- Regular expression checks via annotation with
@javax.validation.constraints.Patternare now recognized as sanitizers forjava/path-injection. - Added summary and LLM-generated source and sink models for
org.apache.poi. - The first argument of the
urimethod ofWebClient$UriSpecinorg.springframework.web.reactive.function.clientis now considered a request forgery sink. Previously only the first arguments of theWebClient.createandWebClient$Builder.baseUrlmethods were considered. This may lead to more alerts for the queryjava/ssrf(Server-side request forgery).