From fce5b4d43e0bf8ecb707473537ee120495a873c8 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 19 May 2025 13:55:45 -0500 Subject: [PATCH 1/6] Changedocs for 2.21.3 --- .../codeql-changelog/codeql-cli-2.19.4.rst | 2 +- .../codeql-changelog/codeql-cli-2.20.4.rst | 6 +- .../codeql-changelog/codeql-cli-2.20.5.rst | 8 - .../codeql-changelog/codeql-cli-2.20.6.rst | 7 +- .../codeql-changelog/codeql-cli-2.21.0.rst | 4 +- .../codeql-changelog/codeql-cli-2.21.1.rst | 26 +-- .../codeql-changelog/codeql-cli-2.21.2.rst | 2 +- .../codeql-changelog/codeql-cli-2.21.3.rst | 159 ++++++++++++++++++ .../codeql-changelog/index.rst | 1 + 9 files changed, 186 insertions(+), 29 deletions(-) create mode 100644 docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst index 754b6d2c4da..9235d63fe2c 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst @@ -79,4 +79,4 @@ JavaScript/TypeScript * Added taint-steps for :code:`Array.prototype.toReversed`. * Added taint-steps for :code:`Array.prototype.toSorted`. * Added support for :code:`String.prototype.matchAll`. -* Added taint-steps for :code:`Array.prototype.reverse`. +* Added taint-steps for :code:`Array.prototype.reverse`\ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index a5c9c4f222f..f488198ea3d 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst @@ -117,8 +117,8 @@ Java/Kotlin * Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead. * Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead. * Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in ``*Access``, use the corresponding ``*Call`` classes instead. -* Deleted a lot of deprecated predicates ending in ``*Access``, use the corresponding ``*Call`` predicates instead. +* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. +* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. * Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead. @@ -144,7 +144,7 @@ Ruby * Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead. * Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from ``*Query.qll`` files. +* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. * Deleted the old deprecated TypeTracking library. Swift diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst index 855f25655ec..48d4ff27f0b 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst @@ -109,14 +109,6 @@ Python * Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes. * Using the :code:`break` and :code:`continue` keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case. -Major Analysis Improvements -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Golang -"""""" - -* Go 1.24 is now supported. This includes the new language feature of generic type aliases. - Minor Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst index d6b93444925..006aeec5a05 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst @@ -35,7 +35,7 @@ Bug Fixes GitHub Actions """""""""""""" -* The :code:`actions/unversioned-immutable-action` query will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query remains in the default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is available, the query will be updated to report alerts again. +* The :code:`actions/unversioned-immutable-action` query will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query has also been moved to the experimental folder and will not be used in code scanning unless it is explicitly added to a code scanning configuration. Once the Immutable Actions feature is available, the query will be updated to report alerts again. Major Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -71,6 +71,11 @@ Language Libraries Major Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Golang +"""""" + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + JavaScript/TypeScript """"""""""""""""""""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst index aa604d702e7..f48e372f277 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst @@ -165,7 +165,7 @@ Java/Kotlin """"""""""" * Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it. -* Added a path injection sanitizer for calls to :code:`java.lang.String.matches`, :code:`java.lang.String.replace`, and :code:`java.lang.String.replaceAll` that make sure :code:`/`, :code:`\\`, :code:`..` are not in the path. +* Added a path injection sanitizer for calls to :code:`java.lang.String.matches`, :code:`java.lang.String.replace`, and :code:`java.lang.String.replaceAll` that make sure '/', '', '..' are not in the path. JavaScript/TypeScript """"""""""""""""""""" @@ -207,5 +207,5 @@ JavaScript/TypeScript * Intersection :code:`&&` * Subtraction :code:`--` - * :code:`\\q` quoted string + * :code:`\q` quoted string diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.1.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.1.rst index 2a8e20d84d1..40587985d9d 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.1.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.1.rst @@ -37,14 +37,6 @@ Bug Fixes Query Packs ----------- -New Features -~~~~~~~~~~~~ - -GitHub Actions -"""""""""""""" - -* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available. - Bug Fixes ~~~~~~~~~ @@ -87,6 +79,14 @@ Python * The :code:`py/mixed-tuple-returns` query no longer flags instances where the tuple is passed into the function as an argument, as this led to too many false positives. +New Features +~~~~~~~~~~~~ + +GitHub Actions +"""""""""""""" + +* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available. + Language Libraries ------------------ @@ -131,17 +131,17 @@ Ruby New Features ~~~~~~~~~~~~ -GitHub Actions -"""""""""""""" - -* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available. - C/C++ """"" * Calling conventions explicitly specified on function declarations (:code:`__cdecl`, :code:`__stdcall`, :code:`__fastcall`, etc.) are now represented as specifiers of those declarations. * A new class :code:`CallingConventionSpecifier` extending the :code:`Specifier` class was introduced, which represents explicitly specified calling conventions. +GitHub Actions +"""""""""""""" + +* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available. + Shared Libraries ---------------- diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst index 636cf2fe63d..8d9c20cfbb5 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst @@ -108,7 +108,7 @@ Swift """"" * Added AST nodes :code:`ActorIsolationErasureExpr`, :code:`CurrentContextIsolationExpr`, - :code:`ExtractFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. + :code:`ExtracFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. New Features ~~~~~~~~~~~~ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst new file mode 100644 index 00000000000..d499f27dcb1 --- /dev/null +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.3.rst @@ -0,0 +1,159 @@ +.. _codeql-cli-2.21.3: + +========================== +CodeQL 2.21.3 (2025-05-15) +========================== + +.. contents:: Contents + :depth: 2 + :local: + :backlinks: none + +This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog `__, `relevant GitHub Changelog updates `__, `changes in the CodeQL extension for Visual Studio Code `__, and the `CodeQL Action changelog `__. + +Security Coverage +----------------- + +CodeQL 2.21.3 runs a total of 452 security queries when configured with the Default suite (covering 168 CWE). The Extended suite enables an additional 136 queries (covering 35 more CWE). + +CodeQL CLI +---------- + +Miscellaneous +~~~~~~~~~~~~~ + +* Windows binaries for the CodeQL CLI are now built with :code:`/guard:cf`, enabling `Control Flow Guard `__. + +Query Packs +----------- + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +C# +"" + +* Changed the precision of the :code:`cs/equality-on-floats` query from medium to high. + +JavaScript/TypeScript +""""""""""""""""""""" + +* Type information is now propagated more precisely through :code:`Promise.all()` calls, + leading to more resolved calls and more sources and sinks being detected. + +Query Metadata Changes +~~~~~~~~~~~~~~~~~~~~~~ + +C/C++ +""""" + +* The tag :code:`external/cwe/cwe-14` has been removed from :code:`cpp/memset-may-be-deleted` and the tag :code:`external/cwe/cwe-014` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/count-untrusted-data-external-api-ir` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/untrusted-data-to-external-api-ir` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cpp/late-check-of-function-argument` and the tag :code:`external/cwe/cwe-020` has been added. + +C# +"" + +* The tag :code:`external/cwe/cwe-13` has been removed from :code:`cs/password-in-configuration` and the tag :code:`external/cwe/cwe-013` has been added. +* The tag :code:`external/cwe/cwe-11` has been removed from :code:`cs/web/debug-binary` and the tag :code:`external/cwe/cwe-011` has been added. +* The tag :code:`external/cwe/cwe-16` has been removed from :code:`cs/web/large-max-request-length` and the tag :code:`external/cwe/cwe-016` has been added. +* The tag :code:`external/cwe/cwe-16` has been removed from :code:`cs/web/request-validation-disabled` and the tag :code:`external/cwe/cwe-016` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cs/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cs/serialization-check-bypass` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`cs/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-12` has been removed from :code:`cs/web/missing-global-error-handler` and the tag :code:`external/cwe/cwe-012` has been added. + +Golang +"""""" + +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/incomplete-hostname-regexp` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/regex/missing-regexp-anchor` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/suspicious-character-in-regex` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`go/untrusted-data-to-unknown-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-90` has been removed from :code:`go/ldap-injection` and the tag :code:`external/cwe/cwe-090` has been added. +* The tag :code:`external/cwe/cwe-74` has been removed from :code:`go/dsn-injection` and the tag :code:`external/cwe/cwe-074` has been added. +* The tag :code:`external/cwe/cwe-74` has been removed from :code:`go/dsn-injection-local` and the tag :code:`external/cwe/cwe-074` has been added. +* The tag :code:`external/cwe/cwe-79` has been removed from :code:`go/html-template-escaping-passthrough` and the tag :code:`external/cwe/cwe-079` has been added. + +Java/Kotlin +""""""""""" + +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`java/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`java/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-93` has been removed from :code:`java/netty-http-request-or-response-splitting` and the tag :code:`external/cwe/cwe-093` has been added. + +JavaScript/TypeScript +""""""""""""""""""""" + +* The tag :code:`external/cwe/cwe-79` has been removed from :code:`js/disabling-electron-websecurity` and the tag :code:`external/cwe/cwe-079` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`js/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`js/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`js/untrusted-data-to-external-api-more-sources` and the tag :code:`external/cwe/cwe-020` has been added. + +Python +"""""" + +* The tags :code:`security/cwe/cwe-94` and :code:`security/cwe/cwe-95` have been removed from :code:`py/use-of-input` and the tags :code:`external/cwe/cwe-094` and :code:`external/cwe/cwe-095` have been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`py/count-untrusted-data-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`py/untrusted-data-to-external-api` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`py/cookie-injection` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-20` has been removed from :code:`py/incomplete-url-substring-sanitization` and the tag :code:`external/cwe/cwe-020` has been added. +* The tag :code:`external/cwe/cwe-94` has been removed from :code:`py/js2py-rce` and the tag :code:`external/cwe/cwe-094` has been added. + +Ruby +"""" + +* The precision of :code:`rb/useless-assignment-to-local` has been adjusted from :code:`medium` to :code:`high`. +* The tag :code:`external/cwe/cwe-94` has been removed from :code:`rb/server-side-template-injection` and the tag :code:`external/cwe/cwe-094` has been added. + +Language Libraries +------------------ + +Bug Fixes +~~~~~~~~~ + +C/C++ +""""" + +* Fixed an infinite loop in :code:`semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies. + +Minor Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +JavaScript/TypeScript +""""""""""""""""""""" + +* Enhanced modeling of the `fastify `__ framework to support the :code:`all` route handler method. +* Improved modeling of the |link-code-shelljs-1|_ and |link-code-async-shelljs-2|_ libraries by adding support for the :code:`which`, :code:`cmd`, :code:`asyncExec` and :code:`env`. +* Added support for the :code:`fastify` :code:`addHook` method. + +Python +"""""" + +* Added modeling for the :code:`hdbcli` PyPI package as a database library implementing PEP 249. +* Added header write model for :code:`send_header` in :code:`http.server`. + +New Features +~~~~~~~~~~~~ + +Java/Kotlin +""""""""""" + +* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). + +Swift +""""" + +* Added AST nodes :code:`UnsafeCastExpr`, :code:`TypeValueExpr`, :code:`IntegerType`, and :code:`BuiltinFixedArrayType` that correspond to new nodes added by Swift 6.1. + +.. |link-code-shelljs-1| replace:: :code:`shelljs`\ +.. _link-code-shelljs-1: https://www.npmjs.com/package/shelljs + +.. |link-code-async-shelljs-2| replace:: :code:`async-shelljs`\ +.. _link-code-async-shelljs-2: https://www.npmjs.com/package/async-shelljs + diff --git a/docs/codeql/codeql-overview/codeql-changelog/index.rst b/docs/codeql/codeql-overview/codeql-changelog/index.rst index 92781448af8..2d2fd483aed 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/index.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst @@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here Date: Mon, 19 May 2025 16:33:45 -0500 Subject: [PATCH 2/6] Fixing some upstream typos etc --- .../codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst | 2 +- .../codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst | 2 +- .../codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst | 2 +- java/ql/lib/CHANGELOG.md | 2 +- swift/ql/lib/CHANGELOG.md | 2 +- swift/ql/lib/change-notes/released/4.2.0.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst index 9235d63fe2c..754b6d2c4da 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.19.4.rst @@ -79,4 +79,4 @@ JavaScript/TypeScript * Added taint-steps for :code:`Array.prototype.toReversed`. * Added taint-steps for :code:`Array.prototype.toSorted`. * Added support for :code:`String.prototype.matchAll`. -* Added taint-steps for :code:`Array.prototype.reverse`\ +* Added taint-steps for :code:`Array.prototype.reverse`. diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst index f48e372f277..b6396b2be4e 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst @@ -165,7 +165,7 @@ Java/Kotlin """"""""""" * Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it. -* Added a path injection sanitizer for calls to :code:`java.lang.String.matches`, :code:`java.lang.String.replace`, and :code:`java.lang.String.replaceAll` that make sure '/', '', '..' are not in the path. +* Added a path injection sanitizer for calls to :code:`java.lang.String.matches`, :code:`java.lang.String.replace`, and :code:`java.lang.String.replaceAll` that make sure :code:`/`, :code:`\\`, :code:`..` are not in the path. JavaScript/TypeScript """"""""""""""""""""" diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst index 8d9c20cfbb5..636cf2fe63d 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.2.rst @@ -108,7 +108,7 @@ Swift """"" * Added AST nodes :code:`ActorIsolationErasureExpr`, :code:`CurrentContextIsolationExpr`, - :code:`ExtracFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. + :code:`ExtractFunctionIsolationExpr` and :code:`UnreachableExpr` that correspond to new nodes added by Swift 6.0. New Features ~~~~~~~~~~~~ diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index 01832478c5b..fff0ac11496 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -20,7 +20,7 @@ No user-facing changes. ### Minor Analysis Improvements * Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it. -* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path. +* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure `/`, `\\`, `..` are not in the path. ### Bug Fixes diff --git a/swift/ql/lib/CHANGELOG.md b/swift/ql/lib/CHANGELOG.md index 36f0bc8e5fd..1c9326d76e8 100644 --- a/swift/ql/lib/CHANGELOG.md +++ b/swift/ql/lib/CHANGELOG.md @@ -13,7 +13,7 @@ ### Minor Analysis Improvements * Added AST nodes `ActorIsolationErasureExpr`, `CurrentContextIsolationExpr`, - `ExtracFunctionIsolationExpr` and `UnreachableExpr` that correspond to new nodes + `ExtractFunctionIsolationExpr` and `UnreachableExpr` that correspond to new nodes added by Swift 6.0. ## 4.1.4 diff --git a/swift/ql/lib/change-notes/released/4.2.0.md b/swift/ql/lib/change-notes/released/4.2.0.md index 734840c9318..935d4b5e832 100644 --- a/swift/ql/lib/change-notes/released/4.2.0.md +++ b/swift/ql/lib/change-notes/released/4.2.0.md @@ -7,5 +7,5 @@ ### Minor Analysis Improvements * Added AST nodes `ActorIsolationErasureExpr`, `CurrentContextIsolationExpr`, - `ExtracFunctionIsolationExpr` and `UnreachableExpr` that correspond to new nodes + `ExtractFunctionIsolationExpr` and `UnreachableExpr` that correspond to new nodes added by Swift 6.0. From b9841dccfb8a5ee1bba8e8c43c4fd9a940b1c516 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 19 May 2025 16:45:08 -0500 Subject: [PATCH 3/6] Fixing more upstream typos --- .../codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst | 2 +- java/ql/lib/change-notes/released/7.1.2.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst index b6396b2be4e..aa604d702e7 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.21.0.rst @@ -207,5 +207,5 @@ JavaScript/TypeScript * Intersection :code:`&&` * Subtraction :code:`--` - * :code:`\q` quoted string + * :code:`\\q` quoted string diff --git a/java/ql/lib/change-notes/released/7.1.2.md b/java/ql/lib/change-notes/released/7.1.2.md index 57fc5b2cc6d..811b2353c99 100644 --- a/java/ql/lib/change-notes/released/7.1.2.md +++ b/java/ql/lib/change-notes/released/7.1.2.md @@ -3,7 +3,7 @@ ### Minor Analysis Improvements * Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it. -* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path. +* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure `/`, `\\`, `..` are not in the path. ### Bug Fixes From 759ad8adc1748afea0388a46f4cdd440277a284b Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 19 May 2025 16:53:05 -0500 Subject: [PATCH 4/6] Fixing Go 1.24 release accuracy. It went supported in 2.20.5 and docs were a late commit so this fixes it upstream. --- .../codeql-changelog/codeql-cli-2.20.5.rst | 8 ++++++++ .../codeql-changelog/codeql-cli-2.20.6.rst | 5 ----- go/ql/lib/CHANGELOG.md | 8 ++++---- go/ql/lib/change-notes/released/4.1.0.md | 4 ++++ go/ql/lib/change-notes/released/4.2.0.md | 4 ---- 5 files changed, 16 insertions(+), 13 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst index 48d4ff27f0b..855f25655ec 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.5.rst @@ -109,6 +109,14 @@ Python * Fixed a bug in the extractor where a comment inside a subscript could sometimes cause the AST to be missing nodes. * Using the :code:`break` and :code:`continue` keywords outside of a loop, which is a syntax error but is accepted by our parser, would cause the control-flow construction to fail. This is now no longer the case. +Major Analysis Improvements +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Golang +"""""" + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + Minor Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst index 006aeec5a05..76c038bded2 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.6.rst @@ -71,11 +71,6 @@ Language Libraries Major Analysis Improvements ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Golang -"""""" - -* Go 1.24 is now supported. This includes the new language feature of generic type aliases. - JavaScript/TypeScript """"""""""""""""""""" diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index 9eb5ef69ebc..b6031842a21 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -30,10 +30,6 @@ No user-facing changes. * The member predicate `hasLocationInfo` has been deprecated on the following classes: `BasicBlock`, `Callable`, `Content`, `ContentSet`, `ControlFlow::Node`, `DataFlowCallable`, `DataFlow::Node`, `Entity`, `GVN`, `HtmlTemplate::TemplateStmt`, `IR:WriteTarget`, `SourceSinkInterpretationInput::SourceOrSinkElement`, `SourceSinkInterpretationInput::InterpretNode`, `SsaVariable`, `SsaDefinition`, `SsaWithFields`, `StringOps::ConcatenationElement`, `Type`, and `VariableWithFields`. Use `getLocation()` instead. -### Major Analysis Improvements - -* Go 1.24 is now supported. This includes the new language feature of generic type aliases. - ### Minor Analysis Improvements * The location info for the following classes has been changed slightly to match a location that is in the database: `BasicBlock`, `ControlFlow::EntryNode`, `ControlFlow::ExitNode`, `ControlFlow::ConditionGuardNode`, `IR::ImplicitLiteralElementIndexInstruction`, `IR::EvalImplicitTrueInstruction`, `SsaImplicitDefinition`, `SsaPhiNode`. @@ -48,6 +44,10 @@ No user-facing changes. * The member predicate `getNamedType` on `GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead. * The member predicate `getNamedType` on `Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead. +### Major Analysis Improvements + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + ### Minor Analysis Improvements * Taint models have been added for the `weak` package, which was added in Go 1.24. diff --git a/go/ql/lib/change-notes/released/4.1.0.md b/go/ql/lib/change-notes/released/4.1.0.md index 3061e491f48..728d754bd1d 100644 --- a/go/ql/lib/change-notes/released/4.1.0.md +++ b/go/ql/lib/change-notes/released/4.1.0.md @@ -6,6 +6,10 @@ * The member predicate `getNamedType` on `GoMicro::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead. * The member predicate `getNamedType` on `Twirp::ServiceInterfaceType` has been deprecated. Use the new member predicate `getDefinedType` instead. +### Major Analysis Improvements + +* Go 1.24 is now supported. This includes the new language feature of generic type aliases. + ### Minor Analysis Improvements * Taint models have been added for the `weak` package, which was added in Go 1.24. diff --git a/go/ql/lib/change-notes/released/4.2.0.md b/go/ql/lib/change-notes/released/4.2.0.md index 771e8733053..34af613a015 100644 --- a/go/ql/lib/change-notes/released/4.2.0.md +++ b/go/ql/lib/change-notes/released/4.2.0.md @@ -4,10 +4,6 @@ * The member predicate `hasLocationInfo` has been deprecated on the following classes: `BasicBlock`, `Callable`, `Content`, `ContentSet`, `ControlFlow::Node`, `DataFlowCallable`, `DataFlow::Node`, `Entity`, `GVN`, `HtmlTemplate::TemplateStmt`, `IR:WriteTarget`, `SourceSinkInterpretationInput::SourceOrSinkElement`, `SourceSinkInterpretationInput::InterpretNode`, `SsaVariable`, `SsaDefinition`, `SsaWithFields`, `StringOps::ConcatenationElement`, `Type`, and `VariableWithFields`. Use `getLocation()` instead. -### Major Analysis Improvements - -* Go 1.24 is now supported. This includes the new language feature of generic type aliases. - ### Minor Analysis Improvements * The location info for the following classes has been changed slightly to match a location that is in the database: `BasicBlock`, `ControlFlow::EntryNode`, `ControlFlow::ExitNode`, `ControlFlow::ConditionGuardNode`, `IR::ImplicitLiteralElementIndexInstruction`, `IR::EvalImplicitTrueInstruction`, `SsaImplicitDefinition`, `SsaPhiNode`. From e5efe83243a0c18d0b3816b1766ef770f52f2afc Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 19 May 2025 17:03:23 -0500 Subject: [PATCH 5/6] Fixing upstream backticks around problematic characters so that the RST generator doesn't choke on asterisks --- .../codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst | 4 ++-- java/ql/lib/CHANGELOG.md | 4 ++-- java/ql/lib/change-notes/released/7.0.0.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index f488198ea3d..143f50387b7 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst @@ -117,8 +117,8 @@ Java/Kotlin * Deleted the deprecated :code:`isLValue` and :code:`isRValue` predicates from the :code:`VarAccess` class, use :code:`isVarWrite` and :code:`isVarRead` respectively instead. * Deleted the deprecated :code:`getRhs` predicate from the :code:`VarWrite` class, use :code:`getASource` instead. * Deleted the deprecated :code:`LValue` and :code:`RValue` classes, use :code:`VarWrite` and :code:`VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. -* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. +* Deleted a lot of deprecated classes ending in ``*Access``, use the corresponding ``*Call`` classes instead. +* Deleted a lot of deprecated predicates ending in ``*Access``, use the corresponding ``*Call`` predicates instead. * Deleted the deprecated :code:`EnvInput` and :code:`DatabaseInput` classes from :code:`FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from :code:`SensitiveApi.qll`, use the Sink classes from that file instead. diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index fff0ac11496..412521919b9 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -55,8 +55,8 @@ No user-facing changes. * Deleted the deprecated `isLValue` and `isRValue` predicates from the `VarAccess` class, use `isVarWrite` and `isVarRead` respectively instead. * Deleted the deprecated `getRhs` predicate from the `VarWrite` class, use `getASource` instead. * Deleted the deprecated `LValue` and `RValue` classes, use `VarWrite` and `VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. -* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. +* Deleted a lot of deprecated classes ending in `*Access`, use the corresponding `*Call` classes instead. +* Deleted a lot of deprecated predicates ending in `*Access`, use the corresponding `*Call` predicates instead. * Deleted the deprecated `EnvInput` and `DatabaseInput` classes from `FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from `SensitiveApi.qll`, use the Sink classes from that file instead. diff --git a/java/ql/lib/change-notes/released/7.0.0.md b/java/ql/lib/change-notes/released/7.0.0.md index 08a4b0f85bf..1f367abb668 100644 --- a/java/ql/lib/change-notes/released/7.0.0.md +++ b/java/ql/lib/change-notes/released/7.0.0.md @@ -5,8 +5,8 @@ * Deleted the deprecated `isLValue` and `isRValue` predicates from the `VarAccess` class, use `isVarWrite` and `isVarRead` respectively instead. * Deleted the deprecated `getRhs` predicate from the `VarWrite` class, use `getASource` instead. * Deleted the deprecated `LValue` and `RValue` classes, use `VarWrite` and `VarRead` respectively instead. -* Deleted a lot of deprecated classes ending in "*Access", use the corresponding "*Call" classes instead. -* Deleted a lot of deprecated predicates ending in "*Access", use the corresponding "*Call" predicates instead. +* Deleted a lot of deprecated classes ending in `*Access`, use the corresponding `*Call` classes instead. +* Deleted a lot of deprecated predicates ending in `*Access`, use the corresponding `*Call` predicates instead. * Deleted the deprecated `EnvInput` and `DatabaseInput` classes from `FlowSources.qll`, use the threat models feature instead. * Deleted some deprecated API predicates from `SensitiveApi.qll`, use the Sink classes from that file instead. From 7570f503ceacd4b0be1e78ae8176ef84465ca346 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Mon, 19 May 2025 17:06:29 -0500 Subject: [PATCH 6/6] Escaping more problematic asterisks --- .../codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst | 2 +- ruby/ql/lib/CHANGELOG.md | 2 +- ruby/ql/lib/change-notes/released/4.0.0.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst index 143f50387b7..a5c9c4f222f 100644 --- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst +++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.20.4.rst @@ -144,7 +144,7 @@ Ruby * Deleted the deprecated :code:`ModelClass` and :code:`ModelInstance` classes from :code:`ActiveResource.qll`, use :code:`ModelClassNode` and :code:`ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated :code:`Collection` class from :code:`ActiveResource.qll`, use :code:`CollectionSource` instead. * Deleted the deprecated :code:`ServiceInstantiation` and :code:`ClientInstantiation` classes from :code:`Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. +* Deleted a lot of deprecated dataflow modules from ``*Query.qll`` files. * Deleted the old deprecated TypeTracking library. Swift diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index f9858668d93..4d3dfc9c436 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -48,7 +48,7 @@ No user-facing changes. * Deleted the deprecated `ModelClass` and `ModelInstance` classes from `ActiveResource.qll`, use `ModelClassNode` and `ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated `Collection` class from `ActiveResource.qll`, use `CollectionSource` instead. * Deleted the deprecated `ServiceInstantiation` and `ClientInstantiation` classes from `Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. +* Deleted a lot of deprecated dataflow modules from `*Query.qll` files. * Deleted the old deprecated TypeTracking library. ## 3.0.2 diff --git a/ruby/ql/lib/change-notes/released/4.0.0.md b/ruby/ql/lib/change-notes/released/4.0.0.md index 9674020e9dd..28ccd379dc5 100644 --- a/ruby/ql/lib/change-notes/released/4.0.0.md +++ b/ruby/ql/lib/change-notes/released/4.0.0.md @@ -14,5 +14,5 @@ * Deleted the deprecated `ModelClass` and `ModelInstance` classes from `ActiveResource.qll`, use `ModelClassNode` and `ModelClassNode.getAnInstanceReference()` instead. * Deleted the deprecated `Collection` class from `ActiveResource.qll`, use `CollectionSource` instead. * Deleted the deprecated `ServiceInstantiation` and `ClientInstantiation` classes from `Twirp.qll`. -* Deleted a lot of deprecated dataflow modules from "*Query.qll" files. +* Deleted a lot of deprecated dataflow modules from `*Query.qll` files. * Deleted the old deprecated TypeTracking library.