Merge pull request #16099 from github/release-prep/2.17.0

Release preparation for version 2.17.0

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,18 @@
+## 0.12.10
+
+### New Features
+
+* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
+* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. 
+* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
+* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant. 
+* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
+* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
+
+### Minor Analysis Improvements
+
+* Added destructors for temporary objects with extended lifetimes to the intermediate representation.
+
 ## 0.12.9
 
 No user-facing changes.

cpp/ql/lib/change-notes/released/0.12.10.md

@@ -0,0 +1,14 @@
+## 0.12.10
+
+### New Features
+
+* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
+* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. 
+* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
+* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant. 
+* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
+* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
+
+### Minor Analysis Improvements
+
+* Added destructors for temporary objects with extended lifetimes to the intermediate representation.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.9
+lastReleaseVersion: 0.12.10

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.12.10-dev
+version: 0.12.10
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 0.9.9
+
+### New Queries
+
+* Added a new query, `cpp/type-confusion`, to detect casts to invalid types.
+
+### Query Metadata Changes
+
+* `@precision medium` metadata was added to the `cpp/boost/tls-settings-misconfiguration` and `cpp/boost/use-of-deprecated-hardcoded-security-protocol` queries, and these queries are now included in the security-extended suite. The `@name` metadata of these queries were also updated.
+
+### Minor Analysis Improvements
+
+* The "Missing return-value check for a 'scanf'-like function" query (`cpp/missing-check-scanf`) has been converted to a `path-problem` query.
+* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) has been converted to a `path-problem` query.
+* Added models for `GLib` allocation and deallocation functions.
+
 ## 0.9.8
 
 No user-facing changes.

cpp/ql/src/change-notes/released/0.9.9.md

@@ -0,0 +1,15 @@
+## 0.9.9
+
+### New Queries
+
+* Added a new query, `cpp/type-confusion`, to detect casts to invalid types.
+
+### Query Metadata Changes
+
+* `@precision medium` metadata was added to the `cpp/boost/tls-settings-misconfiguration` and `cpp/boost/use-of-deprecated-hardcoded-security-protocol` queries, and these queries are now included in the security-extended suite. The `@name` metadata of these queries were also updated.
+
+### Minor Analysis Improvements
+
+* The "Missing return-value check for a 'scanf'-like function" query (`cpp/missing-check-scanf`) has been converted to a `path-problem` query.
+* The "Potentially uninitialized local variable" query (`cpp/uninitialized-local`) has been converted to a `path-problem` query.
+* Added models for `GLib` allocation and deallocation functions.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.9.8
+lastReleaseVersion: 0.9.9

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.9.9-dev
+version: 0.9.9
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.13
+
+No user-facing changes.
+
 ## 1.7.12
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.13.md

@@ -0,0 +1,3 @@
+## 1.7.13
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.12
+lastReleaseVersion: 1.7.13

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.13-dev
+version: 1.7.13
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.13
+
+No user-facing changes.
+
 ## 1.7.12
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.13.md

@@ -0,0 +1,3 @@
+## 1.7.13
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.12
+lastReleaseVersion: 1.7.13

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.13-dev
+version: 1.7.13
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,21 @@
+## 0.9.0
+
+### Breaking Changes
+
+* The CIL extractor has been deleted and the corresponding extractor option `cil` has been removed. It is no longer possible to do CIL extraction.
+* The QL library C# classes no longer extend their corresponding `DotNet` classes. Furthermore, CIL related data flow functionality has been deleted and all `DotNet` and `CIL` related classes have been deprecated. This effectively means that it no longer has any effect to enable CIL extraction.
+
+### Minor Analysis Improvements
+
+* Added new source models for the `Dapper` package. These models can be enabled by enabling the `database` threat model.
+* Additional models have been added for `System.IO`. These are primarily source models with the `file` threat model, and summaries related to reading from a file or stream.
+* Support for C# 12 / .NET8.
+* Added the `windows-registry` source kind and threat model to represent values which come from the registry on Windows.
+* The models for `System.Net.Http.HttpRequestMessage` have been modified to better model the flow of tainted URIs.
+* The .NET standard libraries APIs for accessing command line arguments and environment variables have been modeled using the `commandargs` and `environment` threat models.
+* The `cs/assembly-path-injection` query has been modified so that it's sources rely on `ThreatModelFlowSource`. In order to restore results from command line arguments, you should enable the `commandargs` threat model.
+* The models for `System.IO.TextReader` have been modified to better model the flow of tainted text from a `TextReader`.
+
 ## 0.8.12
 
 No user-facing changes.

csharp/ql/lib/change-notes/released/0.9.0.md

@@ -0,0 +1,17 @@
+## 0.9.0
+
+### Breaking Changes
+
+* The CIL extractor has been deleted and the corresponding extractor option `cil` has been removed. It is no longer possible to do CIL extraction.
+* The QL library C# classes no longer extend their corresponding `DotNet` classes. Furthermore, CIL related data flow functionality has been deleted and all `DotNet` and `CIL` related classes have been deprecated. This effectively means that it no longer has any effect to enable CIL extraction.
+
+### Minor Analysis Improvements
+
+* Added new source models for the `Dapper` package. These models can be enabled by enabling the `database` threat model.
+* Additional models have been added for `System.IO`. These are primarily source models with the `file` threat model, and summaries related to reading from a file or stream.
+* Support for C# 12 / .NET8.
+* Added the `windows-registry` source kind and threat model to represent values which come from the registry on Windows.
+* The models for `System.Net.Http.HttpRequestMessage` have been modified to better model the flow of tainted URIs.
+* The .NET standard libraries APIs for accessing command line arguments and environment variables have been modeled using the `commandargs` and `environment` threat models.
+* The `cs/assembly-path-injection` query has been modified so that it's sources rely on `ThreatModelFlowSource`. In order to restore results from command line arguments, you should enable the `commandargs` threat model.
+* The models for `System.IO.TextReader` have been modified to better model the flow of tainted text from a `TextReader`.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.12
+lastReleaseVersion: 0.9.0

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.8.13-dev
+version: 0.9.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,14 @@
+## 0.8.13
+
+### Major Analysis Improvements
+
+* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`, `cs/second-order-sql-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `file` and `database` threat models in your threat model configuration.
+
+### Minor Analysis Improvements
+
+* The alert message of `cs/wrong-compareto-signature` has been changed to remove unnecessary element references.
+* Data flow queries that track flow from *local* flow sources now use the current *threat model* configuration instead. This may lead to changes in the produced alerts if the threat model configuration only uses *remote* flow sources. The changed queries are `cs/code-injection`, `cs/resource-injection`, `cs/sql-injection`, and `cs/uncontrolled-format-string`.
+
 ## 0.8.12
 
 No user-facing changes.

csharp/ql/src/change-notes/released/0.8.13.md

@@ -0,0 +1,10 @@
+## 0.8.13
+
+### Major Analysis Improvements
+
+* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`, `cs/second-order-sql-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `file` and `database` threat models in your threat model configuration.
+
+### Minor Analysis Improvements
+
+* The alert message of `cs/wrong-compareto-signature` has been changed to remove unnecessary element references.
+* Data flow queries that track flow from *local* flow sources now use the current *threat model* configuration instead. This may lead to changes in the produced alerts if the threat model configuration only uses *remote* flow sources. The changed queries are `cs/code-injection`, `cs/resource-injection`, `cs/sql-injection`, and `cs/uncontrolled-format-string`.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.12
+lastReleaseVersion: 0.8.13

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.8.13-dev
+version: 0.8.13
 groups:
   - csharp
   - queries

go/ql/consistency-queries/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.0.12
+
+No user-facing changes.
+
 ## 0.0.11
 
 No user-facing changes.

go/ql/consistency-queries/change-notes/released/0.0.12.md

@@ -0,0 +1,3 @@
+## 0.0.12
+
+No user-facing changes.

go/ql/consistency-queries/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.11
+lastReleaseVersion: 0.0.12

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 0.0.12-dev
+version: 0.0.12
 groups:
   - go
   - queries

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.7.13
+
+### Minor Analysis Improvements
+
+* The `CODEQL_EXTRACTOR_GO_FAST_PACKAGE_INFO` option, which speeds up retrieval of dependency information, is now on by default. This was originally an external contribution by @xhd2015.
+* Added dataflow sources for the package `gopkg.in/macaron.v1`.
+
 ## 0.7.12
 
 No user-facing changes.

go/ql/lib/change-notes/2024-03-20-dependecy-retrieval-improvement.md → go/ql/lib/change-notes/released/0.7.13.md

@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
+## 0.7.13
+
+### Minor Analysis Improvements
+
 * The `CODEQL_EXTRACTOR_GO_FAST_PACKAGE_INFO` option, which speeds up retrieval of dependency information, is now on by default. This was originally an external contribution by @xhd2015.
+* Added dataflow sources for the package `gopkg.in/macaron.v1`.