- Query `java/predictable-seed` now has a tag for CWE-337.
- Query `java/insecure-cookie` now tolerates setting a cookie's `secure` flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
- The query `java/non-https-urls` has been simplified and no longer requires its sinks to be `MethodAccess`es.
- The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.