Skip to content

Commit

Permalink
Merge pull request #18211 from github/post-release-prep/codeql-cli-2.…
Browse files Browse the repository at this point in the history
…20.0

Post-release preparation for codeql-cli-2.20.0
  • Loading branch information
henrymercer authored Dec 4, 2024
2 parents 515c650 + cf71a15 commit ccfb32e
Show file tree
Hide file tree
Showing 154 changed files with 441 additions and 180 deletions.
10 changes: 10 additions & 0 deletions cpp/ql/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,13 @@
## 3.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Deprecated APIs

* The `NonThrowing` class (`semmle.code.cpp.models.interfaces.NonThrowing`) has been deprecated. Please use the `NonCppThrowingFunction` class instead.

## 2.1.1

No user-facing changes.
Expand Down
4 changes: 0 additions & 4 deletions cpp/ql/lib/change-notes/2024-11-18-throwing-functions.md

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
---
category: breaking
---
## 3.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Deprecated APIs

* The `NonThrowing` class (`semmle.code.cpp.models.interfaces.NonThrowing`) has been deprecated. Please use the `NonCppThrowingFunction` class instead.
2 changes: 1 addition & 1 deletion cpp/ql/lib/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.1.1
lastReleaseVersion: 3.0.0
2 changes: 1 addition & 1 deletion cpp/ql/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 2.1.2-dev
version: 3.0.1-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp
Expand Down
10 changes: 10 additions & 0 deletions cpp/ql/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,13 @@
## 1.3.0

### New Queries

* Added a new high-precision quality query, `cpp/guarded-free`, which detects useless NULL pointer checks before calls to `free`. A variation of this query was originally contributed as an [experimental query by @mario-campos](https://github.com/github/codeql/pull/16331).

### Minor Analysis Improvements

* The "Call to function with fewer arguments than declared parameters" query (`cpp/too-few-arguments`) query no longer produces results if the function has been implicitly declared.

## 1.2.7

No user-facing changes.
Expand Down
4 changes: 0 additions & 4 deletions cpp/ql/src/change-notes/2024-11-22-too-few-arguments.md

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
---
category: newQuery
---
## 1.3.0

### New Queries

* Added a new high-precision quality query, `cpp/guarded-free`, which detects useless NULL pointer checks before calls to `free`. A variation of this query was originally contributed as an [experimental query by @mario-campos](https://github.com/github/codeql/pull/16331).

### Minor Analysis Improvements

* The "Call to function with fewer arguments than declared parameters" query (`cpp/too-few-arguments`) query no longer produces results if the function has been implicitly declared.
2 changes: 1 addition & 1 deletion cpp/ql/src/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.2.7
lastReleaseVersion: 1.3.0
2 changes: 1 addition & 1 deletion cpp/ql/src/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.2.8-dev
version: 1.3.1-dev
groups:
- cpp
- queries
Expand Down
4 changes: 4 additions & 0 deletions csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
## 1.7.30

No user-facing changes.

## 1.7.29

No user-facing changes.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
## 1.7.30

No user-facing changes.
2 changes: 1 addition & 1 deletion csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.29
lastReleaseVersion: 1.7.30
2 changes: 1 addition & 1 deletion csharp/ql/campaigns/Solorigate/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.30-dev
version: 1.7.31-dev
groups:
- csharp
- solorigate
Expand Down
4 changes: 4 additions & 0 deletions csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
## 1.7.30

No user-facing changes.

## 1.7.29

No user-facing changes.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
## 1.7.30

No user-facing changes.
2 changes: 1 addition & 1 deletion csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.29
lastReleaseVersion: 1.7.30
2 changes: 1 addition & 1 deletion csharp/ql/campaigns/Solorigate/src/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.30-dev
version: 1.7.31-dev
groups:
- csharp
- solorigate
Expand Down
17 changes: 17 additions & 0 deletions csharp/ql/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,20 @@
## 4.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* Added support for data-flow through member accesses of objects with `dynamic` types.
* Only extract *public* and *protected* members from reference assemblies. This yields an approximate average speed-up of around 10% for extraction and query execution. Custom MaD rows using `Field`-based summaries may need to be changed to `SyntheticField`-based flows if they reference private fields.
* Added `Microsoft.AspNetCore.Components.NagivationManager::Uri` as a remote flow source, since this value may contain user-specified values.
* Added the following URI-parsing methods as summaries, as they may be tainted with user-specified values:
- `System.Web.HttpUtility::ParseQueryString`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery`
* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.

## 3.1.1

### Minor Analysis Improvements
Expand Down

This file was deleted.

This file was deleted.

4 changes: 0 additions & 4 deletions csharp/ql/lib/change-notes/2024-12-03-dynamic-field-flow.md

This file was deleted.

This file was deleted.

16 changes: 16 additions & 0 deletions csharp/ql/lib/change-notes/released/4.0.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
## 4.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* Added support for data-flow through member accesses of objects with `dynamic` types.
* Only extract *public* and *protected* members from reference assemblies. This yields an approximate average speed-up of around 10% for extraction and query execution. Custom MaD rows using `Field`-based summaries may need to be changed to `SyntheticField`-based flows if they reference private fields.
* Added `Microsoft.AspNetCore.Components.NagivationManager::Uri` as a remote flow source, since this value may contain user-specified values.
* Added the following URI-parsing methods as summaries, as they may be tainted with user-specified values:
- `System.Web.HttpUtility::ParseQueryString`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseQuery`
- `Microsoft.AspNetCore.WebUtilities.QueryHelpers::ParseNullableQuery`
* Added `js-interop` sinks for the `InvokeAsync` and `InvokeVoidAsync` methods of `Microsoft.JSInterop.IJSRuntime`, which can run arbitrary JavaScript.
2 changes: 1 addition & 1 deletion csharp/ql/lib/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 3.1.1
lastReleaseVersion: 4.0.0
2 changes: 1 addition & 1 deletion csharp/ql/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 3.1.2-dev
version: 4.0.1-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp
Expand Down
6 changes: 6 additions & 0 deletions csharp/ql/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
## 1.0.13

### Minor Analysis Improvements

* `csharp/diagnostic/database-quality` has been changed to exclude various property access expressions from database quality evaluation. The excluded property access expressions are expected to have no target callables even in manual or autobuilt databases.

## 1.0.12

No user-facing changes.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 1.0.13

### Minor Analysis Improvements

* `csharp/diagnostic/database-quality` has been changed to exclude various property access expressions from database quality evaluation. The excluded property access expressions are expected to have no target callables even in manual or autobuilt databases.
2 changes: 1 addition & 1 deletion csharp/ql/src/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.12
lastReleaseVersion: 1.0.13
2 changes: 1 addition & 1 deletion csharp/ql/src/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.0.13-dev
version: 1.0.14-dev
groups:
- csharp
- queries
Expand Down
4 changes: 4 additions & 0 deletions go/ql/consistency-queries/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
## 1.0.13

No user-facing changes.

## 1.0.12

No user-facing changes.
Expand Down
3 changes: 3 additions & 0 deletions go/ql/consistency-queries/change-notes/released/1.0.13.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
## 1.0.13

No user-facing changes.
2 changes: 1 addition & 1 deletion go/ql/consistency-queries/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.12
lastReleaseVersion: 1.0.13
2 changes: 1 addition & 1 deletion go/ql/consistency-queries/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.13-dev
version: 1.0.14-dev
groups:
- go
- queries
Expand Down
14 changes: 14 additions & 0 deletions go/ql/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,17 @@
## 3.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* A call to a method whose name starts with "Debug", "Error", "Fatal", "Info", "Log", "Output", "Panic", "Print", "Trace", "Warn" or "With" defined on an interface whose name ends in "logger" or "Logger" is now considered a LoggerCall. In particular, it is a sink for `go/clear-text-logging` and `go/log-injection`. This may lead to some more alerts in those queries.

### Bug Fixes

* Fixed a bug which meant that promoted fields and methods were missing when the embedded parent was not promoted due to a name clash.

## 2.1.3

### Minor Analysis Improvements
Expand Down

This file was deleted.

4 changes: 0 additions & 4 deletions go/ql/lib/change-notes/2024-11-20-heuristic-logging-sinks.md

This file was deleted.

13 changes: 13 additions & 0 deletions go/ql/lib/change-notes/released/3.0.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
## 3.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* A call to a method whose name starts with "Debug", "Error", "Fatal", "Info", "Log", "Output", "Panic", "Print", "Trace", "Warn" or "With" defined on an interface whose name ends in "logger" or "Logger" is now considered a LoggerCall. In particular, it is a sink for `go/clear-text-logging` and `go/log-injection`. This may lead to some more alerts in those queries.

### Bug Fixes

* Fixed a bug which meant that promoted fields and methods were missing when the embedded parent was not promoted due to a name clash.
2 changes: 1 addition & 1 deletion go/ql/lib/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.1.3
lastReleaseVersion: 3.0.0
2 changes: 1 addition & 1 deletion go/ql/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/go-all
version: 2.1.4-dev
version: 3.0.1-dev
groups: go
dbscheme: go.dbscheme
extractor: go
Expand Down
6 changes: 6 additions & 0 deletions go/ql/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
## 1.1.4

### Minor Analysis Improvements

* Added value flow models for functions in the `slices` package which do not involve the `iter` package.

## 1.1.3

No user-facing changes.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
## 1.1.4

### Minor Analysis Improvements

* Added value flow models for functions in the `slices` package which do not involve the `iter` package.
2 changes: 1 addition & 1 deletion go/ql/src/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.1.3
lastReleaseVersion: 1.1.4
2 changes: 1 addition & 1 deletion go/ql/src/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.1.4-dev
version: 1.1.5-dev
groups:
- go
- queries
Expand Down
10 changes: 10 additions & 0 deletions java/ql/lib/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,13 @@
## 5.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* Calling `coll.contains(x)` is now a taint sanitizer (for any query) for the value `x`, where `coll` is a collection of constants.

## 4.2.1

### Minor Analysis Improvements
Expand Down

This file was deleted.

Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
---
category: breaking
---
## 5.0.0

### Breaking Changes

* Deleted the old deprecated data flow API that was based on extending a configuration class. See https://github.blog/changelog/2023-08-14-new-dataflow-api-for-writing-custom-codeql-queries for instructions on migrating your queries to use the new API.

### Minor Analysis Improvements

* Calling `coll.contains(x)` is now a taint sanitizer (for any query) for the value `x`, where `coll` is a collection of constants.
2 changes: 1 addition & 1 deletion java/ql/lib/codeql-pack.release.yml
Original file line number Diff line number Diff line change
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 4.2.1
lastReleaseVersion: 5.0.0
2 changes: 1 addition & 1 deletion java/ql/lib/qlpack.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: codeql/java-all
version: 4.2.2-dev
version: 5.0.1-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java
Expand Down
8 changes: 8 additions & 0 deletions java/ql/src/CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,11 @@
## 1.1.10

### Minor Analysis Improvements

* Added SHA-384 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA-384.
* Added SHA3 to the list of secure hashing algorithms. As a result the `java/potentially-weak-cryptographic-algorithm` query should no longer flag up uses of SHA3.
* The `java/weak-cryptographic-algorithm` query has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. The `java/potentially-weak-cryptographic-algorithm` query has been updated to report these uses instead.

## 1.1.9

No user-facing changes.
Expand Down
Loading

0 comments on commit ccfb32e

Please sign in to comment.