- The
java/summary/lines-of-codequery now only counts lines of Java code. The newjava/summary/lines-of-code-kotlincounts lines of Kotlin code.
- The query
java/groovy-injectionnow recognizesgroovy.text.TemplateEngine.createTemplateas a sink. - The queries
java/xxeandjava/xxe-localnow recognize the second argument of calls toXPath.evaluateas a sink. - Experimental sinks for the query "Resolving XML external entity in user-controlled data" (
java/xxe) have been promoted to the main query pack. These sinks were originally submitted as part of an experimental query by @haby0.
No user-facing changes.
- The query
java/insecure-ldap-authhas been promoted from experimental to the main query pack. This query detects transmission of cleartext credentials in LDAP authentication. Insecure LDAP authentication causes sensitive information to be vulnerable to remote attackers. This query was originally submitted as an experimental query by @luchua-bc
No user-facing changes.
- Added a new query,
java/android/arbitrary-apk-installation, to detect installation of APKs from untrusted sources.
No user-facing changes.
- Added a new query,
java/xxe-local, which is a version of the XXE query that uses local sources (for example, reads from a local file).
- The
java/index-out-of-boundsquery has improved its handling of arrays of constant length, and may report additional results in those cases.
- Added a new query,
java/android/sensitive-result-receiver, to find instances of sensitive data being leaked to an untrustedResultReceiver.
- Added a new query
java/android/websettings-allow-content-accessto detect Android WebViews which do not disable access tocontent://urls.
- The name, description and alert message for the query
java/concatenated-sql-queryhave been altered to emphasize that the query flags the use of string concatenation to construct SQL queries, not the lack of appropriate escaping. The query's files have been renamed fromSqlUnescaped.qlandSqlUnescapedLib.qlltoSqlConcatenated.qlandSqlConcatenatedLib.qllrespectively; in the unlikely event your custom configuration or queries refer to either of these files by name, those references will need to be adjusted. The query id remainsjava/concatenated-sql-query, so alerts should not be re-raised as a result of this change.
- Added a new query,
java/summary/generated-vs-manual-coverage, to expose metrics for the number of API endpoints covered by generated versus manual MaD models. - Added a new query,
java/telemetry/supported-external-api, to detect supported 3rd party APIs used in a codebase. - Added a new query,
java/android/missing-certificate-pinning, to find network calls where certificate pinning is not implemented. - Added a new query,
java/android-webview-addjavascriptinterface, to detect the use ofaddJavascriptInterface, which can lead to cross-site scripting. - Added a new query,
java/android-websettings-file-access, to detect configurations that enable file system access in Android WebViews. - Added a new query,
java/android-websettings-javascript-enabled, to detect if JavaScript execution is enabled in an Android WebView. - The query
java/regex-injectionhas been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @edvraa.
- The
AlertSuppression.qlquery has been updated to support the new// codeql[query-id]supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy// lgtmand// lgtm[query-id]comments can now also be placed on the line before an alert. - The extensible predicates for Models as Data have been renamed (the
extprefix has been removed). As an example,extSummaryModelhas been renamed tosummaryModel. - The query
java/misnamed-typeis now enabled for Kotlin. - The query
java/non-serializable-fieldis now enabled for Kotlin. - Fixed an issue in the query
java/android/implicit-pendingintentsby which an implicit Pending Intent marked as immutable was not correctly recognized as such. - The query
java/maven/non-https-urlno longer alerts about disabled repositories.
- Kotlin extraction will now fail if the Kotlin version in use is at least 1.7.30. This is to ensure using an as-yet-unsupported version is noticable, rather than silently failing to extract Kotlin code and therefore producing false-negative results.
No user-facing changes.
- The query
java/insufficient-key-sizehas been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc. - Added a new query,
java/android/sensitive-keyboard-cache, to detect instances of sensitive information possibly being saved to the Android keyboard cache.
No user-facing changes.
- Added a new query,
java/android/incomplete-provider-permissions, to detect if an Android ContentProvider is not protected with a correct set of permissions. - A new query "Uncontrolled data used in content resolution" (
java/androd/unsafe-content-uri-resolution) has been added. This query finds paths from user-provided data to URI resolution operations in Android'sContentResolverwithout previous validation or sanitization.
- Added a new query,
java/android/webview-debugging-enabled, to detect instances of WebView debugging being enabled in production builds.
- The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
PathSanitizer.qllhas been promoted from experimental to the main query pack. This sanitizer was originally submitted as part of an experimental query by @luchua-bc.- The queries
java/path-injection,java/path-injection-localandjava/zipslipnow use the sanitizers provided byPathSanitizer.qll.
- The query "Server-side template injection" (
java/server-side-template-injection) has been promoted from experimental to the main query pack. This query was originally submitted as an experimental query by @porcupineyhairs. - Added a new query,
java/android/backup-enabled, to detect if Android applications allow backups.
- Removed the
@security-severitytag from several queries not in theSecurity/folder that also had missingsecuritytags.
- The Java extractor now populates the
Methodrelating to aMethodAccessconsistently for calls using an explicit and implicitthisqualifier. Previously if the methodfoowas inherited from a specialised generic typeParentType<String>, then an explicit callthis.foo()would yield aMethodAccesswhosegetMethod()accessor returned the bound methodParentType<String>.foo, whereas an implicitly-qualifiedfoo()MethodAccess'sgetMethod()would return the unbound methodParentType.foo. Now both scenarios produce a bound method. This means that all data-flow queries may return more results where a relevant path transits a call to such an implicitly-qualified call to a member method with a bound generic type, while queries that inspect the result ofMethodAccess.getMethod()may need to tolerate bound generic methods in more circumstances. The queriesjava/iterator-remove-failure,java/non-static-nested-class,java/internal-representation-exposure,java/subtle-inherited-callandjava/deprecated-callhave been amended to properly handle calls to bound generic methods, and in some instances may now produce more results in the explicit-thiscase as well. - Added taint model for arguments of
java.net.URIconstructors to the queriesjava/path-injectionandjava/path-injection-local. - Added new sinks related to Android's
AlarmManagerto the queryjava/android/implicit-pendingintents. - The alert message of many queries have been changed to make the message consistent with other languages.
- Added a new query,
java/android/implicitly-exported-component, to detect if components are implicitly exported in the Android manifest. - A new query "Use of RSA algorithm without OAEP" (
java/rsa-without-oaep) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme. - Added a new query,
java/android/debuggable-attribute-enabled, to detect if theandroid:debuggableattribute is enabled in the Android manifest. - The query "Using a static initialization vector for encryption" (
java/static-initialization-vector) has been promoted from experimental to the main query pack. This query was originally submitted as an experimental query by @artem-smotrakov. - A new query
java/partial-path-traversalfinds partial path traversal vulnerabilities resulting from incorrectly usingString#startsWithto compare canonical paths. - Added a new query,
java/suspicious-regexp-range, to detect character ranges in regular expressions that seem to match too many characters.
- The queries
java/redosandjava/polynomial-redosnow have a tag for CWE-1333.
- The query
java/static-initialization-vectorno longer requires aCipherobject to be initialized withENCRYPT_MODEto be considered a valid sink. Also, several new sanitizers were added. - Improved sanitizers for
java/sensitive-log, which removes some false positives and improves performance a bit.
- A new query "Android
WebViewthat accepts all certificates" (java/improper-webview-certificate-validation) has been added. This query finds implementations ofWebViewClients that accept all certificates in the case of an SSL error.
- The query
java/sensitive-loghas been improved to no longer report results that are effectively duplicates due to one source flowing to another source.
- The query
java/path-injectionnow recognises vulnerable APIs defined using theSinkModelCsvclass with thecreate-filetype. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.
- Contextual queries and the query libraries they depend on have been moved to the
codeql/java-allpackage.
- A new query "Improper verification of intent by broadcast receiver" (
java/improper-intent-verification) has been added. This query finds instances of AndroidBroadcastReceivers that don't verify the action string of received intents when registered to receive system intents.
- The query
java/log-injectionnow reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.
- Two new queries "Inefficient regular expression" (
java/redos) and "Polynomial regular expression used on uncontrolled data" (java/polynomial-redos) have been added. These queries help find instances of Regular Expression Denial of Service vulnerabilities.
- Query
java/sensitive-loghas received several improvements.- It no longer considers usernames as sensitive information.
- The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
- A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.
- Query
java/predictable-seednow has a tag for CWE-337.
- Query
java/insecure-cookienow tolerates setting a cookie's secure flag torequest.isSecure(). This means servlets that intentionally accept unencrypted connections will no longer raise an alert. - The query
java/non-https-urlshas been simplified and no longer requires its sinks to beMethodAccesses. - The logic to detect
WebViews with JavaScript (and optionally file access) enabled in the queryjava/android/unsafe-android-webview-fetchhas been improved.
- Query
java/insecure-cookieno longer produces a false positive ifcookie.setSecure(...)is called passing a constant that always equalstrue.
- Added the
security-severitytag to several queries.
- Fixed "Local information disclosure in a temporary directory" (
java/local-temp-file-or-directory-information-disclosure) to resolve false-negatives when OS isn't properly used as logical guard. - The
SwitchCase.getRuleExpression()predicate now gets expressions for case rules with an expression on the right-hand side of the arrow belonging to bothSwitchStmtandSwitchExpr, and the correspondinggetRuleStatement()no longer returns anExprStmtin either case. PreviouslySwitchStmtandSwitchExprbehaved differently in this respect.
- The query "Insertion of sensitive information into log files" (
java/sensitive-logging) has been promoted from experimental to the main query pack. This query was originally submitted as an experimental query by @luchua-bc.
- Updated "Local information disclosure in a temporary directory" (
java/local-temp-file-or-directory-information-disclosure) to remove false-positives when OS is properly used as logical guard.
- Add more classes to Netty request/response splitting. Change identification to
java/netty-http-request-or-response-splitting. Identify request splitting differently from response splitting in query results. Support additional classes:io.netty.handler.codec.http.CombinedHttpHeadersio.netty.handler.codec.http.DefaultHttpRequestio.netty.handler.codec.http.DefaultFullHttpRequest
- A new query titled "Local information disclosure in a temporary directory" (
java/local-temp-file-or-directory-information-disclosure) has been added. This query finds uses of APIs that leak potentially sensitive information to other local users via the system temporary directory. This query was originally submitted as query by @JLLeitschuh.
- A new query "Cleartext storage of sensitive information using a local database on Android" (
java/android/cleartext-storage-database) has been added. This query finds instances of sensitive data being stored in local databases without encryption, which may expose it to attackers or malicious applications.
- A new query "Use of implicit PendingIntents" (
java/android/pending-intents) has been added. This query finds implicit and mutablePendingIntentssent to an unspecified third party component, which may provide an attacker with access to internal components of the application or cause other unintended effects. - Two new queries, "Android fragment injection" (
java/android/fragment-injection) and "Android fragment injection in PreferenceActivity" (java/android/fragment-injection-preference-activity) have been added. These queries find exported Android activities that instantiate and host fragments created from user-provided data. Such activities are vulnerable to access control bypass and expose the Android application to unintended effects. - The query "
TrustManagerthat accepts all certificates" (java/insecure-trustmanager) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @intrigus-lgtm. - The query "Log Injection" (
java/log-injection) has been promoted from experimental to the main query pack. Its results will now appear by default. The query was originally submitted as an experimental query by @porcupineyhairs and @dellalibera. - A new query "Intent URI permission manipulation" (
java/android/intent-uri-permission-manipulation) has been added. This query finds Android components that return unmodified, received Intents to the calling applications, which can provide unintended access to internal content providers of the victim application. - A new query "Cleartext storage of sensitive information in the Android filesystem" (
java/android/cleartext-storage-filesystem) has been added. This query finds instances of sensitive data being stored in local files without encryption, which may expose it to attackers or malicious applications. - The query "Cleartext storage of sensitive information using
SharedPreferenceson Android" (java/android/cleartext-storage-shared-prefs) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc. - The query "Unsafe certificate trust" (
java/unsafe-cert-trust) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @luchua-bc.
- The "Random used only once" (
java/random-used-once) query no longer has asecurity-severityscore. This has been causing some tools to categorise it as a security query, when it is more useful as a code-quality query.
- The
java/constant-comparisonquery no longer raises false alerts regarding comparisons with Unicode surrogate character literals.