- Classes that define a
writeReplacemethod are no longer flagged by thejava/missing-no-arg-constructor-on-serializablequery on the assumption they are unlikely to be deserialized using the default algorithm. - The query "Use of a broken or risky cryptographic algorithm" (
java/weak-cryptographic-algorithm) now gives the reason why the cryptographic algorithm is considered weak.
No user-facing changes.
- Added SHA-384 to the list of secure hashing algorithms. As a result the
java/potentially-weak-cryptographic-algorithmquery should no longer flag up uses of SHA-384. - Added SHA3 to the list of secure hashing algorithms. As a result the
java/potentially-weak-cryptographic-algorithmquery should no longer flag up uses of SHA3. - The
java/weak-cryptographic-algorithmquery has been updated to no longer report uses of hash functions such asMD5andSHA1even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. Thejava/potentially-weak-cryptographic-algorithmquery has been updated to report these uses instead.
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Added taint summary model for
org.springframework.core.io.InputStreamSource#getInputStream().
No user-facing changes.
No user-facing changes.
No user-facing changes.
- Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the
java/sensitive-logquery. They normally relate to things likejava.util.StringTokenizer, which are not sensitive information. This should fix some false positive alerts. - The query "Unused classes and interfaces" (
java/unused-reference-type) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with@test. - Alerts about exposing
exception.getMessage()in servlet responses are now split out ofjava/stack-trace-exposureinto its own queryjava/error-message-exposure. - Added the extensible abstract class
SensitiveLoggerSource. Now this class can be extended to add more sources to thejava/sensitive-logquery or for customizations overrides.
- The heuristic to enable certain Android queries has been improved. Now it ignores Android Manifests which don't define an activity, content provider or service. We also only consider files which are under a folder containing such an Android Manifest for these queries. This should remove some false positive alerts.
- The query
java/weak-cryptographic-algorithmno longer alerts aboutRSA/ECBalgorithm strings.
- The query
java/tainted-permissions-checknow uses threat models. This means thatlocalsources are no longer included by default for this query, but can be added by enabling thelocalthreat model. - Added more
org.apache.commons.io.FileUtils-related sinks to the path injection query.
No user-facing changes.
- The query
java/spring-disabled-csrf-protectiondetects disabling CSRF viaServerHttpSecurity$CsrfSpec::disable. - Added more
java.io.File-related sinks to the path injection query.
- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
- Removed
localquery variants. The results pertaining to local sources can be found using the non-local counterpart query. As an example, the results previously found byjava/unvalidated-url-redirection-localcan be found byjava/unvalidated-url-redirection, if thelocalthreat model is enabled. The removed queries arejava/path-injection-local,java/command-line-injection-local,java/xss-local,java/sql-injection-local,java/http-response-splitting-local,java/improper-validation-of-array-construction-local,java/improper-validation-of-array-index-local,java/tainted-format-string-local,java/tainted-arithmetic-local,java/unvalidated-url-redirection-local,java/xxe-localandjava/tainted-numeric-cast-local.
- The alert message for the query "Trust boundary violation" (
java/trust-boundary-violation) has been updated to include a link to the remote source. - The sanitizer of the query
java/zipsliphas been improved to include nodes that are safe due to having certain safe types. This reduces false positives.
No user-facing changes.
No user-facing changes.
- The
java/unknown-javadoc-parameternow accepts@paramtags that apply to the parameters of a record.
- The query
java/unsafe-url-forward-dispatch-loadhas been promoted from experimental to the main query pack asjava/unvalidated-url-forward. Its results will now appear by default. This query was originally submitted as an experimental query by @haby0 and by @luchua-bc.
- The
java/missing-case-in-switchquery now gives only a single alert for each switch statement, giving some examples of the missing cases as well as a count of how many are missing.
- Variables named
tokenImageare no longer sources for thejava/sensitive-logquery. This is because this variable name is used in parsing code generated by JavaCC, so it causes a large number of false positive alerts. - Added sanitizers for relative URLs,
List.contains(), and checking the host of a URI to thejava/ssrfandjava/unvalidated-url-redirectionqueries.
No user-facing changes.
No user-facing changes.
- Added a new query
java/android/insecure-local-key-genfor finding instances of keys generated for biometric authentication in an insecure way.
- To reduce the number of false positives in the query "Insertion of sensitive information into log files" (
java/sensitive-log), variables with names that contain "null" (case-insensitively) are no longer considered sources of sensitive information.
- Added a new query
java/android/insecure-local-authenticationfor finding uses of biometric authentication APIs that do not make use of aKeyStore-backed key and thus may be bypassed.
- The
security-severityscore of the queryjava/relative-path-commandhas been reduced to better adjust it to the specific conditions needed for exploitation.
- The sinks of the queries
java/path-injectionandjava/path-injection-localhave been reworked. Path creation sinks have been converted to summaries instead, while sinks now are actual file read/write operations only. This has reduced the false positive ratio of both queries.
- The sanitizer for the path injection queries has been improved to handle more cases where
equalsis used to check an exact path match. - The query
java/unvalidated-url-redirectionnow sanitizes results following the same logic as the queryjava/ssrf. URLs where the destination cannot be controlled externally are no longer reported.
- Added a new query
java/android/sensitive-textto detect instances of sensitive data being exposed through text fields without being properly masked. - Added a new query
java/android/sensitive-notificationto detect instances of sensitive data being exposed through Android notifications.
- Added the
java/exec-tainted-environmentquery, to detect the injection of environment variables names or values from remote input.
- A manual neutral summary model for a callable now blocks all generated summary models for that callable from having any effect.
- Added the
java/insecure-randomnessquery to detect uses of weakly random values which an attacker may be able to predict. Also added thecrypto-parametersink kind for sinks which represent the parameters and keys of cryptographic operations.
- Modified the
java/potentially-weak-cryptographic-algorithmquery to include the use of weak cryptographic algorithms from configuration values specified in properties files. - The query
java/android/missing-certificate-pinningshould no longer alert about requests pointing to the local filesystem. - Removed some spurious sinks related to
com.opensymphony.xwork2.TextProvider.getTextfrom the queryjava/ognl-injection.
- The three queries
java/insufficient-key-size,java/server-side-template-injection, andjava/android/implicit-pendingintentshad accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
No user-facing changes.
No user-facing changes.
- The query
java/unsafe-deserializationhas been improved to detect insecure calls toObjectMessage.getObjectin JMS.
- java/summary/lines-of-code now gives the total number of lines of Java and Kotlin code, and is the only query tagged
lines-of-code. java/summary/lines-of-code-java and java/summary/lines-of-code-kotlin give the per-language counts. - The query
java/spring-disabled-csrf-protectionhas been improved to detect more ways of disabling CSRF in Spring.
- Most data flow queries that track flow from remote flow sources now use the current threat model configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is remote flow sources) unless the threat model configuration is changed.
No user-facing changes.
No user-facing changes.
- Added the
java/trust-boundary-violationquery to detect trust boundary violations between HTTP requests and the HTTP session. Also added thetrust-boundary-violationsink kind for sinks which may cross a trust boundary, such as calls to theHttpSession#setAttributemethod.
- The queries "Resolving XML external entity in user-controlled data" (
java/xxe) and "Resolving XML external entity in user-controlled data from local source" (java/xxe-local) now recognize sinks in the MDHT library.
No user-facing changes.
- The sanitizer in
java/potentially-weak-cryptographic-algorithmhas been improved, so the query may yield additional results.
- The query "Unsafe resource fetching in Android WebView" (
java/android/unsafe-android-webview-fetch) now recognizes WebViews wheresetJavascriptEnabled,setAllowFileAccess,setAllowUniversalAccessFromFileURLs, and/orsetAllowFileAccessFromFileURLsare set inside the function block of the Kotlinapplyfunction.
- New models have been added for
org.apache.commons.lang. - The query
java/unsafe-deserializationhas been updated to take into accountSerialKiller, a library used to prevent deserialization of arbitrary classes.
- The query "Arbitrary file write during archive extraction ("Zip Slip")" (
java/zipslip) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
No user-facing changes.
- The
java/summary/lines-of-codequery now only counts lines of Java code. The newjava/summary/lines-of-code-kotlincounts lines of Kotlin code.
- The query
java/groovy-injectionnow recognizesgroovy.text.TemplateEngine.createTemplateas a sink. - The queries
java/xxeandjava/xxe-localnow recognize the second argument of calls toXPath.evaluateas a sink. - Experimental sinks for the query "Resolving XML external entity in user-controlled data" (
java/xxe) have been promoted to the main query pack. These sinks were originally submitted as part of an experimental query by @haby0.
No user-facing changes.
- The query
java/insecure-ldap-authhas been promoted from experimental to the main query pack. This query detects transmission of cleartext credentials in LDAP authentication. Insecure LDAP authentication causes sensitive information to be vulnerable to remote attackers. This query was originally submitted as an experimental query by @luchua-bc
No user-facing changes.
- Added a new query,
java/android/arbitrary-apk-installation, to detect installation of APKs from untrusted sources.
No user-facing changes.
- Added a new query,
java/xxe-local, which is a version of the XXE query that uses local sources (for example, reads from a local file).
- The
java/index-out-of-boundsquery has improved its handling of arrays of constant length, and may report additional results in those cases.
- Added a new query,
java/android/sensitive-result-receiver, to find instances of sensitive data being leaked to an untrustedResultReceiver.
- Added a new query
java/android/websettings-allow-content-accessto detect Android WebViews which do not disable access tocontent://urls.
- The name, description and alert message for the query
java/concatenated-sql-queryhave been altered to emphasize that the query flags the use of string concatenation to construct SQL queries, not the lack of appropriate escaping. The query's files have been renamed fromSqlUnescaped.qlandSqlUnescapedLib.qlltoSqlConcatenated.qlandSqlConcatenatedLib.qllrespectively; in the unlikely event your custom configuration or queries refer to either of these files by name, those references will need to be adjusted. The query id remainsjava/concatenated-sql-query, so alerts should not be re-raised as a result of this change.
- Added a new query,
java/summary/generated-vs-manual-coverage, to expose metrics for the number of API endpoints covered by generated versus manual MaD models. - Added a new query,
java/telemetry/supported-external-api, to detect supported 3rd party APIs used in a codebase. - Added a new query,
java/android/missing-certificate-pinning, to find network calls where certificate pinning is not implemented. - Added a new query,
java/android-webview-addjavascriptinterface, to detect the use ofaddJavascriptInterface, which can lead to cross-site scripting. - Added a new query,
java/android-websettings-file-access, to detect configurations that enable file system access in Android WebViews. - Added a new query,
java/android-websettings-javascript-enabled, to detect if JavaScript execution is enabled in an Android WebView. - The query
java/regex-injectionhas been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @edvraa.
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert. - The extensible predicates for Models as Data have been renamed (the
extprefix has been removed). As an example,extSummaryModelhas been renamed tosummaryModel. - The query
java/misnamed-typeis now enabled for Kotlin. - The query
java/non-serializable-fieldis now enabled for Kotlin. - Fixed an issue in the query
java/android/implicit-pendingintentsby which an implicit Pending Intent marked as immutable was not correctly recognized as such. - The query
java/maven/non-https-urlno longer alerts about disabled repositories.
- Kotlin extraction will now fail if the Kotlin version in use is at least 1.7.30. This is to ensure using an as-yet-unsupported version is noticable, rather than silently failing to extract Kotlin code and therefore producing false-negative results.
No user-facing changes.
- The query
java/insufficient-key-sizehas been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc. - Added a new query,
java/android/sensitive-keyboard-cache, to detect instances of sensitive information possibly being saved to the Android keyboard cache.
No user-facing changes.
- Added a new query,
java/android/incomplete-provider-permissions, to detect if an Android ContentProvider is not protected with a correct set of permissions. - A new query "Uncontrolled data used in content resolution" (
java/androd/unsafe-content-uri-resolution) has been added. This query finds paths from user-provided data to URI resolution operations in Android'sContentResolverwithout previous validation or sanitization.
- Added a new query,
java/android/webview-debugging-enabled, to detect instances of WebView debugging being enabled in production builds.
- The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
PathSanitizer.qllhas been promoted from experimental to the main query pack. This sanitizer was originally submitted as part of an experimental query by @luchua-bc.- The queries
java/path-injection,java/path-injection-localandjava/zipslipnow use the sanitizers provided byPathSanitizer.qll.
- The query "Server-side template injection" (
java/server-side-template-injection) has been promoted from experimental to the main query pack. This query was originally submitted as an experimental query by @porcupineyhairs. - Added a new query,
java/android/backup-enabled, to detect if Android applications allow backups.
- Removed the
@security-severitytag from several queries not in theSecurity/folder that also had missingsecuritytags.
- The Java extractor now populates the
Methodrelating to aMethodAccessconsistently for calls using an explicit and implicitthisqualifier. Previously if the methodfoowas inherited from a specialised generic typeParentType<String>, then an explicit callthis.foo()would yield aMethodAccesswhosegetMethod()accessor returned the bound methodParentType<String>.foo, whereas an implicitly-qualifiedfoo()MethodAccess'sgetMethod()would return the unbound methodParentType.foo. Now both scenarios produce a bound method. This means that all data-flow queries may return more results where a relevant path transits a call to such an implicitly-qualified call to a member method with a bound generic type, while queries that inspect the result ofMethodAccess.getMethod()may need to tolerate bound generic methods in more circumstances. The queriesjava/iterator-remove-failure,java/non-static-nested-class,java/internal-representation-exposure,java/subtle-inherited-callandjava/deprecated-callhave been amended to properly handle calls to bound generic methods, and in some instances may now produce more results in the explicit-thiscase as well. - Added taint model for arguments of
java.net.URIconstructors to the queriesjava/path-injectionandjava/path-injection-local. - Added new sinks related to Android's
AlarmManagerto the queryjava/android/implicit-pendingintents. - The alert message of many queries have been changed to make the message consistent with other languages.
- Added a new query,
java/android/implicitly-exported-component, to detect if components are implicitly exported in the Android manifest. - A new query "Use of RSA algorithm without OAEP" (
java/rsa-without-oaep) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme. - Added a new query,
java/android/debuggable-attribute-enabled, to detect if theandroid:debuggableattribute is enabled in the Android manifest. - The query "Using a static initialization vector for encryption" (
java/static-initialization-vector) has been promoted from experimental to the main query pack. This query was originally submitted as an experimental query by @artem-smotrakov. - A new query
java/partial-path-traversalfinds partial path traversal vulnerabilities resulting from incorrectly usingString#startsWithto compare canonical paths. - Added a new query,
java/suspicious-regexp-range, to detect character ranges in regular expressions that seem to match too many characters.
- The queries
java/redosandjava/polynomial-redosnow have a tag for CWE-1333.
- The query
java/static-initialization-vectorno longer requires aCipherobject to be initialized withENCRYPT_MODEto be considered a valid sink. Also, several new sanitizers were added. - Improved sanitizers for
java/sensitive-log, which removes some false positives and improves performance a bit.
- A new query "Android
WebViewthat accepts all certificates" (java/improper-webview-certificate-validation) has been added. This query finds implementations ofWebViewClients that accept all certificates in the case of an SSL error.
- The query
java/sensitive-loghas been improved to no longer report results that are effectively duplicates due to one source flowing to another source.
- The query
java/path-injectionnow recognises vulnerable APIs defined using theSinkModelCsvclass with thecreate-filetype. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.
- Contextual queries and the query libraries they depend on have been moved to the
codeql/java-allpackage.
- A new query "Improper verification of intent by broadcast receiver" (
java/improper-intent-verification) has been added. This query finds instances of AndroidBroadcastReceivers that don't verify the action string of received intents when registered to receive system intents.
- The query
java/log-injectionnow reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.
- Two new queries "Inefficient regular expression" (
java/redos) and "Polynomial regular expression used on uncontrolled data" (java/polynomial-redos) have been added. These queries help find instances of Regular Expression Denial of Service vulnerabilities.
- Query
java/sensitive-loghas received several improvements.- It no longer considers usernames as sensitive information.
- The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
- A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.
- Query
java/predictable-seednow has a tag for CWE-337.
- Query
java/insecure-cookienow tolerates setting a cookie's secure flag torequest.isSecure(). This means servlets that intentionally accept unencrypted connections will no longer raise an alert. - The query
java/non-https-urlshas been simplified and no longer requires its sinks to beMethodAccesses. - The logic to detect
WebViews with JavaScript (and optionally file access) enabled in the queryjava/android/unsafe-android-webview-fetchhas been improved.
- Query
java/insecure-cookieno longer produces a false positive ifcookie.setSecure(...)is called passing a constant that always equalstrue.
- Added the
security-severitytag to several queries.
- Fixed "Local information disclosure in a temporary directory" (
java/local-temp-file-or-directory-information-disclosure) to resolve false-negatives when OS isn't properly used as logical guard. - The
SwitchCase.getRuleExpression()predicate now gets expressions for case rules with an expression on the right-hand side of the arrow belonging to bothSwitchStmtandSwitchExpr, and the correspondinggetRuleStatement()no longer returns anExprStmtin either case. PreviouslySwitchStmtandSwitchExprbehaved differently in this respect.
- The query "Insertion of sensitive information into log files" (
java/sensitive-logging) has been promoted from experimental to the main query pack. This query was originally submitted as an experimental query by @luchua-bc.
- Updated "Local information disclosure in a temporary directory" (
java/local-temp-file-or-directory-information-disclosure) to remove false-positives when OS is properly used as logical guard.
- Add more classes to Netty request/response splitting. Change identification to
java/netty-http-request-or-response-splitting. Identify request splitting differently from response splitting in query results. Support additional classes:io.netty.handler.codec.http.CombinedHttpHeadersio.netty.handler.codec.http.DefaultHttpRequestio.netty.handler.codec.http.DefaultFullHttpRequest
- A new query titled "Local information disclosure in a temporary directory" (
java/local-temp-file-or-directory-information-disclosure) has been added. This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory. This query was originally submitted as query by @JLLeitschuh.
- A new query "Cleartext storage of sensitive information using a local database on Android" (
java/android/cleartext-storage-database) has been added. This query finds instances of sensitive data being stored in local databases without encryption, which may expose it to attackers or malicious applications.
- A new query "Use of implicit PendingIntents" (
java/android/pending-intents) has been added. This query finds implicit and mutablePendingIntentssent to an unspecified third party component, which may provide an attacker with access to internal components of the application or cause other unintended effects. - Two new queries, "Android fragment injection" (
java/android/fragment-injection) and "Android fragment injection in PreferenceActivity" (java/android/fragment-injection-preference-activity) have been added. These queries find exported Android activities that instantiate and host fragments created from user-provided data. Such activities are vulnerable to access control bypass and expose the Android application to unintended effects. - The query "
TrustManagerthat accepts all certificates" (java/insecure-trustmanager) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @intrigus-lgtm. - The query "Log Injection" (
java/log-injection) has been promoted from experimental to the main query pack. Its results will now appear by default. The query was originally submitted as an experimental query by @porcupineyhairs and @dellalibera. - A new query "Intent URI permission manipulation" (
java/android/intent-uri-permission-manipulation) has been added. This query finds Android components that return unmodified, received Intents to the calling applications, which can provide unintended access to internal content providers of the victim application. - A new query "Cleartext storage of sensitive information in the Android filesystem" (
java/android/cleartext-storage-filesystem) has been added. This query finds instances of sensitive data being stored in local files without encryption, which may expose it to attackers or malicious applications. - The query "Cleartext storage of sensitive information using
SharedPreferenceson Android" (java/android/cleartext-storage-shared-prefs) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc. - The query "Unsafe certificate trust" (
java/unsafe-cert-trust) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc.
- The "Random used only once" (
java/random-used-once) query no longer has asecurity-severityscore. This has been causing some tools to categorise it as a security query, when it is more useful as a code-quality query.
- The
java/constant-comparisonquery no longer raises false alerts regarding comparisons with Unicode surrogate character literals.