Merge pull request #21657 from github/release-prep/2.25.2

Release preparation for version 2.25.2

.pre-commit-config.yaml

@@ -7,9 +7,9 @@ repos:
     rev: v3.2.0
     hooks:
       - id: trailing-whitespace
-        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test([^/]*)/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
       - id: end-of-file-fixer
-        exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: Cargo.lock$|/test([^/]*)/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6

MODULE.bazel

@@ -242,6 +242,7 @@ use_repo(
     "kotlin-compiler-2.2.0-Beta1",
     "kotlin-compiler-2.2.20-Beta2",
     "kotlin-compiler-2.3.0",
+    "kotlin-compiler-2.3.20",
     "kotlin-compiler-embeddable-1.8.0",
     "kotlin-compiler-embeddable-1.9.0-Beta",
     "kotlin-compiler-embeddable-1.9.20-Beta",
@@ -252,6 +253,7 @@ use_repo(
     "kotlin-compiler-embeddable-2.2.0-Beta1",
     "kotlin-compiler-embeddable-2.2.20-Beta2",
     "kotlin-compiler-embeddable-2.3.0",
+    "kotlin-compiler-embeddable-2.3.20",
     "kotlin-stdlib-1.8.0",
     "kotlin-stdlib-1.9.0-Beta",
     "kotlin-stdlib-1.9.20-Beta",
@@ -262,6 +264,7 @@ use_repo(
     "kotlin-stdlib-2.2.0-Beta1",
     "kotlin-stdlib-2.2.20-Beta2",
     "kotlin-stdlib-2.3.0",
+    "kotlin-stdlib-2.3.20",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.4.33
+
+No user-facing changes.
+
 ## 0.4.32
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.33.md

@@ -0,0 +1,3 @@
+## 0.4.33
+
+No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.32
+lastReleaseVersion: 0.4.33

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.33-dev
+version: 0.4.33
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.6.25
+
+No user-facing changes.
+
 ## 0.6.24
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.25.md

@@ -0,0 +1,3 @@
+## 0.6.25
+
+No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.24
+lastReleaseVersion: 0.6.25

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.25-dev
+version: 0.6.25
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 9.0.0
+
+### Breaking Changes
+
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
+
+### New Features
+
+* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
+
+### Minor Analysis Improvements
+
+* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
+* Added dataflow through members initialized via non-static data member initialization (NSDMI).
+
 ## 8.0.3
 
 No user-facing changes.

cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.

cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md

@@ -1,5 +0,0 @@
----
-category: feature
----
-* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
-* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.

cpp/ql/lib/change-notes/2026-03-24-field-init.md

@@ -1,5 +0,0 @@
----
-category: feature
----
-* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
-* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.

cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added dataflow through members initialized via non-static data member initialization (NSDMI).

cpp/ql/lib/change-notes/2026-03-31-http-flow-sources.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.

cpp/ql/lib/change-notes/2026-03-31-meson.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.

cpp/ql/lib/change-notes/released/9.0.0.md

@@ -0,0 +1,19 @@
+## 9.0.0
+
+### Breaking Changes
+
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
+
+### New Features
+
+* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
+
+### Minor Analysis Improvements
+
+* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
+* Added dataflow through members initialized via non-static data member initialization (NSDMI).

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.0.3
+lastReleaseVersion: 9.0.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 8.0.4-dev
+version: 9.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Minor Analysis Improvements
+
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
+
 ## 1.5.15
 
 No user-facing changes.

cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).

cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.

cpp/ql/src/change-notes/2026-03-30-warning-diagnostics.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.

cpp/ql/src/change-notes/released/1.6.0.md

@@ -0,0 +1,13 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Minor Analysis Improvements
+
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.15
+lastReleaseVersion: 1.6.0

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.16-dev
+version: 1.6.0
 groups:
   - cpp
   - queries

csharp/justfile

@@ -1,7 +0,0 @@
-import '../lib.just'
-
-[group('build')]
-build: (_build_dist "csharp")
-
-[group('test')]
-language-tests *EXTRA_ARGS: (_language_tests EXTRA_ARGS source_dir() 'ql/test')

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.64
+
+No user-facing changes.
+
 ## 1.7.63
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.64.md

@@ -0,0 +1,3 @@
+## 1.7.64
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.63
+lastReleaseVersion: 1.7.64

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.64-dev
+version: 1.7.64
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.64
+
+No user-facing changes.
+
 ## 1.7.63
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.64.md

@@ -0,0 +1,3 @@
+## 1.7.64
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.63
+lastReleaseVersion: 1.7.64

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.64-dev
+version: 1.7.64
 groups:
   - csharp
   - solorigate

csharp/ql/justfile

@@ -1,6 +0,0 @@
-import "../../lib.just"
-
-[no-cd]
-format *ARGS=".": (_format_ql ARGS)
-
-consistency_queries := source_dir() / "consistency-queries"

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 5.4.12
+
+### Minor Analysis Improvements
+
+* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
+* The `cs/log-forging` query no longer treats arguments to extension methods with
+  source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
+  through extension method bodies, reducing false positives when extension methods
+  sanitize input internally.
+
 ## 5.4.11
 
 No user-facing changes.

csharp/ql/lib/change-notes/2026-03-26-expanded-assignments.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.

csharp/ql/lib/change-notes/released/5.4.12.md

@@ -1,6 +1,8 @@
----
-category: minorAnalysis
----
+## 5.4.12
+
+### Minor Analysis Improvements
+
+* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
 * The `cs/log-forging` query no longer treats arguments to extension methods with
   source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
   through extension method bodies, reducing false positives when extension methods

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.11
+lastReleaseVersion: 5.4.12

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.12-dev
+version: 5.4.12
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 1.7.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Major Analysis Improvements
+
+* The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.
+
 ## 1.6.6
 
 No user-facing changes.

csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -1,5 +0,0 @@
----
-category: queryMetadata
----
-* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).

csharp/ql/src/change-notes/released/1.7.0.md

@@ -1,4 +1,10 @@
----
-category: majorAnalysis
----
+## 1.7.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Major Analysis Improvements
+
 * The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.6
+lastReleaseVersion: 1.7.0

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.6.7-dev
+version: 1.7.0
 groups:
   - csharp
   - queries

csharp/ql/test/justfile

@@ -1,13 +0,0 @@
-import "../justfile"
-
-base_flags := ""
-
-all_checks := default_db_checks + """\
-    --check-undefined-labels \
-    --check-repeated-labels \
-    --check-redefined-labels \
-    --additional-packs=ql \
-    --consistency-queries=""" + consistency_queries
-
-[no-cd]
-test *ARGS=".": (_codeql_test "csharp" base_flags all_checks ARGS)

docs/codeql/reusables/supported-versions-compilers.rst

@@ -21,7 +21,7 @@
    Java,"Java 7 to 26 [6]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [7]_",``.java``
-   Kotlin,"Kotlin 1.8.0 to 2.3.0\ *x*","kotlinc",``.kt``
+   Kotlin,"Kotlin 1.8.0 to 2.3.2\ *x*","kotlinc",``.kt``
    JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [8]_"
    Python [9]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
    Ruby [10]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"

go/extractor/registries/registryproxy_test.go

@@ -75,3 +75,59 @@ func TestParseRegistryConfigsMultiple(t *testing.T) {
 		t.Fatalf("Expected `URL` to be `https://proxy.example.com/mod`, but got `%s`", second.URL)
 	}
 }
+
+func TestParseRegistryConfigsMultipleGitSources(t *testing.T) {
+	multiple := parseRegistryConfigsSuccess(t, "[{ \"type\": \"git_source\", \"url\": \"https://github.com/github\" }, { \"type\": \"git_source\", \"url\": \"https://go.googlesource.com/go\" }]")
+
+	if len(multiple) != 2 {
+		t.Fatalf("Expected `parseRegistryConfigs` to return two configurations, but got %d.", len(multiple))
+	}
+
+	first := multiple[0]
+
+	if first.Type != "git_source" {
+		t.Fatalf("Expected `Type` to be `git_source`, but got `%s`", first.Type)
+	}
+
+	if first.URL != "https://github.com/github" {
+		t.Fatalf("Expected `URL` to be `https://github.com/github`, but got `%s`", first.URL)
+	}
+
+	second := multiple[1]
+
+	if second.Type != "git_source" {
+		t.Fatalf("Expected `Type` to be `git_source`, but got `%s`", second.Type)
+	}
+
+	if second.URL != "https://go.googlesource.com/go" {
+		t.Fatalf("Expected `URL` to be `https://go.googlesource.com/go`, but got `%s`", second.URL)
+	}
+}
+
+func TestParseRegistryConfigsMultipleGoProxyServers(t *testing.T) {
+	multiple := parseRegistryConfigsSuccess(t, "[{ \"type\": \"goproxy_server\", \"url\": \"https://proxy.example.com/mod\" }, { \"type\": \"goproxy_server\", \"url\": \"https://goproxy.io\" }]")
+
+	if len(multiple) != 2 {
+		t.Fatalf("Expected `parseRegistryConfigs` to return two configurations, but got %d.", len(multiple))
+	}
+
+	first := multiple[0]
+
+	if first.Type != "goproxy_server" {
+		t.Fatalf("Expected `Type` to be `goproxy_server`, but got `%s`", first.Type)
+	}
+
+	if first.URL != "https://proxy.example.com/mod" {
+		t.Fatalf("Expected `URL` to be `https://proxy.example.com/mod`, but got `%s`", first.URL)
+	}
+
+	second := multiple[1]
+
+	if second.Type != "goproxy_server" {
+		t.Fatalf("Expected `Type` to be `goproxy_server`, but got `%s`", second.Type)
+	}
+
+	if second.URL != "https://goproxy.io" {
+		t.Fatalf("Expected `URL` to be `https://goproxy.io`, but got `%s`", second.URL)
+	}
+}

go/justfile

@@ -1,7 +0,0 @@
-import '../lib.just'
-
-[group('build')]
-build: (_build_dist "go")
-
-[group('test')]
-language-tests *EXTRA_ARGS: (_language_tests EXTRA_ARGS source_dir() 'ql/test')

go/ql/consistency-queries/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.47
+
+No user-facing changes.
+
 ## 1.0.46
 
 No user-facing changes.

go/ql/consistency-queries/change-notes/released/1.0.47.md

@@ -0,0 +1,3 @@
+## 1.0.47
+
+No user-facing changes.

go/ql/consistency-queries/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.46
+lastReleaseVersion: 1.0.47

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.47-dev
+version: 1.0.47
 groups:
   - go
   - queries

go/ql/justfile

@@ -1,6 +0,0 @@
-import "../../lib.just"
-
-[no-cd]
-format *ARGS=".": (_format_ql ARGS)
-
-consistency_queries := source_dir() / "consistency-queries"

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 7.0.5
+
+No user-facing changes.
+
 ## 7.0.4
 
 No user-facing changes.

go/ql/lib/change-notes/released/7.0.5.md

@@ -0,0 +1,3 @@
+## 7.0.5
+
+No user-facing changes.

go/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.4
+lastReleaseVersion: 7.0.5

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.0.5-dev
+version: 7.0.5
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/src/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `go/html-template-escaping-bypass-xss`, `go/reflected-xss` and `go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
 ## 1.5.10
 
 No user-facing changes.

go/ql/src/change-notes/released/1.6.0.md

@@ -1,5 +1,6 @@
----
-category: queryMetadata
----
+## 1.6.0
+
+### Query Metadata Changes
+
 * The `@security-severity` metadata of `go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
 * The `@security-severity` metadata of `go/html-template-escaping-bypass-xss`, `go/reflected-xss` and `go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).

go/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.10
+lastReleaseVersion: 1.6.0

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.5.11-dev
+version: 1.6.0
 groups:
   - go
   - queries

go/ql/test/justfile

@@ -1,14 +0,0 @@
-import "../justfile"
-
-base_flags := ""
-
-all_checks := default_db_checks + """\
-    --check-undefined-labels \
-    --check-unused-labels \
-    --check-repeated-labels \
-    --check-redefined-labels \
-    --check-use-before-definition \
-    --consistency-queries=""" + consistency_queries
-
-[no-cd]
-test *ARGS=".": (_codeql_test "go" base_flags all_checks ARGS)

java/justfile

@@ -1,3 +0,0 @@
-import '../lib.just'
-
-build: (_build_dist "java")

java/kotlin-extractor/dev/wrapper.py

@@ -27,7 +27,7 @@ import shutil
 import io
 import os
 
-DEFAULT_VERSION = "2.3.10"
+DEFAULT_VERSION = "2.3.20"
 
 
 def options():

java/kotlin-extractor/src/main/kotlin/utils/GetByFqName.kt

@@ -1,3 +1,6 @@
+// referenceClass, referenceFunctions, referenceProperties are deprecated since Kotlin 2.3.20
+@file:Suppress("DEPRECATION")
+
 package com.github.codeql.utils
 
 import org.jetbrains.kotlin.backend.common.extensions.IrPluginContext

java/kotlin-extractor/versions.bzl

@@ -10,6 +10,7 @@ VERSIONS = [
     "2.2.0-Beta1",
     "2.2.20-Beta2",
     "2.3.0",
+    "2.3.20",
 ]
 
 def _version_to_tuple(v):

java/ql/integration-tests/kotlin/all-platforms/annotation-id-consistency/PrintAst.expected

@@ -281,7 +281,12 @@ test.kt:
 #   40|   11: [Class] HasKotlinDeprecatedAnnotationUsedByJava
 #-----|     -3: (Annotations)
 #   40|       1: [Annotation] Deprecated
-#   40|         1: [StringLiteral] "Kotlin deprecation message 1"
+#    0|         1: [Annotation] ReplaceWith
+#    0|           1: [StringLiteral] ""
+#    0|           2: [ArrayInit] {...}
+#    0|         2: [VarAccess] DeprecationLevel.WARNING
+#    0|           -1: [TypeAccess] DeprecationLevel
+#   40|         3: [StringLiteral] "Kotlin deprecation message 1"
 #   40|     1: [Constructor] HasKotlinDeprecatedAnnotationUsedByJava
 #   40|       5: [BlockStmt] { ... }
 #   40|         0: [SuperConstructorInvocationStmt] super(...)
@@ -298,7 +303,12 @@ test.kt:
 #   46|   13: [Class] HasKotlinDeprecatedAnnotationUsedByKotlin
 #-----|     -3: (Annotations)
 #   46|       1: [Annotation] Deprecated
-#   46|         1: [StringLiteral] "Kotlin deprecation message 2"
+#    0|         1: [Annotation] ReplaceWith
+#    0|           1: [StringLiteral] ""
+#    0|           2: [ArrayInit] {...}
+#    0|         2: [VarAccess] DeprecationLevel.WARNING
+#    0|           -1: [TypeAccess] DeprecationLevel
+#   46|         3: [StringLiteral] "Kotlin deprecation message 2"
 #   46|     1: [Constructor] HasKotlinDeprecatedAnnotationUsedByKotlin
 #   46|       5: [BlockStmt] { ... }
 #   46|         0: [SuperConstructorInvocationStmt] super(...)

java/ql/integration-tests/kotlin/all-platforms/diagnostics/kotlin-version-too-new/diagnostics.expected

@@ -1,5 +1,5 @@
 {
-  "markdownMessage": "The Kotlin version installed (`999.999.999`) is too recent for this version of CodeQL. Install a version lower than 2.3.20.",
+  "markdownMessage": "The Kotlin version installed (`999.999.999`) is too recent for this version of CodeQL. Install a version lower than 2.3.30.",
   "severity": "error",
   "source": {
     "extractorName": "java",

java/ql/justfile

@@ -1,6 +0,0 @@
-import "../../lib.just"
-
-[no-cd]
-format *ARGS=".": (_format_ql ARGS)
-
-consistency_queries := source_dir() / "consistency-queries"

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 9.0.3
+
+### Minor Analysis Improvements
+
+* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
+* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
+* The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.
+* Kotlin versions up to 2.3.20 are now supported.
+
 ## 9.0.2
 
 No user-facing changes.

java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.

java/ql/lib/change-notes/released/9.0.3.md

@@ -1,5 +1,8 @@
----
-category: minorAnalysis
----
+## 9.0.3
+
+### Minor Analysis Improvements
+
+* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
 * The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
 * The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.
+* Kotlin versions up to 2.3.20 are now supported.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.0.2
+lastReleaseVersion: 9.0.3

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.0.3-dev
+version: 9.0.3
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 1.11.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `java/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `java/android/webview-addjavascriptinterface`, `java/android/websettings-javascript-enabled` and `java/xss` has been increased from 6.1 (medium) to 7.8 (high).
+
 ## 1.10.11
 
 No user-facing changes.

java/ql/src/change-notes/released/1.11.0.md

@@ -1,5 +1,6 @@
----
-category: queryMetadata
----
+## 1.11.0
+
+### Query Metadata Changes
+
 * The `@security-severity` metadata of `java/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
 * The `@security-severity` metadata of `java/android/webview-addjavascriptinterface`, `java/android/websettings-javascript-enabled` and `java/xss` has been increased from 6.1 (medium) to 7.8 (high).

java/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.10.11
+lastReleaseVersion: 1.11.0

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.10.12-dev
+version: 1.11.0
 groups:
   - java
   - queries

java/ql/test/justfile

@@ -1,16 +0,0 @@
-import "../justfile"
-
-base_flags := """\
-     CODEQL_EXTRACTOR_KOTLIN_DIAGNOSTIC_LIMIT="\\ " \
-"""
-
-all_checks := default_db_checks + """\
-    --check-undefined-labels \
-    --check-repeated-labels \
-    --check-redefined-labels \
-    --check-use-before-definition \
-    --consistency-queries=""" + consistency_queries
-
-[no-cd]
-test *ARGS=".": (_codeql_test "java" base_flags all_checks ARGS)
-

javascript/justfile

@@ -1,7 +0,0 @@
-import '../lib.just'
-
-[group('build')]
-build: (_build_dist "javascript")
-
-[group('test')]
-language-tests *EXTRA_ARGS: (_language_tests EXTRA_ARGS source_dir() 'ql/test')

javascript/ql/justfile

@@ -1,6 +0,0 @@
-import "../../lib.just"
-
-[no-cd]
-format *ARGS=".": (_format_ql ARGS)
-
-consistency_queries := ""

javascript/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 2.6.27
+
+No user-facing changes.
+
 ## 2.6.26
 
 No user-facing changes.

javascript/ql/lib/change-notes/released/2.6.27.md

@@ -0,0 +1,3 @@
+## 2.6.27
+
+No user-facing changes.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.26
+lastReleaseVersion: 2.6.27

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.27-dev
+version: 2.6.27
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 2.3.7
+
+No user-facing changes.
+
 ## 2.3.6
 
 No user-facing changes.

javascript/ql/src/change-notes/released/2.3.7.md

@@ -0,0 +1,3 @@
+## 2.3.7
+
+No user-facing changes.

javascript/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.3.6
+lastReleaseVersion: 2.3.7

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.7-dev
+version: 2.3.7
 groups:
   - javascript
   - queries

javascript/ql/test/justfile

@@ -1,8 +0,0 @@
-import "../justfile"
-
-base_flags := ""
-
-all_checks := default_db_checks
-
-[no-cd]
-test *ARGS=".": (_codeql_test "javascript" base_flags all_checks ARGS)