Analysis in all applications
The following changes in version 1.20 affect Java analysis in all applications.
TaintTracking libraries are extended to cover additional remote user input and taint steps from the following frameworks: Guice, Protobuf, Thrift and Struts. This affects all security queries, which may yield additional results on projects that use these frameworks.
| **Query** | **Tags** | **Purpose** |
|---|---|---|
| Double-checked locking is not thread-safe | reliability, correctness, concurrency, external/cwe/cwe-609 | Identifies wrong implementations of double-checked locking that do not use the |
| Race condition in double-checked locking object initialization | reliability, correctness, concurrency, external/cwe/cwe-609 | Identifies wrong implementations of double-checked locking that perform additional initialization after exposing the constructed object. |
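As an added illustration (not code from the changelog or from the queries themselves), the Java below shows a double-checked locking implementation carrying both defects the two new queries flag, beside a correct form; the `Config` class is a constructed stand-in for whatever lazily initialized object a real project would hold.

```java
// Added illustration, not code from the changelog: a double-checked locking
// (CWE-609) implementation with both defects the new queries flag, beside
// a correct form.
public final class DclExamples {
    static final class Config {              // constructed stand-in object
        int[] values;
        void init() { values = new int[] {1, 2, 3}; }
    }

    // Defect 1: 'instance' is not volatile, so the unsynchronized first read has
    // no happens-before relation to the write; a reader can see a non-null
    // reference whose fields are not yet visible.
    // Defect 2: the object is stored into the field before init() runs, so even
    // with a volatile field a reader passing the first null check may use it
    // before initialization has completed.
    static final class Broken {
        private static Config instance;            // missing 'volatile'
        static Config get() {
            if (instance == null) {
                synchronized (Broken.class) {
                    if (instance == null) {
                        instance = new Config();   // published here...
                        instance.init();           // ...initialized afterwards
                    }
                }
            }
            return instance;
        }
    }

    // Correct: volatile field, and the object is fully initialized before the
    // single publishing write; the local copy avoids a second volatile read.
    static final class Safe {
        private static volatile Config instance;
        static Config get() {
            Config local = instance;
            if (local == null) {
                synchronized (Safe.class) {
                    local = instance;
                    if (local == null) {
                        local = new Config();
                        local.init();
                        instance = local;
                    }
                }
            }
            return local;
        }
    }
}
```

`Safe.get()` is the shape both queries accept: the field is volatile, and nothing touches the object through the shared field after the write that makes it visible.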
Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|---|---|---|
| Arbitrary file write during archive extraction (“Zip Slip”) | Fewer false positive results | Results involving a sanitization step that converts a destination |
| Result of multiplication cast to wider type | Fewer results | Results involving conversions to |
Changes to QL libraries
- The deprecated library `semmle.code.java.security.DataFlow` has been removed. Improved data flow libraries have been available in
- Taint tracking now includes additional default data-flow steps through collections, maps, and iterators. This affects all security queries, which can report more results based on such paths.
Additional changes for analysis in QL tools and applications only
There are no changes in this version that affect Java analysis only in QL for Eclipse and the QL command-line tools.