Release preparation for version 2.17.0

ruby/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.8.13
+
+### Minor Analysis Improvements
+
+* Data flow is now tracked through `ActiveRecord` scopes.
+* Modeled instances of `ActionDispatch::Http::UploadedFile` that can be obtained from element reads of `ActionController::Parameters`, with calls to `original_filename`, `content_type`, and `read` now propagating taint from their receiver. 
+* The second argument, `subquery_name`, of the `ActiveRecord::QueryMethods::from` method, is now recognized as an sql injection sink.
+* Calls to `Typhoeus::Request.new` are now considered as instances of the `Http::Client::Request` concept, with the response body being treated as a remote flow source.
+* New command injection sinks have been added, including `Process.spawn`, `Process.exec`, `Terrapin::CommandLine` and the `open4` gem.
+
 ## 0.8.12
 
 No user-facing changes.

ruby/ql/lib/change-notes/2024-02-27-process-spawn.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* New command injection sinks have been added, including `Process.spawn`, `Process.exec`, `Terrapin::CommandLine` and the `open4` gem.

ruby/ql/lib/change-notes/2024-03-01-typhoeus-request.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Calls to `Typhoeus::Request.new` are now considered as instances of the `Http::Client::Request` concept, with the response body being treated as a remote flow source.

ruby/ql/lib/change-notes/2024-03-08-activerecord-from.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The second argument, `subquery_name`, of the `ActiveRecord::QueryMethods::from` method, is now recognized as an sql injection sink.

ruby/ql/lib/change-notes/2024-03-14-actiondispatch-uploadedfile.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Modeled instances of `ActionDispatch::Http::UploadedFile` that can be obtained from element reads of `ActionController::Parameters`, with calls to `original_filename`, `content_type`, and `read` now propagating taint from their receiver. 

ruby/ql/lib/change-notes/2024-03-19-activerecord-scopes.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Data flow is now tracked through `ActiveRecord` scopes.

ruby/ql/lib/change-notes/released/0.8.13.md

@@ -0,0 +1,9 @@
+## 0.8.13
+
+### Minor Analysis Improvements
+
+* Data flow is now tracked through `ActiveRecord` scopes.
+* Modeled instances of `ActionDispatch::Http::UploadedFile` that can be obtained from element reads of `ActionController::Parameters`, with calls to `original_filename`, `content_type`, and `read` now propagating taint from their receiver. 
+* The second argument, `subquery_name`, of the `ActiveRecord::QueryMethods::from` method, is now recognized as an sql injection sink.
+* Calls to `Typhoeus::Request.new` are now considered as instances of the `Http::Client::Request` concept, with the response body being treated as a remote flow source.
+* New command injection sinks have been added, including `Process.spawn`, `Process.exec`, `Terrapin::CommandLine` and the `open4` gem.

ruby/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.12
+lastReleaseVersion: 0.8.13

ruby/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 0.8.13-dev
+version: 0.8.13
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme

ruby/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.8.13
+
+No user-facing changes.
+
 ## 0.8.12
 
 No user-facing changes.

ruby/ql/src/change-notes/released/0.8.13.md

@@ -0,0 +1,3 @@
+## 0.8.13
+
+No user-facing changes.

ruby/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.12
+lastReleaseVersion: 0.8.13

ruby/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 0.8.13-dev
+version: 0.8.13
 groups:
   - ruby
   - queries