Merge pull request #9332 from github/post-release-prep/codeql-cli-2.9.3

Post-release preparation for codeql-cli-2.9.3
2026-04-28 02:05:14 +02:00 · 2022-05-31 16:17:50 +01:00
parent 78fd0385fc ed2f3409bc
commit f417c12c5e
80 changed files with 205 additions and 105 deletions
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 0.2.2
+
+### Deprecated APIs
+
+* The QL class `FloatingPointLiteral` has been renamed to `FloatLiteral`.
+
+### Minor Analysis Improvements
+
+* Fixed a sanitizer of the query `java/android/intent-redirection`. Now, for an intent to be considered
+  safe against intent redirection, both its package name and class name must be checked.
+
 ## 0.2.1

 ### New Features
--- a/java/ql/lib/change-notes/2022-04-29-intent-redirection-sanitizer-fix.md
+++ b/java/ql/lib/change-notes/2022-04-29-intent-redirection-sanitizer-fix.md
@@ -1,5 +0,0 @@
---
-category: minorAnalysis
---
-Fixed a sanitizer of the query `java/android/intent-redirection`. Now, for an intent to be considered
-safe against intent redirection, both its package name and class name must be checked.
--- a/java/ql/lib/change-notes/2022-05-16-floating-point-literal-rename.md
+++ b/java/ql/lib/change-notes/2022-05-16-floating-point-literal-rename.md
@@ -1,4 +0,0 @@
---
-category: deprecated
---
-* The QL class `FloatingPointLiteral` has been renamed to `FloatLiteral`.
--- a/java/ql/lib/change-notes/released/0.2.2.md
+++ b/java/ql/lib/change-notes/released/0.2.2.md
@@ -0,0 +1,10 @@
+## 0.2.2
+
+### Deprecated APIs
+
+* The QL class `FloatingPointLiteral` has been renamed to `FloatLiteral`.
+
+### Minor Analysis Improvements
+
+* Fixed a sanitizer of the query `java/android/intent-redirection`. Now, for an intent to be considered
+  safe against intent redirection, both its package name and class name must be checked.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.2.1
+lastReleaseVersion: 0.2.2
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.2.2-dev
+version: 0.2.3-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -777,10 +777,10 @@ module Private {
    predicate prohibitsUseUseFlow(ArgNode arg, SummarizedCallable sc) {
      exists(ParamNode p, Node mid, ParameterPosition ppos, Node ret |
        p = summaryArgParam0(_, arg, sc) and
-        p.isParameterOf(_, ppos) and
+        p.isParameterOf(_, pragma[only_bind_into](ppos)) and
        summaryLocalStep(p, mid, true) and
        summaryLocalStep(mid, ret, true) and
-        isParameterPostUpdate(ret, _, ppos)
+        isParameterPostUpdate(ret, _, pragma[only_bind_into](ppos))
      |
        summaryClearsContent(mid, _) or
        summaryExpectsContent(mid, _)
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 0.1.3
+
+### New Queries
+
+* Two new queries "Inefficient regular expression" (`java/redos`) and "Polynomial regular expression used on uncontrolled data" (`java/polynomial-redos`) have been added.
+These queries help find instances of Regular Expression Denial of Service vulnerabilities. 
+
+### Minor Analysis Improvements
+
+* Query `java/sensitive-log` has received several improvements.
+  * It no longer considers usernames as sensitive information.
+  * The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
+  * A sanitizer has been added to handle certain elements introduced by a Kotlin compiler plugin that have deceptive names.
+
 ## 0.1.2

 ### Query Metadata Changes
@@ -39,7 +53,7 @@ this respect.

 ### Minor Analysis Improvements

-* Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.
+ * Updated "Local information disclosure in a temporary directory" (`java/local-temp-file-or-directory-information-disclosure`) to remove false-positives when OS is properly used as logical guard.

 ## 0.0.11

--- a/java/ql/src/change-notes/2022-03-03-redos.md
+++ b/java/ql/src/change-notes/2022-03-03-redos.md
@@ -1,6 +0,0 @@
---
-category: newQuery
---
-
-* Two new queries "Inefficient regular expression" (`java/redos`) and "Polynomial regular expression used on uncontrolled data" (`java/polynomial-redos`) have been added.
-These queries help find instances of Regular Expression Denial of Service vulnerabilities. 
--- a/java/ql/src/change-notes/2022-05-12-sensitive-log-improvements.md
+++ b/java/ql/src/change-notes/2022-05-12-sensitive-log-improvements.md
@@ -1,6 +1,12 @@
---
-category: minorAnalysis
---
+## 0.1.3
+
+### New Queries
+
+* Two new queries "Inefficient regular expression" (`java/redos`) and "Polynomial regular expression used on uncontrolled data" (`java/polynomial-redos`) have been added.
+These queries help find instances of Regular Expression Denial of Service vulnerabilities. 
+
+### Minor Analysis Improvements
+
 * Query `java/sensitive-log` has received several improvements.
  * It no longer considers usernames as sensitive information.
  * The conditions to consider a variable a constant (and therefore exclude it as user-provided sensitive information) have been tightened.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.1.2
+lastReleaseVersion: 0.1.3
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.1.3-dev
+version: 0.1.4-dev
 groups: 
  - java
  - queries