mirror of
https://github.com/github/codeql.git
synced 2026-04-27 09:45:15 +02:00
Release preparation for version 2.9.2
This commit is contained in:
github-actions[bot]
@@ -1,3 +1,85 @@
|
||||
## 0.2.1
|
||||
|
||||
### New Features
|
||||
|
||||
* A number of new classes and methods related to the upcoming Kotlin
|
||||
support have been added. These are not yet stable, as Kotlin support
|
||||
is still under development.
|
||||
* `File::isSourceFile`
|
||||
* `File::isJavaSourceFile`
|
||||
* `File::isKotlinSourceFile`
|
||||
* `Member::getKotlinType`
|
||||
* `Element::isCompilerGenerated`
|
||||
* `Expr::getKotlinType`
|
||||
* `LambdaExpr::isKotlinFunctionN`
|
||||
* `Callable::getReturnKotlinType`
|
||||
* `Callable::getParameterKotlinType`
|
||||
* `Method::isLocal`
|
||||
* `Method::getKotlinName`
|
||||
* `Field::getKotlinType`
|
||||
* `Modifiable::isSealedKotlin`
|
||||
* `Modifiable::isInternal`
|
||||
* `Variable::getKotlinType`
|
||||
* `LocalVariableDecl::getKotlinType`
|
||||
* `Parameter::getKotlinType`
|
||||
* `Parameter::isExtensionParameter`
|
||||
* `Compilation` class
|
||||
* `Diagnostic` class
|
||||
* `KtInitializerAssignExpr` class
|
||||
* `ValueEQExpr` class
|
||||
* `ValueNEExpr` class
|
||||
* `ValueOrReferenceEqualsExpr` class
|
||||
* `ValueOrReferenceNotEqualsExpr` class
|
||||
* `ReferenceEqualityTest` class
|
||||
* `CastingExpr` class
|
||||
* `SafeCastExpr` class
|
||||
* `ImplicitCastExpr` class
|
||||
* `ImplicitNotNullExpr` class
|
||||
* `ImplicitCoercionToUnitExpr` class
|
||||
* `UnsafeCoerceExpr` class
|
||||
* `PropertyRefExpr` class
|
||||
* `NotInstanceOfExpr` class
|
||||
* `ExtensionReceiverAccess` class
|
||||
* `WhenExpr` class
|
||||
* `WhenBranch` class
|
||||
* `ClassExpr` class
|
||||
* `StmtExpr` class
|
||||
* `StringTemplateExpr` class
|
||||
* `NotNullExpr` class
|
||||
* `TypeNullPointerException` class
|
||||
* `KtComment` class
|
||||
* `KtCommentSection` class
|
||||
* `KotlinType` class
|
||||
* `KotlinNullableType` class
|
||||
* `KotlinNotnullType` class
|
||||
* `KotlinTypeAlias` class
|
||||
* `Property` class
|
||||
* `DelegatedProperty` class
|
||||
* `ExtensionMethod` class
|
||||
* `KtInitializerNode` class
|
||||
* `KtLoopStmt` class
|
||||
* `KtBreakContinueStmt` class
|
||||
* `KtBreakStmt` class
|
||||
* `KtContinueStmt` class
|
||||
* `ClassObject` class
|
||||
* `CompanionObject` class
|
||||
* `LiveLiteral` class
|
||||
* `LiveLiteralMethod` class
|
||||
* `CastConversionContext` renamed to `CastingConversionContext`
|
||||
* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added models for the libraries OkHttp and Retrofit.
|
||||
* Add taint models for the following `File` methods:
|
||||
* `File::getAbsoluteFile`
|
||||
* `File::getCanonicalFile`
|
||||
* `File::getAbsolutePath`
|
||||
* `File::getCanonicalPath`
|
||||
Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
|
||||
Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
|
||||
* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
|
||||
|
||||
## 0.2.0
|
||||
|
||||
### Breaking Changes
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
|
||||
@@ -1,8 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Add taint models for the following `File` methods:
|
||||
* `File::getAbsoluteFile`
|
||||
* `File::getCanonicalFile`
|
||||
* `File::getAbsolutePath`
|
||||
* `File::getCanonicalPath`
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the libraries OkHttp and Retrofit.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
|
||||
@@ -1,6 +1,7 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
## 0.2.1
|
||||
|
||||
### New Features
|
||||
|
||||
* A number of new classes and methods related to the upcoming Kotlin
|
||||
support have been added. These are not yet stable, as Kotlin support
|
||||
is still under development.
|
||||
@@ -65,3 +66,16 @@ category: feature
|
||||
* `LiveLiteral` class
|
||||
* `LiveLiteralMethod` class
|
||||
* `CastConversionContext` renamed to `CastingConversionContext`
|
||||
* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added models for the libraries OkHttp and Retrofit.
|
||||
* Add taint models for the following `File` methods:
|
||||
* `File::getAbsoluteFile`
|
||||
* `File::getCanonicalFile`
|
||||
* `File::getAbsolutePath`
|
||||
* `File::getCanonicalPath`
|
||||
Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
|
||||
Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
|
||||
* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.2.0
|
||||
lastReleaseVersion: 0.2.1
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-all
|
||||
version: 0.2.1-dev
|
||||
version: 0.2.1
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
||||
@@ -1,3 +1,16 @@
|
||||
## 0.1.2
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* Query `java/predictable-seed` now has a tag for CWE-337.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Query `java/insecure-cookie` now tolerates setting a cookie's secure flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
|
||||
* The query `java/non-https-urls` has been simplified
|
||||
and no longer requires its sinks to be `MethodAccess`es.
|
||||
* The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.
|
||||
|
||||
## 0.1.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
@@ -26,7 +39,7 @@ this respect.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
|
||||
* Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
|
||||
|
||||
## 0.0.11
|
||||
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.
|
||||
|
||||
@@ -1,5 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The query `java/non-https-urls` has been simplified
|
||||
and no longer requires its sinks to be `MethodAccess`es.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
* Query `java/predictable-seed` now has a tag for CWE-337.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Query `java/insecure-cookie` now tolerates setting a cookie's secure flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
|
||||
12
java/ql/src/change-notes/released/0.1.2.md
Normal file
12
java/ql/src/change-notes/released/0.1.2.md
Normal file
@@ -0,0 +1,12 @@
|
||||
## 0.1.2
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* Query `java/predictable-seed` now has a tag for CWE-337.
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Query `java/insecure-cookie` now tolerates setting a cookie's secure flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
|
||||
* The query `java/non-https-urls` has been simplified
|
||||
and no longer requires its sinks to be `MethodAccess`es.
|
||||
* The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.1.1
|
||||
lastReleaseVersion: 0.1.2
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 0.1.2-dev
|
||||
version: 0.1.2
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
Reference in New Issue
Block a user