mirror of
https://github.com/github/codeql.git
synced 2026-04-28 02:05:14 +02:00
Merge remote-tracking branch 'origin/main' into dbartol/threat-models
This commit is contained in:
Dave Bartolomeo
@@ -1,3 +1,7 @@
|
||||
## 0.0.6
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.0.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
java/ql/automodel/src/change-notes/released/0.0.6.md
Normal file
3
java/ql/automodel/src/change-notes/released/0.0.6.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.0.6
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.0.5
|
||||
lastReleaseVersion: 0.0.6
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-automodel-queries
|
||||
version: 0.0.6-dev
|
||||
version: 0.0.7-dev
|
||||
groups:
|
||||
- java
|
||||
- automodel
|
||||
|
||||
@@ -1,3 +1,41 @@
|
||||
## 0.8.1
|
||||
|
||||
### New Features
|
||||
|
||||
* Added predicate `MemberRefExpr::getReceiverExpr`
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
|
||||
* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
|
||||
* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
|
||||
* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
|
||||
* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
|
||||
* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
|
||||
* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
|
||||
* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
|
||||
* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
|
||||
There are no changes to results unless you add source models using the `environment` or `file` source kinds.
|
||||
* Added `environment` source models for the following methods:
|
||||
* `java.lang.System#getenv`
|
||||
* `java.lang.System#getProperties`
|
||||
* `java.lang.System#getProperty`
|
||||
* `java.util.Properties#get`
|
||||
* `java.util.Properties#getProperty`
|
||||
* Added `file` source models for the following methods:
|
||||
* the `java.io.FileInputStream` constructor
|
||||
* `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
|
||||
* `hudson.FilePath#openInputStream`
|
||||
* `hudson.FilePath#read`
|
||||
* `hudson.FilePath#readFromOffset`
|
||||
* `hudson.FilePath#readToString`
|
||||
* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
|
||||
There are no changes to results unless you add source models using the `database` source kind.
|
||||
* Added `database` source models for the following method:
|
||||
* `java.sql.ResultSet#getString`
|
||||
|
||||
## 0.8.0
|
||||
|
||||
### New Features
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
|
||||
There are no changes to results unless you add source models using the `environment` or `file` source kinds.
|
||||
* Added `environment` source models for the following methods:
|
||||
* `java.lang.System#getenv`
|
||||
* `java.lang.System#getProperties`
|
||||
* `java.lang.System#getProperty`
|
||||
* `java.util.Properties#get`
|
||||
* `java.util.Properties#getProperty`
|
||||
* Added `file` source models for the following methods:
|
||||
* the `java.io.FileInputStream` constructor
|
||||
* `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
|
||||
* `hudson.FilePath#openInputStream`
|
||||
* `hudson.FilePath#read`
|
||||
* `hudson.FilePath#readFromOffset`
|
||||
* `hudson.FilePath#readToString`
|
||||
* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
|
||||
There are no changes to results unless you add source models using the `database` source kind.
|
||||
* Added `database` source models for the following method:
|
||||
* `java.sql.ResultSet#getString`
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added predicate `MemberRefExpr::getReceiverExpr`
|
||||
@@ -1,12 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
|
||||
* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
|
||||
* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
|
||||
* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
|
||||
* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
|
||||
* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
|
||||
* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
|
||||
* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
|
||||
37
java/ql/lib/change-notes/released/0.8.1.md
Normal file
37
java/ql/lib/change-notes/released/0.8.1.md
Normal file
@@ -0,0 +1,37 @@
|
||||
## 0.8.1
|
||||
|
||||
### New Features
|
||||
|
||||
* Added predicate `MemberRefExpr::getReceiverExpr`
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
|
||||
* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
|
||||
* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
|
||||
* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
|
||||
* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
|
||||
* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
|
||||
* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
|
||||
* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
|
||||
* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
|
||||
There are no changes to results unless you add source models using the `environment` or `file` source kinds.
|
||||
* Added `environment` source models for the following methods:
|
||||
* `java.lang.System#getenv`
|
||||
* `java.lang.System#getProperties`
|
||||
* `java.lang.System#getProperty`
|
||||
* `java.util.Properties#get`
|
||||
* `java.util.Properties#getProperty`
|
||||
* Added `file` source models for the following methods:
|
||||
* the `java.io.FileInputStream` constructor
|
||||
* `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
|
||||
* `hudson.FilePath#openInputStream`
|
||||
* `hudson.FilePath#read`
|
||||
* `hudson.FilePath#readFromOffset`
|
||||
* `hudson.FilePath#readToString`
|
||||
* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
|
||||
There are no changes to results unless you add source models using the `database` source kind.
|
||||
* Added `database` source models for the following method:
|
||||
* `java.sql.ResultSet#getString`
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.0
|
||||
lastReleaseVersion: 0.8.1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-all
|
||||
version: 0.8.1-dev
|
||||
version: 0.8.2-dev
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
||||
@@ -1,3 +1,9 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
|
||||
|
||||
## 0.8.0
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.0
|
||||
lastReleaseVersion: 0.8.1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 0.8.1-dev
|
||||
version: 0.8.2-dev
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
Reference in New Issue
Block a user