Thecpp/overflow-destination,cpp/unclear-array-index-validation, andcpp/uncontrolled-allocation-size queries have been modernized and converted topath-problem queries and provide more true positive results.

Thecpp/system-data-exposure query has been increased frommedium tohigh precision, following a number of improvements to the query logic.

Updated “Local information disclosure in a temporary directory” (java/local-temp-file-or-directory-information-disclosure) to remove false-positives when OS is properly used as logical guard.

Fixed an issue that would sometimes prevent the data-flow analysis from finding flow paths through a function that stores its result on an object.This may lead to more results for the security queries.

The query “Insertion of sensitive information into log files” (java/sensitive-logging) has been promoted from experimental to the main query pack. This query was originallysubmitted as an experimental query by @luchua-bc.

Added a new query,rb/clear-text-storage-sensitive-data. The query finds cases where sensitive information, such as user credentials, are stored as cleartext.

Added a new query,rb/incomplete-hostname-regexp. The query finds instances where a hostname is incompletely sanitized due to an unescaped character in a regular expression.

The flow state variants ofisBarrier andisAdditionalFlowStep are no longer exposed in the taint tracking library. TheisSanitizer andisAdditionalTaintStep predicates should be used instead.

The flow state variants ofisBarrier andisAdditionalFlowStep are no longer exposed in the taint tracking library. TheisSanitizer andisAdditionalTaintStep predicates should be used instead.

The flow state variants ofisBarrier andisAdditionalFlowStep are no longer exposed in the taint tracking library. TheisSanitizer andisAdditionalTaintStep predicates should be used instead.

The flow state variants ofisBarrier andisAdditionalFlowStep are no longer exposed in the taint tracking library. TheisSanitizer andisAdditionalTaintStep predicates should be used instead.

The flow state variants ofisBarrier andisAdditionalFlowStep are no longer exposed in the taint tracking library. TheisSanitizer andisAdditionalTaintStep predicates should be used instead.

DefaultOptions::exits now holds for C11 functions with the_Noreturn ornoreturn specifier.

hasImplicitCopyConstructor andhasImplicitCopyAssignmentOperator now correctly handle implicitly-deleted operators in templates.

All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

Added new guardsIsWindowsGuard,IsSpecificWindowsVariant,IsUnixGuard, andIsSpecificUnixVariant to detect OS specific guards.

Added a new predicategetSystemProperty that gets all expressions that retrieve system properties from a variety of sources (eg. alternative JDK API’s, Google Guava, Apache Commons, Apache IO, etc.).

Added support for detection of SSRF via JDBC database URLs, including connections made using the standard library (java.sql), Hikari Connection Pool, JDBI and Spring JDBC.

Re-removed support forCharacterLiteral fromCompileTimeConstantExpr.getStringValue() to restore the convention that that predicate only applies toString-typed constants.

All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.

getConstantValue() now returns the contents of strings and symbols after escape sequences have been interpreted. For example, for the Ruby string literal"n",getConstantValue().getString() previously returned a QL string with two characters, a backslash followed byn; now it returns the single-character string “n” (U+000A, known as newline).

getConstantValue().getInt() previously returned incorrect values for integers larger than 2³¹-1 (the largest value that can be represented by the QLint type). It now returns no result in those cases.

AddedOrmWriteAccess concept to model data written to a database using an object-relational mapping (ORM) library.

Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.The old name still exists as a deprecated alias.

Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.The old name still exists as a deprecated alias.

Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.The old name still exists as a deprecated alias.

Some predicates fromDefUse.qll,DataFlow.qll,TaintTracking.qll,DOM.qll,Definitions.qll that weren’t used by any query have been deprecated.The documentation for each predicate points to an alternative.

Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.The old name still exists as a deprecated alias.

Some modules that started with a lowercase letter have been renamed to follow our style-guide.The old name still exists as a deprecated alias.

Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.The old name still exists as a deprecated alias.

Some modules that started with a lowercase letter have been renamed to follow our style-guide.The old name still exists as a deprecated alias.

Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.The old name still exists as a deprecated alias.

The data flow and taint tracking libraries have been extended with versions ofisBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.

The data flow and taint tracking libraries have been extended with versions ofisBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.

The data flow and taint tracking libraries have been extended with versions ofisBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.

The data flow and taint tracking libraries have been extended with versions ofisBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.

The data flow and taint tracking libraries have been extended with versions ofisBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.