Analysis in all applications

The following changes in version 1.18 affect Java analysis in all applications.


## General improvements

* The extractor now supports the extraction of code written using Java 10,
  including all new language features introduced in the Java 10 release.

* The Maven `settings_file` option in an `lgtm.yml` configuration
  can now be specified as a relative path (relative to the source
  root directory `$LGTM_SRC`). This is useful when a project-specific
  settings file is stored along with the source code.

* In previous versions of LGTM, code was built in an environment with
  `JAVA_HOME` set to the version of Java bundled with the QL analysis
  tools. This version of Java was also added to the `PATH`.
  LGTM no longer changes the `JAVA_HOME` or `PATH` environment variables.

## New queries

| **Query**                   | **Tags**  | **Purpose**                                                        |
|-----------------------------|-----------|--------------------------------------------------------------------|
| Hard-coded credential in API call (`java/hardcoded-credential-api-call`) | security, external/cwe/cwe-798 | Highlights hard-coded credentials that flow to a sensitive API call. Results are hidden on LGTM by default. |
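The pattern this query looks for, as an added example rather than code from the release notes or from the query itself: a compile-time constant that flows into an authentication call. A JDBC login is used here as a representative sensitive call; which APIs the query actually treats as sinks is defined by the query, not by this example. The JDBC URL, user name and environment variable names are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

/**
 * Added example (not code from the LGTM release notes or from the query).
 * Shows a hard-coded credential reaching an API call (CWE-798) next to the
 * hardened form that reads the secret at runtime.
 */
public class CredentialExample {

    // Assumed database location for the example.
    private static final String JDBC_URL = "jdbc:postgresql://db.internal:5432/app";

    // VULNERABLE: the credential is a constant that flows into
    // DriverManager.getConnection. It ships in every build and every clone of
    // the repository, and rotating it requires a code change and a release.
    private static final String DB_PASSWORD = "S3cretP@ss";

    static Connection openInsecure() throws SQLException {
        // java/hardcoded-credential-api-call: constant password reaches a sensitive call
        return DriverManager.getConnection(JDBC_URL, "app", DB_PASSWORD);
    }

    // HARDENED: the credential is read at runtime from the environment (or a
    // secrets manager). Nothing in the source carries the value, so there is
    // no constant left to flow into the API call.
    static Connection openFromEnvironment() throws SQLException {
        String user = requireEnv("APP_DB_USER");        // assumed variable name
        String password = requireEnv("APP_DB_PASSWORD"); // assumed variable name
        return DriverManager.getConnection(JDBC_URL, user, password);
    }

    // Fail closed: a missing secret is a configuration error, not a reason to
    // fall back to a built-in default (which would reintroduce the finding).
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing required secret: " + name);
        }
        return value;
    }

    public static void main(String[] args) {
        try (Connection c = openFromEnvironment()) {
            System.out.println("connected as " + c.getMetaData().getUserName());
        } catch (SQLException e) {
            System.err.println("connection failed: " + e.getMessage());
        }
    }
}
```

Note that the query flags the flow, not merely the string literal: moving the constant into a separate class or passing it through a helper does not change the result, whereas reading it from the environment does, because no constant reaches the call.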

## Changes to existing queries

| **Query**                  | **Expected impact**    | **Change**                                                       |
|----------------------------|------------------------|------------------------------------------------------------------|
| Dereferenced variable may be null (`java/dereferenced-value-may-be-null`) | Fewer false positive results | Switch cases acting as implicit null guards are taken into account. |
| Missing format argument (`java/missing-format-argument`) | More results | Additional results involving `org.slf4j.Logger`-based formatting are now reported. |
| Potential database resource leak (`java/database-resource-leak`) | Fewer false positive results | Results arising from `Mockito.verify(..)` objects are no longer reported. |
| Resolving XML external entity in user-controlled data (`java/xxe`) | More results | Additional results involving the Simple XML serialization framework are now reported. |
| Uncontrolled data in arithmetic expression (`java/uncontrolled-arithmetic`) | More results | Additional results involving prefix/postfix increment/decrement expressions are now reported. |
| Unused format argument (`java/unused-format-argument`) | More results | Additional results involving `org.slf4j.Logger`-based formatting are now reported. |
| Useless null check (`java/useless-null-check`) | More results | Null checks on `this` and variables that are already checked for `null` are now reported. |
| User-controlled data in arithmetic expression (`java/tainted-arithmetic`) | More results | Additional results involving prefix/postfix increment/decrement expressions are now reported. |
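The following is an added example, not code from the release notes, that isolates three of the changes above so the new behaviour can be seen on a small input: a switch case acting as an implicit null guard (`java/dereferenced-value-may-be-null`), `{}` placeholder mismatches with `org.slf4j.Logger` (`java/missing-format-argument`, `java/unused-format-argument`), and a prefix increment on an uncontrolled value (`java/uncontrolled-arithmetic`; for `java/tainted-arithmetic` the source would be remote input such as a request parameter instead of a random number). Class, method and logger names are invented for illustration; the SLF4J dependency is assumed to be on the class path.

```java
import java.util.Random;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example (not code from the LGTM release notes). Each method
 * corresponds to one row of the "Changes to existing queries" table.
 */
public class QueryChangeExamples {

    private static final Logger LOG = LoggerFactory.getLogger(QueryChangeExamples.class);

    enum Mode { READ, WRITE }

    // java/dereferenced-value-may-be-null: switching on 'mode' throws a
    // NullPointerException at the switch itself when 'mode' is null, so
    // 'mode.name()' inside a case can never dereference null. The switch case
    // is now recognised as an implicit null guard instead of being reported.
    static String describe(Mode mode) {
        switch (mode) {
            case READ:
                return "read-only: " + mode.name();
            case WRITE:
                return "read-write: " + mode.name();
            default:
                return "unknown";
        }
    }

    // java/missing-format-argument and java/unused-format-argument: SLF4J fills
    // '{}' placeholders positionally. Both mismatches are now reported for
    // org.slf4j.Logger, and both silently produce a misleading log line at runtime.
    static void logMismatches(String user, int attempts) {
        LOG.warn("login failed for {} after {} attempts", user);           // missing: second '{}' is never filled
        LOG.info("login succeeded for {}", user, attempts);                // unused: 'attempts' is dropped
        LOG.warn("login failed for {} after {} attempts", user, attempts); // correct
    }

    // java/uncontrolled-arithmetic: increment/decrement expressions on an
    // uncontrolled value are now reported alongside '+' and '*'. A random
    // int equal to Integer.MAX_VALUE wraps to Integer.MIN_VALUE here.
    static int nextSequence(Random rng) {
        int seq = rng.nextInt(); // uncontrolled value
        return ++seq;            // now reported: may overflow
    }

    // Checked form: overflow raises ArithmeticException instead of wrapping.
    static int nextSequenceChecked(Random rng) {
        int seq = rng.nextInt();
        return Math.incrementExact(seq);
    }

    public static void main(String[] args) {
        System.out.println(describe(Mode.READ));
        logMismatches("alice", 3);
        System.out.println(nextSequenceChecked(new Random()));
    }
}
```

A useful check after upgrading is to look at the new `java/missing-format-argument` results first: a placeholder left unfilled in a security-relevant log line (who failed to log in, from where) means the log never recorded the value an investigation would need.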

## Changes to QL libraries

* The control-flow graph is improved with more precise tracking of method calls
  that always throw exceptions. This improves precision for a wide range of
  queries, in particular those that rely directly on local control flow,
  including `java/constant-comparison`, `java/dereferenced-value-may-be-null`,
  and `java/switch-fall-through`.
* The data-flow and taint-tracking libraries can now track flow through instance
  fields. This affects all security queries, which can return additional
  results with more complex flow paths.
* The data-flow and taint-tracking libraries now perform type-based path pruning
  to rule out some impossible paths. This increases the precision of all
  security queries.
* The `Guards` library is extended to include a class `Guard` and in particular
  the predicate `Guard.controls(..)`. This is similar to `ConditionBlock.controls`
  but also includes switch case-guards and identifies implicit guards through
  logical reasoning.
* The `VirtualDispatch` library models dispatch to lambdas and other anonymous
  classes more precisely. This affects a wide range of queries including more
  precise data flow for all security queries, and improved precision for all
  queries based on SSA, including `java/constant-comparison`,
  `java/dereferenced-value-may-be-null`, and `java/index-out-of-bounds`.
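The path shapes the improved libraries now follow, as an added example rather than code from the release notes: a method call that always throws (the control-flow change), a value stored into an instance field in one method and read back in another (field flow), and a sink reached only through a lambda (the `VirtualDispatch` change). Names are invented; which sources and sinks a query recognises is decided by the query's own models, not by this file, so the comments describe the path shape, not a guaranteed alert.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.Socket;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.function.Function;

/**
 * Added example (not code from the LGTM release notes). Illustrates the
 * three library changes that most often produce new or removed results.
 */
public class LibraryChangeExamples {

    // Control flow: 'fail' always throws, so after the if-block 'user' is known
    // to be non-null. Queries that rely on local control flow, such as
    // java/dereferenced-value-may-be-null, no longer treat 'user.trim()' as
    // reachable with a null 'user'.
    static String normalise(String user) {
        if (user == null) {
            fail("user is required");
        }
        return user.trim();
    }

    private static void fail(String message) {
        throw new IllegalArgumentException(message);
    }

    // Field flow: the instance field carries the untrusted value between two
    // methods. Before 1.18 the path stopped at the field write; now it
    // continues from 'receive' to 'lookup'.
    private String requestedUser;

    void receive(Socket client) throws IOException {
        BufferedReader in = new BufferedReader(new InputStreamReader(client.getInputStream()));
        this.requestedUser = in.readLine(); // untrusted network input
    }

    // Lambda dispatch: the concatenation sits inside a lambda and is only
    // reached through Function.apply. Dispatch to the lambda body is now
    // modelled, so the query built here is seen as the sink of the path that
    // started in 'receive' (java/sql-injection).
    ResultSet lookup(Connection db) throws SQLException {
        Function<String, String> buildQuery =
            name -> "SELECT id, role FROM users WHERE name = '" + name + "'";
        Statement st = db.createStatement();
        return st.executeQuery(buildQuery.apply(this.requestedUser));
    }

    // Hardened: the field still carries the value, but it is bound as a
    // parameter, so the path ends at a safe API rather than a string build.
    ResultSet lookupSafely(Connection db) throws SQLException {
        PreparedStatement ps = db.prepareStatement("SELECT id, role FROM users WHERE name = ?");
        ps.setString(1, this.requestedUser);
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        System.out.println(normalise("  alice  "));
    }
}
```

The practical consequence of the field-flow and lambda changes is that alerts can now appear on code that did not change, because a path that was previously cut at a field write or a lambda boundary is now complete; the `lookup` method above is the shape to look for when triaging such results.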


Additional changes for analysis in QL tools and applications only

There are no changes in version 1.18 that affect Java analysis only in QL for Eclipse and the QL command-line tools.