From 71ac4003f56e00524aa706bbeedbc7389551693e Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Sat, 24 Aug 2019 12:30:33 +0100 Subject: [PATCH 1/2] Finalize release notes --- change-notes/1.22/analysis-javascript.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/change-notes/1.22/analysis-javascript.md b/change-notes/1.22/analysis-javascript.md index 98f531c143ab..706e54dd679d 100644 --- a/change-notes/1.22/analysis-javascript.md +++ b/change-notes/1.22/analysis-javascript.md @@ -28,14 +28,14 @@ | **Query** | **Expected impact** | **Change** | |--------------------------------|------------------------------|---------------------------------------------------------------------------| -| Shift out of range | Fewer false positive results | This rule now correctly handles BigInt shift operands. | -| Conflicting HTML element attributes | Fewer results | Results are no longer shown on LGTM by default. | -| Superfluous trailing arguments | Fewer false-positive results. | This rule no longer flags calls to placeholder functions that trivially throw an exception. | -| Undocumented parameter | No changes to results | This rule is now run on LGTM, although its results are still not shown by default. | +| Conflicting HTML element attributes (`js/conflicting-html-attribute`) | No changes to results | Results are no longer shown on LGTM by default. | +| Shift out of range (`js/shift-out-of-range`| Fewer false positive results | This rule now correctly handles BigInt shift operands. | +| Superfluous trailing arguments (`js/superfluous-trailing-arguments`) | Fewer false-positive results. | This rule no longer flags calls to placeholder functions that trivially throw an exception. | +| Undocumented parameter (`js/jsdoc/missing-parameter`) | No changes to results | This rule is now run on LGTM, although its results are still not shown by default. | ## Changes to QL libraries -- The `getName()` predicate on functions and classes now gets a name +- The `getName()` predicate on functions and classes now gets a name that is inferred from the context if the function or class was not declared with a name. - The two-argument and three-argument variants of `DataFlow::Configuration::isBarrier` and `TaintTracking::Configuration::isSanitizer` have been deprecated. Overriding them no From 28d0e890a8ed20d5c4610c5f0e83db7b0a422b81 Mon Sep 17 00:00:00 2001 From: Asger F Date: Sat, 24 Aug 2019 13:21:23 +0100 Subject: [PATCH 2/2] JS: Add change note about CHA --- change-notes/1.22/analysis-javascript.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/change-notes/1.22/analysis-javascript.md b/change-notes/1.22/analysis-javascript.md index 706e54dd679d..861258829c32 100644 --- a/change-notes/1.22/analysis-javascript.md +++ b/change-notes/1.22/analysis-javascript.md @@ -16,7 +16,9 @@ * Support for tracking data flow and taint through getter functions (that is, functions that return a property of one of their arguments) and through the receiver object of method calls has been improved. This may produce more security alerts. * Taint tracking through object property names has been made more precise, resulting in fewer false positive results. - + +* Method calls are now resolved in more cases, due to improved class hierarchy analysis. This may produce more security alerts. + ## New queries | **Query** | **Tags** | **Purpose** |