lang.Exception, and the valueOf method of java.lang.String.
  • Added taint tracking for the following GSON methods:
    • com.google.gson.stream.JsonReader constructor
    • com.google.gson.stream.JsonWriter constructor
    • com.google.gson.JsonObject.getAsJsonArray
    • com.google.gson.JsonObject.getAsJsonObject
    • com.google.gson.JsonObject.getAsJsonPrimitive
    • com.google.gson.JsonParser.parseReader
    • com.google.gson.JsonParser.parseString
  • Added a dataflow model for java.awt.Desktop.browse(URI).

Bug Fixes

  • Fixed regular expressions containing flags not being parsed correctly in some cases.