- Two new queries "Inefficient regular expression" (
java/redos) and "Polynomial regular expression used on uncontrolled data" (java/polynomial-redos) have been added. These queries help find instances of Regular Expression Denial of Service vulnerabilities.
- Query
java/sensitive-loghas received several improvements.- It no longer considers usernames as sensitive information.
- The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
- A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.