- Added a new query, `java/summary/generated-vs-manual-coverage`, to expose metrics for the number of API endpoints covered by generated versus manual MaD models.
- Added a new query, `java/telemetry/supported-external-api`, to detect supported third-party APIs used in a codebase.
- Added a new query, `java/android/missing-certificate-pinning`, to find network calls where certificate pinning is not implemented.
- Added a new query, `java/android-webview-addjavascriptinterface`, to detect the use of `addJavascriptInterface`, which can lead to cross-site scripting.
- Added a new query, `java/android-websettings-file-access`, to detect configurations that enable file system access in Android WebViews.
- Added a new query, `java/android-websettings-javascript-enabled`, to detect if JavaScript execution is enabled in an Android WebView.
- The query `java/regex-injection` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally submitted as an experimental query by @edvraa.
- The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` suppression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition, the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.
- The extensible predicates for Models as Data have been renamed (the `ext` prefix has been removed). As an example, `extSummaryModel` has been renamed to `summaryModel`.
- The query `java/misnamed-type` is now enabled for Kotlin.
- The query `java/non-serializable-field` is now enabled for Kotlin.
- Fixed an issue in the query `java/android/implicit-pendingintents` by which an implicit Pending Intent marked as immutable was not correctly recognized as such.
- The query `java/maven/non-https-url` no longer alerts about disabled repositories.
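As an added illustration (not part of this changelog or of the CodeQL query sources), the Java snippet below shows the Android WebView settings that the new `java/android-websettings-javascript-enabled`, `java/android-websettings-file-access` and `java/android-webview-addjavascriptinterface` queries alert on, next to a hardened configuration, and uses the new `// codeql[query-id]` comment form to suppress a finding that is deliberately accepted. The class, method and bridge names and the URL are hypothetical.

```java
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Hypothetical helper class for this example; not part of CodeQL or Android.
public final class WebViewHardening {

    // Weak configuration: each statement below is what the new queries flag.
    static void configureWeak(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);                // flagged by java/android-websettings-javascript-enabled
        settings.setAllowFileAccess(true);                  // flagged by java/android-websettings-file-access
        settings.setAllowFileAccessFromFileURLs(true);      // flagged by java/android-websettings-file-access
        settings.setAllowUniversalAccessFromFileURLs(true); // flagged by java/android-websettings-file-access
        // Exposes a Java object to every page the WebView loads.
        webView.addJavascriptInterface(new Bridge(), "bridge"); // flagged by java/android-webview-addjavascriptinterface
    }

    // Hardened configuration: JavaScript off, file-scheme access closed, no bridge object.
    static void configureHardened(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
    }

    // Accepted finding: JavaScript is required for first-party content, so the
    // alert is suppressed with the new comment form, on its own line directly
    // before the alerting statement (the page says the legacy "// lgtm[...]"
    // form may now also be placed on the line before the alert).
    static void configureTrustedContent(WebView webView) {
        WebSettings settings = webView.getSettings();
        // codeql[java/android-websettings-javascript-enabled]
        settings.setJavaScriptEnabled(true);
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        webView.loadUrl("https://app.example.invalid/index.html"); // constructed placeholder URL
    }

    // Hypothetical bridge object, present only so the weak example compiles.
    static final class Bridge {
        @JavascriptInterface
        public String version() { return "1.0"; }
    }
}
```

Running the three new Android queries against this file should report the four `WebSettings` calls and the `addJavascriptInterface` call in `configureWeak`, nothing in `configureHardened`, and nothing in `configureTrustedContent` because of the suppression comment.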