diff --git a/actions/ql/lib/CHANGELOG.md b/actions/ql/lib/CHANGELOG.md
index 2b79e89d6d1..f677e631b4b 100644
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.4.38
+
+### Bug Fixes
+
+* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
+
 ## 0.4.37
 
 ### Minor Analysis Improvements
diff --git a/actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md b/actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md
deleted file mode 100644
index 8fbf902b6ee..00000000000
--- a/actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: fix
----
-* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
\ No newline at end of file
diff --git a/actions/ql/lib/change-notes/2026-06-15-permission_check.md b/actions/ql/lib/change-notes/2026-06-15-permission_check.md
deleted file mode 100644
index 6c918922239..00000000000
--- a/actions/ql/lib/change-notes/2026-06-15-permission_check.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: fix
----
-* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
\ No newline at end of file
diff --git a/actions/ql/lib/change-notes/released/0.4.38.md b/actions/ql/lib/change-notes/released/0.4.38.md
new file mode 100644
index 00000000000..5caaaed441b
--- /dev/null
+++ b/actions/ql/lib/change-notes/released/0.4.38.md
@@ -0,0 +1,6 @@
+## 0.4.38
+
+### Bug Fixes
+
+* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
diff --git a/actions/ql/lib/codeql-pack.release.yml b/actions/ql/lib/codeql-pack.release.yml
index df274514780..5b7b7bb1f33 100644
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.37
+lastReleaseVersion: 0.4.38
diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml
index 5d47e3f3d67..e76d300c761 100644
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.38-dev
+version: 0.4.38
 library: true
 warnOnImplicitThis: true
 dependencies:
diff --git a/actions/ql/src/CHANGELOG.md b/actions/ql/src/CHANGELOG.md
index cc99d741c50..d05f3336c09 100644
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.6.30
+
+### Query Metadata Changes
+
+* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
+
 ## 0.6.29
 
 ### Query Metadata Changes
diff --git a/actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md b/actions/ql/src/change-notes/released/0.6.30.md
similarity index 78%
rename from actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md
rename to actions/ql/src/change-notes/released/0.6.30.md
index cb082fc63a5..91d487c1752 100644
--- a/actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md
+++ b/actions/ql/src/change-notes/released/0.6.30.md
@@ -1,4 +1,5 @@
----
-category: queryMetadata
----
+## 0.6.30
+
+### Query Metadata Changes
+
 * The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
diff --git a/actions/ql/src/codeql-pack.release.yml b/actions/ql/src/codeql-pack.release.yml
index e785984cacc..14436232c24 100644
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.29
+lastReleaseVersion: 0.6.30
diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml
index 19187efb071..07b33838f87 100644
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.30-dev
+version: 0.6.30
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md
index 0b3413f9d3c..fd08c4404b0 100644
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,20 @@
+## 11.0.0
+
+### Breaking Changes
+
+* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
+* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
+* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
+* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
+* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
+* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
+* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
+* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
+* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.
+
 ## 10.2.0
 
 ### Deprecated APIs
diff --git a/cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md b/cpp/ql/lib/change-notes/released/11.0.0.md
similarity index 97%
rename from cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md
rename to cpp/ql/lib/change-notes/released/11.0.0.md
index 33ad83230d4..b631baa748b 100644
--- a/cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md
+++ b/cpp/ql/lib/change-notes/released/11.0.0.md
@@ -1,6 +1,7 @@
----
-category: breaking
----
+## 11.0.0
+
+### Breaking Changes
+
 * Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
 * Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
 * Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml
index a230efed2a4..e9866a9ab38 100644
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.2.0
+lastReleaseVersion: 11.0.0
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
index 6f63423d953..a94049121b5 100644
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.2.1-dev
+version: 11.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md
index e8a2af1383c..9d8877f2181 100644
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.6.5
+
+No user-facing changes.
+
 ## 1.6.4
 
 No user-facing changes.
diff --git a/cpp/ql/src/change-notes/released/1.6.5.md b/cpp/ql/src/change-notes/released/1.6.5.md
new file mode 100644
index 00000000000..44f1ca6de3e
--- /dev/null
+++ b/cpp/ql/src/change-notes/released/1.6.5.md
@@ -0,0 +1,3 @@
+## 1.6.5
+
+No user-facing changes.
diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml
index 1910e09d6a6..03153270557 100644
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.4
+lastReleaseVersion: 1.6.5
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
index 7f3df37c30a..070a7b2926a 100644
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.5-dev
+version: 1.6.5
 groups:
 - cpp
 - queries
diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
index 3ceb4374a77..e1fbde4a626 100644
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.69
+
+No user-facing changes.
+
 ## 1.7.68
 
 No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.69.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.69.md
new file mode 100644
index 00000000000..77e5690eb75
--- /dev/null
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.69.md
@@ -0,0 +1,3 @@
+## 1.7.69
+
+No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
index f737dfa0972..711f9a5b58f 100644
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.68
+lastReleaseVersion: 1.7.69
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
index 52172a7a189..22871294a83 100644
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.69-dev
+version: 1.7.69
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
index 3ceb4374a77..e1fbde4a626 100644
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.69
+
+No user-facing changes.
+
 ## 1.7.68
 
 No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.69.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.69.md
new file mode 100644
index 00000000000..77e5690eb75
--- /dev/null
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.69.md
@@ -0,0 +1,3 @@
+## 1.7.69
+
+No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
index f737dfa0972..711f9a5b58f 100644
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.68
+lastReleaseVersion: 1.7.69
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
index cf63a439518..436471955f8 100644
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.69-dev
+version: 1.7.69
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md
index a45a993832e..7987a729ec6 100644
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,19 @@
+## 7.0.0
+
+### Breaking Changes
+
+* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
+
+### Major Analysis Improvements
+
+* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
+
+### Minor Analysis Improvements
+
+* Improved property and indexer call target resolution for partially overridden properties and indexers.
+* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
+* Improved call target resolution for ref-return properties and indexers.
+
 ## 6.0.2
 
 ### Minor Analysis Improvements
diff --git a/csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md b/csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md
deleted file mode 100644
index d92d5fdf819..00000000000
--- a/csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved call target resolution for ref-return properties and indexers.
diff --git a/csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md b/csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md
deleted file mode 100644
index b5e81d9adb9..00000000000
--- a/csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
diff --git a/csharp/ql/lib/change-notes/2026-05-22-property-indexer-partial-override.md b/csharp/ql/lib/change-notes/2026-05-22-property-indexer-partial-override.md
deleted file mode 100644
index 4be78a49c1f..00000000000
--- a/csharp/ql/lib/change-notes/2026-05-22-property-indexer-partial-override.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved property and indexer call target resolution for partially overridden properties and indexers.
diff --git a/csharp/ql/lib/change-notes/2026-06-12-razor-page-handler-sources.md b/csharp/ql/lib/change-notes/2026-06-12-razor-page-handler-sources.md
deleted file mode 100644
index aca9d7631cd..00000000000
--- a/csharp/ql/lib/change-notes/2026-06-12-razor-page-handler-sources.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
diff --git a/csharp/ql/lib/change-notes/2026-06-12-restructure-operations.md b/csharp/ql/lib/change-notes/2026-06-12-restructure-operations.md
deleted file mode 100644
index 89459c5b981..00000000000
--- a/csharp/ql/lib/change-notes/2026-06-12-restructure-operations.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: breaking
----
-* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
diff --git a/csharp/ql/lib/change-notes/released/7.0.0.md b/csharp/ql/lib/change-notes/released/7.0.0.md
new file mode 100644
index 00000000000..3c1aabbfc4d
--- /dev/null
+++ b/csharp/ql/lib/change-notes/released/7.0.0.md
@@ -0,0 +1,15 @@
+## 7.0.0
+
+### Breaking Changes
+
+* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
+
+### Major Analysis Improvements
+
+* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
+
+### Minor Analysis Improvements
+
+* Improved property and indexer call target resolution for partially overridden properties and indexers.
+* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
+* Improved call target resolution for ref-return properties and indexers.
diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml
index 70437ec53b8..e0db21c7869 100644
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.0.2
+lastReleaseVersion: 7.0.0
diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml
index 638f9902642..bb064590667 100644
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 6.0.3-dev
+version: 7.0.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md
index 5c196df3614..2e316088da5 100644
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.5
+
+No user-facing changes.
+
 ## 1.7.4
 
 No user-facing changes.
diff --git a/csharp/ql/src/change-notes/released/1.7.5.md b/csharp/ql/src/change-notes/released/1.7.5.md
new file mode 100644
index 00000000000..f17d9279e0d
--- /dev/null
+++ b/csharp/ql/src/change-notes/released/1.7.5.md
@@ -0,0 +1,3 @@
+## 1.7.5
+
+No user-facing changes.
diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml
index f4f3a4d5120..83aebd7c12a 100644
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.4
+lastReleaseVersion: 1.7.5
diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml
index 378d02fee3f..0b112e385e9 100644
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.5-dev
+version: 1.7.5
 groups:
 - csharp
 - queries
diff --git a/go/ql/consistency-queries/CHANGELOG.md b/go/ql/consistency-queries/CHANGELOG.md
index 14258018aea..1b79dbf69e2 100644
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.52
+
+No user-facing changes.
+
 ## 1.0.51
 
 No user-facing changes.
diff --git a/go/ql/consistency-queries/change-notes/released/1.0.52.md b/go/ql/consistency-queries/change-notes/released/1.0.52.md
new file mode 100644
index 00000000000..a91f5a8025d
--- /dev/null
+++ b/go/ql/consistency-queries/change-notes/released/1.0.52.md
@@ -0,0 +1,3 @@
+## 1.0.52
+
+No user-facing changes.
diff --git a/go/ql/consistency-queries/codeql-pack.release.yml b/go/ql/consistency-queries/codeql-pack.release.yml
index 232dbe38ec8..ea1d2eed4d2 100644
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.51
+lastReleaseVersion: 1.0.52
diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml
index 6938858c6ba..53ca8acd9aa 100644
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.52-dev
+version: 1.0.52
 groups:
 - go
 - queries
diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md
index 0d5738ad029..29a5bfbf178 100644
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,20 @@
+## 7.2.0
+
+### Deprecated APIs
+
+* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
+
+### Minor Analysis Improvements
+
+* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
+ `*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
+ variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
+ `go/log-injection` and `go/clear-text-logging` queries cover code that logs
+ through `slog`.
+* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
+* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
+* More logging functions are now recognized as not returning or panicking.
+
 ## 7.1.2
 
 No user-facing changes.
diff --git a/go/ql/lib/change-notes/2026-06-01-non-returning-functions.md b/go/ql/lib/change-notes/2026-06-01-non-returning-functions.md
deleted file mode 100644
index c48b2f32f83..00000000000
--- a/go/ql/lib/change-notes/2026-06-01-non-returning-functions.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* More logging functions are now recognized as not returning or panicking.
diff --git a/go/ql/lib/change-notes/2026-06-08-deprecate-functypeexpr-getresultdecl.md b/go/ql/lib/change-notes/2026-06-08-deprecate-functypeexpr-getresultdecl.md
deleted file mode 100644
index 157fa33bf6a..00000000000
--- a/go/ql/lib/change-notes/2026-06-08-deprecate-functypeexpr-getresultdecl.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
diff --git a/go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md b/go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md
deleted file mode 100644
index a567dd4edda..00000000000
--- a/go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
diff --git a/go/ql/lib/change-notes/2026-06-08-functypeexpr-getnumresult.md b/go/ql/lib/change-notes/2026-06-08-functypeexpr-getnumresult.md
deleted file mode 100644
index 70564beef11..00000000000
--- a/go/ql/lib/change-notes/2026-06-08-functypeexpr-getnumresult.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
diff --git a/go/ql/lib/change-notes/2026-06-17-model-log-slog.md b/go/ql/lib/change-notes/2026-06-17-model-log-slog.md
deleted file mode 100644
index 06bba53a6ed..00000000000
--- a/go/ql/lib/change-notes/2026-06-17-model-log-slog.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-category: minorAnalysis
----
-* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
- `*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
- variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
- `go/log-injection` and `go/clear-text-logging` queries cover code that logs
- through `slog`.
diff --git a/go/ql/lib/change-notes/released/7.2.0.md b/go/ql/lib/change-notes/released/7.2.0.md
new file mode 100644
index 00000000000..0d3035c4a05
--- /dev/null
+++ b/go/ql/lib/change-notes/released/7.2.0.md
@@ -0,0 +1,16 @@
+## 7.2.0
+
+### Deprecated APIs
+
+* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
+
+### Minor Analysis Improvements
+
+* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
+ `*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
+ variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
+ `go/log-injection` and `go/clear-text-logging` queries cover code that logs
+ through `slog`.
+* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
+* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
+* More logging functions are now recognized as not returning or panicking.
diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml
index 547681cc440..fda9ea165fc 100644
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.2
+lastReleaseVersion: 7.2.0
diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml
index f17f45ae2ab..d8737a2eba2 100644
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.1.3-dev
+version: 7.2.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go
diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md
index c58883ee3c2..b74b08295b2 100644
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.6.5
+
+### Minor Analysis Improvements
+
+* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
+
 ## 1.6.4
 
 No user-facing changes.
diff --git a/go/ql/src/change-notes/2026-06-04-unhandled-writable-file-close.md b/go/ql/src/change-notes/released/1.6.5.md
similarity index 86%
rename from go/ql/src/change-notes/2026-06-04-unhandled-writable-file-close.md
rename to go/ql/src/change-notes/released/1.6.5.md
index f2da5d217f8..38a8f0a4028 100644
--- a/go/ql/src/change-notes/2026-06-04-unhandled-writable-file-close.md
+++ b/go/ql/src/change-notes/released/1.6.5.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 1.6.5
+
+### Minor Analysis Improvements
+
 * The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml
index 1910e09d6a6..03153270557 100644
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.4
+lastReleaseVersion: 1.6.5
diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml
index 3357004e466..4d435e70503 100644
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.5-dev
+version: 1.6.5
 groups:
 - go
 - queries
diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md
index 2e702064d7f..9a60d9f070e 100644
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 9.2.0
+
+### New Features
+
+* Kotlin 2.4.0 can now be analysed.
+
+### Minor Analysis Improvements
+
+* Improved modeling of Apache HttpClient `execute` method sinks for `java/ssrf` and `java/non-https-url`.
+
 ## 9.1.2
 
 ### Minor Analysis Improvements
diff --git a/java/ql/lib/change-notes/2026-06-04-kotlin-2.4.0.md b/java/ql/lib/change-notes/2026-06-04-kotlin-2.4.0.md
deleted file mode 100644
index b778a48148a..00000000000
--- a/java/ql/lib/change-notes/2026-06-04-kotlin-2.4.0.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Kotlin 2.4.0 can now be analysed.
diff --git a/java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md b/java/ql/lib/change-notes/released/9.2.0.md
similarity index 51%
rename from java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md
rename to java/ql/lib/change-notes/released/9.2.0.md
index d51f4897486..3df26b56dca 100644
--- a/java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md
+++ b/java/ql/lib/change-notes/released/9.2.0.md
@@ -1,4 +1,9 @@
----
-category: minorAnalysis
----
+## 9.2.0
+
+### New Features
+
+* Kotlin 2.4.0 can now be analysed.
+
+### Minor Analysis Improvements
+
 * Improved modeling of Apache HttpClient `execute` method sinks for `java/ssrf` and `java/non-https-url`.
diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml
index 1fd7d868f4e..8bc32f3e62a 100644
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.1.2
+lastReleaseVersion: 9.2.0
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
index 18948bf45f5..39392cceea5 100644
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.1.3-dev
+version: 9.2.0
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md
index e013e79ce9e..4e7c1a329c2 100644
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.11.5
+
+No user-facing changes.
+
 ## 1.11.4
 
 No user-facing changes.
diff --git a/java/ql/src/change-notes/released/1.11.5.md b/java/ql/src/change-notes/released/1.11.5.md
new file mode 100644
index 00000000000..bc8ea1d7829
--- /dev/null
+++ b/java/ql/src/change-notes/released/1.11.5.md
@@ -0,0 +1,3 @@
+## 1.11.5
+
+No user-facing changes.
diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml
index 813a925461f..d3dd29373b1 100644
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.11.4
+lastReleaseVersion: 1.11.5
diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml
index ac519484225..56f4305446b 100644
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.5-dev
+version: 1.11.5
 groups:
 - java
 - queries
diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md
index 6471aa3fe68..e3802a7686e 100644
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 2.8.0
+
+### New Features
+
+* Added `UseMemoDirective` and `UseNoMemoDirective` classes to model the React compiler directives `"use memo"` and `"use no memo"`.
+
+### Minor Analysis Improvements
+
+* Added more prompt-injection sinks for the OpenAI, Anthropic, and Google GenAI SDKs: OpenAI `videos.create`/`edit`/`extend`/`remix` (Sora) prompts and `beta.realtime.sessions.create` instructions, Anthropic legacy `completions.create` prompts, and Google GenAI `caches.create` cached contents and system instructions.
+* The OpenAI legacy `completions.create` prompt is now treated as a user-prompt-injection sink instead of a system-prompt-injection sink, since the legacy `/v1/completions` endpoint takes a single free-form prompt with no role separation.
+
 ## 2.7.2
 
 ### Minor Analysis Improvements
diff --git a/javascript/ql/lib/change-notes/2026-05-05-use-memo-directive.md b/javascript/ql/lib/change-notes/2026-05-05-use-memo-directive.md
deleted file mode 100644
index be95205c9ab..00000000000
--- a/javascript/ql/lib/change-notes/2026-05-05-use-memo-directive.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added `UseMemoDirective` and `UseNoMemoDirective` classes to model the React compiler directives `"use memo"` and `"use no memo"`.
diff --git a/javascript/ql/lib/change-notes/2026-06-18-prompt-injection-sinks.md b/javascript/ql/lib/change-notes/released/2.8.0.md
similarity index 74%
rename from javascript/ql/lib/change-notes/2026-06-18-prompt-injection-sinks.md
rename to javascript/ql/lib/change-notes/released/2.8.0.md
index 3ea46670acd..4060343bf0a 100644
--- a/javascript/ql/lib/change-notes/2026-06-18-prompt-injection-sinks.md
+++ b/javascript/ql/lib/change-notes/released/2.8.0.md
@@ -1,5 +1,10 @@
----
-category: minorAnalysis
----
+## 2.8.0
+
+### New Features
+
+* Added `UseMemoDirective` and `UseNoMemoDirective` classes to model the React compiler directives `"use memo"` and `"use no memo"`.
+
+### Minor Analysis Improvements
+
 * Added more prompt-injection sinks for the OpenAI, Anthropic, and Google GenAI SDKs: OpenAI `videos.create`/`edit`/`extend`/`remix` (Sora) prompts and `beta.realtime.sessions.create` instructions, Anthropic legacy `completions.create` prompts, and Google GenAI `caches.create` cached contents and system instructions.
 * The OpenAI legacy `completions.create` prompt is now treated as a user-prompt-injection sink instead of a system-prompt-injection sink, since the legacy `/v1/completions` endpoint takes a single free-form prompt with no role separation.
diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml
index 5160df7b1b7..8e0a6e07a08 100644
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.7.2
+lastReleaseVersion: 2.8.0
diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml
index 870ad58a1b8..d5e18e49051 100644
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.7.3-dev
+version: 2.8.0
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md
index b3a62befc5e..3da6a12390e 100644
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 2.4.0
+
+### New Queries
+
+* Added a new query, `js/system-prompt-injection`, to detect cases where untrusted, user-provided values flow into the system prompt of an AI model, allowing an attacker to manipulate the model's behavior.
+* Added a new experimental query, `javascript/ssrf-ipv6-transition-incomplete-guard`, to detect SSRF host-validation guards that reject private IPv4 ranges but fail to unwrap IPv6-transition forms (IPv4-mapped `::ffff:`, NAT64 `64:ff9b::`, 6to4 `2002::`), allowing the guard to be bypassed by wrapping an internal IPv4 address in a transition literal.
+
 ## 2.3.11
 
 No user-facing changes.
diff --git a/javascript/ql/src/change-notes/2026-06-08-new-system-prompt-injection-query.md b/javascript/ql/src/change-notes/2026-06-08-new-system-prompt-injection-query.md
deleted file mode 100644
index 1764a7cbc1a..00000000000
--- a/javascript/ql/src/change-notes/2026-06-08-new-system-prompt-injection-query.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: newQuery
----
-
-* Added a new query, `js/system-prompt-injection`, to detect cases where untrusted, user-provided values flow into the system prompt of an AI model, allowing an attacker to manipulate the model's behavior.
diff --git a/javascript/ql/src/change-notes/2026-06-06-ssrf-ipv6-transition-incomplete-guard.md b/javascript/ql/src/change-notes/released/2.4.0.md
similarity index 60%
rename from javascript/ql/src/change-notes/2026-06-06-ssrf-ipv6-transition-incomplete-guard.md
rename to javascript/ql/src/change-notes/released/2.4.0.md
index 35bd19acf46..21d82834f92 100644
--- a/javascript/ql/src/change-notes/2026-06-06-ssrf-ipv6-transition-incomplete-guard.md
+++ b/javascript/ql/src/change-notes/released/2.4.0.md
@@ -1,4 +1,6 @@
----
-category: newQuery
----
+## 2.4.0
+
+### New Queries
+
+* Added a new query, `js/system-prompt-injection`, to detect cases where untrusted, user-provided values flow into the system prompt of an AI model, allowing an attacker to manipulate the model's behavior.
 * Added a new experimental query, `javascript/ssrf-ipv6-transition-incomplete-guard`, to detect SSRF host-validation guards that reject private IPv4 ranges but fail to unwrap IPv6-transition forms (IPv4-mapped `::ffff:`, NAT64 `64:ff9b::`, 6to4 `2002::`), allowing the guard to be bypassed by wrapping an internal IPv4 address in a transition literal.
diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml
index 5ac091006e8..cb0ea3a249a 100644
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.3.11
+lastReleaseVersion: 2.4.0
diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml
index 09303bab573..ddc3eaa3817 100644
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.12-dev
+version: 2.4.0
 groups:
 - javascript
 - queries
diff --git a/misc/suite-helpers/CHANGELOG.md b/misc/suite-helpers/CHANGELOG.md
index 8f96c9ba8dd..b73e8234a5b 100644
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.52
+
+No user-facing changes.
+
 ## 1.0.51
 
 No user-facing changes.
diff --git a/misc/suite-helpers/change-notes/released/1.0.52.md b/misc/suite-helpers/change-notes/released/1.0.52.md
new file mode 100644
index 00000000000..a91f5a8025d
--- /dev/null
+++ b/misc/suite-helpers/change-notes/released/1.0.52.md
@@ -0,0 +1,3 @@
+## 1.0.52
+
+No user-facing changes.
diff --git a/misc/suite-helpers/codeql-pack.release.yml b/misc/suite-helpers/codeql-pack.release.yml
index 232dbe38ec8..ea1d2eed4d2 100644
--- a/misc/suite-helpers/codeql-pack.release.yml
+++ b/misc/suite-helpers/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.51
+lastReleaseVersion: 1.0.52
diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml
index 7ac4b0e1dc3..a3699af86ca 100644
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.52-dev
+version: 1.0.52
 groups: shared
 warnOnImplicitThis: true
diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md
index 99e46d2808a..7d4f024be7a 100644
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,16 @@
+## 7.2.0
+
+### Deprecated APIs
+
+* The `Function.getAReturnValueFlowNode()` predicate has been deprecated. Bind a `Return` node explicitly instead — `exists(Return ret | ret.getScope() = f and n.getNode() = ret.getValue())`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.
+* The `AstNode.getAFlowNode()` predicate has been deprecated. Use `ControlFlowNode.getNode()` from the other direction instead: replace `e.getAFlowNode() = n` with `n.getNode() = e`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.
+
+### Minor Analysis Improvements
+
+* Python type tracking now follows values stored in instance attributes such as `self.attr` across instance methods, including across a class hierarchy (for example, a value stored on `self.attr` in a base class and read in a subclass, or vice versa). As a result, analysis is more likely to recognize user-defined objects that are stored on `self` and used later in other methods, which may produce additional results.
+* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.
+* Python taint tracking is now more precise for values flowing through container contents, such as list, set, tuple, and dictionary elements. This may remove some false positive alerts.
+
 ## 7.1.2
 
 ### Minor Analysis Improvements
diff --git a/python/ql/lib/change-notes/2026-05-19-deprecate-getAFlowNode.md b/python/ql/lib/change-notes/2026-05-19-deprecate-getAFlowNode.md
deleted file mode 100644
index fc224f063f4..00000000000
--- a/python/ql/lib/change-notes/2026-05-19-deprecate-getAFlowNode.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: deprecated
----
-* The `AstNode.getAFlowNode()` predicate has been deprecated. Use `ControlFlowNode.getNode()` from the other direction instead: replace `e.getAFlowNode() = n` with `n.getNode() = e`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.
-
diff --git a/python/ql/lib/change-notes/2026-05-28-remove-imprecise-containter-steps.md b/python/ql/lib/change-notes/2026-05-28-remove-imprecise-containter-steps.md
deleted file mode 100644
index 25c664d6c05..00000000000
--- a/python/ql/lib/change-notes/2026-05-28-remove-imprecise-containter-steps.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Python taint tracking is now more precise for values flowing through container contents, such as list, set, tuple, and dictionary elements. This may remove some false positive alerts.
diff --git a/python/ql/lib/change-notes/2026-06-01-decorator-predicate-simplification.md b/python/ql/lib/change-notes/2026-06-01-decorator-predicate-simplification.md
deleted file mode 100644
index 44ee5b5ff80..00000000000
--- a/python/ql/lib/change-notes/2026-06-01-decorator-predicate-simplification.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.
diff --git a/python/ql/lib/change-notes/2026-06-01-deprecate-getAReturnValueFlowNode.md b/python/ql/lib/change-notes/2026-06-01-deprecate-getAReturnValueFlowNode.md
deleted file mode 100644
index 42c6cc60cea..00000000000
--- a/python/ql/lib/change-notes/2026-06-01-deprecate-getAReturnValueFlowNode.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `Function.getAReturnValueFlowNode()` predicate has been deprecated. Bind a `Return` node explicitly instead — `exists(Return ret | ret.getScope() = f and n.getNode() = ret.getValue())`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.
diff --git a/python/ql/lib/change-notes/2026-06-11-fix-type-tracking-instance-attributes.md b/python/ql/lib/change-notes/2026-06-11-fix-type-tracking-instance-attributes.md
deleted file mode 100644
index da7b752ad67..00000000000
--- a/python/ql/lib/change-notes/2026-06-11-fix-type-tracking-instance-attributes.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Python type tracking now follows values stored in instance attributes such as `self.attr` across instance methods, including across a class hierarchy (for example, a value stored on `self.attr` in a base class and read in a subclass, or vice versa). As a result, analysis is more likely to recognize user-defined objects that are stored on `self` and used later in other methods, which may produce additional results.
diff --git a/python/ql/lib/change-notes/released/7.2.0.md b/python/ql/lib/change-notes/released/7.2.0.md
new file mode 100644
index 00000000000..93c31d28ab1
--- /dev/null
+++ b/python/ql/lib/change-notes/released/7.2.0.md
@@ -0,0 +1,12 @@
+## 7.2.0
+
+### Deprecated APIs
+
+* The `Function.getAReturnValueFlowNode()` predicate has been deprecated. Bind a `Return` node explicitly instead — `exists(Return ret | ret.getScope() = f and n.getNode() = ret.getValue())`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.
+* The `AstNode.getAFlowNode()` predicate has been deprecated. Use `ControlFlowNode.getNode()` from the other direction instead: replace `e.getAFlowNode() = n` with `n.getNode() = e`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.
+
+### Minor Analysis Improvements
+
+* Python type tracking now follows values stored in instance attributes such as `self.attr` across instance methods, including across a class hierarchy (for example, a value stored on `self.attr` in a base class and read in a subclass, or vice versa). As a result, analysis is more likely to recognize user-defined objects that are stored on `self` and used later in other methods, which may produce additional results.
+* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.
+* Python taint tracking is now more precise for values flowing through container contents, such as list, set, tuple, and dictionary elements. This may remove some false positive alerts.
diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml
index 547681cc440..fda9ea165fc 100644
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.2
+lastReleaseVersion: 7.2.0
diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml
index 210e683a54f..a3dd754b209 100644
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.1.3-dev
+version: 7.2.0
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md
index 27698f1d3df..0c9c972e5fa 100644
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.8.5
+
+### Minor Analysis Improvements
+
+* The `py/modification-of-locals` query no longer flags modifications of a `locals()` dictionary that has been passed out of the scope in which `locals()` was called (for example, by passing it to another function or storing it in an instance attribute). In such cases the dictionary is used as an ordinary mapping and modifying it is meaningful, so these were false positives. The "modification has no effect" claim only applies within the scope that called `locals()`, which is now the only case reported.
+
 ## 1.8.4
 
 No user-facing changes.
diff --git a/python/ql/src/change-notes/2026-06-17-modification-of-locals-cross-scope.md b/python/ql/src/change-notes/released/1.8.5.md
similarity index 92%
rename from python/ql/src/change-notes/2026-06-17-modification-of-locals-cross-scope.md
rename to python/ql/src/change-notes/released/1.8.5.md
index 5a625a95511..1b8e94d2a5c 100644
--- a/python/ql/src/change-notes/2026-06-17-modification-of-locals-cross-scope.md
+++ b/python/ql/src/change-notes/released/1.8.5.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 1.8.5
+
+### Minor Analysis Improvements
+
 * The `py/modification-of-locals` query no longer flags modifications of a `locals()` dictionary that has been passed out of the scope in which `locals()` was called (for example, by passing it to another function or storing it in an instance attribute). In such cases the dictionary is used as an ordinary mapping and modifying it is meaningful, so these were false positives. The "modification has no effect" claim only applies within the scope that called `locals()`, which is now the only case reported.
diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml
index f2a60cd1327..75869ad94ec 100644
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.8.4
+lastReleaseVersion: 1.8.5
diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml
index 0eba954079e..d302c790d80 100644
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.8.5-dev
+version: 1.8.5
 groups:
 - python
 - queries
diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md
index d26bfa6f205..3e1ebc8c712 100644
--- a/ruby/ql/lib/CHANGELOG.md
+++ b/ruby/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 6.0.0
+
+### Breaking Changes
+
+* The `else` branch of a `case` expression is no longer represented as a `StmtSequence` directly. Instead, a new `CaseElseBranch` AST node wraps the body (a `StmtSequence`). `CaseExpr.getElseBranch()` now returns a `CaseElseBranch`, and the body of the else branch can be accessed via `CaseElseBranch.getBody()`.
+
 ## 5.2.2
 
 No user-facing changes.
diff --git a/ruby/ql/lib/change-notes/2026-06-15-case-else-branch.md b/ruby/ql/lib/change-notes/released/6.0.0.md
similarity index 90%
rename from ruby/ql/lib/change-notes/2026-06-15-case-else-branch.md
rename to ruby/ql/lib/change-notes/released/6.0.0.md
index a927f1e2c28..b3c3b67fb94 100644
--- a/ruby/ql/lib/change-notes/2026-06-15-case-else-branch.md
+++ b/ruby/ql/lib/change-notes/released/6.0.0.md
@@ -1,4 +1,5 @@
----
-category: breaking
----
+## 6.0.0
+
+### Breaking Changes
+
 * The `else` branch of a `case` expression is no longer represented as a `StmtSequence` directly. Instead, a new `CaseElseBranch` AST node wraps the body (a `StmtSequence`). `CaseExpr.getElseBranch()` now returns a `CaseElseBranch`, and the body of the else branch can be accessed via `CaseElseBranch.getBody()`.
diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml
index e3b1b0c079d..f8c4fa43ccb 100644
--- a/ruby/ql/lib/codeql-pack.release.yml
+++ b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.2.2
+lastReleaseVersion: 6.0.0
diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml
index 399564bdb33..381cf9c693c 100644
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 5.2.3-dev
+version: 6.0.0
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md
index 384ca633202..1df5dad19b5 100644
--- a/ruby/ql/src/CHANGELOG.md
+++ b/ruby/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.6.5
+
+No user-facing changes.
+
 ## 1.6.4
 
 No user-facing changes.
diff --git a/ruby/ql/src/change-notes/released/1.6.5.md b/ruby/ql/src/change-notes/released/1.6.5.md
new file mode 100644
index 00000000000..44f1ca6de3e
--- /dev/null
+++ b/ruby/ql/src/change-notes/released/1.6.5.md
@@ -0,0 +1,3 @@
+## 1.6.5
+
+No user-facing changes.
diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml
index 1910e09d6a6..03153270557 100644
--- a/ruby/ql/src/codeql-pack.release.yml
+++ b/ruby/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.4
+lastReleaseVersion: 1.6.5
diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml
index 72b0258fa30..63e1a8f2182 100644
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 1.6.5-dev
+version: 1.6.5
 groups:
 - ruby
 - queries
diff --git a/rust/ql/lib/CHANGELOG.md b/rust/ql/lib/CHANGELOG.md
index 3651026d737..d0ffbecc504 100644
--- a/rust/ql/lib/CHANGELOG.md
+++ b/rust/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.2.16
+
+No user-facing changes.
+
 ## 0.2.15
 
 ### Minor Analysis Improvements
diff --git a/rust/ql/lib/change-notes/released/0.2.16.md b/rust/ql/lib/change-notes/released/0.2.16.md
new file mode 100644
index 00000000000..0e384109cab
--- /dev/null
+++ b/rust/ql/lib/change-notes/released/0.2.16.md
@@ -0,0 +1,3 @@
+## 0.2.16
+
+No user-facing changes.
diff --git a/rust/ql/lib/codeql-pack.release.yml b/rust/ql/lib/codeql-pack.release.yml
index 0f574e080e4..2aa64d9ed07 100644
--- a/rust/ql/lib/codeql-pack.release.yml
+++ b/rust/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.15
+lastReleaseVersion: 0.2.16
diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml
index 931c069ad24..586eb2ae7f1 100644
--- a/rust/ql/lib/qlpack.yml
+++ b/rust/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rust-all
-version: 0.2.16-dev
+version: 0.2.16
 groups: rust
 extractor: rust
 dbscheme: rust.dbscheme
diff --git a/rust/ql/src/CHANGELOG.md b/rust/ql/src/CHANGELOG.md
index 4f4807ff82e..5b50934a5fc 100644
--- a/rust/ql/src/CHANGELOG.md
+++ b/rust/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.1.37
+
+No user-facing changes.
+
 ## 0.1.36
 
 No user-facing changes.
diff --git a/rust/ql/src/change-notes/released/0.1.37.md b/rust/ql/src/change-notes/released/0.1.37.md
new file mode 100644
index 00000000000..7e19340e948
--- /dev/null
+++ b/rust/ql/src/change-notes/released/0.1.37.md
@@ -0,0 +1,3 @@
+## 0.1.37
+
+No user-facing changes.
diff --git a/rust/ql/src/codeql-pack.release.yml b/rust/ql/src/codeql-pack.release.yml
index 270bd27a7aa..38d6184e74c 100644
--- a/rust/ql/src/codeql-pack.release.yml
+++ b/rust/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.36
+lastReleaseVersion: 0.1.37
diff --git a/rust/ql/src/qlpack.yml b/rust/ql/src/qlpack.yml
index 9ba6302ecc0..050798f9ac9 100644
--- a/rust/ql/src/qlpack.yml
+++ b/rust/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rust-queries
-version: 0.1.37-dev
+version: 0.1.37
 groups:
 - rust
 - queries
diff --git a/shared/concepts/CHANGELOG.md b/shared/concepts/CHANGELOG.md
index 787779674f0..5e5a0889e5d 100644
--- a/shared/concepts/CHANGELOG.md
+++ b/shared/concepts/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.0.26
+
+No user-facing changes.
+
 ## 0.0.25
 
 No user-facing changes.
diff --git a/shared/concepts/change-notes/released/0.0.26.md b/shared/concepts/change-notes/released/0.0.26.md
new file mode 100644
index 00000000000..e6dc680cc11
--- /dev/null
+++ b/shared/concepts/change-notes/released/0.0.26.md
@@ -0,0 +1,3 @@
+## 0.0.26
+
+No user-facing changes.
diff --git a/shared/concepts/codeql-pack.release.yml b/shared/concepts/codeql-pack.release.yml
index 6d0e80a50c3..c576d2d7db2 100644
--- a/shared/concepts/codeql-pack.release.yml
+++ b/shared/concepts/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.25
+lastReleaseVersion: 0.0.26
diff --git a/shared/concepts/qlpack.yml b/shared/concepts/qlpack.yml
index dd1f0280e79..78a8e0303bd 100644
--- a/shared/concepts/qlpack.yml
+++ b/shared/concepts/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/concepts
-version: 0.0.26-dev
+version: 0.0.26
 groups: shared
 library: true
 dependencies:
diff --git a/shared/controlflow/CHANGELOG.md b/shared/controlflow/CHANGELOG.md
index 8ac7faf2554..80735c7276d 100644
--- a/shared/controlflow/CHANGELOG.md
+++ b/shared/controlflow/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.0.36
+
+No user-facing changes.
+
 ## 2.0.35
 
 No user-facing changes.
diff --git a/shared/controlflow/change-notes/released/2.0.36.md b/shared/controlflow/change-notes/released/2.0.36.md
new file mode 100644
index 00000000000..8acdd12366e
--- /dev/null
+++ b/shared/controlflow/change-notes/released/2.0.36.md
@@ -0,0 +1,3 @@
+## 2.0.36
+
+No user-facing changes.
diff --git a/shared/controlflow/codeql-pack.release.yml b/shared/controlflow/codeql-pack.release.yml
index 27eb8ef8ece..7e4aaa0dd67 100644
--- a/shared/controlflow/codeql-pack.release.yml
+++ b/shared/controlflow/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.0.35
+lastReleaseVersion: 2.0.36
diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml
index b3518003b24..b95c5308f10 100644
--- a/shared/controlflow/qlpack.yml
+++ b/shared/controlflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/controlflow
-version: 2.0.36-dev
+version: 2.0.36
 groups: shared
 library: true
 dependencies:
diff --git a/shared/dataflow/CHANGELOG.md b/shared/dataflow/CHANGELOG.md
index b2cf75110ac..a1074cfcebb 100644
--- a/shared/dataflow/CHANGELOG.md
+++ b/shared/dataflow/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.1.8
+
+No user-facing changes.
+
 ## 2.1.7
 
 No user-facing changes.
diff --git a/shared/dataflow/change-notes/released/2.1.8.md b/shared/dataflow/change-notes/released/2.1.8.md
new file mode 100644
index 00000000000..81d5b413ddf
--- /dev/null
+++ b/shared/dataflow/change-notes/released/2.1.8.md
@@ -0,0 +1,3 @@
+## 2.1.8
+
+No user-facing changes.
diff --git a/shared/dataflow/codeql-pack.release.yml b/shared/dataflow/codeql-pack.release.yml
index cfa57a47251..93b985f46e1 100644
--- a/shared/dataflow/codeql-pack.release.yml
+++ b/shared/dataflow/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.1.7
+lastReleaseVersion: 2.1.8
diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml
index cdce161af7e..d7f25a4b249 100644
--- a/shared/dataflow/qlpack.yml
+++ b/shared/dataflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/dataflow
-version: 2.1.8-dev
+version: 2.1.8
 groups: shared
 library: true
 dependencies:
diff --git a/shared/mad/CHANGELOG.md b/shared/mad/CHANGELOG.md
index 6619a18079c..08494880152 100644
--- a/shared/mad/CHANGELOG.md
+++ b/shared/mad/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.52
+
+No user-facing changes.
+
 ## 1.0.51
 
 No user-facing changes.
diff --git a/shared/mad/change-notes/released/1.0.52.md b/shared/mad/change-notes/released/1.0.52.md
new file mode 100644
index 00000000000..a91f5a8025d
--- /dev/null
+++ b/shared/mad/change-notes/released/1.0.52.md
@@ -0,0 +1,3 @@
+## 1.0.52
+
+No user-facing changes.
diff --git a/shared/mad/codeql-pack.release.yml b/shared/mad/codeql-pack.release.yml
index 232dbe38ec8..ea1d2eed4d2 100644
--- a/shared/mad/codeql-pack.release.yml
+++ b/shared/mad/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.51
+lastReleaseVersion: 1.0.52
diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml
index 21a06e7cc4d..5e01e1e4f35 100644
--- a/shared/mad/qlpack.yml
+++ b/shared/mad/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/mad
-version: 1.0.52-dev
+version: 1.0.52
 groups: shared
 library: true
 dependencies:
diff --git a/shared/namebinding/CHANGELOG.md b/shared/namebinding/CHANGELOG.md
new file mode 100644
index 00000000000..59b60bad0f3
--- /dev/null
+++ b/shared/namebinding/CHANGELOG.md
@@ -0,0 +1,3 @@
+## 0.0.1
+
+No user-facing changes.
diff --git a/shared/namebinding/change-notes/released/0.0.1.md b/shared/namebinding/change-notes/released/0.0.1.md
new file mode 100644
index 00000000000..59b60bad0f3
--- /dev/null
+++ b/shared/namebinding/change-notes/released/0.0.1.md
@@ -0,0 +1,3 @@
+## 0.0.1
+
+No user-facing changes.
diff --git a/shared/namebinding/codeql-pack.release.yml b/shared/namebinding/codeql-pack.release.yml
new file mode 100644
index 00000000000..c6933410b71
--- /dev/null
+++ b/shared/namebinding/codeql-pack.release.yml
@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.1
diff --git a/shared/namebinding/qlpack.yml b/shared/namebinding/qlpack.yml
index 1bd12ee05dd..8c40ac07c31 100644
--- a/shared/namebinding/qlpack.yml
+++ b/shared/namebinding/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/namebinding
-version: 0.0.1-dev
+version: 0.0.1
 groups: shared
 library: true
 dependencies:
diff --git a/shared/quantum/CHANGELOG.md b/shared/quantum/CHANGELOG.md
index c8b656e4f35..1652285654a 100644
--- a/shared/quantum/CHANGELOG.md
+++ b/shared/quantum/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.0.30
+
+No user-facing changes.
+
 ## 0.0.29
 
 No user-facing changes.
diff --git a/shared/quantum/change-notes/released/0.0.30.md b/shared/quantum/change-notes/released/0.0.30.md
new file mode 100644
index 00000000000..10c7a0c5c13
--- /dev/null
+++ b/shared/quantum/change-notes/released/0.0.30.md
@@ -0,0 +1,3 @@
+## 0.0.30
+
+No user-facing changes.
diff --git a/shared/quantum/codeql-pack.release.yml b/shared/quantum/codeql-pack.release.yml
index c81f1813120..0c61b463bab 100644
--- a/shared/quantum/codeql-pack.release.yml
+++ b/shared/quantum/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.29
+lastReleaseVersion: 0.0.30
diff --git a/shared/quantum/qlpack.yml b/shared/quantum/qlpack.yml
index c430e4a69be..27ae4ab7ed2 100644
--- a/shared/quantum/qlpack.yml
+++ b/shared/quantum/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/quantum
-version: 0.0.30-dev
+version: 0.0.30
 groups: shared
 library: true
 dependencies:
diff --git a/shared/rangeanalysis/CHANGELOG.md b/shared/rangeanalysis/CHANGELOG.md
index a400a91f8c9..cc127126c92 100644
--- a/shared/rangeanalysis/CHANGELOG.md
+++ b/shared/rangeanalysis/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.52
+
+No user-facing changes.
+
 ## 1.0.51
 
 No user-facing changes.
diff --git a/shared/rangeanalysis/change-notes/released/1.0.52.md b/shared/rangeanalysis/change-notes/released/1.0.52.md
new file mode 100644
index 00000000000..a91f5a8025d
--- /dev/null
+++ b/shared/rangeanalysis/change-notes/released/1.0.52.md
@@ -0,0 +1,3 @@
+## 1.0.52
+
+No user-facing changes.
diff --git a/shared/rangeanalysis/codeql-pack.release.yml b/shared/rangeanalysis/codeql-pack.release.yml
index 232dbe38ec8..ea1d2eed4d2 100644
--- a/shared/rangeanalysis/codeql-pack.release.yml
+++ b/shared/rangeanalysis/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.51
+lastReleaseVersion: 1.0.52
diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml
index 7cecb52325f..7d1dcaeddea 100644
--- a/shared/rangeanalysis/qlpack.yml
+++ b/shared/rangeanalysis/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/rangeanalysis
-version: 1.0.52-dev
+version: 1.0.52
 groups: shared
 library: true
 dependencies:
diff --git a/shared/regex/CHANGELOG.md b/shared/regex/CHANGELOG.md
index c4b7fc6e87f..488896015d6 100644
--- a/shared/regex/CHANGELOG.md
+++ b/shared/regex/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.52
+
+No user-facing changes.
+
 ## 1.0.51
 
 No user-facing changes.
diff --git a/shared/regex/change-notes/released/1.0.52.md b/shared/regex/change-notes/released/1.0.52.md
new file mode 100644
index 00000000000..a91f5a8025d
--- /dev/null
+++ b/shared/regex/change-notes/released/1.0.52.md
@@ -0,0 +1,3 @@
+## 1.0.52
+
+No user-facing changes.
diff --git a/shared/regex/codeql-pack.release.yml b/shared/regex/codeql-pack.release.yml
index 232dbe38ec8..ea1d2eed4d2 100644
--- a/shared/regex/codeql-pack.release.yml
+++ b/shared/regex/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.51
+lastReleaseVersion: 1.0.52
diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml
index a1ec511b126..84307ddf1c6 100644
--- a/shared/regex/qlpack.yml
+++ b/shared/regex/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/regex
-version: 1.0.52-dev
+version: 1.0.52
 groups: shared
 library: true
 dependencies:
diff --git a/shared/ssa/CHANGELOG.md b/shared/ssa/CHANGELOG.md
index 9cfe68398b2..2348e9a484f 100644
--- a/shared/ssa/CHANGELOG.md
+++ b/shared/ssa/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.0.28
+
+No user-facing changes.
+
 ## 2.0.27
 
 No user-facing changes.
diff --git a/shared/ssa/change-notes/released/2.0.28.md b/shared/ssa/change-notes/released/2.0.28.md
new file mode 100644
index 00000000000..3f9412b6e63
--- /dev/null
+++ b/shared/ssa/change-notes/released/2.0.28.md
@@ -0,0 +1,3 @@
+## 2.0.28
+
+No user-facing changes.
diff --git a/shared/ssa/codeql-pack.release.yml b/shared/ssa/codeql-pack.release.yml
index a047558f018..ec5bd6ba369 100644
--- a/shared/ssa/codeql-pack.release.yml
+++ b/shared/ssa/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.0.27
+lastReleaseVersion: 2.0.28
diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml
index 9c14b9e6469..f377ac9a446 100644
--- a/shared/ssa/qlpack.yml
+++ b/shared/ssa/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ssa
-version: 2.0.28-dev
+version: 2.0.28
 groups: shared
 library: true
 dependencies:
diff --git a/shared/threat-models/CHANGELOG.md b/shared/threat-models/CHANGELOG.md
index 14258018aea..1b79dbf69e2 100644
--- a/shared/threat-models/CHANGELOG.md
+++ b/shared/threat-models/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.52
+
+No user-facing changes.
+
 ## 1.0.51
 
 No user-facing changes.
diff --git a/shared/threat-models/change-notes/released/1.0.52.md b/shared/threat-models/change-notes/released/1.0.52.md
new file mode 100644
index 00000000000..a91f5a8025d
--- /dev/null
+++ b/shared/threat-models/change-notes/released/1.0.52.md
@@ -0,0 +1,3 @@
+## 1.0.52
+
+No user-facing changes.
diff --git a/shared/threat-models/codeql-pack.release.yml b/shared/threat-models/codeql-pack.release.yml
index 232dbe38ec8..ea1d2eed4d2 100644
--- a/shared/threat-models/codeql-pack.release.yml
+++ b/shared/threat-models/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.51 +lastReleaseVersion: 1.0.52 diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index c7326273c65..66fd334702c 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.52-dev +version: 1.0.52 library: true groups: shared dataExtensions: diff --git a/shared/tutorial/CHANGELOG.md b/shared/tutorial/CHANGELOG.md index 9e78286a1a4..cb1a4642f73 100644 --- a/shared/tutorial/CHANGELOG.md +++ b/shared/tutorial/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.52 + +No user-facing changes. + ## 1.0.51 No user-facing changes. diff --git a/shared/tutorial/change-notes/released/1.0.52.md b/shared/tutorial/change-notes/released/1.0.52.md new file mode 100644 index 00000000000..a91f5a8025d --- /dev/null +++ b/shared/tutorial/change-notes/released/1.0.52.md @@ -0,0 +1,3 @@ +## 1.0.52 + +No user-facing changes. diff --git a/shared/tutorial/codeql-pack.release.yml b/shared/tutorial/codeql-pack.release.yml index 232dbe38ec8..ea1d2eed4d2 100644 --- a/shared/tutorial/codeql-pack.release.yml +++ b/shared/tutorial/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.51 +lastReleaseVersion: 1.0.52 diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index bb6eeeb2460..bd20c00aff1 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.52-dev +version: 1.0.52 groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/CHANGELOG.md b/shared/typeflow/CHANGELOG.md index e9334c9da8d..6e1c15f6a2a 100644 --- a/shared/typeflow/CHANGELOG.md +++ b/shared/typeflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.52 + +No user-facing changes. + ## 1.0.51 No user-facing changes. 
diff --git a/shared/typeflow/change-notes/released/1.0.52.md b/shared/typeflow/change-notes/released/1.0.52.md
new file mode 100644
index 00000000000..a91f5a8025d
--- /dev/null
+++ b/shared/typeflow/change-notes/released/1.0.52.md
@@ -0,0 +1,3 @@
+## 1.0.52
+
+No user-facing changes.
diff --git a/shared/typeflow/codeql-pack.release.yml b/shared/typeflow/codeql-pack.release.yml
index 232dbe38ec8..ea1d2eed4d2 100644
--- a/shared/typeflow/codeql-pack.release.yml
+++ b/shared/typeflow/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.51
+lastReleaseVersion: 1.0.52
diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml
index 9790bbcaeae..ea6c5bf4900 100644
--- a/shared/typeflow/qlpack.yml
+++ b/shared/typeflow/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/typeflow
-version: 1.0.52-dev
+version: 1.0.52
 groups: shared
 library: true
 dependencies:
diff --git a/shared/typeinference/CHANGELOG.md b/shared/typeinference/CHANGELOG.md
index 24dc81f3aa2..66b8fa3444b 100644
--- a/shared/typeinference/CHANGELOG.md
+++ b/shared/typeinference/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.0.33
+
+No user-facing changes.
+
 ## 0.0.32
 
 No user-facing changes.
diff --git a/shared/typeinference/change-notes/released/0.0.33.md b/shared/typeinference/change-notes/released/0.0.33.md
new file mode 100644
index 00000000000..0b46f1130fa
--- /dev/null
+++ b/shared/typeinference/change-notes/released/0.0.33.md
@@ -0,0 +1,3 @@
+## 0.0.33
+
+No user-facing changes.
diff --git a/shared/typeinference/codeql-pack.release.yml b/shared/typeinference/codeql-pack.release.yml
index 714fcfc1828..dff9e7f6ea9 100644
--- a/shared/typeinference/codeql-pack.release.yml
+++ b/shared/typeinference/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.32
+lastReleaseVersion: 0.0.33
diff --git a/shared/typeinference/qlpack.yml b/shared/typeinference/qlpack.yml
index ab43c330dcc..8fe69c97e66 100644
--- a/shared/typeinference/qlpack.yml
+++ b/shared/typeinference/qlpack.yml
@@ -1,5 +1,5 @@ name: codeql/typeinference -version: 0.0.33-dev +version: 0.0.33 groups: shared library: true dependencies: diff --git a/shared/typetracking/CHANGELOG.md b/shared/typetracking/CHANGELOG.md index e9b5492b0d8..8a7f7ab7014 100644 --- a/shared/typetracking/CHANGELOG.md +++ b/shared/typetracking/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.36 + +No user-facing changes. + ## 2.0.35 No user-facing changes. diff --git a/shared/typetracking/change-notes/released/2.0.36.md b/shared/typetracking/change-notes/released/2.0.36.md new file mode 100644 index 00000000000..8acdd12366e --- /dev/null +++ b/shared/typetracking/change-notes/released/2.0.36.md @@ -0,0 +1,3 @@ +## 2.0.36 + +No user-facing changes. diff --git a/shared/typetracking/codeql-pack.release.yml b/shared/typetracking/codeql-pack.release.yml index 27eb8ef8ece..7e4aaa0dd67 100644 --- a/shared/typetracking/codeql-pack.release.yml +++ b/shared/typetracking/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.35 +lastReleaseVersion: 2.0.36 diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index de6ff4c16c9..cc4c1abdae5 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typetracking -version: 2.0.36-dev +version: 2.0.36 groups: shared library: true dependencies: diff --git a/shared/typos/CHANGELOG.md b/shared/typos/CHANGELOG.md index dbafbea9b98..738e64b021c 100644 --- a/shared/typos/CHANGELOG.md +++ b/shared/typos/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.52 + +No user-facing changes. + ## 1.0.51 No user-facing changes. diff --git a/shared/typos/change-notes/released/1.0.52.md b/shared/typos/change-notes/released/1.0.52.md new file mode 100644 index 00000000000..a91f5a8025d --- /dev/null +++ b/shared/typos/change-notes/released/1.0.52.md @@ -0,0 +1,3 @@ +## 1.0.52 + +No user-facing changes. diff --git a/shared/typos/codeql-pack.release.yml b/shared/typos/codeql-pack.release.yml index 232dbe38ec8..ea1d2eed4d2 100644 
--- a/shared/typos/codeql-pack.release.yml +++ b/shared/typos/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.51 +lastReleaseVersion: 1.0.52 diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index 0b6aee6fd1c..2c485456cdd 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.52-dev +version: 1.0.52 groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/CHANGELOG.md b/shared/util/CHANGELOG.md index df741ed9d73..10b02218c5f 100644 --- a/shared/util/CHANGELOG.md +++ b/shared/util/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.39 + +No user-facing changes. + ## 2.0.38 No user-facing changes. diff --git a/shared/util/change-notes/released/2.0.39.md b/shared/util/change-notes/released/2.0.39.md new file mode 100644 index 00000000000..887d030df42 --- /dev/null +++ b/shared/util/change-notes/released/2.0.39.md @@ -0,0 +1,3 @@ +## 2.0.39 + +No user-facing changes. diff --git a/shared/util/codeql-pack.release.yml b/shared/util/codeql-pack.release.yml index 4ec9eb0980c..063a268e5f9 100644 --- a/shared/util/codeql-pack.release.yml +++ b/shared/util/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.38 +lastReleaseVersion: 2.0.39 diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index 2914785b146..a2b2e5a457e 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 2.0.39-dev +version: 2.0.39 groups: shared library: true dependencies: null diff --git a/shared/xml/CHANGELOG.md b/shared/xml/CHANGELOG.md index 685a8032d64..4a639c1f50f 100644 --- a/shared/xml/CHANGELOG.md +++ b/shared/xml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.52 + +No user-facing changes. + ## 1.0.51 No user-facing changes. diff --git a/shared/xml/change-notes/released/1.0.52.md b/shared/xml/change-notes/released/1.0.52.md new file mode 100644 index 00000000000..a91f5a8025d --- /dev/null 
+++ b/shared/xml/change-notes/released/1.0.52.md @@ -0,0 +1,3 @@ +## 1.0.52 + +No user-facing changes. diff --git a/shared/xml/codeql-pack.release.yml b/shared/xml/codeql-pack.release.yml index 232dbe38ec8..ea1d2eed4d2 100644 --- a/shared/xml/codeql-pack.release.yml +++ b/shared/xml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.51 +lastReleaseVersion: 1.0.52 diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index 0476610fda8..6398c282016 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.52-dev +version: 1.0.52 groups: shared library: true dependencies: diff --git a/shared/yaml/CHANGELOG.md b/shared/yaml/CHANGELOG.md index 4f57ee07cfa..69f699d7847 100644 --- a/shared/yaml/CHANGELOG.md +++ b/shared/yaml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.52 + +No user-facing changes. + ## 1.0.51 No user-facing changes. diff --git a/shared/yaml/change-notes/released/1.0.52.md b/shared/yaml/change-notes/released/1.0.52.md new file mode 100644 index 00000000000..a91f5a8025d --- /dev/null +++ b/shared/yaml/change-notes/released/1.0.52.md @@ -0,0 +1,3 @@ +## 1.0.52 + +No user-facing changes. diff --git a/shared/yaml/codeql-pack.release.yml b/shared/yaml/codeql-pack.release.yml index 232dbe38ec8..ea1d2eed4d2 100644 --- a/shared/yaml/codeql-pack.release.yml +++ b/shared/yaml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.51 +lastReleaseVersion: 1.0.52 diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index ae27690a3f9..1458b851b2a 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.52-dev +version: 1.0.52 groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/CHANGELOG.md b/swift/ql/lib/CHANGELOG.md index 1eb5afb48e7..1d75e0d4eb1 100644 --- a/swift/ql/lib/CHANGELOG.md +++ b/swift/ql/lib/CHANGELOG.md 
@@ -1,3 +1,7 @@ +## 6.7.1 + +No user-facing changes. + ## 6.7.0 ### Major Analysis Improvements diff --git a/swift/ql/lib/change-notes/released/6.7.1.md b/swift/ql/lib/change-notes/released/6.7.1.md new file mode 100644 index 00000000000..25234a20eda --- /dev/null +++ b/swift/ql/lib/change-notes/released/6.7.1.md @@ -0,0 +1,3 @@ +## 6.7.1 + +No user-facing changes. diff --git a/swift/ql/lib/codeql-pack.release.yml b/swift/ql/lib/codeql-pack.release.yml index 55a13d309e5..9512a723a32 100644 --- a/swift/ql/lib/codeql-pack.release.yml +++ b/swift/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 6.7.0 +lastReleaseVersion: 6.7.1 diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 960d679e6d9..c371ef64c15 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 6.7.1-dev +version: 6.7.1 groups: swift extractor: swift dbscheme: swift.dbscheme diff --git a/swift/ql/src/CHANGELOG.md b/swift/ql/src/CHANGELOG.md index 4e3b53c37b3..d185e3d5428 100644 --- a/swift/ql/src/CHANGELOG.md +++ b/swift/ql/src/CHANGELOG.md @@ -1,3 +1,9 @@ +## 1.3.5 + +### Minor Analysis Improvements + +* Fixed an issue where common usage patterns for `CryptoKit` weren't being recognized as hashing sinks for the `swift/weak-sensitive-data-hashing` and `swift/weak-password-hashing` queries. These queries may find additional results after this change. + ## 1.3.4 No user-facing changes. diff --git a/swift/ql/src/change-notes/2026-05-26-hashing-sinks.md b/swift/ql/src/change-notes/released/1.3.5.md similarity index 85% rename from swift/ql/src/change-notes/2026-05-26-hashing-sinks.md rename to swift/ql/src/change-notes/released/1.3.5.md index 92a2c1c3a06..c272a72df50 100644 --- a/swift/ql/src/change-notes/2026-05-26-hashing-sinks.md +++ b/swift/ql/src/change-notes/released/1.3.5.md 
@@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 1.3.5 + +### Minor Analysis Improvements + * Fixed an issue where common usage patterns for `CryptoKit` weren't being recognized as hashing sinks for the `swift/weak-sensitive-data-hashing` and `swift/weak-password-hashing` queries. These queries may find additional results after this change. diff --git a/swift/ql/src/codeql-pack.release.yml b/swift/ql/src/codeql-pack.release.yml index 8263ddf2c8b..1e1845ea66d 100644 --- a/swift/ql/src/codeql-pack.release.yml +++ b/swift/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.3.4 +lastReleaseVersion: 1.3.5 diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index 578456c089a..becbbca93e8 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.3.5-dev +version: 1.3.5 groups: - swift - queries