codeql/java/ql/lib/change-notes/released/7.4.0.md
2025-07-23 10:38:57 +01:00
7.4.0

Deprecated APIs

  • The module semmle.code.java.frameworks.Castor has been deprecated and will be removed in a future release.
  • The module semmle.code.java.frameworks.JYaml has been deprecated and will be removed in a future release.
  • The classes UnsafeHessianInputReadObjectMethod and BurlapInputReadObjectMethod in the module semmle.code.java.frameworks.HessianBurlap have been deprecated and will be removed in a future release.
  • The class YamlBeansReaderReadMethod in the module semmle.code.java.frameworks.YamlBeans has been deprecated and will be removed in a future release.
  • The class MethodApacheSerializationUtilsDeserialize in the module semmle.code.java.frameworks.apache.Lang has been deprecated and will be removed in a future release.

New Features

  • You can now add sinks for the query "Deserialization of user-controlled data" (java/unsafe-deserialization) using data extensions by extending sinkModel and using the kind "unsafe-deserialization". The existing sinks that do not require extra logic to determine if they are unsafe are now defined in this way.
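
As an added example (not part of the change note or of the CodeQL packs), a data extension file that registers extra sinks for java/unsafe-deserialization through the sinkModel extensible. The package, class and method names are constructed placeholders for a hypothetical library; only the pack name, the extensible name, the column layout and the kind are real.

```yaml
# Data extension for the codeql/java-all pack. Each sinkModel row has the columns:
#   package, type, subtypes, name, signature, ext, input, kind, provenance
# Place the file in a model pack (or next to your queries) and the query
# "Deserialization of user-controlled data" picks up the new sinks.
extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      # Hypothetical concrete class: data flowing into the first argument of
      # decode(byte[]) is treated as an unsafe deserialization sink.
      - ["com.example.wire", "BlobDecoder", False, "decode", "(byte[])", "", "Argument[0]", "unsafe-deserialization", "manual"]
      # Hypothetical interface: subtypes=True makes the row apply to every
      # implementation of Reader#readValue, not only the interface itself.
      - ["com.example.wire", "Reader", True, "readValue", "(java.io.InputStream)", "", "Argument[0]", "unsafe-deserialization", "manual"]
      # Hypothetical stream wrapper: the tainted value is the qualifier
      # (the stream being read from), so the input is Argument[this].
      - ["com.example.wire", "ObjectBlobInput", True, "readBlob", "()", "", "Argument[this]", "unsafe-deserialization", "manual"]
```

The `Argument[this]` row mirrors how the built-in sinks model readObject on a stream: the untrusted bytes arrive through the qualifier rather than through a parameter.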

Minor Analysis Improvements

  • The qualifiers of calls to readObject on any class that implements java.io.ObjectInput are now recognised as sinks for java/unsafe-deserialization. Previously this was only the case for classes that extend java.io.ObjectInputStream.