- The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variables.
- Java support for `build-mode: none` is now out of beta, and generally available.
- We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see Analyzing your code with CodeQL queries and Customizing your advanced setup for code scanning.
- Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.
- Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`.
- Added models for request handlers using the `org.lastaflute.web` web framework.
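The reverse-DNS change above means that, by default, data returned by a reverse DNS lookup is no longer reported as an untrusted source; a project that still wants those findings has to opt in to the `reverse-dns` threat model kind. The following code scanning configuration file is an added example, not part of this changelog or of the CodeQL project; the `threat-models` key is the one used by GitHub code scanning advanced setup, while the file name, the `name` value and the query suite are illustrative assumptions.

```yaml
# Added example (not from the CodeQL changelog): a code scanning
# configuration that re-enables the "reverse-dns" threat model kind, so
# reverse DNS resolutions (IP address -> domain name) are again treated
# as sources of untrusted data in the Java analysis.
# Assumed location: .github/codeql/codeql-config.yml
name: "Java analysis with reverse-dns threat model"

# Query suite to run; security-extended is a standard CodeQL suite name.
queries:
  - uses: security-extended

# Threat models enabled in addition to the default ("remote") sources.
# Each entry is a threat model kind; "reverse-dns" is the kind
# introduced by the change described above.
threat-models:
  - reverse-dns
```

Leaving the `threat-models` list out keeps the new default, in which reverse DNS results are not flagged; adding `reverse-dns` restores the previous behaviour for that source only, without pulling in other optional kinds such as `local`. When running the CodeQL CLI directly rather than through code scanning, the same opt-in is expressed with the `--threat-model` option of `codeql database analyze`.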