- Kotlin versions up to 1.9.0 are now supported.
-
Added flow through the block arguments of
kotlin.io.use
andkotlin.with
. -
Added models for the following packages:
- com.alibaba.druid.sql
- com.fasterxml.jackson.databind
- com.jcraft.jsch
- io.netty.handler.ssl
- okhttp3
- org.antlr.runtime
- org.fusesource.leveldbjni
- org.influxdb
- org.springframework.core.io
- org.yaml.snakeyaml
-
Deleted the deprecated
getRHS
predicate from theLValue
class, usegetRhs
instead. -
Deleted the deprecated
getCFGNode
predicate from theSsaVariable
class, usegetCfgNode
instead. -
Deleted many deprecated predicates and classes with uppercase
XML
,JSON
,URL
,API
, etc. in their names. Use the PascalCased versions instead. -
Added models for the following packages:
- java.lang
- java.nio.file
-
Added dataflow models for the Gson deserialization library.
-
Added models for the following packages:
- okhttp3
-
Added more dataflow models for the Play Framework.
-
Modified the models related to
java.nio.file.Files.copy
so that generic[Input|Output]Stream
arguments are not considered file-related sinks. -
Dataflow analysis has a new flow step through constructors of transitive subtypes of
java.io.InputStream
that wrap an underlying data source. Previously, the step only existed for direct subtypes ofjava.io.InputStream
. -
Path creation sinks modeled in
PathCreation.qll
have been added to the models-as-data sink kindpath-injection
. -
Updated the regular expression in the
HostnameSanitizer
sanitizer in thesemmle.code.java.security.RequestForgery
library to better detect strings prefixed with a hostname. -
Changed the
android-widget
Java source kind toremote
. Any custom data extensions that use theandroid-widget
source kind will need to be updated accordingly in order to continue working. -
Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
sql
tosql-injection
url-redirect
tourl-redirection
xpath
toxpath-injection
ssti
totemplate-injection
logging
tolog-injection
groovy
togroovy-injection
jexl
tojexl-injection
mvel
tomvel-injection
xslt
toxslt-injection
ldap
toldap-injection
pending-intent-sent
topending-intents
intent-start
tointent-redirection
set-hostname-verifier
tohostname-verification
header-splitting
toresponse-splitting
xss
tohtml-injection
andjs-injection
write-file
tofile-system-store
create-file
andread-file
topath-injection
open-url
andjdbc-url
torequest-forgery