Merge branch 'main' into jcogs33/unsafe-url-forward-promotion-resource-and-file-methods

2026-04-30 19:26:02 +02:00 · 2024-04-08 10:26:42 -04:00
parent e90f55a05f f08e8b1d5e
commit 5792f7b770
1363 changed files with 102298 additions and 48765 deletions
--- a/java/ql/lib/change-notes/2024-02-23-widget-flowsteps.md
+++ b/java/ql/lib/change-notes/2024-02-23-widget-flowsteps.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Some flow steps related to `android.text.Editable.toString` that were accidentally disabled have been re-enabled.
--- a/java/ql/lib/change-notes/2024-02-27-error-types.md
+++ b/java/ql/lib/change-notes/2024-02-27-error-types.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Java expressions with erroneous types (e.g. the result of a call whose callee couldn't be resolved during extraction) are now given a CodeQL `ErrorType` more often.
--- a/java/ql/lib/change-notes/2024-02-27-mvnw-versions.md
+++ b/java/ql/lib/change-notes/2024-02-27-mvnw-versions.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Fixed the Java autobuilder overriding the version of Maven used by a project when the Maven wrapper `mvnw` is in use and the `maven-wrapper.jar` file is not present in the repository.
--- a/java/ql/lib/change-notes/2024-03-11-add-parcelfiledescriptor-open-model.md
+++ b/java/ql/lib/change-notes/2024-03-11-add-parcelfiledescriptor-open-model.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added a `path-injection` sink for the `open` methods of the `android.os.ParcelFileDescriptor` class.
--- a/java/ql/lib/change-notes/2024-03-19-many-generated-jdk-models.md
+++ b/java/ql/lib/change-notes/2024-03-19-many-generated-jdk-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* About 6,700 summary models and 6,800 neutral summary models for the JDK that were generated using data flow have been added. This may lead to new alerts being reported.
--- a/java/ql/lib/change-notes/released/0.8.10.md
+++ b/java/ql/lib/change-notes/released/0.8.10.md
@@ -0,0 +1,10 @@
+## 0.8.10
+
+### Minor Analysis Improvements
+
+* Java expressions with erroneous types (e.g. the result of a call whose callee couldn't be resolved during extraction) are now given a CodeQL `ErrorType` more often.
+
+### Bug Fixes
+
+* Fixed the Java autobuilder overriding the version of Maven used by a project when the Maven wrapper `mvnw` is in use and the `maven-wrapper.jar` file is not present in the repository.
+* Some flow steps related to `android.text.Editable.toString` that were accidentally disabled have been re-enabled.
--- a/java/ql/lib/change-notes/released/0.8.11.md
+++ b/java/ql/lib/change-notes/released/0.8.11.md
@@ -0,0 +1,3 @@
+## 0.8.11
+
+No user-facing changes.
--- a/java/ql/lib/change-notes/released/0.8.12.md
+++ b/java/ql/lib/change-notes/released/0.8.12.md
@@ -0,0 +1,3 @@
+## 0.8.12
+
+No user-facing changes.
--- a/java/ql/lib/change-notes/released/0.9.0.md
+++ b/java/ql/lib/change-notes/released/0.9.0.md
@@ -0,0 +1,12 @@
+## 0.9.0
+
+### Breaking Changes
+
+* The Java extractor no longer supports the `ODASA_SNAPSHOT` legacy environment variable.
+
+### Minor Analysis Improvements
+
+* Increased the precision of some dataflow models of the class `java.net.URL` by distinguishing the parts of a URL.
+* The Java extractor and QL libraries now support Java 22, including support for anonymous variables, lambda parameters and patterns.
+* Pattern cases with multiple patterns and that fall through to or from other pattern cases are now supported. The `PatternCase` class gains the new `getPatternAtIndex` and `getAPattern` predicates, and deprecates `getPattern`.
+* Added a `path-injection` sink for the `open` methods of the `android.os.ParcelFileDescriptor` class.