- Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the
java/sensitive-logquery. They normally relate to things likejava.util.StringTokenizer, which are not sensitive information. This should fix some false positive alerts. - The query "Unused classes and interfaces" (
java/unused-reference-type) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with@test. - Alerts about exposing
exception.getMessage()in servlet responses are now split out ofjava/stack-trace-exposureinto its own queryjava/error-message-exposure. - Added the extensible abstract class
SensitiveLoggerSource. Now this class can be extended to add more sources to thejava/sensitive-logquery or for customizations overrides.