diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md
index d278929caed..6f030187ef9 100644
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.2.1
+
 ## 0.2.0
 
 ### Breaking Changes
diff --git a/cpp/ql/lib/change-notes/released/0.2.1.md b/cpp/ql/lib/change-notes/released/0.2.1.md
new file mode 100644
index 00000000000..c260de2a9ee
--- /dev/null
+++ b/cpp/ql/lib/change-notes/released/0.2.1.md
@@ -0,0 +1 @@
+## 0.2.1
diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml
index 5274e27ed52..df29a726bcc 100644
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.0
+lastReleaseVersion: 0.2.1
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
index 29c32aa15ac..9258aed4d71 100644
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.2.1-dev
+version: 0.2.1
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md
index fa04b672083..50408aea104 100644
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.1.2
+
+### Minor Analysis Improvements
+
+* The "XML external entity expansion" (`cpp/external-entity-expansion`) query has been extended to support a broader selection of XML libraries and interfaces.
+
 ## 0.1.1
 
 ### New Queries
diff --git a/cpp/ql/src/change-notes/2022-04-28-external-entity-expansion.md b/cpp/ql/src/change-notes/released/0.1.2.md
similarity index 78%
rename from cpp/ql/src/change-notes/2022-04-28-external-entity-expansion.md
rename to cpp/ql/src/change-notes/released/0.1.2.md
index 911cbd7e54c..ca3236f5950 100644
--- a/cpp/ql/src/change-notes/2022-04-28-external-entity-expansion.md
+++ b/cpp/ql/src/change-notes/released/0.1.2.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 0.1.2
+
+### Minor Analysis Improvements
+
 * The "XML external entity expansion" (`cpp/external-entity-expansion`) query has been extended to support a broader selection of XML libraries and interfaces.
diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml
index 92d1505475f..6abd14b1ef8 100644
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.1
+lastReleaseVersion: 0.1.2
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
index d4df6bb5e07..9601c697983 100644
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.1.2-dev
+version: 0.1.2
 groups:
 - cpp
 - queries
diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
index 2791add0d9c..a3b06b075db 100644
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 1.1.2
+
 ## 1.1.1
 
 ## 1.1.0
diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.1.2.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.1.2.md
new file mode 100644
index 00000000000..a948ef6c11d
--- /dev/null
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.1.2.md
@@ -0,0 +1 @@
+## 1.1.2
diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
index 1a19084be3f..53ab127707f 100644
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.1
+lastReleaseVersion: 1.1.2
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
index 6007262cb29..6561bfcf5f0 100644
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.1.2-dev
+version: 1.1.2
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
index 2791add0d9c..a3b06b075db 100644
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 1.1.2
+
 ## 1.1.1
 
 ## 1.1.0
diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.1.2.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.1.2.md
new file mode 100644
index 00000000000..a948ef6c11d
--- /dev/null
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.1.2.md
@@ -0,0 +1 @@
+## 1.1.2
diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
index 1a19084be3f..53ab127707f 100644
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.1
+lastReleaseVersion: 1.1.2
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
index fd0349bb9f9..a4ad0ee1c9b 100644
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.1.2-dev
+version: 1.1.2
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md
index 67bb243493e..17252098beb 100644
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.2.1
+
 ## 0.2.0
 
 ### Breaking Changes
diff --git a/csharp/ql/lib/change-notes/released/0.2.1.md b/csharp/ql/lib/change-notes/released/0.2.1.md
new file mode 100644
index 00000000000..c260de2a9ee
--- /dev/null
+++ b/csharp/ql/lib/change-notes/released/0.2.1.md
@@ -0,0 +1 @@
+## 0.2.1
diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml
index 5274e27ed52..df29a726bcc 100644
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.0
+lastReleaseVersion: 0.2.1
diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml
index f0f70451e5f..55b19e9db85 100644
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.2.1-dev
+version: 0.2.1
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md
index c6b210ab15b..77df7a74581 100644
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,5 @@
+## 0.1.2
+
 ## 0.1.1
 
 ## 0.1.0
diff --git a/csharp/ql/src/change-notes/released/0.1.2.md b/csharp/ql/src/change-notes/released/0.1.2.md
new file mode 100644
index 00000000000..66bd49d11eb
--- /dev/null
+++ b/csharp/ql/src/change-notes/released/0.1.2.md
@@ -0,0 +1 @@
+## 0.1.2
diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml
index 92d1505475f..6abd14b1ef8 100644
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.1
+lastReleaseVersion: 0.1.2
diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml
index 979ad1cd37b..78c812109ec 100644
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.1.2-dev
+version: 0.1.2
 groups:
 - csharp
 - queries
diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md
index ab5c12f5463..c528e23745c 100644
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,85 @@
+## 0.2.1
+
+### New Features
+
+ * A number of new classes and methods related to the upcoming Kotlin
+ support have been added. These are not yet stable, as Kotlin support
+ is still under development.
+ * `File::isSourceFile`
+ * `File::isJavaSourceFile`
+ * `File::isKotlinSourceFile`
+ * `Member::getKotlinType`
+ * `Element::isCompilerGenerated`
+ * `Expr::getKotlinType`
+ * `LambdaExpr::isKotlinFunctionN`
+ * `Callable::getReturnKotlinType`
+ * `Callable::getParameterKotlinType`
+ * `Method::isLocal`
+ * `Method::getKotlinName`
+ * `Field::getKotlinType`
+ * `Modifiable::isSealedKotlin`
+ * `Modifiable::isInternal`
+ * `Variable::getKotlinType`
+ * `LocalVariableDecl::getKotlinType`
+ * `Parameter::getKotlinType`
+ * `Parameter::isExtensionParameter`
+ * `Compilation` class
+ * `Diagnostic` class
+ * `KtInitializerAssignExpr` class
+ * `ValueEQExpr` class
+ * `ValueNEExpr` class
+ * `ValueOrReferenceEqualsExpr` class
+ * `ValueOrReferenceNotEqualsExpr` class
+ * `ReferenceEqualityTest` class
+ * `CastingExpr` class
+ * `SafeCastExpr` class
+ * `ImplicitCastExpr` class
+ * `ImplicitNotNullExpr` class
+ * `ImplicitCoercionToUnitExpr` class
+ * `UnsafeCoerceExpr` class
+ * `PropertyRefExpr` class
+ * `NotInstanceOfExpr` class
+ * `ExtensionReceiverAccess` class
+ * `WhenExpr` class
+ * `WhenBranch` class
+ * `ClassExpr` class
+ * `StmtExpr` class
+ * `StringTemplateExpr` class
+ * `NotNullExpr` class
+ * `TypeNullPointerException` class
+ * `KtComment` class
+ * `KtCommentSection` class
+ * `KotlinType` class
+ * `KotlinNullableType` class
+ * `KotlinNotnullType` class
+ * `KotlinTypeAlias` class
+ * `Property` class
+ * `DelegatedProperty` class
+ * `ExtensionMethod` class
+ * `KtInitializerNode` class
+ * `KtLoopStmt` class
+ * `KtBreakContinueStmt` class
+ * `KtBreakStmt` class
+ * `KtContinueStmt` class
+ * `ClassObject` class
+ * `CompanionObject` class
+ * `LiveLiteral` class
+ * `LiveLiteralMethod` class
+ * `CastConversionContext` renamed to `CastingConversionContext`
+* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
+
+### Minor Analysis Improvements
+
+* Added models for the libraries OkHttp and Retrofit.
+ * Add taint models for the following `File` methods:
+ * `File::getAbsoluteFile`
+ * `File::getCanonicalFile`
+ * `File::getAbsolutePath`
+ * `File::getCanonicalPath`
+Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
+Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
+* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
+
 ## 0.2.0
 
 ### Breaking Changes
diff --git a/java/ql/lib/change-notes/2022-03-15-mybatis-providers.md b/java/ql/lib/change-notes/2022-03-15-mybatis-providers.md
deleted file mode 100644
index 32ba9c23c12..00000000000
--- a/java/ql/lib/change-notes/2022-03-15-mybatis-providers.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
\ No newline at end of file
diff --git a/java/ql/lib/change-notes/2022-04-26-additional-file-taint-flow.md b/java/ql/lib/change-notes/2022-04-26-additional-file-taint-flow.md
deleted file mode 100644
index bd931220045..00000000000
--- a/java/ql/lib/change-notes/2022-04-26-additional-file-taint-flow.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-category: minorAnalysis
----
- * Add taint models for the following `File` methods:
- * `File::getAbsoluteFile`
- * `File::getCanonicalFile`
- * `File::getAbsolutePath`
- * `File::getCanonicalPath`
\ No newline at end of file
diff --git a/java/ql/lib/change-notes/2022-04-26-android-editable-tostring-flow-step.md b/java/ql/lib/change-notes/2022-04-26-android-editable-tostring-flow-step.md
deleted file mode 100644
index 2c8e2e367fb..00000000000
--- a/java/ql/lib/change-notes/2022-04-26-android-editable-tostring-flow-step.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
\ No newline at end of file
diff --git a/java/ql/lib/change-notes/2022-04-26-startactivity-flow-step.md b/java/ql/lib/change-notes/2022-04-26-startactivity-flow-step.md
deleted file mode 100644
index 82d58183edd..00000000000
--- a/java/ql/lib/change-notes/2022-04-26-startactivity-flow-step.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
\ No newline at end of file
diff --git a/java/ql/lib/change-notes/2022-05-02-okhttp-retrofit-models.md b/java/ql/lib/change-notes/2022-05-02-okhttp-retrofit-models.md
deleted file mode 100644
index f575b10cfec..00000000000
--- a/java/ql/lib/change-notes/2022-05-02-okhttp-retrofit-models.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added models for the libraries OkHttp and Retrofit.
\ No newline at end of file
diff --git a/java/ql/lib/change-notes/2022-05-09-value-discarding-expression.md b/java/ql/lib/change-notes/2022-05-09-value-discarding-expression.md
deleted file mode 100644
index 36adb0169d4..00000000000
--- a/java/ql/lib/change-notes/2022-05-09-value-discarding-expression.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
diff --git a/java/ql/lib/change-notes/2022-05-09-kotlin.md b/java/ql/lib/change-notes/released/0.2.1.md
similarity index 70%
rename from java/ql/lib/change-notes/2022-05-09-kotlin.md
rename to java/ql/lib/change-notes/released/0.2.1.md
index ce1a25ca183..aad2b5804ca 100644
--- a/java/ql/lib/change-notes/2022-05-09-kotlin.md
+++ b/java/ql/lib/change-notes/released/0.2.1.md
@@ -1,6 +1,7 @@
----
-category: feature
----
+## 0.2.1
+
+### New Features
+
 * A number of new classes and methods related to the upcoming Kotlin
 support have been added. These are not yet stable, as Kotlin support
 is still under development.
@@ -65,3 +66,16 @@ category: feature
 * `LiveLiteral` class
 * `LiveLiteralMethod` class
 * `CastConversionContext` renamed to `CastingConversionContext`
+* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
+
+### Minor Analysis Improvements
+
+* Added models for the libraries OkHttp and Retrofit.
+ * Add taint models for the following `File` methods:
+ * `File::getAbsoluteFile`
+ * `File::getCanonicalFile`
+ * `File::getAbsolutePath`
+ * `File::getCanonicalPath`
+Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
+Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
+* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml
index 5274e27ed52..df29a726bcc 100644
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.0
+lastReleaseVersion: 0.2.1
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
index 1a0a0929a12..067a9d9f8aa 100644
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.2.1-dev
+version: 0.2.1
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md
index dc7d34948f1..cb4057aff73 100644
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,16 @@
+## 0.1.2
+
+### Query Metadata Changes
+
+* Query `java/predictable-seed` now has a tag for CWE-337.
+
+### Minor Analysis Improvements
+
+* Query `java/insecure-cookie` now tolerates setting a cookie's secure flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
+* The query `java/non-https-urls` has been simplified
+and no longer requires its sinks to be `MethodAccess`es.
+ * The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.
+
 ## 0.1.1
 
 ### Minor Analysis Improvements
@@ -26,7 +39,7 @@ this respect.
 
 ### Minor Analysis Improvements
 
-* Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
+ * Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
 
 ## 0.0.11
 
diff --git a/java/ql/src/change-notes/2022-03-24-unsafe-android-access-improvements.md b/java/ql/src/change-notes/2022-03-24-unsafe-android-access-improvements.md
deleted file mode 100644
index 8f0089f616a..00000000000
--- a/java/ql/src/change-notes/2022-03-24-unsafe-android-access-improvements.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
- * The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.
-
\ No newline at end of file
diff --git a/java/ql/src/change-notes/2022-05-02-non-https-urls-simplified.md b/java/ql/src/change-notes/2022-05-02-non-https-urls-simplified.md
deleted file mode 100644
index 9baa9a9bbae..00000000000
--- a/java/ql/src/change-notes/2022-05-02-non-https-urls-simplified.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* The query `java/non-https-urls` has been simplified
-and no longer requires its sinks to be `MethodAccess`es.
\ No newline at end of file
diff --git a/java/ql/src/change-notes/2022-05-03-predictable-seed-tag.md b/java/ql/src/change-notes/2022-05-03-predictable-seed-tag.md
deleted file mode 100644
index 3133c82ef95..00000000000
--- a/java/ql/src/change-notes/2022-05-03-predictable-seed-tag.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* Query `java/predictable-seed` now has a tag for CWE-337.
\ No newline at end of file
diff --git a/java/ql/src/change-notes/2022-05-11-insecure-cookie.md b/java/ql/src/change-notes/2022-05-11-insecure-cookie.md
deleted file mode 100644
index 73d884b46a1..00000000000
--- a/java/ql/src/change-notes/2022-05-11-insecure-cookie.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Query `java/insecure-cookie` now tolerates setting a cookie's secure flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
diff --git a/java/ql/src/change-notes/released/0.1.2.md b/java/ql/src/change-notes/released/0.1.2.md
new file mode 100644
index 00000000000..3e116941e41
--- /dev/null
+++ b/java/ql/src/change-notes/released/0.1.2.md
@@ -0,0 +1,12 @@
+## 0.1.2
+
+### Query Metadata Changes
+
+* Query `java/predictable-seed` now has a tag for CWE-337.
+
+### Minor Analysis Improvements
+
+* Query `java/insecure-cookie` now tolerates setting a cookie's secure flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
+* The query `java/non-https-urls` has been simplified
+and no longer requires its sinks to be `MethodAccess`es.
+ * The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.
diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml
index 92d1505475f..6abd14b1ef8 100644
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.1
+lastReleaseVersion: 0.1.2
diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml
index ab897e87726..d9342ccb24f 100644
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.1.2-dev
+version: 0.1.2
 groups:
 - java
 - queries
diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md
index d50d7fa0dbb..2ffafc074a7 100644
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 0.1.2
+
+### Deprecated APIs
+
+* The `ReflectedXss`, `StoredXss`, `XssThroughDom`, and `ExceptionXss` modules from `Xss.qll` have been deprecated.
+ Use the `Customizations.qll` file belonging to the query instead.
+
+### Minor Analysis Improvements
+
+* The [cash](https://github.com/fabiospampinato/cash) library is now modelled as an alias for JQuery.
+ Sinks and sources from cash should now be handled by all XSS queries.
+* Added the `Selection` api as a DOM text source in the `js/xss-through-dom` query.
+* The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
+* The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
+
 ## 0.1.1
 
 ## 0.1.0
diff --git a/javascript/ql/lib/change-notes/2022-04-11-drag-and-drop-data.md b/javascript/ql/lib/change-notes/2022-04-11-drag-and-drop-data.md
deleted file mode 100644
index 8d3208ffcd2..00000000000
--- a/javascript/ql/lib/change-notes/2022-04-11-drag-and-drop-data.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
-* The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
diff --git a/javascript/ql/lib/change-notes/2022-04-22-xss-library.md b/javascript/ql/lib/change-notes/2022-04-22-xss-library.md
deleted file mode 100644
index 561fc4f63a3..00000000000
--- a/javascript/ql/lib/change-notes/2022-04-22-xss-library.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: deprecated
----
-* The `ReflectedXss`, `StoredXss`, `XssThroughDom`, and `ExceptionXss` modules from `Xss.qll` have been deprecated.
- Use the `Customizations.qll` file belonging to the query instead.
diff --git a/javascript/ql/lib/change-notes/2022-04-30-xss-selection-source.md b/javascript/ql/lib/change-notes/2022-04-30-xss-selection-source.md
deleted file mode 100644
index ac6e2c0ce06..00000000000
--- a/javascript/ql/lib/change-notes/2022-04-30-xss-selection-source.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added the `Selection` api as a DOM text source in the `js/xss-through-dom` query.
\ No newline at end of file
diff --git a/javascript/ql/lib/change-notes/2022-05-09-cash.md b/javascript/ql/lib/change-notes/2022-05-09-cash.md
deleted file mode 100644
index e5e0056e86c..00000000000
--- a/javascript/ql/lib/change-notes/2022-05-09-cash.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* The [cash](https://github.com/fabiospampinato/cash) library is now modelled as an alias for JQuery.
- Sinks and sources from cash should now be handled by all XSS queries.
\ No newline at end of file
diff --git a/javascript/ql/lib/change-notes/released/0.1.2.md b/javascript/ql/lib/change-notes/released/0.1.2.md
new file mode 100644
index 00000000000..3f3e762813a
--- /dev/null
+++ b/javascript/ql/lib/change-notes/released/0.1.2.md
@@ -0,0 +1,14 @@
+## 0.1.2
+
+### Deprecated APIs
+
+* The `ReflectedXss`, `StoredXss`, `XssThroughDom`, and `ExceptionXss` modules from `Xss.qll` have been deprecated.
+ Use the `Customizations.qll` file belonging to the query instead.
+
+### Minor Analysis Improvements
+
+* The [cash](https://github.com/fabiospampinato/cash) library is now modelled as an alias for JQuery.
+ Sinks and sources from cash should now be handled by all XSS queries.
+* Added the `Selection` api as a DOM text source in the `js/xss-through-dom` query.
+* The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
+* The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
diff --git a/javascript/ql/lib/codeql-pack.release.yml b/javascript/ql/lib/codeql-pack.release.yml
index 92d1505475f..6abd14b1ef8 100644
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.1
+lastReleaseVersion: 0.1.2
diff --git a/javascript/ql/lib/qlpack.yml b/javascript/ql/lib/qlpack.yml
index 9723715b1a8..9fa23bce00c 100644
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 0.1.2-dev
+version: 0.1.2
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
diff --git a/javascript/ql/src/CHANGELOG.md b/javascript/ql/src/CHANGELOG.md
index a70da925644..0854beff86d 100644
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.1.2
+
+### New Queries
+
+* The `js/missing-origin-check` query has been added. It highlights "message" event handlers that do not check the origin of the event.
+ The query previously existed as the experimental `js/missing-postmessageorigin-verification` query.
+
 ## 0.1.1
 
 ### Minor Analysis Improvements
diff --git a/javascript/ql/src/change-notes/2022-04-12-postmessage-origin-verification.md b/javascript/ql/src/change-notes/released/0.1.2.md
similarity index 75%
rename from javascript/ql/src/change-notes/2022-04-12-postmessage-origin-verification.md
rename to javascript/ql/src/change-notes/released/0.1.2.md
index f59652a8640..345f24ec493 100644
--- a/javascript/ql/src/change-notes/2022-04-12-postmessage-origin-verification.md
+++ b/javascript/ql/src/change-notes/released/0.1.2.md
@@ -1,5 +1,6 @@
----
-category: newQuery
----
+## 0.1.2
+
+### New Queries
+
 * The `js/missing-origin-check` query has been added. It highlights "message" event handlers that do not check the origin of the event.
- The query previously existed as the experimental `js/missing-postmessageorigin-verification` query.
\ No newline at end of file
+ The query previously existed as the experimental `js/missing-postmessageorigin-verification` query.
diff --git a/javascript/ql/src/codeql-pack.release.yml b/javascript/ql/src/codeql-pack.release.yml
index 92d1505475f..6abd14b1ef8 100644
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.1
+lastReleaseVersion: 0.1.2
diff --git a/javascript/ql/src/qlpack.yml b/javascript/ql/src/qlpack.yml
index ee8d91927f3..a2860bc7d41 100644
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 0.1.2-dev
+version: 0.1.2
 groups:
 - javascript
 - queries
diff --git a/python/ql/lib/CHANGELOG.md b/python/ql/lib/CHANGELOG.md
index ae6636f6f6e..03fd17a0d06 100644
--- a/python/ql/lib/CHANGELOG.md
+++ b/python/ql/lib/CHANGELOG.md
@@ -1,3 +1,15 @@
+## 0.3.0
+
+### Breaking Changes
+
+ * The imports made available from `import python` are no longer exposed under `DataFlow::` after doing `import semmle.python.dataflow.new.DataFlow`, for example using `DataFlow::Add` will now cause a compile error.
+
+### Minor Analysis Improvements
+
+The modeling of `request.files` in Flask has been fixed, so we now properly handle
+assignments to local variables (such as `files = request.files; files['key'].filename`).
+* Added taint propagation for `io.StringIO` and `io.BytesIO`. This addition was originally [submitted as part of an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
+
 ## 0.2.0
 
 ### Breaking Changes
diff --git a/python/ql/lib/change-notes/2022-03-29-add-taint-for-StringIO.md b/python/ql/lib/change-notes/2022-03-29-add-taint-for-StringIO.md
deleted file mode 100644
index 7857e6f9ca6..00000000000
--- a/python/ql/lib/change-notes/2022-03-29-add-taint-for-StringIO.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added taint propagation for `io.StringIO` and `io.BytesIO`. This addition was originally [submitted as part of an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
diff --git a/python/ql/lib/change-notes/2022-04-20-export-python-under-DataFlow.md b/python/ql/lib/change-notes/2022-04-20-export-python-under-DataFlow.md
deleted file mode 100644
index 2729b834ccf..00000000000
--- a/python/ql/lib/change-notes/2022-04-20-export-python-under-DataFlow.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
- category: breaking
----
- * The imports made available from `import python` are no longer exposed under `DataFlow::` after doing `import semmle.python.dataflow.new.DataFlow`, for example using `DataFlow::Add` will now cause a compile error.
diff --git a/python/ql/lib/change-notes/2022-05-02-flask-request-files-modeling.md b/python/ql/lib/change-notes/2022-05-02-flask-request-files-modeling.md
deleted file mode 100644
index 9b80811a608..00000000000
--- a/python/ql/lib/change-notes/2022-05-02-flask-request-files-modeling.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-The modeling of `request.files` in Flask has been fixed, so we now properly handle
-assignments to local variables (such as `files = request.files; files['key'].filename`).
diff --git a/python/ql/lib/change-notes/released/0.3.0.md b/python/ql/lib/change-notes/released/0.3.0.md
new file mode 100644
index 00000000000..f08cf6aa83b
--- /dev/null
+++ b/python/ql/lib/change-notes/released/0.3.0.md
@@ -0,0 +1,11 @@
+## 0.3.0
+
+### Breaking Changes
+
+ * The imports made available from `import python` are no longer exposed under `DataFlow::` after doing `import semmle.python.dataflow.new.DataFlow`, for example using `DataFlow::Add` will now cause a compile error.
+
+### Minor Analysis Improvements
+
+The modeling of `request.files` in Flask has been fixed, so we now properly handle
+assignments to local variables (such as `files = request.files; files['key'].filename`).
+* Added taint propagation for `io.StringIO` and `io.BytesIO`. This addition was originally [submitted as part of an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
diff --git a/python/ql/lib/codeql-pack.release.yml b/python/ql/lib/codeql-pack.release.yml
index 5274e27ed52..95f6e3a0ba6 100644
--- a/python/ql/lib/codeql-pack.release.yml
+++ b/python/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.0
+lastReleaseVersion: 0.3.0
diff --git a/python/ql/lib/qlpack.yml b/python/ql/lib/qlpack.yml
index ca2423b1b94..7dd0f6d51bc 100644
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 0.2.1-dev
+version: 0.3.0
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
diff --git a/python/ql/src/CHANGELOG.md b/python/ql/src/CHANGELOG.md
index 3b427cfaae9..a0c725aeb08 100644
--- a/python/ql/src/CHANGELOG.md
+++ b/python/ql/src/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.1.2
+
+### New Queries
+
+* "XML external entity expansion" (`py/xxe`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
+* "XML internal entity expansion" (`py/xml-bomb`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
+* The query "CSRF protection weakened or disabled" (`py/csrf-protection-disabled`) has been implemented. Its results will now appear by default.
+
 ## 0.1.1
 
 ## 0.1.0
diff --git a/python/ql/src/change-notes/2022-03-24-csrf-protection.md b/python/ql/src/change-notes/2022-03-24-csrf-protection.md
deleted file mode 100644
index 14a291d5f78..00000000000
--- a/python/ql/src/change-notes/2022-03-24-csrf-protection.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
- category: newQuery
----
-* The query "CSRF protection weakened or disabled" (`py/csrf-protection-disabled`) has been implemented. Its results will now appear by default.
diff --git a/python/ql/src/change-notes/2022-04-05-add-xxe-and-xmlbomb.md b/python/ql/src/change-notes/released/0.1.2.md
similarity index 68%
rename from python/ql/src/change-notes/2022-04-05-add-xxe-and-xmlbomb.md
rename to python/ql/src/change-notes/released/0.1.2.md
index bd867091aea..04e3e8b97af 100644
--- a/python/ql/src/change-notes/2022-04-05-add-xxe-and-xmlbomb.md
+++ b/python/ql/src/change-notes/released/0.1.2.md
@@ -1,5 +1,7 @@ ---- -category: newQuery ---- +## 0.1.2 + +### New Queries + * "XML external entity expansion" (`py/xxe`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112). * "XML internal entity expansion" (`py/xml-bomb`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112). +* The query "CSRF protection weakened or disabled" (`py/csrf-protection-disabled`) has been implemented. Its results will now appear by default. diff --git a/python/ql/src/codeql-pack.release.yml b/python/ql/src/codeql-pack.release.yml index 92d1505475f..6abd14b1ef8 100644 --- a/python/ql/src/codeql-pack.release.yml +++ b/python/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.1 +lastReleaseVersion: 0.1.2 diff --git a/python/ql/src/qlpack.yml b/python/ql/src/qlpack.yml index 265e6acebd3..33ef76ea514 100644 --- a/python/ql/src/qlpack.yml +++ b/python/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/python-queries -version: 0.1.2-dev +version: 0.1.2 groups: - python - queries diff --git a/ruby/ql/lib/CHANGELOG.md b/ruby/ql/lib/CHANGELOG.md index bc171ff917b..2aad8cccfc4 100644 --- a/ruby/ql/lib/CHANGELOG.md +++ b/ruby/ql/lib/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.2.1 + +### Bug Fixes + +The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly. + ## 0.2.0 ### Breaking Changes diff --git a/ruby/ql/lib/change-notes/2022-04-30-update-grammar.md b/ruby/ql/lib/change-notes/released/0.2.1.md similarity index 81% rename from ruby/ql/lib/change-notes/2022-04-30-update-grammar.md rename to ruby/ql/lib/change-notes/released/0.2.1.md index a5190ee7368..980d7481388 100644 --- a/ruby/ql/lib/change-notes/2022-04-30-update-grammar.md +++ b/ruby/ql/lib/change-notes/released/0.2.1.md 
@@ -1,4 +1,5 @@ ---- -category: fix ---- +## 0.2.1 + +### Bug Fixes + The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly. diff --git a/ruby/ql/lib/codeql-pack.release.yml b/ruby/ql/lib/codeql-pack.release.yml index 5274e27ed52..df29a726bcc 100644 --- a/ruby/ql/lib/codeql-pack.release.yml +++ b/ruby/ql/lib/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.2.0 +lastReleaseVersion: 0.2.1 diff --git a/ruby/ql/lib/qlpack.yml b/ruby/ql/lib/qlpack.yml index cd407edd0a8..7a63727b9da 100644 --- a/ruby/ql/lib/qlpack.yml +++ b/ruby/ql/lib/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-all -version: 0.2.1-dev +version: 0.2.1 groups: ruby extractor: ruby dbscheme: ruby.dbscheme diff --git a/ruby/ql/src/CHANGELOG.md b/ruby/ql/src/CHANGELOG.md index 72bf3f42e84..be4af4786d1 100644 --- a/ruby/ql/src/CHANGELOG.md +++ b/ruby/ql/src/CHANGELOG.md @@ -1,3 +1,5 @@ +## 0.1.2 + ## 0.1.1 ### New Queries diff --git a/ruby/ql/src/change-notes/released/0.1.2.md b/ruby/ql/src/change-notes/released/0.1.2.md new file mode 100644 index 00000000000..66bd49d11eb --- /dev/null +++ b/ruby/ql/src/change-notes/released/0.1.2.md @@ -0,0 +1 @@ +## 0.1.2 diff --git a/ruby/ql/src/codeql-pack.release.yml b/ruby/ql/src/codeql-pack.release.yml index 92d1505475f..6abd14b1ef8 100644 --- a/ruby/ql/src/codeql-pack.release.yml +++ b/ruby/ql/src/codeql-pack.release.yml @@ -1,2 +1,2 @@ --- -lastReleaseVersion: 0.1.1 +lastReleaseVersion: 0.1.2 diff --git a/ruby/ql/src/qlpack.yml b/ruby/ql/src/qlpack.yml index c4fbe058d06..b95529ed86c 100644 --- a/ruby/ql/src/qlpack.yml +++ b/ruby/ql/src/qlpack.yml @@ -1,5 +1,5 @@ name: codeql/ruby-queries -version: 0.1.2-dev +version: 0.1.2 groups: - ruby - queries