category minorAnalysis
  • The qualifiers of calls to readObject on any classes that implement java.io.ObjectInput are now recognised as sinks for java/unsafe-deserialization. Previously this was only the case for classes which extend java.io.ObjectInputStream.
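
The kind of call this note covers, next to a filtered form, as an added illustration (not code from CodeQL or its test suite). The class name, method names and sample data are hypothetical, and `ObjectInputFilter` assumes Java 9 or later.

```java
import java.io.*;
import java.util.ArrayList;

// Added illustration; all names here are hypothetical.
public class ObjectInputSinkExample {

    // Shape described in the note: the qualifier `in` is typed as the
    // java.io.ObjectInput interface, so ObjectInputStream never appears
    // at the readObject call site.
    static Object readUnfiltered(ObjectInput in) throws IOException, ClassNotFoundException {
        return in.readObject();
    }

    // Hardened shape: an allow-list filter is set on the stream before it is
    // used through the ObjectInput interface; only java.lang.String is accepted.
    static Object readFiltered(InputStream raw) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(raw);
        ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.lang.String;!*"));
        ObjectInput in = ois;
        return in.readObject();
    }

    // Constructed sample input: serialize a value in memory.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] allowed = serialize("hello");
        byte[] other = serialize(new ArrayList<String>());

        // Unfiltered: whatever serializable class the bytes name is instantiated.
        ObjectInput plain = new ObjectInputStream(new ByteArrayInputStream(other));
        System.out.println(readUnfiltered(plain).getClass());

        // Filtered: the String is returned, the ArrayList is refused.
        System.out.println(readFiltered(new ByteArrayInputStream(allowed)));
        try {
            readFiltered(new ByteArrayInputStream(other));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```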