- A `Diagnostic.getCompilationInfo()` predicate has been added.
- Fixed a typo in the `StdlibRandomSource` class in `RandomDataSource.qll`, which caused the class to improperly model calls to the `nextBytes` method. Queries relying on `StdlibRandomSource` may see an increase in results.
- Improved the precision of virtual dispatch of `java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of `InputStream` if there is a high-confidence alternative (like a models-as-data summary).
- Added more dataflow steps for `java.io.InputStream`s that wrap other `java.io.InputStream`s.
- Added models for the Struts 2 framework.
- Improved the modeling of Struts 2 sources of untrusted data by tainting the whole object graph of the objects unmarshaled from an HTTP request.