- The `execTainted` predicate in `CommandLineQuery.qll` has been deprecated and replaced with the predicate `execIsTainted`.
- The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
- The `WebViewDubuggingQuery` library has been renamed to `WebViewDebuggingQuery` to fix the typo in the file name. `WebViewDubuggingQuery` is now deprecated.
- The predicates `Compilation.getExpandedArgument` and `Compilation.getAnExpandedArgument` have been added.
- Fixed a bug in the regular expression used to identify sensitive information in `SensitiveActions::getCommonSensitiveInfoRegex`. This may affect the results of the queries `java/android/sensitive-communication`, `java/android/sensitive-keyboard-cache`, and `java/sensitive-log`.
- Added a summary model for the `java.lang.UnsupportedOperationException(String)` constructor.
- The filenames embedded in `Compilation.toString()` now use `/` as the path separator on all platforms.
- Added models for the following packages:
  - `java.lang`
  - `java.net`
  - `java.nio.file`
  - `java.io`
  - `java.lang.module`
  - `org.apache.commons.httpclient.util`
  - `org.apache.commons.io`
  - `org.apache.http.client`
  - `org.eclipse.jetty.client`
  - `com.google.common.io`
  - `kotlin.io`
- Added the `TaintedPathQuery.qll` library to provide the `TaintedPathFlow` and `TaintedPathLocalFlow` taint-tracking modules to reason about tainted path vulnerabilities.
- Added the `ZipSlipQuery.qll` library to provide the `ZipSlipFlow` taint-tracking module to reason about zip-slip vulnerabilities.
- Added the `InsecureBeanValidationQuery.qll` library to provide the `BeanValidationFlow` taint-tracking module to reason about bean validation vulnerabilities.
- Added the `XssQuery.qll` library to provide the `XssFlow` taint-tracking module to reason about cross-site scripting vulnerabilities.
- Added the `LdapInjectionQuery.qll` library to provide the `LdapInjectionFlow` taint-tracking module to reason about LDAP injection vulnerabilities.
- Added the `ResponseSplittingQuery.qll` library to provide the `ResponseSplittingFlow` taint-tracking module to reason about response splitting vulnerabilities.
- Added the `ExternallyControlledFormatStringQuery.qll` library to provide the `ExternallyControlledFormatStringFlow` taint-tracking module to reason about externally controlled format string vulnerabilities.
- Improved the handling of addition in the range analysis. This can cause minor changes to the results produced by `java/index-out-of-bounds` and `java/constant-comparison`.
- A new Models as Data sink kind `command-injection` has been added. The queries `java/command-line-injection` and `java/concatenated-command-line` can now be extended using the `command-injection` Models as Data sink kind.
- Added more sink and summary dataflow models for the following packages:
  - `java.net`
  - `java.nio.file`
  - `javax.imageio.stream`
  - `javax.naming`
  - `javax.servlet`
  - `org.geogebra.web.full.main`
  - `hudson`
  - `hudson.cli`
  - `hudson.lifecycle`
  - `hudson.model`
  - `hudson.scm`
  - `hudson.util`
  - `hudson.util.io`
- Added the extensible abstract class `JndiInjectionSanitizer`. This class can now be extended to add more sanitizers to the `java/jndi-injection` query.
- Added a summary model for the `nativeSQL` method of the `java.sql.Connection` interface.
- Added sink and summary dataflow models for the Jenkins and Netty frameworks.
- The Models as Data syntax for selecting the qualifier has been changed from `-1` to `this` (e.g. `Argument[-1]` is now written as `Argument[this]`).
- Added sources and flow step models for the Netty framework up to version 4.1.
- Added more dataflow models for frequently-used JDK APIs.
- Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, `DataFlow::hasFlowPath`, `DataFlow::hasFlow`, `DataFlow::hasFlowTo`, and `DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
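As an added example (not part of this changelog or of the CodeQL repository), the following data extension uses both Models as Data changes above: the new `command-injection` sink kind and the `Argument[this]` qualifier syntax. The classes `com.example.shell.Shell` and `com.example.shell.CommandBuilder` are hypothetical, and the row layout assumes the `sinkModel` and `summaryModel` columns including a trailing provenance column.

```yaml
# Added example, not from the changelog. Hypothetical library com.example.shell.
extensions:
  # Sink model: the string passed to Shell.run(String) is executed as an OS
  # command, so it is tagged with the new "command-injection" sink kind. The
  # java/command-line-injection and java/concatenated-command-line queries will
  # then report untrusted data flowing into this argument.
  # Columns: package, type, subtypes, name, signature, ext, input, kind, provenance
  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      - ["com.example.shell", "Shell", True, "run", "(String)", "", "Argument[0]", "command-injection", "manual"]

  # Summary model: CommandBuilder.arg(String) appends its argument to the builder
  # and returns the builder, so taint on Argument[0] reaches the qualifier, and
  # the qualifier is returned unchanged. The qualifier is written Argument[this]
  # (previously Argument[-1]).
  # Columns: package, type, subtypes, name, signature, ext, input, output, kind, provenance
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
    data:
      - ["com.example.shell", "CommandBuilder", True, "arg", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["com.example.shell", "CommandBuilder", True, "arg", "(String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
```

Save this as a `.yml` file referenced by a `dataExtensions` entry in a query pack's `qlpack.yml` so the models are picked up when the queries run.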