codeql/change-notes/1.20/analysis-java.md

# Improvements to Java analysis

## General improvements


## New queries

| **Query**                   | **Tags**  | **Purpose**                                                        |
|-----------------------------|-----------|--------------------------------------------------------------------|
| Double-checked locking is not thread-safe (`java/unsafe-double-checked-locking`) | reliability, correctness, concurrency, external/cwe/cwe-609 | Identifies wrong implementations of double-checked locking that does not use the `volatile` keyword. |
| Race condition in double-checked locking object initialization (`java/unsafe-double-checked-locking-init-order`) | reliability, correctness, concurrency, external/cwe/cwe-609 | Identifies wrong implementations of double-checked locking that performs additional initialization after exposing the constructed object. |

## Changes to existing queries

| **Query**                  | **Expected impact**    | **Change**                                                       |
|----------------------------|------------------------|------------------------------------------------------------------|
| Arbitrary file write during archive extraction ("Zip Slip") (`java/zipslip`) | Fewer false positive results | Results involving a sanitization step that converts a destination `Path` to a `File` are no longer reported. |
| Double-checked locking is not thread-safe (`java/unsafe-double-checked-locking`) | Fewer false positive results and more true positive results | Results that use safe publication through a `final` field are no longer reported. Results that initialize immutable types like `String` incorrectly are now reported. |
| Result of multiplication cast to wider type (`java/integer-multiplication-cast-to-long`) | Fewer results | Results involving conversions to `float` or `double` are no longer reported, as they were almost exclusively false positives. |

## Changes to QL libraries

* The deprecated library `semmle.code.java.security.DataFlow` has been removed.
  Improved data flow libraries have been available in
  `semmle.code.java.dataflow.DataFlow`,
  `semmle.code.java.dataflow.TaintTracking`, and
  `semmle.code.java.dataflow.FlowSources` since 1.16.
* Taint tracking now includes additional default data-flow steps through
  collections, maps, and iterators. This affects all security queries, which
  can report more results based on such paths.
* The `FlowSources` and `TaintTracking` libraries are extended to cover additional remote user
  input and taint steps from the Apache Thrift, Apache Struts, Guice and Protobuf frameworks.
  This affects all security queries, which may yield additional results on projects
  that use these frameworks.
Java: Add 2 double-checked-locking queries. 2018-11-27 15:29:00 +03:00			`# Improvements to Java analysis`

			`## General improvements`


			`## New queries`

			`\| Query \| Tags \| Purpose \|`
			`\|-----------------------------\|-----------\|--------------------------------------------------------------------\|`
			\| Double-checked locking is not thread-safe (`java/unsafe-double-checked-locking`) \| reliability, correctness, concurrency, external/cwe/cwe-609 \| Identifies wrong implementations of double-checked locking that does not use the `volatile` keyword. \|
			\| Race condition in double-checked locking object initialization (`java/unsafe-double-checked-locking-init-order`) \| reliability, correctness, concurrency, external/cwe/cwe-609 \| Identifies wrong implementations of double-checked locking that performs additional initialization after exposing the constructed object. \|

			`## Changes to existing queries`

			`\| Query \| Expected impact \| Change \|`
			`\|----------------------------\|------------------------\|------------------------------------------------------------------\|`
Java: Add a flow step for `Path::toFile` in ZipSlip 2019-02-07 14:09:20 +03:00			\| Arbitrary file write during archive extraction ("Zip Slip") (`java/zipslip`) \| Fewer false positive results \| Results involving a sanitization step that converts a destination `Path` to a `File` are no longer reported. \|
Java: Extend change note. 2019-01-18 14:08:00 +03:00			\| Double-checked locking is not thread-safe (`java/unsafe-double-checked-locking`) \| Fewer false positive results and more true positive results \| Results that use safe publication through a `final` field are no longer reported. Results that initialize immutable types like `String` incorrectly are now reported. \|
Java: Restrict attention to integral types in IntMultToLong. 2019-01-07 16:27:52 +03:00			\| Result of multiplication cast to wider type (`java/integer-multiplication-cast-to-long`) \| Fewer results \| Results involving conversions to `float` or `double` are no longer reported, as they were almost exclusively false positives. \|
Java: Add 2 double-checked-locking queries. 2018-11-27 15:29:00 +03:00
			`## Changes to QL libraries`

Java: Add change note. 2019-01-08 17:50:14 +03:00			* The deprecated library `semmle.code.java.security.DataFlow` has been removed.
			`Improved data flow libraries have been available in`
			`semmle.code.java.dataflow.DataFlow`,
			`semmle.code.java.dataflow.TaintTracking`, and
			`semmle.code.java.dataflow.FlowSources` since 1.16.
Java: Add additional taint steps through collections. 2019-01-28 16:30:08 +03:00			`* Taint tracking now includes additional default data-flow steps through`
			`collections, maps, and iterators. This affects all security queries, which`
			`can report more results based on such paths.`
Java: add change note for additional framework support 2019-02-14 03:13:33 +03:00			* The `FlowSources` and `TaintTracking` libraries are extended to cover additional remote user
			`input and taint steps from the Apache Thrift, Apache Struts, Guice and Protobuf frameworks.`
			`This affects all security queries, which may yield additional results on projects`
			`that use these frameworks.`
Java: Add change note. 2019-01-08 17:50:14 +03:00
Java: Add 2 double-checked-locking queries. 2018-11-27 15:29:00 +03:00