hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-15 03:54:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Release preparation for version 2.25.2

Browse Source
This commit is contained in:
github-actions[bot]
2026-04-06 10:30:38 +00:00
parent fb8b5699f2
commit 4fe2f6d2b4
182 changed files with 483 additions and 188 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
cpp/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,23 @@
## 9.0.0
### Breaking Changes
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
### New Features
* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
### Minor Analysis Improvements
* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
* Added dataflow through members initialized via non-static data member initialization (NSDMI).
## 8.0.3
No user-facing changes.

4
cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.

5
cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md
View File

@@ -1,5 +0,0 @@
---
category: feature
---
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.

5
cpp/ql/lib/change-notes/2026-03-24-field-init.md
View File

@@ -1,5 +0,0 @@
---
category: feature
---
* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.

4
cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md
View File

@@ -1,4 +0,0 @@
---
category: breaking
---
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

4
cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added dataflow through members initialized via non-static data member initialization (NSDMI).

4
cpp/ql/lib/change-notes/2026-03-31-http-flow-sources.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.

4
cpp/ql/lib/change-notes/2026-03-31-meson.md
View File

@@ -1,4 +0,0 @@
---
category: feature
---
* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.

19
cpp/ql/lib/change-notes/released/9.0.0.md Normal file
View File

@@ -0,0 +1,19 @@
## 9.0.0
### Breaking Changes
* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
### New Features
* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
### Minor Analysis Improvements
* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
* Added dataflow through members initialized via non-static data member initialization (NSDMI).

2
cpp/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 8.0.3
lastReleaseVersion: 9.0.0

2
cpp/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 8.0.4-dev
version: 9.0.0
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp

14
cpp/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,17 @@
## 1.6.0
### Query Metadata Changes
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
### Minor Analysis Improvements
* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
## 1.5.15
No user-facing changes.

4
cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

4
cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
View File

@@ -1,4 +0,0 @@
---
category: queryMetadata
---
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).

4
cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.

4
cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.

4
cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.

4
cpp/ql/src/change-notes/2026-03-30-warning-diagnostics.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.

13
cpp/ql/src/change-notes/released/1.6.0.md Normal file
View File

@@ -0,0 +1,13 @@
## 1.6.0
### Query Metadata Changes
* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
### Minor Analysis Improvements
* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

2
cpp/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.5.15
lastReleaseVersion: 1.6.0

2
cpp/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 1.5.16-dev
version: 1.6.0
groups:
- cpp
- queries