You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: csharp/ql/lib/CHANGELOG.md
+11-11Lines changed: 11 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@
6
6
7
7
### Major Analysis Improvements
8
8
9
-
* The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries including both minor improvements and minor regressions, for example, improved precision has been observed for `cs/inefficient-containskey` and `cs/stringbuilder-creation-in-loop`. Two queries stand out as being significantly affected with great improvements: `cs/dereferenced-value-may-be-null` has been completely rewritten which removes a very significant number of false positives. Furthermore, `cs/constant-condition` has been updated to report many new results - these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, `cs/dereferenced-value-may-be-null` has been changed from a `path-problem` query to a `problem` query, so paths are no longer reported for this query.
9
+
* The representation of the C# control-flow graph has been significantly changed. This has minor effects on a wide range of queries including both minor improvements and minor regressions. For example, improved precision has been observed for `cs/inefficient-containskey` and `cs/stringbuilder-creation-in-loop`. Two queries stand out as being significantly affected with great improvements: `cs/dereferenced-value-may-be-null` has been completely rewritten which removes a very significant number of false positives. Furthermore, `cs/constant-condition` has been updated to report many new results - these new results are primarily expected to be true positives, but a few new false positives are expected as well. As part of these changes, `cs/dereferenced-value-may-be-null` has been changed from a `path-problem` query to a `problem` query, so paths are no longer reported for this query.
10
10
11
11
### Minor Analysis Improvements
12
12
@@ -143,7 +143,7 @@ No user-facing changes.
143
143
* Added `remote` flow source models for properties of Blazor components annotated with any of the following attributes from `Microsoft.AspNetCore.Components`:
144
144
-`[SupplyParameterFromForm]`
145
145
-`[SupplyParameterFromQuery]`
146
-
* Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.
146
+
* Added the constructor and explicit cast operator of `Microsoft.AspNetCore.Components.MarkupString` as an `html-injection` sink. This will help catch cross-site scripting resulting from using `MarkupString`.
147
147
* Added flow summaries for the `Microsoft.AspNetCore.Mvc.Controller::View` method.
148
148
* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
149
149
* The C# extractor now supports *basic* extraction of .NET 9 projects. There might be limited support for extraction of code using the new C# 13 language features.
* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.
166
+
* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.
167
167
168
168
## 3.1.1
169
169
@@ -201,8 +201,8 @@ No user-facing changes.
201
201
202
202
### Breaking Changes
203
203
204
-
* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`.
205
-
* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`.
204
+
* Deleted many deprecated taint-tracking configurations based on `TaintTracking::Configuration`.
205
+
* Deleted many deprecated dataflow configurations based on `DataFlow::Configuration`.
206
206
* Deleted the deprecated `explorationLimit` predicate from `DataFlow::Configuration`, use `FlowExploration<explorationLimit>` instead.
207
207
208
208
### Minor Analysis Improvements
@@ -451,7 +451,7 @@ No user-facing changes.
451
451
452
452
### New Features
453
453
454
-
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
454
+
* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`.
455
455
Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
456
456
457
457
### Minor Analysis Improvements
@@ -586,7 +586,7 @@ No user-facing changes.
586
586
587
587
* Attributes on methods in CIL are now extracted (Bugfix).
588
588
* Support for `static virtual` and `static abstract` interface members.
589
-
* Support for *operators* in interface definitions.
589
+
* Support for *operators* in interface definitions.
590
590
* C# 11: Added support for the unsigned right shift `>>>` and unsigned right shift assignment `>>>=` operators.
591
591
* Query id's have been aligned such that they are prefixed with `cs` instead of `csharp`.
592
592
@@ -626,13 +626,13 @@ No user-facing changes.
626
626
### Minor Analysis Improvements
627
627
628
628
* `DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
629
-
* ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
629
+
* ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
630
630
631
631
## 0.4.0
632
632
633
633
### Deprecated APIs
634
634
635
-
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
635
+
* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
636
636
The old name still exists as a deprecated alias.
637
637
638
638
### Bug Fixes
@@ -645,7 +645,7 @@ No user-facing changes.
645
645
646
646
### Deprecated APIs
647
647
648
-
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
648
+
* Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
649
649
The old name still exists as a deprecated alias.
650
650
651
651
### Minor Analysis Improvements
@@ -692,7 +692,7 @@ No user-facing changes.
692
692
693
693
### Deprecated APIs
694
694
695
-
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
695
+
* Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide.
0 commit comments