Add change note and update qhelp

Author: smowton

java/change-notes/2021-08-10-gson-unsafe-deserialization.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query now recognizes deserialization using the `Gson` library.

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -15,7 +15,7 @@ may have unforeseen effects, such as the execution of arbitrary code.
 <p>
 There are many different serialization frameworks.  This query currently
 supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap,
-Jackson, Jabsorb, Jodd JSON, Flexjson and Java IO serialization through
+Jackson, Jabsorb, Jodd JSON, Flexjson, Gson and Java IO serialization through
 <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
@@ -113,6 +113,10 @@ Jodd JSON documentation on deserialization:
 RCE in Flexjson:
 <a href="https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html">Flexjson deserialization</a>.
 </li>
+<li>
+Android Intent deserialization vulnerabilities with GSON parser:
+<a href="https://blog.oversecured.com/Exploiting-memory-corruption-vulnerabilities-on-Android/#insecure-use-of-json-parsers">Insecure use of JSON parsers</a>.
+</li>
 </references>
 
 </qhelp>