- The C# control flow graph (CFG) implementation has been completely
rewritten. The CFG now includes additional nodes to more accurately represent
certain constructs. This also means that any existing code that implicitly
relies on very specific details about the CFG may need to be updated.
The CFG no longer uses splitting, which means that AST nodes now have a unique
CFG node representation.
Additionally, the following breaking changes have been made:
ControlFlow::Nodehas been renamed toControlFlowNode.ControlFlow::Nodeshas been renamed toControlFlowNodes.BasicBlock.getCallablehas been renamed toBasicBlock.getEnclosingCallable.BasicBlocks.qllhas been deleted.ControlFlowNode.getAstNodehas changed its meaning. The AST-to-CFG mapping remains one-to-many, but now for a different reason. It used to be because of splitting, but now it's because of additional "helper" CFG nodes. To get the (now canonical) CFG node for a given AST node, useControlFlowNode.asExpr()orControlFlowNode.asStmt()orControlFlowElement.getControlFlowNode()instead.
- The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc.
- Data flow barriers and barrier guards can now be added using data extensions. For more information see Customizing library models for C#.
- When resolving dependencies in
build-mode: none,dotnet restorenow explicitly receives reachable NuGet feeds configured innuget.configwhen feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.
- Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.
- C# 14: Added support for user-defined compound assignment operators.