Java: Add 1.25 change notes.

aschackmull · aschackmull · commit b1e6e3a6f23c · 2020-09-08T14:18:20.000+02:00
diff --git a/change-notes/1.25/analysis-java.md b/change-notes/1.25/analysis-java.md
@@ -4,6 +4,8 @@ The following changes in version 1.25 affect Java analysis in all applications.
 
 ## General improvements
 
+The Java autobuilder has been improved to detect more Gradle Java versions.
+
 ## New queries
 
 | **Query**                   | **Tags**  | **Purpose**                                                        |
@@ -14,10 +16,20 @@ The following changes in version 1.25 affect Java analysis in all applications.
 
 | **Query**                    | **Expected impact**    | **Change**                        |
 |------------------------------|------------------------|-----------------------------------|
-
+| Hard-coded credential in API call (`java/hardcoded-credential-api-call`) | More results | The query now recognizes the `BasicAWSCredentials` class of the Amazon client SDK library with hardcoded access key/secret key. |
+| Deserialization of user-controlled data (`java/unsafe-deserialization`) | Fewer false positive results | The query no longer reports results using `org.apache.commons.io.serialization.ValidatingObjectInputStream`. |
+| Use of a broken or risky cryptographic algorithm (`java/weak-cryptographic-algorithm`) | More results | The query now recognizes the `MessageDigest.getInstance` method. |
+| Use of a potentially broken or risky cryptographic algorithm (`java/potentially-weak-cryptographic-algorithm`) | More results | The query now recognizes the `MessageDigest.getInstance` method. |
+| Reading from a world writable file (`java/world-writable-file-read`) | More results | The query now recognizes more JDK file operations. |
 
 ## Changes to libraries
 
+* The data-flow library has been improved with more taint flow modeling for the
+  Collections framework and other classes of the JDK. This affects all security
+  queries using data flow and can yield additional results.
+* The data-flow library has been improved with more taint flow modeling for the
+  Spring framework. This affects all security queries using data flow and can
+  yield additional results on project that rely on the Spring framework.
 * The data-flow library has been improved, which affects most security queries by potentially
   adding more results. Flow through methods now takes nested field reads/writes into account.
   For example, the library is able to track flow from `"taint"` to `sink()` via the method
@@ -39,3 +51,5 @@ The following changes in version 1.25 affect Java analysis in all applications.
     }
   }
   ```
+* The library has been extended with more support for Java 14 features
+  (`switch` expressions and pattern-matching for `instanceof`).
