Release preparation for version 2.11.0

2026-04-28 18:25:24 +02:00 · 2022-09-22 20:14:12 +00:00
parent cee0e8e137
commit f5cf8cffa3
126 changed files with 546 additions and 286 deletions
--- a/ruby/ql/lib/CHANGELOG.md
+++ b/ruby/ql/lib/CHANGELOG.md
@@ -1,3 +1,24 @@
+## 0.4.0
+
+### Breaking Changes
+
+* `import ruby` no longer brings the standard Ruby AST library into scope; it instead brings a module `Ast` into scope, which must be imported. Alternatively, it is also possible to import `codeql.ruby.AST`.
+* Changed the `HTTP::Client::Request` concept from using `MethodCall` as base class, to using `DataFlow::Node` as base class. Any class that extends `HTTP::Client::Request::Range` must be changed, but if you only use the member predicates of `HTTP::Client::Request`, no changes are required.
+
+### Deprecated APIs
+
+* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### Minor Analysis Improvements
+
+* Uses of `ActionView::FileSystemResolver` are now recognized as filesystem accesses.
+* Accesses of ActiveResource models are now recognized as HTTP requests.
+
+### Bug Fixes
+
+* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
 ## 0.3.5

 ## 0.3.4
--- a/ruby/ql/lib/change-notes/2022-08-16-active-resource.md
+++ b/ruby/ql/lib/change-notes/2022-08-16-active-resource.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Accesses of ActiveResource models are now recognized as HTTP requests.
--- a/ruby/ql/lib/change-notes/2022-08-18-change-http-client-request.md
+++ b/ruby/ql/lib/change-notes/2022-08-18-change-http-client-request.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* Changed the `HTTP::Client::Request` concept from using `MethodCall` as base class, to using `DataFlow::Node` as base class. Any class that extends `HTTP::Client::Request::Range` must be changed, but if you only use the member predicates of `HTTP::Client::Request`, no changes are required.
--- a/ruby/ql/lib/change-notes/2022-09-08-implicit-read-flowstates.md
+++ b/ruby/ql/lib/change-notes/2022-09-08-implicit-read-flowstates.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
--- a/ruby/ql/lib/change-notes/2022-09-12-uppercase.md
+++ b/ruby/ql/lib/change-notes/2022-09-12-uppercase.md
@@ -1,5 +0,0 @@
---
-category: deprecated
---
-* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
-  The old name still exists as a deprecated alias.
--- a/ruby/ql/lib/change-notes/2022-09-13-filesystemresolver.md
+++ b/ruby/ql/lib/change-notes/2022-09-13-filesystemresolver.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Uses of `ActionView::FileSystemResolver` are now recognized as filesystem accesses.
--- a/ruby/ql/lib/change-notes/2022-09-14-ruby-qll.md
+++ b/ruby/ql/lib/change-notes/2022-09-14-ruby-qll.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* `import ruby` no longer brings the standard Ruby AST library into scope; it instead brings a module `Ast` into scope, which must be imported. Alternatively, it is also possible to import `codeql.ruby.AST`.
--- a/ruby/ql/lib/change-notes/released/0.4.0.md
+++ b/ruby/ql/lib/change-notes/released/0.4.0.md
@@ -0,0 +1,20 @@
+## 0.4.0
+
+### Breaking Changes
+
+* `import ruby` no longer brings the standard Ruby AST library into scope; it instead brings a module `Ast` into scope, which must be imported. Alternatively, it is also possible to import `codeql.ruby.AST`.
+* Changed the `HTTP::Client::Request` concept from using `MethodCall` as base class, to using `DataFlow::Node` as base class. Any class that extends `HTTP::Client::Request::Range` must be changed, but if you only use the member predicates of `HTTP::Client::Request`, no changes are required.
+
+### Deprecated APIs
+
+* Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. 
+  The old name still exists as a deprecated alias.
+
+### Minor Analysis Improvements
+
+* Uses of `ActionView::FileSystemResolver` are now recognized as filesystem accesses.
+* Accesses of ActiveResource models are now recognized as HTTP requests.
+
+### Bug Fixes
+
+* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
--- a/ruby/ql/lib/codeql-pack.release.yml
+++ b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.5
+lastReleaseVersion: 0.4.0
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 0.4.0-dev
+version: 0.4.0
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme
--- a/ruby/ql/src/CHANGELOG.md
+++ b/ruby/ql/src/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 0.4.0
+
+### New Queries
+
+* Added a new query, `rb/hardcoded-data-interpreted-as-code`, to detect cases where hardcoded data is executed as code, a technique associated with backdoors.
+
+### Minor Analysis Improvements
+
+* The `rb/unsafe-deserialization` query now includes alerts for user-controlled data passed to `Hash.from_trusted_xml`, since that method can deserialize YAML embedded in the XML, which in turn can result in deserialization of arbitrary objects.
+* The alert message of many queries have been changed to make the message consistent with other languages.
+
 ## 0.3.4

 ## 0.3.3
--- a/ruby/ql/src/change-notes/2022-07-26-hardcoded-data.md
+++ b/ruby/ql/src/change-notes/2022-07-26-hardcoded-data.md
@@ -1,4 +0,0 @@
---
-category: newQuery
---
-* Added a new query, `rb/hardcoded-data-interpreted-as-code`, to detect cases where hardcoded data is executed as code, a technique associated with backdoors.
--- a/ruby/ql/src/change-notes/2022-08-23-alert-messages.md
+++ b/ruby/ql/src/change-notes/2022-08-23-alert-messages.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The alert message of many queries have been changed to make the message consistent with other languages.
--- a/ruby/ql/src/change-notes/2022-09-21-hash-from-trusted-xml.md
+++ b/ruby/ql/src/change-notes/2022-09-21-hash-from-trusted-xml.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `rb/unsafe-deserialization` query now includes alerts for user-controlled data passed to `Hash.from_trusted_xml`, since that method can deserialize YAML embedded in the XML, which in turn can result in deserialization of arbitrary objects.
--- a/ruby/ql/src/change-notes/released/0.4.0.md
+++ b/ruby/ql/src/change-notes/released/0.4.0.md
@@ -0,0 +1,10 @@
+## 0.4.0
+
+### New Queries
+
+* Added a new query, `rb/hardcoded-data-interpreted-as-code`, to detect cases where hardcoded data is executed as code, a technique associated with backdoors.
+
+### Minor Analysis Improvements
+
+* The `rb/unsafe-deserialization` query now includes alerts for user-controlled data passed to `Hash.from_trusted_xml`, since that method can deserialize YAML embedded in the XML, which in turn can result in deserialization of arbitrary objects.
+* The alert message of many queries have been changed to make the message consistent with other languages.
--- a/ruby/ql/src/codeql-pack.release.yml
+++ b/ruby/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.4
+lastReleaseVersion: 0.4.0
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 0.4.0-dev
+version: 0.4.0
 groups: 
  - ruby
  - queries