Merge branch 'main' into redsun82/update-rules-kotlin

2026-05-14 11:19:27 +02:00 · 2026-03-20 11:37:04 +01:00
parent 6d3bfd6af7 ec726f5941
commit 40f90eaa64
184 changed files with 493 additions and 236 deletions
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -1,78 +0,0 @@
-name: "Compile all queries using the latest stable CodeQL CLI"
-
-on:
-  push:
-    branches:  # makes sure the cache gets populated - running on the branches people tend to merge into.
-      - main
-      - "rc/*"
-      - "codeql-cli-*"
-  pull_request:
-    paths:
-      - '**.ql'
-      - '**.qll'
-      - '**/qlpack.yml'
-      - '**.dbscheme'
-
-permissions:
-  contents: read
-
-jobs:
-  detect-changes:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest
-    outputs:
-      languages: ${{ steps.detect.outputs.languages }}
-    steps:
-      - uses: actions/checkout@v5
-      - name: Detect changed languages
-        id: detect
-        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            # For PRs, detect which languages have changes
-            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
-            languages=()
-            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
-              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
-                languages+=("$lang")
-              fi
-            done
-            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
-          else
-            # For pushes to main/rc branches, run all languages
-            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
-          fi
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-  compile-queries:
-    needs: detect-changes
-    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
-    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}
-
-    steps:
-      - uses: actions/checkout@v5
-      - name: Setup CodeQL
-        uses: ./.github/actions/fetch-codeql
-        with:
-          channel: 'release'
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: ${{ matrix.language }}-queries
-      - name: check formatting
-        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
-      - name: compile queries - check-only
-        # run with --check-only if running in a PR (github.sha != main)
-        if : ${{ github.event_name == 'pull_request' }}
-        shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
-      - name: compile queries - full
-        # do full compile if running on main - this populates the cache
-        if : ${{ github.event_name != 'pull_request' }}
-        shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -17,12 +17,12 @@ local_path_override(
 bazel_dep(name = "platforms", version = "1.0.0")
 bazel_dep(name = "rules_cc", version = "0.2.17")
 bazel_dep(name = "rules_go", version = "0.60.0")
-bazel_dep(name = "rules_java", version = "9.0.3")
+bazel_dep(name = "rules_java", version = "9.6.1")
 bazel_dep(name = "rules_pkg", version = "1.2.0")
 bazel_dep(name = "rules_nodejs", version = "6.7.3")
 bazel_dep(name = "rules_python", version = "1.9.0")
 bazel_dep(name = "rules_shell", version = "0.6.1")
-bazel_dep(name = "bazel_skylib", version = "1.8.1")
+bazel_dep(name = "bazel_skylib", version = "1.9.0")
 bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.30
+
+No user-facing changes.
+
 ## 0.4.29

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.30.md
+++ b/actions/ql/lib/change-notes/released/0.4.30.md
@@ -0,0 +1,3 @@
+## 0.4.30
+
+No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.29
+lastReleaseVersion: 0.4.30
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.30-dev
+version: 0.4.31-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.22
+
+No user-facing changes.
+
 ## 0.6.21

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.22.md
+++ b/actions/ql/src/change-notes/released/0.6.22.md
@@ -0,0 +1,3 @@
+## 0.6.22
+
+No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.21
+lastReleaseVersion: 0.6.22
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.22-dev
+version: 0.6.23-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 8.0.1
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+
 ## 8.0.0

 ### Breaking Changes
--- a/csharp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/csharp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 8.0.1
+
+### Minor Analysis Improvements
+
 * Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.0.0
+lastReleaseVersion: 8.0.1
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 8.0.1-dev
+version: 8.0.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.5.13
+
+No user-facing changes.
+
 ## 1.5.12

 No user-facing changes.
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -23,13 +23,31 @@ import Flow::PathGraph

 predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }

+/**
+ * Holds if `f` is a printf-like function or a (possibly nested) wrapper
+ * that forwards a format-string parameter to one.
+ *
+ * Functions that *implement* printf-like behavior (e.g. a custom
+ * `vsnprintf` variant) internally parse the caller-supplied format string
+ * and build small, bounded, local format strings such as `"%d"` or `"%ld"`
+ * for inner `sprintf` calls.  Taint that reaches those inner calls via the
+ * parsed format specifier is not exploitable, so sinks inside such
+ * functions should be excluded.
+ */
+private predicate isPrintfImplementation(Function f) {
+  f instanceof PrintfLikeFunction
+  or
+  exists(PrintfLikeFunction printf | printf.wrapperFunction(f, _, _))
+}
+
 module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) { isSource(node, _) }

  predicate isSink(DataFlow::Node node) {
    exists(PrintfLikeFunction printf |
      printf.outermostWrapperFunctionCall([node.asExpr(), node.asIndirectExpr()], _)
-    )
+    ) and
+    not isPrintfImplementation([node.asExpr(), node.asIndirectExpr()].getEnclosingFunction())
  }

  private predicate isArithmeticNonCharType(ArithmeticType type) {
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -18,7 +18,8 @@ import IncorrectPointerScalingCommon
 private predicate isCharSzPtrExpr(Expr e) {
  exists(PointerType pt | pt = e.getFullyConverted().getUnspecifiedType() |
    pt.getBaseType() instanceof CharType or
-    pt.getBaseType() instanceof VoidType
+    pt.getBaseType() instanceof VoidType or
+    pt.getBaseType() instanceof ErroneousType // this could be char / void type in a successful compilation
  )
 }

--- a/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
+++ b/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
+++ b/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
--- a/cpp/ql/src/change-notes/released/1.5.13.md
+++ b/cpp/ql/src/change-notes/released/1.5.13.md
@@ -0,0 +1,3 @@
+## 1.5.13
+
+No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.12
+lastReleaseVersion: 1.5.13
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.13-dev
+version: 1.5.14-dev
 groups:
  - cpp
  - queries
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected
@@ -1,3 +1,5 @@
+| buildless.cpp:5:15:5:25 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const short * | const short * |
+| buildless.cpp:6:13:6:23 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const int * | const int * |
 | test.cpp:6:30:6:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
 | test.cpp:14:30:14:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
 | test.cpp:22:25:22:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp
@@ -0,0 +1,10 @@
+// semmle-extractor-options: --expect_errors
+
+void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32) {
+  *(p_c + sizeof(int)); // GOOD (`sizeof(char)` is 1)
+  *(p_short + sizeof(int)); // BAD
+  *(p_int + sizeof(int)); // BAD
+  *(p_8 + sizeof(int)); // GOOD (`sizeof(uint8_t)` is 1, but there's an error in the type)
+  *(p_16 + sizeof(int)); // BAD [NOT DETECTED]
+  *(p_32 + sizeof(int)); // BAD [NOT DETECTED]
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp
@@ -93,3 +93,9 @@ private:
  myChar * const myCharsPointer;
  myInt * const myIntsPointer;
 };
+
+typedef unsigned char uint8_t;
+typedef unsigned short uint16_t;
+typedef unsigned int uint32_t;
+
+void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32);
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.61
+
+No user-facing changes.
+
 ## 1.7.60

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.61.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.61.md
@@ -0,0 +1,3 @@
+## 1.7.61
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.60
+lastReleaseVersion: 1.7.61
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.61-dev
+version: 1.7.62-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.61
+
+No user-facing changes.
+
 ## 1.7.60

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.61.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.61.md
@@ -0,0 +1,3 @@
+## 1.7.61
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.60
+lastReleaseVersion: 1.7.61
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.61-dev
+version: 1.7.62-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 5.4.9
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+* Added `System.Net.WebSockets::ReceiveAsync` as a remote flow source.
+* Added reverse taint flow from implicit conversion operator calls to their arguments.
+* Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.
+* C# 14: Added support for partial constructors.
+
 ## 5.4.8

 ### Minor Analysis Improvements
--- a/csharp/ql/lib/change-notes/2026-02-24-partial-constructors.md
+++ b/csharp/ql/lib/change-notes/2026-02-24-partial-constructors.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* C# 14: Added support for partial constructors.
--- a/csharp/ql/lib/change-notes/2026-03-02-post-update-nodes.md
+++ b/csharp/ql/lib/change-notes/2026-03-02-post-update-nodes.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.
--- a/csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md
+++ b/csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added reverse taint flow from implicit conversion operator calls to their arguments.
--- a/csharp/ql/lib/change-notes/2026-03-04-websocket-receiveasync.md
+++ b/csharp/ql/lib/change-notes/2026-03-04-websocket-receiveasync.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added `System.Net.WebSockets::ReceiveAsync` as a remote flow source.
--- a/csharp/ql/lib/change-notes/released/5.4.9.md
+++ b/csharp/ql/lib/change-notes/released/5.4.9.md
@@ -0,0 +1,9 @@
+## 5.4.9
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+* Added `System.Net.WebSockets::ReceiveAsync` as a remote flow source.
+* Added reverse taint flow from implicit conversion operator calls to their arguments.
+* Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.
+* C# 14: Added support for partial constructors.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.8
+lastReleaseVersion: 5.4.9
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.9-dev
+version: 5.4.10-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.6.4
+
+No user-facing changes.
+
 ## 1.6.3

 No user-facing changes.
--- a/csharp/ql/src/change-notes/released/1.6.4.md
+++ b/csharp/ql/src/change-notes/released/1.6.4.md
@@ -0,0 +1,3 @@
+## 1.6.4
+
+No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.4
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.6.4-dev
+version: 1.6.5-dev
 groups:
  - csharp
  - queries
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.44
+
+No user-facing changes.
+
 ## 1.0.43

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.44.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.44.md
@@ -0,0 +1,3 @@
+## 1.0.44
+
+No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.43
+lastReleaseVersion: 1.0.44
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.44-dev
+version: 1.0.45-dev
 groups:
  - go
  - queries
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 7.0.2
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+
 ## 7.0.1

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 7.0.2
+
+### Minor Analysis Improvements
+
 * Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.1
+lastReleaseVersion: 7.0.2
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.0.2-dev
+version: 7.0.3-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.5.8
+
+No user-facing changes.
+
 ## 1.5.7

 No user-facing changes.
--- a/go/ql/src/change-notes/released/1.5.8.md
+++ b/go/ql/src/change-notes/released/1.5.8.md
@@ -0,0 +1,3 @@
+## 1.5.8
+
+No user-facing changes.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.7
+lastReleaseVersion: 1.5.8
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.5.8-dev
+version: 1.5.9-dev
 groups:
  - go
  - queries
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,26 @@
+## 9.0.0
+
+### Breaking Changes
+
+* The Java control flow graph (CFG) implementation has been completely
+  rewritten. The CFG now includes additional nodes to more accurately represent
+  certain constructs. This also means that any existing code that implicitly
+  relies on very specific details about the CFG may need to be updated.
+  The CFG now only includes the nodes that are reachable from the entry point.
+  Additionally, the following breaking changes have been made:
+  - `ControlFlowNode.asCall` has been removed - use `Call.getControlFlowNode` instead.
+  - `ControlFlowNode.getEnclosingStmt` has been removed.
+  - `ControlFlow::ExprNode` has been removed.
+  - `ControlFlow::StmtNode` has been removed.
+  - `ControlFlow::Node` has been removed - this was merely an alias of
+    `ControlFlowNode`, which is still available.
+  - Previously deprecated predicates on `BasicBlock` have been removed.
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+* The class `Assignment` now extends `BinaryExpr`. Uses of `BinaryExpr` may in some cases need slight adjustment.
+
 ## 8.1.1

 ### Minor Analysis Improvements
--- a/java/ql/lib/change-notes/2026-03-04-binary-assignment.md
+++ b/java/ql/lib/change-notes/2026-03-04-binary-assignment.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The class `Assignment` now extends `BinaryExpr`. Uses of `BinaryExpr` may in some cases need slight adjustment.
--- a/java/ql/lib/change-notes/released/9.0.0.md
+++ b/java/ql/lib/change-notes/released/9.0.0.md
@@ -1,6 +1,7 @@
---
-category: breaking
---
+## 9.0.0
+
+### Breaking Changes
+
 * The Java control flow graph (CFG) implementation has been completely
  rewritten. The CFG now includes additional nodes to more accurately represent
  certain constructs. This also means that any existing code that implicitly
@@ -14,3 +15,8 @@ category: breaking
  - `ControlFlow::Node` has been removed - this was merely an alias of
    `ControlFlowNode`, which is still available.
  - Previously deprecated predicates on `BasicBlock` have been removed.
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+* The class `Assignment` now extends `BinaryExpr`. Uses of `BinaryExpr` may in some cases need slight adjustment.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.1.1
+lastReleaseVersion: 9.0.0
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 8.1.2-dev
+version: 9.0.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.10.9
+
+No user-facing changes.
+
 ## 1.10.8

 ### Minor Analysis Improvements
--- a/java/ql/src/change-notes/released/1.10.9.md
+++ b/java/ql/src/change-notes/released/1.10.9.md
@@ -0,0 +1,3 @@
+## 1.10.9
+
+No user-facing changes.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.10.8
+lastReleaseVersion: 1.10.9
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.10.9-dev
+version: 1.10.10-dev
 groups:
  - java
  - queries
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 2.6.24
+
+### Minor Analysis Improvements
+
+* Added support for browser-specific source kinds (`browser`, `browser-url-query`, `browser-url-fragment`, `browser-url-path`, `browser-url`, `browser-window-name`, `browser-message-event`) that can be used in data extensions to model sources in browser environments.
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+
 ## 2.6.23

 ### Minor Analysis Improvements
--- a/javascript/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/javascript/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/javascript/ql/lib/change-notes/2026-03-11-browser-source-kinds.md
+++ b/javascript/ql/lib/change-notes/2026-03-11-browser-source-kinds.md
@@ -1,4 +1,6 @@
---
-category: minorAnalysis
---
+## 2.6.24
+
+### Minor Analysis Improvements
+
 * Added support for browser-specific source kinds (`browser`, `browser-url-query`, `browser-url-fragment`, `browser-url-path`, `browser-url`, `browser-window-name`, `browser-message-event`) that can be used in data extensions to model sources in browser environments.
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.23
+lastReleaseVersion: 2.6.24
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.24-dev
+version: 2.6.25-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.3.4
+
+No user-facing changes.
+
 ## 2.3.3

 No user-facing changes.
--- a/javascript/ql/src/change-notes/released/2.3.4.md
+++ b/javascript/ql/src/change-notes/released/2.3.4.md
@@ -0,0 +1,3 @@
+## 2.3.4
+
+No user-facing changes.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.3.3
+lastReleaseVersion: 2.3.4
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.4-dev
+version: 2.3.5-dev
 groups:
  - javascript
  - queries
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.44
+
+No user-facing changes.
+
 ## 1.0.43

 No user-facing changes.
--- a/misc/suite-helpers/change-notes/released/1.0.44.md
+++ b/misc/suite-helpers/change-notes/released/1.0.44.md
@@ -0,0 +1,3 @@
+## 1.0.44
+
+No user-facing changes.
--- a/misc/suite-helpers/codeql-pack.release.yml
+++ b/misc/suite-helpers/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.43
+lastReleaseVersion: 1.0.44
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.44-dev
+version: 1.0.45-dev
 groups: shared
 warnOnImplicitThis: true
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 7.0.1
+
+### Minor Analysis Improvements
+
+- The call graph resolution no longer considers methods marked using [`@typing.overload`](https://typing.python.org/en/latest/spec/overload.html#overloads) as valid targets. This ensures that only the method that contains the actual implementation gets resolved as a target.
+* Inline expectations test comments, which are of the form `# $ tag` or `# $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+
 ## 7.0.0

 ### Breaking Changes
--- a/python/ql/lib/change-notes/2026-03-05-ignore-type-overloaded-methods-during-resolution.md
+++ b/python/ql/lib/change-notes/2026-03-05-ignore-type-overloaded-methods-during-resolution.md
@@ -1,5 +1,6 @@
---
-category: minorAnalysis
---
+## 7.0.1
+
+### Minor Analysis Improvements

 - The call graph resolution no longer considers methods marked using [`@typing.overload`](https://typing.python.org/en/latest/spec/overload.html#overloads) as valid targets. This ensures that only the method that contains the actual implementation gets resolved as a target.
+* Inline expectations test comments, which are of the form `# $ tag` or `# $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.0
+lastReleaseVersion: 7.0.1
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.0.1-dev
+version: 7.0.2-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.9
+
+No user-facing changes.
+
 ## 1.7.8

 No user-facing changes.
--- a/python/ql/src/change-notes/released/1.7.9.md
+++ b/python/ql/src/change-notes/released/1.7.9.md
@@ -0,0 +1,3 @@
+## 1.7.9
+
+No user-facing changes.
--- a/python/ql/src/codeql-pack.release.yml
+++ b/python/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.8
+lastReleaseVersion: 1.7.9
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.7.9-dev
+version: 1.7.10-dev
 groups:
  - python
  - queries
--- a/ruby/ql/lib/CHANGELOG.md
+++ b/ruby/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 5.1.12
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `# $ tag` or `# $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+
 ## 5.1.11

 ### Minor Analysis Improvements
--- a/ruby/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/ruby/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Inline expectations test comments, which are of the form `# $ tag` or `# $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/python/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/python/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 5.1.12
+
+### Minor Analysis Improvements
+
 * Inline expectations test comments, which are of the form `# $ tag` or `# $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/ruby/ql/lib/codeql-pack.release.yml
+++ b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.11
+lastReleaseVersion: 5.1.12
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 5.1.12-dev
+version: 5.1.13-dev
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
--- a/ruby/ql/src/CHANGELOG.md
+++ b/ruby/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.5.9
+
+No user-facing changes.
+
 ## 1.5.8

 No user-facing changes.
--- a/ruby/ql/src/change-notes/released/1.5.9.md
+++ b/ruby/ql/src/change-notes/released/1.5.9.md
@@ -0,0 +1,3 @@
+## 1.5.9
+
+No user-facing changes.
--- a/ruby/ql/src/codeql-pack.release.yml
+++ b/ruby/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.8
+lastReleaseVersion: 1.5.9
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 1.5.9-dev
+version: 1.5.10-dev
 groups:
  - ruby
  - queries
--- a/rust/ql/lib/CHANGELOG.md
+++ b/rust/ql/lib/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.2.8
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+* Added neutral models to inhibit spurious generated sink models for `map` and `from`. This fixes some false positive query results.
+
 ## 0.2.7

 ### Minor Analysis Improvements
--- a/rust/ql/lib/change-notes/2026-02-26-neutral-models-map-from.md
+++ b/rust/ql/lib/change-notes/2026-02-26-neutral-models-map-from.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added neutral models to inhibit spurious generated sink models for `map` and `from`. This fixes some false positive query results.
--- a/rust/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/rust/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/java/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/java/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,4 +1,6 @@
---
-category: minorAnalysis
---
+## 0.2.8
+
+### Minor Analysis Improvements
+
 * Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+* Added neutral models to inhibit spurious generated sink models for `map` and `from`. This fixes some false positive query results.
--- a/Show More
+++ b/Show More