hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #17366 from owen-mc/go/edit-release-change-notes

Browse Source 
Go: Remove threat models change note from 1.15.md
This commit is contained in:
Owen Mansel-Chan
2024-09-04 09:37:28 +01:00
committed by GitHub
parent 04f4039adc f5c195d830
commit 1e225d7c44
2 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
go/ql/lib/change-notes/2024-09-03-local-threat-models-file-environment.md Normal file
View File

@@ -0,0 +1,12 @@
---
category: minorAnalysis
---
* Local source models for reading and parsing environment variables have been added for the following libraries:
* os
* syscall
* github.com/caarlos0/env
* github.com/gobuffalo/envy
* github.com/hashicorp/go-envparse
* github.com/joho/godotenv
* github.com/kelseyhightower/envconfig
* Local source models have been added for the APIs which open files in the `io/fs`, `io/ioutil` and `os` packages in the Go standard library. You can optionally include threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).

12
go/ql/lib/change-notes/released/1.1.5.md
View File

@@ -1,17 +1,5 @@
## 1.1.5
### Minor Analysis Improvements
* Local source models for reading and parsing environment variables have been added for the following libraries:
- os
- syscall
- github.com/caarlos0/env
- github.com/gobuffalo/envy
- github.com/hashicorp/go-envparse
- github.com/joho/godotenv
- github.com/kelseyhightower/envconfig
* Local source models have been added for the APIs which open files in the `io/fs`, `io/ioutil` and `os` packages in the Go standard library. You can optionally include threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
### Bug Fixes
* Fixed an issue where `io/ioutil.WriteFile`'s non-path arguments incorrectly generated `go/path-injection` alerts when untrusted data was written to a file, or controlled the file's mode.