mirror of
https://github.com/github/codeql.git
synced 2025-12-17 01:03:14 +01:00
Release preparation for version 2.9.2
This commit is contained in:
github-actions[bot]
@@ -1,3 +1,5 @@
|
|||||||
|
## 0.2.1
|
||||||
|
|
||||||
## 0.2.0
|
## 0.2.0
|
||||||
|
|
||||||
### Breaking Changes
|
### Breaking Changes
|
||||||
|
|||||||
1
cpp/ql/lib/change-notes/released/0.2.1.md
Normal file
1
cpp/ql/lib/change-notes/released/0.2.1.md
Normal file
@@ -0,0 +1 @@
|
|||||||
|
## 0.2.1
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.2.0
|
lastReleaseVersion: 0.2.1
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/cpp-all
|
name: codeql/cpp-all
|
||||||
version: 0.2.1-dev
|
version: 0.2.1
|
||||||
groups: cpp
|
groups: cpp
|
||||||
dbscheme: semmlecode.cpp.dbscheme
|
dbscheme: semmlecode.cpp.dbscheme
|
||||||
extractor: cpp
|
extractor: cpp
|
||||||
|
|||||||
@@ -1,3 +1,9 @@
|
|||||||
|
## 0.1.2
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* The "XML external entity expansion" (`cpp/external-entity-expansion`) query has been extended to support a broader selection of XML libraries and interfaces.
|
||||||
|
|
||||||
## 0.1.1
|
## 0.1.1
|
||||||
|
|
||||||
### New Queries
|
### New Queries
|
||||||
|
|||||||
@@ -1,4 +1,5 @@
|
|||||||
---
|
## 0.1.2
|
||||||
category: minorAnalysis
|
|
||||||
---
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
* The "XML external entity expansion" (`cpp/external-entity-expansion`) query has been extended to support a broader selection of XML libraries and interfaces.
|
* The "XML external entity expansion" (`cpp/external-entity-expansion`) query has been extended to support a broader selection of XML libraries and interfaces.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.1.1
|
lastReleaseVersion: 0.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/cpp-queries
|
name: codeql/cpp-queries
|
||||||
version: 0.1.2-dev
|
version: 0.1.2
|
||||||
groups:
|
groups:
|
||||||
- cpp
|
- cpp
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
|
## 1.1.2
|
||||||
|
|
||||||
## 1.1.1
|
## 1.1.1
|
||||||
|
|
||||||
## 1.1.0
|
## 1.1.0
|
||||||
|
|||||||
@@ -0,0 +1 @@
|
|||||||
|
## 1.1.2
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.1.1
|
lastReleaseVersion: 1.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-solorigate-all
|
name: codeql/csharp-solorigate-all
|
||||||
version: 1.1.2-dev
|
version: 1.1.2
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- solorigate
|
- solorigate
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
|
## 1.1.2
|
||||||
|
|
||||||
## 1.1.1
|
## 1.1.1
|
||||||
|
|
||||||
## 1.1.0
|
## 1.1.0
|
||||||
|
|||||||
@@ -0,0 +1 @@
|
|||||||
|
## 1.1.2
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 1.1.1
|
lastReleaseVersion: 1.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-solorigate-queries
|
name: codeql/csharp-solorigate-queries
|
||||||
version: 1.1.2-dev
|
version: 1.1.2
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- solorigate
|
- solorigate
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
|
## 0.2.1
|
||||||
|
|
||||||
## 0.2.0
|
## 0.2.0
|
||||||
|
|
||||||
### Breaking Changes
|
### Breaking Changes
|
||||||
|
|||||||
1
csharp/ql/lib/change-notes/released/0.2.1.md
Normal file
1
csharp/ql/lib/change-notes/released/0.2.1.md
Normal file
@@ -0,0 +1 @@
|
|||||||
|
## 0.2.1
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.2.0
|
lastReleaseVersion: 0.2.1
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-all
|
name: codeql/csharp-all
|
||||||
version: 0.2.1-dev
|
version: 0.2.1
|
||||||
groups: csharp
|
groups: csharp
|
||||||
dbscheme: semmlecode.csharp.dbscheme
|
dbscheme: semmlecode.csharp.dbscheme
|
||||||
extractor: csharp
|
extractor: csharp
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
|
## 0.1.2
|
||||||
|
|
||||||
## 0.1.1
|
## 0.1.1
|
||||||
|
|
||||||
## 0.1.0
|
## 0.1.0
|
||||||
|
|||||||
1
csharp/ql/src/change-notes/released/0.1.2.md
Normal file
1
csharp/ql/src/change-notes/released/0.1.2.md
Normal file
@@ -0,0 +1 @@
|
|||||||
|
## 0.1.2
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.1.1
|
lastReleaseVersion: 0.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/csharp-queries
|
name: codeql/csharp-queries
|
||||||
version: 0.1.2-dev
|
version: 0.1.2
|
||||||
groups:
|
groups:
|
||||||
- csharp
|
- csharp
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,3 +1,85 @@
|
|||||||
|
## 0.2.1
|
||||||
|
|
||||||
|
### New Features
|
||||||
|
|
||||||
|
* A number of new classes and methods related to the upcoming Kotlin
|
||||||
|
support have been added. These are not yet stable, as Kotlin support
|
||||||
|
is still under development.
|
||||||
|
* `File::isSourceFile`
|
||||||
|
* `File::isJavaSourceFile`
|
||||||
|
* `File::isKotlinSourceFile`
|
||||||
|
* `Member::getKotlinType`
|
||||||
|
* `Element::isCompilerGenerated`
|
||||||
|
* `Expr::getKotlinType`
|
||||||
|
* `LambdaExpr::isKotlinFunctionN`
|
||||||
|
* `Callable::getReturnKotlinType`
|
||||||
|
* `Callable::getParameterKotlinType`
|
||||||
|
* `Method::isLocal`
|
||||||
|
* `Method::getKotlinName`
|
||||||
|
* `Field::getKotlinType`
|
||||||
|
* `Modifiable::isSealedKotlin`
|
||||||
|
* `Modifiable::isInternal`
|
||||||
|
* `Variable::getKotlinType`
|
||||||
|
* `LocalVariableDecl::getKotlinType`
|
||||||
|
* `Parameter::getKotlinType`
|
||||||
|
* `Parameter::isExtensionParameter`
|
||||||
|
* `Compilation` class
|
||||||
|
* `Diagnostic` class
|
||||||
|
* `KtInitializerAssignExpr` class
|
||||||
|
* `ValueEQExpr` class
|
||||||
|
* `ValueNEExpr` class
|
||||||
|
* `ValueOrReferenceEqualsExpr` class
|
||||||
|
* `ValueOrReferenceNotEqualsExpr` class
|
||||||
|
* `ReferenceEqualityTest` class
|
||||||
|
* `CastingExpr` class
|
||||||
|
* `SafeCastExpr` class
|
||||||
|
* `ImplicitCastExpr` class
|
||||||
|
* `ImplicitNotNullExpr` class
|
||||||
|
* `ImplicitCoercionToUnitExpr` class
|
||||||
|
* `UnsafeCoerceExpr` class
|
||||||
|
* `PropertyRefExpr` class
|
||||||
|
* `NotInstanceOfExpr` class
|
||||||
|
* `ExtensionReceiverAccess` class
|
||||||
|
* `WhenExpr` class
|
||||||
|
* `WhenBranch` class
|
||||||
|
* `ClassExpr` class
|
||||||
|
* `StmtExpr` class
|
||||||
|
* `StringTemplateExpr` class
|
||||||
|
* `NotNullExpr` class
|
||||||
|
* `TypeNullPointerException` class
|
||||||
|
* `KtComment` class
|
||||||
|
* `KtCommentSection` class
|
||||||
|
* `KotlinType` class
|
||||||
|
* `KotlinNullableType` class
|
||||||
|
* `KotlinNotnullType` class
|
||||||
|
* `KotlinTypeAlias` class
|
||||||
|
* `Property` class
|
||||||
|
* `DelegatedProperty` class
|
||||||
|
* `ExtensionMethod` class
|
||||||
|
* `KtInitializerNode` class
|
||||||
|
* `KtLoopStmt` class
|
||||||
|
* `KtBreakContinueStmt` class
|
||||||
|
* `KtBreakStmt` class
|
||||||
|
* `KtContinueStmt` class
|
||||||
|
* `ClassObject` class
|
||||||
|
* `CompanionObject` class
|
||||||
|
* `LiveLiteral` class
|
||||||
|
* `LiveLiteralMethod` class
|
||||||
|
* `CastConversionContext` renamed to `CastingConversionContext`
|
||||||
|
* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* Added models for the libraries OkHttp and Retrofit.
|
||||||
|
* Add taint models for the following `File` methods:
|
||||||
|
* `File::getAbsoluteFile`
|
||||||
|
* `File::getCanonicalFile`
|
||||||
|
* `File::getAbsolutePath`
|
||||||
|
* `File::getCanonicalPath`
|
||||||
|
Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
|
||||||
|
Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
|
||||||
|
* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
|
||||||
|
|
||||||
## 0.2.0
|
## 0.2.0
|
||||||
|
|
||||||
### Breaking Changes
|
### Breaking Changes
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
|
|
||||||
@@ -1,8 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Add taint models for the following `File` methods:
|
|
||||||
* `File::getAbsoluteFile`
|
|
||||||
* `File::getCanonicalFile`
|
|
||||||
* `File::getAbsolutePath`
|
|
||||||
* `File::getCanonicalPath`
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Added models for the libraries OkHttp and Retrofit.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: feature
|
|
||||||
---
|
|
||||||
* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
|
|
||||||
@@ -1,6 +1,7 @@
|
|||||||
---
|
## 0.2.1
|
||||||
category: feature
|
|
||||||
---
|
### New Features
|
||||||
|
|
||||||
* A number of new classes and methods related to the upcoming Kotlin
|
* A number of new classes and methods related to the upcoming Kotlin
|
||||||
support have been added. These are not yet stable, as Kotlin support
|
support have been added. These are not yet stable, as Kotlin support
|
||||||
is still under development.
|
is still under development.
|
||||||
@@ -65,3 +66,16 @@ category: feature
|
|||||||
* `LiveLiteral` class
|
* `LiveLiteral` class
|
||||||
* `LiveLiteralMethod` class
|
* `LiveLiteralMethod` class
|
||||||
* `CastConversionContext` renamed to `CastingConversionContext`
|
* `CastConversionContext` renamed to `CastingConversionContext`
|
||||||
|
* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* Added models for the libraries OkHttp and Retrofit.
|
||||||
|
* Add taint models for the following `File` methods:
|
||||||
|
* `File::getAbsoluteFile`
|
||||||
|
* `File::getCanonicalFile`
|
||||||
|
* `File::getAbsolutePath`
|
||||||
|
* `File::getCanonicalPath`
|
||||||
|
Added a flow step for `toString` calls on tainted `android.text.Editable` objects.
|
||||||
|
Added a data flow step for tainted Android intents that are sent to other activities and accessed there via `getIntent()`.
|
||||||
|
* Added modeling of MyBatis (`org.apache.ibatis`) Providers, resulting in additional sinks for the queries `java/ognl-injection`, `java/sql-injection`, `java/sql-injection-local` and `java/concatenated-sql-query`.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.2.0
|
lastReleaseVersion: 0.2.1
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/java-all
|
name: codeql/java-all
|
||||||
version: 0.2.1-dev
|
version: 0.2.1
|
||||||
groups: java
|
groups: java
|
||||||
dbscheme: config/semmlecode.dbscheme
|
dbscheme: config/semmlecode.dbscheme
|
||||||
extractor: java
|
extractor: java
|
||||||
|
|||||||
@@ -1,3 +1,16 @@
|
|||||||
|
## 0.1.2
|
||||||
|
|
||||||
|
### Query Metadata Changes
|
||||||
|
|
||||||
|
* Query `java/predictable-seed` now has a tag for CWE-337.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* Query `java/insecure-cookie` now tolerates setting a cookie's secure flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
|
||||||
|
* The query `java/non-https-urls` has been simplified
|
||||||
|
and no longer requires its sinks to be `MethodAccess`es.
|
||||||
|
* The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.
|
||||||
|
|
||||||
## 0.1.1
|
## 0.1.1
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
### Minor Analysis Improvements
|
||||||
@@ -26,7 +39,7 @@ this respect.
|
|||||||
|
|
||||||
### Minor Analysis Improvements
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
* Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
|
* Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
|
||||||
|
|
||||||
## 0.0.11
|
## 0.0.11
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.
|
|
||||||
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* The query `java/non-https-urls` has been simplified
|
|
||||||
and no longer requires its sinks to be `MethodAccess`es.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: queryMetadata
|
|
||||||
---
|
|
||||||
* Query `java/predictable-seed` now has a tag for CWE-337.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Query `java/insecure-cookie` now tolerates setting a cookie's secure flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
|
|
||||||
12
java/ql/src/change-notes/released/0.1.2.md
Normal file
12
java/ql/src/change-notes/released/0.1.2.md
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
## 0.1.2
|
||||||
|
|
||||||
|
### Query Metadata Changes
|
||||||
|
|
||||||
|
* Query `java/predictable-seed` now has a tag for CWE-337.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* Query `java/insecure-cookie` now tolerates setting a cookie's secure flag to `request.isSecure()`. This means servlets that intentionally accept unencrypted connections will no longer raise an alert.
|
||||||
|
* The query `java/non-https-urls` has been simplified
|
||||||
|
and no longer requires its sinks to be `MethodAccess`es.
|
||||||
|
* The logic to detect `WebView`s with JavaScript (and optionally file access) enabled in the query `java/android/unsafe-android-webview-fetch` has been improved.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.1.1
|
lastReleaseVersion: 0.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/java-queries
|
name: codeql/java-queries
|
||||||
version: 0.1.2-dev
|
version: 0.1.2
|
||||||
groups:
|
groups:
|
||||||
- java
|
- java
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,3 +1,18 @@
|
|||||||
|
## 0.1.2
|
||||||
|
|
||||||
|
### Deprecated APIs
|
||||||
|
|
||||||
|
* The `ReflectedXss`, `StoredXss`, `XssThroughDom`, and `ExceptionXss` modules from `Xss.qll` have been deprecated.
|
||||||
|
Use the `Customizations.qll` file belonging to the query instead.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* The [cash](https://github.com/fabiospampinato/cash) library is now modelled as an alias for JQuery.
|
||||||
|
Sinks and sources from cash should now be handled by all XSS queries.
|
||||||
|
* Added the `Selection` api as a DOM text source in the `js/xss-through-dom` query.
|
||||||
|
* The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
|
||||||
|
* The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
|
||||||
|
|
||||||
## 0.1.1
|
## 0.1.1
|
||||||
|
|
||||||
## 0.1.0
|
## 0.1.0
|
||||||
|
|||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
|
|
||||||
* The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
category: deprecated
|
|
||||||
---
|
|
||||||
* The `ReflectedXss`, `StoredXss`, `XssThroughDom`, and `ExceptionXss` modules from `Xss.qll` have been deprecated.
|
|
||||||
Use the `Customizations.qll` file belonging to the query instead.
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Added the `Selection` api as a DOM text source in the `js/xss-through-dom` query.
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* The [cash](https://github.com/fabiospampinato/cash) library is now modelled as an alias for JQuery.
|
|
||||||
Sinks and sources from cash should now be handled by all XSS queries.
|
|
||||||
14
javascript/ql/lib/change-notes/released/0.1.2.md
Normal file
14
javascript/ql/lib/change-notes/released/0.1.2.md
Normal file
@@ -0,0 +1,14 @@
|
|||||||
|
## 0.1.2
|
||||||
|
|
||||||
|
### Deprecated APIs
|
||||||
|
|
||||||
|
* The `ReflectedXss`, `StoredXss`, `XssThroughDom`, and `ExceptionXss` modules from `Xss.qll` have been deprecated.
|
||||||
|
Use the `Customizations.qll` file belonging to the query instead.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
* The [cash](https://github.com/fabiospampinato/cash) library is now modelled as an alias for JQuery.
|
||||||
|
Sinks and sources from cash should now be handled by all XSS queries.
|
||||||
|
* Added the `Selection` api as a DOM text source in the `js/xss-through-dom` query.
|
||||||
|
* The security queries now recognize drag and drop data as a source, enabling the queries to flag additional alerts.
|
||||||
|
* The security queries now recognize ClipboardEvent function parameters as a source, enabling the queries to flag additional alerts.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.1.1
|
lastReleaseVersion: 0.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/javascript-all
|
name: codeql/javascript-all
|
||||||
version: 0.1.2-dev
|
version: 0.1.2
|
||||||
groups: javascript
|
groups: javascript
|
||||||
dbscheme: semmlecode.javascript.dbscheme
|
dbscheme: semmlecode.javascript.dbscheme
|
||||||
extractor: javascript
|
extractor: javascript
|
||||||
|
|||||||
@@ -1,3 +1,10 @@
|
|||||||
|
## 0.1.2
|
||||||
|
|
||||||
|
### New Queries
|
||||||
|
|
||||||
|
* The `js/missing-origin-check` query has been added. It highlights "message" event handlers that do not check the origin of the event.
|
||||||
|
The query previously existed as the experimental `js/missing-postmessageorigin-verification` query.
|
||||||
|
|
||||||
## 0.1.1
|
## 0.1.1
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
### Minor Analysis Improvements
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
---
|
## 0.1.2
|
||||||
category: newQuery
|
|
||||||
---
|
### New Queries
|
||||||
|
|
||||||
* The `js/missing-origin-check` query has been added. It highlights "message" event handlers that do not check the origin of the event.
|
* The `js/missing-origin-check` query has been added. It highlights "message" event handlers that do not check the origin of the event.
|
||||||
The query previously existed as the experimental `js/missing-postmessageorigin-verification` query.
|
The query previously existed as the experimental `js/missing-postmessageorigin-verification` query.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.1.1
|
lastReleaseVersion: 0.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/javascript-queries
|
name: codeql/javascript-queries
|
||||||
version: 0.1.2-dev
|
version: 0.1.2
|
||||||
groups:
|
groups:
|
||||||
- javascript
|
- javascript
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,3 +1,15 @@
|
|||||||
|
## 0.3.0
|
||||||
|
|
||||||
|
### Breaking Changes
|
||||||
|
|
||||||
|
* The imports made available from `import python` are no longer exposed under `DataFlow::` after doing `import semmle.python.dataflow.new.DataFlow`, for example using `DataFlow::Add` will now cause a compile error.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
The modeling of `request.files` in Flask has been fixed, so we now properly handle
|
||||||
|
assignments to local variables (such as `files = request.files; files['key'].filename`).
|
||||||
|
* Added taint propagation for `io.StringIO` and `io.BytesIO`. This addition was originally [submitted as part of an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
|
||||||
|
|
||||||
## 0.2.0
|
## 0.2.0
|
||||||
|
|
||||||
### Breaking Changes
|
### Breaking Changes
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
* Added taint propagation for `io.StringIO` and `io.BytesIO`. This addition was originally [submitted as part of an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: breaking
|
|
||||||
---
|
|
||||||
* The imports made available from `import python` are no longer exposed under `DataFlow::` after doing `import semmle.python.dataflow.new.DataFlow`, for example using `DataFlow::Add` will now cause a compile error.
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
category: minorAnalysis
|
|
||||||
---
|
|
||||||
The modeling of `request.files` in Flask has been fixed, so we now properly handle
|
|
||||||
assignments to local variables (such as `files = request.files; files['key'].filename`).
|
|
||||||
11
python/ql/lib/change-notes/released/0.3.0.md
Normal file
11
python/ql/lib/change-notes/released/0.3.0.md
Normal file
@@ -0,0 +1,11 @@
|
|||||||
|
## 0.3.0
|
||||||
|
|
||||||
|
### Breaking Changes
|
||||||
|
|
||||||
|
* The imports made available from `import python` are no longer exposed under `DataFlow::` after doing `import semmle.python.dataflow.new.DataFlow`, for example using `DataFlow::Add` will now cause a compile error.
|
||||||
|
|
||||||
|
### Minor Analysis Improvements
|
||||||
|
|
||||||
|
The modeling of `request.files` in Flask has been fixed, so we now properly handle
|
||||||
|
assignments to local variables (such as `files = request.files; files['key'].filename`).
|
||||||
|
* Added taint propagation for `io.StringIO` and `io.BytesIO`. This addition was originally [submitted as part of an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.2.0
|
lastReleaseVersion: 0.3.0
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/python-all
|
name: codeql/python-all
|
||||||
version: 0.2.1-dev
|
version: 0.3.0
|
||||||
groups: python
|
groups: python
|
||||||
dbscheme: semmlecode.python.dbscheme
|
dbscheme: semmlecode.python.dbscheme
|
||||||
extractor: python
|
extractor: python
|
||||||
|
|||||||
@@ -1,3 +1,11 @@
|
|||||||
|
## 0.1.2
|
||||||
|
|
||||||
|
### New Queries
|
||||||
|
|
||||||
|
* "XML external entity expansion" (`py/xxe`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
|
||||||
|
* "XML internal entity expansion" (`py/xml-bomb`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
|
||||||
|
* The query "CSRF protection weakened or disabled" (`py/csrf-protection-disabled`) has been implemented. Its results will now appear by default.
|
||||||
|
|
||||||
## 0.1.1
|
## 0.1.1
|
||||||
|
|
||||||
## 0.1.0
|
## 0.1.0
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
category: newQuery
|
|
||||||
---
|
|
||||||
* The query "CSRF protection weakened or disabled" (`py/csrf-protection-disabled`) has been implemented. Its results will now appear by default.
|
|
||||||
@@ -1,5 +1,7 @@
|
|||||||
---
|
## 0.1.2
|
||||||
category: newQuery
|
|
||||||
---
|
### New Queries
|
||||||
|
|
||||||
* "XML external entity expansion" (`py/xxe`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
|
* "XML external entity expansion" (`py/xxe`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
|
||||||
* "XML internal entity expansion" (`py/xml-bomb`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
|
* "XML internal entity expansion" (`py/xml-bomb`). Results will appear by default. This query was based on [an experimental query by @jorgectf](https://github.com/github/codeql/pull/6112).
|
||||||
|
* The query "CSRF protection weakened or disabled" (`py/csrf-protection-disabled`) has been implemented. Its results will now appear by default.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.1.1
|
lastReleaseVersion: 0.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/python-queries
|
name: codeql/python-queries
|
||||||
version: 0.1.2-dev
|
version: 0.1.2
|
||||||
groups:
|
groups:
|
||||||
- python
|
- python
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
@@ -1,3 +1,9 @@
|
|||||||
|
## 0.2.1
|
||||||
|
|
||||||
|
### Bug Fixes
|
||||||
|
|
||||||
|
The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly.
|
||||||
|
|
||||||
## 0.2.0
|
## 0.2.0
|
||||||
|
|
||||||
### Breaking Changes
|
### Breaking Changes
|
||||||
|
|||||||
@@ -1,4 +1,5 @@
|
|||||||
---
|
## 0.2.1
|
||||||
category: fix
|
|
||||||
---
|
### Bug Fixes
|
||||||
|
|
||||||
The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly.
|
The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly.
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.2.0
|
lastReleaseVersion: 0.2.1
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/ruby-all
|
name: codeql/ruby-all
|
||||||
version: 0.2.1-dev
|
version: 0.2.1
|
||||||
groups: ruby
|
groups: ruby
|
||||||
extractor: ruby
|
extractor: ruby
|
||||||
dbscheme: ruby.dbscheme
|
dbscheme: ruby.dbscheme
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
|
## 0.1.2
|
||||||
|
|
||||||
## 0.1.1
|
## 0.1.1
|
||||||
|
|
||||||
### New Queries
|
### New Queries
|
||||||
|
|||||||
1
ruby/ql/src/change-notes/released/0.1.2.md
Normal file
1
ruby/ql/src/change-notes/released/0.1.2.md
Normal file
@@ -0,0 +1 @@
|
|||||||
|
## 0.1.2
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.1.1
|
lastReleaseVersion: 0.1.2
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
name: codeql/ruby-queries
|
name: codeql/ruby-queries
|
||||||
version: 0.1.2-dev
|
version: 0.1.2
|
||||||
groups:
|
groups:
|
||||||
- ruby
|
- ruby
|
||||||
- queries
|
- queries
|
||||||
|
|||||||
Reference in New Issue
Block a user