mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
Release preparation for version 2.13.4
This commit is contained in:
github-actions[bot]
@@ -1,3 +1,11 @@
|
||||
## 0.7.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
|
||||
* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Deleted the deprecated `CodeDuplication.qll` file.
|
||||
|
||||
## 0.7.2
|
||||
|
||||
### New Features
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 0.7.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted the deprecated `hasCopyConstructor` predicate from the `Class` class in `Class.qll`.
|
||||
* Deleted many deprecated predicates and classes with uppercase `AST`, `SSA`, `CFG`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Deleted the deprecated `CodeDuplication.qll` file.
|
||||
* Deleted the deprecated `CodeDuplication.qll` file.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.7.2
|
||||
lastReleaseVersion: 0.7.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 0.7.3-dev
|
||||
version: 0.7.3
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -1,3 +1,9 @@
|
||||
## 0.6.3
|
||||
|
||||
### New Queries
|
||||
|
||||
* Added a new query, `cpp/overrun-write`, to detect buffer overflows in C-style functions that manipulate buffers.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
## 0.6.3
|
||||
|
||||
### New Queries
|
||||
|
||||
* Added a new query, `cpp/overrun-write`, to detect buffer overflows in C-style functions that manipulate buffers.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.2
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 0.6.3-dev
|
||||
version: 0.6.3
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.5.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.5.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.5.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.5.2
|
||||
lastReleaseVersion: 1.5.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.5.3-dev
|
||||
version: 1.5.3
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 1.5.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.5.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
## 1.5.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.5.2
|
||||
lastReleaseVersion: 1.5.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.5.3-dev
|
||||
version: 1.5.3
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,3 +1,24 @@
|
||||
## 0.6.3
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.
|
||||
* Deleted the deprecated `WebConfigXML`, `ConfigurationXMLElement`, `LocationXMLElement`, `SystemWebXMLElement`, `SystemWebServerXMLElement`, `CustomErrorsXMLElement`, and `HttpRuntimeXMLElement` classes from `WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
|
||||
* Deleted the deprecated `Record` class from both `Types.qll` and `Type.qll`.
|
||||
* Deleted the deprecated `StructuralComparisonConfiguration` class from `StructuralComparison.qll`, use `sameGvn` instead.
|
||||
* Deleted the deprecated `isParameterOf` predicate from the `ParameterNode` class.
|
||||
* Deleted the deprecated `SafeExternalAPICallable`, `ExternalAPIDataNode`, `UntrustedDataToExternalAPIConfig`, `UntrustedExternalAPIDataNode`, and `ExternalAPIUsedWithUntrustedData` classes from `ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
|
||||
* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
|
||||
* `code` to `code-injection`
|
||||
* `sql` to `sql-injection`
|
||||
* `html` to `html-injection`
|
||||
* `xss` to `js-injection`
|
||||
* `remote` to `file-content-store`
|
||||
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
|
||||
* `code` to `code-injection`
|
||||
* `sql` to `sql-injection`
|
||||
* `html` to `html-injection`
|
||||
* `xss` to `js-injection`
|
||||
* `remote` to `file-content-store`
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.
|
||||
@@ -1,8 +1,20 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 0.6.3
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, `.cshtml` files and their generated `.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* C#: Analysis of the `dotnet test` command supplied with a `dll` or `exe` file as argument no longer fails due to the addition of an erroneous `-p:SharedCompilation=false` argument.
|
||||
* Deleted the deprecated `WebConfigXML`, `ConfigurationXMLElement`, `LocationXMLElement`, `SystemWebXMLElement`, `SystemWebServerXMLElement`, `CustomErrorsXMLElement`, and `HttpRuntimeXMLElement` classes from `WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
|
||||
* Deleted the deprecated `Record` class from both `Types.qll` and `Type.qll`.
|
||||
* Deleted the deprecated `StructuralComparisonConfiguration` class from `StructuralComparison.qll`, use `sameGvn` instead.
|
||||
* Deleted the deprecated `isParameterOf` predicate from the `ParameterNode` class.
|
||||
* Deleted the deprecated `SafeExternalAPICallable`, `ExternalAPIDataNode`, `UntrustedDataToExternalAPIConfig`, `UntrustedExternalAPIDataNode`, and `ExternalAPIUsedWithUntrustedData` classes from `ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
|
||||
* Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
|
||||
* `code` to `code-injection`
|
||||
* `sql` to `sql-injection`
|
||||
* `html` to `html-injection`
|
||||
* `xss` to `js-injection`
|
||||
* `remote` to `file-content-store`
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.2
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 0.6.3-dev
|
||||
version: 0.6.3
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.6.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
csharp/ql/src/change-notes/released/0.6.3.md
Normal file
3
csharp/ql/src/change-notes/released/0.6.3.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.6.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.2
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 0.6.3-dev
|
||||
version: 0.6.3
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.5.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.5.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
3
go/ql/lib/change-notes/released/0.5.3.md
Normal file
3
go/ql/lib/change-notes/released/0.5.3.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.5.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.5.2
|
||||
lastReleaseVersion: 0.5.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-all
|
||||
version: 0.5.3-dev
|
||||
version: 0.5.3
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.5.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.5.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
go/ql/src/change-notes/released/0.5.3.md
Normal file
3
go/ql/src/change-notes/released/0.5.3.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.5.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.5.2
|
||||
lastReleaseVersion: 0.5.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-queries
|
||||
version: 0.5.3-dev
|
||||
version: 0.5.3
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,61 @@
|
||||
## 0.6.3
|
||||
|
||||
### New Features
|
||||
|
||||
* Kotlin versions up to 1.9.0 are now supported.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added flow through the block arguments of `kotlin.io.use` and `kotlin.with`.
|
||||
* Added models for the following packages:
|
||||
|
||||
* com.alibaba.druid.sql
|
||||
* com.fasterxml.jackson.databind
|
||||
* com.jcraft.jsch
|
||||
* io.netty.handler.ssl
|
||||
* okhttp3
|
||||
* org.antlr.runtime
|
||||
* org.fusesource.leveldbjni
|
||||
* org.influxdb
|
||||
* org.springframework.core.io
|
||||
* org.yaml.snakeyaml
|
||||
* Deleted the deprecated `getRHS` predicate from the `LValue` class, use `getRhs` instead.
|
||||
* Deleted the deprecated `getCFGNode` predicate from the `SsaVariable` class, use `getCfgNode` instead.
|
||||
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Added models for the following packages:
|
||||
|
||||
* java.lang
|
||||
* java.nio.file
|
||||
* Added dataflow models for the Gson deserialization library.
|
||||
* Added models for the following packages:
|
||||
|
||||
* okhttp3
|
||||
* Added more dataflow models for the Play Framework.
|
||||
Modified the models related to `java.nio.file.Files.copy` so that generic `[Input|Output]Stream` arguments are not considered file-related sinks.
|
||||
* Dataflow analysis has a new flow step through constructors of transitive subtypes of `java.io.InputStream` that wrap an underlying data source. Previously, the step only existed for direct subtypes of `java.io.InputStream`.
|
||||
* Path creation sinks modeled in `PathCreation.qll` have been added to the models-as-data sink kind `path-injection`.
|
||||
* Updated the regular expression in the `HostnameSanitizer` sanitizer in the `semmle.code.java.security.RequestForgery` library to better detect strings prefixed with a hostname.
|
||||
* Changed the `android-widget` Java source kind to `remote`. Any custom data extensions that use the `android-widget` source kind will need to be updated accordingly in order to continue working.
|
||||
* Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
|
||||
* `sql` to `sql-injection`
|
||||
* `url-redirect` to `url-redirection`
|
||||
* `xpath` to `xpath-injection`
|
||||
* `ssti` to `template-injection`
|
||||
* `logging` to `log-injection`
|
||||
* `groovy` to `groovy-injection`
|
||||
* `jexl` to `jexl-injection`
|
||||
* `mvel` to `mvel-injection`
|
||||
* `xslt` to `xslt-injection`
|
||||
* `ldap` to `ldap-injection`
|
||||
* `pending-intent-sent` to `pending-intents`
|
||||
* `intent-start` to `intent-redirection`
|
||||
* `set-hostname-verifier` to `hostname-verification`
|
||||
* `header-splitting` to `response-splitting`
|
||||
* `xss` to `html-injection` and `js-injection`
|
||||
* `write-file` to `file-system-store`
|
||||
* `create-file` and `read-file` to `path-injection`
|
||||
* `open-url` and `jdbc-url` to `request-forgery`
|
||||
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,22 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
|
||||
* `sql` to `sql-injection`
|
||||
* `url-redirect` to `url-redirection`
|
||||
* `xpath` to `xpath-injection`
|
||||
* `ssti` to `template-injection`
|
||||
* `logging` to `log-injection`
|
||||
* `groovy` to `groovy-injection`
|
||||
* `jexl` to `jexl-injection`
|
||||
* `mvel` to `mvel-injection`
|
||||
* `xslt` to `xslt-injection`
|
||||
* `ldap` to `ldap-injection`
|
||||
* `pending-intent-sent` to `pending-intents`
|
||||
* `intent-start` to `intent-redirection`
|
||||
* `set-hostname-verifier` to `hostname-verification`
|
||||
* `header-splitting` to `response-splitting`
|
||||
* `xss` to `html-injection` and `js-injection`
|
||||
* `write-file` to `file-system-store`
|
||||
* `create-file` and `read-file` to `path-injection`
|
||||
* `open-url` and `jdbc-url` to `request-forgery`
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Changed the `android-widget` Java source kind to `remote`. Any custom data extensions that use the `android-widget` source kind will need to be updated accordingly in order to continue working.
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Updated the regular expression in the `HostnameSanitizer` sanitizer in the `semmle.code.java.security.RequestForgery` library to better detect strings prefixed with a hostname.
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Path creation sinks modeled in `PathCreation.qll` have been added to the models-as-data sink kind `path-injection`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Dataflow analysis has a new flow step through constructors of transitive subtypes of `java.io.InputStream` that wrap an underlying data source. Previously, the step only existed for direct subtypes of `java.io.InputStream`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
Modified the models related to `java.nio.file.Files.copy` so that generic `[Input|Output]Stream` arguments are not considered file-related sinks.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Kotlin versions up to 1.9.0 are now supported.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added more dataflow models for the Play Framework.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added dataflow models for the Gson deserialization library.
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the following packages:
|
||||
|
||||
* okhttp3
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the following packages:
|
||||
|
||||
* java.lang
|
||||
* java.nio.file
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `getRHS` predicate from the `LValue` class, use `getRhs` instead.
|
||||
* Deleted the deprecated `getCFGNode` predicate from the `SsaVariable` class, use `getCfgNode` instead.
|
||||
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added flow through the block arguments of `kotlin.io.use` and `kotlin.with`.
|
||||
@@ -1,15 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the following packages:
|
||||
|
||||
* com.alibaba.druid.sql
|
||||
* com.fasterxml.jackson.databind
|
||||
* com.jcraft.jsch
|
||||
* io.netty.handler.ssl
|
||||
* okhttp3
|
||||
* org.antlr.runtime
|
||||
* org.fusesource.leveldbjni
|
||||
* org.influxdb
|
||||
* org.springframework.core.io
|
||||
* org.yaml.snakeyaml
|
||||
57
java/ql/lib/change-notes/released/0.6.3.md
Normal file
57
java/ql/lib/change-notes/released/0.6.3.md
Normal file
@@ -0,0 +1,57 @@
|
||||
## 0.6.3
|
||||
|
||||
### New Features
|
||||
|
||||
* Kotlin versions up to 1.9.0 are now supported.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added flow through the block arguments of `kotlin.io.use` and `kotlin.with`.
|
||||
* Added models for the following packages:
|
||||
|
||||
* com.alibaba.druid.sql
|
||||
* com.fasterxml.jackson.databind
|
||||
* com.jcraft.jsch
|
||||
* io.netty.handler.ssl
|
||||
* okhttp3
|
||||
* org.antlr.runtime
|
||||
* org.fusesource.leveldbjni
|
||||
* org.influxdb
|
||||
* org.springframework.core.io
|
||||
* org.yaml.snakeyaml
|
||||
* Deleted the deprecated `getRHS` predicate from the `LValue` class, use `getRhs` instead.
|
||||
* Deleted the deprecated `getCFGNode` predicate from the `SsaVariable` class, use `getCfgNode` instead.
|
||||
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Added models for the following packages:
|
||||
|
||||
* java.lang
|
||||
* java.nio.file
|
||||
* Added dataflow models for the Gson deserialization library.
|
||||
* Added models for the following packages:
|
||||
|
||||
* okhttp3
|
||||
* Added more dataflow models for the Play Framework.
|
||||
Modified the models related to `java.nio.file.Files.copy` so that generic `[Input|Output]Stream` arguments are not considered file-related sinks.
|
||||
* Dataflow analysis has a new flow step through constructors of transitive subtypes of `java.io.InputStream` that wrap an underlying data source. Previously, the step only existed for direct subtypes of `java.io.InputStream`.
|
||||
* Path creation sinks modeled in `PathCreation.qll` have been added to the models-as-data sink kind `path-injection`.
|
||||
* Updated the regular expression in the `HostnameSanitizer` sanitizer in the `semmle.code.java.security.RequestForgery` library to better detect strings prefixed with a hostname.
|
||||
* Changed the `android-widget` Java source kind to `remote`. Any custom data extensions that use the `android-widget` source kind will need to be updated accordingly in order to continue working.
|
||||
* Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
|
||||
* `sql` to `sql-injection`
|
||||
* `url-redirect` to `url-redirection`
|
||||
* `xpath` to `xpath-injection`
|
||||
* `ssti` to `template-injection`
|
||||
* `logging` to `log-injection`
|
||||
* `groovy` to `groovy-injection`
|
||||
* `jexl` to `jexl-injection`
|
||||
* `mvel` to `mvel-injection`
|
||||
* `xslt` to `xslt-injection`
|
||||
* `ldap` to `ldap-injection`
|
||||
* `pending-intent-sent` to `pending-intents`
|
||||
* `intent-start` to `intent-redirection`
|
||||
* `set-hostname-verifier` to `hostname-verification`
|
||||
* `header-splitting` to `response-splitting`
|
||||
* `xss` to `html-injection` and `js-injection`
|
||||
* `write-file` to `file-system-store`
|
||||
* `create-file` and `read-file` to `path-injection`
|
||||
* `open-url` and `jdbc-url` to `request-forgery`
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.2
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-all
|
||||
version: 0.6.3-dev
|
||||
version: 0.6.3
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
||||
@@ -1,3 +1,9 @@
|
||||
## 0.6.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `java/summary/lines-of-code` query now only counts lines of Java code. The new `java/summary/lines-of-code-kotlin` counts lines of Kotlin code.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 0.6.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `java/summary/lines-of-code` query now only counts lines of Java code. The new `java/summary/lines-of-code-kotlin` counts lines of Kotlin code.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.2
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 0.6.3-dev
|
||||
version: 0.6.3
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,23 @@
|
||||
## 0.6.3
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Added support for TypeScript 5.1.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Deleted the deprecated `localTaintStep` predicate from `DataFlow.qll`.
|
||||
* Deleted the deprecated `stringStep`, and `localTaintStep` predicates from `TaintTracking.qll`.
|
||||
* Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
|
||||
* Deleted the deprecated `HtmlInjectionConfiguration` and `JQueryHtmlOrSelectorInjectionConfiguration` classes from `DomBasedXssQuery.qll`, use `Configuration` instead.
|
||||
* Deleted the deprecated `DefiningIdentifier` class and the `Definitions.qll` file it was in. Use `SsaDefinition` instead.
|
||||
* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`.
|
||||
* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
|
||||
* `command-line-injection` to `command-injection`
|
||||
* `credentials[kind]` to `credentials-kind`
|
||||
- Added a support of sub modules in `node_modules`.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: majorAnalysis
|
||||
---
|
||||
* Added support for TypeScript 5.1.
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
|
||||
- Added a support of sub modules in `node_modules`.
|
||||
@@ -1,6 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
|
||||
* `command-line-injection` to `command-injection`
|
||||
* `credentials[kind]` to `credentials-kind`
|
||||
@@ -1,10 +1,19 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 0.6.3
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
* Added support for TypeScript 5.1.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Deleted the deprecated `localTaintStep` predicate from `DataFlow.qll`.
|
||||
* Deleted the deprecated `stringStep`, and `localTaintStep` predicates from `TaintTracking.qll`.
|
||||
* Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
|
||||
* Deleted the deprecated `HtmlInjectionConfiguration` and `JQueryHtmlOrSelectorInjectionConfiguration` classes from `DomBasedXssQuery.qll`, use `Configuration` instead.
|
||||
* Deleted the deprecated `DefiningIdentifier` class and the `Definitions.qll` file it was in. Use `SsaDefinition` instead.
|
||||
* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`.
|
||||
* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`.
|
||||
* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
|
||||
* `command-line-injection` to `command-injection`
|
||||
* `credentials[kind]` to `credentials-kind`
|
||||
- Added a support of sub modules in `node_modules`.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.2
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-all
|
||||
version: 0.6.3-dev
|
||||
version: 0.6.3
|
||||
groups: javascript
|
||||
dbscheme: semmlecode.javascript.dbscheme
|
||||
extractor: javascript
|
||||
|
||||
@@ -1,3 +1,11 @@
|
||||
## 0.6.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed an issue where calls to a method named `search` would lead to false positive alerts related to regular expressions.
|
||||
This happened when the call was incorrectly seen as a call to `String.prototype.search`, since this function converts its first argument
|
||||
to a regular expression. The analysis is now more restrictive about when to treat `search` calls as regular expression sinks.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 0.6.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed an issue where calls to a method named `search` would lead to false positive alerts related to regular expressions.
|
||||
This happened when the call was incorrectly seen as a call to `String.prototype.search`, since this function converts its first argument
|
||||
to a regular expression. The analysis is now more restrictive about when to treat `search` calls as regular expression sinks.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.2
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-queries
|
||||
version: 0.6.3-dev
|
||||
version: 0.6.3
|
||||
groups:
|
||||
- javascript
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.5.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.5.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
misc/suite-helpers/change-notes/released/0.5.3.md
Normal file
3
misc/suite-helpers/change-notes/released/0.5.3.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.5.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.5.2
|
||||
lastReleaseVersion: 0.5.3
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
name: codeql/suite-helpers
|
||||
version: 0.5.3-dev
|
||||
version: 0.5.3
|
||||
groups: shared
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.9.3
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.9.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
3
python/ql/lib/change-notes/released/0.9.3.md
Normal file
3
python/ql/lib/change-notes/released/0.9.3.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.9.3
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.9.2
|
||||
lastReleaseVersion: 0.9.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/python-all
|
||||
version: 0.9.3-dev
|
||||
version: 0.9.3
|
||||
groups: python
|
||||
dbscheme: semmlecode.python.dbscheme
|
||||
extractor: python
|
||||
|
||||
@@ -1,3 +1,9 @@
|
||||
## 0.7.3
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The display name (`@name`) of the `py/unsafe-deserialization` query has been updated in favor of consistency with other languages.
|
||||
|
||||
## 0.7.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
---
|
||||
category: fix
|
||||
---
|
||||
* The display name (`@name`) of the `py/unsafe-deserialization` query has been updated in favor of consistency with other languages.
|
||||
## 0.7.3
|
||||
|
||||
### Bug Fixes
|
||||
|
||||
* The display name (`@name`) of the `py/unsafe-deserialization` query has been updated in favor of consistency with other languages.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.7.2
|
||||
lastReleaseVersion: 0.7.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/python-queries
|
||||
version: 0.7.3-dev
|
||||
version: 0.7.3
|
||||
groups:
|
||||
- python
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,15 @@
|
||||
## 0.6.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted many deprecated predicates and classes with uppercase `URL`, `XSS`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Deleted the deprecated `getValueText` predicate from the `Expr`, `StringComponent`, and `ExprCfgNode` classes. Use `getConstantValue` instead.
|
||||
* Deleted the deprecated `VariableReferencePattern` class, use `ReferencePattern` instead.
|
||||
* Deleted all deprecated aliases in `StandardLibrary.qll`, use `codeql.ruby.frameworks.Core` and `codeql.ruby.frameworks.Stdlib` instead.
|
||||
* Support for the `sequel` gem has been added. Method calls that execute queries against a database that may be vulnerable to injection attacks will now be recognized.
|
||||
* Support for the `mysql2` gem has been added. Method calls that execute queries against an MySQL database that may be vulnerable to injection attacks will now be recognized.
|
||||
* Support for the `pg` gem has been added. Method calls that execute queries against a PostgreSQL database that may be vulnerable to injection attacks will now be recognized.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Support for the `mysql2` gem has been added. Method calls that execute queries against an MySQL database that may be vulnerable to injection attacks will now be recognized.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Support for the `pg` gem has been added. Method calls that execute queries against a PostgreSQL database that may be vulnerable to injection attacks will now be recognized.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Support for the `sequel` gem has been added. Method calls that execute queries against a database that may be vulnerable to injection attacks will now be recognized.
|
||||
@@ -1,7 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted many deprecated predicates and classes with uppercase `URL`, `XSS`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Deleted the deprecated `getValueText` predicate from the `Expr`, `StringComponent`, and `ExprCfgNode` classes. Use `getConstantValue` instead.
|
||||
* Deleted the deprecated `VariableReferencePattern` class, use `ReferencePattern` instead.
|
||||
* Deleted all deprecated aliases in `StandardLibrary.qll`, use `codeql.ruby.frameworks.Core` and `codeql.ruby.frameworks.Stdlib` instead.
|
||||
11
ruby/ql/lib/change-notes/released/0.6.3.md
Normal file
11
ruby/ql/lib/change-notes/released/0.6.3.md
Normal file
@@ -0,0 +1,11 @@
|
||||
## 0.6.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted many deprecated predicates and classes with uppercase `URL`, `XSS`, etc. in their names. Use the PascalCased versions instead.
|
||||
* Deleted the deprecated `getValueText` predicate from the `Expr`, `StringComponent`, and `ExprCfgNode` classes. Use `getConstantValue` instead.
|
||||
* Deleted the deprecated `VariableReferencePattern` class, use `ReferencePattern` instead.
|
||||
* Deleted all deprecated aliases in `StandardLibrary.qll`, use `codeql.ruby.frameworks.Core` and `codeql.ruby.frameworks.Stdlib` instead.
|
||||
* Support for the `sequel` gem has been added. Method calls that execute queries against a database that may be vulnerable to injection attacks will now be recognized.
|
||||
* Support for the `mysql2` gem has been added. Method calls that execute queries against an MySQL database that may be vulnerable to injection attacks will now be recognized.
|
||||
* Support for the `pg` gem has been added. Method calls that execute queries against a PostgreSQL database that may be vulnerable to injection attacks will now be recognized.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.2
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/ruby-all
|
||||
version: 0.6.3-dev
|
||||
version: 0.6.3
|
||||
groups: ruby
|
||||
extractor: ruby
|
||||
dbscheme: ruby.dbscheme
|
||||
|
||||
@@ -1,3 +1,13 @@
|
||||
## 0.6.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed a bug that would occur when an `initialize` method returns `self` or one of its parameters.
|
||||
In such cases, the corresponding calls to `new` would be associated with an incorrect return type.
|
||||
This could result in inaccurate call target resolution and cause false positive alerts.
|
||||
* Fixed an issue where calls to `delete` or `assoc` with a constant-valued argument would be analyzed imprecisely,
|
||||
as if the argument value was not a known constant.
|
||||
|
||||
## 0.6.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Fixed an issue where calls to `delete` or `assoc` with a constant-valued argument would be analyzed imprecisely,
|
||||
as if the argument value was not a known constant.
|
||||
@@ -1,6 +1,9 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
## 0.6.3
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Fixed a bug that would occur when an `initialize` method returns `self` or one of its parameters.
|
||||
In such cases, the corresponding calls to `new` would be associated with an incorrect return type.
|
||||
This could result in inaccurate call target resolution and cause false positive alerts.
|
||||
* Fixed an issue where calls to `delete` or `assoc` with a constant-valued argument would be analyzed imprecisely,
|
||||
as if the argument value was not a known constant.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.6.2
|
||||
lastReleaseVersion: 0.6.3
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/ruby-queries
|
||||
version: 0.6.3-dev
|
||||
version: 0.6.3
|
||||
groups:
|
||||
- ruby
|
||||
- queries
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.0.14
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.0.13
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
shared/regex/change-notes/released/0.0.14.md
Normal file
3
shared/regex/change-notes/released/0.0.14.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.0.14
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.0.13
|
||||
lastReleaseVersion: 0.0.14
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/regex
|
||||
version: 0.0.14-dev
|
||||
version: 0.0.14
|
||||
groups: shared
|
||||
library: true
|
||||
dependencies:
|
||||
|
||||
@@ -1,3 +1,7 @@
|
||||
## 0.0.18
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.0.17
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
3
shared/ssa/change-notes/released/0.0.18.md
Normal file
3
shared/ssa/change-notes/released/0.0.18.md
Normal file
@@ -0,0 +1,3 @@
|
||||
## 0.0.18
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.0.17
|
||||
lastReleaseVersion: 0.0.18
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user