From 5bfeede364cc1570f0f19e16e8a1d972a01992ea Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 20 Jan 2026 15:30:38 +0000 Subject: [PATCH 01/25] Add dependency on shared controlflow library --- go/ql/lib/qlpack.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index 669112f115d..32769f6bd29 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -7,6 +7,7 @@ library: true upgrades: upgrades dependencies: codeql/concepts: ${workspace} + codeql/controlflow: ${workspace} codeql/dataflow: ${workspace} codeql/mad: ${workspace} codeql/threat-models: ${workspace} From c316d51d4124cbf96f35b6a680c4938a2bbbef6c Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 27 Jan 2026 11:03:01 +0000 Subject: [PATCH 02/25] Add `ConditionGuardNode.getOutcome` --- go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll | 3 +++ 1 file changed, 3 insertions(+) diff --git a/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll b/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll index 1e66bc61dc4..355f98a705b 100644 --- a/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll +++ b/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll @@ -313,6 +313,9 @@ module ControlFlow { */ Expr getCondition() { result = cond } + /** Gets the value of the condition that this node corresponds to. */ + boolean getOutcome() { result = outcome } + override Root getRoot() { result.isRootOf(cond) } override string toString() { result = cond + " is " + outcome } From 3dd6b3fb69054537ebee3ac69e1121e2bd70dfe3 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 28 Jan 2026 14:52:57 +0000 Subject: [PATCH 03/25] Use shared basic blocks library --- .../lib/semmle/go/controlflow/BasicBlocks.qll | 199 ++++-------------- .../go/controlflow/ControlFlowGraph.qll | 2 + go/ql/lib/semmle/go/dataflow/SsaImpl.qll | 2 +- 3 files changed, 39 insertions(+), 164 deletions(-) 
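Review bot: The QLDoc on the new `getOutcome` in the `ControlFlowGraph.qll` hunk says only "the value of the condition", which does not tell a caller that the result is the boolean recorded by the guard node. The neighbouring `toString` (`cond + " is " + outcome`) suggests that reading, so the comment could state it directly: `/** Gets the boolean outcome that this guard node records for its condition, as printed by toString. */`. The enclosing class starts outside the hunk, so the declaration of `outcome` cannot be checked from here.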
diff --git a/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll b/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll
index 8380c6d6d5d..232b6a5e00b 100644
--- a/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll
+++ b/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll
@@ -4,140 +4,62 @@ import go private import ControlFlowGraphImpl +private import codeql.controlflow.BasicBlock as BB +private import codeql.controlflow.SuccessorType -/** - * Holds if `nd` starts a new basic block. - */ -private predicate startsBB(ControlFlow::Node nd) { - count(nd.getAPredecessor()) != 1 - or - nd.getAPredecessor().isBranch() -} +private module Input implements BB::InputSig { + /** A delineated part of the AST with its own CFG. */ + class CfgScope = ControlFlow::Root; -/** - * Holds if the first node of basic block `succ` is a control flow - * successor of the last node of basic block `bb`. - */ -private predicate succBB(BasicBlock bb, BasicBlock succ) { succ = bb.getLastNode().getASuccessor() } + /** The class of control flow nodes. */ + class Node = ControlFlowNode; -/** - * Holds if the first node of basic block `bb` is a control flow - * successor of the last node of basic block `pre`. - */ -private predicate predBB(BasicBlock bb, BasicBlock pre) { succBB(pre, bb) } + /** Gets the CFG scope in which this node occurs. */ + CfgScope nodeGetCfgScope(Node node) { node.getRoot() = result } -/** Holds if `bb` is an entry basic block. */ -private predicate entryBB(BasicBlock bb) { bb.getFirstNode().isEntryNode() } - -/** Holds if `bb` is an exit basic block. */ -private predicate exitBB(BasicBlock bb) { bb.getLastNode().isExitNode() } - -cached -private module Internal { - /** - * Holds if `succ` is a control flow successor of `nd` within the same basic block. - */ - private predicate intraBBSucc(ControlFlow::Node nd, ControlFlow::Node succ) { - succ = nd.getASuccessor() and - not startsBB(succ) + /** Gets an immediate successor of this node. 
*/ + Node nodeGetASuccessor(Node node, SuccessorType t) { + result = node.getASuccessor() and + ( + not result instanceof ControlFlow::ConditionGuardNode and t instanceof DirectSuccessor + or + t.(BooleanSuccessor).getValue() = result.(ControlFlow::ConditionGuardNode).getOutcome() + ) } /** - * Holds if `nd` is the `i`th node in basic block `bb`. - * - * In other words, `i` is the shortest distance from a node `bb` - * that starts a basic block to `nd` along the `intraBBSucc` relation. + * Holds if `node` represents an entry node to be used when calculating + * dominance. */ - cached - predicate bbIndex(BasicBlock bb, ControlFlow::Node nd, int i) = - shortestDistances(startsBB/1, intraBBSucc/2)(bb, nd, i) + predicate nodeIsDominanceEntry(Node node) { node instanceof EntryNode } - cached - int bbLength(BasicBlock bb) { result = strictcount(ControlFlow::Node nd | bbIndex(bb, nd, _)) } - - cached - predicate reachableBB(BasicBlock bb) { - entryBB(bb) - or - exists(BasicBlock predBB | succBB(predBB, bb) | reachableBB(predBB)) - } + /** + * Holds if `node` represents an exit node to be used when calculating + * post dominance. + */ + predicate nodeIsPostDominanceExit(Node node) { node instanceof ExitNode } } -private import Internal - -/** Holds if `dom` is an immediate dominator of `bb`. */ -cached -private predicate bbIDominates(BasicBlock dom, BasicBlock bb) = - idominance(entryBB/1, succBB/2)(_, dom, bb) - -/** Holds if `dom` is an immediate post-dominator of `bb`. */ -cached -private predicate bbIPostDominates(BasicBlock dom, BasicBlock bb) = - idominance(exitBB/1, predBB/2)(_, dom, bb) - -/** - * A basic block, that is, a maximal straight-line sequence of control flow nodes - * without branches or joins. - * - * At the database level, a basic block is represented by its first control flow node. 
- */ -class BasicBlock extends TControlFlowNode { - BasicBlock() { startsBB(this) } +private module BbImpl = BB::Make; +class BasicBlock extends BbImpl::BasicBlock { /** Gets a basic block succeeding this one. */ - BasicBlock getASuccessor() { succBB(this, result) } + BasicBlock getASuccessor() { result = this.getASuccessor(_) } /** Gets a basic block preceding this one. */ BasicBlock getAPredecessor() { result.getASuccessor() = this } - /** Gets a node in this block. */ - ControlFlow::Node getANode() { result = this.getNode(_) } - - /** Gets the node at the given position in this block. */ - ControlFlow::Node getNode(int pos) { bbIndex(this, result, pos) } - - /** Gets the first node in this block. */ - ControlFlow::Node getFirstNode() { result = this } - - /** Gets the last node in this block. */ - ControlFlow::Node getLastNode() { result = this.getNode(this.length() - 1) } - - /** Gets the length of this block. */ - int length() { result = bbLength(this) } - - /** Gets the basic block that immediately dominates this basic block. */ - ReachableBasicBlock getImmediateDominator() { bbIDominates(result, this) } - /** Gets the innermost function or file to which this basic block belongs. */ - ControlFlow::Root getRoot() { result = this.getFirstNode().getRoot() } - - /** Gets a textual representation of this basic block. */ - string toString() { result = "basic block" } - - /** Gets the source location for this element. */ - Location getLocation() { result = this.getFirstNode().getLocation() } - - /** - * DEPRECATED: Use `getLocation()` instead. - * - * Holds if this basic block is at the specified location. - * The location spans column `startcolumn` of line `startline` to - * column `endcolumn` of line `endline` in file `filepath`. - * For more information, see - * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/). 
- */ - deprecated predicate hasLocationInfo( - string filepath, int startline, int startcolumn, int endline, int endcolumn - ) { - this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) - } + ControlFlow::Root getRoot() { result = this.getScope() } } -/** - * An entry basic block, that is, a basic block whose first node is an entry node. - */ -class EntryBasicBlock extends BasicBlock { - EntryBasicBlock() { entryBB(this) } +class EntryBasicBlock = BbImpl::EntryBasicBlock; + +cached +private predicate reachableBB(BasicBlock bb) { + bb instanceof EntryBasicBlock + or + exists(BasicBlock predBB | predBB.getASuccessor() = bb | reachableBB(predBB)) } /** @@ -145,38 +67,6 @@ class EntryBasicBlock extends BasicBlock { */ class ReachableBasicBlock extends BasicBlock { ReachableBasicBlock() { reachableBB(this) } - - /** - * Holds if this basic block strictly dominates `bb`. - */ - cached - predicate strictlyDominates(ReachableBasicBlock bb) { bbIDominates+(this, bb) } - - /** - * Holds if this basic block dominates `bb`. - * - * This predicate is reflexive: each reachable basic block dominates itself. - */ - predicate dominates(ReachableBasicBlock bb) { - bb = this or - this.strictlyDominates(bb) - } - - /** - * Holds if this basic block strictly post-dominates `bb`. - */ - cached - predicate strictlyPostDominates(ReachableBasicBlock bb) { bbIPostDominates+(this, bb) } - - /** - * Holds if this basic block post-dominates `bb`. - * - * This predicate is reflexive: each reachable basic block post-dominates itself. - */ - predicate postDominates(ReachableBasicBlock bb) { - bb = this or - this.strictlyPostDominates(bb) - } } /** 
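Review bot: The rewritten `BasicBlocks.qll` adds its public declarations without QLDoc: `class BasicBlock extends BbImpl::BasicBlock` and `class EntryBasicBlock = BbImpl::EntryBasicBlock;` carry no doc comment, while the classes they replace each had one. Assuming the shared implementation keeps the same definitions, the removed summaries can be reused, for example `/** A basic block, that is, a maximal straight-line sequence of control flow nodes without branches or joins. */` and `/** An entry basic block, that is, a basic block whose first node is an entry node. */`. The same gap applies to the `class ControlFlowNode = ControlFlow::Node;` alias added in the `ControlFlowGraph.qll` hunk of this patch. Separately, the comment on `nodeGetASuccessor` does not mention `t`; it should say that an edge into a `ConditionGuardNode` is typed as a `BooleanSuccessor` carrying that node's outcome and every other edge as a `DirectSuccessor`.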
@@ -184,21 +74,4 @@ class ReachableBasicBlock extends BasicBlock { */ class ReachableJoinBlock extends ReachableBasicBlock { ReachableJoinBlock() { this.getFirstNode().isJoin() } - - /** - * Holds if this basic block belongs to the dominance frontier of `b`, that is - * `b` dominates a predecessor of this block, but not this block itself. - * - * Algorithm from Cooper et al., "A Simple, Fast Dominance Algorithm" (Figure 5), - * who in turn attribute it to Ferrante et al., "The program dependence graph and - * its use in optimization". - */ - predicate inDominanceFrontierOf(ReachableBasicBlock b) { - b = this.getAPredecessor() and not b = this.getImmediateDominator() - or - exists(ReachableBasicBlock prev | this.inDominanceFrontierOf(prev) | - b = prev.getImmediateDominator() and - not b = this.getImmediateDominator() - ) - } } diff --git a/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll b/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll index 355f98a705b..88adb88c026 100644 --- a/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll +++ b/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll @@ -353,4 +353,6 @@ module ControlFlow { } } +class ControlFlowNode = ControlFlow::Node; + class Write = ControlFlow::WriteNode; diff --git a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll index 8549d9b497a..9689c998acf 100644 --- a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll @@ -71,7 +71,7 @@ private module Internal { private predicate inDefDominanceFrontier(ReachableJoinBlock bb, SsaSourceVariable v) { exists(ReachableBasicBlock defbb, SsaDefinition def | def.definesAt(defbb, _, v) and - bb.inDominanceFrontierOf(defbb) + defbb.inDominanceFrontier(bb) ) } From b2f878229d3b3d0995af249ac09287db0511d80c Mon Sep 17 00:00:00 2001 
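Review bot: In the `SsaImpl.qll` hunk the call changes from `bb.inDominanceFrontierOf(defbb)` to `defbb.inDominanceFrontier(bb)`, swapping receiver and argument, and nothing at the call site records which block is the frontier member. `inDefDominanceFrontier` appears to feed SSA phi-node handling, so a flipped argument would change analysis results without any compile error. A one-line comment above the call, such as `// bb is in the dominance frontier of defbb`, would pin the direction. The QLDoc for `inDefDominanceFrontier` lies outside the hunk, so it may already say this.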
From: Owen Mansel-Chan Date: Wed, 28 Jan 2026 16:34:07 +0000 Subject: [PATCH 04/25] Use shared `getASuccessor` and `getAPredecessor` --- go/ql/lib/semmle/go/controlflow/BasicBlocks.qll | 8 +------- go/ql/lib/semmle/go/dataflow/SSA.qll | 2 +- go/ql/lib/semmle/go/dataflow/SsaImpl.qll | 6 +++--- go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql | 2 +- 4 files changed, 6 insertions(+), 12 deletions(-) diff --git a/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll b/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll index 232b6a5e00b..4352312e1b8 100644 --- a/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll +++ b/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll @@ -43,12 +43,6 @@ private module Input implements BB::InputSig { private module BbImpl = BB::Make; class BasicBlock extends BbImpl::BasicBlock { - /** Gets a basic block succeeding this one. */ - BasicBlock getASuccessor() { result = this.getASuccessor(_) } - - /** Gets a basic block preceding this one. */ - BasicBlock getAPredecessor() { result.getASuccessor() = this } - /** Gets the innermost function or file to which this basic block belongs. */ ControlFlow::Root getRoot() { result = this.getScope() } } @@ -59,7 +53,7 @@ cached private predicate reachableBB(BasicBlock bb) { bb instanceof EntryBasicBlock or - exists(BasicBlock predBB | predBB.getASuccessor() = bb | reachableBB(predBB)) + exists(BasicBlock predBB | predBB.getASuccessor(_) = bb | reachableBB(predBB)) } /** diff --git a/go/ql/lib/semmle/go/dataflow/SSA.qll b/go/ql/lib/semmle/go/dataflow/SSA.qll index 98dae5f3d01..2c36051e3a7 100644 --- a/go/ql/lib/semmle/go/dataflow/SSA.qll +++ b/go/ql/lib/semmle/go/dataflow/SSA.qll 
@@ -285,7 +285,7 @@ abstract class SsaPseudoDefinition extends SsaImplicitDefinition { */ class SsaPhiNode extends SsaPseudoDefinition, TPhi { override SsaVariable getAnInput() { - result = getDefReachingEndOf(this.getBasicBlock().getAPredecessor(), this.getSourceVariable()) + result = getDefReachingEndOf(this.getBasicBlock().getAPredecessor(_), this.getSourceVariable()) } override predicate definesAt(ReachableBasicBlock bb, int i, SsaSourceVariable v) { diff --git a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll index 9689c998acf..a5db316b601 100644 --- a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll @@ -186,7 +186,7 @@ private module Internal { * Holds if `v` is live at the beginning of any successor of basic block `bb`. */ private predicate liveAtSuccEntry(ReachableBasicBlock bb, SsaSourceVariable v) { - liveAtEntry(bb.getASuccessor(), v) + liveAtEntry(bb.getASuccessor(_), v) } /** @@ -317,7 +317,7 @@ private module Internal { SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2 ) { varOccursInBlock(v, b1) and - b2 = b1.getASuccessor() + b2 = b1.getASuccessor(_) } /** @@ -335,7 +335,7 @@ private module Internal { ) { varBlockReaches(v, b1, mid) and not varOccursInBlock(v, mid) and - b2 = mid.getASuccessor() + b2 = mid.getASuccessor(_) } /** diff --git a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql index f6e3df7d1d9..a6321b7d7cb 100644 --- a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql +++ b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql 
@@ -45,7 +45,7 @@ predicate writesHttpError(ReachableBasicBlock b) { predicate onlyErrors(BasicBlock block) { writesHttpError(block) or - forex(ReachableBasicBlock pred | pred = block.getAPredecessor() | onlyErrors(pred)) + forex(ReachableBasicBlock pred | pred = block.getAPredecessor(_) | onlyErrors(pred)) } /** Gets a node that refers to a handler that is considered to return an HTTP error. */ From 52c510bfea20f4ff94ea9902a895284c8712d2b7 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 28 Jan 2026 16:41:37 +0000 Subject: [PATCH 05/25] Use shared `getScope` instead of `getRoot` --- go/ql/lib/semmle/go/controlflow/BasicBlocks.qll | 5 +---- go/ql/lib/semmle/go/dataflow/SSA.qll | 2 +- go/ql/lib/semmle/go/dataflow/SsaImpl.qll | 4 ++-- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll b/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll index 4352312e1b8..43b8c7e8dd3 100644 --- a/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll +++ b/go/ql/lib/semmle/go/controlflow/BasicBlocks.qll @@ -42,10 +42,7 @@ private module Input implements BB::InputSig { private module BbImpl = BB::Make; -class BasicBlock extends BbImpl::BasicBlock { - /** Gets the innermost function or file to which this basic block belongs. */ - ControlFlow::Root getRoot() { result = this.getScope() } -} +class BasicBlock = BbImpl::BasicBlock; class EntryBasicBlock = BbImpl::EntryBasicBlock; diff --git a/go/ql/lib/semmle/go/dataflow/SSA.qll b/go/ql/lib/semmle/go/dataflow/SSA.qll index 2c36051e3a7..69fffa393c1 100644 --- a/go/ql/lib/semmle/go/dataflow/SSA.qll +++ b/go/ql/lib/semmle/go/dataflow/SSA.qll 
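Review bot: In the `BasicBlocks.qll` hunk of patch 05, replacing `class BasicBlock extends BbImpl::BasicBlock { ... }` with the alias `class BasicBlock = BbImpl::BasicBlock;` removes `getRoot` outright, so any downstream query that still calls `BasicBlock.getRoot()` stops compiling on upgrade. Keeping the subclass for a deprecation period with `deprecated ControlFlow::Root getRoot() { result = this.getScope() }` would let custom queries migrate. That forwarding body is the one this hunk deletes, so no new logic is needed. The later change note documents the break but does not avoid it.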
@@ -144,7 +144,7 @@ class SsaDefinition extends TSsaDefinition { abstract string prettyPrintRef(); /** Gets the innermost function or file to which this SSA definition belongs. */ - ControlFlow::Root getRoot() { result = this.getBasicBlock().getRoot() } + ControlFlow::Root getRoot() { result = this.getBasicBlock().getScope() } /** Gets a textual representation of this element. */ string toString() { result = this.prettyPrintDef() } diff --git a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll index a5db316b601..026c8114f9f 100644 --- a/go/ql/lib/semmle/go/dataflow/SsaImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/SsaImpl.qll @@ -86,7 +86,7 @@ private module Internal { /** Holds if the `i`th node of `bb` in function `f` is an entry node. */ private predicate entryNode(FuncDef f, ReachableBasicBlock bb, int i) { - f = bb.getRoot() and + f = bb.getScope() and bb.getNode(i).isEntryNode() } @@ -94,7 +94,7 @@ private module Internal { * Holds if the `i`th node of `bb` in function `f` is a function call. */ private predicate callNode(FuncDef f, ReachableBasicBlock bb, int i) { - f = bb.getRoot() and + f = bb.getScope() and bb.getNode(i).(IR::EvalInstruction).getExpr() instanceof CallExpr } From e1cf0a15edbe3d1a943dea033d95fa5b6dd024ef Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 28 Jan 2026 21:57:11 +0000 Subject: [PATCH 06/25] Add change note --- .../lib/change-notes/2026-01-28-shared-basic-block-library.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md diff --git a/go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md b/go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md new file mode 100644 index 00000000000..ec795f8ff93 --- /dev/null +++ b/go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md 
@@ -0,0 +1,4 @@ +--- +category: breaking +--- +* The `BasicBlock` class is now defined using the shared basic blocks library. `BasicBlock.getRoot` has been replaced by `BasicBlock.getScope`. `BasicBlock.getAPrededecessor` and `BasicBlock.getASuccessor` now take a `SuccessorType` argument. `ReachableJoinBlock.inDominanceFrontierOf` has been removed, so use `BasicBlock.inDominanceFrontier` instead, swapping the receiver and the argument. From 2f29c905c3ce4f558b43a87fc529e1c7754fb17c Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> Date: Wed, 28 Jan 2026 22:39:08 +0000 Subject: [PATCH 07/25] Fix typo in change note Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md b/go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md index ec795f8ff93..f26aeb9c07a 100644 --- a/go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md +++ b/go/ql/lib/change-notes/2026-01-28-shared-basic-block-library.md 
@@ -1,4 +1,4 @@ --- category: breaking --- -* The `BasicBlock` class is now defined using the shared basic blocks library. `BasicBlock.getRoot` has been replaced by `BasicBlock.getScope`. `BasicBlock.getAPrededecessor` and `BasicBlock.getASuccessor` now take a `SuccessorType` argument. `ReachableJoinBlock.inDominanceFrontierOf` has been removed, so use `BasicBlock.inDominanceFrontier` instead, swapping the receiver and the argument. +* The `BasicBlock` class is now defined using the shared basic blocks library. `BasicBlock.getRoot` has been replaced by `BasicBlock.getScope`. `BasicBlock.getAPredecessor` and `BasicBlock.getASuccessor` now take a `SuccessorType` argument. `ReachableJoinBlock.inDominanceFrontierOf` has been removed, so use `BasicBlock.inDominanceFrontier` instead, swapping the receiver and the argument. From 0db542e9f0be08204e5391e73a708bb97c80886d Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Mon, 2 Feb 2026 12:09:09 +0000 Subject: [PATCH 08/25] Release preparation for version 2.24.1 --- actions/ql/lib/CHANGELOG.md | 6 ++++++ .../0.4.27.md} | 7 ++++--- actions/ql/lib/codeql-pack.release.yml | 2 +- actions/ql/lib/qlpack.yml | 2 +- actions/ql/src/CHANGELOG.md | 4 ++++ .../ql/src/change-notes/released/0.6.19.md | 3 +++ actions/ql/src/codeql-pack.release.yml | 2 +- actions/ql/src/qlpack.yml | 2 +- cpp/ql/lib/CHANGELOG.md | 18 ++++++++++++++++ cpp/ql/lib/change-notes/2026-01-19-embed.md | 4 ---- .../2026-01-19-parameterized-barrier-guard.md | 4 ---- .../change-notes/2026-01-23-as-definition.md | 4 ---- cpp/ql/lib/change-notes/2026-01-23-mysql.md | 4 ---- .../2026-01-26-buffer-overflow-fps.md | 4 ---- ...01-30-guard-condition-logical-operators.md | 4 ---- cpp/ql/lib/change-notes/released/7.1.0.md | 17 +++++++++++++++ cpp/ql/lib/codeql-pack.release.yml | 2 +- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/CHANGELOG.md | 4 ++++ cpp/ql/src/change-notes/released/1.5.10.md | 3 +++ cpp/ql/src/codeql-pack.release.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- .../ql/campaigns/Solorigate/lib/CHANGELOG.md | 4 ++++ .../lib/change-notes/released/1.7.58.md | 3 +++ .../Solorigate/lib/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- .../ql/campaigns/Solorigate/src/CHANGELOG.md | 4 ++++ .../src/change-notes/released/1.7.58.md | 3 +++ .../Solorigate/src/codeql-pack.release.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/CHANGELOG.md | 7 +++++++ ...2026-01-14-null-conditional-assignments.md | 4 ---- .../2026-01-16-summarized-callable.md | 4 ---- csharp/ql/lib/change-notes/released/5.4.6.md | 6 ++++++ csharp/ql/lib/codeql-pack.release.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/CHANGELOG.md | 4 ++++ csharp/ql/src/change-notes/released/1.6.1.md | 3 +++ csharp/ql/src/codeql-pack.release.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/consistency-queries/CHANGELOG.md | 4 ++++ 
.../change-notes/released/1.0.41.md | 3 +++ .../codeql-pack.release.yml | 2 +- go/ql/consistency-queries/qlpack.yml | 2 +- go/ql/lib/CHANGELOG.md | 6 ++++++ .../ql/lib/change-notes/released/6.0.1.md | 7 ++++--- go/ql/lib/codeql-pack.release.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/CHANGELOG.md | 4 ++++ go/ql/src/change-notes/released/1.5.5.md | 3 +++ go/ql/src/codeql-pack.release.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/CHANGELOG.md | 21 +++++++++++++++++++ .../lib/change-notes/2026-01-07-kotlin-2_3.md | 4 ---- ...6-01-07-kotlin-mimimum_suppoted_version.md | 4 ---- .../2026-01-09-maven-plugin-registries.md | 4 ---- .../2026-01-26-kotlin-extractor-load-last.md | 4 ---- .../2026-01-27-struts-7-support.md | 4 ---- .../2026-01-27-unreleased-lock-pools.md | 4 ---- java/ql/lib/change-notes/released/8.0.0.md | 20 ++++++++++++++++++ java/ql/lib/codeql-pack.release.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/CHANGELOG.md | 4 ++++ java/ql/src/change-notes/released/1.10.6.md | 3 +++ java/ql/src/codeql-pack.release.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/CHANGELOG.md | 6 ++++++ .../ql/lib/change-notes/released/2.6.21.md | 7 ++++--- javascript/ql/lib/codeql-pack.release.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/CHANGELOG.md | 4 ++++ .../ql/src/change-notes/released/2.3.1.md | 3 +++ javascript/ql/src/codeql-pack.release.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- misc/suite-helpers/CHANGELOG.md | 4 ++++ .../change-notes/released/1.0.41.md | 3 +++ misc/suite-helpers/codeql-pack.release.yml | 2 +- misc/suite-helpers/qlpack.yml | 2 +- python/ql/lib/CHANGELOG.md | 13 ++++++++++++ .../lib/change-notes/2025-12-01-websockets.md | 4 ---- .../2026-01-02-prompt-injection.md | 5 ----- .../2026-01-16-summarized-callable.md | 4 ---- ...01-20-support-ListElement-in-python-MaD.md | 4 ---- python/ql/lib/change-notes/released/6.1.0.md | 12 +++++++++++ python/ql/lib/codeql-pack.release.yml | 2 +- python/ql/lib/qlpack.yml | 2 
+- python/ql/src/CHANGELOG.md | 4 ++++ python/ql/src/change-notes/released/1.7.6.md | 3 +++ python/ql/src/codeql-pack.release.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/CHANGELOG.md | 6 ++++++ .../2026-01-16-summarized-callable.md | 4 ---- .../ql/lib/change-notes/released/5.1.9.md | 7 ++++--- ruby/ql/lib/codeql-pack.release.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/CHANGELOG.md | 4 ++++ ruby/ql/src/change-notes/released/1.5.6.md | 3 +++ ruby/ql/src/codeql-pack.release.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- rust/ql/lib/CHANGELOG.md | 9 +++++++- .../2026-01-16-summarized-callable.md | 4 ---- .../2026-01-16-type-inference-closures.md | 4 ---- rust/ql/lib/change-notes/released/0.2.5.md | 6 ++++++ rust/ql/lib/codeql-pack.release.yml | 2 +- rust/ql/lib/qlpack.yml | 2 +- rust/ql/src/CHANGELOG.md | 4 ++++ rust/ql/src/change-notes/released/0.1.26.md | 3 +++ rust/ql/src/codeql-pack.release.yml | 2 +- rust/ql/src/qlpack.yml | 2 +- shared/concepts/CHANGELOG.md | 4 ++++ .../concepts/change-notes/released/0.0.15.md | 3 +++ shared/concepts/codeql-pack.release.yml | 2 +- shared/concepts/qlpack.yml | 2 +- shared/controlflow/CHANGELOG.md | 4 ++++ .../change-notes/released/2.0.25.md | 3 +++ shared/controlflow/codeql-pack.release.yml | 2 +- shared/controlflow/qlpack.yml | 2 +- shared/dataflow/CHANGELOG.md | 4 ++++ .../dataflow/change-notes/released/2.0.25.md | 3 +++ shared/dataflow/codeql-pack.release.yml | 2 +- shared/dataflow/qlpack.yml | 2 +- shared/mad/CHANGELOG.md | 4 ++++ shared/mad/change-notes/released/1.0.41.md | 3 +++ shared/mad/codeql-pack.release.yml | 2 +- shared/mad/qlpack.yml | 2 +- shared/quantum/CHANGELOG.md | 4 ++++ .../quantum/change-notes/released/0.0.19.md | 3 +++ shared/quantum/codeql-pack.release.yml | 2 +- shared/quantum/qlpack.yml | 2 +- shared/rangeanalysis/CHANGELOG.md | 4 ++++ .../change-notes/released/1.0.41.md | 3 +++ shared/rangeanalysis/codeql-pack.release.yml | 2 +- shared/rangeanalysis/qlpack.yml | 2 +- 
shared/regex/CHANGELOG.md | 4 ++++ shared/regex/change-notes/released/1.0.41.md | 3 +++ shared/regex/codeql-pack.release.yml | 2 +- shared/regex/qlpack.yml | 2 +- shared/ssa/CHANGELOG.md | 4 ++++ shared/ssa/change-notes/released/2.0.17.md | 3 +++ shared/ssa/codeql-pack.release.yml | 2 +- shared/ssa/qlpack.yml | 2 +- shared/threat-models/CHANGELOG.md | 4 ++++ .../change-notes/released/1.0.41.md | 3 +++ shared/threat-models/codeql-pack.release.yml | 2 +- shared/threat-models/qlpack.yml | 2 +- shared/tutorial/CHANGELOG.md | 4 ++++ .../tutorial/change-notes/released/1.0.41.md | 3 +++ shared/tutorial/codeql-pack.release.yml | 2 +- shared/tutorial/qlpack.yml | 2 +- shared/typeflow/CHANGELOG.md | 4 ++++ .../typeflow/change-notes/released/1.0.41.md | 3 +++ shared/typeflow/codeql-pack.release.yml | 2 +- shared/typeflow/qlpack.yml | 2 +- shared/typeinference/CHANGELOG.md | 4 ++++ .../change-notes/released/0.0.22.md | 3 +++ shared/typeinference/codeql-pack.release.yml | 2 +- shared/typeinference/qlpack.yml | 2 +- shared/typetracking/CHANGELOG.md | 4 ++++ .../change-notes/released/2.0.25.md | 3 +++ shared/typetracking/codeql-pack.release.yml | 2 +- shared/typetracking/qlpack.yml | 2 +- shared/typos/CHANGELOG.md | 4 ++++ shared/typos/change-notes/released/1.0.41.md | 3 +++ shared/typos/codeql-pack.release.yml | 2 +- shared/typos/qlpack.yml | 2 +- shared/util/CHANGELOG.md | 4 ++++ shared/util/change-notes/released/2.0.28.md | 3 +++ shared/util/codeql-pack.release.yml | 2 +- shared/util/qlpack.yml | 2 +- shared/xml/CHANGELOG.md | 4 ++++ shared/xml/change-notes/released/1.0.41.md | 3 +++ shared/xml/codeql-pack.release.yml | 2 +- shared/xml/qlpack.yml | 2 +- shared/yaml/CHANGELOG.md | 4 ++++ shared/yaml/change-notes/released/1.0.41.md | 3 +++ shared/yaml/codeql-pack.release.yml | 2 +- shared/yaml/qlpack.yml | 2 +- swift/ql/lib/CHANGELOG.md | 6 ++++++ .../2026-01-16-summarized-callable.md | 4 ---- .../ql/lib/change-notes/released/6.2.1.md | 7 ++++--- 
swift/ql/lib/codeql-pack.release.yml | 2 +- swift/ql/lib/qlpack.yml | 2 +- swift/ql/src/CHANGELOG.md | 4 ++++ swift/ql/src/change-notes/released/1.2.15.md | 3 +++ swift/ql/src/codeql-pack.release.yml | 2 +- swift/ql/src/qlpack.yml | 2 +- 186 files changed, 477 insertions(+), 187 deletions(-) rename actions/ql/lib/change-notes/{2026-01-23-long-expression-fix.md => released/0.4.27.md} (78%) create mode 100644 actions/ql/src/change-notes/released/0.6.19.md delete mode 100644 cpp/ql/lib/change-notes/2026-01-19-embed.md delete mode 100644 cpp/ql/lib/change-notes/2026-01-19-parameterized-barrier-guard.md delete mode 100644 cpp/ql/lib/change-notes/2026-01-23-as-definition.md delete mode 100644 cpp/ql/lib/change-notes/2026-01-23-mysql.md delete mode 100644 cpp/ql/lib/change-notes/2026-01-26-buffer-overflow-fps.md delete mode 100644 cpp/ql/lib/change-notes/2026-01-30-guard-condition-logical-operators.md create mode 100644 cpp/ql/lib/change-notes/released/7.1.0.md create mode 100644 cpp/ql/src/change-notes/released/1.5.10.md create mode 100644 csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.58.md create mode 100644 csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.58.md delete mode 100644 csharp/ql/lib/change-notes/2026-01-14-null-conditional-assignments.md delete mode 100644 csharp/ql/lib/change-notes/2026-01-16-summarized-callable.md create mode 100644 csharp/ql/lib/change-notes/released/5.4.6.md create mode 100644 csharp/ql/src/change-notes/released/1.6.1.md create mode 100644 go/ql/consistency-queries/change-notes/released/1.0.41.md rename javascript/ql/lib/change-notes/2026-01-16-summarized-callable.md => go/ql/lib/change-notes/released/6.0.1.md (85%) create mode 100644 go/ql/src/change-notes/released/1.5.5.md delete mode 100644 java/ql/lib/change-notes/2026-01-07-kotlin-2_3.md delete mode 100644 java/ql/lib/change-notes/2026-01-07-kotlin-mimimum_suppoted_version.md delete mode 100644 java/ql/lib/change-notes/2026-01-09-maven-plugin-registries.md 
delete mode 100644 java/ql/lib/change-notes/2026-01-26-kotlin-extractor-load-last.md delete mode 100644 java/ql/lib/change-notes/2026-01-27-struts-7-support.md delete mode 100644 java/ql/lib/change-notes/2026-01-27-unreleased-lock-pools.md create mode 100644 java/ql/lib/change-notes/released/8.0.0.md create mode 100644 java/ql/src/change-notes/released/1.10.6.md rename java/ql/lib/change-notes/2026-01-16-summarized-callable.md => javascript/ql/lib/change-notes/released/2.6.21.md (85%) create mode 100644 javascript/ql/src/change-notes/released/2.3.1.md create mode 100644 misc/suite-helpers/change-notes/released/1.0.41.md delete mode 100644 python/ql/lib/change-notes/2025-12-01-websockets.md delete mode 100644 python/ql/lib/change-notes/2026-01-02-prompt-injection.md delete mode 100644 python/ql/lib/change-notes/2026-01-16-summarized-callable.md delete mode 100644 python/ql/lib/change-notes/2026-01-20-support-ListElement-in-python-MaD.md create mode 100644 python/ql/lib/change-notes/released/6.1.0.md create mode 100644 python/ql/src/change-notes/released/1.7.6.md delete mode 100644 ruby/ql/lib/change-notes/2026-01-16-summarized-callable.md rename cpp/ql/lib/change-notes/2026-01-16-summarized-callable.md => ruby/ql/lib/change-notes/released/5.1.9.md (85%) create mode 100644 ruby/ql/src/change-notes/released/1.5.6.md delete mode 100644 rust/ql/lib/change-notes/2026-01-16-summarized-callable.md delete mode 100644 rust/ql/lib/change-notes/2026-01-16-type-inference-closures.md create mode 100644 rust/ql/lib/change-notes/released/0.2.5.md create mode 100644 rust/ql/src/change-notes/released/0.1.26.md create mode 100644 shared/concepts/change-notes/released/0.0.15.md create mode 100644 shared/controlflow/change-notes/released/2.0.25.md create mode 100644 shared/dataflow/change-notes/released/2.0.25.md create mode 100644 shared/mad/change-notes/released/1.0.41.md create mode 100644 shared/quantum/change-notes/released/0.0.19.md create mode 100644 
shared/rangeanalysis/change-notes/released/1.0.41.md create mode 100644 shared/regex/change-notes/released/1.0.41.md create mode 100644 shared/ssa/change-notes/released/2.0.17.md create mode 100644 shared/threat-models/change-notes/released/1.0.41.md create mode 100644 shared/tutorial/change-notes/released/1.0.41.md create mode 100644 shared/typeflow/change-notes/released/1.0.41.md create mode 100644 shared/typeinference/change-notes/released/0.0.22.md create mode 100644 shared/typetracking/change-notes/released/2.0.25.md create mode 100644 shared/typos/change-notes/released/1.0.41.md create mode 100644 shared/util/change-notes/released/2.0.28.md create mode 100644 shared/xml/change-notes/released/1.0.41.md create mode 100644 shared/yaml/change-notes/released/1.0.41.md delete mode 100644 swift/ql/lib/change-notes/2026-01-16-summarized-callable.md rename go/ql/lib/change-notes/2026-01-16-summarized-callable.md => swift/ql/lib/change-notes/released/6.2.1.md (85%) create mode 100644 swift/ql/src/change-notes/released/1.2.15.md diff --git a/actions/ql/lib/CHANGELOG.md b/actions/ql/lib/CHANGELOG.md index 1759333d659..d2e85ddb6a2 100644 --- a/actions/ql/lib/CHANGELOG.md +++ b/actions/ql/lib/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.4.27 + +### Bug Fixes + +* Fixed a crash when analysing a `${{ ... }}` expression over around 300 characters in length. + ## 0.4.26 ### Major Analysis Improvements diff --git a/actions/ql/lib/change-notes/2026-01-23-long-expression-fix.md b/actions/ql/lib/change-notes/released/0.4.27.md similarity index 78% rename from actions/ql/lib/change-notes/2026-01-23-long-expression-fix.md rename to actions/ql/lib/change-notes/released/0.4.27.md index 31adf6058a7..d56c7bd36e8 100644 --- a/actions/ql/lib/change-notes/2026-01-23-long-expression-fix.md +++ b/actions/ql/lib/change-notes/released/0.4.27.md 
@@ -1,4 +1,5 @@ ---- -category: fix ---- +## 0.4.27 + +### Bug Fixes + * Fixed a crash when analysing a `${{ ... }}` expression over around 300 characters in length. diff --git a/actions/ql/lib/codeql-pack.release.yml b/actions/ql/lib/codeql-pack.release.yml index 06a4605c767..5e24b634389 100644 --- a/actions/ql/lib/codeql-pack.release.yml +++ b/actions/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.4.26 +lastReleaseVersion: 0.4.27 diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml index 27d4fa665e9..aa29568caf7 100644 --- a/actions/ql/lib/qlpack.yml +++ b/actions/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-all -version: 0.4.27-dev +version: 0.4.27 library: true warnOnImplicitThis: true dependencies: diff --git a/actions/ql/src/CHANGELOG.md b/actions/ql/src/CHANGELOG.md index f667d284185..ebf6b7214c9 100644 --- a/actions/ql/src/CHANGELOG.md +++ b/actions/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.6.19 + +No user-facing changes. + ## 0.6.18 No user-facing changes. diff --git a/actions/ql/src/change-notes/released/0.6.19.md b/actions/ql/src/change-notes/released/0.6.19.md new file mode 100644 index 00000000000..db142fe8aed --- /dev/null +++ b/actions/ql/src/change-notes/released/0.6.19.md @@ -0,0 +1,3 @@ +## 0.6.19 + +No user-facing changes. diff --git a/actions/ql/src/codeql-pack.release.yml b/actions/ql/src/codeql-pack.release.yml index b694a16787b..2baec50a823 100644 --- a/actions/ql/src/codeql-pack.release.yml +++ b/actions/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.6.18 +lastReleaseVersion: 0.6.19 diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml index e93b555f030..7b9f281601a 100644 --- a/actions/ql/src/qlpack.yml +++ b/actions/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-queries -version: 0.6.19-dev +version: 0.6.19 library: false warnOnImplicitThis: true groups: [actions, queries] 
diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md index a626fec99ae..9aa9e9953b5 100644 --- a/cpp/ql/lib/CHANGELOG.md +++ b/cpp/ql/lib/CHANGELOG.md @@ -1,3 +1,21 @@ +## 7.1.0 + +### New Features + +* Added a subclass `Embed` of `PreprocessorDirective` for C23 and C++26 `#embed` preprocessor directives. +* Added modules `DataFlow::ParameterizedBarrierGuard` and `DataFlow::ParameterizedInstructionBarrierGuard`. These modules provide the same features as `DataFlow::BarrierGuard` and `DataFlow::InstructionBarrierGuard`, but allow for an additional parameter to support properly using them in dataflow configurations that uses flow states. + +### Minor Analysis Improvements + +* The `Buffer.qll` library will no longer report incorrect buffer sizes on certain malformed databases. As a result, the queries `cpp/static-buffer-overflow`, `cpp/overflow-buffer`, `cpp/badly-bounded-write`, `cpp/overrunning-write`, `cpp/overrunning-write-with-float`, and `cpp/very-likely-overrunning-write` will report fewer false positives on such databases. +* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions. +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. + +### Bug Fixes + +* Fixed a bug in the `GuardCondition` library which sometimes prevented binary logical operators from being recognized as guard conditions. As a result, queries using `GuardCondition` may see improved results. +* Fixed a bug which caused `Node.asDefinition()` to not have a result for certain assignments. + ## 7.0.0 ### Breaking Changes diff --git a/cpp/ql/lib/change-notes/2026-01-19-embed.md b/cpp/ql/lib/change-notes/2026-01-19-embed.md deleted file mode 100644 index 26d495277b5..00000000000 
--- a/cpp/ql/lib/change-notes/2026-01-19-embed.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a subclass `Embed` of `PreprocessorDirective` for C23 and C++26 `#embed` preprocessor directives.
diff --git a/cpp/ql/lib/change-notes/2026-01-19-parameterized-barrier-guard.md b/cpp/ql/lib/change-notes/2026-01-19-parameterized-barrier-guard.md
deleted file mode 100644
index 4f2d754c0b8..00000000000
--- a/cpp/ql/lib/change-notes/2026-01-19-parameterized-barrier-guard.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added modules `DataFlow::ParameterizedBarrierGuard` and `DataFlow::ParameterizedInstructionBarrierGuard`. These modules provide the same features as `DataFlow::BarrierGuard` and `DataFlow::InstructionBarrierGuard`, but allow for an additional parameter to support properly using them in dataflow configurations that uses flow states.
\ No newline at end of file
diff --git a/cpp/ql/lib/change-notes/2026-01-23-as-definition.md b/cpp/ql/lib/change-notes/2026-01-23-as-definition.md
deleted file mode 100644
index 1f18562cdcd..00000000000
--- a/cpp/ql/lib/change-notes/2026-01-23-as-definition.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed a bug which caused `Node.asDefinition()` to not have a result for certain assignments.
\ No newline at end of file
diff --git a/cpp/ql/lib/change-notes/2026-01-23-mysql.md b/cpp/ql/lib/change-notes/2026-01-23-mysql.md
deleted file mode 100644
index ee4268f8152..00000000000
--- a/cpp/ql/lib/change-notes/2026-01-23-mysql.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions.
diff --git a/cpp/ql/lib/change-notes/2026-01-26-buffer-overflow-fps.md b/cpp/ql/lib/change-notes/2026-01-26-buffer-overflow-fps.md
deleted file mode 100644
index ea9a5ccf798..00000000000
--- a/cpp/ql/lib/change-notes/2026-01-26-buffer-overflow-fps.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `Buffer.qll` library will no longer report incorrect buffer sizes on certain malformed databases. As a result, the queries `cpp/static-buffer-overflow`, `cpp/overflow-buffer`, `cpp/badly-bounded-write`, `cpp/overrunning-write`, `cpp/overrunning-write-with-float`, and `cpp/very-likely-overrunning-write` will report fewer false positives on such databases.
\ No newline at end of file
diff --git a/cpp/ql/lib/change-notes/2026-01-30-guard-condition-logical-operators.md b/cpp/ql/lib/change-notes/2026-01-30-guard-condition-logical-operators.md
deleted file mode 100644
index 646d9b3821f..00000000000
--- a/cpp/ql/lib/change-notes/2026-01-30-guard-condition-logical-operators.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed a bug in the `GuardCondition` library which sometimes prevented binary logical operators from being recognized as guard conditions. As a result, queries using `GuardCondition` may see improved results.
\ No newline at end of file
diff --git a/cpp/ql/lib/change-notes/released/7.1.0.md b/cpp/ql/lib/change-notes/released/7.1.0.md
new file mode 100644
index 00000000000..7565cb4dab9
--- /dev/null
+++ b/cpp/ql/lib/change-notes/released/7.1.0.md
@@ -0,0 +1,17 @@ +## 7.1.0 + +### New Features + +* Added a subclass `Embed` of `PreprocessorDirective` for C23 and C++26 `#embed` preprocessor directives. +* Added modules `DataFlow::ParameterizedBarrierGuard` and `DataFlow::ParameterizedInstructionBarrierGuard`. These modules provide the same features as `DataFlow::BarrierGuard` and `DataFlow::InstructionBarrierGuard`, but allow for an additional parameter to support properly using them in dataflow configurations that uses flow states. + +### Minor Analysis Improvements + +* The `Buffer.qll` library will no longer report incorrect buffer sizes on certain malformed databases. As a result, the queries `cpp/static-buffer-overflow`, `cpp/overflow-buffer`, `cpp/badly-bounded-write`, `cpp/overrunning-write`, `cpp/overrunning-write-with-float`, and `cpp/very-likely-overrunning-write` will report fewer false positives on such databases. +* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions. +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. + +### Bug Fixes + +* Fixed a bug in the `GuardCondition` library which sometimes prevented binary logical operators from being recognized as guard conditions. As a result, queries using `GuardCondition` may see improved results. +* Fixed a bug which caused `Node.asDefinition()` to not have a result for certain assignments. diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml index e0db21c7869..dcaaa76112a 100644 --- a/cpp/ql/lib/codeql-pack.release.yml +++ b/cpp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 7.0.0 +lastReleaseVersion: 7.1.0 
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index 4ee4779041d..ac07194106a 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 7.0.1-dev +version: 7.1.0 groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md index 02a055ee266..61792c6a700 100644 --- a/cpp/ql/src/CHANGELOG.md +++ b/cpp/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.5.10 + +No user-facing changes. + ## 1.5.9 ### Minor Analysis Improvements diff --git a/cpp/ql/src/change-notes/released/1.5.10.md b/cpp/ql/src/change-notes/released/1.5.10.md new file mode 100644 index 00000000000..829c5f1f1a1 --- /dev/null +++ b/cpp/ql/src/change-notes/released/1.5.10.md @@ -0,0 +1,3 @@ +## 1.5.10 + +No user-facing changes. diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml index 5ac7d08bfbf..fda54b31bff 100644 --- a/cpp/ql/src/codeql-pack.release.yml +++ b/cpp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.5.9 +lastReleaseVersion: 1.5.10 diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index 30fd4696695..232836a053d 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 1.5.10-dev +version: 1.5.10 groups: - cpp - queries diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md index 029e03a4c9e..68238efa110 100644 --- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.58 + +No user-facing changes. + ## 1.7.57 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.58.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.58.md new file mode 100644 index 00000000000..b6b1debf611 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.58.md 
@@ -0,0 +1,3 @@ +## 1.7.58 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml index 4b2fd88d6a3..422196097f2 100644 --- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.57 +lastReleaseVersion: 1.7.58 diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index 59e35f8f8a2..09feed99265 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.7.58-dev +version: 1.7.58 groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md index 029e03a4c9e..68238efa110 100644 --- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md +++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.58 + +No user-facing changes. + ## 1.7.57 No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.58.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.58.md new file mode 100644 index 00000000000..b6b1debf611 --- /dev/null +++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.58.md @@ -0,0 +1,3 @@ +## 1.7.58 + +No user-facing changes. diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml index 4b2fd88d6a3..422196097f2 100644 --- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml +++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.57 +lastReleaseVersion: 1.7.58 
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index a37381968ef..6f7ea3b625b 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.7.58-dev +version: 1.7.58 groups: - csharp - solorigate diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md index 371e10c370a..2910824c1b7 100644 --- a/csharp/ql/lib/CHANGELOG.md +++ b/csharp/ql/lib/CHANGELOG.md @@ -1,3 +1,10 @@ +## 5.4.6 + +### Minor Analysis Improvements + +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. +* C# 14: Support for null-conditional assignments (such as `c?.Prop = p`). Furthermore, the `MaybeNullExpr` class now takes null-conditional access (such as `?.`) into account when modeling potential null values. + ## 5.4.5 ### Minor Analysis Improvements diff --git a/csharp/ql/lib/change-notes/2026-01-14-null-conditional-assignments.md b/csharp/ql/lib/change-notes/2026-01-14-null-conditional-assignments.md deleted file mode 100644 index ebce4c187e0..00000000000 --- a/csharp/ql/lib/change-notes/2026-01-14-null-conditional-assignments.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* C# 14: Support for null-conditional assignments (such as `c?.Prop = p`). Furthermore, the `MaybeNullExpr` class now takes null-conditional access (such as `?.`) into account when modeling potential null values. diff --git a/csharp/ql/lib/change-notes/2026-01-16-summarized-callable.md b/csharp/ql/lib/change-notes/2026-01-16-summarized-callable.md deleted file mode 100644 index 02c453207d4..00000000000 --- a/csharp/ql/lib/change-notes/2026-01-16-summarized-callable.md +++ /dev/null 
@@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. \ No newline at end of file diff --git a/csharp/ql/lib/change-notes/released/5.4.6.md b/csharp/ql/lib/change-notes/released/5.4.6.md new file mode 100644 index 00000000000..31fab7d4be8 --- /dev/null +++ b/csharp/ql/lib/change-notes/released/5.4.6.md @@ -0,0 +1,6 @@ +## 5.4.6 + +### Minor Analysis Improvements + +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. +* C# 14: Support for null-conditional assignments (such as `c?.Prop = p`). Furthermore, the `MaybeNullExpr` class now takes null-conditional access (such as `?.`) into account when modeling potential null values. diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml index e79e40bd1d8..2f1d6ff78a8 100644 --- a/csharp/ql/lib/codeql-pack.release.yml +++ b/csharp/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 5.4.5 +lastReleaseVersion: 5.4.6 diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index 235030e2601..28d4a36b3ab 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 5.4.6-dev +version: 5.4.6 groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md index b3c3276ae5c..d532951fadc 100644 --- a/csharp/ql/src/CHANGELOG.md +++ b/csharp/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.6.1 + +No user-facing changes. + ## 1.6.0 ### Query Metadata Changes 
diff --git a/csharp/ql/src/change-notes/released/1.6.1.md b/csharp/ql/src/change-notes/released/1.6.1.md new file mode 100644 index 00000000000..898f6201ed7 --- /dev/null +++ b/csharp/ql/src/change-notes/released/1.6.1.md @@ -0,0 +1,3 @@ +## 1.6.1 + +No user-facing changes. diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml index c4f0b07d533..ef7a789e0cf 100644 --- a/csharp/ql/src/codeql-pack.release.yml +++ b/csharp/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.6.0 +lastReleaseVersion: 1.6.1 diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index 2ea09521187..85d9dbf9ead 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 1.6.1-dev +version: 1.6.1 groups: - csharp - queries diff --git a/go/ql/consistency-queries/CHANGELOG.md b/go/ql/consistency-queries/CHANGELOG.md index 8718668249f..d0c8171cdf6 100644 --- a/go/ql/consistency-queries/CHANGELOG.md +++ b/go/ql/consistency-queries/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/go/ql/consistency-queries/change-notes/released/1.0.41.md b/go/ql/consistency-queries/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/go/ql/consistency-queries/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/go/ql/consistency-queries/codeql-pack.release.yml b/go/ql/consistency-queries/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/go/ql/consistency-queries/codeql-pack.release.yml +++ b/go/ql/consistency-queries/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml index b164141b828..c07633f30b9 100644 --- a/go/ql/consistency-queries/qlpack.yml 
+++ b/go/ql/consistency-queries/qlpack.yml @@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 1.0.41-dev +version: 1.0.41 groups: - go - queries diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md index 97391d2342a..126058537ce 100644 --- a/go/ql/lib/CHANGELOG.md +++ b/go/ql/lib/CHANGELOG.md @@ -1,3 +1,9 @@ +## 6.0.1 + +### Minor Analysis Improvements + +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. + ## 6.0.0 ### Breaking Changes diff --git a/javascript/ql/lib/change-notes/2026-01-16-summarized-callable.md b/go/ql/lib/change-notes/released/6.0.1.md similarity index 85% rename from javascript/ql/lib/change-notes/2026-01-16-summarized-callable.md rename to go/ql/lib/change-notes/released/6.0.1.md index b6e5101617e..7b5e8dad5a8 100644 --- a/javascript/ql/lib/change-notes/2026-01-16-summarized-callable.md +++ b/go/ql/lib/change-notes/released/6.0.1.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 6.0.1 + +### Minor Analysis Improvements + * The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml index f8c4fa43ccb..d1f3c68c812 100644 --- a/go/ql/lib/codeql-pack.release.yml +++ b/go/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 6.0.0 +lastReleaseVersion: 6.0.1 diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index 669112f115d..af34da5d7d5 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 6.0.1-dev +version: 6.0.1 groups: go dbscheme: go.dbscheme extractor: go 
diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md index 8a2f1355eec..f2475a92207 100644 --- a/go/ql/src/CHANGELOG.md +++ b/go/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.5.5 + +No user-facing changes. + ## 1.5.4 No user-facing changes. diff --git a/go/ql/src/change-notes/released/1.5.5.md b/go/ql/src/change-notes/released/1.5.5.md new file mode 100644 index 00000000000..76d0ac89489 --- /dev/null +++ b/go/ql/src/change-notes/released/1.5.5.md @@ -0,0 +1,3 @@ +## 1.5.5 + +No user-facing changes. diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml index c216828ee1c..1c73e9d9ce9 100644 --- a/go/ql/src/codeql-pack.release.yml +++ b/go/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.5.4 +lastReleaseVersion: 1.5.5 diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index da64d00094f..20e25202476 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 1.5.5-dev +version: 1.5.5 groups: - go - queries diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index cd0db2ab96f..a100137879d 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md 
@@ -1,3 +1,24 @@ +## 8.0.0 + +### Breaking Changes + +* Support for Kotlin 1.6.x and 1.7.x series has been dropped + +### New Features + +* Kotlin versions up to 2.3.0\ *x* are now supported. + +### Minor Analysis Improvements + +* Added support for Struts 7.x package names in the Struts framework library. The library now recognizes both the legacy `com.opensymphony.xwork2` package names (Struts 2.x-6.x) and the new `org.apache.struts2` package names (Struts 7.x+), maintaining backward compatibility while enabling analysis of code using the latest Struts versions. +* The query `java/unreleased-lock` no longer applies to lock types with names ending in "Pool", as these typically manage a collection of resources and the `lock` and `unlock` methods typically only lock one resource at a time. This may lead to a reduction in false positives. +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. +* When Maven-compatible private package registries are configured for an organisation for Default Setup, CodeQL will now configure Maven to also use these as plugin repositories. CodeQL previously already configured Maven to use them as regular package repositories. This should now allow Maven plugins to be obtained from private registries. + +### Bug Fixes + +* Kotlin: The Kotlin extractor now registers as the last IR generation extension, ensuring that code generated by other compiler plugins (such as kotlinx.serialization) is correctly captured. + ## 7.8.4 ### Minor Analysis Improvements diff --git a/java/ql/lib/change-notes/2026-01-07-kotlin-2_3.md b/java/ql/lib/change-notes/2026-01-07-kotlin-2_3.md deleted file mode 100644 index 82253f0e5e8..00000000000 --- a/java/ql/lib/change-notes/2026-01-07-kotlin-2_3.md +++ /dev/null 
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Kotlin versions up to 2.3.0\ *x* are now supported.
diff --git a/java/ql/lib/change-notes/2026-01-07-kotlin-mimimum_suppoted_version.md b/java/ql/lib/change-notes/2026-01-07-kotlin-mimimum_suppoted_version.md
deleted file mode 100644
index 6877579f6c6..00000000000
--- a/java/ql/lib/change-notes/2026-01-07-kotlin-mimimum_suppoted_version.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: breaking
----
-* Support for Kotlin 1.6.x and 1.7.x series has been dropped
diff --git a/java/ql/lib/change-notes/2026-01-09-maven-plugin-registries.md b/java/ql/lib/change-notes/2026-01-09-maven-plugin-registries.md
deleted file mode 100644
index d3d42e9325b..00000000000
--- a/java/ql/lib/change-notes/2026-01-09-maven-plugin-registries.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* When Maven-compatible private package registries are configured for an organisation for Default Setup, CodeQL will now configure Maven to also use these as plugin repositories. CodeQL previously already configured Maven to use them as regular package repositories. This should now allow Maven plugins to be obtained from private registries.
diff --git a/java/ql/lib/change-notes/2026-01-26-kotlin-extractor-load-last.md b/java/ql/lib/change-notes/2026-01-26-kotlin-extractor-load-last.md
deleted file mode 100644
index e6b496073b9..00000000000
--- a/java/ql/lib/change-notes/2026-01-26-kotlin-extractor-load-last.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: fix
----
-* Kotlin: The Kotlin extractor now registers as the last IR generation extension, ensuring that code generated by other compiler plugins (such as kotlinx.serialization) is correctly captured.
diff --git a/java/ql/lib/change-notes/2026-01-27-struts-7-support.md b/java/ql/lib/change-notes/2026-01-27-struts-7-support.md
deleted file mode 100644
index a94a03567ee..00000000000
--- a/java/ql/lib/change-notes/2026-01-27-struts-7-support.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for Struts 7.x package names in the Struts framework library. The library now recognizes both the legacy `com.opensymphony.xwork2` package names (Struts 2.x-6.x) and the new `org.apache.struts2` package names (Struts 7.x+), maintaining backward compatibility while enabling analysis of code using the latest Struts versions.
diff --git a/java/ql/lib/change-notes/2026-01-27-unreleased-lock-pools.md b/java/ql/lib/change-notes/2026-01-27-unreleased-lock-pools.md
deleted file mode 100644
index 6ac8a19a762..00000000000
--- a/java/ql/lib/change-notes/2026-01-27-unreleased-lock-pools.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The query `java/unreleased-lock` no longer applies to lock types with names ending in "Pool", as these typically manage a collection of resources and the `lock` and `unlock` methods typically only lock one resource at a time. This may lead to a reduction in false positives.
diff --git a/java/ql/lib/change-notes/released/8.0.0.md b/java/ql/lib/change-notes/released/8.0.0.md
new file mode 100644
index 00000000000..cf6f8f52f97
--- /dev/null
+++ b/java/ql/lib/change-notes/released/8.0.0.md
@@ -0,0 +1,20 @@ +## 8.0.0 + +### Breaking Changes + +* Support for Kotlin 1.6.x and 1.7.x series has been dropped + +### New Features + +* Kotlin versions up to 2.3.0\ *x* are now supported. + +### Minor Analysis Improvements + +* Added support for Struts 7.x package names in the Struts framework library. The library now recognizes both the legacy `com.opensymphony.xwork2` package names (Struts 2.x-6.x) and the new `org.apache.struts2` package names (Struts 7.x+), maintaining backward compatibility while enabling analysis of code using the latest Struts versions. +* The query `java/unreleased-lock` no longer applies to lock types with names ending in "Pool", as these typically manage a collection of resources and the `lock` and `unlock` methods typically only lock one resource at a time. This may lead to a reduction in false positives. +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. +* When Maven-compatible private package registries are configured for an organisation for Default Setup, CodeQL will now configure Maven to also use these as plugin repositories. CodeQL previously already configured Maven to use them as regular package repositories. This should now allow Maven plugins to be obtained from private registries. + +### Bug Fixes + +* Kotlin: The Kotlin extractor now registers as the last IR generation extension, ensuring that code generated by other compiler plugins (such as kotlinx.serialization) is correctly captured. diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml index c8145c25bf6..0f48687270d 100644 --- a/java/ql/lib/codeql-pack.release.yml +++ b/java/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 7.8.4 +lastReleaseVersion: 8.0.0 
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index 37de3eb6f72..eb1a7f632c7 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 7.8.5-dev +version: 8.0.0 groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md index 113c024d14a..a7307229a49 100644 --- a/java/ql/src/CHANGELOG.md +++ b/java/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.10.6 + +No user-facing changes. + ## 1.10.5 ### Minor Analysis Improvements diff --git a/java/ql/src/change-notes/released/1.10.6.md b/java/ql/src/change-notes/released/1.10.6.md new file mode 100644 index 00000000000..eb53de204df --- /dev/null +++ b/java/ql/src/change-notes/released/1.10.6.md @@ -0,0 +1,3 @@ +## 1.10.6 + +No user-facing changes. diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml index 2b3096747d5..4e10f150f2e 100644 --- a/java/ql/src/codeql-pack.release.yml +++ b/java/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.10.5 +lastReleaseVersion: 1.10.6 diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index 54fa90952dd..570c8bf7e18 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 1.10.6-dev +version: 1.10.6 groups: - java - queries diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md index 08f8bb5fbb2..c599ea0799b 100644 --- a/javascript/ql/lib/CHANGELOG.md +++ b/javascript/ql/lib/CHANGELOG.md @@ -1,3 +1,9 @@ +## 2.6.21 + +### Minor Analysis Improvements + +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. + ## 2.6.20 ### Minor Analysis Improvements 
diff --git a/java/ql/lib/change-notes/2026-01-16-summarized-callable.md b/javascript/ql/lib/change-notes/released/2.6.21.md similarity index 85% rename from java/ql/lib/change-notes/2026-01-16-summarized-callable.md rename to javascript/ql/lib/change-notes/released/2.6.21.md index b6e5101617e..4307ee55605 100644 --- a/java/ql/lib/change-notes/2026-01-16-summarized-callable.md +++ b/javascript/ql/lib/change-notes/released/2.6.21.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 2.6.21 + +### Minor Analysis Improvements + * The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml index 3c7db9023cc..872f4f9807c 100644 --- a/javascript/ql/lib/codeql-pack.release.yml +++ b/javascript/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.6.20 +lastReleaseVersion: 2.6.21 diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index b9abf987afb..2e54148b68c 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 2.6.21-dev +version: 2.6.21 groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md index d3a5bfa8f82..50da6325746 100644 --- a/javascript/ql/src/CHANGELOG.md +++ b/javascript/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.3.1 + +No user-facing changes. + ## 2.3.0 ### Major Analysis Improvements diff --git a/javascript/ql/src/change-notes/released/2.3.1.md b/javascript/ql/src/change-notes/released/2.3.1.md new file mode 100644 index 00000000000..af7c45e68fa --- /dev/null +++ b/javascript/ql/src/change-notes/released/2.3.1.md 
@@ -0,0 +1,3 @@ +## 2.3.1 + +No user-facing changes. diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml index 5936154675a..530699ffecc 100644 --- a/javascript/ql/src/codeql-pack.release.yml +++ b/javascript/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.3.0 +lastReleaseVersion: 2.3.1 diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index 9eb734b9d11..ad56a74e9b5 100644 --- a/javascript/ql/src/qlpack.yml +++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 2.3.1-dev +version: 2.3.1 groups: - javascript - queries diff --git a/misc/suite-helpers/CHANGELOG.md b/misc/suite-helpers/CHANGELOG.md index 3fa0771beca..0d796d32439 100644 --- a/misc/suite-helpers/CHANGELOG.md +++ b/misc/suite-helpers/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/misc/suite-helpers/change-notes/released/1.0.41.md b/misc/suite-helpers/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/misc/suite-helpers/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/misc/suite-helpers/codeql-pack.release.yml b/misc/suite-helpers/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/misc/suite-helpers/codeql-pack.release.yml +++ b/misc/suite-helpers/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index b01f97237d3..4a0344c0f0f 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 1.0.41-dev +version: 1.0.41 groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md index ee4f1b529e3..a273dc2628b 100644 --- a/python/ql/lib/CHANGELOG.md 
+++ b/python/ql/lib/CHANGELOG.md @@ -1,3 +1,16 @@ +## 6.1.0 + +### New Features + +* It is now possible to refer to list elements in the Python models-as-data language, via the `ListElement` path. + +### Minor Analysis Improvements + +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. +* Added experimental query `py/prompt-injection` to detect potential prompt injection vulnerabilities in code using LLMs. +* Added taint flow model and type model for `agents` and `openai` modules. +* Remote flow sources for the `websockets` package have been modeled. + ## 6.0.0 ### Breaking Changes diff --git a/python/ql/lib/change-notes/2025-12-01-websockets.md b/python/ql/lib/change-notes/2025-12-01-websockets.md deleted file mode 100644 index 6b4db223d7b..00000000000 --- a/python/ql/lib/change-notes/2025-12-01-websockets.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* Remote flow sources for the `websockets` package have been modeled. \ No newline at end of file diff --git a/python/ql/lib/change-notes/2026-01-02-prompt-injection.md b/python/ql/lib/change-notes/2026-01-02-prompt-injection.md deleted file mode 100644 index 21f04216ecb..00000000000 --- a/python/ql/lib/change-notes/2026-01-02-prompt-injection.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -category: minorAnalysis ---- -* Added experimental query `py/prompt-injection` to detect potential prompt injection vulnerabilities in code using LLMs. -* Added taint flow model and type model for `agents` and `openai` modules. \ No newline at end of file diff --git a/python/ql/lib/change-notes/2026-01-16-summarized-callable.md b/python/ql/lib/change-notes/2026-01-16-summarized-callable.md deleted file mode 100644 index b6e5101617e..00000000000 
--- a/python/ql/lib/change-notes/2026-01-16-summarized-callable.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
diff --git a/python/ql/lib/change-notes/2026-01-20-support-ListElement-in-python-MaD.md b/python/ql/lib/change-notes/2026-01-20-support-ListElement-in-python-MaD.md
deleted file mode 100644
index cf51193efe9..00000000000
--- a/python/ql/lib/change-notes/2026-01-20-support-ListElement-in-python-MaD.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* It is now possible to refer to list elements in the Python models-as-data language, via the `ListElement` path.
diff --git a/python/ql/lib/change-notes/released/6.1.0.md b/python/ql/lib/change-notes/released/6.1.0.md
new file mode 100644
index 00000000000..633ade1f67c
--- /dev/null
+++ b/python/ql/lib/change-notes/released/6.1.0.md
@@ -0,0 +1,12 @@
+## 6.1.0
+
+### New Features
+
+* It is now possible to refer to list elements in the Python models-as-data language, via the `ListElement` path.
+
+### Minor Analysis Improvements
+
+* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
+* Added experimental query `py/prompt-injection` to detect potential prompt injection vulnerabilities in code using LLMs.
+* Added taint flow model and type model for `agents` and `openai` modules.
+* Remote flow sources for the `websockets` package have been modeled.
diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml
index f8c4fa43ccb..22247782f3e 100644
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 6.0.0 +lastReleaseVersion: 6.1.0 diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index ff6a730a2ea..db127bd5792 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 6.0.1-dev +version: 6.1.0 groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md index 9b09127c0ae..3f9a869decc 100644 --- a/python/ql/src/CHANGELOG.md +++ b/python/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.7.6 + +No user-facing changes. + ## 1.7.5 No user-facing changes. diff --git a/python/ql/src/change-notes/released/1.7.6.md b/python/ql/src/change-notes/released/1.7.6.md new file mode 100644 index 00000000000..fe2a0f02e7e --- /dev/null +++ b/python/ql/src/change-notes/released/1.7.6.md @@ -0,0 +1,3 @@ +## 1.7.6 + +No user-facing changes. diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml index 83aebd7c12a..1f68518dba9 100644 --- a/python/ql/src/codeql-pack.release.yml +++ b/python/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.7.5 +lastReleaseVersion: 1.7.6 diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index 8b797e76e6a..5725ef1f664 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 1.7.6-dev +version: 1.7.6 groups: - python - queries diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index e6150ac44bc..408f2f3144f 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md 
@@ -1,3 +1,9 @@ +## 5.1.9 + +### Minor Analysis Improvements + +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. + ## 5.1.8 No user-facing changes. diff --git a/ruby/ql/lib/change-notes/2026-01-16-summarized-callable.md b/ruby/ql/lib/change-notes/2026-01-16-summarized-callable.md deleted file mode 100644 index b6e5101617e..00000000000 --- a/ruby/ql/lib/change-notes/2026-01-16-summarized-callable.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. diff --git a/cpp/ql/lib/change-notes/2026-01-16-summarized-callable.md b/ruby/ql/lib/change-notes/released/5.1.9.md similarity index 85% rename from cpp/ql/lib/change-notes/2026-01-16-summarized-callable.md rename to ruby/ql/lib/change-notes/released/5.1.9.md index b6e5101617e..5455fb9f5e2 100644 --- a/cpp/ql/lib/change-notes/2026-01-16-summarized-callable.md +++ b/ruby/ql/lib/change-notes/released/5.1.9.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 5.1.9 + +### Minor Analysis Improvements + * The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml index 8ffbb79d224..f9bf2605261 100644 --- a/ruby/ql/lib/codeql-pack.release.yml +++ b/ruby/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 5.1.8 +lastReleaseVersion: 5.1.9 
diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index 1a0515cc776..6a48d4be1a2 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 5.1.9-dev +version: 5.1.9 groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index 43e207937df..fd5b24f166e 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.5.6 + +No user-facing changes. + ## 1.5.5 No user-facing changes. diff --git a/ruby/ql/src/change-notes/released/1.5.6.md b/ruby/ql/src/change-notes/released/1.5.6.md new file mode 100644 index 00000000000..17fb577dc9e --- /dev/null +++ b/ruby/ql/src/change-notes/released/1.5.6.md @@ -0,0 +1,3 @@ +## 1.5.6 + +No user-facing changes. diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml index 1c73e9d9ce9..9a0b3c9461b 100644 --- a/ruby/ql/src/codeql-pack.release.yml +++ b/ruby/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.5.5 +lastReleaseVersion: 1.5.6 diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index 8534baf2482..a14269c692a 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 1.5.6-dev +version: 1.5.6 groups: - ruby - queries diff --git a/rust/ql/lib/CHANGELOG.md b/rust/ql/lib/CHANGELOG.md index c06726370df..b913efd02f0 100644 --- a/rust/ql/lib/CHANGELOG.md +++ b/rust/ql/lib/CHANGELOG.md 
@@ -1,3 +1,10 @@ +## 0.2.5 + +### Minor Analysis Improvements + +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. +* Added type inference support for the `FnMut(..) -> ..` and `Fn(..) -> ..` traits. They now work in type parameter bounds and are implemented by closures. + ## 0.2.4 ### Minor Analysis Improvements @@ -6,7 +13,7 @@ * Renamed the `Adt` class to `TypeItem` and moved common predicates from `Struct`, `Enum`, and `Union` to `TypeItem`. * Added models for the Axum web application framework. * Reading content of a value now carries taint if the value itself is tainted. For instance, if `s` is tainted then `s.field` is also tainted. This generally improves taint flow. -* The call graph is now more precise for calls that target a trait function with a default implemention. This reduces the number of false positives for data flow queries. +* The call graph is now more precise for calls that target a trait function with a default implementation. This reduces the number of false positives for data flow queries. * Improved type inference for raw pointers (`*const` and `*mut`). This includes type inference for the raw borrow operators (`&raw const` and `&raw mut`) and dereferencing of raw pointers. ## 0.2.3 diff --git a/rust/ql/lib/change-notes/2026-01-16-summarized-callable.md b/rust/ql/lib/change-notes/2026-01-16-summarized-callable.md deleted file mode 100644 index b6e5101617e..00000000000 --- a/rust/ql/lib/change-notes/2026-01-16-summarized-callable.md +++ /dev/null 
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
diff --git a/rust/ql/lib/change-notes/2026-01-16-type-inference-closures.md b/rust/ql/lib/change-notes/2026-01-16-type-inference-closures.md
deleted file mode 100644
index 1e093b74dbe..00000000000
--- a/rust/ql/lib/change-notes/2026-01-16-type-inference-closures.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added type inference support for the `FnMut(..) -> ..` and `Fn(..) -> ..` traits. They now work in type parameter bounds and are implemented by closures.
\ No newline at end of file
diff --git a/rust/ql/lib/change-notes/released/0.2.5.md b/rust/ql/lib/change-notes/released/0.2.5.md
new file mode 100644
index 00000000000..5145bf5a9b2
--- /dev/null
+++ b/rust/ql/lib/change-notes/released/0.2.5.md
@@ -0,0 +1,6 @@
+## 0.2.5
+
+### Minor Analysis Improvements
+
+* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed.
+* Added type inference support for the `FnMut(..) -> ..` and `Fn(..) -> ..` traits. They now work in type parameter bounds and are implemented by closures.
diff --git a/rust/ql/lib/codeql-pack.release.yml b/rust/ql/lib/codeql-pack.release.yml
index 7f1e3841dcd..211454ed306 100644
--- a/rust/ql/lib/codeql-pack.release.yml
+++ b/rust/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.4
+lastReleaseVersion: 0.2.5
diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml
index c976e05b9b9..4f33822af63 100644
--- a/rust/ql/lib/qlpack.yml
+++ b/rust/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@ name: codeql/rust-all -version: 0.2.5-dev +version: 0.2.5 groups: rust extractor: rust dbscheme: rust.dbscheme diff --git a/rust/ql/src/CHANGELOG.md b/rust/ql/src/CHANGELOG.md index 6f17ba91133..fe96ab5baad 100644 --- a/rust/ql/src/CHANGELOG.md +++ b/rust/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.1.26 + +No user-facing changes. + ## 0.1.25 ### Minor Analysis Improvements diff --git a/rust/ql/src/change-notes/released/0.1.26.md b/rust/ql/src/change-notes/released/0.1.26.md new file mode 100644 index 00000000000..79d28dd1b40 --- /dev/null +++ b/rust/ql/src/change-notes/released/0.1.26.md @@ -0,0 +1,3 @@ +## 0.1.26 + +No user-facing changes. diff --git a/rust/ql/src/codeql-pack.release.yml b/rust/ql/src/codeql-pack.release.yml index 44eb1ee2438..e2396c0532f 100644 --- a/rust/ql/src/codeql-pack.release.yml +++ b/rust/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.25 +lastReleaseVersion: 0.1.26 diff --git a/rust/ql/src/qlpack.yml b/rust/ql/src/qlpack.yml index e8873e00339..61ff8e48167 100644 --- a/rust/ql/src/qlpack.yml +++ b/rust/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-queries -version: 0.1.26-dev +version: 0.1.26 groups: - rust - queries diff --git a/shared/concepts/CHANGELOG.md b/shared/concepts/CHANGELOG.md index 161a5091515..29dba07c365 100644 --- a/shared/concepts/CHANGELOG.md +++ b/shared/concepts/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.15 + +No user-facing changes. + ## 0.0.14 No user-facing changes. diff --git a/shared/concepts/change-notes/released/0.0.15.md b/shared/concepts/change-notes/released/0.0.15.md new file mode 100644 index 00000000000..7af9c05f23f --- /dev/null +++ b/shared/concepts/change-notes/released/0.0.15.md @@ -0,0 +1,3 @@ +## 0.0.15 + +No user-facing changes. diff --git a/shared/concepts/codeql-pack.release.yml b/shared/concepts/codeql-pack.release.yml index ca29e45d0a6..dff35216fc6 100644 --- a/shared/concepts/codeql-pack.release.yml +++ b/shared/concepts/codeql-pack.release.yml 
@@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.14 +lastReleaseVersion: 0.0.15 diff --git a/shared/concepts/qlpack.yml b/shared/concepts/qlpack.yml index 0acc44a77e6..40350f8b33c 100644 --- a/shared/concepts/qlpack.yml +++ b/shared/concepts/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/concepts -version: 0.0.15-dev +version: 0.0.15 groups: shared library: true dependencies: diff --git a/shared/controlflow/CHANGELOG.md b/shared/controlflow/CHANGELOG.md index a0141238ede..1fd69b562a6 100644 --- a/shared/controlflow/CHANGELOG.md +++ b/shared/controlflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.25 + +No user-facing changes. + ## 2.0.24 No user-facing changes. diff --git a/shared/controlflow/change-notes/released/2.0.25.md b/shared/controlflow/change-notes/released/2.0.25.md new file mode 100644 index 00000000000..ca39dd50c69 --- /dev/null +++ b/shared/controlflow/change-notes/released/2.0.25.md @@ -0,0 +1,3 @@ +## 2.0.25 + +No user-facing changes. diff --git a/shared/controlflow/codeql-pack.release.yml b/shared/controlflow/codeql-pack.release.yml index 1460df314d5..f54d8620118 100644 --- a/shared/controlflow/codeql-pack.release.yml +++ b/shared/controlflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.24 +lastReleaseVersion: 2.0.25 diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index fe9c546bd4a..f8e86c3b834 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 2.0.25-dev +version: 2.0.25 groups: shared library: true dependencies: diff --git a/shared/dataflow/CHANGELOG.md b/shared/dataflow/CHANGELOG.md index 2190138e037..49857928ffe 100644 --- a/shared/dataflow/CHANGELOG.md +++ b/shared/dataflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.25 + +No user-facing changes. + ## 2.0.24 No user-facing changes. diff --git a/shared/dataflow/change-notes/released/2.0.25.md b/shared/dataflow/change-notes/released/2.0.25.md new file mode 100644 index 00000000000..ca39dd50c69 
--- /dev/null +++ b/shared/dataflow/change-notes/released/2.0.25.md @@ -0,0 +1,3 @@ +## 2.0.25 + +No user-facing changes. diff --git a/shared/dataflow/codeql-pack.release.yml b/shared/dataflow/codeql-pack.release.yml index 1460df314d5..f54d8620118 100644 --- a/shared/dataflow/codeql-pack.release.yml +++ b/shared/dataflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.24 +lastReleaseVersion: 2.0.25 diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index f1c036d74df..86bfb0a5b05 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 2.0.25-dev +version: 2.0.25 groups: shared library: true dependencies: diff --git a/shared/mad/CHANGELOG.md b/shared/mad/CHANGELOG.md index 40e305bad35..bc1ee96895c 100644 --- a/shared/mad/CHANGELOG.md +++ b/shared/mad/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/shared/mad/change-notes/released/1.0.41.md b/shared/mad/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/shared/mad/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/shared/mad/codeql-pack.release.yml b/shared/mad/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/shared/mad/codeql-pack.release.yml +++ b/shared/mad/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index f001129240f..349dc19aa33 100644 --- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/mad -version: 1.0.41-dev +version: 1.0.41 groups: shared library: true dependencies: diff --git a/shared/quantum/CHANGELOG.md b/shared/quantum/CHANGELOG.md index 172f2ee2b29..d5252bfc0c4 100644 --- a/shared/quantum/CHANGELOG.md +++ b/shared/quantum/CHANGELOG.md 
@@ -1,3 +1,7 @@ +## 0.0.19 + +No user-facing changes. + ## 0.0.18 No user-facing changes. diff --git a/shared/quantum/change-notes/released/0.0.19.md b/shared/quantum/change-notes/released/0.0.19.md new file mode 100644 index 00000000000..914e4c9074d --- /dev/null +++ b/shared/quantum/change-notes/released/0.0.19.md @@ -0,0 +1,3 @@ +## 0.0.19 + +No user-facing changes. diff --git a/shared/quantum/codeql-pack.release.yml b/shared/quantum/codeql-pack.release.yml index a0d2bc59d97..f406319f372 100644 --- a/shared/quantum/codeql-pack.release.yml +++ b/shared/quantum/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.18 +lastReleaseVersion: 0.0.19 diff --git a/shared/quantum/qlpack.yml b/shared/quantum/qlpack.yml index de32dad32f1..f394fab9654 100644 --- a/shared/quantum/qlpack.yml +++ b/shared/quantum/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/quantum -version: 0.0.19-dev +version: 0.0.19 groups: shared library: true dependencies: diff --git a/shared/rangeanalysis/CHANGELOG.md b/shared/rangeanalysis/CHANGELOG.md index 7c9e43f8ff3..3dde8baa4b0 100644 --- a/shared/rangeanalysis/CHANGELOG.md +++ b/shared/rangeanalysis/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/shared/rangeanalysis/change-notes/released/1.0.41.md b/shared/rangeanalysis/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/shared/rangeanalysis/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/shared/rangeanalysis/codeql-pack.release.yml b/shared/rangeanalysis/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/shared/rangeanalysis/codeql-pack.release.yml +++ b/shared/rangeanalysis/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml index 5ecb12275e6..846d83bc93c 100644 
--- a/shared/rangeanalysis/qlpack.yml +++ b/shared/rangeanalysis/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rangeanalysis -version: 1.0.41-dev +version: 1.0.41 groups: shared library: true dependencies: diff --git a/shared/regex/CHANGELOG.md b/shared/regex/CHANGELOG.md index ecf8ebbe399..2e3dacffd92 100644 --- a/shared/regex/CHANGELOG.md +++ b/shared/regex/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/shared/regex/change-notes/released/1.0.41.md b/shared/regex/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/shared/regex/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/shared/regex/codeql-pack.release.yml b/shared/regex/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/shared/regex/codeql-pack.release.yml +++ b/shared/regex/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index c57a3de5189..80b995f7c50 100644 --- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 1.0.41-dev +version: 1.0.41 groups: shared library: true dependencies: diff --git a/shared/ssa/CHANGELOG.md b/shared/ssa/CHANGELOG.md index 03f338ad3e6..62c6ce297f9 100644 --- a/shared/ssa/CHANGELOG.md +++ b/shared/ssa/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.17 + +No user-facing changes. + ## 2.0.16 No user-facing changes. diff --git a/shared/ssa/change-notes/released/2.0.17.md b/shared/ssa/change-notes/released/2.0.17.md new file mode 100644 index 00000000000..0ed1592726c --- /dev/null +++ b/shared/ssa/change-notes/released/2.0.17.md @@ -0,0 +1,3 @@ +## 2.0.17 + +No user-facing changes. diff --git a/shared/ssa/codeql-pack.release.yml b/shared/ssa/codeql-pack.release.yml index c10461a785c..a5f7c15c020 100644 --- a/shared/ssa/codeql-pack.release.yml 
+++ b/shared/ssa/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.16 +lastReleaseVersion: 2.0.17 diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index ac679f613ea..c1b143d616e 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 2.0.17-dev +version: 2.0.17 groups: shared library: true dependencies: diff --git a/shared/threat-models/CHANGELOG.md b/shared/threat-models/CHANGELOG.md index 8718668249f..d0c8171cdf6 100644 --- a/shared/threat-models/CHANGELOG.md +++ b/shared/threat-models/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/shared/threat-models/change-notes/released/1.0.41.md b/shared/threat-models/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/shared/threat-models/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/shared/threat-models/codeql-pack.release.yml b/shared/threat-models/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/shared/threat-models/codeql-pack.release.yml +++ b/shared/threat-models/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index f16ee329d00..634544a4eb8 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.41-dev +version: 1.0.41 library: true groups: shared dataExtensions: diff --git a/shared/tutorial/CHANGELOG.md b/shared/tutorial/CHANGELOG.md index 6a9afbe090a..83380772573 100644 --- a/shared/tutorial/CHANGELOG.md +++ b/shared/tutorial/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. 
diff --git a/shared/tutorial/change-notes/released/1.0.41.md b/shared/tutorial/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/shared/tutorial/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/shared/tutorial/codeql-pack.release.yml b/shared/tutorial/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/shared/tutorial/codeql-pack.release.yml +++ b/shared/tutorial/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index 8ffe365de0a..93b95d3210c 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.41-dev +version: 1.0.41 groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/CHANGELOG.md b/shared/typeflow/CHANGELOG.md index 37cada86362..caecb313a31 100644 --- a/shared/typeflow/CHANGELOG.md +++ b/shared/typeflow/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/shared/typeflow/change-notes/released/1.0.41.md b/shared/typeflow/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/shared/typeflow/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/shared/typeflow/codeql-pack.release.yml b/shared/typeflow/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/shared/typeflow/codeql-pack.release.yml +++ b/shared/typeflow/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml index 773700f2ac1..4512e955385 100644 --- a/shared/typeflow/qlpack.yml 
+++ b/shared/typeflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeflow -version: 1.0.41-dev +version: 1.0.41 groups: shared library: true dependencies: diff --git a/shared/typeinference/CHANGELOG.md b/shared/typeinference/CHANGELOG.md index 2daa850c9cd..356c331b5df 100644 --- a/shared/typeinference/CHANGELOG.md +++ b/shared/typeinference/CHANGELOG.md @@ -1,3 +1,7 @@ +## 0.0.22 + +No user-facing changes. + ## 0.0.21 No user-facing changes. diff --git a/shared/typeinference/change-notes/released/0.0.22.md b/shared/typeinference/change-notes/released/0.0.22.md new file mode 100644 index 00000000000..00226747438 --- /dev/null +++ b/shared/typeinference/change-notes/released/0.0.22.md @@ -0,0 +1,3 @@ +## 0.0.22 + +No user-facing changes. diff --git a/shared/typeinference/codeql-pack.release.yml b/shared/typeinference/codeql-pack.release.yml index 0c15c351db4..11aaa2243f5 100644 --- a/shared/typeinference/codeql-pack.release.yml +++ b/shared/typeinference/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.0.21 +lastReleaseVersion: 0.0.22 diff --git a/shared/typeinference/qlpack.yml b/shared/typeinference/qlpack.yml index 323af6d7d5d..6bb3be57eba 100644 --- a/shared/typeinference/qlpack.yml +++ b/shared/typeinference/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeinference -version: 0.0.22-dev +version: 0.0.22 groups: shared library: true dependencies: diff --git a/shared/typetracking/CHANGELOG.md b/shared/typetracking/CHANGELOG.md index 769f68dd3dd..8504089f872 100644 --- a/shared/typetracking/CHANGELOG.md +++ b/shared/typetracking/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.25 + +No user-facing changes. + ## 2.0.24 No user-facing changes. diff --git a/shared/typetracking/change-notes/released/2.0.25.md b/shared/typetracking/change-notes/released/2.0.25.md new file mode 100644 index 00000000000..ca39dd50c69 --- /dev/null +++ b/shared/typetracking/change-notes/released/2.0.25.md @@ -0,0 +1,3 @@ +## 2.0.25 + +No user-facing changes. 
diff --git a/shared/typetracking/codeql-pack.release.yml b/shared/typetracking/codeql-pack.release.yml index 1460df314d5..f54d8620118 100644 --- a/shared/typetracking/codeql-pack.release.yml +++ b/shared/typetracking/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.24 +lastReleaseVersion: 2.0.25 diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index 3c2758e0907..fe7582bbde6 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typetracking -version: 2.0.25-dev +version: 2.0.25 groups: shared library: true dependencies: diff --git a/shared/typos/CHANGELOG.md b/shared/typos/CHANGELOG.md index 5ef65f8781d..cfbec562b14 100644 --- a/shared/typos/CHANGELOG.md +++ b/shared/typos/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/shared/typos/change-notes/released/1.0.41.md b/shared/typos/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/shared/typos/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/shared/typos/codeql-pack.release.yml b/shared/typos/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/shared/typos/codeql-pack.release.yml +++ b/shared/typos/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index 07154ada547..e587573ad40 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.41-dev +version: 1.0.41 groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/CHANGELOG.md b/shared/util/CHANGELOG.md index 1c818e1f21d..904aa45e034 100644 --- a/shared/util/CHANGELOG.md +++ b/shared/util/CHANGELOG.md @@ -1,3 +1,7 @@ +## 2.0.28 + +No user-facing changes. + ## 2.0.27 No user-facing changes. 
diff --git a/shared/util/change-notes/released/2.0.28.md b/shared/util/change-notes/released/2.0.28.md new file mode 100644 index 00000000000..3f9412b6e63 --- /dev/null +++ b/shared/util/change-notes/released/2.0.28.md @@ -0,0 +1,3 @@ +## 2.0.28 + +No user-facing changes. diff --git a/shared/util/codeql-pack.release.yml b/shared/util/codeql-pack.release.yml index a047558f018..ec5bd6ba369 100644 --- a/shared/util/codeql-pack.release.yml +++ b/shared/util/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 2.0.27 +lastReleaseVersion: 2.0.28 diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index 0b10b300a47..dd8c960aa0b 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 2.0.28-dev +version: 2.0.28 groups: shared library: true dependencies: null diff --git a/shared/xml/CHANGELOG.md b/shared/xml/CHANGELOG.md index cb8550f886b..7a85ea45c7b 100644 --- a/shared/xml/CHANGELOG.md +++ b/shared/xml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/shared/xml/change-notes/released/1.0.41.md b/shared/xml/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/shared/xml/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/shared/xml/codeql-pack.release.yml b/shared/xml/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/shared/xml/codeql-pack.release.yml +++ b/shared/xml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index 86ac177bdbf..ad13296db46 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.41-dev +version: 1.0.41 groups: shared library: true dependencies: 
diff --git a/shared/yaml/CHANGELOG.md b/shared/yaml/CHANGELOG.md index 82c9137dbbf..78b636e0288 100644 --- a/shared/yaml/CHANGELOG.md +++ b/shared/yaml/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.0.41 + +No user-facing changes. + ## 1.0.40 No user-facing changes. diff --git a/shared/yaml/change-notes/released/1.0.41.md b/shared/yaml/change-notes/released/1.0.41.md new file mode 100644 index 00000000000..b9e9f7a5c44 --- /dev/null +++ b/shared/yaml/change-notes/released/1.0.41.md @@ -0,0 +1,3 @@ +## 1.0.41 + +No user-facing changes. diff --git a/shared/yaml/codeql-pack.release.yml b/shared/yaml/codeql-pack.release.yml index 326e4b5da67..d496eab6eb9 100644 --- a/shared/yaml/codeql-pack.release.yml +++ b/shared/yaml/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.0.40 +lastReleaseVersion: 1.0.41 diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index 9e3dec90b6d..03ddecb8a05 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.41-dev +version: 1.0.41 groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/CHANGELOG.md b/swift/ql/lib/CHANGELOG.md index efad17a8e8b..f4fe2159e07 100644 --- a/swift/ql/lib/CHANGELOG.md +++ b/swift/ql/lib/CHANGELOG.md @@ -1,3 +1,9 @@ +## 6.2.1 + +### Minor Analysis Improvements + +* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. + ## 6.2.0 ### Major Analysis Improvements diff --git a/swift/ql/lib/change-notes/2026-01-16-summarized-callable.md b/swift/ql/lib/change-notes/2026-01-16-summarized-callable.md deleted file mode 100644 index b6e5101617e..00000000000 --- a/swift/ql/lib/change-notes/2026-01-16-summarized-callable.md +++ /dev/null 
@@ -1,4 +0,0 @@ ---- -category: minorAnalysis ---- -* The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. diff --git a/go/ql/lib/change-notes/2026-01-16-summarized-callable.md b/swift/ql/lib/change-notes/released/6.2.1.md similarity index 85% rename from go/ql/lib/change-notes/2026-01-16-summarized-callable.md rename to swift/ql/lib/change-notes/released/6.2.1.md index b6e5101617e..bd50d7adb36 100644 --- a/go/ql/lib/change-notes/2026-01-16-summarized-callable.md +++ b/swift/ql/lib/change-notes/released/6.2.1.md @@ -1,4 +1,5 @@ ---- -category: minorAnalysis ---- +## 6.2.1 + +### Minor Analysis Improvements + * The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. diff --git a/swift/ql/lib/codeql-pack.release.yml b/swift/ql/lib/codeql-pack.release.yml index 35c46c599f0..8e36085279d 100644 --- a/swift/ql/lib/codeql-pack.release.yml +++ b/swift/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 6.2.0 +lastReleaseVersion: 6.2.1 diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 84482a72c80..9fc1e4731dd 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 6.2.1-dev +version: 6.2.1 groups: swift extractor: swift dbscheme: swift.dbscheme diff --git a/swift/ql/src/CHANGELOG.md b/swift/ql/src/CHANGELOG.md index b555657d87a..bf6367cf668 100644 --- a/swift/ql/src/CHANGELOG.md +++ b/swift/ql/src/CHANGELOG.md @@ -1,3 +1,7 @@ +## 1.2.15 + +No user-facing changes. + ## 1.2.14 No user-facing changes. 
diff --git a/swift/ql/src/change-notes/released/1.2.15.md b/swift/ql/src/change-notes/released/1.2.15.md new file mode 100644 index 00000000000..c73741aba03 --- /dev/null +++ b/swift/ql/src/change-notes/released/1.2.15.md @@ -0,0 +1,3 @@ +## 1.2.15 + +No user-facing changes. diff --git a/swift/ql/src/codeql-pack.release.yml b/swift/ql/src/codeql-pack.release.yml index ef55ed9564a..df8980e5dd2 100644 --- a/swift/ql/src/codeql-pack.release.yml +++ b/swift/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 1.2.14 +lastReleaseVersion: 1.2.15 diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index 61ca00447b2..86538099f75 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.2.15-dev +version: 1.2.15 groups: - swift - queries From 38fcc61817613ca2456ece88508d48b12645b4a3 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 2 Feb 2026 12:10:15 +0000 Subject: [PATCH 09/25] Fix formatting in Kotlin changelog --- java/ql/lib/change-notes/released/8.0.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/lib/change-notes/released/8.0.0.md b/java/ql/lib/change-notes/released/8.0.0.md index cf6f8f52f97..efe82a7db85 100644 --- a/java/ql/lib/change-notes/released/8.0.0.md +++ b/java/ql/lib/change-notes/released/8.0.0.md @@ -6,7 +6,7 @@ ### New Features -* Kotlin versions up to 2.3.0\ *x* are now supported. +* Kotlin versions up to 2.3.0 are now supported. ### Minor Analysis Improvements From 5f1fd57f84b062da390765efc4c7f1c2b4842690 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 2 Feb 2026 12:22:50 +0000 Subject: [PATCH 10/25] Fix formatting of Kotlin version ranges --- java/ql/lib/CHANGELOG.md | 8 ++++---- java/ql/lib/change-notes/released/4.1.0.md | 2 +- java/ql/lib/change-notes/released/7.2.0.md | 2 +- java/ql/lib/change-notes/released/7.5.0.md | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md index a100137879d..f238699b4e5 100644 --- a/java/ql/lib/CHANGELOG.md +++ b/java/ql/lib/CHANGELOG.md @@ -6,7 +6,7 @@ ### New Features -* Kotlin versions up to 2.3.0\ *x* are now supported. +* Kotlin versions up to 2.3.0*x* are now supported. ### Minor Analysis Improvements @@ -98,7 +98,7 @@ No user-facing changes. ### New Features -* Kotlin versions up to 2.2.2\ *x* are now supported. +* Kotlin versions up to 2.2.2*x* are now supported. ## 7.4.0 @@ -139,7 +139,7 @@ No user-facing changes. ### New Features -* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). +* Kotlin versions up to 2.2.0*x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). ## 7.1.4 @@ -276,7 +276,7 @@ No user-facing changes. ### New Features * The Java extractor and QL libraries now support Java 23. -* Kotlin versions up to 2.1.0\ *x* are now supported. +* Kotlin versions up to 2.1.0*x* are now supported. ## 4.0.0 diff --git a/java/ql/lib/change-notes/released/4.1.0.md b/java/ql/lib/change-notes/released/4.1.0.md index 579567e1edd..d24446bd8c1 100644 --- a/java/ql/lib/change-notes/released/4.1.0.md +++ b/java/ql/lib/change-notes/released/4.1.0.md @@ -10,4 +10,4 @@ ### New Features * The Java extractor and QL libraries now support Java 23. -* Kotlin versions up to 2.1.0\ *x* are now supported. +* Kotlin versions up to 2.1.0*x* are now supported. diff --git a/java/ql/lib/change-notes/released/7.2.0.md b/java/ql/lib/change-notes/released/7.2.0.md index 7714e3eeb32..e3585377d0b 100644 --- a/java/ql/lib/change-notes/released/7.2.0.md +++ b/java/ql/lib/change-notes/released/7.2.0.md 
@@ -2,4 +2,4 @@ ### New Features -* Kotlin versions up to 2.2.0\ *x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). +* Kotlin versions up to 2.2.0*x* are now supported. Support for the Kotlin 1.5.x series is dropped (so the minimum Kotlin version is now 1.6.0). diff --git a/java/ql/lib/change-notes/released/7.5.0.md b/java/ql/lib/change-notes/released/7.5.0.md index 415dab5dfe4..36cc6112a12 100644 --- a/java/ql/lib/change-notes/released/7.5.0.md +++ b/java/ql/lib/change-notes/released/7.5.0.md @@ -2,4 +2,4 @@ ### New Features -* Kotlin versions up to 2.2.2\ *x* are now supported. +* Kotlin versions up to 2.2.2*x* are now supported. From 1a6b2b9b82563dcb8d68aa870aa6ffeae22d4766 Mon Sep 17 00:00:00 2001 From: Henry Mercer Date: Mon, 2 Feb 2026 12:37:32 +0000 Subject: [PATCH 11/25] Fix capitalization of MySQL --- cpp/ql/lib/CHANGELOG.md | 2 +- cpp/ql/lib/change-notes/released/7.1.0.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md index 9aa9e9953b5..6f256c9499b 100644 --- a/cpp/ql/lib/CHANGELOG.md +++ b/cpp/ql/lib/CHANGELOG.md 
@@ -8,7 +8,7 @@ ### Minor Analysis Improvements * The `Buffer.qll` library will no longer report incorrect buffer sizes on certain malformed databases. As a result, the queries `cpp/static-buffer-overflow`, `cpp/overflow-buffer`, `cpp/badly-bounded-write`, `cpp/overrunning-write`, `cpp/overrunning-write-with-float`, and `cpp/very-likely-overrunning-write` will report fewer false positives on such databases. -* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions. +* Added `taint` summary models and `sql-injection` barrier models for the MySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions. * The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. ### Bug Fixes diff --git a/cpp/ql/lib/change-notes/released/7.1.0.md b/cpp/ql/lib/change-notes/released/7.1.0.md index 7565cb4dab9..58ee0e9b6ef 100644 --- a/cpp/ql/lib/change-notes/released/7.1.0.md +++ b/cpp/ql/lib/change-notes/released/7.1.0.md 
@@ -8,7 +8,7 @@ ### Minor Analysis Improvements * The `Buffer.qll` library will no longer report incorrect buffer sizes on certain malformed databases. As a result, the queries `cpp/static-buffer-overflow`, `cpp/overflow-buffer`, `cpp/badly-bounded-write`, `cpp/overrunning-write`, `cpp/overrunning-write-with-float`, and `cpp/very-likely-overrunning-write` will report fewer false positives on such databases. -* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions. +* Added `taint` summary models and `sql-injection` barrier models for the MySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions. * The predicate `SummarizedCallable.propagatesFlow` has been extended with the columns `Provenance p` and `boolean isExact`, and as a consequence the predicates `SummarizedCallable.hasProvenance` and `SummarizedCallable.hasExactModel` have been removed. ### Bug Fixes From 95afe615b5655430532ff5abca17ee34a9817021 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Mon, 2 Feb 2026 13:06:24 +0100 Subject: [PATCH 12/25] Rust: Add path resolution tests --- .../library-tests/path-resolution/main.rs | 23 +++ .../path-resolution/path-resolution.expected | 164 ++++++++++-------- 2 files changed, 110 insertions(+), 77 deletions(-) diff --git a/rust/ql/test/library-tests/path-resolution/main.rs b/rust/ql/test/library-tests/path-resolution/main.rs index 9336666b477..b330822ecc8 100644 --- a/rust/ql/test/library-tests/path-resolution/main.rs +++ b/rust/ql/test/library-tests/path-resolution/main.rs 
@@ -1056,6 +1056,29 @@ mod self_constructors { } } +/// Tests for using `Self` in type definitions. +mod self_types { + struct NonEmptyListStruct { + head: T, // $ item=T + tail: Option>, // $ item=Option item=Box MISSING: item=NonEmptyListStruct + } + + enum NonEmptyListEnum { + Single(T), // $ item=T + Cons(T, Box), // $ item=T item=Box MISSING: item=NonEmptyListEnum + } + + #[rustfmt::skip] + union NonEmptyListUnion< + 'a, + T // T + : Copy // $ item=Copy + > { + single: T, // $ item=T + cons: (T, &'a Self), // $ item=T MISSING: item=NonEmptyListUnion + } +} + fn main() { my::nested::nested1::nested2::f(); // $ item=I4 my::f(); // $ item=I38 diff --git a/rust/ql/test/library-tests/path-resolution/path-resolution.expected b/rust/ql/test/library-tests/path-resolution/path-resolution.expected index fd1e5fd8503..e1f9f60b76a 100644 --- a/rust/ql/test/library-tests/path-resolution/path-resolution.expected +++ b/rust/ql/test/library-tests/path-resolution/path-resolution.expected @@ -35,6 +35,7 @@ mod | main.rs:949:1:968:1 | mod impl_with_attribute_macro | | main.rs:970:1:1011:1 | mod patterns | | main.rs:1013:1:1057:1 | mod self_constructors | +| main.rs:1059:1:1080:1 | mod self_types | | my2/mod.rs:1:1:1:16 | mod nested2 | | my2/mod.rs:20:1:20:12 | mod my3 | | my2/mod.rs:22:1:23:10 | mod mymod | @@ -75,7 +76,7 @@ resolvePath | main.rs:37:17:37:24 | ...::f | main.rs:26:9:28:9 | fn f | | main.rs:39:17:39:23 | println | {EXTERNAL LOCATION} | MacroRules | | main.rs:40:17:40:17 | f | main.rs:26:9:28:9 | fn f | -| main.rs:47:9:47:13 | super | main.rs:1:1:1096:2 | SourceFile | +| main.rs:47:9:47:13 | super | main.rs:1:1:1119:2 | SourceFile | | main.rs:47:9:47:17 | ...::m1 | main.rs:20:1:44:1 | mod m1 | | main.rs:47:9:47:21 | ...::m2 | main.rs:25:5:43:5 | mod m2 | | main.rs:47:9:47:24 | ...::g | main.rs:30:9:34:9 | fn g | 
@@ -90,7 +91,7 @@ resolvePath | main.rs:68:17:68:19 | Foo | main.rs:66:9:66:21 | struct Foo | | main.rs:71:13:71:15 | Foo | main.rs:60:5:60:17 | struct Foo | | main.rs:73:5:73:5 | f | main.rs:62:5:69:5 | fn f | -| main.rs:75:5:75:8 | self | main.rs:1:1:1096:2 | SourceFile | +| main.rs:75:5:75:8 | self | main.rs:1:1:1119:2 | SourceFile | | main.rs:75:5:75:11 | ...::i | main.rs:78:1:90:1 | fn i | | main.rs:79:5:79:11 | println | {EXTERNAL LOCATION} | MacroRules | | main.rs:81:13:81:15 | Foo | main.rs:55:1:55:13 | struct Foo | @@ -112,7 +113,7 @@ resolvePath | main.rs:112:9:112:15 | println | {EXTERNAL LOCATION} | MacroRules | | main.rs:118:9:118:15 | println | {EXTERNAL LOCATION} | MacroRules | | main.rs:122:9:122:15 | println | {EXTERNAL LOCATION} | MacroRules | -| main.rs:125:13:125:17 | super | main.rs:1:1:1096:2 | SourceFile | +| main.rs:125:13:125:17 | super | main.rs:1:1:1119:2 | SourceFile | | main.rs:125:13:125:21 | ...::m5 | main.rs:110:1:114:1 | mod m5 | | main.rs:126:9:126:9 | f | main.rs:111:5:113:5 | fn f | | main.rs:126:9:126:9 | f | main.rs:117:5:119:5 | fn f | 
@@ -532,79 +533,88 @@ resolvePath | main.rs:1047:25:1047:27 | i32 | {EXTERNAL LOCATION} | struct i32 | | main.rs:1049:17:1049:20 | Self | main.rs:1045:5:1056:5 | impl MyEnum { ... } | | main.rs:1049:17:1049:23 | ...::A | main.rs:1040:9:1042:9 | A | -| main.rs:1060:5:1060:6 | my | main.rs:1:1:1:7 | mod my | -| main.rs:1060:5:1060:14 | ...::nested | my.rs:1:1:1:15 | mod nested | -| main.rs:1060:5:1060:23 | ...::nested1 | my/nested.rs:1:1:17:1 | mod nested1 | -| main.rs:1060:5:1060:32 | ...::nested2 | my/nested.rs:2:5:11:5 | mod nested2 | -| main.rs:1060:5:1060:35 | ...::f | my/nested.rs:3:9:5:9 | fn f | -| main.rs:1061:5:1061:6 | my | main.rs:1:1:1:7 | mod my | -| main.rs:1061:5:1061:9 | ...::f | my.rs:5:1:7:1 | fn f | -| main.rs:1062:5:1062:11 | nested2 | my2/mod.rs:1:1:1:16 | mod nested2 | -| main.rs:1062:5:1062:20 | ...::nested3 | my2/nested2.rs:1:1:11:1 | mod nested3 | -| main.rs:1062:5:1062:29 | ...::nested4 | my2/nested2.rs:2:5:10:5 | mod nested4 | -| main.rs:1062:5:1062:32 | ...::f | my2/nested2.rs:3:9:5:9 | fn f | -| main.rs:1063:5:1063:5 | f | my2/nested2.rs:3:9:5:9 | fn f | -| main.rs:1064:5:1064:5 | g | my2/nested2.rs:7:9:9:9 | fn g | -| main.rs:1065:5:1065:9 | crate | main.rs:0:0:0:0 | Crate(main@0.0.1) | -| main.rs:1065:5:1065:12 | ...::h | main.rs:57:1:76:1 | fn h | -| main.rs:1066:5:1066:6 | m1 | main.rs:20:1:44:1 | mod m1 | -| main.rs:1066:5:1066:10 | ...::m2 | main.rs:25:5:43:5 | mod m2 | -| main.rs:1066:5:1066:13 | ...::g | main.rs:30:9:34:9 | fn g | -| main.rs:1067:5:1067:6 | m1 | main.rs:20:1:44:1 | mod m1 | -| main.rs:1067:5:1067:10 | ...::m2 | main.rs:25:5:43:5 | mod m2 | -| main.rs:1067:5:1067:14 | ...::m3 | main.rs:36:9:42:9 | mod m3 | -| main.rs:1067:5:1067:17 | ...::h | main.rs:37:27:41:13 | fn h | -| main.rs:1068:5:1068:6 | m4 | main.rs:46:1:53:1 | mod m4 | -| main.rs:1068:5:1068:9 | ...::i | main.rs:49:5:52:5 | fn i | -| main.rs:1069:5:1069:5 | h | main.rs:57:1:76:1 | fn h | -| main.rs:1070:5:1070:11 | f_alias | my2/nested2.rs:3:9:5:9 | fn 
f | -| main.rs:1071:5:1071:11 | g_alias | my2/nested2.rs:7:9:9:9 | fn g | -| main.rs:1072:5:1072:5 | j | main.rs:104:1:108:1 | fn j | -| main.rs:1073:5:1073:6 | m6 | main.rs:116:1:128:1 | mod m6 | -| main.rs:1073:5:1073:9 | ...::g | main.rs:121:5:127:5 | fn g | -| main.rs:1074:5:1074:6 | m7 | main.rs:130:1:149:1 | mod m7 | -| main.rs:1074:5:1074:9 | ...::f | main.rs:141:5:148:5 | fn f | -| main.rs:1075:5:1075:6 | m8 | main.rs:151:1:205:1 | mod m8 | -| main.rs:1075:5:1075:9 | ...::g | main.rs:189:5:204:5 | fn g | -| main.rs:1076:5:1076:6 | m9 | main.rs:207:1:215:1 | mod m9 | -| main.rs:1076:5:1076:9 | ...::f | main.rs:210:5:214:5 | fn f | -| main.rs:1077:5:1077:7 | m11 | main.rs:238:1:275:1 | mod m11 | -| main.rs:1077:5:1077:10 | ...::f | main.rs:243:5:246:5 | fn f | -| main.rs:1078:5:1078:7 | m15 | main.rs:306:1:375:1 | mod m15 | -| main.rs:1078:5:1078:10 | ...::f | main.rs:362:5:374:5 | fn f | -| main.rs:1079:5:1079:7 | m16 | main.rs:377:1:574:1 | mod m16 | -| main.rs:1079:5:1079:10 | ...::f | main.rs:446:5:470:5 | fn f | -| main.rs:1080:5:1080:20 | trait_visibility | main.rs:576:1:633:1 | mod trait_visibility | -| main.rs:1080:5:1080:23 | ...::f | main.rs:603:5:632:5 | fn f | -| main.rs:1081:5:1081:7 | m17 | main.rs:635:1:665:1 | mod m17 | -| main.rs:1081:5:1081:10 | ...::f | main.rs:659:5:664:5 | fn f | -| main.rs:1082:5:1082:11 | nested6 | my2/nested2.rs:14:5:18:5 | mod nested6 | -| main.rs:1082:5:1082:14 | ...::f | my2/nested2.rs:15:9:17:9 | fn f | -| main.rs:1083:5:1083:11 | nested8 | my2/nested2.rs:22:5:26:5 | mod nested8 | -| main.rs:1083:5:1083:14 | ...::f | my2/nested2.rs:23:9:25:9 | fn f | -| main.rs:1084:5:1084:7 | my3 | my2/mod.rs:20:1:20:12 | mod my3 | -| main.rs:1084:5:1084:10 | ...::f | my2/my3/mod.rs:1:1:5:1 | fn f | -| main.rs:1085:5:1085:12 | nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f | -| main.rs:1086:5:1086:12 | my_alias | main.rs:1:1:1:7 | mod my | -| main.rs:1086:5:1086:22 | ...::nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f | -| 
main.rs:1087:5:1087:7 | m18 | main.rs:667:1:685:1 | mod m18 | -| main.rs:1087:5:1087:12 | ...::m19 | main.rs:672:5:684:5 | mod m19 | -| main.rs:1087:5:1087:17 | ...::m20 | main.rs:677:9:683:9 | mod m20 | -| main.rs:1087:5:1087:20 | ...::g | main.rs:678:13:682:13 | fn g | -| main.rs:1088:5:1088:7 | m23 | main.rs:714:1:739:1 | mod m23 | -| main.rs:1088:5:1088:10 | ...::f | main.rs:734:5:738:5 | fn f | -| main.rs:1089:5:1089:7 | m24 | main.rs:741:1:809:1 | mod m24 | -| main.rs:1089:5:1089:10 | ...::f | main.rs:795:5:808:5 | fn f | -| main.rs:1090:5:1090:8 | zelf | main.rs:0:0:0:0 | Crate(main@0.0.1) | -| main.rs:1090:5:1090:11 | ...::h | main.rs:57:1:76:1 | fn h | -| main.rs:1091:5:1091:13 | z_changed | main.rs:814:1:814:9 | fn z_changed | -| main.rs:1092:5:1092:11 | AStruct | main.rs:816:1:816:17 | struct AStruct | -| main.rs:1092:5:1092:22 | ...::z_on_type | main.rs:820:5:820:17 | fn z_on_type | -| main.rs:1093:5:1093:11 | AStruct | main.rs:816:1:816:17 | struct AStruct | -| main.rs:1094:5:1094:29 | impl_with_attribute_macro | main.rs:949:1:968:1 | mod impl_with_attribute_macro | -| main.rs:1094:5:1094:35 | ...::test | main.rs:964:5:967:5 | fn test | -| main.rs:1095:5:1095:12 | patterns | main.rs:970:1:1011:1 | mod patterns | -| main.rs:1095:5:1095:18 | ...::test | main.rs:971:5:985:5 | fn test | +| main.rs:1062:15:1062:15 | T | main.rs:1061:31:1061:31 | T | +| main.rs:1063:15:1063:31 | Option::<...> | {EXTERNAL LOCATION} | enum Option | +| main.rs:1063:22:1063:30 | Box::<...> | {EXTERNAL LOCATION} | struct Box | +| main.rs:1067:16:1067:16 | T | main.rs:1066:27:1066:27 | T | +| main.rs:1068:14:1068:14 | T | main.rs:1066:27:1066:27 | T | +| main.rs:1068:17:1068:25 | Box::<...> | {EXTERNAL LOCATION} | struct Box | +| main.rs:1075:13:1075:16 | Copy | {EXTERNAL LOCATION} | trait Copy | +| main.rs:1077:17:1077:17 | T | main.rs:1074:9:1074:9 | T | +| main.rs:1078:16:1078:16 | T | main.rs:1074:9:1074:9 | T | +| main.rs:1083:5:1083:6 | my | main.rs:1:1:1:7 | mod my | +| 
main.rs:1083:5:1083:14 | ...::nested | my.rs:1:1:1:15 | mod nested | +| main.rs:1083:5:1083:23 | ...::nested1 | my/nested.rs:1:1:17:1 | mod nested1 | +| main.rs:1083:5:1083:32 | ...::nested2 | my/nested.rs:2:5:11:5 | mod nested2 | +| main.rs:1083:5:1083:35 | ...::f | my/nested.rs:3:9:5:9 | fn f | +| main.rs:1084:5:1084:6 | my | main.rs:1:1:1:7 | mod my | +| main.rs:1084:5:1084:9 | ...::f | my.rs:5:1:7:1 | fn f | +| main.rs:1085:5:1085:11 | nested2 | my2/mod.rs:1:1:1:16 | mod nested2 | +| main.rs:1085:5:1085:20 | ...::nested3 | my2/nested2.rs:1:1:11:1 | mod nested3 | +| main.rs:1085:5:1085:29 | ...::nested4 | my2/nested2.rs:2:5:10:5 | mod nested4 | +| main.rs:1085:5:1085:32 | ...::f | my2/nested2.rs:3:9:5:9 | fn f | +| main.rs:1086:5:1086:5 | f | my2/nested2.rs:3:9:5:9 | fn f | +| main.rs:1087:5:1087:5 | g | my2/nested2.rs:7:9:9:9 | fn g | +| main.rs:1088:5:1088:9 | crate | main.rs:0:0:0:0 | Crate(main@0.0.1) | +| main.rs:1088:5:1088:12 | ...::h | main.rs:57:1:76:1 | fn h | +| main.rs:1089:5:1089:6 | m1 | main.rs:20:1:44:1 | mod m1 | +| main.rs:1089:5:1089:10 | ...::m2 | main.rs:25:5:43:5 | mod m2 | +| main.rs:1089:5:1089:13 | ...::g | main.rs:30:9:34:9 | fn g | +| main.rs:1090:5:1090:6 | m1 | main.rs:20:1:44:1 | mod m1 | +| main.rs:1090:5:1090:10 | ...::m2 | main.rs:25:5:43:5 | mod m2 | +| main.rs:1090:5:1090:14 | ...::m3 | main.rs:36:9:42:9 | mod m3 | +| main.rs:1090:5:1090:17 | ...::h | main.rs:37:27:41:13 | fn h | +| main.rs:1091:5:1091:6 | m4 | main.rs:46:1:53:1 | mod m4 | +| main.rs:1091:5:1091:9 | ...::i | main.rs:49:5:52:5 | fn i | +| main.rs:1092:5:1092:5 | h | main.rs:57:1:76:1 | fn h | +| main.rs:1093:5:1093:11 | f_alias | my2/nested2.rs:3:9:5:9 | fn f | +| main.rs:1094:5:1094:11 | g_alias | my2/nested2.rs:7:9:9:9 | fn g | +| main.rs:1095:5:1095:5 | j | main.rs:104:1:108:1 | fn j | +| main.rs:1096:5:1096:6 | m6 | main.rs:116:1:128:1 | mod m6 | +| main.rs:1096:5:1096:9 | ...::g | main.rs:121:5:127:5 | fn g | +| main.rs:1097:5:1097:6 | m7 | 
main.rs:130:1:149:1 | mod m7 | +| main.rs:1097:5:1097:9 | ...::f | main.rs:141:5:148:5 | fn f | +| main.rs:1098:5:1098:6 | m8 | main.rs:151:1:205:1 | mod m8 | +| main.rs:1098:5:1098:9 | ...::g | main.rs:189:5:204:5 | fn g | +| main.rs:1099:5:1099:6 | m9 | main.rs:207:1:215:1 | mod m9 | +| main.rs:1099:5:1099:9 | ...::f | main.rs:210:5:214:5 | fn f | +| main.rs:1100:5:1100:7 | m11 | main.rs:238:1:275:1 | mod m11 | +| main.rs:1100:5:1100:10 | ...::f | main.rs:243:5:246:5 | fn f | +| main.rs:1101:5:1101:7 | m15 | main.rs:306:1:375:1 | mod m15 | +| main.rs:1101:5:1101:10 | ...::f | main.rs:362:5:374:5 | fn f | +| main.rs:1102:5:1102:7 | m16 | main.rs:377:1:574:1 | mod m16 | +| main.rs:1102:5:1102:10 | ...::f | main.rs:446:5:470:5 | fn f | +| main.rs:1103:5:1103:20 | trait_visibility | main.rs:576:1:633:1 | mod trait_visibility | +| main.rs:1103:5:1103:23 | ...::f | main.rs:603:5:632:5 | fn f | +| main.rs:1104:5:1104:7 | m17 | main.rs:635:1:665:1 | mod m17 | +| main.rs:1104:5:1104:10 | ...::f | main.rs:659:5:664:5 | fn f | +| main.rs:1105:5:1105:11 | nested6 | my2/nested2.rs:14:5:18:5 | mod nested6 | +| main.rs:1105:5:1105:14 | ...::f | my2/nested2.rs:15:9:17:9 | fn f | +| main.rs:1106:5:1106:11 | nested8 | my2/nested2.rs:22:5:26:5 | mod nested8 | +| main.rs:1106:5:1106:14 | ...::f | my2/nested2.rs:23:9:25:9 | fn f | +| main.rs:1107:5:1107:7 | my3 | my2/mod.rs:20:1:20:12 | mod my3 | +| main.rs:1107:5:1107:10 | ...::f | my2/my3/mod.rs:1:1:5:1 | fn f | +| main.rs:1108:5:1108:12 | nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f | +| main.rs:1109:5:1109:12 | my_alias | main.rs:1:1:1:7 | mod my | +| main.rs:1109:5:1109:22 | ...::nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f | +| main.rs:1110:5:1110:7 | m18 | main.rs:667:1:685:1 | mod m18 | +| main.rs:1110:5:1110:12 | ...::m19 | main.rs:672:5:684:5 | mod m19 | +| main.rs:1110:5:1110:17 | ...::m20 | main.rs:677:9:683:9 | mod m20 | +| main.rs:1110:5:1110:20 | ...::g | main.rs:678:13:682:13 | fn g | +| main.rs:1111:5:1111:7 | m23 | 
main.rs:714:1:739:1 | mod m23 | +| main.rs:1111:5:1111:10 | ...::f | main.rs:734:5:738:5 | fn f | +| main.rs:1112:5:1112:7 | m24 | main.rs:741:1:809:1 | mod m24 | +| main.rs:1112:5:1112:10 | ...::f | main.rs:795:5:808:5 | fn f | +| main.rs:1113:5:1113:8 | zelf | main.rs:0:0:0:0 | Crate(main@0.0.1) | +| main.rs:1113:5:1113:11 | ...::h | main.rs:57:1:76:1 | fn h | +| main.rs:1114:5:1114:13 | z_changed | main.rs:814:1:814:9 | fn z_changed | +| main.rs:1115:5:1115:11 | AStruct | main.rs:816:1:816:17 | struct AStruct | +| main.rs:1115:5:1115:22 | ...::z_on_type | main.rs:820:5:820:17 | fn z_on_type | +| main.rs:1116:5:1116:11 | AStruct | main.rs:816:1:816:17 | struct AStruct | +| main.rs:1117:5:1117:29 | impl_with_attribute_macro | main.rs:949:1:968:1 | mod impl_with_attribute_macro | +| main.rs:1117:5:1117:35 | ...::test | main.rs:964:5:967:5 | fn test | +| main.rs:1118:5:1118:12 | patterns | main.rs:970:1:1011:1 | mod patterns | +| main.rs:1118:5:1118:18 | ...::test | main.rs:971:5:985:5 | fn test | | my2/mod.rs:4:5:4:11 | println | {EXTERNAL LOCATION} | MacroRules | | my2/mod.rs:5:5:5:11 | nested2 | my2/mod.rs:1:1:1:16 | mod nested2 | | my2/mod.rs:5:5:5:20 | ...::nested3 | my2/nested2.rs:1:1:11:1 | mod nested3 | @@ -630,7 +640,7 @@ resolvePath | my2/my3/mod.rs:3:5:3:5 | g | my2/mod.rs:3:1:6:1 | fn g | | my2/my3/mod.rs:4:5:4:5 | h | main.rs:57:1:76:1 | fn h | | my2/my3/mod.rs:7:5:7:9 | super | my2/mod.rs:1:1:25:34 | SourceFile | -| my2/my3/mod.rs:7:5:7:16 | ...::super | main.rs:1:1:1096:2 | SourceFile | +| my2/my3/mod.rs:7:5:7:16 | ...::super | main.rs:1:1:1119:2 | SourceFile | | my2/my3/mod.rs:7:5:7:19 | ...::h | main.rs:57:1:76:1 | fn h | | my2/my3/mod.rs:8:5:8:9 | super | my2/mod.rs:1:1:25:34 | SourceFile | | my2/my3/mod.rs:8:5:8:12 | ...::g | my2/mod.rs:3:1:6:1 | fn g | From 99b498b891bab893c2f542ea3de0d100fd7b48dd Mon Sep 17 00:00:00 2001 
From: Simon Friis Vindum Date: Mon, 2 Feb 2026 13:29:26 +0100 Subject: [PATCH 13/25] Rust: Resolve `Self` paths in type definitions --- .../codeql/rust/internal/PathResolution.qll | 34 ++++++------------- .../library-tests/path-resolution/main.rs | 6 ++-- .../path-resolution/path-resolution.expected | 3 ++ 3 files changed, 17 insertions(+), 26 deletions(-) diff --git a/rust/ql/lib/codeql/rust/internal/PathResolution.qll b/rust/ql/lib/codeql/rust/internal/PathResolution.qll index 7e77669cc4f..bfc2c4a0cc0 100644 --- a/rust/ql/lib/codeql/rust/internal/PathResolution.qll +++ b/rust/ql/lib/codeql/rust/internal/PathResolution.qll @@ -119,6 +119,15 @@ private ItemNode getAChildSuccessor(ItemNode item, string name, SuccessorKind ki if result.isPublic() then kind.isBoth() else kind.isInternal() + or + // `Self` has scoping rules similar to type parameters and can be considered + // an implicit type parameter child of the introducing item. + // - https://doc.rust-lang.org/stable/reference/paths.html#r-paths.qualifiers.type-self + // - https://doc.rust-lang.org/stable/reference/names/scopes.html#r-names.scopes.self + (item instanceof TypeItemTypeItemNode or item instanceof ImplOrTraitItemNode) and + name = "Self" and + kind.isInternal() and + result = item } private module UseOption = Option; @@ -405,9 +414,6 @@ abstract class ItemNode extends Locatable { this instanceof SourceFile and builtin(name, result) or - name = "Self" and - this = result.(ImplOrTraitItemNode).getAnItemInSelfScope() - or name = "crate" and this = result.(CrateItemNode).getASourceFile() ) 
@@ -718,26 +724,12 @@ class FunctionItemNode extends AssocItemNode, ParameterizableItemNode instanceof } abstract class ImplOrTraitItemNode extends ItemNode { - /** Gets an item that may refer to this node using `Self`. */ - pragma[nomagic] - ItemNode getAnItemInSelfScope() { - result = this - or - result.getImmediateParent() = this - or - exists(ItemNode mid | - mid = this.getAnItemInSelfScope() and - result.getImmediateParent() = mid and - not mid instanceof ImplOrTraitItemNode - ) - } - /** Gets a `Self` path that refers to this item. */ cached Path getASelfPath() { Stages::PathResolutionStage::ref() and isUnqualifiedSelfPath(result) and - result = this.getAnItemInSelfScope().getADescendant() + this = unqualifiedPathLookup(result, _, _) } /** Gets an associated item belonging to this trait or `impl` block. */ @@ -1610,11 +1602,7 @@ private predicate unqualifiedPathLookup(ItemNode ancestor, string name, Namespac // lookup in an outer scope, but only if the item is not declared in inner scope exists(ItemNode mid | unqualifiedPathLookup(mid, name, ns, encl) and - not declares(mid, ns, name) and - not ( - name = "Self" and - mid = any(ImplOrTraitItemNode i).getAnItemInSelfScope() - ) + not declares(mid, ns, name) | ancestor = getOuterScope(mid) or diff --git a/rust/ql/test/library-tests/path-resolution/main.rs b/rust/ql/test/library-tests/path-resolution/main.rs index b330822ecc8..4a3e4c82c20 100644 --- a/rust/ql/test/library-tests/path-resolution/main.rs +++ b/rust/ql/test/library-tests/path-resolution/main.rs @@ -1060,12 +1060,12 @@ mod self_constructors { mod self_types { struct NonEmptyListStruct { head: T, // $ item=T - tail: Option>, // $ item=Option item=Box MISSING: item=NonEmptyListStruct + tail: Option>, // $ item=Option item=Box item=NonEmptyListStruct } enum NonEmptyListEnum { Single(T), // $ item=T - Cons(T, Box), // $ item=T item=Box MISSING: item=NonEmptyListEnum + Cons(T, Box), // $ item=T item=Box item=NonEmptyListEnum } #[rustfmt::skip] 
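Review bot: In the `@@ -1610,11 +1602,7 @@` hunk of `PathResolution.qll`, removing the explicit `name = "Self"` guard leaves `not declares(mid, ns, name)` as the only thing that stops the outer-scope walk for `Self`, and `declares` is not touched by this diff, so it is not evident from here that it sees the implicit `Self` child added in `getAChildSuccessor`. If it does not, a `Self` path in a type item or `impl` nested inside another `impl` could resolve to both the inner and the outer item. The new `self_types` cases in `main.rs` only exercise one level, so I would add a nested case (for example a struct declared inside a method body of an `impl`, with a `Self` field annotated with the inner struct's `item=`) to pin the shadowing. A short comment at the lookup, such as `// Self is shadowed through declares; see getAChildSuccessor`, would also record why the guard is no longer needed. The body of `unqualifiedPathLookup` starts and ends outside the hunk.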
@@ -1075,7 +1075,7 @@ mod self_types { : Copy // $ item=Copy > { single: T, // $ item=T - cons: (T, &'a Self), // $ item=T MISSING: item=NonEmptyListUnion + cons: (T, &'a Self), // $ item=T item=NonEmptyListUnion } } diff --git a/rust/ql/test/library-tests/path-resolution/path-resolution.expected b/rust/ql/test/library-tests/path-resolution/path-resolution.expected index e1f9f60b76a..fbb81bbf2ca 100644 --- a/rust/ql/test/library-tests/path-resolution/path-resolution.expected +++ b/rust/ql/test/library-tests/path-resolution/path-resolution.expected @@ -536,12 +536,15 @@ resolvePath | main.rs:1062:15:1062:15 | T | main.rs:1061:31:1061:31 | T | | main.rs:1063:15:1063:31 | Option::<...> | {EXTERNAL LOCATION} | enum Option | | main.rs:1063:22:1063:30 | Box::<...> | {EXTERNAL LOCATION} | struct Box | +| main.rs:1063:26:1063:29 | Self | main.rs:1061:5:1064:5 | struct NonEmptyListStruct | | main.rs:1067:16:1067:16 | T | main.rs:1066:27:1066:27 | T | | main.rs:1068:14:1068:14 | T | main.rs:1066:27:1066:27 | T | | main.rs:1068:17:1068:25 | Box::<...> | {EXTERNAL LOCATION} | struct Box | +| main.rs:1068:21:1068:24 | Self | main.rs:1066:5:1069:5 | enum NonEmptyListEnum | | main.rs:1075:13:1075:16 | Copy | {EXTERNAL LOCATION} | trait Copy | | main.rs:1077:17:1077:17 | T | main.rs:1074:9:1074:9 | T | | main.rs:1078:16:1078:16 | T | main.rs:1074:9:1074:9 | T | +| main.rs:1078:23:1078:26 | Self | main.rs:1071:5:1079:5 | union NonEmptyListUnion | | main.rs:1083:5:1083:6 | my | main.rs:1:1:1:7 | mod my | | main.rs:1083:5:1083:14 | ...::nested | my.rs:1:1:1:15 | mod nested | | main.rs:1083:5:1083:23 | ...::nested1 | my/nested.rs:1:1:17:1 | mod nested1 | From 73d06f26cbffe97b29a80e1d3a2e9c41a79c8ff6 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Mon, 2 Feb 2026 14:04:26 +0000 Subject: [PATCH 14/25] Post-release preparation for codeql-cli-2.24.1 --- actions/ql/lib/qlpack.yml | 2 +- actions/ql/src/qlpack.yml | 2 +- cpp/ql/lib/qlpack.yml | 2 +- cpp/ql/src/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/lib/qlpack.yml | 2 +- csharp/ql/campaigns/Solorigate/src/qlpack.yml | 2 +- csharp/ql/lib/qlpack.yml | 2 +- csharp/ql/src/qlpack.yml | 2 +- go/ql/consistency-queries/qlpack.yml | 2 +- go/ql/lib/qlpack.yml | 2 +- go/ql/src/qlpack.yml | 2 +- java/ql/lib/qlpack.yml | 2 +- java/ql/src/qlpack.yml | 2 +- javascript/ql/lib/qlpack.yml | 2 +- javascript/ql/src/qlpack.yml | 2 +- misc/suite-helpers/qlpack.yml | 2 +- python/ql/lib/qlpack.yml | 2 +- python/ql/src/qlpack.yml | 2 +- ruby/ql/lib/qlpack.yml | 2 +- ruby/ql/src/qlpack.yml | 2 +- rust/ql/lib/qlpack.yml | 2 +- rust/ql/src/qlpack.yml | 2 +- shared/concepts/qlpack.yml | 2 +- shared/controlflow/qlpack.yml | 2 +- shared/dataflow/qlpack.yml | 2 +- shared/mad/qlpack.yml | 2 +- shared/quantum/qlpack.yml | 2 +- shared/rangeanalysis/qlpack.yml | 2 +- shared/regex/qlpack.yml | 2 +- shared/ssa/qlpack.yml | 2 +- shared/threat-models/qlpack.yml | 2 +- shared/tutorial/qlpack.yml | 2 +- shared/typeflow/qlpack.yml | 2 +- shared/typeinference/qlpack.yml | 2 +- shared/typetracking/qlpack.yml | 2 +- shared/typos/qlpack.yml | 2 +- shared/util/qlpack.yml | 2 +- shared/xml/qlpack.yml | 2 +- shared/yaml/qlpack.yml | 2 +- swift/ql/lib/qlpack.yml | 2 +- swift/ql/src/qlpack.yml | 2 +- 41 files changed, 41 insertions(+), 41 deletions(-) diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml index aa29568caf7..d700f90710a 100644 --- a/actions/ql/lib/qlpack.yml +++ b/actions/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-all -version: 0.4.27 +version: 0.4.28-dev library: true warnOnImplicitThis: true dependencies: diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml index 7b9f281601a..7c19f90be06 100644 
--- a/actions/ql/src/qlpack.yml +++ b/actions/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/actions-queries -version: 0.6.19 +version: 0.6.20-dev library: false warnOnImplicitThis: true groups: [actions, queries] diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index ac07194106a..eeb5d0adf08 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-all -version: 7.1.0 +version: 7.1.1-dev groups: cpp dbscheme: semmlecode.cpp.dbscheme extractor: cpp diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml index 232836a053d..b374fb51f75 100644 --- a/cpp/ql/src/qlpack.yml +++ b/cpp/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/cpp-queries -version: 1.5.10 +version: 1.5.11-dev groups: - cpp - queries diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml index 09feed99265..bc1e19c5d11 100644 --- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-all -version: 1.7.58 +version: 1.7.59-dev groups: - csharp - solorigate diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml index 6f7ea3b625b..87016f799ea 100644 --- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml +++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-solorigate-queries -version: 1.7.58 +version: 1.7.59-dev groups: - csharp - solorigate diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml index 28d4a36b3ab..31fb2ca6618 100644 --- a/csharp/ql/lib/qlpack.yml +++ b/csharp/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/csharp-all -version: 5.4.6 +version: 5.4.7-dev groups: csharp dbscheme: semmlecode.csharp.dbscheme extractor: csharp diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml index 85d9dbf9ead..492445c2374 100644 --- a/csharp/ql/src/qlpack.yml +++ b/csharp/ql/src/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/csharp-queries -version: 1.6.1 +version: 1.6.2-dev groups: - csharp - queries diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml index c07633f30b9..9db7c50224d 100644 --- a/go/ql/consistency-queries/qlpack.yml +++ b/go/ql/consistency-queries/qlpack.yml @@ -1,5 +1,5 @@ name: codeql-go-consistency-queries -version: 1.0.41 +version: 1.0.42-dev groups: - go - queries diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml index af34da5d7d5..3ddf09d9864 100644 --- a/go/ql/lib/qlpack.yml +++ b/go/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-all -version: 6.0.1 +version: 6.0.2-dev groups: go dbscheme: go.dbscheme extractor: go diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml index 20e25202476..cb2e964d440 100644 --- a/go/ql/src/qlpack.yml +++ b/go/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/go-queries -version: 1.5.5 +version: 1.5.6-dev groups: - go - queries diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml index eb1a7f632c7..177711350d5 100644 --- a/java/ql/lib/qlpack.yml +++ b/java/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-all -version: 8.0.0 +version: 8.0.1-dev groups: java dbscheme: config/semmlecode.dbscheme extractor: java diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml index 570c8bf7e18..792bb13eb32 100644 --- a/java/ql/src/qlpack.yml +++ b/java/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/java-queries -version: 1.10.6 +version: 1.10.7-dev groups: - java - queries diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml index 2e54148b68c..830994432a5 100644 --- a/javascript/ql/lib/qlpack.yml +++ b/javascript/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-all -version: 2.6.21 +version: 2.6.22-dev groups: javascript dbscheme: semmlecode.javascript.dbscheme extractor: javascript diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml index ad56a74e9b5..8fc055f61e1 100644 --- a/javascript/ql/src/qlpack.yml 
+++ b/javascript/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/javascript-queries -version: 2.3.1 +version: 2.3.2-dev groups: - javascript - queries diff --git a/misc/suite-helpers/qlpack.yml b/misc/suite-helpers/qlpack.yml index 4a0344c0f0f..28a63301e69 100644 --- a/misc/suite-helpers/qlpack.yml +++ b/misc/suite-helpers/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/suite-helpers -version: 1.0.41 +version: 1.0.42-dev groups: shared warnOnImplicitThis: true diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml index db127bd5792..1ead7adb605 100644 --- a/python/ql/lib/qlpack.yml +++ b/python/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-all -version: 6.1.0 +version: 6.1.1-dev groups: python dbscheme: semmlecode.python.dbscheme extractor: python diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index 5725ef1f664..e6de4a768bf 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 1.7.6 +version: 1.7.7-dev groups: - python - queries diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index 6a48d4be1a2..824d21e1331 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 5.1.9 +version: 5.1.10-dev groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index a14269c692a..63d59fd0faa 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 1.5.6 +version: 1.5.7-dev groups: - ruby - queries diff --git a/rust/ql/lib/qlpack.yml b/rust/ql/lib/qlpack.yml index 4f33822af63..d87089914d3 100644 --- a/rust/ql/lib/qlpack.yml +++ b/rust/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-all -version: 0.2.5 +version: 0.2.6-dev groups: rust extractor: rust dbscheme: rust.dbscheme diff --git a/rust/ql/src/qlpack.yml b/rust/ql/src/qlpack.yml index 61ff8e48167..850f67e18a8 100644 --- a/rust/ql/src/qlpack.yml 
+++ b/rust/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rust-queries -version: 0.1.26 +version: 0.1.27-dev groups: - rust - queries diff --git a/shared/concepts/qlpack.yml b/shared/concepts/qlpack.yml index 40350f8b33c..4cfa6918d19 100644 --- a/shared/concepts/qlpack.yml +++ b/shared/concepts/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/concepts -version: 0.0.15 +version: 0.0.16-dev groups: shared library: true dependencies: diff --git a/shared/controlflow/qlpack.yml b/shared/controlflow/qlpack.yml index f8e86c3b834..5ed22593368 100644 --- a/shared/controlflow/qlpack.yml +++ b/shared/controlflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/controlflow -version: 2.0.25 +version: 2.0.26-dev groups: shared library: true dependencies: diff --git a/shared/dataflow/qlpack.yml b/shared/dataflow/qlpack.yml index 86bfb0a5b05..de23fe3e38b 100644 --- a/shared/dataflow/qlpack.yml +++ b/shared/dataflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/dataflow -version: 2.0.25 +version: 2.0.26-dev groups: shared library: true dependencies: diff --git a/shared/mad/qlpack.yml b/shared/mad/qlpack.yml index 349dc19aa33..e1b46e5427c 100644 --- a/shared/mad/qlpack.yml +++ b/shared/mad/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/mad -version: 1.0.41 +version: 1.0.42-dev groups: shared library: true dependencies: diff --git a/shared/quantum/qlpack.yml b/shared/quantum/qlpack.yml index f394fab9654..d3129461a49 100644 --- a/shared/quantum/qlpack.yml +++ b/shared/quantum/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/quantum -version: 0.0.19 +version: 0.0.20-dev groups: shared library: true dependencies: diff --git a/shared/rangeanalysis/qlpack.yml b/shared/rangeanalysis/qlpack.yml index 846d83bc93c..be9c067d84e 100644 --- a/shared/rangeanalysis/qlpack.yml +++ b/shared/rangeanalysis/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/rangeanalysis -version: 1.0.41 +version: 1.0.42-dev groups: shared library: true dependencies: diff --git a/shared/regex/qlpack.yml b/shared/regex/qlpack.yml index 80b995f7c50..93baefe6d78 100644 
--- a/shared/regex/qlpack.yml +++ b/shared/regex/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/regex -version: 1.0.41 +version: 1.0.42-dev groups: shared library: true dependencies: diff --git a/shared/ssa/qlpack.yml b/shared/ssa/qlpack.yml index c1b143d616e..d5e6d266097 100644 --- a/shared/ssa/qlpack.yml +++ b/shared/ssa/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ssa -version: 2.0.17 +version: 2.0.18-dev groups: shared library: true dependencies: diff --git a/shared/threat-models/qlpack.yml b/shared/threat-models/qlpack.yml index 634544a4eb8..0ed1decf1d0 100644 --- a/shared/threat-models/qlpack.yml +++ b/shared/threat-models/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/threat-models -version: 1.0.41 +version: 1.0.42-dev library: true groups: shared dataExtensions: diff --git a/shared/tutorial/qlpack.yml b/shared/tutorial/qlpack.yml index 93b95d3210c..1e937c1f860 100644 --- a/shared/tutorial/qlpack.yml +++ b/shared/tutorial/qlpack.yml @@ -1,7 +1,7 @@ name: codeql/tutorial description: Library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries. -version: 1.0.41 +version: 1.0.42-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/typeflow/qlpack.yml b/shared/typeflow/qlpack.yml index 4512e955385..f40dd352f6e 100644 --- a/shared/typeflow/qlpack.yml +++ b/shared/typeflow/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeflow -version: 1.0.41 +version: 1.0.42-dev groups: shared library: true dependencies: diff --git a/shared/typeinference/qlpack.yml b/shared/typeinference/qlpack.yml index 6bb3be57eba..927036035b5 100644 --- a/shared/typeinference/qlpack.yml +++ b/shared/typeinference/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typeinference -version: 0.0.22 +version: 0.0.23-dev groups: shared library: true dependencies: diff --git a/shared/typetracking/qlpack.yml b/shared/typetracking/qlpack.yml index fe7582bbde6..fcaed606ded 100644 --- a/shared/typetracking/qlpack.yml +++ b/shared/typetracking/qlpack.yml 
@@ -1,5 +1,5 @@ name: codeql/typetracking -version: 2.0.25 +version: 2.0.26-dev groups: shared library: true dependencies: diff --git a/shared/typos/qlpack.yml b/shared/typos/qlpack.yml index e587573ad40..de131d17f6b 100644 --- a/shared/typos/qlpack.yml +++ b/shared/typos/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/typos -version: 1.0.41 +version: 1.0.42-dev groups: shared library: true warnOnImplicitThis: true diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index dd8c960aa0b..def146658c0 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/util -version: 2.0.28 +version: 2.0.29-dev groups: shared library: true dependencies: null diff --git a/shared/xml/qlpack.yml b/shared/xml/qlpack.yml index ad13296db46..d12cff34fbe 100644 --- a/shared/xml/qlpack.yml +++ b/shared/xml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/xml -version: 1.0.41 +version: 1.0.42-dev groups: shared library: true dependencies: diff --git a/shared/yaml/qlpack.yml b/shared/yaml/qlpack.yml index 03ddecb8a05..5ba88d4abdb 100644 --- a/shared/yaml/qlpack.yml +++ b/shared/yaml/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/yaml -version: 1.0.41 +version: 1.0.42-dev groups: shared library: true warnOnImplicitThis: true diff --git a/swift/ql/lib/qlpack.yml b/swift/ql/lib/qlpack.yml index 9fc1e4731dd..157e1334212 100644 --- a/swift/ql/lib/qlpack.yml +++ b/swift/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-all -version: 6.2.1 +version: 6.2.2-dev groups: swift extractor: swift dbscheme: swift.dbscheme diff --git a/swift/ql/src/qlpack.yml b/swift/ql/src/qlpack.yml index 86538099f75..bdac35f35b2 100644 --- a/swift/ql/src/qlpack.yml +++ b/swift/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/swift-queries -version: 1.2.15 +version: 1.2.16-dev groups: - swift - queries From b16f1d3778564ff07ccda14d6190d6c4c9611e59 Mon Sep 17 00:00:00 2001 
From: Tom Hvitved Date: Mon, 2 Feb 2026 15:21:05 +0100 Subject: [PATCH 15/25] Rust: Fix bad join Before ``` Evaluated relational algebra for predicate _PathResolution::ImplItemNode.getTraitPath/0#dispred#3b7d1cb6_PathResolution::ImplOrTraitItemNode.ge__#shared@0d3de6d9 with tuple counts: 395360270 ~2% {5} r1 = JOIN Type::TAssociatedTypeTypeParameter#6da9e52a WITH `PathResolution::ImplItemNode.getTraitPath/0#dispred#3b7d1cb6` CARTESIAN PRODUCT OUTPUT Rhs.0, Lhs.0, Lhs.1, Lhs.2, Rhs.1 1274237644 ~0% {6} | JOIN WITH `PathResolution::ItemNode.getASuccessor/1#8f430f71` ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.3, Lhs.4, Rhs.1, Rhs.2 1274237644 ~0% {6} | JOIN WITH PathResolution::TraitItemNode#8d4ce62d ON FIRST 1 OUTPUT Lhs.0, Lhs.4, Lhs.1, Lhs.2, Lhs.3, Lhs.5 6984871 ~0% {5} | JOIN WITH `PathResolution::ImplOrTraitItemNode.getAssocItem/1#f77bb9ed` ON FIRST 3 OUTPUT Lhs.2, Lhs.0, Lhs.3, Lhs.4, Lhs.5 6984871 ~0% {4} | JOIN WITH TypeAlias::Generated::TypeAlias#1ca97780 ON FIRST 1 OUTPUT Lhs.4, Lhs.1, Lhs.2, Lhs.3 6076675 ~0% {4} | JOIN WITH `TypeAlias::Generated::TypeAlias.getTypeRepr/0#dispred#5fd7e521` ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3 return r1 ``` After ``` Evaluated relational algebra for predicate _PathResolution::ImplItemNode.getTraitPath/0#dispred#3b7d1cb6_PathResolution::ImplOrTraitItemNode.ge__#shared@760e0499 with tuple counts: 443292 ~2% {3} r1 = SCAN `PathResolution::ImplOrTraitItemNode.getAssocItem/1#f77bb9ed` OUTPUT In.0, In.2, In.1 1258 ~1% {3} | JOIN WITH Type::TAssociatedTypeTypeParameter#6da9e52a ON FIRST 2 OUTPUT Lhs.2, Lhs.0, Rhs.2 13656944 ~3% {4} | JOIN WITH `PathResolution::ItemNode.getASuccessor/1#8f430f71_102#join_rhs` ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Rhs.2 6984871 ~0% {4} | JOIN WITH `PathResolution::ImplItemNode.getTraitPath/0#dispred#3b7d1cb6` ON FIRST 1 OUTPUT Lhs.3, Lhs.1, Lhs.2, Rhs.1 6076675 ~0% {4} | JOIN WITH `TypeAlias::Generated::TypeAlias.getTypeRepr/0#dispred#5fd7e521` ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3 return r1 
``` --- rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll b/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll index bdb25a65b15..4bff45ba027 100644 --- a/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll +++ b/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll @@ -323,7 +323,7 @@ private module MkTypeMention Date: Mon, 2 Feb 2026 14:39:27 +0000 Subject: [PATCH 16/25] Add `EmitPrivateRegistryUsed` --- go/extractor/diagnostics/diagnostics.go | 21 ++++++++++++++++++++ go/extractor/diagnostics/diagnostics_test.go | 21 ++++++++++++++++++++ 2 files changed, 42 insertions(+) diff --git a/go/extractor/diagnostics/diagnostics.go b/go/extractor/diagnostics/diagnostics.go index a91a9efac0d..b40b31c15f3 100644 --- a/go/extractor/diagnostics/diagnostics.go +++ b/go/extractor/diagnostics/diagnostics.go @@ -568,3 +568,24 @@ func EmitExtractionFailedForProjects(path []string) { noLocation, ) } + +func EmitPrivateRegistryUsed(writer DiagnosticsWriter, configs []string) { + lines := []string{} + + for i := range configs { + lines = append(lines, fmt.Sprintf("* %s", configs[i])) + } + + emitDiagnosticTo( + writer, + "go/autobuilder/analysis-using-private-registries", + "Go extraction used private package registries", + fmt.Sprintf( + "Go was extracted using the following private package registrie%s:\n\n%s\n", + plural(len(lines), "", "s"), + strings.Join(lines, "\n")), + severityNote, + fullVisibility, + noLocation, + ) +} diff --git a/go/extractor/diagnostics/diagnostics_test.go b/go/extractor/diagnostics/diagnostics_test.go index f2b560004ba..1582923fb55 100644 --- a/go/extractor/diagnostics/diagnostics_test.go +++ b/go/extractor/diagnostics/diagnostics_test.go 
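Review bot: `EmitPrivateRegistryUsed` is exported without a doc comment, and it copies every entry of `configs` verbatim into a Markdown message emitted with `fullVisibility`, so the contract on what callers may pass is worth writing down. I would add `// EmitPrivateRegistryUsed emits a note-severity diagnostic listing the private package registries used for Go extraction; each entry of configs becomes one Markdown bullet and must already be safe to display (no credentials, no unescaped Markdown).` above the function. The function also emits a diagnostic with an empty list when `configs` is empty; an early `if len(configs) == 0 { return }` would make it safe to call unconditionally.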
@@ -83,3 +83,24 @@ func Test_EmitCannotFindPackages_Actions(t *testing.T) { // Custom build command suggestion assert.Contains(t, d.MarkdownMessage, "If any of the packages are already present in the repository") } + +func Test_EmitPrivateRegistryUsed(t *testing.T) { + writer := newMemoryDiagnosticsWriter() + + testItems := []string{ + "* https://github.com/github/example (Git Source)", + "* https://example.com/goproxy (GOPROXY Server)", + } + + EmitPrivateRegistryUsed(writer, testItems) + + assert.Len(t, writer.diagnostics, 1, "Expected one diagnostic to be emitted") + + d := writer.diagnostics[0] + assert.Equal(t, d.Source.Id, "go/autobuilder/analysis-using-private-registries") + assert.Equal(t, d.Severity, string(severityNote)) + + for i := range testItems { + assert.Contains(t, d.MarkdownMessage, testItems[i]) + } +} From 29930fa6bf98828af43ac93378ef9637b52ef385 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 2 Feb 2026 14:40:08 +0000 Subject: [PATCH 17/25] Track active proxy configurations --- go/extractor/util/registryproxy.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/go/extractor/util/registryproxy.go b/go/extractor/util/registryproxy.go index 1f20832e8d8..600c05a5af1 100644 --- a/go/extractor/util/registryproxy.go +++ b/go/extractor/util/registryproxy.go @@ -22,6 +22,19 @@ type RegistryConfig struct { URL string `json:"url"` } +func (config *RegistryConfig) Pretty() string { + pretty_type := "other" + + switch config.Type { + case GIT_SOURCE: + pretty_type = "Git Source" + case GOPROXY_SERVER: + pretty_type = "GOPROXY Server" + } + + return fmt.Sprintf("`%s` (%s)", config.URL, pretty_type) +} + // The address of the proxy including protocol and port (e.g. http://localhost:1234) var proxy_address string 
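Review bot: The two `assert.Equal` calls in `Test_EmitPrivateRegistryUsed` pass the observed value first and the expected literal second. Assuming `assert` here is testify, whose signature is `Equal(t, expected, actual)`, a failure would label the two values the wrong way round. Swap them: `assert.Equal(t, "go/autobuilder/analysis-using-private-registries", d.Source.Id)` and `assert.Equal(t, string(severityNote), d.Severity)`. The same argument order is carried into the `_Single` and `_Multiple` variants added later in the series.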
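Review bot: `Pretty` formats `config.URL` verbatim, and later in the series that string is placed in a diagnostic emitted with `fullVisibility` (the `diagnostics.EmitPrivateRegistryUsed` call added to `getEnvVars` in patch 19/25). The page does not show whether a configured registry URL can carry a userinfo component, but if it can, a token or password embedded in the URL would be copied into user-visible output. The same value is also passed to `slog.Info` in `getEnvVars`. I would parse the URL and drop the userinfo before formatting, falling back to a fixed placeholder when parsing fails, as sketched below; `url` is already used by this file. An exported method should also get a doc comment stating that its result is meant for display in diagnostics.

```go
func (config *RegistryConfig) Pretty() string {
	// … unchanged: pretty_type selection from config.Type …

	// Never echo credentials embedded in the configured URL into
	// user-visible diagnostics.
	display := "<unparseable URL>"
	if parsed, err := url.Parse(config.URL); err == nil {
		parsed.User = nil
		display = parsed.String()
	}

	return fmt.Sprintf("`%s` (%s)", display, pretty_type)
}
```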
@@ -97,18 +110,22 @@ func getEnvVars() []string { if err != nil { slog.Error("Unable to parse proxy configurations", slog.String("error", err.Error())) } else { + activeConfigs := []RegistryConfig{} + // We only care about private registry configurations that are relevant to Go and // filter others out at this point. for _, cfg := range val { if cfg.Type == GOPROXY_SERVER { goproxy_servers = append(goproxy_servers, cfg.URL) slog.Info("Found GOPROXY server", slog.String("url", cfg.URL)) + activeConfigs = append(activeConfigs, cfg) } else if cfg.Type == GIT_SOURCE { parsed, err := url.Parse(cfg.URL) if err == nil && parsed.Hostname() != "" { git_source := parsed.Hostname() + parsed.Path + "*" git_sources = append(git_sources, git_source) slog.Info("Found Git source", slog.String("source", git_source)) + activeConfigs = append(activeConfigs, cfg) } else { slog.Warn("Not a valid URL for Git source", slog.String("url", cfg.URL)) } From 6d67e419ffc705deb5033bbb07f82ef80b3a8bd3 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 2 Feb 2026 14:45:06 +0000 Subject: [PATCH 18/25] Move private registry sources out of `util` package --- go/extractor/registries/BUILD.bazel | 16 ++++++++++++++++ .../{util => registries}/registryproxy.go | 2 +- .../{util => registries}/registryproxy_test.go | 2 +- go/extractor/toolchain/BUILD.bazel | 5 ++++- go/extractor/toolchain/toolchain.go | 3 ++- go/extractor/util/BUILD.bazel | 2 -- 6 files changed, 24 insertions(+), 6 deletions(-) create mode 100644 go/extractor/registries/BUILD.bazel rename go/extractor/{util => registries}/registryproxy.go (99%) rename go/extractor/{util => registries}/registryproxy_test.go (99%) diff --git a/go/extractor/registries/BUILD.bazel b/go/extractor/registries/BUILD.bazel new file mode 100644 index 00000000000..8c002f20db2 --- /dev/null +++ b/go/extractor/registries/BUILD.bazel 
@@ -0,0 +1,16 @@ +# generated running `bazel run //go/gazelle`, do not edit + +load("@rules_go//go:def.bzl", "go_library", "go_test") + +go_library( + name = "registries", + srcs = ["registryproxy.go"], + importpath = "github.com/github/codeql-go/extractor/registries", + visibility = ["//visibility:public"], +) + +go_test( + name = "registries_test", + srcs = ["registryproxy_test.go"], + embed = [":registries"], +) diff --git a/go/extractor/util/registryproxy.go b/go/extractor/registries/registryproxy.go similarity index 99% rename from go/extractor/util/registryproxy.go rename to go/extractor/registries/registryproxy.go index 600c05a5af1..793bec5a41d 100644 --- a/go/extractor/util/registryproxy.go +++ b/go/extractor/registries/registryproxy.go @@ -1,4 +1,4 @@ -package util +package registries import ( "encoding/json" diff --git a/go/extractor/util/registryproxy_test.go b/go/extractor/registries/registryproxy_test.go similarity index 99% rename from go/extractor/util/registryproxy_test.go rename to go/extractor/registries/registryproxy_test.go index ef63bd9d3f8..c564040ff1b 100644 --- a/go/extractor/util/registryproxy_test.go +++ b/go/extractor/registries/registryproxy_test.go @@ -1,4 +1,4 @@ -package util +package registries import ( "testing" diff --git a/go/extractor/toolchain/BUILD.bazel b/go/extractor/toolchain/BUILD.bazel index 58374999323..16c591f2a96 100644 --- a/go/extractor/toolchain/BUILD.bazel +++ b/go/extractor/toolchain/BUILD.bazel @@ -7,7 +7,10 @@ go_library( srcs = ["toolchain.go"], importpath = "github.com/github/codeql-go/extractor/toolchain", visibility = ["//visibility:public"], - deps = ["//go/extractor/util"], + deps = [ + "//go/extractor/registries", + "//go/extractor/util", + ], ) go_test( diff --git a/go/extractor/toolchain/toolchain.go b/go/extractor/toolchain/toolchain.go index 01b3ab813bd..fb9d5512cd8 100644 --- a/go/extractor/toolchain/toolchain.go +++ b/go/extractor/toolchain/toolchain.go 
@@ -10,6 +10,7 @@ import ( "path/filepath" "strings" + "github.com/github/codeql-go/extractor/registries" "github.com/github/codeql-go/extractor/util" ) @@ -140,7 +141,7 @@ func SupportsWorkspaces() bool { // Constructs a `*exec.Cmd` for `go` with the specified arguments. func GoCommand(arg ...string) *exec.Cmd { cmd := exec.Command("go", arg...) - util.ApplyProxyEnvVars(cmd) + registries.ApplyProxyEnvVars(cmd) return cmd } diff --git a/go/extractor/util/BUILD.bazel b/go/extractor/util/BUILD.bazel index ee090607ced..ccebf5ebd86 100644 --- a/go/extractor/util/BUILD.bazel +++ b/go/extractor/util/BUILD.bazel @@ -8,7 +8,6 @@ go_library( "extractvendordirs.go", "logging.go", "overlays.go", - "registryproxy.go", "semver.go", "util.go", ], @@ -21,7 +20,6 @@ go_test( name = "util_test", srcs = [ "logging_test.go", - "registryproxy_test.go", "semver_test.go", "util_test.go", ], From 30b30d65c832a2a14a7f64834f532156d4e223c0 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 2 Feb 2026 14:47:25 +0000 Subject: [PATCH 19/25] Emit the new diagnostic --- go/extractor/registries/BUILD.bazel | 1 + go/extractor/registries/registryproxy.go | 14 ++++++++++++++ 2 files changed, 15 insertions(+) diff --git a/go/extractor/registries/BUILD.bazel b/go/extractor/registries/BUILD.bazel index 8c002f20db2..7947556ee5d 100644 --- a/go/extractor/registries/BUILD.bazel +++ b/go/extractor/registries/BUILD.bazel @@ -7,6 +7,7 @@ go_library( srcs = ["registryproxy.go"], importpath = "github.com/github/codeql-go/extractor/registries", visibility = ["//visibility:public"], + deps = ["//go/extractor/diagnostics"], ) go_test( diff --git a/go/extractor/registries/registryproxy.go b/go/extractor/registries/registryproxy.go index 793bec5a41d..1bb5995e27a 100644 --- a/go/extractor/registries/registryproxy.go +++ b/go/extractor/registries/registryproxy.go @@ -8,6 +8,8 @@ import ( "os" "os/exec" "strings" + + "github.com/github/codeql-go/extractor/diagnostics" ) const PROXY_HOST = "CODEQL_PROXY_HOST" 
@@ -132,6 +134,18 @@ func getEnvVars() []string { } } + // Emit a diagnostic to make it easy for users to see that private registry + // configurations were picked up by the Go analysis. + if len(activeConfigs) > 0 { + prettyConfigs := []string{} + for i := range activeConfigs { + prettyConfigs = append(prettyConfigs, activeConfigs[i].Pretty()) + } + + diagnostics.EmitPrivateRegistryUsed(diagnostics.DefaultWriter, prettyConfigs) + } + + // Assemble environment variables for Go. goprivate := []string{} if len(goproxy_servers) > 0 { From cbbc057dd313144605650f4d59d23f220247194a Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 2 Feb 2026 16:15:36 +0000 Subject: [PATCH 20/25] Fix singular/plural wording and add test --- go/extractor/diagnostics/diagnostics.go | 4 ++-- go/extractor/diagnostics/diagnostics_test.go | 24 +++++++++++++++++++- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/go/extractor/diagnostics/diagnostics.go b/go/extractor/diagnostics/diagnostics.go index b40b31c15f3..1deff68aa95 100644 --- a/go/extractor/diagnostics/diagnostics.go +++ b/go/extractor/diagnostics/diagnostics.go @@ -581,8 +581,8 @@ func EmitPrivateRegistryUsed(writer DiagnosticsWriter, configs []string) { "go/autobuilder/analysis-using-private-registries", "Go extraction used private package registries", fmt.Sprintf( - "Go was extracted using the following private package registrie%s:\n\n%s\n", - plural(len(lines), "", "s"), + "Go was extracted using the following private package registr%s:\n\n%s\n", + plural(len(lines), "y", "ies"), strings.Join(lines, "\n")), severityNote, fullVisibility, diff --git a/go/extractor/diagnostics/diagnostics_test.go b/go/extractor/diagnostics/diagnostics_test.go index 1582923fb55..1817610868f 100644 --- a/go/extractor/diagnostics/diagnostics_test.go +++ b/go/extractor/diagnostics/diagnostics_test.go 
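Review bot: Emitting the diagnostic from inside `getEnvVars` ties a user-visible side effect to a function whose name says it only computes environment variables, and the hunk does not show how often it runs. `GoCommand` in the toolchain package calls `registries.ApplyProxyEnvVars` for every `go` invocation, so unless `getEnvVars` is already behind a run-once guard outside this hunk, the same note would be written once per command. I would either document the constraint on the function (`// getEnvVars also emits the private-registry diagnostic; it must run at most once per extraction.`) or move the emit into the one-time initialisation path. `getEnvVars` starts and ends outside the hunk.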
@@ -84,7 +84,28 @@ func Test_EmitCannotFindPackages_Actions(t *testing.T) { assert.Contains(t, d.MarkdownMessage, "If any of the packages are already present in the repository") } -func Test_EmitPrivateRegistryUsed(t *testing.T) { +func Test_EmitPrivateRegistryUsed_Single(t *testing.T) { + writer := newMemoryDiagnosticsWriter() + + testItems := []string{ + "* https://github.com/github/example (Git Source)", + } + + EmitPrivateRegistryUsed(writer, testItems) + + assert.Len(t, writer.diagnostics, 1, "Expected one diagnostic to be emitted") + + d := writer.diagnostics[0] + assert.Equal(t, d.Source.Id, "go/autobuilder/analysis-using-private-registries") + assert.Equal(t, d.Severity, string(severityNote)) + assert.Contains(t, d.MarkdownMessage, "following private package registry") + + for i := range testItems { + assert.Contains(t, d.MarkdownMessage, testItems[i]) + } +} + +func Test_EmitPrivateRegistryUsed_Multiple(t *testing.T) { writer := newMemoryDiagnosticsWriter() testItems := []string{ @@ -99,6 +120,7 @@ func Test_EmitPrivateRegistryUsed(t *testing.T) { d := writer.diagnostics[0] assert.Equal(t, d.Source.Id, "go/autobuilder/analysis-using-private-registries") assert.Equal(t, d.Severity, string(severityNote)) + assert.Contains(t, d.MarkdownMessage, "following private package registries") for i := range testItems { assert.Contains(t, d.MarkdownMessage, testItems[i]) From d079671ec8b56014eb484419c1253474105dbe8b Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Mon, 2 Feb 2026 16:17:22 +0000 Subject: [PATCH 21/25] Align `testItems` with what `getEnvVars` does --- go/extractor/diagnostics/diagnostics_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/go/extractor/diagnostics/diagnostics_test.go b/go/extractor/diagnostics/diagnostics_test.go index 1817610868f..3c28a57d4b5 100644 --- a/go/extractor/diagnostics/diagnostics_test.go +++ b/go/extractor/diagnostics/diagnostics_test.go 
@@ -88,7 +88,7 @@ func Test_EmitPrivateRegistryUsed_Single(t *testing.T) { writer := newMemoryDiagnosticsWriter() testItems := []string{ - "* https://github.com/github/example (Git Source)", + "https://github.com/github/example (Git Source)", } EmitPrivateRegistryUsed(writer, testItems) @@ -109,8 +109,8 @@ func Test_EmitPrivateRegistryUsed_Multiple(t *testing.T) { writer := newMemoryDiagnosticsWriter() testItems := []string{ - "* https://github.com/github/example (Git Source)", - "* https://example.com/goproxy (GOPROXY Server)", + "https://github.com/github/example (Git Source)", + "https://example.com/goproxy (GOPROXY Server)", } EmitPrivateRegistryUsed(writer, testItems) From d5c4a19efa878c8c6b134c987cee5edd3ec921b0 Mon Sep 17 00:00:00 2001 From: "Michael B. Gale" Date: Tue, 3 Feb 2026 10:29:15 +0000 Subject: [PATCH 22/25] Apply suggestions from code review Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> --- go/extractor/diagnostics/diagnostics.go | 7 ++++--- go/extractor/registries/registryproxy.go | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/go/extractor/diagnostics/diagnostics.go b/go/extractor/diagnostics/diagnostics.go index 1deff68aa95..e7ff86cb878 100644 --- a/go/extractor/diagnostics/diagnostics.go +++ b/go/extractor/diagnostics/diagnostics.go @@ -570,10 +570,11 @@ func EmitExtractionFailedForProjects(path []string) { } func EmitPrivateRegistryUsed(writer DiagnosticsWriter, configs []string) { - lines := []string{} + n := len(configs) + lines := make([]string, n) for i := range configs { - lines = append(lines, fmt.Sprintf("* %s", configs[i])) + lines[i] = fmt.Sprintf("* %s", configs[i]) } emitDiagnosticTo( 
@@ -582,7 +583,7 @@ func EmitPrivateRegistryUsed(writer DiagnosticsWriter, configs []string) { "Go extraction used private package registries", fmt.Sprintf( "Go was extracted using the following private package registr%s:\n\n%s\n", - plural(len(lines), "y", "ies"), + plural(n, "y", "ies"), strings.Join(lines, "\n")), severityNote, fullVisibility, diff --git a/go/extractor/registries/registryproxy.go b/go/extractor/registries/registryproxy.go index 1bb5995e27a..39578af476b 100644 --- a/go/extractor/registries/registryproxy.go +++ b/go/extractor/registries/registryproxy.go @@ -112,7 +112,7 @@ func getEnvVars() []string { if err != nil { slog.Error("Unable to parse proxy configurations", slog.String("error", err.Error())) } else { - activeConfigs := []RegistryConfig{} + activeConfigs := make([]RegistryConfig, 0, len(val)) // We only care about private registry configurations that are relevant to Go and // filter others out at this point. From 1791c1f1f985ab0f4043c09d34e28c3dbb322521 Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Tue, 3 Feb 2026 11:45:38 +0100 Subject: [PATCH 23/25] Rust: Add test with path resolution inconsistency --- .../PathResolutionConsistency.expected | 2 + .../library-tests/path-resolution/main.rs | 8 + .../path-resolution/path-resolution.expected | 172 +++++++++--------- 3 files changed, 100 insertions(+), 82 deletions(-) diff --git a/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected index 23ac5e722d5..e98f8d29fed 100644 --- a/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected +++ b/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected 
@@ -7,3 +7,5 @@ multipleResolvedTargets | main.rs:565:9:566:15 | ...::Assoc(...) | | main.rs:568:9:569:12 | ...::f1(...) | | main.rs:571:9:572:12 | ...::f1(...) | +multiplePathResolutions +| main.rs:1075:13:1074:16 | Self | diff --git a/rust/ql/test/library-tests/path-resolution/main.rs b/rust/ql/test/library-tests/path-resolution/main.rs index 4a3e4c82c20..8699d9b9a36 100644 --- a/rust/ql/test/library-tests/path-resolution/main.rs +++ b/rust/ql/test/library-tests/path-resolution/main.rs @@ -1068,6 +1068,14 @@ mod self_types { Cons(T, Box), // $ item=T item=Box item=NonEmptyListEnum } + #[rustfmt::skip] + impl NonEmptyListEnum { // $ item=NonEmptyListEnum item=i32 + fn new_single(value: i32) -> Self { // $ item=i32 item=NonEmptyListEnum + use NonEmptyListEnum::*; // $ item=NonEmptyListEnum + Self::Single(value) // $ item=Single + } + } + #[rustfmt::skip] union NonEmptyListUnion< 'a, diff --git a/rust/ql/test/library-tests/path-resolution/path-resolution.expected b/rust/ql/test/library-tests/path-resolution/path-resolution.expected index fbb81bbf2ca..a711e5cf6b5 100644 --- a/rust/ql/test/library-tests/path-resolution/path-resolution.expected +++ b/rust/ql/test/library-tests/path-resolution/path-resolution.expected @@ -35,7 +35,7 @@ mod | main.rs:949:1:968:1 | mod impl_with_attribute_macro | | main.rs:970:1:1011:1 | mod patterns | | main.rs:1013:1:1057:1 | mod self_constructors | -| main.rs:1059:1:1080:1 | mod self_types | +| main.rs:1059:1:1088:1 | mod self_types | | my2/mod.rs:1:1:1:16 | mod nested2 | | my2/mod.rs:20:1:20:12 | mod my3 | | my2/mod.rs:22:1:23:10 | mod mymod | 
@@ -76,7 +76,7 @@ resolvePath | main.rs:37:17:37:24 | ...::f | main.rs:26:9:28:9 | fn f | | main.rs:39:17:39:23 | println | {EXTERNAL LOCATION} | MacroRules | | main.rs:40:17:40:17 | f | main.rs:26:9:28:9 | fn f | -| main.rs:47:9:47:13 | super | main.rs:1:1:1119:2 | SourceFile | +| main.rs:47:9:47:13 | super | main.rs:1:1:1127:2 | SourceFile | | main.rs:47:9:47:17 | ...::m1 | main.rs:20:1:44:1 | mod m1 | | main.rs:47:9:47:21 | ...::m2 | main.rs:25:5:43:5 | mod m2 | | main.rs:47:9:47:24 | ...::g | main.rs:30:9:34:9 | fn g | @@ -91,7 +91,7 @@ resolvePath | main.rs:68:17:68:19 | Foo | main.rs:66:9:66:21 | struct Foo | | main.rs:71:13:71:15 | Foo | main.rs:60:5:60:17 | struct Foo | | main.rs:73:5:73:5 | f | main.rs:62:5:69:5 | fn f | -| main.rs:75:5:75:8 | self | main.rs:1:1:1119:2 | SourceFile | +| main.rs:75:5:75:8 | self | main.rs:1:1:1127:2 | SourceFile | | main.rs:75:5:75:11 | ...::i | main.rs:78:1:90:1 | fn i | | main.rs:79:5:79:11 | println | {EXTERNAL LOCATION} | MacroRules | | main.rs:81:13:81:15 | Foo | main.rs:55:1:55:13 | struct Foo | @@ -113,7 +113,7 @@ resolvePath | main.rs:112:9:112:15 | println | {EXTERNAL LOCATION} | MacroRules | | main.rs:118:9:118:15 | println | {EXTERNAL LOCATION} | MacroRules | | main.rs:122:9:122:15 | println | {EXTERNAL LOCATION} | MacroRules | -| main.rs:125:13:125:17 | super | main.rs:1:1:1119:2 | SourceFile | +| main.rs:125:13:125:17 | super | main.rs:1:1:1127:2 | SourceFile | | main.rs:125:13:125:21 | ...::m5 | main.rs:110:1:114:1 | mod m5 | | main.rs:126:9:126:9 | f | main.rs:111:5:113:5 | fn f | | main.rs:126:9:126:9 | f | main.rs:117:5:119:5 | fn f | 
@@ -541,83 +541,91 @@ resolvePath | main.rs:1068:14:1068:14 | T | main.rs:1066:27:1066:27 | T | | main.rs:1068:17:1068:25 | Box::<...> | {EXTERNAL LOCATION} | struct Box | | main.rs:1068:21:1068:24 | Self | main.rs:1066:5:1069:5 | enum NonEmptyListEnum | -| main.rs:1075:13:1075:16 | Copy | {EXTERNAL LOCATION} | trait Copy | -| main.rs:1077:17:1077:17 | T | main.rs:1074:9:1074:9 | T | -| main.rs:1078:16:1078:16 | T | main.rs:1074:9:1074:9 | T | -| main.rs:1078:23:1078:26 | Self | main.rs:1071:5:1079:5 | union NonEmptyListUnion | -| main.rs:1083:5:1083:6 | my | main.rs:1:1:1:7 | mod my | -| main.rs:1083:5:1083:14 | ...::nested | my.rs:1:1:1:15 | mod nested | -| main.rs:1083:5:1083:23 | ...::nested1 | my/nested.rs:1:1:17:1 | mod nested1 | -| main.rs:1083:5:1083:32 | ...::nested2 | my/nested.rs:2:5:11:5 | mod nested2 | -| main.rs:1083:5:1083:35 | ...::f | my/nested.rs:3:9:5:9 | fn f | -| main.rs:1084:5:1084:6 | my | main.rs:1:1:1:7 | mod my | -| main.rs:1084:5:1084:9 | ...::f | my.rs:5:1:7:1 | fn f | -| main.rs:1085:5:1085:11 | nested2 | my2/mod.rs:1:1:1:16 | mod nested2 | -| main.rs:1085:5:1085:20 | ...::nested3 | my2/nested2.rs:1:1:11:1 | mod nested3 | -| main.rs:1085:5:1085:29 | ...::nested4 | my2/nested2.rs:2:5:10:5 | mod nested4 | -| main.rs:1085:5:1085:32 | ...::f | my2/nested2.rs:3:9:5:9 | fn f | -| main.rs:1086:5:1086:5 | f | my2/nested2.rs:3:9:5:9 | fn f | -| main.rs:1087:5:1087:5 | g | my2/nested2.rs:7:9:9:9 | fn g | -| main.rs:1088:5:1088:9 | crate | main.rs:0:0:0:0 | Crate(main@0.0.1) | -| main.rs:1088:5:1088:12 | ...::h | main.rs:57:1:76:1 | fn h | -| main.rs:1089:5:1089:6 | m1 | main.rs:20:1:44:1 | mod m1 | -| main.rs:1089:5:1089:10 | ...::m2 | main.rs:25:5:43:5 | mod m2 | -| main.rs:1089:5:1089:13 | ...::g | main.rs:30:9:34:9 | fn g | -| main.rs:1090:5:1090:6 | m1 | main.rs:20:1:44:1 | mod m1 | -| main.rs:1090:5:1090:10 | ...::m2 | main.rs:25:5:43:5 | mod m2 | -| main.rs:1090:5:1090:14 | ...::m3 | main.rs:36:9:42:9 | mod m3 | -| main.rs:1090:5:1090:17 | 
...::h | main.rs:37:27:41:13 | fn h | -| main.rs:1091:5:1091:6 | m4 | main.rs:46:1:53:1 | mod m4 | -| main.rs:1091:5:1091:9 | ...::i | main.rs:49:5:52:5 | fn i | -| main.rs:1092:5:1092:5 | h | main.rs:57:1:76:1 | fn h | -| main.rs:1093:5:1093:11 | f_alias | my2/nested2.rs:3:9:5:9 | fn f | -| main.rs:1094:5:1094:11 | g_alias | my2/nested2.rs:7:9:9:9 | fn g | -| main.rs:1095:5:1095:5 | j | main.rs:104:1:108:1 | fn j | -| main.rs:1096:5:1096:6 | m6 | main.rs:116:1:128:1 | mod m6 | -| main.rs:1096:5:1096:9 | ...::g | main.rs:121:5:127:5 | fn g | -| main.rs:1097:5:1097:6 | m7 | main.rs:130:1:149:1 | mod m7 | -| main.rs:1097:5:1097:9 | ...::f | main.rs:141:5:148:5 | fn f | -| main.rs:1098:5:1098:6 | m8 | main.rs:151:1:205:1 | mod m8 | -| main.rs:1098:5:1098:9 | ...::g | main.rs:189:5:204:5 | fn g | -| main.rs:1099:5:1099:6 | m9 | main.rs:207:1:215:1 | mod m9 | -| main.rs:1099:5:1099:9 | ...::f | main.rs:210:5:214:5 | fn f | -| main.rs:1100:5:1100:7 | m11 | main.rs:238:1:275:1 | mod m11 | -| main.rs:1100:5:1100:10 | ...::f | main.rs:243:5:246:5 | fn f | -| main.rs:1101:5:1101:7 | m15 | main.rs:306:1:375:1 | mod m15 | -| main.rs:1101:5:1101:10 | ...::f | main.rs:362:5:374:5 | fn f | -| main.rs:1102:5:1102:7 | m16 | main.rs:377:1:574:1 | mod m16 | -| main.rs:1102:5:1102:10 | ...::f | main.rs:446:5:470:5 | fn f | -| main.rs:1103:5:1103:20 | trait_visibility | main.rs:576:1:633:1 | mod trait_visibility | -| main.rs:1103:5:1103:23 | ...::f | main.rs:603:5:632:5 | fn f | -| main.rs:1104:5:1104:7 | m17 | main.rs:635:1:665:1 | mod m17 | -| main.rs:1104:5:1104:10 | ...::f | main.rs:659:5:664:5 | fn f | -| main.rs:1105:5:1105:11 | nested6 | my2/nested2.rs:14:5:18:5 | mod nested6 | -| main.rs:1105:5:1105:14 | ...::f | my2/nested2.rs:15:9:17:9 | fn f | -| main.rs:1106:5:1106:11 | nested8 | my2/nested2.rs:22:5:26:5 | mod nested8 | -| main.rs:1106:5:1106:14 | ...::f | my2/nested2.rs:23:9:25:9 | fn f | -| main.rs:1107:5:1107:7 | my3 | my2/mod.rs:20:1:20:12 | mod my3 | -| 
main.rs:1107:5:1107:10 | ...::f | my2/my3/mod.rs:1:1:5:1 | fn f | -| main.rs:1108:5:1108:12 | nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f | -| main.rs:1109:5:1109:12 | my_alias | main.rs:1:1:1:7 | mod my | -| main.rs:1109:5:1109:22 | ...::nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f | -| main.rs:1110:5:1110:7 | m18 | main.rs:667:1:685:1 | mod m18 | -| main.rs:1110:5:1110:12 | ...::m19 | main.rs:672:5:684:5 | mod m19 | -| main.rs:1110:5:1110:17 | ...::m20 | main.rs:677:9:683:9 | mod m20 | -| main.rs:1110:5:1110:20 | ...::g | main.rs:678:13:682:13 | fn g | -| main.rs:1111:5:1111:7 | m23 | main.rs:714:1:739:1 | mod m23 | -| main.rs:1111:5:1111:10 | ...::f | main.rs:734:5:738:5 | fn f | -| main.rs:1112:5:1112:7 | m24 | main.rs:741:1:809:1 | mod m24 | -| main.rs:1112:5:1112:10 | ...::f | main.rs:795:5:808:5 | fn f | -| main.rs:1113:5:1113:8 | zelf | main.rs:0:0:0:0 | Crate(main@0.0.1) | -| main.rs:1113:5:1113:11 | ...::h | main.rs:57:1:76:1 | fn h | -| main.rs:1114:5:1114:13 | z_changed | main.rs:814:1:814:9 | fn z_changed | -| main.rs:1115:5:1115:11 | AStruct | main.rs:816:1:816:17 | struct AStruct | -| main.rs:1115:5:1115:22 | ...::z_on_type | main.rs:820:5:820:17 | fn z_on_type | -| main.rs:1116:5:1116:11 | AStruct | main.rs:816:1:816:17 | struct AStruct | -| main.rs:1117:5:1117:29 | impl_with_attribute_macro | main.rs:949:1:968:1 | mod impl_with_attribute_macro | -| main.rs:1117:5:1117:35 | ...::test | main.rs:964:5:967:5 | fn test | -| main.rs:1118:5:1118:12 | patterns | main.rs:970:1:1011:1 | mod patterns | -| main.rs:1118:5:1118:18 | ...::test | main.rs:971:5:985:5 | fn test | +| main.rs:1072:10:1072:30 | NonEmptyListEnum::<...> | main.rs:1066:5:1069:5 | enum NonEmptyListEnum | +| main.rs:1072:27:1072:29 | i32 | {EXTERNAL LOCATION} | struct i32 | +| main.rs:1073:30:1073:32 | i32 | {EXTERNAL LOCATION} | struct i32 | +| main.rs:1073:38:1073:41 | Self | main.rs:1066:5:1069:5 | enum NonEmptyListEnum | +| main.rs:1074:17:1074:32 | NonEmptyListEnum | 
main.rs:1066:5:1069:5 | enum NonEmptyListEnum | +| main.rs:1075:13:1075:16 | Self | main.rs:1066:5:1069:5 | enum NonEmptyListEnum | +| main.rs:1075:13:1075:16 | Self | main.rs:1071:5:1077:5 | impl NonEmptyListEnum::<...> { ... } | +| main.rs:1075:13:1075:24 | ...::Single | main.rs:1067:9:1067:17 | Single | +| main.rs:1083:13:1083:16 | Copy | {EXTERNAL LOCATION} | trait Copy | +| main.rs:1085:17:1085:17 | T | main.rs:1082:9:1082:9 | T | +| main.rs:1086:16:1086:16 | T | main.rs:1082:9:1082:9 | T | +| main.rs:1086:23:1086:26 | Self | main.rs:1079:5:1087:5 | union NonEmptyListUnion | +| main.rs:1091:5:1091:6 | my | main.rs:1:1:1:7 | mod my | +| main.rs:1091:5:1091:14 | ...::nested | my.rs:1:1:1:15 | mod nested | +| main.rs:1091:5:1091:23 | ...::nested1 | my/nested.rs:1:1:17:1 | mod nested1 | +| main.rs:1091:5:1091:32 | ...::nested2 | my/nested.rs:2:5:11:5 | mod nested2 | +| main.rs:1091:5:1091:35 | ...::f | my/nested.rs:3:9:5:9 | fn f | +| main.rs:1092:5:1092:6 | my | main.rs:1:1:1:7 | mod my | +| main.rs:1092:5:1092:9 | ...::f | my.rs:5:1:7:1 | fn f | +| main.rs:1093:5:1093:11 | nested2 | my2/mod.rs:1:1:1:16 | mod nested2 | +| main.rs:1093:5:1093:20 | ...::nested3 | my2/nested2.rs:1:1:11:1 | mod nested3 | +| main.rs:1093:5:1093:29 | ...::nested4 | my2/nested2.rs:2:5:10:5 | mod nested4 | +| main.rs:1093:5:1093:32 | ...::f | my2/nested2.rs:3:9:5:9 | fn f | +| main.rs:1094:5:1094:5 | f | my2/nested2.rs:3:9:5:9 | fn f | +| main.rs:1095:5:1095:5 | g | my2/nested2.rs:7:9:9:9 | fn g | +| main.rs:1096:5:1096:9 | crate | main.rs:0:0:0:0 | Crate(main@0.0.1) | +| main.rs:1096:5:1096:12 | ...::h | main.rs:57:1:76:1 | fn h | +| main.rs:1097:5:1097:6 | m1 | main.rs:20:1:44:1 | mod m1 | +| main.rs:1097:5:1097:10 | ...::m2 | main.rs:25:5:43:5 | mod m2 | +| main.rs:1097:5:1097:13 | ...::g | main.rs:30:9:34:9 | fn g | +| main.rs:1098:5:1098:6 | m1 | main.rs:20:1:44:1 | mod m1 | +| main.rs:1098:5:1098:10 | ...::m2 | main.rs:25:5:43:5 | mod m2 | +| main.rs:1098:5:1098:14 | ...::m3 | 
main.rs:36:9:42:9 | mod m3 | +| main.rs:1098:5:1098:17 | ...::h | main.rs:37:27:41:13 | fn h | +| main.rs:1099:5:1099:6 | m4 | main.rs:46:1:53:1 | mod m4 | +| main.rs:1099:5:1099:9 | ...::i | main.rs:49:5:52:5 | fn i | +| main.rs:1100:5:1100:5 | h | main.rs:57:1:76:1 | fn h | +| main.rs:1101:5:1101:11 | f_alias | my2/nested2.rs:3:9:5:9 | fn f | +| main.rs:1102:5:1102:11 | g_alias | my2/nested2.rs:7:9:9:9 | fn g | +| main.rs:1103:5:1103:5 | j | main.rs:104:1:108:1 | fn j | +| main.rs:1104:5:1104:6 | m6 | main.rs:116:1:128:1 | mod m6 | +| main.rs:1104:5:1104:9 | ...::g | main.rs:121:5:127:5 | fn g | +| main.rs:1105:5:1105:6 | m7 | main.rs:130:1:149:1 | mod m7 | +| main.rs:1105:5:1105:9 | ...::f | main.rs:141:5:148:5 | fn f | +| main.rs:1106:5:1106:6 | m8 | main.rs:151:1:205:1 | mod m8 | +| main.rs:1106:5:1106:9 | ...::g | main.rs:189:5:204:5 | fn g | +| main.rs:1107:5:1107:6 | m9 | main.rs:207:1:215:1 | mod m9 | +| main.rs:1107:5:1107:9 | ...::f | main.rs:210:5:214:5 | fn f | +| main.rs:1108:5:1108:7 | m11 | main.rs:238:1:275:1 | mod m11 | +| main.rs:1108:5:1108:10 | ...::f | main.rs:243:5:246:5 | fn f | +| main.rs:1109:5:1109:7 | m15 | main.rs:306:1:375:1 | mod m15 | +| main.rs:1109:5:1109:10 | ...::f | main.rs:362:5:374:5 | fn f | +| main.rs:1110:5:1110:7 | m16 | main.rs:377:1:574:1 | mod m16 | +| main.rs:1110:5:1110:10 | ...::f | main.rs:446:5:470:5 | fn f | +| main.rs:1111:5:1111:20 | trait_visibility | main.rs:576:1:633:1 | mod trait_visibility | +| main.rs:1111:5:1111:23 | ...::f | main.rs:603:5:632:5 | fn f | +| main.rs:1112:5:1112:7 | m17 | main.rs:635:1:665:1 | mod m17 | +| main.rs:1112:5:1112:10 | ...::f | main.rs:659:5:664:5 | fn f | +| main.rs:1113:5:1113:11 | nested6 | my2/nested2.rs:14:5:18:5 | mod nested6 | +| main.rs:1113:5:1113:14 | ...::f | my2/nested2.rs:15:9:17:9 | fn f | +| main.rs:1114:5:1114:11 | nested8 | my2/nested2.rs:22:5:26:5 | mod nested8 | +| main.rs:1114:5:1114:14 | ...::f | my2/nested2.rs:23:9:25:9 | fn f | +| main.rs:1115:5:1115:7 | 
my3 | my2/mod.rs:20:1:20:12 | mod my3 | +| main.rs:1115:5:1115:10 | ...::f | my2/my3/mod.rs:1:1:5:1 | fn f | +| main.rs:1116:5:1116:12 | nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f | +| main.rs:1117:5:1117:12 | my_alias | main.rs:1:1:1:7 | mod my | +| main.rs:1117:5:1117:22 | ...::nested_f | my/my4/my5/mod.rs:1:1:3:1 | fn f | +| main.rs:1118:5:1118:7 | m18 | main.rs:667:1:685:1 | mod m18 | +| main.rs:1118:5:1118:12 | ...::m19 | main.rs:672:5:684:5 | mod m19 | +| main.rs:1118:5:1118:17 | ...::m20 | main.rs:677:9:683:9 | mod m20 | +| main.rs:1118:5:1118:20 | ...::g | main.rs:678:13:682:13 | fn g | +| main.rs:1119:5:1119:7 | m23 | main.rs:714:1:739:1 | mod m23 | +| main.rs:1119:5:1119:10 | ...::f | main.rs:734:5:738:5 | fn f | +| main.rs:1120:5:1120:7 | m24 | main.rs:741:1:809:1 | mod m24 | +| main.rs:1120:5:1120:10 | ...::f | main.rs:795:5:808:5 | fn f | +| main.rs:1121:5:1121:8 | zelf | main.rs:0:0:0:0 | Crate(main@0.0.1) | +| main.rs:1121:5:1121:11 | ...::h | main.rs:57:1:76:1 | fn h | +| main.rs:1122:5:1122:13 | z_changed | main.rs:814:1:814:9 | fn z_changed | +| main.rs:1123:5:1123:11 | AStruct | main.rs:816:1:816:17 | struct AStruct | +| main.rs:1123:5:1123:22 | ...::z_on_type | main.rs:820:5:820:17 | fn z_on_type | +| main.rs:1124:5:1124:11 | AStruct | main.rs:816:1:816:17 | struct AStruct | +| main.rs:1125:5:1125:29 | impl_with_attribute_macro | main.rs:949:1:968:1 | mod impl_with_attribute_macro | +| main.rs:1125:5:1125:35 | ...::test | main.rs:964:5:967:5 | fn test | +| main.rs:1126:5:1126:12 | patterns | main.rs:970:1:1011:1 | mod patterns | +| main.rs:1126:5:1126:18 | ...::test | main.rs:971:5:985:5 | fn test | | my2/mod.rs:4:5:4:11 | println | {EXTERNAL LOCATION} | MacroRules | | my2/mod.rs:5:5:5:11 | nested2 | my2/mod.rs:1:1:1:16 | mod nested2 | | my2/mod.rs:5:5:5:20 | ...::nested3 | my2/nested2.rs:1:1:11:1 | mod nested3 | 
@@ -643,7 +651,7 @@ resolvePath | my2/my3/mod.rs:3:5:3:5 | g | my2/mod.rs:3:1:6:1 | fn g | | my2/my3/mod.rs:4:5:4:5 | h | main.rs:57:1:76:1 | fn h | | my2/my3/mod.rs:7:5:7:9 | super | my2/mod.rs:1:1:25:34 | SourceFile | -| my2/my3/mod.rs:7:5:7:16 | ...::super | main.rs:1:1:1119:2 | SourceFile | +| my2/my3/mod.rs:7:5:7:16 | ...::super | main.rs:1:1:1127:2 | SourceFile | | my2/my3/mod.rs:7:5:7:19 | ...::h | main.rs:57:1:76:1 | fn h | | my2/my3/mod.rs:8:5:8:9 | super | my2/mod.rs:1:1:25:34 | SourceFile | | my2/my3/mod.rs:8:5:8:12 | ...::g | my2/mod.rs:3:1:6:1 | fn g | From d72d8b63ed64adb20b3923f7c3271b54f892b58a Mon Sep 17 00:00:00 2001 From: Simon Friis Vindum Date: Tue, 3 Feb 2026 11:54:28 +0100 Subject: [PATCH 24/25] Rust: Fix inconsistency by skipping `Self` in use globs --- rust/ql/lib/codeql/rust/internal/PathResolution.qll | 2 +- .../CONSISTENCY/PathResolutionConsistency.expected | 2 -- .../test/library-tests/path-resolution/path-resolution.expected | 1 - 3 files changed, 1 insertion(+), 4 deletions(-) diff --git a/rust/ql/lib/codeql/rust/internal/PathResolution.qll b/rust/ql/lib/codeql/rust/internal/PathResolution.qll index bfc2c4a0cc0..f57d9eed556 100644 --- a/rust/ql/lib/codeql/rust/internal/PathResolution.qll +++ b/rust/ql/lib/codeql/rust/internal/PathResolution.qll @@ -2135,7 +2135,7 @@ private predicate useImportEdge(Use use, string name, ItemNode item, SuccessorKi checkQualifiedVisibility(use, item, kind1, useOpt) and // glob imports can be shadowed not declares(encl, ns, name) and - not name = ["super", "self"] + not name = ["super", "self", "Self"] ) else ( item = used and diff --git a/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected index e98f8d29fed..23ac5e722d5 100644 --- a/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected 
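Review bot: The exclusion in `useImportEdge` now reads `not name = ["super", "self", "Self"]`, but the only comment nearby (`// glob imports can be shadowed`) explains the `declares` check above it, so the reason `Self` is skipped lives only in the commit message. A short comment on that line would keep a later edit from dropping the entry, for example `// path keywords are not items, so a glob import never brings them into scope`. The predicate starts before and continues after this hunk, so the wording should be checked against the rest of the branch.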
+++ b/rust/ql/test/library-tests/path-resolution/CONSISTENCY/PathResolutionConsistency.expected @@ -7,5 +7,3 @@ multipleResolvedTargets | main.rs:565:9:566:15 | ...::Assoc(...) | | main.rs:568:9:569:12 | ...::f1(...) | | main.rs:571:9:572:12 | ...::f1(...) | -multiplePathResolutions -| main.rs:1075:13:1074:16 | Self | diff --git a/rust/ql/test/library-tests/path-resolution/path-resolution.expected b/rust/ql/test/library-tests/path-resolution/path-resolution.expected index a711e5cf6b5..20982806999 100644 --- a/rust/ql/test/library-tests/path-resolution/path-resolution.expected +++ b/rust/ql/test/library-tests/path-resolution/path-resolution.expected @@ -546,7 +546,6 @@ resolvePath | main.rs:1073:30:1073:32 | i32 | {EXTERNAL LOCATION} | struct i32 | | main.rs:1073:38:1073:41 | Self | main.rs:1066:5:1069:5 | enum NonEmptyListEnum | | main.rs:1074:17:1074:32 | NonEmptyListEnum | main.rs:1066:5:1069:5 | enum NonEmptyListEnum | -| main.rs:1075:13:1075:16 | Self | main.rs:1066:5:1069:5 | enum NonEmptyListEnum | | main.rs:1075:13:1075:16 | Self | main.rs:1071:5:1077:5 | impl NonEmptyListEnum::<...> { ... } | | main.rs:1075:13:1075:24 | ...::Single | main.rs:1067:9:1067:17 | Single | | main.rs:1083:13:1083:16 | Copy | {EXTERNAL LOCATION} | trait Copy | From 3f08ff88a47386de983eb5e165c7b537efc5b00b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 4 Feb 2026 10:52:44 +0000 Subject: [PATCH 25/25] Pretty print models in test Otherwise the tests breaks when unrelated changes are made because the model numbers change --- .../CWE-1427-PromptInjection/PromptInjection.expected | 7 +++++-- .../CWE-1427-PromptInjection/PromptInjection.qlref | 4 +++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected b/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected index d60b63c701e..1a899e7c82f 100644 
--- a/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected +++ b/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.expected @@ -20,7 +20,7 @@ edges | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | agent_instructions.py:2:26:2:32 | ControlFlowNode for request | provenance | | | agent_instructions.py:2:26:2:32 | ControlFlowNode for request | agent_instructions.py:7:13:7:19 | ControlFlowNode for request | provenance | | | agent_instructions.py:2:26:2:32 | ControlFlowNode for request | agent_instructions.py:17:13:17:19 | ControlFlowNode for request | provenance | | -| agent_instructions.py:7:5:7:9 | ControlFlowNode for input | agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:94 | +| agent_instructions.py:7:5:7:9 | ControlFlowNode for input | agent_instructions.py:9:50:9:89 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:2 | | agent_instructions.py:7:13:7:19 | ControlFlowNode for request | agent_instructions.py:7:13:7:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | | agent_instructions.py:7:13:7:24 | ControlFlowNode for Attribute | agent_instructions.py:7:13:7:37 | ControlFlowNode for Attribute() | provenance | dict.get | | agent_instructions.py:7:13:7:37 | ControlFlowNode for Attribute() | agent_instructions.py:7:5:7:9 | ControlFlowNode for input | provenance | | 
@@ -38,7 +38,7 @@ edges | openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:41:22:41:46 | ControlFlowNode for BinaryExpr | provenance | | | openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:63:28:63:51 | ControlFlowNode for BinaryExpr | provenance | | | openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:80:28:80:51 | ControlFlowNode for BinaryExpr | provenance | | -| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:92:22:92:46 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:58614 | +| openai_test.py:12:5:12:11 | ControlFlowNode for persona | openai_test.py:92:22:92:46 | ControlFlowNode for BinaryExpr | provenance | Sink:MaD:1 | | openai_test.py:12:15:12:21 | ControlFlowNode for request | openai_test.py:12:15:12:26 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | | openai_test.py:12:15:12:21 | ControlFlowNode for request | openai_test.py:13:13:13:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | | openai_test.py:12:15:12:26 | ControlFlowNode for Attribute | openai_test.py:12:15:12:41 | ControlFlowNode for Attribute() | provenance | dict.get | 
@@ -53,6 +53,9 @@ edges | openai_test.py:13:13:13:19 | ControlFlowNode for request | openai_test.py:13:13:13:24 | ControlFlowNode for Attribute | provenance | AdditionalTaintStep | | openai_test.py:13:13:13:24 | ControlFlowNode for Attribute | openai_test.py:13:13:13:37 | ControlFlowNode for Attribute() | provenance | dict.get | | openai_test.py:13:13:13:37 | ControlFlowNode for Attribute() | openai_test.py:13:5:13:9 | ControlFlowNode for query | provenance | | +models +| 1 | Sink: OpenAI; Member[beta].Member[assistants].Member[create].Argument[instructions:]; prompt-injection | +| 2 | Sink: agents; Member[Agent].Argument[instructions:]; prompt-injection | nodes | agent_instructions.py:2:26:2:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember | | agent_instructions.py:2:26:2:32 | ControlFlowNode for request | semmle.label | ControlFlowNode for request | diff --git a/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.qlref b/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.qlref index 08466562ffe..bd9514c306b 100644 --- a/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.qlref +++ b/python/ql/test/experimental/query-tests/Security/CWE-1427-PromptInjection/PromptInjection.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE-1427/PromptInjection.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql \ No newline at end of file +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql