0.3.2.md

0.3.2

New Queries

• A new query "Android WebView that accepts all certificates" (java/improper-webview-certificate-validation) has been added. This query finds implementations of WebViewClients that accept all certificates in the case of an SSL error.

Major Analysis Improvements

• The query java/sensitive-log has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.

Minor Analysis Improvements

• The query java/path-injection now recognises vulnerable APIs defined using the SinkModelCsv class with the create-file type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.