- Added the `java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations.
- Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.
- The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.
- Removed some spurious sinks related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.
- The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
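The following is an added illustration, not code from the CodeQL repository, of the two code patterns targeted by the first two entries above: a security token derived from `java.util.Random` (what `java/insecure-randomness` is meant to flag) beside its `SecureRandom` fix, and a cipher transformation read from a properties file (the configuration-value case now covered by `java/potentially-weak-cryptographic-algorithm`). The class name, the `cipher.algorithm` key and the properties contents are constructed for the example.

```java
import java.io.StringReader;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import java.util.Random;
import javax.crypto.Cipher;

public class WeakCryptoExamples {

    // Pattern java/insecure-randomness is meant to catch: a security-sensitive
    // value (here a password-reset token) drawn from java.util.Random, whose
    // output is predictable once an attacker has observed a few outputs.
    static String weakResetToken() {
        byte[] buf = new byte[16];
        new Random().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened form: SecureRandom is backed by a CSPRNG.
    static String strongResetToken() {
        byte[] buf = new byte[16];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Constructed properties contents standing in for an app.properties file.
    // The extended query follows the value of the file into Cipher.getInstance,
    // so the first configuration is reported while the second is not.
    static final String WEAK_PROPS = "cipher.algorithm=DES/ECB/PKCS5Padding\n";
    static final String FIXED_PROPS = "cipher.algorithm=AES/GCM/NoPadding\n";

    static Cipher cipherFromProperties(String propsText) throws Exception {
        Properties props = new Properties();
        props.load(new StringReader(propsText));
        // The transformation string comes from configuration, not a literal,
        // which is exactly the flow the modified query now tracks.
        return Cipher.getInstance(props.getProperty("cipher.algorithm"));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak token:   " + weakResetToken());
        System.out.println("strong token: " + strongResetToken());
        System.out.println(cipherFromProperties(WEAK_PROPS).getAlgorithm());
        System.out.println(cipherFromProperties(FIXED_PROPS).getAlgorithm());
    }
}
```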