v2.0.0

What's Changed

• De-noise alert position by @jeongsoolee09 in #36
• Update expected results by @jeongsoolee09 in #38
• merge main by @mbaluda in #39
• Bump version: 1.0.0 and 1.0.1 by @jeongsoolee09 in #37
• Add first draft of qhelp for queries by @jeongsoolee09 in #33
• Improve test automation by @mbaluda in #41
• Prepare for 0.1.1 pack release by @jeongsoolee09 in #46
• Update UI5Clickjacking.ql precision by @mbaluda in #49
• Track dataflow through event handlers and their parameters by @mbaluda in #40
• Update codeql_tests.yml by @mbaluda in #47
• Avoid duplicate alerts by @mbaluda in #50
• Bump all versions to 0.2.0 by @jeongsoolee09 in #54
• Integrate QLT by @jsinglet in #53
• Delete codeql-sap-js.code-workspace by @mbaluda in #55
• Introduce new repository structure by @jeongsoolee09 in #56
• Add diagnostic queries by @rvermeulen in #60
• Generalize UI5 sources by @rvermeulen in #61
• Bump version to 0.3.0 by @jeongsoolee09 in #62
• Add diagnostic query to list partial paths by @rvermeulen in #63
• Broaden the requirements for an XML view by @rvermeulen in #65
• Upgrade CodeQL dependencies and bump pack versions by @rvermeulen in #68
• Add UI5 web app detection by @rvermeulen in #66
• Extend bindings modeling by @rvermeulen in #69
• Fix resource root resolve by @rvermeulen in #71
• Add heuristic model pack by @rvermeulen in #72
• Expand javascript bindings by @rvermeulen in #73
• Address CP between binding strings and static javascript binding by @rvermeulen in #75
• Remove tokens for QLT by @jsinglet in #76
• Cover CAP's Fluent API to construct cds.ql queries by @jeongsoolee09 in #29
• Trigger the unit test only on main by @rvermeulen in #74
• Detect XSS involving server-side models and controller handler parameters by @jeongsoolee09 in #67
• Bump version to 0.5.0 by @jeongsoolee09 in #80
• CAP SQLi/LOGi queries by @mbaluda in #82
• Bump codeql/javascript-all to ^0.8.7 by @jeongsoolee09 in #79
• Add cap cxn parse sink model and test by @knewbury01 in #83
• Path should not cross different apps by @mbaluda in #88
• Refine Code Scanning workflow configuration by @mbaluda in #85
• Implement CDS log sinks by @knewbury01 in #81
• Create query for vulnerability not specific to webapp security by @jeongsoolee09 in #78
• Add sarif-diff to Code Scanning workflow by @mbaluda in #58
• Optimize UI5BindingPath.getNode by @jeongsoolee09 in #92
• Edit dependencies, precision and suite file names by @jeongsoolee09 in #91
• Stylistic edits to help files by @jeongsoolee09 in #90
• Log-injection improvements by @mbaluda in #89
• Separate CAP from non-CAP alerts by @mbaluda in #96
• Upgrade QLT Version by @jsinglet in #97
• Cover missing XSS vulnerability by @jeongsoolee09 in #104
• Perform missing version ups from 0.5.0 to 0.6.0 by @jeongsoolee09 in #105
• fix paths for json files compiled from cds by @mbaluda in #106
• Cover multi-service log injection by @jeongsoolee09 in #94
• Bump remaining 0.5.0 to 0.6.0 by @jeongsoolee09 in #108
• Add authentication/authorization related PoCs by @jeongsoolee09 in #107
• Fix FN cap sources by @knewbury01 in #109
• Patch for cap remoteflowsource ServiceinCDSHandlerParameter by @knewbury01 in #110
• Bump CAP packs' version from 0.1.0 to 0.2.0 by @jeongsoolee09 in #114
• CodeQL version from qlt.conf.json by @mbaluda in #119
• Add two log injection applications with custom listeners by @jeongsoolee09 in #116
• Remove .expected files by @jeongsoolee09 in #121
• Fix code-scanning workflow by @mbaluda in #122
• Adapt to modified LGTM_ env variables behavior by @mbaluda in #125
• Update urls for cql injection help file by @knewbury01 in #128
• Adjust cap log sinks by @knewbury01 in #130
• Use qlt-action from advanced-security/codeql-development-toolkit by @mbaluda in #131
• XSJS queries and CodeQL update by @mbaluda in #129
• Add sensitive information exposure query by @knewbury01 in #126
• Address CodeQL warnings by @mbaluda in #133
• Add fully qualified name matching on E2 sources by @knewbury01 in #137
• UI5 client side log-injection improvements by @mbaluda in #136
• Implement queries for authentication / authorization related issues by @jeongsoolee09 in #113
• Add help files to Authentication/Authorization queries by @jeongsoolee09 in #138
• Revert "Undo commit a79ebb-693132" by @mbaluda in #142
• Adds XSJS CSRF and authorization queries by @mbaluda in #144
• Implement UnnecessarilyGrantedPrivilegedAccessRights by @jeongsoolee09 in #139
• Add README for CAP and XSJS by @mbaluda in #147
• fix broken links by @mbaluda in #148
• Bump version of qlpack.ymls for CAP release by @jeongsoolee09 in #149
• Deals with external .cds files by @mbaluda in #150
• Update README.md by @mbaluda in #151
• Prepare project for publishing by @mbaluda in #156
• Create SECURITY.md by @lcartey in #157
• Refine locations in the CDS file by @lcartey in #159
• Add a CodeQL extractor for SAP CAP cds files by @lcartey in #158
• Rename XSJS packs to remove -async- qualifier by @lcartey in #160
• Remove cartesian product in MkConstBindingPathComponentList by @lcartey in #161
• Capture and report CDS compilation errors by @lcartey in #162
• cds extractor: npm install in each package.json by @lcartey in #163
• CDL: Improve performance by simplifying CDS location identification by @lcartey in #165
• Remove 'log-injection-single-file' by @jeongsoolee09 in #166
• Exclude injection alerts where the input data type is not String by @mbaluda in #115
• Apply markdownlint fixes for project .md files by @data-douser in #167
• Run cds compile command without -o option by @data-douser in #172
• Bump codeql/javascript-all and fix breaking changes by @jeongsoolee09 in #170
• Rename pack javascript-sap-xsjs-lib to javascript-sap-xsjs-all by @jeongsoolee09 in #173
• Avoid redirecting cds compiler stdout by @data-douser in #174
• Address a performance regression in recent upgrade by @lcartey in #177
• Add Customizations.qll files to support integration of sources into Custom CodeQL bundles by @lcartey in #178
• Initial version of platform-independent CDS extractor by @data-douser in #169
• Add support for indexing UI5 XML views by @lcartey in #179
• Improve logging and quoting in extractor scripts by @data-douser in #182
• Remove XSJS' RemoteFlowSources.qll by @jeongsoolee09 in #184
• Improve UI5 performance for large codebases by @lcartey in #186
• Remove dependencies on isSink in the taint tracking configurations of the default queries by @jeongsoolee09 in #180
• Begin multi-phase conversion of the CodeQL CDS extractor : Improve Modularity and Testing by @data-douser in #188
• Remove FPs of js/ui5-log-injection-to-http by @jeongsoolee09 in #190
• Fix CDS extractor findPackageJsonDirs function by @data-douser in #194
• Improve language of XSJSAuthentication.md by @jeongsoolee09 in #196
• Update XSJSCsrfDisabled by @jeongsoolee09 in #197
• Bump path-to-regexp and express in /javascript/frameworks/cap/test/models/cds/entityreference by @dependabot[bot] in #175
• Bump cookie and express in /javascript/frameworks/cap/test/models/cds/entityreference by @dependabot[bot] in #176
• Bump tar-fs from 2.1.1 to 2.1.2 in /javascript/frameworks/cap/test/models/cds/entityreference by @dependabot[bot] in #181
• Bump the npm_and_yarn group across 4 directories with 19 updates by @dependabot[bot] in #185
• Bump the npm_and_yarn group across 4 directories with 20 updates by @dependabot[bot] in #187
• Bump the npm_and_yarn group across 4 directories with 20 updates by @dependabot[bot] in #189
• Bump the npm_and_yarn group across 3 directories with 11 updates by @dependabot[bot] in #193
• Bump the npm_and_yarn group across 2 directories with 1 update by @dependabot[bot] in #198
• Bump brace-expansion from 1.1.11 to 1.1.12 in /extractors/cds/tools in the npm_and_yarn group across 1 directory by @dependabot[bot] in #199
• Improve CQL Injection Query by @jeongsoolee09 in #200
• CDS Extractor Rewrite Phase 2 : Improve Performance and Precision by @data-douser in #195
• Add pull request template by @jeongsoolee09 in #202
• Enhance remote flow sources for CAP by @knewbury01 in #201
• Setup CDS extractor esbuild JS bundle by @data-douser in #203
• Move pull request template by @knewbury01 in #205
• CDS extractor : Implement retry for CDS compilation tasks by @data-douser in #209
• Improve CDS extractor workflow scripts by @data-douser in #212
• Add sensitive exposure split query by @knewbury01 in #207
• Restrict RemoteFlowSource of CAP to only some properties and method calls on it by @jeongsoolee09 in #208
• Update the dependencies to CodeQL CLI 2.22.2. by @lcartey in #210
• Bump all QL pack versions to 2.0.0 by @jeongsoolee09 in #214

New Contributors

• @jsinglet made their first contribution in #53
• @knewbury01 made their first contribution in #83
• @lcartey made their first contribution in #157
• @data-douser made their first contribution in #167
• @dependabot[bot] made their first contribution in #175

Full Changelog: v1.0.0...v2.0.0