hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
9d65b5f85c2c1027ca89250ac7bea9f7f8f4668c
codeql/java/ql/lib/change-notes/released/7.1.2.md
Jon Janego b9841dccfb Fixing more upstream typos
2025-05-19 16:45:08 -05:00

1.6 KiB
Raw Blame History

7.1.2

Minor Analysis Improvements

  • Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it.
  • Added a path injection sanitizer for calls to java.lang.String.matches, java.lang.String.replace, and java.lang.String.replaceAll that make sure /, \\, .. are not in the path.

Bug Fixes

  • In build-mode: none where the project has a Gradle build system, database creation no longer attempts to download some non-existent jar files relating to non-jar Maven artifacts, such as BOMs. This was harmless, but saves some time and reduces spurious warnings.
  • Java extraction no longer freezes for a long time or times out when using libraries that feature expanding cyclic generic types. For example, this was known to occur when using some classes from the Blazebit Persistence library.
  • Java build-mode none no longer fails when a required version of Gradle cannot be downloaded using the gradle wrapper command, such as due to a firewall. It will now attempt to use the system version of Gradle if present, or otherwise proceed without detailed dependency information.
  • Java build-mode none no longer fails when a required version of Maven cannot be downloaded, such as due to a firewall. It will now attempt to use the system version of Maven if present, or otherwise proceed without detailed dependency information.
  • Java build-mode none now correctly uses Maven dependency information on Windows platforms.