mirror of
https://github.com/github/codeql.git
synced 2026-04-22 23:35:14 +02:00
Merge pull request #15254 from github/post-release-prep/codeql-cli-2.16.0
Post-release preparation for codeql-cli-2.16.0
@@ -1,3 +1,38 @@
## 0.8.6
### Deprecated APIs
* Imports of the old dataflow libraries (e.g. `semmle.code.java.dataflow.DataFlow2`) have been deprecated in the libraries under the `semmle.code.java.security` namespace.
### Minor Analysis Improvements
* Added the `Map#replace` and `Map#replaceAll` methods to the `MapMutator` class in `semmle.code.java.Maps`.
* Taint tracking now understands Kotlin's `Array.get` and `Array.set` methods.
* Added a sink model for the `createRelative` method of the `org.springframework.core.io.Resource` interface.
* Added source models for methods of the `org.springframework.web.util.UrlPathHelper` class and removed their taint flow models.
* Added models for the following packages:
* com.google.common.io
* hudson
* hudson.console
* java.lang
* java.net
* java.util.logging
* javax.imageio.stream
* org.apache.commons.io
* org.apache.hadoop.hive.ql.exec
* org.apache.hadoop.hive.ql.metadata
* org.apache.tools.ant.taskdefs
* Added models for the following packages:
* com.alibaba.druid.sql.repository
* jakarta.persistence
* jakarta.persistence.criteria
* liquibase.database.jvm
* liquibase.statement.core
</gr_replreplace>
<gr_replace lines="101-102" cat="remove_boilerplate" orig="|">
* org.apache.ibatis.mapping
|
||||
* org.keycloak.models.map.storage
## 0.8.5
No user-facing changes.
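Review bot: the two separate `* Added models for the following packages:` bullets in this `## 0.8.6` section (the first listing `com.google.common.io` through `org.apache.tools.ant.taskdefs`, the second `com.alibaba.druid.sql.repository` through `org.keycloak.models.map.storage`) read as a duplicated heading in the released changelog; consider merging them into one bullet with a single combined package list. Both bullets are carried over verbatim from the two `category: minorAnalysis` change-note files deleted further down in this commit, so the merge has to be made by hand in this section and in the matching `java/ql/lib/change-notes/released/0.8.6.md` added below.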
@@ -1,12 +0,0 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* com.alibaba.druid.sql.repository
* jakarta.persistence
* jakarta.persistence.criteria
* liquibase.database.jvm
* liquibase.statement.core
* org.apache.ibatis.mapping
* org.keycloak.models.map.storage
@@ -1,16 +0,0 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* com.google.common.io
* hudson
* hudson.console
* java.lang
* java.net
* java.util.logging
* javax.imageio.stream
* org.apache.commons.io
* org.apache.hadoop.hive.ql.exec
* org.apache.hadoop.hive.ql.metadata
* org.apache.tools.ant.taskdefs
@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Added a sink model for the `createRelative` method of the `org.springframework.core.io.Resource` interface.
* Added source models for methods of the `org.springframework.web.util.UrlPathHelper` class and removed their taint flow models.
@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Taint tracking now understands Kotlin's `Array.get` and `Array.set` methods.
@@ -1,4 +0,0 @@
---
category: deprecated
---
* Imports of the old dataflow libraries (e.g. `semmle.code.java.dataflow.DataFlow2`) have been deprecated in the libraries under the `semmle.code.java.security` namespace.
@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added the `Map#replace` and `Map#replaceAll` methods to the `MapMutator` class in `semmle.code.java.Maps`.
java/ql/lib/change-notes/released/0.8.6.md (Normal file, 34 lines)
@@ -0,0 +1,34 @@
## 0.8.6
### Deprecated APIs
* Imports of the old dataflow libraries (e.g. `semmle.code.java.dataflow.DataFlow2`) have been deprecated in the libraries under the `semmle.code.java.security` namespace.
### Minor Analysis Improvements
* Added the `Map#replace` and `Map#replaceAll` methods to the `MapMutator` class in `semmle.code.java.Maps`.
* Taint tracking now understands Kotlin's `Array.get` and `Array.set` methods.
* Added a sink model for the `createRelative` method of the `org.springframework.core.io.Resource` interface.
* Added source models for methods of the `org.springframework.web.util.UrlPathHelper` class and removed their taint flow models.
* Added models for the following packages:
* com.google.common.io
* hudson
* hudson.console
* java.lang
* java.net
* java.util.logging
* javax.imageio.stream
* org.apache.commons.io
* org.apache.hadoop.hive.ql.exec
* org.apache.hadoop.hive.ql.metadata
* org.apache.tools.ant.taskdefs
* Added models for the following packages:
* com.alibaba.druid.sql.repository
* jakarta.persistence
* jakarta.persistence.criteria
* liquibase.database.jvm
* liquibase.statement.core
* org.apache.ibatis.mapping
* org.keycloak.models.map.storage
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.5
lastReleaseVersion: 0.8.6
@@ -1,5 +1,5 @@
name: codeql/java-all
version: 0.8.6-dev
version: 0.8.7-dev
groups: java
dbscheme: config/semmlecode.dbscheme
extractor: java
@@ -1,3 +1,19 @@
## 0.8.6
### Deprecated Queries
* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
### New Queries
* Added the `java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations.
### Minor Analysis Improvements
* Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.
* The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.
* Removed some spurious sinks related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.
## 0.8.5
No user-facing changes.
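Review bot: the only entry under `### Deprecated Queries` in this `## 0.8.6` section deprecates the old flow-state extension points of `java/insufficient-key-size`, `java/server-side-template-injection` and `java/android/implicit-pendingintents`, not the queries themselves; the heading comes from the `category: deprecated` front matter of the change note deleted further down, so a reader skimming headings could take the three queries as deprecated. Consider opening the bullet with a clause stating that the queries remain supported and only their string-based flow-state extension points are deprecated, for example "The extension points of the three queries ... have been deprecated; the queries themselves are unchanged."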
@@ -1,5 +0,0 @@
---
category: newQuery
---
* Added the `java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations.
@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.
@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Removed some spurious sinks related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.
@@ -1,4 +0,0 @@
---
category: deprecated
---
* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.
java/ql/src/change-notes/released/0.8.6.md (Normal file, 15 lines)
@@ -0,0 +1,15 @@
## 0.8.6
### Deprecated Queries
* The three queries `java/insufficient-key-size`, `java/server-side-template-injection`, and `java/android/implicit-pendingintents` had accidentally general extension points allowing arbitrary string-based flow state. This has been fixed and the old extension points have been deprecated where possible, and otherwise updated.
### New Queries
* Added the `java/insecure-randomness` query to detect uses of weakly random values which an attacker may be able to predict. Also added the `crypto-parameter` sink kind for sinks which represent the parameters and keys of cryptographic operations.
### Minor Analysis Improvements
* Modified the `java/potentially-weak-cryptographic-algorithm` query to include the use of weak cryptographic algorithms from configuration values specified in properties files.
* The query `java/android/missing-certificate-pinning` should no longer alert about requests pointing to the local filesystem.
* Removed some spurious sinks related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.
@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.5
lastReleaseVersion: 0.8.6
@@ -1,5 +1,5 @@
name: codeql/java-queries
version: 0.8.6-dev
version: 0.8.7-dev
groups:
- java
- queries