Merge branch 'main' into fix/path-injection-read-subkind

MarkLee131
2026-05-07 23:48:42 +08:00
committed by GitHub
234 changed files with 5646 additions and 257 deletions

46
Cargo.lock generated

@@ -240,9 +240,9 @@ dependencies = [
[[package]]
name = "cc"
version = "1.2.37"
version = "1.2.61"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44"
checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d"
dependencies = [
"find-msvc-tools",
"jobserver",
@@ -416,6 +416,7 @@ dependencies = [
"tree-sitter",
"tree-sitter-json",
"tree-sitter-ql",
"yeast",
"zstd",
]
@@ -754,9 +755,9 @@ dependencies = [
[[package]]
name = "find-msvc-tools"
version = "0.1.1"
version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d"
checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
[[package]]
name = "fixedbitset"
@@ -2853,9 +2854,9 @@ dependencies = [
[[package]]
name = "tree-sitter"
version = "0.25.9"
version = "0.26.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ccd2a058a86cfece0bf96f7cce1021efef9c8ed0e892ab74639173e5ed7a34fa"
checksum = "887bd495d0582c5e3e0d8ece2233666169fa56a9644d172fc22ad179ab2d0538"
dependencies = [
"cc",
"regex",
@@ -2891,6 +2892,16 @@ version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c4013970217383f67b18aef68f6fb2e8d409bc5755227092d32efb0422ba24b8"
[[package]]
name = "tree-sitter-python"
version = "0.23.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d065aaa27f3aaceaf60c1f0e0ac09e1cb9eb8ed28e7bcdaa52129cffc7f4b04"
dependencies = [
"cc",
"tree-sitter-language",
]
[[package]]
name = "tree-sitter-ql"
version = "0.23.1"
@@ -3367,6 +3378,29 @@ version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"
[[package]]
name = "yeast"
version = "0.1.0"
dependencies = [
"clap",
"serde",
"serde_json",
"serde_yaml",
"tree-sitter",
"tree-sitter-python",
"tree-sitter-ruby",
"yeast-macros",
]
[[package]]
name = "yeast-macros"
version = "0.1.0"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "yoke"
version = "0.8.0"


@@ -4,6 +4,8 @@
resolver = "2"
members = [
"shared/tree-sitter-extractor",
"shared/yeast",
"shared/yeast-macros",
"ruby/extractor",
"rust/extractor",
"rust/extractor/macros",


@@ -141,14 +141,16 @@ use_repo(
"vendor_ts__serde-1.0.228",
"vendor_ts__serde_json-1.0.145",
"vendor_ts__serde_with-3.14.1",
"vendor_ts__serde_yaml-0.9.34-deprecated",
"vendor_ts__syn-2.0.106",
"vendor_ts__toml-0.9.7",
"vendor_ts__tracing-0.1.41",
"vendor_ts__tracing-flame-0.2.0",
"vendor_ts__tracing-subscriber-0.3.20",
"vendor_ts__tree-sitter-0.25.9",
"vendor_ts__tree-sitter-0.26.8",
"vendor_ts__tree-sitter-embedded-template-0.25.0",
"vendor_ts__tree-sitter-json-0.24.8",
"vendor_ts__tree-sitter-python-0.23.6",
"vendor_ts__tree-sitter-ql-0.23.1",
"vendor_ts__tree-sitter-ruby-0.23.1",
"vendor_ts__triomphe-0.1.14",
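Review bot: The added `vendor_ts__serde_yaml-0.9.34-deprecated` entry pulls in a crate release whose own version string (`0.9.34+deprecated`, as spelled in the alias section of this commit) marks it as deprecated upstream, so fixes for parser defects should not be expected from that source. According to the Cargo.lock section the only visible consumer is the new `yeast` package; its manifest is not on this page, so whether the YAML it parses can come from outside the repository cannot be judged from here. I would either move `yeast` to a maintained YAML crate or record the decision next to the dependency declaration, for example `# serde_yaml is deprecated upstream (0.9.34+deprecated); replace, or document why it is acceptable here`. The `use_repo(` call starts and ends outside this hunk and the list looks tool-maintained, so that comment belongs in the `yeast` manifest rather than in this list.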


@@ -1,3 +1,7 @@
## 0.4.35
No user-facing changes.
## 0.4.34
### Minor Analysis Improvements


@@ -0,0 +1,3 @@
## 0.4.35
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.4.34
lastReleaseVersion: 0.4.35


@@ -1,5 +1,5 @@
name: codeql/actions-all
version: 0.4.35-dev
version: 0.4.36-dev
library: true
warnOnImplicitThis: true
dependencies:


@@ -1,3 +1,7 @@
## 0.6.27
No user-facing changes.
## 0.6.26
### Major Analysis Improvements
@@ -173,7 +177,7 @@ No user-facing changes.
* `actions/if-expression-always-true/critical`
* `actions/if-expression-always-true/high`
* `actions/unnecessary-use-of-advanced-config`
* The following query has been moved from the `code-scanning` suite to the `security-extended`
suite. Any existing alerts for this query will be closed automatically unless the analysis is
configured to use the `security-extended` suite.


@@ -0,0 +1,3 @@
## 0.6.27
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.26
lastReleaseVersion: 0.6.27


@@ -1,5 +1,5 @@
name: codeql/actions-queries
version: 0.6.27-dev
version: 0.6.28-dev
library: false
warnOnImplicitThis: true
groups: [actions, queries]


@@ -1,3 +1,14 @@
## 10.1.0
### New Features
* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).
### Minor Analysis Improvements
* Added taint flow models for the `Strsafe.h` header from the Windows SDK.
## 10.0.0
### Breaking Changes


@@ -1,4 +0,0 @@
---
category: feature
---
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).


@@ -1,4 +0,0 @@
---
category: feature
---
* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added taint flow models for the `Strsafe.h` header from the Windows SDK.


@@ -0,0 +1,10 @@
## 10.1.0
### New Features
* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).
### Minor Analysis Improvements
* Added taint flow models for the `Strsafe.h` header from the Windows SDK.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 10.0.0
lastReleaseVersion: 10.1.0


@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 10.0.1-dev
version: 10.1.1-dev
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp


@@ -1,3 +1,7 @@
## 1.6.2
No user-facing changes.
## 1.6.1
### Minor Analysis Improvements
@@ -366,7 +370,7 @@ No user-facing changes.
### Minor Analysis Improvements
* The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
* Added dataflow models for the `gettext` function variants.
* Added dataflow models for the `gettext` function variants.
## 0.9.4


@@ -0,0 +1,3 @@
## 1.6.2
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.6.1
lastReleaseVersion: 1.6.2


@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.6.2-dev
version: 1.6.3-dev
groups:
- cpp
- queries


@@ -1,3 +1,7 @@
## 1.7.66
No user-facing changes.
## 1.7.65
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.66
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.65
lastReleaseVersion: 1.7.66


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.66-dev
version: 1.7.67-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,7 @@
## 1.7.66
No user-facing changes.
## 1.7.65
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.66
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.65
lastReleaseVersion: 1.7.66


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.66-dev
version: 1.7.67-dev
groups:
- csharp
- solorigate


@@ -1,3 +1,42 @@
## 6.0.0
### Breaking Changes
* The C# control flow graph (CFG) implementation has been completely
rewritten. The CFG now includes additional nodes to more accurately represent
certain constructs. This also means that any existing code that implicitly
relies on very specific details about the CFG may need to be updated.
The CFG no longer uses splitting, which means that AST nodes now have a unique
CFG node representation.
Additionally, the following breaking changes have been made:
- `ControlFlow::Node` has been renamed to `ControlFlowNode`.
- `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
- `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
- `BasicBlocks.qll` has been deleted.
- `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
mapping remains one-to-many, but now for a different reason. It used to be
because of splitting, but now it's because of additional "helper" CFG
nodes. To get the (now canonical) CFG node for a given AST node, use
`ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
`ControlFlowElement.getControlFlowNode()` instead.
### Deprecated APIs
* The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc.
### New Features
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).
### Major Analysis Improvements
* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.
### Minor Analysis Improvements
* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.
* C# 14: Added support for user-defined compound assignment operators.
## 5.5.0
### Deprecated APIs


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* C# 14: Added support for user-defined compound assignment operators.


@@ -1,4 +0,0 @@
---
category: feature
---
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.


@@ -1,4 +0,0 @@
---
category: majorAnalysis
---
* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.


@@ -1,20 +0,0 @@
---
category: breaking
---
* The C# control flow graph (CFG) implementation has been completely
rewritten. The CFG now includes additional nodes to more accurately represent
certain constructs. This also means that any existing code that implicitly
relies on very specific details about the CFG may need to be updated.
The CFG no longer uses splitting, which means that AST nodes now have a unique
CFG node representation.
Additionally, the following breaking changes have been made:
- `ControlFlow::Node` has been renamed to `ControlFlowNode`.
- `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
- `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
- `BasicBlocks.qll` has been deleted.
- `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
mapping remains one-to-many, but now for a different reason. It used to be
because of splitting, but now it's because of additional "helper" CFG
nodes. To get the (now canonical) CFG node for a given AST node, use
`ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
`ControlFlowElement.getControlFlowNode()` instead.


@@ -1,4 +0,0 @@
---
category: deprecated
---
* The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc.


@@ -0,0 +1,38 @@
## 6.0.0
### Breaking Changes
* The C# control flow graph (CFG) implementation has been completely
rewritten. The CFG now includes additional nodes to more accurately represent
certain constructs. This also means that any existing code that implicitly
relies on very specific details about the CFG may need to be updated.
The CFG no longer uses splitting, which means that AST nodes now have a unique
CFG node representation.
Additionally, the following breaking changes have been made:
- `ControlFlow::Node` has been renamed to `ControlFlowNode`.
- `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
- `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
- `BasicBlocks.qll` has been deleted.
- `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
mapping remains one-to-many, but now for a different reason. It used to be
because of splitting, but now it's because of additional "helper" CFG
nodes. To get the (now canonical) CFG node for a given AST node, use
`ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
`ControlFlowElement.getControlFlowNode()` instead.
### Deprecated APIs
* The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc.
### New Features
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).
### Major Analysis Improvements
* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.
### Minor Analysis Improvements
* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.
* C# 14: Added support for user-defined compound assignment operators.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 5.5.0
lastReleaseVersion: 6.0.0


@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 5.5.1-dev
version: 6.0.1-dev
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp


@@ -1,3 +1,7 @@
## 1.7.2
No user-facing changes.
## 1.7.1
### Minor Analysis Improvements


@@ -0,0 +1,3 @@
## 1.7.2
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.1
lastReleaseVersion: 1.7.2


@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 1.7.2-dev
version: 1.7.3-dev
groups:
- csharp
- queries


@@ -1,3 +1,7 @@
## 1.0.49
No user-facing changes.
## 1.0.48
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.0.49
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.48
lastReleaseVersion: 1.0.49


@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 1.0.49-dev
version: 1.0.50-dev
groups:
- go
- queries


@@ -1,3 +1,9 @@
## 7.1.0
### New Features
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Go](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-go/).
## 7.0.6
No user-facing changes.


@@ -1,4 +1,5 @@
---
category: feature
---
## 7.1.0
### New Features
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Go](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-go/).


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 7.0.6
lastReleaseVersion: 7.1.0


@@ -1,5 +1,5 @@
name: codeql/go-all
version: 7.0.7-dev
version: 7.1.1-dev
groups: go
dbscheme: go.dbscheme
extractor: go


@@ -1,3 +1,7 @@
## 1.6.2
No user-facing changes.
## 1.6.1
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.6.2
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.6.1
lastReleaseVersion: 1.6.2


@@ -1,5 +1,5 @@
name: codeql/go-queries
version: 1.6.2-dev
version: 1.6.3-dev
groups:
- go
- queries


@@ -1,3 +1,18 @@
## 9.1.0
### New Features
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/).
### Minor Analysis Improvements
* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.
* The `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` queries now correctly recognize file separator appends using `+=`.
* The `java/path-injection` and `java/zipslip` queries now recognize `Path.toRealPath()` as a path normalization sanitizer, consistent with the existing treatment of `Path.normalize()` and `File.getCanonicalPath()`. This reduces false positives for code that uses the NIO.2 API for path canonicalization.
* The `java/sensitive-log` query now excludes additional common variable naming patterns that do not hold sensitive data, reducing false positives. This includes pagination/iteration tokens (`nextToken`, `pageToken`, `continuationToken`), token metadata (`tokenType`, `tokenEndpoint`, `tokenCount`), and secret metadata (`secretName`, `secretId`, `secretVersion`).
* The `java/sensitive-log` query now treats method calls whose names contain "encrypt", "hash", or "digest" as sanitizers, consistent with the existing treatment in `java/cleartext-storage-in-log`. This reduces false positives when sensitive data is hashed or encrypted before logging.
* The `java/trust-boundary-violation` query now recognizes regular expression checks (including `String.matches()` guards and `@javax.validation.constraints.Pattern` annotations) as sanitizers, consistent with the existing treatment of ESAPI validators. This reduces false positives when input is validated against a pattern before being stored in a session.
## 9.0.4
### Minor Analysis Improvements


@@ -1,4 +0,0 @@
---
category: feature
---
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/).


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `java/path-injection` and `java/zipslip` queries now recognize `Path.toRealPath()` as a path normalization sanitizer, consistent with the existing treatment of `Path.normalize()` and `File.getCanonicalPath()`. This reduces false positives for code that uses the NIO.2 API for path canonicalization.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `java/sensitive-log` query now excludes additional common variable naming patterns that do not hold sensitive data, reducing false positives. This includes pagination/iteration tokens (`nextToken`, `pageToken`, `continuationToken`), token metadata (`tokenType`, `tokenEndpoint`, `tokenCount`), and secret metadata (`secretName`, `secretId`, `secretVersion`).


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `java/sensitive-log` query now treats method calls whose names contain "encrypt", "hash", or "digest" as sanitizers, consistent with the existing treatment in `java/cleartext-storage-in-log`. This reduces false positives when sensitive data is hashed or encrypted before logging.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `java/trust-boundary-violation` query now recognizes regular expression checks (including `String.matches()` guards and `@javax.validation.constraints.Pattern` annotations) as sanitizers, consistent with the existing treatment of ESAPI validators. This reduces false positives when input is validated against a pattern before being stored in a session.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` queries now correctly recognize file separator appends using `+=`.


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.


@@ -0,0 +1,14 @@
## 9.1.0
### New Features
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/).
### Minor Analysis Improvements
* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.
* The `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` queries now correctly recognize file separator appends using `+=`.
* The `java/path-injection` and `java/zipslip` queries now recognize `Path.toRealPath()` as a path normalization sanitizer, consistent with the existing treatment of `Path.normalize()` and `File.getCanonicalPath()`. This reduces false positives for code that uses the NIO.2 API for path canonicalization.
* The `java/sensitive-log` query now excludes additional common variable naming patterns that do not hold sensitive data, reducing false positives. This includes pagination/iteration tokens (`nextToken`, `pageToken`, `continuationToken`), token metadata (`tokenType`, `tokenEndpoint`, `tokenCount`), and secret metadata (`secretName`, `secretId`, `secretVersion`).
* The `java/sensitive-log` query now treats method calls whose names contain "encrypt", "hash", or "digest" as sanitizers, consistent with the existing treatment in `java/cleartext-storage-in-log`. This reduces false positives when sensitive data is hashed or encrypted before logging.
* The `java/trust-boundary-violation` query now recognizes regular expression checks (including `String.matches()` guards and `@javax.validation.constraints.Pattern` annotations) as sanitizers, consistent with the existing treatment of ESAPI validators. This reduces false positives when input is validated against a pattern before being stored in a session.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 9.0.4
lastReleaseVersion: 9.1.0


@@ -1,5 +1,5 @@
name: codeql/java-all
version: 9.0.5-dev
version: 9.1.1-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java


@@ -1,3 +1,7 @@
## 1.11.2
No user-facing changes.
## 1.11.1
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.11.2
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.11.1
lastReleaseVersion: 1.11.2


@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 1.11.2-dev
version: 1.11.3-dev
groups:
- java
- queries


@@ -1,3 +1,10 @@
## 2.7.0
### New Features
* Added support for [`@vercel/node`](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions. Handlers are recognized via the `VercelRequest`/`VercelResponse` TypeScript parameter types, and standard security queries (`js/reflected-xss`, `js/request-forgery`, `js/sql-injection`, `js/command-line-injection`, etc.) now detect vulnerabilities in Vercel API route files.
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for JavaScript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).
## 2.6.28
No user-facing changes.


@@ -1,4 +0,0 @@
---
category: feature
---
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for JavaScript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).


@@ -1,4 +1,6 @@
---
category: feature
---
## 2.7.0
### New Features
* Added support for [`@vercel/node`](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions. Handlers are recognized via the `VercelRequest`/`VercelResponse` TypeScript parameter types, and standard security queries (`js/reflected-xss`, `js/request-forgery`, `js/sql-injection`, `js/command-line-injection`, etc.) now detect vulnerabilities in Vercel API route files.
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for JavaScript](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/).


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.6.28
lastReleaseVersion: 2.7.0


@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 2.6.29-dev
version: 2.7.1-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript


@@ -1,3 +1,7 @@
## 2.3.9
No user-facing changes.
## 2.3.8
### Minor Analysis Improvements


@@ -0,0 +1,3 @@
## 2.3.9
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 2.3.8
lastReleaseVersion: 2.3.9


@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 2.3.9-dev
version: 2.3.10-dev
groups:
- javascript
- queries


@@ -529,6 +529,18 @@ alias(
tags = ["manual"],
)
alias(
name = "serde_yaml-0.9.34+deprecated",
actual = "@vendor_ts__serde_yaml-0.9.34-deprecated//:serde_yaml",
tags = ["manual"],
)
alias(
name = "serde_yaml",
actual = "@vendor_ts__serde_yaml-0.9.34-deprecated//:serde_yaml",
tags = ["manual"],
)
alias(
name = "syn-2.0.106",
actual = "@vendor_ts__syn-2.0.106//:syn",
@@ -590,14 +602,14 @@ alias(
)
alias(
name = "tree-sitter-0.25.9",
actual = "@vendor_ts__tree-sitter-0.25.9//:tree_sitter",
name = "tree-sitter-0.26.8",
actual = "@vendor_ts__tree-sitter-0.26.8//:tree_sitter",
tags = ["manual"],
)
alias(
name = "tree-sitter",
actual = "@vendor_ts__tree-sitter-0.25.9//:tree_sitter",
actual = "@vendor_ts__tree-sitter-0.26.8//:tree_sitter",
tags = ["manual"],
)
@@ -625,6 +637,18 @@ alias(
tags = ["manual"],
)
alias(
name = "tree-sitter-python-0.23.6",
actual = "@vendor_ts__tree-sitter-python-0.23.6//:tree_sitter_python",
tags = ["manual"],
)
alias(
name = "tree-sitter-python",
actual = "@vendor_ts__tree-sitter-python-0.23.6//:tree_sitter_python",
tags = ["manual"],
)
alias(
name = "tree-sitter-ql-0.23.1",
actual = "@vendor_ts__tree-sitter-ql-0.23.1//:tree_sitter_ql",


@@ -96,9 +96,9 @@ rust_library(
"@rules_rust//rust/platform:x86_64-unknown-uefi": [],
"//conditions:default": ["@platforms//:incompatible"],
}),
version = "1.2.37",
version = "1.2.61",
deps = [
"@vendor_ts__find-msvc-tools-0.1.1//:find_msvc_tools",
"@vendor_ts__find-msvc-tools-0.1.9//:find_msvc_tools",
"@vendor_ts__jobserver-0.1.34//:jobserver",
"@vendor_ts__shlex-1.3.0//:shlex",
] + select({


@@ -93,5 +93,5 @@ rust_library(
"@rules_rust//rust/platform:x86_64-unknown-uefi": [],
"//conditions:default": ["@platforms//:incompatible"],
}),
version = "0.1.1",
version = "0.1.9",
)


@@ -154,7 +154,7 @@ cargo_build_script(
version = "0.1.2",
visibility = ["//visibility:private"],
deps = [
"@vendor_ts__cc-1.2.37//:cc",
"@vendor_ts__cc-1.2.61//:cc",
],
)


@@ -101,12 +101,12 @@ rust_library(
"@rules_rust//rust/platform:x86_64-unknown-uefi": [],
"//conditions:default": ["@platforms//:incompatible"],
}),
version = "0.25.9",
version = "0.26.8",
deps = [
"@vendor_ts__regex-1.11.3//:regex",
"@vendor_ts__regex-syntax-0.8.6//:regex_syntax",
"@vendor_ts__streaming-iterator-0.1.9//:streaming_iterator",
"@vendor_ts__tree-sitter-0.25.9//:build_script_build",
"@vendor_ts__tree-sitter-0.26.8//:build_script_build",
"@vendor_ts__tree-sitter-language-0.1.5//:tree_sitter_language",
],
)
@@ -164,10 +164,10 @@ cargo_build_script(
"noclippy",
"norustfmt",
],
version = "0.25.9",
version = "0.26.8",
visibility = ["//visibility:private"],
deps = [
"@vendor_ts__cc-1.2.37//:cc",
"@vendor_ts__cc-1.2.61//:cc",
"@vendor_ts__serde_json-1.0.145//:serde_json",
],
)


@@ -155,7 +155,7 @@ cargo_build_script(
version = "0.25.0",
visibility = ["//visibility:private"],
deps = [
"@vendor_ts__cc-1.2.37//:cc",
"@vendor_ts__cc-1.2.61//:cc",
],
)


@@ -155,7 +155,7 @@ cargo_build_script(
version = "0.24.8",
visibility = ["//visibility:private"],
deps = [
"@vendor_ts__cc-1.2.37//:cc",
"@vendor_ts__cc-1.2.61//:cc",
],
)


@@ -0,0 +1,166 @@
###############################################################################
# @generated
# DO NOT MODIFY: This file is auto-generated by a crate_universe tool. To
# regenerate this file, run the following:
#
# bazel run @@//misc/bazel/3rdparty:vendor_tree_sitter_extractors
###############################################################################
load(
"@rules_rust//cargo:defs.bzl",
"cargo_build_script",
"cargo_toml_env_vars",
)
load("@rules_rust//rust:defs.bzl", "rust_library")
package(default_visibility = ["//visibility:public"])
cargo_toml_env_vars(
name = "cargo_toml_env_vars",
src = "Cargo.toml",
)
rust_library(
name = "tree_sitter_python",
srcs = glob(
include = ["**/*.rs"],
allow_empty = True,
),
compile_data = glob(
include = ["**"],
allow_empty = True,
exclude = [
"**/* *",
".tmp_git_root/**/*",
"BUILD",
"BUILD.bazel",
"WORKSPACE",
"WORKSPACE.bazel",
],
),
crate_root = "bindings/rust/lib.rs",
edition = "2021",
rustc_env_files = [
":cargo_toml_env_vars",
],
rustc_flags = [
"--cap-lints=allow",
],
tags = [
"cargo-bazel",
"crate-name=tree-sitter-python",
"manual",
"noclippy",
"norustfmt",
],
target_compatible_with = select({
"@rules_rust//rust/platform:aarch64-apple-darwin": [],
"@rules_rust//rust/platform:aarch64-apple-ios": [],
"@rules_rust//rust/platform:aarch64-apple-ios-sim": [],
"@rules_rust//rust/platform:aarch64-linux-android": [],
"@rules_rust//rust/platform:aarch64-pc-windows-msvc": [],
"@rules_rust//rust/platform:aarch64-unknown-fuchsia": [],
"@rules_rust//rust/platform:aarch64-unknown-linux-gnu": [],
"@rules_rust//rust/platform:aarch64-unknown-nixos-gnu": [],
"@rules_rust//rust/platform:aarch64-unknown-nto-qnx710": [],
"@rules_rust//rust/platform:aarch64-unknown-uefi": [],
"@rules_rust//rust/platform:arm-unknown-linux-gnueabi": [],
"@rules_rust//rust/platform:arm-unknown-linux-musleabi": [],
"@rules_rust//rust/platform:armv7-linux-androideabi": [],
"@rules_rust//rust/platform:armv7-unknown-linux-gnueabi": [],
"@rules_rust//rust/platform:i686-apple-darwin": [],
"@rules_rust//rust/platform:i686-linux-android": [],
"@rules_rust//rust/platform:i686-pc-windows-msvc": [],
"@rules_rust//rust/platform:i686-unknown-freebsd": [],
"@rules_rust//rust/platform:i686-unknown-linux-gnu": [],
"@rules_rust//rust/platform:powerpc-unknown-linux-gnu": [],
"@rules_rust//rust/platform:riscv32imc-unknown-none-elf": [],
"@rules_rust//rust/platform:riscv64gc-unknown-linux-gnu": [],
"@rules_rust//rust/platform:riscv64gc-unknown-none-elf": [],
"@rules_rust//rust/platform:s390x-unknown-linux-gnu": [],
"@rules_rust//rust/platform:thumbv7em-none-eabi": [],
"@rules_rust//rust/platform:thumbv8m.main-none-eabi": [],
"@rules_rust//rust/platform:wasm32-unknown-emscripten": [],
"@rules_rust//rust/platform:wasm32-unknown-unknown": [],
"@rules_rust//rust/platform:wasm32-wasip1": [],
"@rules_rust//rust/platform:wasm32-wasip1-threads": [],
"@rules_rust//rust/platform:wasm32-wasip2": [],
"@rules_rust//rust/platform:x86_64-apple-darwin": [],
"@rules_rust//rust/platform:x86_64-apple-ios": [],
"@rules_rust//rust/platform:x86_64-linux-android": [],
"@rules_rust//rust/platform:x86_64-pc-windows-msvc": [],
"@rules_rust//rust/platform:x86_64-unknown-freebsd": [],
"@rules_rust//rust/platform:x86_64-unknown-fuchsia": [],
"@rules_rust//rust/platform:x86_64-unknown-linux-gnu": [],
"@rules_rust//rust/platform:x86_64-unknown-nixos-gnu": [],
"@rules_rust//rust/platform:x86_64-unknown-none": [],
"@rules_rust//rust/platform:x86_64-unknown-uefi": [],
"//conditions:default": ["@platforms//:incompatible"],
}),
version = "0.23.6",
deps = [
"@vendor_ts__tree-sitter-language-0.1.5//:tree_sitter_language",
"@vendor_ts__tree-sitter-python-0.23.6//:build_script_build",
],
)
cargo_build_script(
name = "_bs",
srcs = glob(
include = ["**/*.rs"],
allow_empty = True,
),
compile_data = glob(
include = ["**"],
allow_empty = True,
exclude = [
"**/* *",
"**/*.rs",
".tmp_git_root/**/*",
"BUILD",
"BUILD.bazel",
"WORKSPACE",
"WORKSPACE.bazel",
],
),
crate_name = "build_script_build",
crate_root = "bindings/rust/build.rs",
data = glob(
include = ["**"],
allow_empty = True,
exclude = [
"**/* *",
".tmp_git_root/**/*",
"BUILD",
"BUILD.bazel",
"WORKSPACE",
"WORKSPACE.bazel",
],
),
edition = "2021",
pkg_name = "tree-sitter-python",
rustc_env_files = [
":cargo_toml_env_vars",
],
rustc_flags = [
"--cap-lints=allow",
],
tags = [
"cargo-bazel",
"crate-name=tree-sitter-python",
"manual",
"noclippy",
"norustfmt",
],
version = "0.23.6",
visibility = ["//visibility:private"],
deps = [
"@vendor_ts__cc-1.2.61//:cc",
],
)
alias(
name = "build_script_build",
actual = ":_bs",
tags = ["manual"],
)


@@ -155,7 +155,7 @@ cargo_build_script(
version = "0.23.1",
visibility = ["//visibility:private"],
deps = [
"@vendor_ts__cc-1.2.37//:cc",
"@vendor_ts__cc-1.2.61//:cc",
],
)


@@ -155,7 +155,7 @@ cargo_build_script(
version = "0.23.1",
visibility = ["//visibility:private"],
deps = [
"@vendor_ts__cc-1.2.37//:cc",
"@vendor_ts__cc-1.2.61//:cc",
],
)


@@ -165,7 +165,7 @@ cargo_build_script(
version = "2.0.16+zstd.1.5.7",
visibility = ["//visibility:private"],
deps = [
"@vendor_ts__cc-1.2.37//:cc",
"@vendor_ts__cc-1.2.61//:cc",
"@vendor_ts__pkg-config-0.3.32//:pkg_config",
],
)


@@ -303,7 +303,7 @@ _NORMAL_DEPENDENCIES = {
"serde_json": Label("@vendor_ts__serde_json-1.0.145//:serde_json"),
"tracing": Label("@vendor_ts__tracing-0.1.41//:tracing"),
"tracing-subscriber": Label("@vendor_ts__tracing-subscriber-0.3.20//:tracing_subscriber"),
"tree-sitter": Label("@vendor_ts__tree-sitter-0.25.9//:tree_sitter"),
"tree-sitter": Label("@vendor_ts__tree-sitter-0.26.8//:tree_sitter"),
"tree-sitter-embedded-template": Label("@vendor_ts__tree-sitter-embedded-template-0.25.0//:tree_sitter_embedded_template"),
"tree-sitter-ruby": Label("@vendor_ts__tree-sitter-ruby-0.23.1//:tree_sitter_ruby"),
},
@@ -381,10 +381,28 @@ _NORMAL_DEPENDENCIES = {
"serde_json": Label("@vendor_ts__serde_json-1.0.145//:serde_json"),
"tracing": Label("@vendor_ts__tracing-0.1.41//:tracing"),
"tracing-subscriber": Label("@vendor_ts__tracing-subscriber-0.3.20//:tracing_subscriber"),
"tree-sitter": Label("@vendor_ts__tree-sitter-0.25.9//:tree_sitter"),
"tree-sitter": Label("@vendor_ts__tree-sitter-0.26.8//:tree_sitter"),
"zstd": Label("@vendor_ts__zstd-0.13.3//:zstd"),
},
},
"shared/yeast": {
_COMMON_CONDITION: {
"clap": Label("@vendor_ts__clap-4.5.48//:clap"),
"serde": Label("@vendor_ts__serde-1.0.228//:serde"),
"serde_json": Label("@vendor_ts__serde_json-1.0.145//:serde_json"),
"serde_yaml": Label("@vendor_ts__serde_yaml-0.9.34-deprecated//:serde_yaml"),
"tree-sitter": Label("@vendor_ts__tree-sitter-0.26.8//:tree_sitter"),
"tree-sitter-python": Label("@vendor_ts__tree-sitter-python-0.23.6//:tree_sitter_python"),
"tree-sitter-ruby": Label("@vendor_ts__tree-sitter-ruby-0.23.1//:tree_sitter_ruby"),
},
},
"shared/yeast-macros": {
_COMMON_CONDITION: {
"proc-macro2": Label("@vendor_ts__proc-macro2-1.0.101//:proc_macro2"),
"quote": Label("@vendor_ts__quote-1.0.41//:quote"),
"syn": Label("@vendor_ts__syn-2.0.106//:syn"),
},
},
}
_NORMAL_ALIASES = {
@@ -411,6 +429,14 @@ _NORMAL_ALIASES = {
_COMMON_CONDITION: {
},
},
"shared/yeast": {
_COMMON_CONDITION: {
},
},
"shared/yeast-macros": {
_COMMON_CONDITION: {
},
},
}
_NORMAL_DEV_DEPENDENCIES = {
@@ -431,6 +457,10 @@ _NORMAL_DEV_DEPENDENCIES = {
"tree-sitter-ql": Label("@vendor_ts__tree-sitter-ql-0.23.1//:tree_sitter_ql"),
},
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_NORMAL_DEV_ALIASES = {
@@ -448,6 +478,10 @@ _NORMAL_DEV_ALIASES = {
_COMMON_CONDITION: {
},
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_PROC_MACRO_DEPENDENCIES = {
@@ -463,6 +497,10 @@ _PROC_MACRO_DEPENDENCIES = {
},
"shared/tree-sitter-extractor": {
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_PROC_MACRO_ALIASES = {
@@ -478,6 +516,10 @@ _PROC_MACRO_ALIASES = {
},
"shared/tree-sitter-extractor": {
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_PROC_MACRO_DEV_DEPENDENCIES = {
@@ -493,6 +535,10 @@ _PROC_MACRO_DEV_DEPENDENCIES = {
},
"shared/tree-sitter-extractor": {
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_PROC_MACRO_DEV_ALIASES = {
@@ -510,6 +556,10 @@ _PROC_MACRO_DEV_ALIASES = {
_COMMON_CONDITION: {
},
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_BUILD_DEPENDENCIES = {
@@ -525,6 +575,10 @@ _BUILD_DEPENDENCIES = {
},
"shared/tree-sitter-extractor": {
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_BUILD_ALIASES = {
@@ -540,6 +594,10 @@ _BUILD_ALIASES = {
},
"shared/tree-sitter-extractor": {
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_BUILD_PROC_MACRO_DEPENDENCIES = {
@@ -555,6 +613,10 @@ _BUILD_PROC_MACRO_DEPENDENCIES = {
},
"shared/tree-sitter-extractor": {
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_BUILD_PROC_MACRO_ALIASES = {
@@ -570,6 +632,10 @@ _BUILD_PROC_MACRO_ALIASES = {
},
"shared/tree-sitter-extractor": {
},
"shared/yeast": {
},
"shared/yeast-macros": {
},
}
_CONDITIONS = {
@@ -923,12 +989,12 @@ def crate_repositories():
maybe(
http_archive,
name = "vendor_ts__cc-1.2.37",
sha256 = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44",
name = "vendor_ts__cc-1.2.61",
sha256 = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d",
type = "tar.gz",
urls = ["https://static.crates.io/crates/cc/1.2.37/download"],
strip_prefix = "cc-1.2.37",
build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cc-1.2.37.bazel"),
urls = ["https://static.crates.io/crates/cc/1.2.61/download"],
strip_prefix = "cc-1.2.61",
build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.cc-1.2.61.bazel"),
)
maybe(
@@ -1373,12 +1439,12 @@ def crate_repositories():
maybe(
http_archive,
name = "vendor_ts__find-msvc-tools-0.1.1",
sha256 = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d",
name = "vendor_ts__find-msvc-tools-0.1.9",
sha256 = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582",
type = "tar.gz",
urls = ["https://static.crates.io/crates/find-msvc-tools/0.1.1/download"],
strip_prefix = "find-msvc-tools-0.1.1",
build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.find-msvc-tools-0.1.1.bazel"),
urls = ["https://static.crates.io/crates/find-msvc-tools/0.1.9/download"],
strip_prefix = "find-msvc-tools-0.1.9",
build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.find-msvc-tools-0.1.9.bazel"),
)
maybe(
@@ -3363,12 +3429,12 @@ def crate_repositories():
maybe(
http_archive,
name = "vendor_ts__tree-sitter-0.25.9",
sha256 = "ccd2a058a86cfece0bf96f7cce1021efef9c8ed0e892ab74639173e5ed7a34fa",
name = "vendor_ts__tree-sitter-0.26.8",
sha256 = "887bd495d0582c5e3e0d8ece2233666169fa56a9644d172fc22ad179ab2d0538",
type = "tar.gz",
urls = ["https://static.crates.io/crates/tree-sitter/0.25.9/download"],
strip_prefix = "tree-sitter-0.25.9",
build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tree-sitter-0.25.9.bazel"),
urls = ["https://static.crates.io/crates/tree-sitter/0.26.8/download"],
strip_prefix = "tree-sitter-0.26.8",
build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tree-sitter-0.26.8.bazel"),
)
maybe(
@@ -3401,6 +3467,16 @@ def crate_repositories():
build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tree-sitter-language-0.1.5.bazel"),
)
maybe(
http_archive,
name = "vendor_ts__tree-sitter-python-0.23.6",
sha256 = "3d065aaa27f3aaceaf60c1f0e0ac09e1cb9eb8ed28e7bcdaa52129cffc7f4b04",
type = "tar.gz",
urls = ["https://static.crates.io/crates/tree-sitter-python/0.23.6/download"],
strip_prefix = "tree-sitter-python-0.23.6",
build_file = Label("//misc/bazel/3rdparty/tree_sitter_extractors_deps:BUILD.tree-sitter-python-0.23.6.bazel"),
)
maybe(
http_archive,
name = "vendor_ts__tree-sitter-ql-0.23.1",
@@ -4152,13 +4228,15 @@ def crate_repositories():
struct(repo = "vendor_ts__serde-1.0.228", is_dev_dep = False),
struct(repo = "vendor_ts__serde_json-1.0.145", is_dev_dep = False),
struct(repo = "vendor_ts__serde_with-3.14.1", is_dev_dep = False),
struct(repo = "vendor_ts__serde_yaml-0.9.34-deprecated", is_dev_dep = False),
struct(repo = "vendor_ts__syn-2.0.106", is_dev_dep = False),
struct(repo = "vendor_ts__toml-0.9.7", is_dev_dep = False),
struct(repo = "vendor_ts__tracing-0.1.41", is_dev_dep = False),
struct(repo = "vendor_ts__tracing-flame-0.2.0", is_dev_dep = False),
struct(repo = "vendor_ts__tracing-subscriber-0.3.20", is_dev_dep = False),
struct(repo = "vendor_ts__tree-sitter-0.25.9", is_dev_dep = False),
struct(repo = "vendor_ts__tree-sitter-0.26.8", is_dev_dep = False),
struct(repo = "vendor_ts__tree-sitter-embedded-template-0.25.0", is_dev_dep = False),
struct(repo = "vendor_ts__tree-sitter-python-0.23.6", is_dev_dep = False),
struct(repo = "vendor_ts__tree-sitter-ruby-0.23.1", is_dev_dep = False),
struct(repo = "vendor_ts__triomphe-0.1.14", is_dev_dep = False),
struct(repo = "vendor_ts__ungrammar-1.16.1", is_dev_dep = False),


@@ -1,3 +1,7 @@
## 1.0.49
No user-facing changes.
## 1.0.48
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.0.49
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.0.48
lastReleaseVersion: 1.0.49


@@ -1,4 +1,4 @@
name: codeql/suite-helpers
version: 1.0.49-dev
version: 1.0.50-dev
groups: shared
warnOnImplicitThis: true


@@ -1,3 +1,13 @@
## 7.1.0
### New Features
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Python](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-python/).
### Minor Analysis Improvements
- The Python extractor now supports unpacking in comprehensions, e.g. `[*x for x in nested]` (as defined in [PEP-798](https://peps.python.org/pep-0798/)) that will be part of Python 3.15.
## 7.0.5
### Minor Analysis Improvements


@@ -1,4 +0,0 @@
---
category: feature
---
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Python](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-python/).


@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
- The Python extractor now supports unpacking in comprehensions, e.g. `[*x for x in nested]` (as defined in [PEP-798](https://peps.python.org/pep-0798/)) that will be part of Python 3.15.


@@ -0,0 +1,9 @@
## 7.1.0
### New Features
* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Python](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-python/).
### Minor Analysis Improvements
- The Python extractor now supports unpacking in comprehensions, e.g. `[*x for x in nested]` (as defined in [PEP-798](https://peps.python.org/pep-0798/)) that will be part of Python 3.15.
