Merge pull request #7285 from github/post-release-prep-2.7.3-ddd4ccbb

Post-release preparation 2.7.3

.codeqlmanifest.json

@@ -10,7 +10,14 @@
         "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
         "misc/legacy-support/*/qlpack.yml",
         "misc/suite-helpers/qlpack.yml",
-        "ruby/ql/consistency-queries/qlpack.yml",
-        "ruby/extractor-pack/codeql-extractor.yml"
-   ]
-}
+        "ruby/extractor-pack/codeql-extractor.yml",
+        "ruby/ql/consistency-queries/qlpack.yml"
+    ],
+    "versionPolicies": {
+      "default": {
+        "requireChangeNotes": true,
+        "committedPrereleaseSuffix": "dev",
+        "committedVersion": "nextPatchRelease"
+      }
+    }
+}

cpp/ql/lib/CHANGELOG.md

@@ -0,0 +1,7 @@
+## 0.0.4
+
+### New Features
+
+* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
+  `isFromSystemMacroDefinition` for identifying code that originates from a
+  macro outside the project being analyzed.

cpp/ql/lib/change-notes/released/0.0.4.md

@@ -0,0 +1,7 @@
+## 0.0.4
+
+### New Features
+
+* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
+  `isFromSystemMacroDefinition` for identifying code that originates from a
+  macro outside the project being analyzed.

cpp/ql/lib/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

cpp/ql/lib/qlpack.yml

@@ -1,7 +1,8 @@
 name: codeql/cpp-all
-version: 0.0.2
+version: 0.0.5-dev
+groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
 dependencies:
-  codeql/cpp-upgrades: 0.0.2
+  codeql/cpp-upgrades: 0.0.3

cpp/ql/src/CHANGELOG.md

@@ -0,0 +1,5 @@
+## 0.0.4
+
+### New Queries
+
+* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.

cpp/ql/src/change-notes/released/0.0.4.md

@@ -0,0 +1,5 @@
+## 0.0.4
+
+### New Queries
+
+* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.

cpp/ql/src/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

cpp/ql/src/qlpack.yml

@@ -1,5 +1,6 @@
 name: codeql/cpp-queries
-version: 0.0.2
+version: 0.0.5-dev
+groups: cpp
 dependencies:
     codeql/cpp-all: "*"
     codeql/suite-helpers: "*"

cpp/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-tests
-version: 0.0.2
+groups: [cpp, test]
 dependencies:
   codeql/cpp-all: "*"
   codeql/cpp-queries: "*"

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml

@@ -1,6 +1,6 @@
 # This directory has its own qlpack for reasons detailed in commit 2550788598010fa2117274607c9d58f64f997f34
 name: codeql/cpp-tests-cwe-190-tainted
-version: 0.0.2
+groups: [cpp, test]
 dependencies:
   codeql/cpp-all: "*"
   codeql/cpp-queries: "*"

cpp/upgrades/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

cpp/upgrades/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

cpp/upgrades/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

cpp/upgrades/qlpack.yml

@@ -1,4 +1,5 @@
 name: codeql/cpp-upgrades
+groups: cpp
 upgrades: .
-version: 0.0.2
+version: 0.0.5-dev
 library: true

csharp/ql/lib/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

csharp/ql/lib/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

csharp/ql/lib/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

csharp/ql/lib/qlpack.yml

@@ -1,7 +1,8 @@
 name: codeql/csharp-all
-version: 0.0.2
+version: 0.0.5-dev
+groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
 library: true
 dependencies:
-  codeql/csharp-upgrades: 0.0.2
+  codeql/csharp-upgrades: 0.0.3

csharp/ql/src/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

csharp/ql/src/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

csharp/ql/src/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

csharp/ql/src/qlpack.yml

@@ -1,5 +1,6 @@
 name: codeql/csharp-queries
-version: 0.0.2
+version: 0.0.5-dev
+groups: csharp
 suites: codeql-suites
 extractor: csharp
 defaultSuiteFile: codeql-suites/csharp-code-scanning.qls

csharp/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-csharp-tests
-version: 0.0.2
+groups: [csharp, test]
 dependencies:
   codeql/csharp-all: "*"
   codeql/csharp-queries: "*"

csharp/upgrades/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

csharp/upgrades/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

csharp/upgrades/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

csharp/upgrades/qlpack.yml

@@ -1,4 +1,5 @@
 name: codeql/csharp-upgrades
+groups: csharp
+version: 0.0.5-dev
 upgrades: .
-version: 0.0.2
 library: true

java/ql/lib/CHANGELOG.md

@@ -0,0 +1,7 @@
+## 0.0.4
+
+### Bug Fixes
+
+* `CharacterLiteral`'s `getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
+* The `RangeAnalysis` module and the `java/constant-comparison` queries no longer raise false alerts regarding comparisons with Unicode surrogate character literals.
+* The predicate `Method.overrides(Method)` was accidentally transitive. This has been fixed. This fix also affects `Method.overridesOrInstantiates(Method)` and `Method.getASourceOverriddenMethod()`.

java/ql/lib/change-notes/released/0.0.4.md

@@ -0,0 +1,7 @@
+## 0.0.4
+
+### Bug Fixes
+
+* `CharacterLiteral`'s `getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
+* The `RangeAnalysis` module and the `java/constant-comparison` queries no longer raise false alerts regarding comparisons with Unicode surrogate character literals.
+* The predicate `Method.overrides(Method)` was accidentally transitive. This has been fixed. This fix also affects `Method.overridesOrInstantiates(Method)` and `Method.getASourceOverriddenMethod()`.

java/ql/lib/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

java/ql/lib/qlpack.yml

@@ -1,7 +1,8 @@
 name: codeql/java-all
-version: 0.0.2
+version: 0.0.5-dev
+groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
 library: true
 dependencies:
-    codeql/java-upgrades: 0.0.2
+    codeql/java-upgrades: 0.0.3

java/ql/src/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

java/ql/src/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

java/ql/src/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

java/ql/src/qlpack.yml

@@ -1,5 +1,6 @@
 name: codeql/java-queries
-version: 0.0.2
+version: 0.0.5-dev
+groups: java
 suites: codeql-suites
 extractor: java
 defaultSuiteFile: codeql-suites/java-code-scanning.qls

java/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-tests
-version: 0.0.2
+groups: [java, test]
 dependencies:
     codeql/java-all: "*"
     codeql/java-queries: "*"

java/upgrades/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

java/upgrades/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

java/upgrades/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

java/upgrades/qlpack.yml

@@ -1,4 +1,5 @@
 name: codeql/java-upgrades
+groups: java
 upgrades: .
 library: true
-version: 0.0.2
+version: 0.0.5-dev

javascript/ql/lib/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.5

javascript/ql/lib/change-notes/released/0.0.5.md

@@ -0,0 +1 @@
+## 0.0.5

javascript/ql/lib/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.5

javascript/ql/lib/qlpack.yml

@@ -1,7 +1,8 @@
 name: codeql/javascript-all
-version: 0.0.3
+version: 0.0.5
+groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
 library: true
 dependencies:
-    codeql/javascript-upgrades: 0.0.3
+    codeql/javascript-upgrades: 0.0.4

javascript/ql/src/CHANGELOG.md

@@ -0,0 +1,7 @@
+## 0.0.5
+
+### New Queries
+
+* The `js/sensitive-get-query` query has been added. It highlights GET requests that read sensitive information from the query string.
+* The `js/insufficient-key-size` query has been added. It highlights the creation of cryptographic keys with a short key size.
+* The `js/session-fixation` query has been added. It highlights servers that reuse a session after a user has logged in.

javascript/ql/src/change-notes/released/0.0.5.md

@@ -0,0 +1,7 @@
+## 0.0.5
+
+### New Queries
+
+* The `js/sensitive-get-query` query has been added. It highlights GET requests that read sensitive information from the query string.
+* The `js/insufficient-key-size` query has been added. It highlights the creation of cryptographic keys with a short key size.
+* The `js/session-fixation` query has been added. It highlights servers that reuse a session after a user has logged in.

javascript/ql/src/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.5

javascript/ql/src/qlpack.yml

@@ -1,5 +1,6 @@
 name: codeql/javascript-queries
-version: 0.0.3
+version: 0.0.5
+groups: javascript
 suites: codeql-suites
 extractor: javascript
 defaultSuiteFile: codeql-suites/javascript-code-scanning.qls

javascript/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-tests
-version: 0.0.3
+groups: [javascript, test]
 dependencies:
   codeql/javascript-all: "*"
   codeql/javascript-queries: "*"

javascript/upgrades/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.5

javascript/upgrades/change-notes/released/0.0.5.md

@@ -0,0 +1 @@
+## 0.0.5

javascript/upgrades/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.5

javascript/upgrades/qlpack.yml

@@ -1,4 +1,5 @@
 name: codeql/javascript-upgrades
+groups: javascript
 upgrades: .
 library: true
-version: 0.0.3
+version: 0.0.5

misc/suite-helpers/qlpack.yml

@@ -1,2 +1,3 @@
 name: codeql/suite-helpers
-version: 0.0.2
+version: 0.0.3
+groups: shared

python/ql/lib/CHANGELOG.md

@@ -0,0 +1,10 @@
+## 0.0.4
+
+### Major Analysis Improvements
+
+* Added modeling of `os.stat`, `os.lstat`, `os.statvfs`, `os.fstat`, and `os.fstatvfs`, which are new sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.
+* Added modeling of the `posixpath`, `ntpath`, and `genericpath` modules for path operations (although these are not supposed to be used), resulting in new sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.
+* Added modeling of `wsgiref.simple_server` applications, leading to new remote flow sources.
+* Added modeling of `aiopg` for sinks executing SQL.
+* Added modeling of HTTP requests and responses when using `flask_admin` (`Flask-Admin` PyPI package), which leads to additional remote flow sources.
+* Added modeling of the PyPI package `toml`, which provides encoding/decoding of TOML documents, leading to new taint-tracking steps.

python/ql/lib/change-notes/released/0.0.4.md

@@ -0,0 +1,10 @@
+## 0.0.4
+
+### Major Analysis Improvements
+
+* Added modeling of `os.stat`, `os.lstat`, `os.statvfs`, `os.fstat`, and `os.fstatvfs`, which are new sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.
+* Added modeling of the `posixpath`, `ntpath`, and `genericpath` modules for path operations (although these are not supposed to be used), resulting in new sinks for the _Uncontrolled data used in path expression_ (`py/path-injection`) query.
+* Added modeling of `wsgiref.simple_server` applications, leading to new remote flow sources.
+* Added modeling of `aiopg` for sinks executing SQL.
+* Added modeling of HTTP requests and responses when using `flask_admin` (`Flask-Admin` PyPI package), which leads to additional remote flow sources.
+* Added modeling of the PyPI package `toml`, which provides encoding/decoding of TOML documents, leading to new taint-tracking steps.

python/ql/lib/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

python/ql/lib/qlpack.yml

@@ -1,7 +1,8 @@
 name: codeql/python-all
-version: 0.0.2
+version: 0.0.5-dev
+groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
 library: true
 dependencies:
-    codeql/python-upgrades: 0.0.2
+    codeql/python-upgrades: 0.0.3

python/ql/src/CHANGELOG.md

@@ -0,0 +1,5 @@
+## 0.0.4
+
+### Query Metadata Changes
+
+* Fixed the query ids of two queries that are meant for manual exploration: `python/count-untrusted-data-external-api` and `python/untrusted-data-to-external-api` have been changed to `py/count-untrusted-data-external-api` and `py/untrusted-data-to-external-api`.

python/ql/src/change-notes/released/0.0.4.md

@@ -0,0 +1,5 @@
+## 0.0.4
+
+### Query Metadata Changes
+
+* Fixed the query ids of two queries that are meant for manual exploration: `python/count-untrusted-data-external-api` and `python/untrusted-data-to-external-api` have been changed to `py/count-untrusted-data-external-api` and `py/untrusted-data-to-external-api`.

python/ql/src/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

python/ql/src/qlpack.yml

@@ -1,5 +1,6 @@
 name: codeql/python-queries
-version: 0.0.2
+version: 0.0.5-dev
+groups: python
 dependencies:
     codeql/python-all: "*"
     codeql/suite-helpers: "*"

python/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-tests
-version: 0.0.2
+groups: [python, test]
 dependencies:
     codeql/python-all: "*"
     codeql/python-queries: "*"

python/upgrades/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

python/upgrades/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

python/upgrades/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

python/upgrades/qlpack.yml

@@ -1,4 +1,5 @@
 name: codeql/python-upgrades
+groups: python
 upgrades: .
 library: true
-version: 0.0.2
+version: 0.0.5-dev

ruby/ql/lib/CHANGELOG.md

@@ -0,0 +1 @@
+## 0.0.4

ruby/ql/lib/change-notes/released/0.0.4.md

@@ -0,0 +1 @@
+## 0.0.4

ruby/ql/lib/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

ruby/ql/lib/qlpack.yml

@@ -1,5 +1,6 @@
 name: codeql/ruby-all
-version: 0.0.2
+version: 0.0.5-dev
+groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
 upgrades: upgrades

ruby/ql/src/CHANGELOG.md

@@ -0,0 +1,10 @@
+## 0.0.4
+
+### New Queries
+
+* A new query (`rb/request-forgery`) has been added. The query finds HTTP requests made with user-controlled URLs.
+* A new query (`rb/csrf-protection-disabled`) has been added. The query finds cases where cross-site forgery protection is explictly disabled.
+
+### Query Metadata Changes
+
+* The precision of "Hard-coded credentials" (`rb/hardcoded-credentials`) has been decreased from "high" to "medium". This query will no longer be run and displayed by default on Code Scanning and LGTM.

ruby/ql/src/change-notes/released/0.0.4.md

@@ -0,0 +1,10 @@
+## 0.0.4
+
+### New Queries
+
+* A new query (`rb/request-forgery`) has been added. The query finds HTTP requests made with user-controlled URLs.
+* A new query (`rb/csrf-protection-disabled`) has been added. The query finds cases where cross-site forgery protection is explictly disabled.
+
+### Query Metadata Changes
+
+* The precision of "Hard-coded credentials" (`rb/hardcoded-credentials`) has been decreased from "high" to "medium". This query will no longer be run and displayed by default on Code Scanning and LGTM.

ruby/ql/src/codeql-pack.release.yml

@@ -0,0 +1,2 @@
+---
+lastReleaseVersion: 0.0.4

ruby/ql/src/qlpack.yml

@@ -1,5 +1,6 @@
 name: codeql/ruby-queries
-version: 0.0.2
+version: 0.0.5-dev
+groups: ruby
 suites: codeql-suites
 defaultSuiteFile: codeql-suites/ruby-code-scanning.qls
 dependencies:

ruby/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-tests
-version: 0.0.2
+groups: [ruby, test]
 dependencies:
   codeql/ruby-queries: ^0.0.2
   codeql/ruby-examples: ^0.0.2