mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
4.8 KiB
4.8 KiB
0.4.1
Minor Analysis Improvements
DateTimeexpressions are now considered simple type sanitizers. This affects a wide range of security queries.- ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
0.4.0
Deprecated APIs
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
Bug Fixes
- Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
0.3.5
0.3.4
Deprecated APIs
- Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
Minor Analysis Improvements
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
0.3.3
0.3.2
0.3.1
0.3.0
Deprecated APIs
- The
BarrierGuardclass has been deprecated. Such barriers and sanitizers can now instead be created using the newBarrierGuardparameterized module.
0.2.3
0.2.2
0.2.1
0.2.0
Breaking Changes
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
0.1.0
Breaking Changes
- The recently added flow-state versions of
isBarrierIn,isBarrierOut,isSanitizerIn, andisSanitizerOutin the data flow and taint tracking libraries have been removed.
0.0.13
0.0.12
Breaking Changes
- The flow state variants of
isBarrierandisAdditionalFlowStepare no longer exposed in the taint tracking library. TheisSanitizerandisAdditionalTaintSteppredicates should be used instead.
Deprecated APIs
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
New Features
- The data flow and taint tracking libraries have been extended with versions of
isBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.
Minor Analysis Improvements
- All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
0.0.11
Breaking Changes
- The C# extractor no longer supports the following legacy environment variables:
ODASA_BUILD_ERROR_DIR
ODASA_CSHARP_LAYOUT
ODASA_SNAPSHOT
SEMMLE_DIST
SEMMLE_EXTRACTOR_OPTIONS
SEMMLE_PLATFORM_TOOLS
SEMMLE_PRESERVE_SYMLINKS
SOURCE_ARCHIVE
TRAP_FOLDER
codeql test runnow extracts source code recursively from sub folders. This may break existing tests that have other tests in nested sub folders, as those will now get the nested test code included.
0.0.10
0.0.9
Major Analysis Improvements
- Added support for C# 10 lambda improvements
- Explicit return types on lambda expressions.
- Lambda expression can be tagged with method and return value attributes.
- Added support for C# 10 Extended property patterns.
- Return value attributes are extracted.
- The QL
Attributeclass now has subclasses for each kind of attribute.
0.0.8
Deprecated APIs
- The
codeql/csharp-upgradesCodeQL pack has been removed. All upgrades scripts have been merged into thecodeql/csharp-allCodeQL pack.
Major Analysis Improvements
Added support for the following C# 10 features.
- Record structs.
- Improvements of structure types.
- Instance parameterless constructor in a structure type.
- Enhance
WithExprin QL to supportstructsand anonymous classes.
- Global using directives.
- File-scoped namespace declaration.
- Enhanced #line pragma.
Minor Analysis Improvements
- The query
cs/local-shadows-memberno longer highlights parameters ofrecordtypes.