- The query
java/log-injection
now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.
- Two new queries "Inefficient regular expression" (
java/redos
) and "Polynomial regular expression used on uncontrolled data" (java/polynomial-redos
) have been added. These queries help find instances of Regular Expression Denial of Service vulnerabilities.
- Query
java/sensitive-log
has received several improvements.- It no longer considers usernames as sensitive information.
- The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
- A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.
- Query
java/predictable-seed
now has a tag for CWE-337.
- Query
java/insecure-cookie
now tolerates setting a cookie's secure flag torequest.isSecure()
. This means servlets that intentionally accept unencrypted connections will no longer raise an alert. - The query
java/non-https-urls
has been simplified and no longer requires its sinks to beMethodAccess
es. - The logic to detect
WebView
s with JavaScript (and optionally file access) enabled in the queryjava/android/unsafe-android-webview-fetch
has been improved.
- Query
java/insecure-cookie
no longer produces a false positive ifcookie.setSecure(...)
is called passing a constant that always equalstrue
.
- Added the
security-severity
tag to several queries.
- Fixed "Local information disclosure in a temporary directory" (
java/local-temp-file-or-directory-information-disclosure
) to resolve false-negatives when OS isn't properly used as logical guard. - The
SwitchCase.getRuleExpression()
predicate now gets expressions for case rules with an expression on the right-hand side of the arrow belonging to bothSwitchStmt
andSwitchExpr
, and the correspondinggetRuleStatement()
no longer returns anExprStmt
in either case. PreviouslySwitchStmt
andSwitchExpr
behaved differently in this respect.
- The query "Insertion of sensitive information into log files" (
java/sensitive-logging
) has been promoted from experimental to the main query pack. This query was originally submitted as an experimental query by @luchua-bc.
- Updated "Local information disclosure in a temporary directory" (
java/local-temp-file-or-directory-information-disclosure
) to remove false-positives when OS is properly used as logical guard.
- Add more classes to Netty request/response splitting. Change identification to
java/netty-http-request-or-response-splitting
. Identify request splitting differently from response splitting in query results. Support addional classes:io.netty.handler.codec.http.CombinedHttpHeaders
io.netty.handler.codec.http.DefaultHttpRequest
io.netty.handler.codec.http.DefaultFullHttpRequest
- A new query titled "Local information disclosure in a temporary directory" (
java/local-temp-file-or-directory-information-disclosure
) has been added. This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory. This query was originally submitted as query by @JLLeitschuh.
- A new query "Cleartext storage of sensitive information using a local database on Android" (
java/android/cleartext-storage-database
) has been added. This query finds instances of sensitive data being stored in local databases without encryption, which may expose it to attackers or malicious applications.
- A new query "Use of implicit PendingIntents" (
java/android/pending-intents
) has been added. This query finds implicit and mutablePendingIntents
sent to an unspecified third party component, which may provide an attacker with access to internal components of the application or cause other unintended effects. - Two new queries, "Android fragment injection" (
java/android/fragment-injection
) and "Android fragment injection in PreferenceActivity" (java/android/fragment-injection-preference-activity
) have been added. These queries find exported Android activities that instantiate and host fragments created from user-provided data. Such activities are vulnerable to access control bypass and expose the Android application to unintended effects. - The query "
TrustManager
that accepts all certificates" (java/insecure-trustmanager
) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @intrigus-lgtm. - The query "Log Injection" (
java/log-injection
) has been promoted from experimental to the main query pack. Its results will now appear by default. The query was originally submitted as an experimental query by @porcupineyhairs and @dellalibera. - A new query "Intent URI permission manipulation" (
java/android/intent-uri-permission-manipulation
) has been added. This query finds Android components that return unmodified, received Intents to the calling applications, which can provide unintended access to internal content providers of the victim application. - A new query "Cleartext storage of sensitive information in the Android filesystem" (
java/android/cleartext-storage-filesystem
) has been added. This query finds instances of sensitive data being stored in local files without encryption, which may expose it to attackers or malicious applications. - The query "Cleartext storage of sensitive information using
SharedPreferences
on Android" (java/android/cleartext-storage-shared-prefs
) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc. - The query "Unsafe certificate trust" (
java/unsafe-cert-trust
) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc.
- The "Random used only once" (
java/random-used-once
) query no longer has asecurity-severity
score. This has been causing some tools to categorise it as a security query, when it is more useful as a code-quality query.
- The
java/constant-comparison
query no longer raises false alerts regarding comparisons with Unicode surrogate character literals.