Merge pull request #17182 from github/post-release-prep/codeql-cli-2.18.2

Post-release preparation for codeql-cli-2.18.2
2026-04-18 05:24:01 +02:00 · 2024-08-08 16:28:03 +01:00
parent c0a69f197d cc6d87c276
commit ffd811a55d
163 changed files with 425 additions and 180 deletions
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,12 @@
+## 1.1.2
+
+### Minor Analysis Improvements
+
+* Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the `java/sensitive-log` query. They normally relate to things like `java.util.StringTokenizer`, which are not sensitive information. This should fix some false positive alerts.
+* The query "Unused classes and interfaces" (`java/unused-reference-type`) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with `@test`.
+* Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query `java/error-message-exposure`.
+* Added the extensible abstract class `SensitiveLoggerSource`. Now this class can be extended to add more sources to the `java/sensitive-log` query or for customizations overrides.
+
 ## 1.1.1

 ### Minor Analysis Improvements
@@ -325,7 +334,7 @@ No user-facing changes.
 ### New Queries

 * Added a new query, `java/android/incomplete-provider-permissions`, to detect if an Android ContentProvider is not protected with a correct set of permissions.
-* A new query "Uncontrolled data used in content resolution" (`java/android/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's `ContentResolver` without previous validation or sanitization.
+* A new query "Uncontrolled data used in content resolution" (`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's `ContentResolver` without previous validation or sanitization.

 ## 0.4.1

--- a/java/ql/src/change-notes/2024-07-23-java-sensitivelogging-source.md
+++ b/java/ql/src/change-notes/2024-07-23-java-sensitivelogging-source.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added the extensible abstract class `SensitiveLoggerSource`. Now this class can be extended to add more sources to the `java/sensitive-log` query or for customizations overrides.
--- a/java/ql/src/change-notes/2024-07-25-java-error-message-exposure.md
+++ b/java/ql/src/change-notes/2024-07-25-java-error-message-exposure.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query `java/error-message-exposure`.
--- a/java/ql/src/change-notes/2024-07-30-sensitive-log-whitelist-tokenizer.md
+++ b/java/ql/src/change-notes/2024-07-30-sensitive-log-whitelist-tokenizer.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the `java/sensitive-log` query. They normally relate to things like `java.util.StringTokenizer`, which are not sensitive information. This should fix some false positive alerts.
--- a/java/ql/src/change-notes/2024-07-30-unused.md
+++ b/java/ql/src/change-notes/2024-07-30-unused.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The query "Unused classes and interfaces" (`java/unused-reference-type`) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with `@test`.
--- a/java/ql/src/change-notes/released/1.1.2.md
+++ b/java/ql/src/change-notes/released/1.1.2.md
@@ -0,0 +1,8 @@
+## 1.1.2
+
+### Minor Analysis Improvements
+
+* Variables names containing the string "tokenizer" (case-insensitively) are no longer sources for the `java/sensitive-log` query. They normally relate to things like `java.util.StringTokenizer`, which are not sensitive information. This should fix some false positive alerts.
+* The query "Unused classes and interfaces" (`java/unused-reference-type`) now recognizes that if a method of a class has an annotation then it may be accessed reflectively. This should remove false positive alerts, especially for JUnit 4-style tests annotated with `@test`.
+* Alerts about exposing `exception.getMessage()` in servlet responses are now split out of `java/stack-trace-exposure` into its own query `java/error-message-exposure`.
+* Added the extensible abstract class `SensitiveLoggerSource`. Now this class can be extended to add more sources to the `java/sensitive-log` query or for customizations overrides.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.1.1
+lastReleaseVersion: 1.1.2
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.1.2-dev
+version: 1.1.3-dev
 groups:
  - java
  - queries