Merge tag 'codeql-cli/latest'

Compatible with the latest released version of the CodeQL CLI

MODULE.bazel

@@ -15,7 +15,7 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "0.0.10")
-bazel_dep(name = "rules_go", version = "0.49.0")
+bazel_dep(name = "rules_go", version = "0.50.0")
 bazel_dep(name = "rules_pkg", version = "0.10.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.32.2")
@@ -153,7 +153,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.22.2")
+go_sdk.download(version = "1.23.1")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.4.2
+
+No user-facing changes.
+
 ## 1.4.1
 
 No user-facing changes.

cpp/ql/lib/change-notes/released/1.4.2.md

@@ -0,0 +1,3 @@
+## 1.4.2
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.4.1
+lastReleaseVersion: 1.4.2

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 1.4.1
+version: 1.4.2
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.2.2
+
+No user-facing changes.
+
 ## 1.2.1
 
 ### Minor Analysis Improvements

cpp/ql/src/change-notes/released/1.2.2.md

@@ -0,0 +1,3 @@
+## 1.2.2
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.2.1
+lastReleaseVersion: 1.2.2

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.2.1
+version: 1.2.2
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.24
+
+No user-facing changes.
+
 ## 1.7.23
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.24.md

@@ -0,0 +1,3 @@
+## 1.7.24
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.23
+lastReleaseVersion: 1.7.24

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.23
+version: 1.7.24
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.24
+
+No user-facing changes.
+
 ## 1.7.23
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.24.md

@@ -0,0 +1,3 @@
+## 1.7.24
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.23
+lastReleaseVersion: 1.7.24

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.23
+version: 1.7.24
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.2.0
+
+### New Features
+
+* C# support for `build-mode: none` is now out of beta, and generally available.
+
 ## 1.1.0
 
 ### Major Analysis Improvements

csharp/ql/lib/change-notes/released/1.2.0.md

@@ -0,0 +1,5 @@
+## 1.2.0
+
+### New Features
+
+* C# support for `build-mode: none` is now out of beta, and generally available.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.0
+lastReleaseVersion: 1.2.0

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 1.1.0
+version: 1.2.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.7
+
+No user-facing changes.
+
 ## 1.0.6
 
 ### Minor Analysis Improvements

csharp/ql/src/change-notes/released/1.0.7.md

@@ -0,0 +1,3 @@
+## 1.0.7
+
+No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.6
+lastReleaseVersion: 1.0.7

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.0.6
+version: 1.0.7
 groups:
   - csharp
   - queries

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.0.rst

@@ -75,8 +75,8 @@ C#
 *   The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called :code:`provenance` has been introduced, where the allowed values are :code:`manual` and :code:`generated`. The value used to indicate whether a model as been written by hand (:code:`manual`) or create by the CSV model generator (:code:`generated`).
 *   All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   The query :code:`java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.
 
@@ -134,8 +134,8 @@ JavaScript/TypeScript
 Minor Analysis Improvements
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   Added a flow step for :code:`String.valueOf` calls on tainted :code:`android.text.Editable` objects.
 
@@ -162,8 +162,8 @@ Golang
 
 *   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
 

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.1.rst

@@ -40,8 +40,8 @@ C#
 
 *   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/csharp-all` package.
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/java-all` package.
 
@@ -63,8 +63,8 @@ Ruby
 New Queries
 ~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   A new query "Improper verification of intent by broadcast receiver" (:code:`java/improper-intent-verification`) has been added.
     This query finds instances of Android :code:`BroadcastReceiver`\ s that don't verify the action string of received intents when registered to receive system intents.
@@ -80,8 +80,8 @@ C/C++
 
 *   :code:`AnalysedExpr::isNullCheck` and :code:`AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   Added data-flow models for :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.
 *   Added :code:`Modifier.isInline()`.
@@ -126,7 +126,7 @@ Python
 New Features
 ~~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   Added an :code:`ErrorType` class. An instance of this class will be used if an extractor is unable to extract a type, or if an up/downgrade script is unable to provide a type.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.2.rst

@@ -84,8 +84,8 @@ C/C++
 Minor Analysis Improvements
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   The JUnit5 version of :code:`AssertNotNull` is now recognized, which removes related false positives in the nullness queries.
 *   Added data flow models for :code:`java.util.Scanner`.
@@ -99,7 +99,7 @@ Ruby
 New Features
 ~~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   The QL predicate :code:`Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.3.rst

@@ -37,8 +37,8 @@ Query Packs
 Major Analysis Improvements
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   The query :code:`java/sensitive-log` has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.
 
@@ -55,16 +55,16 @@ Golang
 
 *   The query :code:`go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   The query :code:`java/path-injection` now recognises vulnerable APIs defined using the :code:`SinkModelCsv` class with the :code:`create-file` type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.
 
 New Queries
 ~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   A new query "Android :code:`WebView` that accepts all certificates" (:code:`java/improper-webview-certificate-validation`) has been added. This query finds implementations of :code:`WebViewClient`\ s that accept all certificates in the case of an SSL error.
 
@@ -82,8 +82,8 @@ C/C++
 Minor Analysis Improvements
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   Improved analysis of the Android class :code:`AsyncTask` so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps.
 *   Added a data-flow model for the :code:`setProperty` method of :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.4.rst

@@ -40,17 +40,17 @@ C#
 *   Added better support for the SQLite framework in the SQL injection query.
 *   File streams are now considered stored flow sources. For example, reading query elements from a file can lead to a Second Order SQL injection alert.
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   The query :code:`java/static-initialization-vector` no longer requires a :code:`Cipher` object to be initialized with :code:`ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added.
 *   Improved sanitizers for :code:`java/sensitive-log`, which removes some false positives and improves performance a bit.
 
 New Queries
 ~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   Added a new query, :code:`java/android/implicitly-exported-component`, to detect if components are implicitly exported in the Android manifest.
 *   A new query "Use of RSA algorithm without OAEP" (:code:`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme.
@@ -84,8 +84,8 @@ Ruby
 Query Metadata Changes
 ~~~~~~~~~~~~~~~~~~~~~~
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   The queries :code:`java/redos` and :code:`java/polynomial-redos` now have a tag for CWE-1333.
 
@@ -121,8 +121,8 @@ Golang
 *   Fixed data-flow to captured variable references.
 *   We now assume that if a channel-typed field is only referred to twice in the user codebase, once in a send operation and once in a receive, then data flows from the send to the receive statement. This enables finding some cross-goroutine flow.
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   Added new flow steps for the classes :code:`java.nio.file.Path` and :code:`java.nio.file.Paths`.
 *   The class :code:`AndroidFragment` now also models the Android Jetpack version of the :code:`Fragment` class (:code:`androidx.fragment.app.Fragment`).
@@ -161,8 +161,8 @@ C#
 *   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
     The old name still exists as a deprecated alias.
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
     The old name still exists as a deprecated alias.
@@ -204,8 +204,8 @@ C/C++
 *   Added support for getting the link targets of global and namespace variables.
 *   Added a :code:`BlockAssignExpr` class, which models a :code:`memcpy`\ -like operation used in compiler generated copy/move constructors and assignment operations.
 
-Java
-""""
+Java/Kotlin
+"""""""""""
 
 *   Added a new predicate, :code:`requiresPermissions`, in the :code:`AndroidComponentXmlElement` and :code:`AndroidApplicationXmlElement` classes to detect if the element has explicitly set a value for its :code:`android:permission` attribute.
 *   Added a new predicate, :code:`hasAnIntentFilterElement`, in the :code:`AndroidComponentXmlElement` class to detect if a component contains an intent filter element.