hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Release preparation for version 2.18.2"

Browse Source
This commit is contained in:
Alexander Eyers-Taylor
2024-08-07 14:24:37 +01:00
committed by GitHub
parent 26444cb0cd
commit 46577b585e
163 changed files with 180 additions and 425 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
java/ql/lib/CHANGELOG.md
View File

@@ -1,23 +1,3 @@
## 3.0.0
### Breaking Changes
* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable.
### New Features
* Java support for `build-mode: none` is now out of beta, and generally available.
### Major Analysis Improvements
* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
### Minor Analysis Improvements
* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.
* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`.
* Adds models for request handlers using the `org.lastaflute.web` web framework.
## 2.0.0
### Breaking Changes

21
java/ql/lib/change-notes/released/3.0.0.md → java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
View File

@@ -1,19 +1,4 @@
## 3.0.0
### Breaking Changes
* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable.
### New Features
* Java support for `build-mode: none` is now out of beta, and generally available.
### Major Analysis Improvements
---
category: majorAnalysis
---
* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
### Minor Analysis Improvements
* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.
* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`.
* Adds models for request handlers using the `org.lastaflute.web` web framework.

4
java/ql/lib/change-notes/2024-07-16-add-models-for-the-lastaflute-framework.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Adds models for request handlers using the `org.lastaflute.web` web framework.

4
java/ql/lib/change-notes/2024-07-19-apache-ant-property-sinks.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`.

4
java/ql/lib/change-notes/2024-07-24-url-fields-inherit-taint.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.

4
java/ql/lib/change-notes/2024-07-25-env-vars.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: breaking
---
* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable.

4
java/ql/lib/change-notes/2024-08-02-buildless-ga.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: feature
---
* Java support for `build-mode: none` is now out of beta, and generally available.

2
java/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 3.0.0
lastReleaseVersion: 2.0.0

2
java/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/java-all
version: 3.0.0
version: 2.0.1-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java