Merge pull request #11134 from github/post-release-prep/codeql-cli-2.11.3

Post-release preparation for codeql-cli-2.11.3

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Fixed bugs in the `FormatLiteral` class that were causing `getMaxConvertedLength` and related predicates to return no results when the format literal was `%e`, `%f` or `%g` and an explicit precision was specified.
+
 ## 0.4.2
 
 No user-facing changes.

cpp/ql/lib/change-notes/released/0.4.3.md

@@ -1,4 +1,5 @@
----
+## 0.4.3
-category: minorAnalysis
+
----
+### Minor Analysis Improvements
+
 * Fixed bugs in the `FormatLiteral` class that were causing `getMaxConvertedLength` and related predicates to return no results when the format literal was `%e`, `%f` or `%g` and an explicit precision was specified.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* Fixed a bug in `cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.
+
 ## 0.4.2
 
 ### New Queries

cpp/ql/src/change-notes/released/0.4.3.md

@@ -1,4 +1,5 @@
----
+## 0.4.3
-category: minorAnalysis
+
----
+### Minor Analysis Improvements
-* Fixed a bug in `cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.
+
+* Fixed a bug in `cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: 
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.3.3
+
+No user-facing changes.
+
 ## 1.3.2
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.3.3.md

@@ -0,0 +1,3 @@
+## 1.3.3
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.2
+lastReleaseVersion: 1.3.3

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.3.3-dev
+version: 1.3.4-dev
 groups:
     - csharp
     - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.3.3
+
+No user-facing changes.
+
 ## 1.3.2
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.3.3.md

@@ -0,0 +1,3 @@
+## 1.3.3
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.2
+lastReleaseVersion: 1.3.3

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.3.3-dev
+version: 1.3.4-dev
 groups:
     - csharp
     - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.3
+
+No user-facing changes.
+
 ## 0.4.2
 
 No user-facing changes.

csharp/ql/lib/change-notes/released/0.4.3.md

@@ -0,0 +1,3 @@
+## 0.4.3
+
+No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.3
+
+No user-facing changes.
+
 ## 0.4.2
 
 No user-facing changes.

csharp/ql/src/change-notes/released/0.4.3.md

@@ -0,0 +1,3 @@
+## 0.4.3
+
+No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: 
   - csharp
   - queries

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.3.3
+
+No user-facing changes.
+
 ## 0.3.2
 
 No user-facing changes.

go/ql/lib/change-notes/released/0.3.3.md

@@ -0,0 +1,3 @@
+## 0.3.3
+
+No user-facing changes.

go/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.3

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 0.3.3-dev
+version: 0.3.4-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.3.3
+
+### Minor Analysis Improvements
+
+* Query `go/clear-text-logging` now excludes `GetX` methods of protobuf `Message` structs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.
+
 ## 0.3.2
 
 ### Minor Analysis Improvements

go/ql/src/change-notes/released/0.3.3.md

@@ -1,4 +1,5 @@
----
+## 0.3.3
-category: minorAnalysis
+
----
+### Minor Analysis Improvements
+
 * Query `go/clear-text-logging` now excludes `GetX` methods of protobuf `Message` structs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.

go/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.3

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 0.3.3-dev
+version: 0.3.4-dev
 groups:
   - go
   - queries

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.3
+
+No user-facing changes.
+
 ## 0.4.2
 
 ### Deprecated APIs

java/ql/lib/change-notes/released/0.4.3.md

@@ -0,0 +1,3 @@
+## 0.4.3
+
+No user-facing changes.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.3
+
+No user-facing changes.
+
 ## 0.4.2
 
 ### New Queries

java/ql/src/change-notes/released/0.4.3.md

@@ -0,0 +1,3 @@
+## 0.4.3
+
+No user-facing changes.

java/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: 
   - java
   - queries

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.3.3
+
+No user-facing changes.
+
 ## 0.3.2
 
 No user-facing changes.

javascript/ql/lib/change-notes/released/0.3.3.md

@@ -0,0 +1,3 @@
+## 0.3.3
+
+No user-facing changes.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.3

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.3.3-dev
+version: 0.3.4-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 0.4.3
+
+### New Queries
+
+* Added a new query, `js/second-order-command-line-injection`, to detect shell
+  commands that may execute arbitrary code when the user has control over 
+  the arguments to a command-line program.
+  This currently flags up unsafe invocations of git and hg.
+
+### Minor Analysis Improvements
+
+* Added sources for user defined path and query parameters in `Next.js`.
+* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
 ## 0.4.2
 
 ### Minor Analysis Improvements

javascript/ql/src/change-notes/2022-09-05-second-order-command-injection.md

@@ -1,7 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `js/second-order-command-line-injection`, to detect shell
-  commands that may execute arbitrary code when the user has control over 
-  the arguments to a command-line program.
-  This currently flags up unsafe invocations of git and hg.

javascript/ql/src/change-notes/2022-10-07-alert-messages.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.

javascript/ql/src/change-notes/2022-10-26-nextjs-params.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-- Added sources for user defined path and query parameters in `Next.js`.

javascript/ql/src/change-notes/released/0.4.3.md

@@ -0,0 +1,13 @@
+## 0.4.3
+
+### New Queries
+
+* Added a new query, `js/second-order-command-line-injection`, to detect shell
+  commands that may execute arbitrary code when the user has control over 
+  the arguments to a command-line program.
+  This currently flags up unsafe invocations of git and hg.
+
+### Minor Analysis Improvements
+
+* Added sources for user defined path and query parameters in `Next.js`.
+* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.

javascript/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: 
   - javascript
   - queries

misc/suite-helpers/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.3.3
+
+No user-facing changes.
+
 ## 0.3.2
 
 No user-facing changes.

misc/suite-helpers/change-notes/released/0.3.3.md

@@ -0,0 +1,3 @@
+## 0.3.3
+
+No user-facing changes.

misc/suite-helpers/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.2
+lastReleaseVersion: 0.3.3

misc/suite-helpers/qlpack.yml

@@ -1,3 +1,3 @@
 name: codeql/suite-helpers
-version: 0.3.3-dev
+version: 0.3.4-dev
 groups: shared

python/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.3
+
+No user-facing changes.
+
 ## 0.6.2
 
 ### Minor Analysis Improvements

python/ql/lib/change-notes/released/0.6.3.md

@@ -0,0 +1,3 @@
+## 0.6.3
+
+No user-facing changes.

python/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.2
+lastReleaseVersion: 0.6.3

python/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 0.6.3-dev
+version: 0.6.4-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python

python/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.5.3
+
+No user-facing changes.
+
 ## 0.5.2
 
 ### Minor Analysis Improvements

python/ql/src/change-notes/released/0.5.3.md

@@ -0,0 +1,3 @@
+## 0.5.3
+
+No user-facing changes.

python/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3

python/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 0.5.3-dev
+version: 0.5.4-dev
 groups: 
   - python
   - queries

ruby/ql/lib/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* There was a bug in `TaintTracking::localTaint` and `TaintTracking::localTaintStep` such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps.
+* Instantiations using `Faraday::Connection.new` are now recognized as part of `FaradayHttpRequest`s, meaning they will be considered as sinks for queries such as `rb/request-forgery`.
+* Taint flow is now tracked through extension methods on `Hash`, `String` and
+  `Object` provided by `ActiveSupport`.
+
 ## 0.4.2
 
 ### Minor Analysis Improvements

ruby/ql/lib/change-notes/2022-10-18-activesupport-flow.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Taint flow is now tracked through extension methods on `Hash`, `String` and
-  `Object` provided by `ActiveSupport`.

ruby/ql/lib/change-notes/2022-10-20-expand-faraday-model-for-ssrf-sink.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-
-- Instantiations using `Faraday::Connection.new` are now recognized as part of `FaradayHttpRequest`s, meaning they will be considered as sinks for queries such as `rb/request-forgery`.

ruby/ql/lib/change-notes/2022-10-21-local-taint-step.md

@@ -1,4 +0,0 @@
----
- category: minorAnalysis
----
- * There was a bug in `TaintTracking::localTaint` and `TaintTracking::localTaintStep` such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps.

ruby/ql/lib/change-notes/released/0.4.3.md

@@ -0,0 +1,8 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* There was a bug in `TaintTracking::localTaint` and `TaintTracking::localTaintStep` such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps.
+* Instantiations using `Faraday::Connection.new` are now recognized as part of `FaradayHttpRequest`s, meaning they will be considered as sinks for queries such as `rb/request-forgery`.
+* Taint flow is now tracked through extension methods on `Hash`, `String` and
+  `Object` provided by `ActiveSupport`.

ruby/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

ruby/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme

ruby/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.3
+
+### Minor Analysis Improvements
+
+* The `rb/weak-cryptographic-algorithm` has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice.
+
 ## 0.4.2
 
 ### New Queries

ruby/ql/src/change-notes/released/0.4.3.md

@@ -1,4 +1,5 @@
----
+## 0.4.3
-category: minorAnalysis
+
----
+### Minor Analysis Improvements
+
 * The `rb/weak-cryptographic-algorithm` has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice.

ruby/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.2
+lastReleaseVersion: 0.4.3

ruby/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 0.4.3-dev
+version: 0.4.4-dev
 groups: 
   - ruby
   - queries

shared/ssa/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.0.4
+
+No user-facing changes.
+
 ## 0.0.3
 
 No user-facing changes.

shared/ssa/change-notes/released/0.0.4.md

@@ -0,0 +1,3 @@
+## 0.0.4
+
+No user-facing changes.

shared/ssa/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.3
+lastReleaseVersion: 0.0.4

shared/ssa/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/ssa
-version: 0.0.4-dev
+version: 0.0.5-dev
 groups: shared
 library: true

shared/typos/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.0.4
+
+No user-facing changes.
+
 ## 0.0.3
 
 No user-facing changes.

shared/typos/change-notes/released/0.0.4.md

@@ -0,0 +1,3 @@
+## 0.0.4
+
+No user-facing changes.

shared/typos/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.3
+lastReleaseVersion: 0.0.4

shared/typos/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/typos
-version: 0.0.4-dev
+version: 0.0.5-dev
 groups: shared
 library: true