Release preparation for version 2.20.1

2026-04-23 15:55:18 +02:00 · 2025-01-06 18:20:22 +00:00
parent 0c2e05717f
commit a121c5a5d0
168 changed files with 447 additions and 197 deletions
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,24 @@
+## 6.0.0
+
+### Breaking Changes
+
+* The class `ControlFlowNode` (and by extension `BasicBlock`) is no longer
+  directly equatable to `Expr` and `Stmt`. Any queries that have been
+  exploiting these equalities, for example by using casts, will need minor
+  updates in order to fix any compilation errors. Conversions can be inserted
+  in either direction depending on what is most convenient. Available
+  conversions include `Expr.getControlFlowNode()`, `Stmt.getControlFlowNode()`,
+  `ControlFlowNode.asExpr()`, `ControlFlowNode.asStmt()`, and
+  `ControlFlowNode.asCall()`. Exit nodes were until now modelled as a
+  `ControlFlowNode` equal to its enclosing `Callable`; these are now instead
+  modelled by the class `ControlFlow::ExitNode`.
+
+### Minor Analysis Improvements
+
+* Added `java.io.File.getName()` as a path injection sanitizer.
+* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
+* Added a sink for "Server-side request forgery" (`java/ssrf`) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL.
+
 ## 5.0.0

 ### Breaking Changes
--- a/java/ql/lib/change-notes/2024-11-28-model-resttemplate-getforobject-third-parameter.md
+++ b/java/ql/lib/change-notes/2024-11-28-model-resttemplate-getforobject-third-parameter.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added a sink for "Server-side request forgery" (`java/ssrf`) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL.
--- a/java/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md
+++ b/java/ql/lib/change-notes/2024-12-04-dataflow-type-pruning-tweak.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
--- a/java/ql/lib/change-notes/2024-12-06-file-getname.md
+++ b/java/ql/lib/change-notes/2024-12-06-file-getname.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added `java.io.File.getName()` as a path injection sanitizer.
--- a/java/ql/lib/change-notes/2024-11-14-control-flow-graph-lightweight-IR-layer.md
+++ b/java/ql/lib/change-notes/2024-11-14-control-flow-graph-lightweight-IR-layer.md
@@ -1,6 +1,7 @@
---
-category: breaking
---
+## 6.0.0
+
+### Breaking Changes
+
 * The class `ControlFlowNode` (and by extension `BasicBlock`) is no longer
  directly equatable to `Expr` and `Stmt`. Any queries that have been
  exploiting these equalities, for example by using casts, will need minor
@@ -11,3 +12,9 @@ category: breaking
  `ControlFlowNode.asCall()`. Exit nodes were until now modelled as a
  `ControlFlowNode` equal to its enclosing `Callable`; these are now instead
  modelled by the class `ControlFlow::ExitNode`.
+
+### Minor Analysis Improvements
+
+* Added `java.io.File.getName()` as a path injection sanitizer.
+* The data flow library has been updated to track types in a slightly different way: The type of the tainted data (which may be stored into fields, etc.) is tracked more precisely, while the types of intermediate containers for nested contents is tracked less precisely. This may have a slight effect on false positives for complex flow paths.
+* Added a sink for "Server-side request forgery" (`java/ssrf`) for the third parameter to org.springframework.web.client.RestTemplate.getForObject, when we cannot statically determine that it does not affect the host in the URL.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.0.0
+lastReleaseVersion: 6.0.0
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 5.0.1-dev
+version: 6.0.0
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.1.11
+
+No user-facing changes.
+
 ## 1.1.10

 ### Minor Analysis Improvements
--- a/java/ql/src/change-notes/released/1.1.11.md
+++ b/java/ql/src/change-notes/released/1.1.11.md
@@ -0,0 +1,3 @@
+## 1.1.11
+
+No user-facing changes.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.10
+lastReleaseVersion: 1.1.11
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.1.11-dev
+version: 1.1.11
 groups:
  - java
  - queries