hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 14:52:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
f17afa8a11215308f736c67f82d07df893fb0803
codeql/java/ql/lib/CHANGELOG.md
Mathias Vorreiter Pedersen 1143b48338 Update java/ql/lib/CHANGELOG.md
2022-05-12 11:46:53 +01:00

189 lines
7.5 KiB
Markdown
Raw Blame History

## 0.2.1
### New Features
* A number of new classes and methods related to the upcoming Kotlin
support have been added. These are not yet stable, as Kotlin support
is still under development.
* `File::isSourceFile`
* `File::isJavaSourceFile`
* `File::isKotlinSourceFile`
* `Member::getKotlinType`
* `Element::isCompilerGenerated`
* `Expr::getKotlinType`
* `LambdaExpr::isKotlinFunctionN`
* `Callable::getReturnKotlinType`
* `Callable::getParameterKotlinType`
* `Method::isLocal`
* `Method::getKotlinName`
* `Field::getKotlinType`
* `Modifiable::isSealedKotlin`
* `Modifiable::isInternal`
* `Variable::getKotlinType`
* `LocalVariableDecl::getKotlinType`
* `Parameter::getKotlinType`
* `Parameter::isExtensionParameter`
* `Compilation` class
* `Diagnostic` class
* `KtInitializerAssignExpr` class
* `ValueEQExpr` class
* `ValueNEExpr` class
* `ValueOrReferenceEqualsExpr` class
* `ValueOrReferenceNotEqualsExpr` class
* `ReferenceEqualityTest` class
* `CastingExpr` class
* `SafeCastExpr` class
* `ImplicitCastExpr` class
* `ImplicitNotNullExpr` class
* `ImplicitCoercionToUnitExpr` class
* `UnsafeCoerceExpr` class
* `PropertyRefExpr` class
* `NotInstanceOfExpr` class
* `ExtensionReceiverAccess` class
* `WhenExpr` class
* `WhenBranch` class
* `ClassExpr` class
* `StmtExpr` class
* `StringTemplateExpr` class
* `NotNullExpr` class
* `TypeNullPointerException` class
* `KtComment` class
* `KtCommentSection` class
* `KotlinType` class
* `KotlinNullableType` class
* `KotlinNotnullType` class
* `KotlinTypeAlias` class
* `Property` class
* `DelegatedProperty` class
* `ExtensionMethod` class
* `KtInitializerNode` class
* `KtLoopStmt` class
* `KtBreakContinueStmt` class
* `KtBreakStmt` class
* `KtContinueStmt` class
* `ClassObject` class
* `CompanionObject` class
* `LiveLiteral` class
* `LiveLiteralMethod` class
* `CastConversionContext` renamed to `CastingConversionContext`
* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
### Minor Analysis Improvements
* Added models for the libraries OkHttp and Retrofit.
* Add taint models for the following `File` methods:
* `File::getAbsoluteFile`
* `File::getCanonicalFile`
* `File::getAbsolutePath`
* `File::getCanonicalPath`
* Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
* Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
## 0.2.0
### Breaking Changes
* The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
### Minor Analysis Improvements
* Improved the data flow support for the Android class `SharedPreferences$Editor`. Specifically, the fluent logic of some of its methods is now taken into account when calculating data flow.
* Added flow sources and steps for JMS versions 1 and 2.
* Added flow sources and steps for RabbitMQ.
* Added flow steps for `java.io.DataInput` and `java.io.ObjectInput` implementations.
* Added data-flow models for the Spring Framework component `spring-beans`.
### Bug Fixes
* The QL class `JumpStmt` has been made the superclass of `BreakStmt`, `ContinueStmt` and `YieldStmt`. This allows directly using its inherited predicates without having to explicitly cast to `JumpStmt` first.
## 0.1.0
### Breaking Changes
* The recently added flow-state versions of `isBarrierIn`, `isBarrierOut`, `isSanitizerIn`, and `isSanitizerOut` in the data flow and taint tracking libraries have been removed.
* The `getUrl` predicate of `DeclaredRepository` in `MavenPom.qll` has been renamed to `getRepositoryUrl`.
### New Features
* There are now QL classes ErrorExpr and ErrorStmt. These may be generated by upgrade or downgrade scripts when databases cannot be fully converted.
### Minor Analysis Improvements
* Added guard preconditon support for assertion methods for popular testing libraries (e.g. Junit 4, Junit 5, TestNG).
## 0.0.13
## 0.0.12
### Breaking Changes
* The flow state variants of `isBarrier` and `isAdditionalFlowStep` are no longer exposed in the taint tracking library. The `isSanitizer` and `isAdditionalTaintStep` predicates should be used instead.
### Deprecated APIs
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
The old name still exists as a deprecated alias.
### New Features
* The data flow and taint tracking libraries have been extended with versions of `isBarrierIn`, `isBarrierOut`, and `isBarrierGuard`, respectively `isSanitizerIn`, `isSanitizerOut`, and `isSanitizerGuard`, that support flow states.
### Minor Analysis Improvements
* Added new guards `IsWindowsGuard`, `IsSpecificWindowsVariant`, `IsUnixGuard`, and `IsSpecificUnixVariant` to detect OS specific guards.
* Added a new predicate `getSystemProperty` that gets all expressions that retrieve system properties from a variety of sources (eg. alternative JDK API's, Google Guava, Apache Commons, Apache IO, etc.).
* Added support for detection of SSRF via JDBC database URLs, including connections made using the standard library (`java.sql`), Hikari Connection Pool, JDBI and Spring JDBC.
* Re-removed support for `CharacterLiteral` from `CompileTimeConstantExpr.getStringValue()` to restore the convention that that predicate only applies to `String`-typed constants.
* All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
## 0.0.11
### New Features
* Added `hasDescendant(RefType anc, Type sub)`
* Added `RefType.getADescendant()`
* Added `RefType.getAStrictAncestor()`
### Minor Analysis Improvements
* Add support for `CharacterLiteral` in `CompileTimeConstantExpr.getStringValue()`
## 0.0.10
### New Features
* Added predicates `ClassOrInterface.getAPermittedSubtype` and `isSealed` exposing information about sealed classes.
## 0.0.9
## 0.0.8
### Deprecated APIs
* The `codeql/java-upgrades` CodeQL pack has been removed. All upgrades scripts have been merged into the `codeql/java-all` CodeQL pack.
## 0.0.7
## 0.0.6
### Major Analysis Improvements
* Data flow now propagates taint from remote source `Parameter` types to read steps of their fields (e.g. `tainted.publicField` or `tainted.getField()`). This also applies to their subtypes and the types of their fields, recursively.
## 0.0.5
### Bug Fixes
* `CharacterLiteral`'s `getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
* The `RangeAnalysis` module now properly handles comparisons with Unicode surrogate character literals.
## 0.0.4
### Bug Fixes
* `CharacterLiteral`'s `getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
* The `RangeAnalysis` module and the `java/constant-comparison` queries no longer raise false alerts regarding comparisons with Unicode surrogate character literals.
* The predicate `Method.overrides(Method)` was accidentally transitive. This has been fixed. This fix also affects `Method.overridesOrInstantiates(Method)` and `Method.getASourceOverriddenMethod()`.
Reference in New Issue View Git Blame Copy Permalink