Merge pull request #4578 from aschackmull/java/changenotes

yo-h · web-flow · commit 5ac84755231e · 2020-10-29T13:32:28.000-04:00
Java: Add missing change notes for 1.26
diff --git a/change-notes/1.26/analysis-java.md b/change-notes/1.26/analysis-java.md
@@ -18,4 +18,3 @@ The following changes in version 1.26 affect Java analysis in all applications.
 
 ## Changes to libraries
 
-* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
diff --git a/java/change-notes/2020-05-21-mongodb-sql-injection-sinks.md b/java/change-notes/2020-05-21-mongodb-sql-injection-sinks.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The SQL injection queries have been improved to recognize MongoDB injection sinks.
diff --git a/java/change-notes/2020-05-21-websocket-taintsource.md b/java/change-notes/2020-05-21-websocket-taintsource.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Reads from `java.net.http.WebSocket` have been added as sources of tainted data for all
+  security queries.
diff --git a/java/change-notes/2020-06-30-jooq-sql-injection-sinks.md b/java/change-notes/2020-06-30-jooq-sql-injection-sinks.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The SQL injection queries have been improved to recognize unsafe jOOQ methods.
diff --git a/java/change-notes/2020-07-03-more-pathcreations.md b/java/change-notes/2020-07-03-more-pathcreations.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The query "Uncontrolled data used in path expression" (`java/path-injection`) has been
+  improved to recognize more path creation entry points.
diff --git a/java/change-notes/2020-07-09-untrusted-data-to-external-api.md b/java/change-notes/2020-07-09-untrusted-data-to-external-api.md
@@ -0,0 +1,9 @@
+lgtm,codescanning
+* Two new queries, "Untrusted data passed to external API" (`java/untrusted-data-to-external-api`)
+  and "Frequency counts for external APIs that are used with untrusted data"
+  (`java/count-untrusted-data-external-api`), have been added. These queries
+  should not be run by default as they are designed to have a low "true
+  positive" rate. However, they allow you to review the use of untrusted data
+  in an application to find new security vulnerabilities that are not found by
+  the default security queries, as well as identifying opportunities to improve
+  or add modeling of taint steps and sinks.
diff --git a/java/change-notes/2020-07-13-stacktraceexposure-fp-fix.md b/java/change-notes/2020-07-13-stacktraceexposure-fp-fix.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The query "Information exposure through a stack trace" (`java/stack-trace-exposure`) has been
+  improved to report fewer false positives when `super.printStackTrace()` is called
+  in an overridden method.
diff --git a/java/change-notes/2020-08-11-printwriter-format-xss-sink.md b/java/change-notes/2020-08-11-printwriter-format-xss-sink.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The query "Cross-site scripting" (`java/xss`) has been improved to recognize
+  `PrintWriter.format` as an XSS sink.
diff --git a/java/change-notes/2020-08-14-dataflow-dispatch-instance-arg-ctx.md b/java/change-notes/2020-08-14-dataflow-dispatch-instance-arg-ctx.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Virtual dispatch in data flow has been improved to take call-context-specific type
+  improvements to instance arguments into account. This improves precision for certain
+  code patterns involving heavy virtual dispatch.
diff --git a/java/change-notes/2020-08-17-string-formatted.md b/java/change-notes/2020-08-17-string-formatted.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The string format queries now recognize the Java 14 `String.formatted` method.
diff --git a/java/change-notes/2020-08-24-records-flow.md b/java/change-notes/2020-08-24-records-flow.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Data flow is now supported through Java 14 records.
diff --git a/java/change-notes/2020-08-31-extensible-security-queries.md b/java/change-notes/2020-08-31-extensible-security-queries.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Several security queries have been refactored to make them easier to extend with additional
+  sinks and/or taint steps. Sink definitions have generally been moved to importable libraries,
+  which can then be extended in `Customizations.qll`.
diff --git a/java/change-notes/2020-09-08-blockstmt.md b/java/change-notes/2020-09-08-blockstmt.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
diff --git a/java/change-notes/2020-09-17-exectainted-array.md b/java/change-notes/2020-09-17-exectainted-array.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The query "Uncontrolled command line" (`java/command-line-injection`) has
+  been improved to better distinguish between command injection and safe
+  command arguments.
diff --git a/java/change-notes/2020-09-21-jhipster-gen-prng-query.md b/java/change-notes/2020-09-21-jhipster-gen-prng-query.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* A new query "Detect JHipster Generator Vulnerability CVE-2019-16303"
+  (`java/jhipster-prng`) has been added. This query finds weak random number generators
+  in security-sensitive methods generated by a vulnerable version of JHipster.

Original file line number	Diff line number	Diff line change
`@@ -18,4 +18,3 @@ The following changes in version 1.26 affect Java analysis in all applications.`
`18`	`18`
`19`	`19`	`## Changes to libraries`
`20`	`20`
`21`		-* The QL class `Block`, denoting the `{ ... }` statement, is renamed to `BlockStmt`.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	`+* The SQL injection queries have been improved to recognize MongoDB injection sinks.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Reads from `java.net.http.WebSocket` have been added as sources of tainted data for all
	`3`	`+ security queries.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* The query "Uncontrolled data used in path expression" (`java/path-injection`) has been
	`3`	`+ improved to recognize more path creation entry points.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* The query "Cross-site scripting" (`java/xss`) has been improved to recognize
	`3`	+ `PrintWriter.format` as an XSS sink.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* The string format queries now recognize the Java 14 `String.formatted` method.