Merge remote-tracking branch 'origin/main' into smowton/admin/merge-rc317-into-main

java/ql/src/change-notes/2025-02-24-spring-boot-actuators-promo.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The query `java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the [CodeQL Community Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs). This query was originally submitted as an experimental query [by @ggolawski](https://github.com/github/codeql/pull/2901).

java/ql/src/change-notes/2025-03-02-unreleased-lock-fp.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Updated the `java/unreleased-lock` query so that it no longer report alerts in cases where a boolean variable is used to track lock state.

java/ql/src/change-notes/2025-03-03-fix-improper-intent-verification-query.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Overrides of `BroadcastReceiver::onReceive` with no statements in their body are no longer considered unverified by the `java/improper-intent-verification` query. This will reduce false positives from `onReceive` methods which do not perform any actions.

java/ql/src/change-notes/2025-03-13-fix-toctou-false-positive.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed a false positive in "Time-of-check time-of-use race condition" (`java/toctou-race-condition`) where a field of a non-static class was not considered always-locked if it was accessed in a constructor.