Release preparation for version 2.11.3

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Fixed bugs in the `FormatLiteral` class that were causing `getMaxConvertedLength` and related predicates to return no results when the format literal was `%e`, `%f` or `%g` and an explicit precision was specified.
+
 ## 0.4.2
 
 No user-facing changes.

cpp/ql/lib/change-notes/released/0.4.3.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 0.4.3
+
+### Minor Analysis Improvements
+
 * Fixed bugs in the `FormatLiteral` class that were causing `getMaxConvertedLength` and related predicates to return no results when the format literal was `%e`, `%f` or `%g` and an explicit precision was specified.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.4.3-dev
+version: 0.4.3
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Fixed a bug in `cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.
+
 ## 0.4.2
 
 ### New Queries

cpp/ql/src/change-notes/released/0.4.3.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* Fixed a bug in `cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Fixed a bug in `cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.4.3-dev
+version: 0.4.3
 groups: 
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.3.3
+
+No user-facing changes.
+
 ## 1.3.2
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.3.3.md

@@ -0,0 +1,3 @@
+## 1.3.3
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.2
+lastReleaseVersion: 1.3.3

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.3.3-dev
+version: 1.3.3
 groups:
     - csharp
     - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.3.3
+
+No user-facing changes.
+
 ## 1.3.2
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.3.3.md

@@ -0,0 +1,3 @@
+## 1.3.3
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.2
+lastReleaseVersion: 1.3.3

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.3.3-dev
+version: 1.3.3
 groups:
     - csharp
     - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.3
+
+No user-facing changes.
+
 ## 0.4.2
 
 No user-facing changes.

csharp/ql/lib/change-notes/released/0.4.3.md

@@ -0,0 +1,3 @@
+## 0.4.3
+
+No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.4.3-dev
+version: 0.4.3
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.3
+
+No user-facing changes.
+
 ## 0.4.2
 
 No user-facing changes.

csharp/ql/src/change-notes/released/0.4.3.md

@@ -0,0 +1,3 @@
+## 0.4.3
+
+No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.4.3-dev
+version: 0.4.3
 groups: 
   - csharp
   - queries

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.3.3
+
+No user-facing changes.
+
 ## 0.3.2
 
 No user-facing changes.

go/ql/lib/change-notes/released/0.3.3.md

@@ -0,0 +1,3 @@
+## 0.3.3
+
+No user-facing changes.

go/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.3

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 0.3.3-dev
+version: 0.3.3
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.3.3
+
+### Minor Analysis Improvements
+
+* Query `go/clear-text-logging` now excludes `GetX` methods of protobuf `Message` structs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.
+
 ## 0.3.2
 
 ### Minor Analysis Improvements

go/ql/src/change-notes/released/0.3.3.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 0.3.3
+
+### Minor Analysis Improvements
+
 * Query `go/clear-text-logging` now excludes `GetX` methods of protobuf `Message` structs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.

go/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.3

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 0.3.3-dev
+version: 0.3.3
 groups:
   - go
   - queries

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.3
+
+No user-facing changes.
+
 ## 0.4.2
 
 ### Deprecated APIs

java/ql/lib/change-notes/released/0.4.3.md

@@ -0,0 +1,3 @@
+## 0.4.3
+
+No user-facing changes.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.4.3-dev
+version: 0.4.3
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.3
+
+No user-facing changes.
+
 ## 0.4.2
 
 ### New Queries

java/ql/src/change-notes/released/0.4.3.md

@@ -0,0 +1,3 @@
+## 0.4.3
+
+No user-facing changes.

java/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.4.3-dev
+version: 0.4.3
 groups: 
   - java
   - queries

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.3.3
+
+No user-facing changes.
+
 ## 0.3.2
 
 No user-facing changes.

javascript/ql/lib/change-notes/released/0.3.3.md

@@ -0,0 +1,3 @@
+## 0.3.3
+
+No user-facing changes.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.3

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.3.3-dev
+version: 0.3.3
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 0.4.3
+
+### New Queries
+
+* Added a new query, `js/second-order-command-line-injection`, to detect shell
+  commands that may execute arbitrary code when the user has control over 
+  the arguments to a command-line program.
+  This currently flags up unsafe invocations of git and hg.
+
+### Minor Analysis Improvements
+
+- Added sources for user defined path and query parameters in `Next.js`.
+* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
 ## 0.4.2
 
 ### Minor Analysis Improvements

javascript/ql/src/change-notes/2022-09-05-second-order-command-injection.md

@@ -1,7 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `js/second-order-command-line-injection`, to detect shell
-  commands that may execute arbitrary code when the user has control over 
-  the arguments to a command-line program.
-  This currently flags up unsafe invocations of git and hg.

javascript/ql/src/change-notes/2022-10-07-alert-messages.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.

javascript/ql/src/change-notes/2022-10-26-nextjs-params.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-- Added sources for user defined path and query parameters in `Next.js`.

javascript/ql/src/change-notes/released/0.4.3.md

@@ -0,0 +1,13 @@
+## 0.4.3
+
+### New Queries
+
+* Added a new query, `js/second-order-command-line-injection`, to detect shell
+  commands that may execute arbitrary code when the user has control over 
+  the arguments to a command-line program.
+  This currently flags up unsafe invocations of git and hg.
+
+### Minor Analysis Improvements
+
+- Added sources for user defined path and query parameters in `Next.js`.
+* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.

javascript/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 0.4.3-dev
+version: 0.4.3
 groups: 
   - javascript
   - queries

misc/suite-helpers/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.3.3
+
+No user-facing changes.
+
 ## 0.3.2
 
 No user-facing changes.

misc/suite-helpers/change-notes/released/0.3.3.md

@@ -0,0 +1,3 @@
+## 0.3.3
+
+No user-facing changes.

misc/suite-helpers/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.3

misc/suite-helpers/qlpack.yml

@@ -1,3 +1,3 @@
 name: codeql/suite-helpers
-version: 0.3.3-dev
+version: 0.3.3
 groups: shared

python/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.3
+
+No user-facing changes.
+
 ## 0.6.2
 
 ### Minor Analysis Improvements

python/ql/lib/change-notes/released/0.6.3.md

@@ -0,0 +1,3 @@
+## 0.6.3
+
+No user-facing changes.

python/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.2
+lastReleaseVersion: 0.6.3

python/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 0.6.3-dev
+version: 0.6.3
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python

python/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.5.3
+
+No user-facing changes.
+
 ## 0.5.2
 
 ### Minor Analysis Improvements

python/ql/src/change-notes/released/0.5.3.md

@@ -0,0 +1,3 @@
+## 0.5.3
+
+No user-facing changes.

python/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3

python/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 0.5.3-dev
+version: 0.5.3
 groups: 
   - python
   - queries

ruby/ql/lib/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+ * There was a bug in `TaintTracking::localTaint` and `TaintTracking::localTaintStep` such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps.
+- Instantiations using `Faraday::Connection.new` are now recognized as part of `FaradayHttpRequest`s, meaning they will be considered as sinks for queries such as `rb/request-forgery`.
+* Taint flow is now tracked through extension methods on `Hash`, `String` and
+  `Object` provided by `ActiveSupport`.
+
 ## 0.4.2
 
 ### Minor Analysis Improvements

ruby/ql/lib/change-notes/2022-10-18-activesupport-flow.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Taint flow is now tracked through extension methods on `Hash`, `String` and
-  `Object` provided by `ActiveSupport`.

ruby/ql/lib/change-notes/2022-10-20-expand-faraday-model-for-ssrf-sink.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-- Instantiations using `Faraday::Connection.new` are now recognized as part of `FaradayHttpRequest`s, meaning they will be considered as sinks for queries such as `rb/request-forgery`.

ruby/ql/lib/change-notes/2022-10-21-local-taint-step.md

@@ -1,4 +0,0 @@
----
- category: minorAnalysis
----
- * There was a bug in `TaintTracking::localTaint` and `TaintTracking::localTaintStep` such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps.

ruby/ql/lib/change-notes/released/0.4.3.md

@@ -0,0 +1,8 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+ * There was a bug in `TaintTracking::localTaint` and `TaintTracking::localTaintStep` such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps.
+- Instantiations using `Faraday::Connection.new` are now recognized as part of `FaradayHttpRequest`s, meaning they will be considered as sinks for queries such as `rb/request-forgery`.
+* Taint flow is now tracked through extension methods on `Hash`, `String` and
+  `Object` provided by `ActiveSupport`.

ruby/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

ruby/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 0.4.3-dev
+version: 0.4.3
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme

ruby/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* The `rb/weak-cryptographic-algorithm` has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice.
+
 ## 0.4.2
 
 ### New Queries

ruby/ql/src/change-notes/released/0.4.3.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 0.4.3
+
+### Minor Analysis Improvements
+
 * The `rb/weak-cryptographic-algorithm` has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice.

ruby/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

ruby/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 0.4.3-dev
+version: 0.4.3
 groups: 
   - ruby
   - queries

shared/ssa/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.0.4
+
+No user-facing changes.
+
 ## 0.0.3
 
 No user-facing changes.

shared/ssa/change-notes/released/0.0.4.md

@@ -0,0 +1,3 @@
+## 0.0.4
+
+No user-facing changes.

shared/ssa/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.3
+lastReleaseVersion: 0.0.4

shared/ssa/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/ssa
-version: 0.0.4-dev
+version: 0.0.4
 groups: shared
 library: true

shared/typos/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.0.4
+
+No user-facing changes.
+
 ## 0.0.3
 
 No user-facing changes.

shared/typos/change-notes/released/0.0.4.md

@@ -0,0 +1,3 @@
+## 0.0.4
+
+No user-facing changes.

shared/typos/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.3
+lastReleaseVersion: 0.0.4

shared/typos/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/typos
-version: 0.0.4-dev
+version: 0.0.4
 groups: shared
 library: true