Merge pull request #15416 from github/post-release-prep/codeql-cli-2.16.1

Post-release preparation for codeql-cli-2.16.1
2026-04-21 15:05:56 +02:00 · 2024-01-25 14:15:25 +00:00
parent fb11e4e14f d0b74c00fe
commit 10343dd822
157 changed files with 469 additions and 221 deletions
--- a/java/ql/automodel/src/CHANGELOG.md
+++ b/java/ql/automodel/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.0.13
+
+No user-facing changes.
+
 ## 0.0.12

 No user-facing changes.
--- a/java/ql/automodel/src/change-notes/released/0.0.13.md
+++ b/java/ql/automodel/src/change-notes/released/0.0.13.md
@@ -0,0 +1,3 @@
+## 0.0.13
+
+No user-facing changes.
--- a/java/ql/automodel/src/codeql-pack.release.yml
+++ b/java/ql/automodel/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.12
+lastReleaseVersion: 0.0.13
--- a/java/ql/automodel/src/qlpack.yml
+++ b/java/ql/automodel/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-automodel-queries
-version: 0.0.13-dev
+version: 0.0.14-dev
 groups:
    - java
    - automodel
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,29 @@
+## 0.8.7
+
+### New Features
+
+* Added a new library `semmle.code.java.security.Sanitizers` which contains a new sanitizer class `SimpleTypeSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
+* Converted definitions of `isBarrier` and sanitizer classes to use `SimpleTypeSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`.
+
+### Minor Analysis Improvements
+
+* Deleted many deprecated predicates and classes with uppercase `EJB`, `JMX`, `NFE`, `DNS` etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `semmle/code/java/security/OverlyLargeRangeQuery.qll`, `semmle/code/java/security/regexp/ExponentialBackTracking.qll`, `semmle/code/java/security/regexp/NfaUtils.qll`, and `semmle/code/java/security/regexp/NfaUtils.qll` files.
+* Improved models for `java.lang.Throwable` and `java.lang.Exception`, and the `valueOf` method of `java.lang.String`.
+* Added taint tracking for the following GSON methods:
+  * `com.google.gson.stream.JsonReader` constructor
+  * `com.google.gson.stream.JsonWriter` constructor
+  * `com.google.gson.JsonObject.getAsJsonArray`
+  * `com.google.gson.JsonObject.getAsJsonObject`
+  * `com.google.gson.JsonObject.getAsJsonPrimitive`
+  * `com.google.gson.JsonParser.parseReader`
+  * `com.google.gson.JsonParser.parseString`
+* Added a dataflow model for `java.awt.Desktop.browse(URI)`.
+
+### Bug Fixes
+
+* Fixed regular expressions containing flags not being parsed correctly in some cases.
+
 ## 0.8.6

 ### Deprecated APIs
--- a/java/ql/lib/change-notes/2023-12-21-new-models.md
+++ b/java/ql/lib/change-notes/2023-12-21-new-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added a dataflow model for `java.awt.Desktop.browse(URI)`.
--- a/java/ql/lib/change-notes/2024-01-02-gson-model-updates.md
+++ b/java/ql/lib/change-notes/2024-01-02-gson-model-updates.md
@@ -1,11 +0,0 @@
---
-category: minorAnalysis
---
-* Added taint tracking for the following GSON methods:
-  * `com.google.gson.stream.JsonReader` constructor
-  * `com.google.gson.stream.JsonWriter` constructor
-  * `com.google.gson.JsonObject.getAsJsonArray`
-  * `com.google.gson.JsonObject.getAsJsonObject`
-  * `com.google.gson.JsonObject.getAsJsonPrimitive`
-  * `com.google.gson.JsonParser.parseReader`
-  * `com.google.gson.JsonParser.parseString`
--- a/java/ql/lib/change-notes/2024-01-06-regex-flag-parsing.md
+++ b/java/ql/lib/change-notes/2024-01-06-regex-flag-parsing.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Fixed regular expressions containing flags not being parsed correctly in some cases.
--- a/java/ql/lib/change-notes/2024-01-10-new-jdk-models.md
+++ b/java/ql/lib/change-notes/2024-01-10-new-jdk-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Improved models for `java.lang.Throwable` and `java.lang.Exception`, and the `valueOf` method of `java.lang.String`.
--- a/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md
+++ b/java/ql/lib/change-notes/2024-01-20-introduce-simplescalarsanitizer-class-for-common-sanitizer.md
@@ -1,5 +0,0 @@
---
-category: feature
---
-* Added a new library `semmle.code.java.security.Sanitizers` which contains a new sanitizer class `SimpleTypeSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
-* Converted definitions of `isBarrier` and sanitizer classes to use `SimpleTypeSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`.
--- a/java/ql/lib/change-notes/2024-01-22-outdated-deprecations.md
+++ b/java/ql/lib/change-notes/2024-01-22-outdated-deprecations.md
@@ -1,5 +0,0 @@
---
-category: minorAnalysis
---
-* Deleted many deprecated predicates and classes with uppercase `EJB`, `JMX`, `NFE`, `DNS` etc. in their names. Use the PascalCased versions instead.
-* Deleted the deprecated `semmle/code/java/security/OverlyLargeRangeQuery.qll`, `semmle/code/java/security/regexp/ExponentialBackTracking.qll`, `semmle/code/java/security/regexp/NfaUtils.qll`, and `semmle/code/java/security/regexp/NfaUtils.qll` files.
--- a/java/ql/lib/change-notes/released/0.8.7.md
+++ b/java/ql/lib/change-notes/released/0.8.7.md
@@ -0,0 +1,25 @@
+## 0.8.7
+
+### New Features
+
+* Added a new library `semmle.code.java.security.Sanitizers` which contains a new sanitizer class `SimpleTypeSanitizer`, which represents nodes which cannot realistically carry taint for most queries (e.g. primitives, their boxed equivalents, and numeric types).
+* Converted definitions of `isBarrier` and sanitizer classes to use `SimpleTypeSanitizer` instead of checking if `node.getType()` is `PrimitiveType` or `BoxedType`.
+
+### Minor Analysis Improvements
+
+* Deleted many deprecated predicates and classes with uppercase `EJB`, `JMX`, `NFE`, `DNS` etc. in their names. Use the PascalCased versions instead.
+* Deleted the deprecated `semmle/code/java/security/OverlyLargeRangeQuery.qll`, `semmle/code/java/security/regexp/ExponentialBackTracking.qll`, `semmle/code/java/security/regexp/NfaUtils.qll`, and `semmle/code/java/security/regexp/NfaUtils.qll` files.
+* Improved models for `java.lang.Throwable` and `java.lang.Exception`, and the `valueOf` method of `java.lang.String`.
+* Added taint tracking for the following GSON methods:
+  * `com.google.gson.stream.JsonReader` constructor
+  * `com.google.gson.stream.JsonWriter` constructor
+  * `com.google.gson.JsonObject.getAsJsonArray`
+  * `com.google.gson.JsonObject.getAsJsonObject`
+  * `com.google.gson.JsonObject.getAsJsonPrimitive`
+  * `com.google.gson.JsonParser.parseReader`
+  * `com.google.gson.JsonParser.parseString`
+* Added a dataflow model for `java.awt.Desktop.browse(URI)`.
+
+### Bug Fixes
+
+* Fixed regular expressions containing flags not being parsed correctly in some cases.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.6
+lastReleaseVersion: 0.8.7
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.8.7-dev
+version: 0.8.8-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 0.8.7
+
+### New Queries
+
+* Added the `java/exec-tainted-environment` query, to detect the injection of environment variables names or values from remote input.
+
+### Minor Analysis Improvements
+
+* A manual neutral summary model for a callable now blocks all generated summary models for that callable from having any effect.
+
 ## 0.8.6

 ### Deprecated Queries
--- a/java/ql/src/change-notes/2024-01-09-environment-variable-injection-query.md
+++ b/java/ql/src/change-notes/2024-01-09-environment-variable-injection-query.md
@@ -1,5 +0,0 @@
---
-category: newQuery
---
-* Added the `java/exec-tainted-environment` query, to detect the injection of environment variables names or values from remote input.
-
--- a/java/ql/src/change-notes/2024-01-11-manual-neutral-model-blocks-generated-models.md
+++ b/java/ql/src/change-notes/2024-01-11-manual-neutral-model-blocks-generated-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* A manual neutral summary model for a callable now blocks all generated summary models for that callable from having any effect.
--- a/java/ql/src/change-notes/released/0.8.7.md
+++ b/java/ql/src/change-notes/released/0.8.7.md
@@ -0,0 +1,9 @@
+## 0.8.7
+
+### New Queries
+
+* Added the `java/exec-tainted-environment` query, to detect the injection of environment variables names or values from remote input.
+
+### Minor Analysis Improvements
+
+* A manual neutral summary model for a callable now blocks all generated summary models for that callable from having any effect.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.6
+lastReleaseVersion: 0.8.7
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.8.7-dev
+version: 0.8.8-dev
 groups:
  - java
  - queries