Release preparation for version 2.24.0

2026-02-11 20:51:06 +01:00 · 2026-01-19 14:49:14 +00:00
parent bedb80346a
commit 4142b9c4ce
218 changed files with 587 additions and 316 deletions
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,13 @@
+## 7.8.4
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Java extractor's search for XML and properties files.
+* Additional remote flow sources from the `org.springframework.web.socket` package have been modeled. 
+* A sanitizer has been added to `java/ssrf` to remove alerts when a regular expression check is used to verify that the value is safe.
+* URI template variables of all Spring `RestTemplate` methods are now considered as request forgery sinks. Previously only the `getForObject` method was considered. This may lead to more alerts for the query `java/ssrf`.
+* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and  `org.apache.commons.fileupload.util.Streams`.
+
 ## 7.8.3

 No user-facing changes.
--- a/java/ql/lib/change-notes/2024-09-24-multipart.md
+++ b/java/ql/lib/change-notes/2024-09-24-multipart.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and  `org.apache.commons.fileupload.util.Streams`.
--- a/java/ql/lib/change-notes/2025-11-27-spring-rest-template-request-forgery-sinks.md
+++ b/java/ql/lib/change-notes/2025-11-27-spring-rest-template-request-forgery-sinks.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* URI template variables of all Spring `RestTemplate` methods are now considered as request forgery sinks. Previously only the `getForObject` method was considered. This may lead to more alerts for the query `java/ssrf`.
--- a/java/ql/lib/change-notes/2025-12-02-improve-regex-sanitizer.md
+++ b/java/ql/lib/change-notes/2025-12-02-improve-regex-sanitizer.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* A sanitizer has been added to `java/ssrf` to remove alerts when a regular expression check is used to verify that the value is safe.
--- a/java/ql/lib/change-notes/2025-12-08-spring-websocket-handler.md
+++ b/java/ql/lib/change-notes/2025-12-08-spring-websocket-handler.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Additional remote flow sources from the `org.springframework.web.socket` package have been modeled. 
--- a/java/ql/lib/change-notes/2025-12-16-java-xml-paths.md
+++ b/java/ql/lib/change-notes/2025-12-16-java-xml-paths.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Java extractor's search for XML and properties files.
--- a/java/ql/lib/change-notes/released/7.8.4.md
+++ b/java/ql/lib/change-notes/released/7.8.4.md
@@ -0,0 +1,9 @@
+## 7.8.4
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Java extractor's search for XML and properties files.
+* Additional remote flow sources from the `org.springframework.web.socket` package have been modeled. 
+* A sanitizer has been added to `java/ssrf` to remove alerts when a regular expression check is used to verify that the value is safe.
+* URI template variables of all Spring `RestTemplate` methods are now considered as request forgery sinks. Previously only the `getForObject` method was considered. This may lead to more alerts for the query `java/ssrf`.
+* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and  `org.apache.commons.fileupload.util.Streams`.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.8.3
+lastReleaseVersion: 7.8.4
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 7.8.4-dev
+version: 7.8.4
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 1.10.5
+
+### Minor Analysis Improvements
+
+* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Cretentials queries.
+* Java thread safety analysis now understands initialization to thread safe classes inside constructors.
+
 ## 1.10.4

 No user-facing changes.
--- a/java/ql/src/change-notes/2025-11-25-thread-safe-initializers.md
+++ b/java/ql/src/change-notes/2025-11-25-thread-safe-initializers.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Java thread safety analysis now understands initialization to thread safe classes inside constructors.
--- a/java/ql/src/change-notes/2025-12-24-couchbase-sinks.md
+++ b/java/ql/src/change-notes/2025-12-24-couchbase-sinks.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Cretentials queries.
--- a/java/ql/src/change-notes/released/1.10.5.md
+++ b/java/ql/src/change-notes/released/1.10.5.md
@@ -0,0 +1,6 @@
+## 1.10.5
+
+### Minor Analysis Improvements
+
+* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Cretentials queries.
+* Java thread safety analysis now understands initialization to thread safe classes inside constructors.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.10.4
+lastReleaseVersion: 1.10.5
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.10.5-dev
+version: 1.10.5
 groups:
  - java
  - queries