mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Merge pull request #19172 from github/release-prep/2.21.0
Release preparation for version 2.21.0
This commit is contained in:
Arthur Baars
@@ -1,3 +1,10 @@
|
||||
## 0.4.6
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The query `actions/code-injection/medium` now produces alerts for injection
|
||||
vulnerabilities on `pull_request` events.
|
||||
|
||||
## 0.4.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
## 0.4.6
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The query `actions/code-injection/medium` now produces alerts for injection
|
||||
vulnerabilities on `pull_request` events.
|
||||
vulnerabilities on `pull_request` events.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.4.5
|
||||
lastReleaseVersion: 0.4.6
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-all
|
||||
version: 0.4.6-dev
|
||||
version: 0.4.6
|
||||
library: true
|
||||
warnOnImplicitThis: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 0.5.3
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed typos in the query and alert titles for the queries
|
||||
`actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
|
||||
`actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
|
||||
|
||||
## 0.5.2
|
||||
|
||||
No user-facing changes.
|
||||
@@ -7,9 +15,10 @@ No user-facing changes.
|
||||
### Bug Fixes
|
||||
|
||||
* The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
|
||||
Immutable Actions feature is not yet available for customer use. The query remains in the
|
||||
default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
|
||||
available, the query will be updated to report alerts again.
|
||||
Immutable Actions feature is not yet available for customer use. The query has also been moved
|
||||
to the experimental folder and will not be used in code scanning unless it is explicitly added
|
||||
to a code scanning configuration. Once the Immutable Actions feature is available, the query will
|
||||
be updated to report alerts again.
|
||||
|
||||
## 0.5.0
|
||||
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
## 0.5.3
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed typos in the query and alert titles for the queries
|
||||
`actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
|
||||
`actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
|
||||
`actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.5.2
|
||||
lastReleaseVersion: 0.5.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/actions-queries
|
||||
version: 0.5.3-dev
|
||||
version: 0.5.3
|
||||
library: false
|
||||
warnOnImplicitThis: true
|
||||
groups: [actions, queries]
|
||||
|
||||
@@ -1,3 +1,9 @@
|
||||
## 4.1.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.
|
||||
|
||||
## 4.0.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.
|
||||
## 4.1.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 4.0.3
|
||||
lastReleaseVersion: 4.1.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 4.0.4-dev
|
||||
version: 4.1.0
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -1,3 +1,10 @@
|
||||
## 1.3.7
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed a bug in the models for Microsoft's Active Template Library (ATL).
|
||||
* The query "Use of basic integral type" (`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (`int8_t`, `uint8_t`, etc.), and the `_Bool` and `bool` types.
|
||||
|
||||
## 1.3.6
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed a bug in the models for Microsoft's Active Template Library (ATL).
|
||||
@@ -1,4 +1,6 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The query "Use of basic integral type" (`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (`int8_t`, `uint8_t`, etc.), and the `_Bool` and `bool` types.
|
||||
## 1.3.7
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed a bug in the models for Microsoft's Active Template Library (ATL).
|
||||
* The query "Use of basic integral type" (`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (`int8_t`, `uint8_t`, etc.), and the `_Bool` and `bool` types.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.3.6
|
||||
lastReleaseVersion: 1.3.7
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 1.3.7-dev
|
||||
version: 1.3.7
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.7.37
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.36
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.37
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.36
|
||||
lastReleaseVersion: 1.7.37
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.37-dev
|
||||
version: 1.7.37
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.7.37
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.36
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.7.37
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.36
|
||||
lastReleaseVersion: 1.7.37
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.37-dev
|
||||
version: 1.7.37
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,10 @@
|
||||
## 5.1.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The models for `System.Uri` have been modified to better model the flow of tainted URIs.
|
||||
* Modeled parameter passing between Blazor parent and child components.
|
||||
|
||||
## 5.1.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Modeled parameter passing between Blazor parent and child components.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The models for `System.Uri` have been modified to better model the flow of tainted URIs.
|
||||
6
csharp/ql/lib/change-notes/released/5.1.3.md
Normal file
6
csharp/ql/lib/change-notes/released/5.1.3.md
Normal file
@@ -0,0 +1,6 @@
|
||||
## 5.1.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The models for `System.Uri` have been modified to better model the flow of tainted URIs.
|
||||
* Modeled parameter passing between Blazor parent and child components.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 5.1.2
|
||||
lastReleaseVersion: 5.1.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 5.1.3-dev
|
||||
version: 5.1.3
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -1,3 +1,18 @@
|
||||
## 1.1.0
|
||||
|
||||
### New Queries
|
||||
|
||||
* Added a new query, `csharp/path-combine`, to recommend against the `Path.Combine` method due to it silently discarding its earlier parameters if later parameters are rooted.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Improved dependency resolution in `build-mode: none` extraction to handle failing `dotnet restore` processes that managed to download a subset of the dependencies before the failure.
|
||||
* Increase query precision for `cs/useless-gethashcode-call` by not flagging calls to `GetHashCode` on `uint`, `long` and `ulong`.
|
||||
* Increase query precision for `cs/constant-condition` and allow the use of discards in switch/case statements and also take the condition (if any) into account.
|
||||
* The `cs/local-not-disposed` query no longer flags un-disposed tasks as this is often not needed (explained [here](https://devblogs.microsoft.com/pfxteam/do-i-need-to-dispose-of-tasks/)).
|
||||
* Increase query precision for `cs/useless-assignment-to-local` and `cs/constant-condition` when *unknown* types are involved (mostly relevant for `build-mode: none` databases).
|
||||
* Don't consider an if-statement to be *useless* in `cs/useless-if-statement` if there is at least a comment.
|
||||
|
||||
## 1.0.19
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
* Added a new query, `csharp/path-combine`, to recommend against the `Path.Combine` method due to it silently discarding its earlier parameters if later parameters are rooted.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Don't consider an if-statement to be *useless* in `cs/useless-if-statement` if there is at least a comment.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The `cs/local-not-disposed` query no longer flags un-disposed tasks as this is often not needed (explained [here](https://devblogs.microsoft.com/pfxteam/do-i-need-to-dispose-of-tasks/)).
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Increase query precision for `cs/useless-assignment-to-local` and `cs/constant-condition` when *unknown* types are involved (mostly relevant for `build-mode: none` databases).
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Increase query precision for `cs/constant-condition` and allow the use of discards in switch/case statements and also take the condition (if any) into account.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Increase query precision for `cs/useless-gethashcode-call` by not flagging calls to `GetHashCode` on `uint`, `long` and `ulong`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved dependency resolution in `build-mode: none` extraction to handle failing `dotnet restore` processes that managed to download a subset of the dependencies before the failure.
|
||||
14
csharp/ql/src/change-notes/released/1.1.0.md
Normal file
14
csharp/ql/src/change-notes/released/1.1.0.md
Normal file
@@ -0,0 +1,14 @@
|
||||
## 1.1.0
|
||||
|
||||
### New Queries
|
||||
|
||||
* Added a new query, `csharp/path-combine`, to recommend against the `Path.Combine` method due to it silently discarding its earlier parameters if later parameters are rooted.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Improved dependency resolution in `build-mode: none` extraction to handle failing `dotnet restore` processes that managed to download a subset of the dependencies before the failure.
|
||||
* Increase query precision for `cs/useless-gethashcode-call` by not flagging calls to `GetHashCode` on `uint`, `long` and `ulong`.
|
||||
* Increase query precision for `cs/constant-condition` and allow the use of discards in switch/case statements and also take the condition (if any) into account.
|
||||
* The `cs/local-not-disposed` query no longer flags un-disposed tasks as this is often not needed (explained [here](https://devblogs.microsoft.com/pfxteam/do-i-need-to-dispose-of-tasks/)).
|
||||
* Increase query precision for `cs/useless-assignment-to-local` and `cs/constant-condition` when *unknown* types are involved (mostly relevant for `build-mode: none` databases).
|
||||
* Don't consider an if-statement to be *useless* in `cs/useless-if-statement` if there is at least a comment.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.0.19
|
||||
lastReleaseVersion: 1.1.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 1.0.20-dev
|
||||
version: 1.1.0
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.0.20
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.0.19
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.0.20
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.0.19
|
||||
lastReleaseVersion: 1.0.20
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql-go-consistency-queries
|
||||
version: 1.0.20-dev
|
||||
version: 1.0.20
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 4.2.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* We no longer track taint into a `sync.Map` via the key of a key-value pair, since we do not model any way in which keys can be read from a `sync.Map`.
|
||||
* `database` source models have been added for v1 and v2 of the `github.com/couchbase/gocb` package.
|
||||
* Added `database` source models for the `github.com/Masterminds/squirrel` ORM package.
|
||||
|
||||
## 4.2.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added `database` source models for the `github.com/Masterminds/squirrel` ORM package.
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* `database` source models have been added for v1 and v2 of the `github.com/couchbase/gocb` package.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* We no longer track taint into a `sync.Map` via the key of a key-value pair, since we do not model any way in which keys can be read from a `sync.Map`.
|
||||
7
go/ql/lib/change-notes/released/4.2.2.md
Normal file
7
go/ql/lib/change-notes/released/4.2.2.md
Normal file
@@ -0,0 +1,7 @@
|
||||
## 4.2.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* We no longer track taint into a `sync.Map` via the key of a key-value pair, since we do not model any way in which keys can be read from a `sync.Map`.
|
||||
* `database` source models have been added for v1 and v2 of the `github.com/couchbase/gocb` package.
|
||||
* Added `database` source models for the `github.com/Masterminds/squirrel` ORM package.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 4.2.1
|
||||
lastReleaseVersion: 4.2.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-all
|
||||
version: 4.2.2-dev
|
||||
version: 4.2.2
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
||||
@@ -1,3 +1,9 @@
|
||||
## 1.1.11
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* False positives in "Log entries created from user input" (`go/log-injection`) and "Clear-text logging of sensitive information" (`go/clear-text-logging`) which involved the verb `%T` in a format specifier have been fixed. As a result, some users may also see more alerts from the "Use of constant `state` value in OAuth 2.0 URL" (`go/constant-oauth2-state`) query.
|
||||
|
||||
## 1.1.10
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 1.1.11
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* False positives in "Log entries created from user input" (`go/log-injection`) and "Clear-text logging of sensitive information" (`go/clear-text-logging`) which involved the verb `%T` in a format specifier have been fixed. As a result, some users may also see more alerts from the "Use of constant `state` value in OAuth 2.0 URL" (`go/constant-oauth2-state`) query.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.1.10
|
||||
lastReleaseVersion: 1.1.11
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-queries
|
||||
version: 1.1.11-dev
|
||||
version: 1.1.11
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,18 @@
|
||||
## 7.1.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it.
|
||||
* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* In `build-mode: none` where the project has a Gradle build system, database creation no longer attempts to download some non-existent jar files relating to non-jar Maven artifacts, such as BOMs. This was harmless, but saves some time and reduces spurious warnings.
|
||||
* Java extraction no longer freezes for a long time or times out when using libraries that feature expanding cyclic generic types. For example, this was known to occur when using some classes from the Blazebit Persistence library.
|
||||
* Java build-mode `none` no longer fails when a required version of Gradle cannot be downloaded using the `gradle wrapper` command, such as due to a firewall. It will now attempt to use the system version of Gradle if present, or otherwise proceed without detailed dependency information.
|
||||
* Java build-mode `none` no longer fails when a required version of Maven cannot be downloaded, such as due to a firewall. It will now attempt to use the system version of Maven if present, or otherwise proceed without detailed dependency information.
|
||||
* Java build-mode `none` now correctly uses Maven dependency information on Windows platforms.
|
||||
|
||||
## 7.1.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Java build-mode `none` no longer fails when a required version of Maven cannot be downloaded, such as due to a firewall. It will now attempt to use the system version of Maven if present, or otherwise proceed without detailed dependency information.
|
||||
* Java build-mode `none` now correctly uses Maven dependency information on Windows platforms.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Java extraction no longer freezes for a long time or times out when using libraries that feature expanding cyclic generic types. For example, this was known to occur when using some classes from the Blazebit Persistence library.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Java build-mode `none` no longer fails when a required version of Gradle cannot be downloaded using the `gradle wrapper` command, such as due to a firewall. It will now attempt to use the system version of Gradle if present, or otherwise proceed without detailed dependency information.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* In `build-mode: none` where the project has a Gradle build system, database creation no longer attempts to download some non-existent jar files relating to non-jar Maven artifacts, such as BOMs. This was harmless, but saves some time and reduces spurious warnings.
|
||||
14
java/ql/lib/change-notes/released/7.1.2.md
Normal file
14
java/ql/lib/change-notes/released/7.1.2.md
Normal file
@@ -0,0 +1,14 @@
|
||||
## 7.1.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it.
|
||||
* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path.
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* In `build-mode: none` where the project has a Gradle build system, database creation no longer attempts to download some non-existent jar files relating to non-jar Maven artifacts, such as BOMs. This was harmless, but saves some time and reduces spurious warnings.
|
||||
* Java extraction no longer freezes for a long time or times out when using libraries that feature expanding cyclic generic types. For example, this was known to occur when using some classes from the Blazebit Persistence library.
|
||||
* Java build-mode `none` no longer fails when a required version of Gradle cannot be downloaded using the `gradle wrapper` command, such as due to a firewall. It will now attempt to use the system version of Gradle if present, or otherwise proceed without detailed dependency information.
|
||||
* Java build-mode `none` no longer fails when a required version of Maven cannot be downloaded, such as due to a firewall. It will now attempt to use the system version of Maven if present, or otherwise proceed without detailed dependency information.
|
||||
* Java build-mode `none` now correctly uses Maven dependency information on Windows platforms.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 7.1.1
|
||||
lastReleaseVersion: 7.1.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-all
|
||||
version: 7.1.2-dev
|
||||
version: 7.1.2
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
||||
@@ -1,3 +1,19 @@
|
||||
## 1.4.0
|
||||
|
||||
### New Queries
|
||||
|
||||
* Added a new quality query, `java/empty-method`, to detect empty methods.
|
||||
* The query `java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the [CodeQL Community Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs). This query was originally submitted as an experimental query [by @ggolawski](https://github.com/github/codeql/pull/2901).
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Updated the `java/unreleased-lock` query so that it no longer report alerts in cases where a boolean variable is used to track lock state.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed a false positive in "Time-of-check time-of-use race condition" (`java/toctou-race-condition`) where a field of a non-static class was not considered always-locked if it was accessed in a constructor.
|
||||
* Overrides of `BroadcastReceiver::onReceive` with no statements in their body are no longer considered unverified by the `java/improper-intent-verification` query. This will reduce false positives from `onReceive` methods which do not perform any actions.
|
||||
|
||||
## 1.3.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
* The query `java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the [CodeQL Community Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs). This query was originally submitted as an experimental query [by @ggolawski](https://github.com/github/codeql/pull/2901).
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* Updated the `java/unreleased-lock` query so that it no longer report alerts in cases where a boolean variable is used to track lock state.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Overrides of `BroadcastReceiver::onReceive` with no statements in their body are no longer considered unverified by the `java/improper-intent-verification` query. This will reduce false positives from `onReceive` methods which do not perform any actions.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
* Added a new quality query, `java/empty-method`, to detect empty methods.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed a false positive in "Time-of-check time-of-use race condition" (`java/toctou-race-condition`) where a field of a non-static class was not considered always-locked if it was accessed in a constructor.
|
||||
15
java/ql/src/change-notes/released/1.4.0.md
Normal file
15
java/ql/src/change-notes/released/1.4.0.md
Normal file
@@ -0,0 +1,15 @@
|
||||
## 1.4.0
|
||||
|
||||
### New Queries
|
||||
|
||||
* Added a new quality query, `java/empty-method`, to detect empty methods.
|
||||
* The query `java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the [CodeQL Community Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs). This query was originally submitted as an experimental query [by @ggolawski](https://github.com/github/codeql/pull/2901).
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Updated the `java/unreleased-lock` query so that it no longer report alerts in cases where a boolean variable is used to track lock state.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed a false positive in "Time-of-check time-of-use race condition" (`java/toctou-race-condition`) where a field of a non-static class was not considered always-locked if it was accessed in a constructor.
|
||||
* Overrides of `BroadcastReceiver::onReceive` with no statements in their body are no longer considered unverified by the `java/improper-intent-verification` query. This will reduce false positives from `onReceive` methods which do not perform any actions.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.3.1
|
||||
lastReleaseVersion: 1.4.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 1.3.2-dev
|
||||
version: 1.4.0
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,35 @@
|
||||
## 2.6.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Extraction now supports regular expressions with the `v` flag, using the new operators:
|
||||
- Intersection `&&`
|
||||
- Subtraction `--`
|
||||
- `\q` quoted string
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Added support for TypeScript 5.8.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added support for additional `fs-extra` methods as sinks in path-injection queries.
|
||||
* Added support for the newer version of `Hapi` with the `@hapi/hapi` import and `server` function.
|
||||
* Improved modeling of the `node:fs` module: `await`-ed calls to `read` and `readFile` are now supported.
|
||||
* Added support for the `@sap/hana-client`, `@sap/hdbext` and `hdb` packages.
|
||||
* Enhanced `axios` support with new methods (`postForm`, `putForm`, `patchForm`, `getUri`, `create`) and added support for `interceptors.request` and `interceptors.response`.
|
||||
* Improved support for `got` package with `Options`, `paginate()` and `extend()`
|
||||
* Added support for the `ApolloServer` class from `@apollo/server` and similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input.
|
||||
* Improved support for `superagent` to handle the case where the package is directly called as a function, or via the `.del()` or `.agent()` method.
|
||||
* Added support for the `underscore.string` package.
|
||||
* Added additional flow step for `unescape()` and `escape()`.
|
||||
* Added support for the `@tanstack/vue-query` package.
|
||||
* Added taint-steps for `unescape()`.
|
||||
* Added support for the `@tanstack/angular-query-experimental` package.
|
||||
* Improved support for the `@angular/common/http` package, detecting outgoing HTTP requests in more cases.
|
||||
* Improved the modeling of the `markdown-table` package to ensure it handles nested arrays properly.
|
||||
* Added support for the `react-relay` library.
|
||||
|
||||
## 2.5.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* Added support for TypeScript 5.8.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for the `react-relay` library.
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Extraction now supports regular expressions with the `v` flag, using the new operators:
|
||||
- Intersection `&&`
|
||||
- Subtraction `--`
|
||||
- `\q` quoted string
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved the modeling of the `markdown-table` package to ensure it handles nested arrays properly.
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for the `@tanstack/angular-query-experimental` package.
|
||||
* Improved support for the `@angular/common/http` package, detecting outgoing HTTP requests in more cases.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for the `@tanstack/vue-query` package.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added taint-steps for `unescape()`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added additional flow step for `unescape()` and `escape()`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for the `underscore.string` package.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for the `ApolloServer` class from `@apollo/server` and similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved support for `superagent` to handle the case where the package is directly called as a function, or via the `.del()` or `.agent()` method.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Enhanced `axios` support with new methods (`postForm`, `putForm`, `patchForm`, `getUri`, `create`) and added support for `interceptors.request` and `interceptors.response`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved support for `got` package with `Options`, `paginate()` and `extend()`
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for the newer version of `Hapi` with the `@hapi/hapi` import and `server` function.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved modeling of the `node:fs` module: `await`-ed calls to `read` and `readFile` are now supported.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for the `@sap/hana-client`, `@sap/hdbext` and `hdb` packages.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for additional `fs-extra` methods as sinks in path-injection queries.
|
||||
31
javascript/ql/lib/change-notes/released/2.6.0.md
Normal file
31
javascript/ql/lib/change-notes/released/2.6.0.md
Normal file
@@ -0,0 +1,31 @@
|
||||
## 2.6.0
|
||||
|
||||
### New Features
|
||||
|
||||
* Extraction now supports regular expressions with the `v` flag, using the new operators:
|
||||
- Intersection `&&`
|
||||
- Subtraction `--`
|
||||
- `\q` quoted string
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Added support for TypeScript 5.8.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added support for additional `fs-extra` methods as sinks in path-injection queries.
|
||||
* Added support for the newer version of `Hapi` with the `@hapi/hapi` import and `server` function.
|
||||
* Improved modeling of the `node:fs` module: `await`-ed calls to `read` and `readFile` are now supported.
|
||||
* Added support for the `@sap/hana-client`, `@sap/hdbext` and `hdb` packages.
|
||||
* Enhanced `axios` support with new methods (`postForm`, `putForm`, `patchForm`, `getUri`, `create`) and added support for `interceptors.request` and `interceptors.response`.
|
||||
* Improved support for `got` package with `Options`, `paginate()` and `extend()`
|
||||
* Added support for the `ApolloServer` class from `@apollo/server` and similar packages. In particular, the incoming data in a GraphQL resolver is now seen as a source of untrusted user input.
|
||||
* Improved support for `superagent` to handle the case where the package is directly called as a function, or via the `.del()` or `.agent()` method.
|
||||
* Added support for the `underscore.string` package.
|
||||
* Added additional flow step for `unescape()` and `escape()`.
|
||||
* Added support for the `@tanstack/vue-query` package.
|
||||
* Added taint-steps for `unescape()`.
|
||||
* Added support for the `@tanstack/angular-query-experimental` package.
|
||||
* Improved support for the `@angular/common/http` package, detecting outgoing HTTP requests in more cases.
|
||||
* Improved the modeling of the `markdown-table` package to ensure it handles nested arrays properly.
|
||||
* Added support for the `react-relay` library.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 2.5.1
|
||||
lastReleaseVersion: 2.6.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-all
|
||||
version: 2.5.2-dev
|
||||
version: 2.6.0
|
||||
groups: javascript
|
||||
dbscheme: semmlecode.javascript.dbscheme
|
||||
extractor: javascript
|
||||
|
||||
@@ -1,3 +1,17 @@
|
||||
## 1.5.2
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* Fixed a bug, first introduced in `2.20.3`, that would prevent `v-html` attributes in Vue files
|
||||
from being flagged by the `js/xss` query. The original behaviour has been restored and the `v-html`
|
||||
attribute is once again functioning as a sink for the `js/xss` query.
|
||||
* Fixed a bug that would in rare cases cause some regexp-based checks
|
||||
to be seen as generic taint sanitisers, even though the underlying regexp
|
||||
is not restrictive enough. The regexps are now analysed more precisely,
|
||||
and unrestrictive regexp checks will no longer block taint flow.
|
||||
* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
|
||||
valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.
|
||||
|
||||
## 1.5.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Fixed a recently-introduced bug that caused `js/server-side-unvalidated-url-redirection` to ignore
|
||||
valid hostname checks and report spurious alerts after such a check. The original behaviour has been restored.
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* Fixed a bug that would in rare cases cause some regexp-based checks
|
||||
to be seen as generic taint sanitisers, even though the underlying regexp
|
||||
is not restrictive enough. The regexps are now analysed more precisely,
|
||||
and unrestrictive regexp checks will no longer block taint flow.
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user