- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
- Removed the `local` query variants. Results for local sources are now reported by the non-local counterpart query when the `local` threat model (which covers sources such as command-line arguments, environment variables and file contents) is enabled. For example, the results previously reported by `java/unvalidated-url-redirection-local` are now reported by `java/unvalidated-url-redirection` with the `local` threat model enabled. The removed queries are `java/path-injection-local`, `java/command-line-injection-local`, `java/xss-local`, `java/sql-injection-local`, `java/http-response-splitting-local`, `java/improper-validation-of-array-construction-local`, `java/improper-validation-of-array-index-local`, `java/tainted-format-string-local`, `java/tainted-arithmetic-local`, `java/unvalidated-url-redirection-local`, `java/xxe-local` and `java/tainted-numeric-cast-local`.
- The alert message for the query "Trust boundary violation" (`java/trust-boundary-violation`) has been updated to include a link to the remote source.
- The sanitizer of the query `java/zipslip` has been improved to include nodes that are safe because they have certain safe types. This reduces false positives.
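Because the removed `-local` queries only find their old results when the `local` threat model is switched on, the practical follow-up is to enable it wherever these queries ran before. The configuration below is an added example, not part of this changelog or of the CodeQL project itself; the `threat-models` key is the one I understand the code scanning / CodeQL CLI configuration file to accept, and the file name and query suite are placeholders, so confirm both against the documentation for your CLI version.

```yaml
# .github/codeql/codeql-config.yml (example file name, assumed)
name: "Java analysis with local sources"

queries:
  # Query suite chosen for illustration; any suite containing the
  # non-local queries (e.g. java/unvalidated-url-redirection) will do.
  - uses: security-extended

# Opt in to the "local" threat model so that local sources
# (command-line arguments, environment variables, file contents)
# are treated as tainted by the non-local queries, restoring the
# results the removed "-local" query variants used to report.
threat-models:
  - local
```

Expect an increase in alert volume after enabling this: every query that previously had a `-local` twin now reports local-source findings alongside remote ones, so triage them with the lower severity that the old local variants carried in mind.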