Merge pull request #17182 from github/post-release-prep/codeql-cli-2.18.2

Post-release preparation for codeql-cli-2.18.2
2026-04-26 01:05:15 +02:00 · 2024-08-08 16:28:03 +01:00
parent c0a69f197d cc6d87c276
commit ffd811a55d
163 changed files with 425 additions and 180 deletions
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,23 @@
+## 3.0.0
+
+### Breaking Changes
+
+* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable.
+
+### New Features
+
+* Java support for `build-mode: none` is now out of beta, and generally available.
+
+### Major Analysis Improvements
+
+* We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
+
+### Minor Analysis Improvements
+
+* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.
+* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`.
+* Adds models for request handlers using the `org.lastaflute.web` web framework.
+
 ## 2.0.0

 ### Breaking Changes
--- a/java/ql/lib/change-notes/2024-07-16-add-models-for-the-lastaflute-framework.md
+++ b/java/ql/lib/change-notes/2024-07-16-add-models-for-the-lastaflute-framework.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Adds models for request handlers using the `org.lastaflute.web` web framework.
--- a/java/ql/lib/change-notes/2024-07-19-apache-ant-property-sinks.md
+++ b/java/ql/lib/change-notes/2024-07-19-apache-ant-property-sinks.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`.
--- a/java/ql/lib/change-notes/2024-07-24-url-fields-inherit-taint.md
+++ b/java/ql/lib/change-notes/2024-07-24-url-fields-inherit-taint.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.
--- a/java/ql/lib/change-notes/2024-07-25-env-vars.md
+++ b/java/ql/lib/change-notes/2024-07-25-env-vars.md
@@ -1,4 +0,0 @@
---
-category: breaking
---
-* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable.
--- a/java/ql/lib/change-notes/2024-08-02-buildless-ga.md
+++ b/java/ql/lib/change-notes/2024-08-02-buildless-ga.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Java support for `build-mode: none` is now out of beta, and generally available.
--- a/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
+++ b/java/ql/lib/change-notes/2024-06-14-reverse-dns-separate-threat-model-kind.md
@@ -1,4 +1,19 @@
---
-category: majorAnalysis
---
+## 3.0.0
+
+### Breaking Changes
+
+* The Java and Kotlin extractors no longer support the `SOURCE_ARCHIVE` and `TRAP_FOLDER` legacy environment variable.
+
+### New Features
+
+* Java support for `build-mode: none` is now out of beta, and generally available.
+
+### Major Analysis Improvements
+
 * We previously considered reverse DNS resolutions (IP address -> domain name) as sources of untrusted data, since compromised/malicious DNS servers could potentially return malicious responses to arbitrary requests. We have now removed this source from the default set of untrusted sources and made a new threat model kind for them, called "reverse-dns". You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see [Analyzing your code with CodeQL queries](https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>) and [Customizing your advanced setup for code scanning](https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models).
+
+### Minor Analysis Improvements
+
+* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.
+* Added path-injection sinks for `org.apache.tools.ant.taskdefs.Property.setFile` and `org.apache.tools.ant.taskdefs.Property.setResource`.
+* Adds models for request handlers using the `org.lastaflute.web` web framework.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.0.0
+lastReleaseVersion: 3.0.0
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 2.0.1-dev
+version: 3.0.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java