Release preparation for version 2.18.0

java/ql/automodel/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.3
+
+No user-facing changes.
+
 ## 1.0.2
 
 No user-facing changes.

java/ql/automodel/src/change-notes/released/1.0.3.md

@@ -0,0 +1,3 @@
+## 1.0.3
+
+No user-facing changes.

java/ql/automodel/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.0.3

java/ql/automodel/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-automodel-queries
-version: 1.0.3-dev
+version: 1.0.3
 groups:
     - java
     - automodel

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,25 @@
+## 1.1.2
+
+### Minor Analysis Improvements
+
+* Added models for the following packages:
+
+  * io.undertow.server.handlers.resource
+  * jakarta.faces.context
+  * javax.faces.context
+  * javax.servlet
+  * org.jboss.vfs
+  * org.springframework.core.io
+* A bug has been fixed in the heuristic identification of uncertain control
+  flow, which is used to filter data flow in order to improve performance and
+  reduce false positives. This fix means that slightly more code is identified
+  and hence pruned from data flow.
+* Excluded reverse DNS from the loopback address as a source of untrusted data.
+
+### Bug Fixes
+
+* Support for `codeql test run` for Kotlin sources has been fixed.
+
 ## 1.1.1
 
 No user-facing changes.

java/ql/lib/change-notes/2024-06-13-kotlin-qltest-support.md

@@ -1,5 +0,0 @@
----
-category: fix
----
-
-* Support for `codeql test run` for Kotlin sources has been fixed.

java/ql/lib/change-notes/2024-06-14-exclude-loopback-from-reverse-dns.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Excluded reverse DNS from the loopback address as a source of untrusted data.

java/ql/lib/change-notes/2024-06-17-ffbl-implicit-this.md

@@ -1,7 +0,0 @@
----
-category: minorAnalysis
----
-* A bug has been fixed in the heuristic identification of uncertain control
-  flow, which is used to filter data flow in order to improve performance and
-  reduce false positives. This fix means that slightly more code is identified
-  and hence pruned from data flow.

java/ql/lib/change-notes/2024-06-28-resource-models.md

@@ -1,11 +0,0 @@
----
-category: minorAnalysis
----
-* Added models for the following packages:
-
-  * io.undertow.server.handlers.resource
-  * jakarta.faces.context
-  * javax.faces.context
-  * javax.servlet
-  * org.jboss.vfs
-  * org.springframework.core.io

java/ql/lib/change-notes/released/1.1.2.md

@@ -0,0 +1,21 @@
+## 1.1.2
+
+### Minor Analysis Improvements
+
+* Added models for the following packages:
+
+  * io.undertow.server.handlers.resource
+  * jakarta.faces.context
+  * javax.faces.context
+  * javax.servlet
+  * org.jboss.vfs
+  * org.springframework.core.io
+* A bug has been fixed in the heuristic identification of uncertain control
+  flow, which is used to filter data flow in order to improve performance and
+  reduce false positives. This fix means that slightly more code is identified
+  and hence pruned from data flow.
+* Excluded reverse DNS from the loopback address as a source of untrusted data.
+
+### Bug Fixes
+
+* Support for `codeql test run` for Kotlin sources has been fixed.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.1
+lastReleaseVersion: 1.1.2

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 1.1.2-dev
+version: 1.1.2
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 1.1.0
+
+### Major Analysis Improvements
+
+* The query `java/weak-cryptographic-algorithm` no longer alerts about `RSA/ECB` algorithm strings.
+
+### Minor Analysis Improvements
+
+* The query `java/tainted-permissions-check` now uses threat models. This means that `local` sources are no longer included by default for this query, but can be added by enabling the `local` threat model.
+* Added more `org.apache.commons.io.FileUtils`-related sinks to the path injection query.
+
 ## 1.0.2
 
 No user-facing changes.

java/ql/src/change-notes/2024-05-13-rsa-ecb-secure.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* The query `java/weak-cryptographic-algorithm` no longer alerts about `RSA/ECB` algorithm strings.

java/ql/src/change-notes/2024-06-10-path-injection-fileutils-sinks.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added more `org.apache.commons.io.FileUtils`-related sinks to the path injection query.

java/ql/src/change-notes/2024-06-17-tainted-permissions-check.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The query `java/tainted-permissions-check` now uses threat models. This means that `local` sources are no longer included by default for this query, but can be added by enabling the `local` threat model.

java/ql/src/change-notes/released/1.1.0.md

@@ -0,0 +1,10 @@
+## 1.1.0
+
+### Major Analysis Improvements
+
+* The query `java/weak-cryptographic-algorithm` no longer alerts about `RSA/ECB` algorithm strings.
+
+### Minor Analysis Improvements
+
+* The query `java/tainted-permissions-check` now uses threat models. This means that `local` sources are no longer included by default for this query, but can be added by enabling the `local` threat model.
+* Added more `org.apache.commons.io.FileUtils`-related sinks to the path injection query.

java/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.2
+lastReleaseVersion: 1.1.0

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.0.3-dev
+version: 1.1.0
 groups:
   - java
   - queries