mirror of
https://github.com/github/codeql.git
synced 2025-12-17 01:03:14 +01:00
27 lines
1.8 KiB
Markdown
# Improvements to JavaScript analysis
## General improvements
* Support for the following frameworks and libraries has been improved:
  - [firebase](https://www.npmjs.com/package/firebase)
* The call graph has been improved to resolve method calls in more cases. This may produce more security alerts.
## New queries
| **Query** | **Tags** | **Purpose** |
|---------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|--------------------------------|------------------------------|---------------------------------------------------------------------------|
| Incomplete string escaping or encoding (`js/incomplete-sanitization`) | Fewer false-positive results | This rule now recognizes additional ways delimiters can be stripped away. |
| Client-side cross-site scripting (`js/xss`) | More results | More potential vulnerabilities involving functions that manipulate DOM attributes are now recognized. |
| Prototype pollution (`js/prototype-pollution`) | Same results | The results are now shown on LGTM by default. |
## Changes to QL libraries
* `Expr.getDocumentation()` now handles chain assignments.