Change note

owen-mc · owen-mc · commit 7764fbb66407 · 2025-07-11T11:05:48.000+01:00
diff --git a/java/ql/lib/change-notes/2025-07-11-unsafe-deserialization-extra-sink.md b/java/ql/lib/change-notes/2025-07-11-unsafe-deserialization-extra-sink.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The qualifiers of a calls to `readObject` on any classes that implement `java.io.ObjectInput` are now recognised as sinks for `java/unsafe-deserialization`. Previously this was only the case for classes which extend `java.io.ObjectInputStream`.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The qualifiers of a calls to `readObject` on any classes that implement `java.io.ObjectInput` are now recognised as sinks for `java/unsafe-deserialization`. Previously this was only the case for classes which extend `java.io.ObjectInputStream`.