6 | 6 |
7 | 7 | * Alert suppression can now be done with single-line block comments (`/* ... */`) as well as line comments (`// ...`).
8 | 8 |
9 |
| -* Imports with the `.js` extension can now be resolved to a TypeScript file, |
| 9 | +* Resolution of imports has improved, leading to more results from the security queries: |
| 10 | + - Imports with the `.js` extension can now be resolved to a TypeScript file, |
10 | 11 | when the import refers to a file generated by TypeScript.
| 12 | + - Imports that rely on path-mappings from a `tsconfig.json` file can now be resolved. |
| 13 | + - Export declarations of the form `export * as ns from "x"` are now analyzed more precisely. |
11 | 14 |
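Review bot: the continuation line `when the import refers to a file generated by TypeScript.` (old line 10 / new line 11) is left unchanged while the bullet it completes moved from a top-level `*` item to a nested `-` item under `Resolution of imports has improved`; if its indentation was not increased to match the new sub-list, Markdown will render it outside the list. Please check the leading whitespace of new line 11 in the file itself, since the rendering here strips it. The merge is otherwise sound: the three formerly separate bullets (old lines 9, 12 and 14) now sit under one heading, and new lines 12 and 13 are faithful copies of the deleted path-mapping and export-declaration notes.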
12 |
| -* Imports that rely on path-mappings from a `tsconfig.json` file can now be resolved. |
| 15 | +* The analysis of sanitizers has improved, leading to more accurate results from the security queries. |
| 16 | + In particular: |
| 17 | + - Sanitizer guards now act across function boundaries in more cases. |
| 18 | + - Sanitizers can now better distinguish between a tainted value and an object _containing_ a tainted value. |
13 | 19 |
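Review bot: new line 15 changes the claim for the sanitizer work from `fewer false-positive results` (old line 16) to `more accurate results`, which is the right call given new line 18: distinguishing a tainted value from an object that merely contains one can also surface results that were previously sanitized away, so this is not purely a false-positive reduction. It would help readers to say so explicitly, and to point at the library entry later in this file (new lines 93 to 95) that describes the same behaviour change in terms of the `taint` and `data` flow labels, since query authors relying on the old sanitizer semantics need to read both entries together.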
14 |
| -* Export declarations of the form `export * as ns from "x"` are now analyzed more precisely. |
15 |
| - |
16 |
| -* The analysis of sanitizer guards has improved, leading to fewer false-positive results from the security queries. |
17 |
| - |
18 |
| -* The call graph construction has been improved, leading to more results from the security queries: |
| 20 | +* Call graph construction has been improved, leading to more results from the security queries: |
19 | 21 | - Calls can now be resolved to indirectly-defined class members in more cases.
20 | 22 | - Calls through partial invocations such as `.bind` can now be resolved in more cases.
21 | 23 |
80 | 82 | | Use of password hash with insufficient computational effort (`js/insufficient-password-hash`) | Fewer false positive results | This query now recognizes additional cases that do not require secure hashing. |
81 | 83 | | Useless regular-expression character escape (`js/useless-regexp-character-escape`) | Fewer false positive results | This query now distinguishes escapes in strings and regular expression literals. |
82 | 84 | | Identical operands (`js/redundant-operation`) | Fewer results | This query now recognizes cases where the operands change a value using ++/-- expressions. |
| 85 | +| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer results | This query now recognizes cases where a function uses the `Function.arguments` value to process a variable number of parameters. | |
83 | 86 |
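Review bot: the new table row on line 85 ends with `| |`, one cell more than the neighbouring rows on lines 82 to 84, which end with a single `|`; the extra empty cell will render as a fifth column or, depending on the renderer, break the row. Drop the trailing `|`. Also, `Function.arguments` is easy to read as the deprecated `fn.arguments` property rather than the `arguments` object available inside a function body; if the query recognizes the latter (the usual way to process a variable number of parameters), wording it as `the function's `arguments` object` would be clearer.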
84 | 87 | ## Changes to libraries
85 | 88 |
86 | 89 | * The predicates `RegExpTerm.getSuccessor` and `RegExpTerm.getPredecessor` have been changed to reflect textual, not operational, matching order. This only makes a difference in lookbehind assertions, which are operationally matched backwards. Previously, `getSuccessor` would mimick this, so in an assertion `(?<=ab)` the term `b` would be considered the predecessor, not the successor, of `a`. Textually, however, `a` is still matched before `b`, and this is the order we now follow.
87 | 90 | * An extensible model of the `EventEmitter` pattern has been implemented.
| 91 | +* Taint-tracking configurations now interact differently with the `data` flow label, which may affect queries |
| 92 | + that combine taint-tracking and flow labels. |
| 93 | + - Sources added by the 1-argument `isSource` predicate are associated with the `taint` label now, instead of the `data` label. |
| 94 | + - Sanitizers now only block the `taint` label. As a result, sanitizers no longer block the flow of tainted values wrapped inside a property of an object. |
| 95 | + To retain the old behavior, instead use a barrier, or block the `data` flow label using a labeled sanitizer. |
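Review bot: new line 94 is a behaviour change that can silently weaken existing custom queries: a sanitizer that used to stop a tainted value from reaching a sink through an object property will no longer do so, and the only hint is this changelog entry. Consider stating that plainly (for example, `existing sanitizers may now report flows they previously suppressed`), and naming the predicates meant by `use a barrier` and `a labeled sanitizer` in the continuation on line 95 so that query authors can act on it without searching the library documentation. Line 93 similarly deserves one sentence on the practical effect: sinks or sanitizers keyed on the `data` label will no longer see sources added through the 1-argument `isSource`. The continuation lines 92 and 95 also need the same indentation as the bullet text they continue, or Markdown will break the list (the rendering here strips leading whitespace, so please verify in the file). Unrelated but adjacent: unchanged line 89 has `mimick` for `mimic`.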