- Parameters of delegates passed to routing endpoint calls like `MapGet` in ASP.NET Core are now considered remote flow sources.
- The query `cs/unsafe-deserialization-untrusted-input` no longer reports on all calls of `JsonConvert.DeserializeObject`; it only covers cases that explicitly use unsafe serialization settings.
- Added better support for the SQLite framework in the SQL injection query.
- File streams are now considered stored flow sources. For example, reading query elements from a file can lead to a Second Order SQL injection alert.
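
The first two changes combine in the sketch below, which is an added example and not code from the CodeQL project. The routes, the `Order` type and the choice of `TypeNameHandling.All` as the unsafe setting are assumptions made for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Newtonsoft.Json;

var app = WebApplication.Create(args);

// "payload" is a parameter of a delegate passed to MapGet, so it is
// treated as a remote flow source.
app.MapGet("/import-unsafe", (string payload) =>
{
    // Explicitly unsafe settings: type names embedded in the JSON decide
    // which .NET types get instantiated. This is the shape the narrowed
    // cs/unsafe-deserialization-untrusted-input query is described as covering.
    var settings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.All
    };
    var order = JsonConvert.DeserializeObject<Order>(payload, settings);
    return Results.Ok(order?.Item);
});

// Same remote source, but default settings (TypeNameHandling.None):
// only the statically requested Order type is constructed, so this call
// is no longer expected to raise the alert.
app.MapGet("/import-default", (string payload) =>
{
    var order = JsonConvert.DeserializeObject<Order>(payload);
    return Results.Ok(order?.Item);
});

app.Run();

// Hypothetical DTO used only for this example.
public record Order(string Item, int Quantity);
```

When triaging alerts after the upgrade, findings of the first shape are fixed by removing the `TypeNameHandling` override or deserializing into a closed set of known types.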