- The query "Server-side template injection" (`java/server-side-template-injection`) has been promoted from experimental to the main query pack. This query was originally submitted as an experimental query by @porcupineyhairs.
- Added a new query, `java/android/backup-enabled`, to detect if Android applications allow backups.
- Removed the `@security-severity` tag from several queries not in the `Security/` folder that also had missing `security` tags.
- The Java extractor now populates the `Method` relating to a `MethodAccess` consistently for calls using an explicit and implicit `this` qualifier. Previously if the method `foo` was inherited from a specialised generic type `ParentType<String>`, then an explicit call `this.foo()` would yield a `MethodAccess` whose `getMethod()` accessor returned the bound method `ParentType<String>.foo`, whereas an implicitly-qualified `foo()` `MethodAccess`'s `getMethod()` would return the unbound method `ParentType.foo`. Now both scenarios produce a bound method. This means that all data-flow queries may return more results where a relevant path transits a call to such an implicitly-qualified call to a member method with a bound generic type, while queries that inspect the result of `MethodAccess.getMethod()` may need to tolerate bound generic methods in more circumstances. The queries `java/iterator-remove-failure`, `java/non-static-nested-class`, `java/internal-representation-exposure`, `java/subtle-inherited-call` and `java/deprecated-call` have been amended to properly handle calls to bound generic methods, and in some instances may now produce more results in the explicit-`this` case as well.
- Added taint model for arguments of `java.net.URI` constructors to the queries `java/path-injection` and `java/path-injection-local`.
- Added new sinks related to Android's `AlarmManager` to the query `java/android/implicit-pendingintents`.
- The alert messages of many queries have been changed to make the message consistent with other languages.
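
The code shape behind the Java extractor entry above, as an added illustration that is not taken from the CodeQL repository: a value passes through `foo`, inherited from the bound generic type `ParentType<String>`, once with an explicit `this` qualifier and once without. `Child`, `baseDir`, the method names other than `foo`, and the sample input are assumptions made for this example, and the checked variant is an added mitigation, not part of the changelog.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical generic base class; foo simply returns its argument.
abstract class ParentType<T> {
    T foo(T value) {
        return value;
    }
}

// Specialised (bound) subtype, as in the changelog entry.
class Child extends ParentType<String> {
    private final Path baseDir;

    Child(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    // Explicit qualifier: getMethod() already returned ParentType<String>.foo.
    Path explicitCall(String userInput) {
        return baseDir.resolve(this.foo(userInput));
    }

    // Implicit qualifier: getMethod() used to return the unbound ParentType.foo;
    // it now returns the bound method as well.
    Path implicitCall(String userInput) {
        return baseDir.resolve(foo(userInput));
    }

    // Hardened form: same implicit call, but the result must stay inside baseDir.
    Path implicitCallChecked(String userInput) throws IOException {
        Path candidate = baseDir.resolve(foo(userInput)).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IOException("path escapes base directory");
        }
        return candidate;
    }
}

public class BoundGenericCallDemo {
    public static void main(String[] args) throws IOException {
        Child c = new Child(Paths.get("uploads")); // constructed sample directory
        String sample = "reports/2023.txt";        // constructed sample input
        // Both call forms behave identically at run time.
        System.out.println(c.explicitCall(sample).equals(c.implicitCall(sample)));
        System.out.println(c.implicitCallChecked(sample));
    }
}
```

The two unchecked methods differ only in the qualifier, which is why a data-flow path through `implicitCall` may now be reported where previously only the `explicitCall` form resolved to the bound method.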