diff --git a/cpp/ql/lib/CHANGELOG.md b/cpp/ql/lib/CHANGELOG.md
index 827d7ded490b..5dec13e72b52 100644
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.10.1
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
+
 ## 0.10.0

 ### Minor Analysis Improvements
diff --git a/cpp/ql/lib/change-notes/2023-10-09-outdated-deprecations.md b/cpp/ql/lib/change-notes/released/0.10.1.md
similarity index 84%
rename from cpp/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
rename to cpp/ql/lib/change-notes/released/0.10.1.md
index 7de425ff9f45..05d13789228b 100644
--- a/cpp/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
+++ b/cpp/ql/lib/change-notes/released/0.10.1.md
@@ -1,5 +1,6 @@
----
-category: minorAnalysis
----
+## 0.10.1
+
+### Minor Analysis Improvements
+
 * Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
 * Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
diff --git a/cpp/ql/lib/codeql-pack.release.yml b/cpp/ql/lib/codeql-pack.release.yml
index b21db6232459..af7510b3cd65 100644
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.10.0
+lastReleaseVersion: 0.10.1
diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml
index 6cd876f92679..bee00a069edc 100644
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.10.1-dev
+version: 0.10.1
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
diff --git a/cpp/ql/src/CHANGELOG.md b/cpp/ql/src/CHANGELOG.md
index cf5256e244d0..b5fba0867aca 100644
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.8.1
+
+### New Queries
+
+* The query `cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
+
+ Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.
+
 ## 0.8.0

 ### Query Metadata Changes
diff --git a/cpp/ql/src/change-notes/2023-10-16-redundant-null-check-simple.md b/cpp/ql/src/change-notes/released/0.8.1.md
similarity index 93%
rename from cpp/ql/src/change-notes/2023-10-16-redundant-null-check-simple.md
rename to cpp/ql/src/change-notes/released/0.8.1.md
index a2c35efdeafd..b8456ca8f7c4 100644
--- a/cpp/ql/src/change-notes/2023-10-16-redundant-null-check-simple.md
+++ b/cpp/ql/src/change-notes/released/0.8.1.md
@@ -1,6 +1,7 @@
----
-category: newQuery
----
+## 0.8.1
+
+### New Queries
+
 * The query `cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.

 Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.
diff --git a/cpp/ql/src/codeql-pack.release.yml b/cpp/ql/src/codeql-pack.release.yml
index 37eab3197dcb..2f693f95ba69 100644
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.0
+lastReleaseVersion: 0.8.1
diff --git a/cpp/ql/src/qlpack.yml b/cpp/ql/src/qlpack.yml
index 2c693b7de4df..20e9f7450fff 100644
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.8.1-dev
+version: 0.8.1
 groups:
 - cpp
 - queries
diff --git a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
index 61606368e4c6..6d013d8ce69a 100644
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.1
+
+No user-facing changes.
+
 ## 1.7.0

 No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.1.md b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.1.md
new file mode 100644
index 000000000000..5c9570fd0c35
--- /dev/null
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.1.md
@@ -0,0 +1,3 @@
+## 1.7.1
+
+No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
index d1184cc67507..7bdec0d85c73 100644
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.0
+lastReleaseVersion: 1.7.1
diff --git a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
index f4dd73b013e9..85e7c923a5fe 100644
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.1-dev
+version: 1.7.1
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
index 61606368e4c6..6d013d8ce69a 100644
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.1
+
+No user-facing changes.
+
 ## 1.7.0

 No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.1.md b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.1.md
new file mode 100644
index 000000000000..5c9570fd0c35
--- /dev/null
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.1.md
@@ -0,0 +1,3 @@
+## 1.7.1
+
+No user-facing changes.
diff --git a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
index d1184cc67507..7bdec0d85c73 100644
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.0
+lastReleaseVersion: 1.7.1
diff --git a/csharp/ql/campaigns/Solorigate/src/qlpack.yml b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
index c6a5d9038392..45156516ef2f 100644
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.1-dev
+version: 1.7.1
 groups:
 - csharp
 - solorigate
diff --git a/csharp/ql/lib/CHANGELOG.md b/csharp/ql/lib/CHANGELOG.md
index de8d30425f77..8c7b2cd062cc 100644
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.8.1
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
+
 ## 0.8.0

 No user-facing changes.
diff --git a/csharp/ql/lib/change-notes/2023-10-09-outdated-deprecations.md b/csharp/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
deleted file mode 100644
index 68748fbc4b8d..000000000000
--- a/csharp/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
diff --git a/go/ql/lib/change-notes/2023-10-09-outdated-deprecations.md b/csharp/ql/lib/change-notes/released/0.8.1.md
similarity index 77%
rename from go/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
rename to csharp/ql/lib/change-notes/released/0.8.1.md
index 68748fbc4b8d..272351f6e763 100644
--- a/go/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
+++ b/csharp/ql/lib/change-notes/released/0.8.1.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 0.8.1
+
+### Minor Analysis Improvements
+
 * Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
diff --git a/csharp/ql/lib/codeql-pack.release.yml b/csharp/ql/lib/codeql-pack.release.yml
index 37eab3197dcb..2f693f95ba69 100644
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.0
+lastReleaseVersion: 0.8.1
diff --git a/csharp/ql/lib/qlpack.yml b/csharp/ql/lib/qlpack.yml
index 16908da66d0d..1d7e566d0b4c 100644
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.8.1-dev
+version: 0.8.1
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
diff --git a/csharp/ql/src/CHANGELOG.md b/csharp/ql/src/CHANGELOG.md
index 4b03f57bd9e8..e1d837bb40b3 100644
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.8.1
+
+### Minor Analysis Improvements
+
+* The `cs/web/insecure-direct-object-reference` and `cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
+
 ## 0.8.0

 ### New Queries
diff --git a/csharp/ql/src/change-notes/2023-10-13-accesscontrol-idor-updates.md b/csharp/ql/src/change-notes/released/0.8.1.md
similarity index 60%
rename from csharp/ql/src/change-notes/2023-10-13-accesscontrol-idor-updates.md
rename to csharp/ql/src/change-notes/released/0.8.1.md
index ff88d4f90f1e..dcdfbc83265a 100644
--- a/csharp/ql/src/change-notes/2023-10-13-accesscontrol-idor-updates.md
+++ b/csharp/ql/src/change-notes/released/0.8.1.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* The `cs/web/insecure-direct-object-reference` and `cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
\ No newline at end of file
+## 0.8.1
+
+### Minor Analysis Improvements
+
+* The `cs/web/insecure-direct-object-reference` and `cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
diff --git a/csharp/ql/src/codeql-pack.release.yml b/csharp/ql/src/codeql-pack.release.yml
index 37eab3197dcb..2f693f95ba69 100644
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.0
+lastReleaseVersion: 0.8.1
diff --git a/csharp/ql/src/qlpack.yml b/csharp/ql/src/qlpack.yml
index ab9f80b9de57..f8363dcf421d 100644
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.8.1-dev
+version: 0.8.1
 groups:
 - csharp
 - queries
diff --git a/go/ql/lib/CHANGELOG.md b/go/ql/lib/CHANGELOG.md
index 5b4530cd2a97..20567a56d406 100644
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.7.1
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
+* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).
+* Added `GoKit.qll` to `go.qll` enabling the GoKit framework by default
+
 ## 0.7.0

 ### Minor Analysis Improvements
diff --git a/go/ql/lib/change-notes/2023-09-21-enable-gokit-framework-by-default.md b/go/ql/lib/change-notes/2023-09-21-enable-gokit-framework-by-default.md
deleted file mode 100644
index bd7682a4c22b..000000000000
--- a/go/ql/lib/change-notes/2023-09-21-enable-gokit-framework-by-default.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added `GoKit.qll` to `go.qll` enabling the GoKit framework by default
\ No newline at end of file
diff --git a/go/ql/lib/change-notes/2023-09-25-add-new-file-system-access-sinks.md b/go/ql/lib/change-notes/released/0.7.1.md
similarity index 57%
rename from go/ql/lib/change-notes/2023-09-25-add-new-file-system-access-sinks.md
rename to go/ql/lib/change-notes/released/0.7.1.md
index 4c7a89495a2e..41ed0e297c10 100644
--- a/go/ql/lib/change-notes/2023-09-25-add-new-file-system-access-sinks.md
+++ b/go/ql/lib/change-notes/released/0.7.1.md
@@ -1,4 +1,7 @@
----
-category: minorAnalysis
----
-* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).
\ No newline at end of file
+## 0.7.1
+
+### Minor Analysis Improvements
+
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
+* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).
+* Added `GoKit.qll` to `go.qll` enabling the GoKit framework by default
diff --git a/go/ql/lib/codeql-pack.release.yml b/go/ql/lib/codeql-pack.release.yml
index c761f3e7ab44..e007a9aec3e9 100644
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.0
+lastReleaseVersion: 0.7.1
diff --git a/go/ql/lib/qlpack.yml b/go/ql/lib/qlpack.yml
index fb6cd5638731..e1d937b12b81 100644
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 0.7.1-dev
+version: 0.7.1
 groups: go
 dbscheme: go.dbscheme
 extractor: go
diff --git a/go/ql/src/CHANGELOG.md b/go/ql/src/CHANGELOG.md
index 0e1e2c030977..7ceadcda7452 100644
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.7.1
+
+### Minor Analysis Improvements
+
+* The query "Incorrect conversion between integer types" (`go/incorrect-integer-conversion`) has been improved. It can now detect parsing an unsigned integer type (like `uint32`) and converting it to the signed integer type of the same size (like `int32`), which may lead to more results. It also treats `int` and `uint` more carefully, which may lead to more results or fewer incorrect results.
+
 ## 0.7.0

 No user-facing changes.
diff --git a/go/ql/src/change-notes/2023-10-03-incorrect-integer-conversion-improved.md b/go/ql/src/change-notes/released/0.7.1.md
similarity index 90%
rename from go/ql/src/change-notes/2023-10-03-incorrect-integer-conversion-improved.md
rename to go/ql/src/change-notes/released/0.7.1.md
index 1f0bc0cffe6b..d88d1ee55100 100644
--- a/go/ql/src/change-notes/2023-10-03-incorrect-integer-conversion-improved.md
+++ b/go/ql/src/change-notes/released/0.7.1.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 0.7.1
+
+### Minor Analysis Improvements
+
 * The query "Incorrect conversion between integer types" (`go/incorrect-integer-conversion`) has been improved. It can now detect parsing an unsigned integer type (like `uint32`) and converting it to the signed integer type of the same size (like `int32`), which may lead to more results. It also treats `int` and `uint` more carefully, which may lead to more results or fewer incorrect results.
diff --git a/go/ql/src/codeql-pack.release.yml b/go/ql/src/codeql-pack.release.yml
index c761f3e7ab44..e007a9aec3e9 100644
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.0
+lastReleaseVersion: 0.7.1
diff --git a/go/ql/src/qlpack.yml b/go/ql/src/qlpack.yml
index 9916dec16afb..1bb0feb1fbf4 100644
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 0.7.1-dev
+version: 0.7.1
 groups:
 - go
 - queries
diff --git a/java/ql/automodel/src/CHANGELOG.md b/java/ql/automodel/src/CHANGELOG.md
index ee2610f9bd65..89d062a2a24e 100644
--- a/java/ql/automodel/src/CHANGELOG.md
+++ b/java/ql/automodel/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.0.6
+
+No user-facing changes.
+
 ## 0.0.5

 No user-facing changes.
diff --git a/java/ql/automodel/src/change-notes/released/0.0.6.md b/java/ql/automodel/src/change-notes/released/0.0.6.md
new file mode 100644
index 000000000000..ccbce856079d
--- /dev/null
+++ b/java/ql/automodel/src/change-notes/released/0.0.6.md
@@ -0,0 +1,3 @@
+## 0.0.6
+
+No user-facing changes.
diff --git a/java/ql/automodel/src/codeql-pack.release.yml b/java/ql/automodel/src/codeql-pack.release.yml
index bb45a1ab0182..cf398ce02aa4 100644
--- a/java/ql/automodel/src/codeql-pack.release.yml
+++ b/java/ql/automodel/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.0.5
+lastReleaseVersion: 0.0.6
diff --git a/java/ql/automodel/src/qlpack.yml b/java/ql/automodel/src/qlpack.yml
index d5cf16380154..8a941153cabb 100644
--- a/java/ql/automodel/src/qlpack.yml
+++ b/java/ql/automodel/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-automodel-queries
-version: 0.0.6-dev
+version: 0.0.6
 groups:
 - java
 - automodel
diff --git a/java/ql/lib/CHANGELOG.md b/java/ql/lib/CHANGELOG.md
index 34b1f5487a91..aad04cf36ded 100644
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,41 @@
+## 0.8.1
+
+### New Features
+
+* Added predicate `MemberRefExpr::getReceiverExpr`
+
+### Minor Analysis Improvements
+
+* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
+* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
+* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
+* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
+* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
+* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
+* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
+* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
+* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
+* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
+ There are no changes to results unless you add source models using the `environment` or `file` source kinds.
+* Added `environment` source models for the following methods:
+ * `java.lang.System#getenv`
+ * `java.lang.System#getProperties`
+ * `java.lang.System#getProperty`
+ * `java.util.Properties#get`
+ * `java.util.Properties#getProperty`
+* Added `file` source models for the following methods:
+ * the `java.io.FileInputStream` constructor
+ * `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
+ * `hudson.FilePath#openInputStream`
+ * `hudson.FilePath#read`
+ * `hudson.FilePath#readFromOffset`
+ * `hudson.FilePath#readToString`
+* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
+ There are no changes to results unless you add source models using the `database` source kind.
+* Added `database` source models for the following method:
+ * `java.sql.ResultSet#getString`
+
 ## 0.8.0

 ### New Features
diff --git a/java/ql/lib/change-notes/2023-10-05-moved-localuserinput-to-mad.md b/java/ql/lib/change-notes/2023-10-05-moved-localuserinput-to-mad.md
deleted file mode 100644
index 7d977eb472ba..000000000000
--- a/java/ql/lib/change-notes/2023-10-05-moved-localuserinput-to-mad.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-category: minorAnalysis
----
-* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
- There are no changes to results unless you add source models using the `environment` or `file` source kinds.
-* Added `environment` source models for the following methods:
- * `java.lang.System#getenv`
- * `java.lang.System#getProperties`
- * `java.lang.System#getProperty`
- * `java.util.Properties#get`
- * `java.util.Properties#getProperty`
-* Added `file` source models for the following methods:
- * the `java.io.FileInputStream` constructor
- * `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
- * `hudson.FilePath#openInputStream`
- * `hudson.FilePath#read`
- * `hudson.FilePath#readFromOffset`
- * `hudson.FilePath#readToString`
-* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
- There are no changes to results unless you add source models using the `database` source kind.
-* Added `database` source models for the following method:
- * `java.sql.ResultSet#getString`
diff --git a/java/ql/lib/change-notes/2023-10-07-MemberRefExpr-getReceiverExpr.md b/java/ql/lib/change-notes/2023-10-07-MemberRefExpr-getReceiverExpr.md
deleted file mode 100644
index 150a1615df22..000000000000
--- a/java/ql/lib/change-notes/2023-10-07-MemberRefExpr-getReceiverExpr.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added predicate `MemberRefExpr::getReceiverExpr`
diff --git a/java/ql/lib/change-notes/2023-10-09-outdated-deprecations.md b/java/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
deleted file mode 100644
index e5701bd768d0..000000000000
--- a/java/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-category: minorAnalysis
----
-* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
-* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
-* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
-* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
-* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
-* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
-* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
-* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
-* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
diff --git a/java/ql/lib/change-notes/2023-10-12-sync-local-and-remote-dataflow-configurations.md b/java/ql/lib/change-notes/2023-10-12-sync-local-and-remote-dataflow-configurations.md
deleted file mode 100644
index 7e512093fb42..000000000000
--- a/java/ql/lib/change-notes/2023-10-12-sync-local-and-remote-dataflow-configurations.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
diff --git a/java/ql/lib/change-notes/released/0.8.1.md b/java/ql/lib/change-notes/released/0.8.1.md
new file mode 100644
index 000000000000..410b5384aedf
--- /dev/null
+++ b/java/ql/lib/change-notes/released/0.8.1.md 
@@ -0,0 +1,37 @@
+## 0.8.1
+
+### New Features
+
+* Added predicate `MemberRefExpr::getReceiverExpr`
+
+### Minor Analysis Improvements
+
+* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
+* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
+* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
+* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
+* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
+* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
+* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
+* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
+* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
+* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
+* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
+ There are no changes to results unless you add source models using the `environment` or `file` source kinds.
+* Added `environment` source models for the following methods:
+ * `java.lang.System#getenv`
+ * `java.lang.System#getProperties`
+ * `java.lang.System#getProperty`
+ * `java.util.Properties#get`
+ * `java.util.Properties#getProperty`
+* Added `file` source models for the following methods:
+ * the `java.io.FileInputStream` constructor
+ * `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
+ * `hudson.FilePath#openInputStream`
+ * `hudson.FilePath#read`
+ * `hudson.FilePath#readFromOffset`
+ * `hudson.FilePath#readToString`
+* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
+ There are no changes to results unless you add source models using the `database` source kind.
+* Added `database` source models for the following method:
+ * `java.sql.ResultSet#getString`
diff --git a/java/ql/lib/codeql-pack.release.yml b/java/ql/lib/codeql-pack.release.yml
index 37eab3197dcb..2f693f95ba69 100644
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.0
+lastReleaseVersion: 0.8.1
diff --git a/java/ql/lib/qlpack.yml b/java/ql/lib/qlpack.yml
index eef8bc66fe1c..92d5e5316d36 100644
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.8.1-dev
+version: 0.8.1
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
diff --git a/java/ql/src/CHANGELOG.md b/java/ql/src/CHANGELOG.md
index ea706bfd0559..c0a6261d914c 100644
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.8.1
+
+### Minor Analysis Improvements
+
+* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
+
 ## 0.8.0

 No user-facing changes.
diff --git a/java/ql/src/change-notes/2023-10-06-threat-models.md b/java/ql/src/change-notes/released/0.8.1.md
similarity index 77%
rename from java/ql/src/change-notes/2023-10-06-threat-models.md
rename to java/ql/src/change-notes/released/0.8.1.md
index 4fc9dda7fab2..0b1620f54c2a 100644
--- a/java/ql/src/change-notes/2023-10-06-threat-models.md
+++ b/java/ql/src/change-notes/released/0.8.1.md
@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
\ No newline at end of file
+## 0.8.1
+
+### Minor Analysis Improvements
+
+* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
diff --git a/java/ql/src/codeql-pack.release.yml b/java/ql/src/codeql-pack.release.yml
index 37eab3197dcb..2f693f95ba69 100644
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.0
+lastReleaseVersion: 0.8.1
diff --git a/java/ql/src/qlpack.yml b/java/ql/src/qlpack.yml
index bced8cc4b86c..4dfb807356d6 100644
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.8.1-dev
+version: 0.8.1
 groups:
 - java
 - queries
diff --git a/javascript/ql/lib/CHANGELOG.md b/javascript/ql/lib/CHANGELOG.md
index f1aac73b5777..53155773c3df 100644
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,21 @@
+## 0.8.1
+
+### Minor Analysis Improvements
+
+* The contents of `.jsp` files are now extracted, and any `