- A `Diagnostic.getCompilationInfo()` predicate has been added.
- Fixed a typo in the `StdlibRandomSource` class in `RandomDataSource.qll`, which caused the class to improperly model calls to the `nextBytes` method. Queries relying on `StdlibRandomSource` may see an increase in results.
- Improved the precision of virtual dispatch of `java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of `InputStream` if there is a high-confidence alternative (like a models-as-data summary).
- Added more dataflow steps for `java.io.InputStream`s that wrap other `java.io.InputStream`s.
- Added models for the Struts 2 framework.
- Improved the modeling of Struts 2 sources of untrusted data by tainting the whole object graph of the objects unmarshaled from an HTTP request.
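The following Java file is an added illustration, not code from the CodeQL changelog or the codeql repository. It shows the three source-code patterns the `InputStream` and `StdlibRandomSource` entries above refer to: a user-defined `InputStream` subclass (the kind of "arbitrary implementation" that virtual dispatch no longer falls back to when a models-as-data summary is available), a chain of JDK streams wrapping a socket stream (the wrap steps that data now flows through), and a `java.util.Random.nextBytes` call whose filled array is the random output the fixed class models. The class and method names are illustrative; which calls a given query treats as a source or sink is determined by the library, not by this file.

```java
// Added example: Java patterns that the updated CodeQL Java library models.
// Names such as CountingInputStream, readLineFromPeer and weakToken are
// illustrative and do not come from the CodeQL project.
import java.io.BufferedInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.Random;

public class InputStreamModelsDemo {

    // A custom InputStream implementation. Before the dispatch improvement, a
    // call such as in.read() on a value of static type InputStream could be
    // resolved to this read() as well, even when a higher-confidence target
    // (a models-as-data summary for the JDK class) was available.
    static class CountingInputStream extends InputStream {
        private final InputStream in;
        long count;

        CountingInputStream(InputStream in) {
            this.in = in;
        }

        @Override
        public int read() throws IOException {
            int b = in.read();
            if (b >= 0) {
                count++;
            }
            return b;
        }
    }

    // Bytes from a remote peer pass through two wrapping InputStreams before
    // they are read. The added wrap steps are what let data flow from the
    // socket stream, through BufferedInputStream and DataInputStream, into
    // buf and the returned String.
    static String readLineFromPeer(Socket socket) throws IOException {
        InputStream raw = socket.getInputStream();            // untrusted bytes
        InputStream buffered = new BufferedInputStream(raw);  // wraps raw
        DataInputStream data = new DataInputStream(buffered); // wraps buffered
        byte[] buf = new byte[256];
        int n = data.read(buf);                               // fills buf from the chain
        return new String(buf, 0, Math.max(n, 0), StandardCharsets.UTF_8);
    }

    // java.util.Random.nextBytes fills its argument instead of returning a
    // value, so the random output is the array, not a return value. The
    // StdlibRandomSource fix is what makes this call modeled correctly; using
    // the result as a token or key is the weakness randomness queries report.
    static byte[] weakToken() {
        byte[] token = new byte[16];
        new Random().nextBytes(token); // modeled output: token
        return token;
    }
}
```

Running the Java security queries against a project containing code like `readLineFromPeer` before and after this library release is the practical way to observe the difference the wrap steps make: a sink reached only via `data.read(buf)` is reachable from the socket only once each wrapper is treated as a flow step.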