Merge branch 'main' into santander-java-crypto-check

2025-12-16 16:53:25 +01:00 · 2025-10-18 17:56:43 -04:00
parent c01c060476 66f95bcbcd
commit 2b683c210f
415 changed files with 13870 additions and 1146 deletions
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 6.0.0
+
+### Breaking Changes
+
+* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
+
+### New Features
+
+* C/C++ `build-mode: none` support is now generally available.
+
 ## 5.6.1

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2025-10-07-bmn-ga.md
+++ b/cpp/ql/lib/change-notes/2025-10-07-bmn-ga.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* The C/C++ "build-mode: none" support is now General Availability (GA).
--- a/cpp/ql/lib/change-notes/2025-09-18-guards.md
+++ b/cpp/ql/lib/change-notes/2025-09-18-guards.md
@@ -1,4 +1,9 @@
---
-category: breaking
---
-* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
+## 6.0.0
+
+### Breaking Changes
+
+* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
+
+### New Features
+
+* C/C++ `build-mode: none` support is now generally available.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.6.1
+lastReleaseVersion: 6.0.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 5.6.2-dev
+version: 6.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.5.2
+
+No user-facing changes.
+
 ## 1.5.1

 No user-facing changes.
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -3,11 +3,15 @@
  "qhelp.dtd">
 <qhelp>
 <overview>
-<p>Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.</p>
+<p>Using broken or weak cryptographic algorithms may compromise security guarantees such as confidentiality, integrity, and authenticity.</p>

-<p>Many cryptographic algorithms provided by cryptography libraries are known to be weak, or 
-flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted
-data.</p>
+<p>Many cryptographic algorithms are known to be weak or flawed. The security guarantees of a system often rely on the underlying cryptography, so using a weak algorithm can have severe consequences. For example:
+</p>
+<ul>
+  <li>If a weak encryption algorithm is used, an attacker may be able to decrypt sensitive data.</li>
+  <li>If a weak hashing algorithm is used to protect data integrity, an attacker may be able to craft a malicious input that has the same hash as a benign one.</li>
+  <li>If a weak algorithm is used for digital signatures, an attacker may be able to forge signatures and impersonate legitimate users.</li>
+</ul>

 </overview>
 <recommendation>
--- a/cpp/ql/src/change-notes/released/1.5.2.md
+++ b/cpp/ql/src/change-notes/released/1.5.2.md
@@ -0,0 +1,3 @@
+## 1.5.2
+
+No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.1
+lastReleaseVersion: 1.5.2
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.2-dev
+version: 1.5.3-dev
 groups:
  - cpp
  - queries